The terms reference a separate Data Processing Agreement applicable to users who process personal data of EU or UK residents, establishing Klaviyo's role as a data processor and the user's role as data controller under GDPR and UK GDPR.
This analysis describes what Klaviyo's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes that EU and UK data protection obligations are addressed in a separate contractual instrument rather than within the ToS itself, creating a multi-document compliance framework that requires users to locate, review, and execute the DPA separately.
Interpretive note: The specific content of the referenced DPA was not available in the provided document; the adequacy of its transfer mechanisms and sub-processor provisions cannot be assessed from the ToS alone.
Under this clause, EU and UK data protection compliance for personal data processed through Klaviyo is governed by the separate DPA rather than the ToS, which means users must execute the DPA to establish the GDPR-required data processing agreement with Klaviyo.
How other platforms handle this
We retain your personal data for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the p...
We may collect certain information automatically when you use our Services, such as your Internet protocol (IP) address, user settings, MAC address, cookie identifiers, mobile carrier, mobile advertising and other unique identifiers, browser or device information, location information (including app...
That is why we are committed to transparency about how we collect, use, and share that information.
Monitoring
Klaviyo has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
1) REGULATORY LANDSCAPE: GDPR Article 28 requires that data controllers enter into a binding contract with data processors that specifies the subject matter, duration, nature, and purpose of processing, as well as processor obligations and data subject rights. The DPA referenced in the ToS is the primary instrument for satisfying this requirement. Enforcement authorities include EU national data protection authorities and the UK ICO. 2) GOVERNANCE EXPOSURE: High for EU and UK-facing businesses. Failure to execute the DPA while processing EU or UK personal data through Klaviyo would constitute a violation of GDPR Article 28, exposing the data controller to regulatory enforcement by the relevant supervisory authority. The DPA should be reviewed for adequacy of standard contractual clauses for international data transfers and completeness of sub-processor disclosures. 3) JURISDICTION FLAGS: EU member states and the UK represent the primary jurisdictions of heightened exposure under this provision. Organizations with operations across multiple EU member states should confirm lead supervisory authority designation. Post-Brexit UK IDTA or UK Addendum to SCCs may be required for UK data transfers to the US. 4) CONTRACT AND VENDOR IMPLICATIONS: The DPA should be reviewed for: inclusion of an approved transfer mechanism for US-to-EU data flows (SCCs or equivalent); a current and complete sub-processor list with notification mechanisms for changes; audit rights consistent with GDPR requirements; and clear data deletion and return obligations on contract termination. 5) COMPLIANCE CONSIDERATIONS: Legal and compliance teams should confirm DPA execution status, review the sub-processor list for any processors that present additional risk, verify that data transfer mechanisms are current following Schrems II requirements, and schedule periodic DPA reviews aligned with updates to Klaviyo's sub-processor roster.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 10 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes that EU and UK data protection obligations are addressed in a separate contractual instrument rather than within the ToS itself, creating a multi-document compliance framework that requires users to locate, review, and execute the DPA separately.
Under this clause, EU and UK data protection compliance for personal data processed through Klaviyo is governed by the separate DPA rather than the ToS, which means users must execute the DPA to establish the GDPR-required data processing agreement with Klaviyo.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Klaviyo.