Version: 1.0-draft
Last Updated: 2026-05-07
Effective Date: 2026-05-07
Canonical Source: This document is the source text for a future enterprise-facing DPA and is intended for enterprise entities and business customers, not general consumer users.
Read This First
This Data Processing Addendum ("DPA") is meant for enterprise entities and business customers that want contractual data processing terms with Clerica. It is not a general consumer-facing policy. We use this document to set the baseline processor/controller relationship, security commitments, and enterprise handling expectations without pretending every customer needs a negotiated custom paper on day one.
1. Scope and Applicability
This DPA applies only where Clerica processes Customer Personal Data on behalf of an enterprise customer or other business entity under a written agreement for the Service.
Plain-English Summary
This is for enterprise or business contracts, not regular individual users reading the website.
2. Order of Precedence
This DPA supplements the applicable master services agreement, order form, or other written customer agreement. If there is a conflict, the customer agreement controls unless it expressly states that this DPA controls on a specific issue.
Plain-English Summary
The DPA is part of the enterprise contract stack, not a random standalone promise floating by itself.
3. Roles of the Parties
For Customer Personal Data subject to this DPA, the customer acts as the controller or business, and Clerica acts as the processor or service provider, except where Clerica acts as an independent controller for its own account, billing, legal compliance, or security operations.
Plain-English Summary
This section says whose instructions we follow and where we still have our own legal obligations.
4. Processing Instructions
Clerica will process Customer Personal Data only on documented instructions from the customer, except where processing is required by applicable law, security needs, fraud prevention, or necessary operation of the Service as described in the customer agreement and related documentation.
Plain-English Summary
We follow customer instructions, but we still need room to run the product securely and comply with law.
5. Nature and Purpose of Processing
Processing may include hosting, storage, organization, retrieval, transmission, analysis, monitoring-related workflows, customer support, security operations, and related Service delivery functions.
Plain-English Summary
This explains the kinds of work we may do with enterprise customer data while operating the product.
6. Categories of Data and Data Subjects
Customer Personal Data may include account details, business contact information, user identifiers, monitored service selections, preferences, support interactions, and other data submitted through the Service by authorized users of the customer.
Plain-English Summary
This section keeps the DPA broad enough to match real product use without pretending we only process one tiny data field.
7. Confidentiality
Clerica will ensure that personnel and authorized service providers with access to Customer Personal Data are subject to appropriate confidentiality obligations.
Plain-English Summary
Anyone handling enterprise data needs a real confidentiality obligation, not just a casual expectation.
8. Security Measures
Clerica will implement reasonable and appropriate technical and organizational measures designed to protect Customer Personal Data, taking into account the nature of the data and the risks involved.
Plain-English Summary
This is the baseline enterprise security commitment. It should be real, but not overpromise beyond what operations can support.
9. Subprocessors
Clerica may use subprocessors to support the Service, including infrastructure, authentication, billing, communication, security, analytics, and professional review services, provided that Clerica remains responsible for their processing to the extent required by applicable law and contract.
Plain-English Summary
We may use vendors, but we still own the responsibility for how they fit into the service relationship.
10. Assistance with Data Subject Requests
Taking into account the nature of the processing, Clerica will provide reasonable assistance to the customer in responding to applicable requests relating to Customer Personal Data where required by law and where the customer cannot reasonably handle the request without Clerica's support.
Plain-English Summary
If an enterprise customer gets a legitimate privacy request, we will provide reasonable support where contractually appropriate.
11. Security Incident Notification
Clerica will notify the customer without undue delay after becoming aware of a confirmed security incident affecting Customer Personal Data covered by this DPA, and will provide reasonably available information needed to understand the nature and impact of the incident.
Plain-English Summary
Enterprise customers expect incident notice. This section sets that baseline without making impossible promises.
12. Deletion and Return
Upon termination or expiration of the applicable customer agreement, Clerica will delete or return Customer Personal Data as required by the agreement and applicable law, subject to reasonable retention for legal compliance, security, backup integrity, and dispute resolution.
Plain-English Summary
We do not retain enterprise customer data indefinitely, but backup and legal-record constraints can require limited retention periods.
13. Audits and Information Rights
Where required by applicable law or agreed contractually, Clerica may provide reasonable information about its processing and security measures, subject to confidentiality, security, and operational limits.
Plain-English Summary
Enterprise customers may need diligence materials, but that does not mean unlimited audit disruption.
14. Cross-Border Processing
If cross-border processing terms become necessary under a customer agreement, the parties may incorporate additional transfer terms, exhibits, or standard contractual language as needed.
Plain-English Summary
This keeps the base DPA usable now while leaving room for future enterprise or international requirements.
15. Limitation
This DPA does not create broader obligations than those required by the customer agreement, applicable law, or expressly agreed written addenda.
Plain-English Summary
This keeps the DPA from accidentally becoming an unlimited custom legal promise.
16. Contact
Enterprise privacy or data processing questions about this DPA can be sent to privacy@clerica.io or legal@clerica.io.
Plain-English Summary
Enterprise customers need a clean way to route processing questions without guessing where they belong.