Last updated: May 2026

This Data Processing Addendum ("DPA") forms part of your agreement with Deklarative for Deklarative Cloud and applies whenever Deklarative processes Personal Data on your behalf as a Processor under the GDPR, UK GDPR, or equivalent legislation.

Scope of processing

• Subject matter: provision of the Deklarative Cloud service.
• Duration: while you have an active subscription, plus 30 days for export.
• Nature & purpose: hosting, indexing, and execution of manifests, workflows, and generated code on your instruction.
• Categories of data subjects: the end users of the apps you build with Deklarative.
• Categories of personal data: whatever your manifest declares — names, emails, addresses, business records, etc.

Processor obligations

• Process only on documented instructions.
• Ensure personnel are bound by confidentiality.
• Implement appropriate technical and organisational measures (described in the security overview).
• Engage sub-processors only as listed on the trust center, with prior notice of changes.
• Assist with data-subject requests and DPIAs.
• Notify you of personal-data breaches within 72 hours of discovery.
• Return or delete personal data on termination.

International transfers

Where personal data is transferred outside the EEA, UK, or Switzerland, the EU Standard Contractual Clauses (EU 2021/914) and UK Addendum apply.

Sub-processors

Current sub-processors are listed on the trust center. We will notify you at least 30 days in advance of any new sub-processor.

Audits

We make available the SOC 2 Type II report (when issued) under NDA. Customers paying $25,000+ per year may request an annual audit on reasonable notice.

Self-hosted users

If you use only the Apache 2.0 self-hosted distribution, this DPA does not apply — Deklarative does not process your data and is not your processor.

Execution

This DPA is effective without signature for Cloud customers. To request a counter-signed copy, email privacy@deklarative.com.