Sub-processors
The third-party sub-processors KLNR Labs P.S.A. engages to deliver the KLNR product group, including each party's role, location, and data-residency posture, plus how to subscribe to change notifications. This is a placeholder list maintained for transparency and GDPR Article 28 compliance. — DRAFT, pending legal review.
About this list
To provide the KLNR product group (Search, Lexor, FRRE.ai, Sign, Comms, CoLab, AgentOS, and Bill), KLNR Labs P.S.A. engages a limited set of third-party sub-processors. A sub-processor is a third party that processes personal data on KLNR's behalf in connection with the services.
KLNR remains accountable for personal data processed by its sub-processors. Each sub-processor is engaged under a written contract containing data-protection obligations no less protective than those KLNR owes to its customers, consistent with GDPR Article 28. Where a sub-processor is located outside the EEA, transfers are governed by an adequacy decision or appropriate safeguards (e.g., Standard Contractual Clauses) under GDPR Articles 44–49, with supplementary measures as needed.
The table below is a placeholder maintained for transparency; specific provider names, regions, and details will be completed and kept current. Effective date: [effective date].
Current sub-processors (placeholder)
| Sub-processor | Role / purpose | Location of provider | Data residency |
|---|---|---|---|
| [Hosting & infrastructure provider] | Cloud hosting, compute, storage, and backups for the KLNR platform | [EU / provider HQ] | EU region [EU region] |
| [AI model provider(s)] | Foundation-model inference for AI features (zero/limited retention; no training on customer content) | [...] | [EU region where available / SCCs for any non-EEA processing] |
| [Email & SMS provider(s)] | Transactional and notification email/SMS delivery (Comms and platform notifications) | [...] | [EU / SCCs where applicable] |
| [Payments provider] | Subscription billing and payment processing | [...] | [EU / SCCs where applicable] |
| [E-signature / eIDAS trust service provider] | Qualified/advanced e-signature, certificates, and trusted timestamping (Sign) | [EU] | EU [EU region] |
| [KSeF integration] | National e-Invoicing System (Krajowy System e-Faktur) submission and retrieval (Bill) | Poland (Ministry of Finance) | Poland / EU |
| [Analytics & error-monitoring provider] | Privacy-respecting product analytics and error/incident monitoring | [...] | [EU / self-hosted / SCCs where applicable] |
Categories without a current provider are listed for transparency; where a category is not yet in use, it is marked [not currently engaged].
Customer-controlled integrations
Some integrations are enabled at the customer's option (for example, connecting a Microsoft 365 mailbox to Comms, or a customer's own AI provider key). When a customer directs KLNR to connect to such a service, that service may receive data under the customer's instructions and its own terms; it is not a KLNR sub-processor for that processing. Customers are responsible for the integrations they enable.
How we vet sub-processors
Before engaging a sub-processor, and periodically thereafter, we assess its security and privacy posture, including relevant certifications, data-residency options, sub-processing chains, and contractual data-protection terms. We engage a sub-processor only where it can meet our standards and the commitments we make to customers.
Subscribe to updates (GDPR Art. 28)
Under our Data Processing Agreement and GDPR Article 28, customers are entitled to advance notice of intended changes to our sub-processors and an opportunity to object.
- Subscribe: To receive notifications when we intend to add or replace a sub-processor, subscribe at [privacy@klnr.ai] (or via the in-product/settings notification option, where available).
- Notice period: We will provide notice of a new or replacement sub-processor before it begins processing customer personal data, allowing a reasonable period to raise a reasoned objection on data-protection grounds.
- Objections: If you object on reasonable data-protection grounds, we will work in good faith to address your concern; the rights and process are governed by the applicable DPA.
Regional supplement — European Union (GDPR)
For EU/EEA/UK customers: KLNR Labs P.S.A. acts as processor (and the customer as controller) for personal data processed to provide the services, and the sub-processors above act as further processors. Engagements comply with GDPR Article 28(2)–(4), including authorisation, equivalent obligations, and KLNR's continued liability for sub-processor performance. International transfers are addressed under GDPR Articles 44–49. The list and notification mechanism support the controller's accountability and oversight obligations. Controller/data-protection contact: [dpo@klnr.ai] / [privacy@klnr.ai].
Regional supplement — United States (CCPA/CPRA & other state laws)
For processing subject to US state law: the sub-processors above act as KLNR's "service providers" or "contractors" (CCPA/CPRA) or "subprocessors" (e.g., VCDPA, CPA, CTDPA, UCPA). They are contractually restricted to processing personal information solely to provide services to KLNR, and are prohibited from selling or sharing it, from retaining or using it for their own purposes, and from combining it outside the permitted business purpose. KLNR does not sell or share personal information. US-related questions: [privacy@klnr.ai].
Changes & contact
We will update this list as our sub-processors change and will notify subscribed customers in accordance with the DPA. Related pages: Trust & Security. Effective date: [effective date]. Contact: [privacy@klnr.ai] / [dpo@klnr.ai] · General: [kontakt@klnr.ai].