Data Processing Agreement

Last updated: April 13, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between ClearAct ("Processor") and the customer ("Controller") and governs the processing of personal data by the Processor on behalf of the Controller in connection with the ClearAct platform ("Service").

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person processed under this DPA.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
  • "Sub-processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation).

2. Scope of Processing

The Processor processes Personal Data solely for the purpose of providing the Service, which includes:

  • Processing customer AI system descriptions and metadata to generate EU AI Act compliance documents.
  • Storing and managing compliance documents, AI system inventories, and audit logs.
  • User authentication and account management.
  • Subscription and billing management.

Categories of data subjects: Customer employees and authorized users of the Service.

Types of personal data: Names, email addresses, organization names, AI system descriptions, compliance document content, and usage logs.

3. Obligations of the Processor

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law.
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational security measures (see Section 7).
  • Assist the Controller in responding to data subject requests (access, rectification, erasure, portability).
  • Notify the Controller without undue delay (and within 72 hours) upon becoming aware of a personal data breach.
  • Delete or return all Personal Data upon termination of the Service, at the Controller's choice, within 30 days.

4. Sub-processors

The Controller authorizes the Processor to engage the following sub-processors. The Processor will notify the Controller of any changes to this list with at least 30 days' advance notice.

Sub-processor     Purpose                                                          Location
Anthropic         AI processing (Claude API) for compliance document generation    United States
Supabase / AWS    Database hosting, authentication, and data storage               United States
Vercel            Application hosting and serverless functions                     United States
Stripe            Payment processing                                               United States

The Processor ensures that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA.

5. International Data Transfers

Personal Data is transferred to and processed in the United States by the sub-processors listed above. These transfers are made on the basis of:

  • EU-U.S. Data Privacy Framework (DPF): Where sub-processors are certified under the EU-U.S. Data Privacy Framework, transfers rely on the European Commission's adequacy decision.
  • Standard Contractual Clauses (SCCs): Where the DPF does not apply, transfers are governed by the Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914).

A copy of the applicable transfer mechanism may be requested by contacting privacy@clearact.ai.

6. Data Retention and Deletion

  • Personal Data is retained for the duration of the Service agreement plus 30 days.
  • Upon termination or at the Controller's request, the Processor will delete all Personal Data within 30 days, except where retention is required by applicable law (e.g., tax records retained for 7 years).
  • The Controller may export their data at any time via the "Export My Data" feature in account settings.
  • The Controller may request immediate account deletion via the "Delete Account" feature in account settings.

7. Security Measures

The Processor implements the following technical and organizational measures:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Row-level security (RLS) policies ensuring complete tenant data isolation.
  • Authentication via Supabase Auth with support for email/password and OAuth providers.
  • Regular security assessments and dependency updates.
  • Access controls limiting data access to authorized personnel and systems only.
  • Audit logging of significant data access and modification events.

8. Data Subject Rights

The Processor will assist the Controller in fulfilling data subject requests under GDPR Articles 15–22, including requests for access, rectification, erasure, restriction, portability, and objection. The Processor will respond to such assistance requests without undue delay.

9. Audits

The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable advance notice and confidentiality obligations.

10. Liability

The liability of each party under this DPA is subject to the limitations set out in the Terms of Service.

11. Term and Termination

This DPA takes effect upon acceptance of the Terms of Service and remains in effect for the duration of the Processor's processing of Personal Data on behalf of the Controller. The obligations of the Processor regarding data deletion and confidentiality survive termination.

12. Contact

For questions about this DPA, please contact us at privacy@clearact.ai.