Privacy FAQ and Transparency Report

Updated December 9, 2022

1. OUR APPROACH TO PRIVACY

Klaviyo, Inc. (“Klaviyo”) takes its privacy responsibility seriously and is committed to protecting and respecting the privacy of our customers and their customers. 

This Frequently Asked Questions document provides information that Klaviyo customers may use to fulfill their commitment to transparency and enable themselves to comply with their own privacy obligations, including in connection with conducting data transfer impact assessments. Note this document is meant for customers’ internal use only and does not create any kind of representation or other commitment. Klaviyo’s commitments are exclusively contained in its agreements with its customers. 

2. DATA PROCESSING AGREEMENT

2.1 When offering its services, Klaviyo acts on behalf of its customers. 

2.2 Klaviyo enters into data processing agreements with its customers to ensure that personal data is sufficiently protected by contractual arrangements. 

2.3 Klaviyo’s standard data processing agreement (“DPA”) is a global data processing agreement which also contains some country-specific terms. It contains details on the processing of personal data in the context of the provision of the Klaviyo services, including the types of data used and the scope of the processing. The data processed by Klaviyo is determined by our customer’s configuration of our services. Please see Schedule 1 of our DPA for more information. 

3. GOVERNMENT REQUESTS (U.S. SURVEILLANCE LAWS) TRANSPARENCY REPORT

3.1 To date, Klaviyo has not received a US National Security Request (including requests for access under FISA 702 or direct access under EO 12333) requiring the disclosure of customer data.

3.2 If Klaviyo were to receive a demand for customer data from any government, Klaviyo has policies in place that govern how we would handle any such requests.  

3.3 Specifically, Klaviyo would respond as follows: 

 (a) Klaviyo will review any requests for information, including an analysis by Klaviyo’s legal team, to determine the appropriate response. 

 (b) Where possible, Klaviyo will direct the requesting authorities to request the data directly from its customer. 

 (c) Klaviyo will also notify the affected customer(s) unless the law prohibits Klaviyo from doing so. 

 (d) Where there is a legal basis for doing so, Klaviyo will challenge the order.

4. INTERNATIONAL TRANSFER

4.1 For customers that are subject to the European General Data Protection Regulation (“GDPR”) or the UK GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018, the DPA also incorporates the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 (“SCCs”) as well as a UK addendum to safeguard the transfer of personal data to the US.

4.2 In addition to entering into the SCCs and the UK addendum as applicable, Klaviyo commits itself to a number of Supplementary Measures that are set out in Schedule 4 of the DPA.

4.3 Klaviyo has also entered into an Intra-Group Agreement that covers the various data transfers within the Klaviyo company group. 

4.4 President Biden has already signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities in preparation for a new EU-U.S. Data Privacy Framework, thereby implementing further safeguards for international data transfer as further described in the White House’s Fact Sheet accessible here.

5. DATA SECURITY 

5.1 The DPA contains a list of technical and organizational measures to which Klaviyo will adhere. All relevant privacy compliance and security policies and procedures are reviewed regularly and re-evaluated. Where needed, Klaviyo will update its policies and procedures.  

5.2 Klaviyo personnel handling personal data will also be trained on privacy matters as well as cyber security. 

6. APPOINTMENT OF SUB-PROCESSORS 

6.1 Klaviyo has a risk assessment and management process to ensure that its engagements with vendors who process customer personal data comply with privacy requirements. 

6.2 Klaviyo enters into appropriate data processing agreements with its vendors.

6.3 The DPA contains a list of sub-processors engaged by Klaviyo. 

7. PRIVACY QUESTIONS? 

If you have any questions regarding Klaviyo’s processing of personal data (including any cross-border transfer) or require further information to comply with your privacy obligations, we are happy to assist. Please do not hesitate to contact us at privacy@klaviyo.com.