Features Pricing FAQ
Log in Try free
GDPR-compliant

Data Processing Agreement

Version 1.1  ·  Effective date

Parties and nature

This data processing agreement applies automatically between:

  • Klaver Solutions, trading as Practions, hereinafter: "Processor", and
  • the Customer that has entered into an Agreement for the Service with Processor, hereinafter: "Controller".

This data processing agreement forms an integral part of the Terms of Service and the Agreement and takes effect upon use of the Service. In the event of conflict between this data processing agreement and the Terms of Service with respect to the processing of Personal Data, this data processing agreement prevails.

Capitalised terms in this data processing agreement have the meaning ascribed to them in the Terms of Service or, in the absence thereof, the meaning given in Article 4 GDPR.

Article 1. Subject matter and duration

  1. Processor processes Personal Data of Clients exclusively on behalf of Controller and on the documented instruction of Controller, in the context of the Service as described in the Terms of Service.
  2. This data processing agreement applies for the duration of the Agreement and, where applicable, thereafter for the term of statutory retention obligations and the after-care described in Article 12(2).

Article 2. Nature and purpose of processing

  1. The nature of the processing is the processing of Personal Data via an online platform for the purpose of managing a coaching practice: client administration, session calendar, real-time transcription, AI-supported session notes, file exchange, invoicing, payment processing and accounting integration.
  2. The purpose of the processing is to deliver, secure, maintain and further develop the Service and to comply with statutory obligations applicable to Processor in its capacity as processor.

Article 3. Categories of personal data and data subjects

  1. The categories of Personal Data that Processor processes on behalf of Controller are listed in Annex 1.
  2. The categories of data subjects are: a. Clients of Controller (end-clients of the coaching practice); b. any contact persons of Clients recorded for the performance of a session or invoice.
  3. Controller warrants that the input or upload of special categories of personal data (Article 9 GDPR), including coaching content, transcripts or health-related indications, takes place on a valid legal basis, in principle the explicit consent of the Client (Article 9(2)(a) GDPR). Processor offers in the Service a per-session consent recording mechanism for recording, transcription and AI processing.

Article 4. Rights and obligations of Controller

  1. Controller is responsible for the lawfulness of the processing, including in any event: a. the validity of the legal basis used; b. the duty to inform data subjects (Articles 13 and 14 GDPR); c. the proper handling of data subject rights.
  2. Controller issues instructions to Processor through the Service (such as enabling or disabling AI features, configuring the client portal and recording consent) and, where necessary, in writing via [email protected].
  3. An instruction from Controller that Processor considers to be contrary to the GDPR or other privacy legislation is reported by Processor in writing, after which Processor may refuse the instruction without consequences for itself.

Article 5. Obligations of Processor

  1. Processor processes Personal Data only on the documented instruction of Controller, save in so far as Processor is required to process by Union or national law. In the latter case, Processor informs Controller before processing, unless such law prohibits such information.
  2. Processor ensures that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. Processor takes, considering the state of the art, the costs of implementation and the nature, scope, context and purposes of processing and the risks for the rights and freedoms of natural persons, appropriate technical and organisational measures in accordance with Article 32 GDPR. The measures are specified in Annex 3.
  4. Processor, upon request, supports Controller in complying with its obligations under Articles 32 to 36 GDPR (security, breach notification, prior consultation and data protection impact assessment), taking into account the nature of the processing and the information available to Processor.
  5. Processor offers reasonable support for requests from data subjects exercising their rights under Chapter III GDPR. Standard support is included in the price of the Service (in any event access and export via the functionality offered in the Service). Excessive requests may be handled against a reasonable cost reimbursement.

Article 6. Sub-processors

  1. Controller hereby grants general prior written consent for the engagement of sub-processors, subject to the conditions of this article.
  2. The sub-processors engaged at the time this data processing agreement takes effect are listed in Annex 2, published at https://practions.com/en/sub-processors.
  3. Processor informs Controller at least thirty (30) days before any intended change to or addition of a sub-processor, via email or via a notice in the Service.
  4. Controller is entitled, during this notice period, to object on reasoned grounds. If the parties cannot reach a mutually acceptable solution, Controller is entitled to terminate the Agreement against the date on which the new sub-processor is put into use.
  5. Processor imposes upon every sub-processor by contract the same obligations that apply to Processor under this data processing agreement, in particular the obligations under Article 28(4) GDPR.

Article 7. Data breaches

  1. Processor reports a breach of Personal Data within Controller's responsibility, without undue delay after discovery, to Controller, and in any event within 24 hours of discovery, so that Controller can comply with the 72-hour notification obligation in Article 33 GDPR.
  2. The notification contains in any event the information referred to in Article 33(3) GDPR, in so far as known at the time of notification.
  3. If additional information becomes available later, Processor provides it in phases, in accordance with Article 33(4) GDPR.
  4. Processor reasonably cooperates in any investigation conducted by Controller and in communications to data subjects under Article 34 GDPR.

Article 8. Audit

  1. Processor provides Controller, upon request, with all information necessary to demonstrate compliance with this data processing agreement, such as descriptions of security measures and any relevant audit reports available.
  2. Controller may, with at least four (4) weeks' prior notice, commission an audit once per calendar year, by an independent auditor bound by a confidentiality undertaking. The audit is limited in scope to compliance with this data processing agreement and may not disrupt the continuity of the Service for other customers.
  3. The cost of an audit is borne by Controller, unless the audit reveals a material non-compliance by Processor; in that case, the costs are borne by Processor and Processor draws up a remediation plan without undue delay.

Article 9. International transfers

  1. Processor processes Personal Data in principle within the European Economic Area. For production AI processing, exclusive use is made of Microsoft Azure OpenAI in EU regions. The direct API of OpenAI in the United States is not used in production.
  2. Where a sub-processor is established outside the EEA, transfer takes place on the basis of an appropriate mechanism recognised by Article 46 GDPR, including the Standard Contractual Clauses of the European Commission and, where applicable, the EU-US Data Privacy Framework, supplemented where necessary by transfer impact assessments and additional technical and organisational measures.
  3. The applicable transfer mechanisms per sub-processor are listed in Annex 2.

Article 10. Liability

  1. The liability of Processor under this data processing agreement is governed by and limited as set out in Article 13 of the Terms of Service, on the understanding that mandatory law, including Article 82 GDPR, continues to apply in full.
  2. In the context of any claim under Article 82 GDPR, the parties shall observe the proper allocation of responsibility, in the sense that a party is only addressed for damages flowing from its own acts or omissions.
  3. Administrative fines imposed by a supervisory authority shall be borne by the party whose acts or omissions caused the fine.

Article 11. Duration and termination

  1. This data processing agreement ends automatically when the Agreement ends.
  2. An interim termination of this data processing agreement, separate from the Agreement, is not possible, save in so far as the GDPR mandatorily so requires.

Article 12. Final provisions

  1. This data processing agreement is governed exclusively by Dutch law. Disputes are submitted to the competent court in the district of Midden-Nederland, Lelystad location.
  2. After the end of the Agreement, the after-care set out in Article 16(2) of the Terms of Service applies: a 90-day grace period for data export, then permanent deletion from production and overwriting of backups within 30 days, save for invoicing data which is retained for seven (7) years pursuant to the Dutch tax retention obligation.
  3. The Dutch version of this data processing agreement is binding. An English translation is provided for convenience; in the event of any discrepancy, the Dutch text prevails.

Annex 1. Specification of personal data and data subjects

Categories of data subjects

  • Clients of Controller (coachees, end-clients).
  • Contact persons of Clients for invoicing or business handling.

Categories of personal data

Category Examples
Identification and contact data name, email, phone, postal address
Client profile initials, photo, focus of coaching, frequency, status of relationship
Coaching content (special category, GDPR Art. 9) session transcripts, session notes, private notes, themes, action items
Coaching protocol layers coach-defined goals (Goals), habits (Habits), program enrollments (Programs/Enrollments), group membership (Groups), rule-based client insights (ClientInsights), automations (Automations) and optional AI suggestions on notes
Client portal account email address, hashed password, optional name, photo, phone; a single portal account may be linked to multiple coaches
Financial data invoice lines, VAT status, payment status, billing address
Consent records timestamp, IP address, user-agent, version of consent text shown
Messaging and file exchange in client portal messages, attachments
Security telemetry of portal sessions IP, user-agent, login timestamps

Annex 2. Sub-processors

An up-to-date list is published at https://practions.com/en/sub-processors and maintained in the separate document Sub-processor List, which forms part of this data processing agreement.

Annex 3. Security measures (Article 32 GDPR)

Encryption

  • TLS for all inbound and outbound connections.
  • Encryption at rest of substantive session data (transcripts, session summaries, private notes, transcript lines), TOTP seeds and sub-processor API tokens, with separate Fernet keys per column category. Coaching protocol metadata (Goals, Habits, Programs, Enrollments, Groups, ClientInsights, Automations and the AI suggestions on Note) is not separately encrypted at rest in the current release, but is subject to the same access, audit and network controls as the other tables; extending encryption to these tables is on the roadmap.
  • Hashing of passwords via bcrypt with SHA-256 pre-hashing to prevent truncation of long passwords.

Access and authentication

  • Short access-token TTL (15 minutes) and refresh-token rotation with reuse detection.
  • Optional two-factor authentication (TOTP) with encrypted seed and bcrypt-hashed recovery codes.
  • HttpOnly, Secure and SameSite cookie attributes for authentication.
  • Double-submit CSRF mechanism.
  • Role-based access for administrative functions.

Network and infrastructure

  • Application egress allowlist limiting outbound connections from the production process to a fixed set of sub-processor domains.
  • HTTP Strict Transport Security with max-age=31536000; includeSubDomains.
  • Content Security Policy with frame-ancestors 'none', object-src 'none', base-uri 'self' and form-action 'self'.
  • Permissions-Policy explicitly restricting access to camera, microphone and geolocation.
  • Rate limiting on authentication and public endpoints.

Logging and monitoring

  • Audit logging with composite indexes for per-user and per-action investigation.
  • A PII scrubber at log level filtering JWTs, bcrypt hashes, IBAN/VAT numbers, email local-parts, phone numbers and long hex tokens from log lines.
  • Optional error monitoring via Sentry with PII scrubbing and a forbidden-fields filter prior to sending events.

Retention and deletion

  • Daily retention batch with per-table retention periods set out in Article 7 of the Privacy Policy.
  • No automated hard deletion of invoicing data before the expiry of the Dutch tax retention obligation; deletion is operator- confirmed after seven (7) years.

Organisational

  • Confidentiality undertaking for staff and suppliers with access to production data.
  • Periodic review of access rights.
  • Incident-response and data-breach-notification procedure.