Data processing addendum (DPA)

This Data Processing Addendum ("DPA") forms part of the agreement (the "Agreement") between the Customer ("Customer") and ClarityLoop Limited ("ClarityLoop"), governing Customer’s use of ClarityLoop services (the "Services"). This DPA is effective upon execution of the Agreement or use of the Services.

If you are a ClarityLoop customer and need a signed copy of this DPA, please contact us at security@clarityloop.com.

1. Subject Matter and Duration

1.1 Subject Matter. This DPA governs the processing of Customer Personal Data by ClarityLoop in providing the Services under the Agreement.
1.2 Duration. This DPA remains in effect for as long as ClarityLoop processes Customer Personal Data under the Agreement, unless otherwise agreed in writing.

2. Definitions

  • "Customer Personal Data" means any personal data that Customer provides to ClarityLoop through use of the Services.
  • "Data Protection Laws" means all applicable data privacy laws, including GDPR, UK GDPR, and CCPA.
  • "Controller" means the entity that determines the purposes and means of processing personal data.
  • "Processor" means the entity that processes personal data on behalf of the Controller.
  • "Subprocessor" means any third party engaged by ClarityLoop to process Customer Personal Data.
  • "SCCs" means the Standard Contractual Clauses for data transfers as approved by the European Commission.

3. Roles and Responsibilities

3.1 Roles. Customer is the Controller of Customer Personal Data, and ClarityLoop is the Processor.
3.2 Instructions. ClarityLoop processes Customer Personal Data only on documented instructions from Customer, unless required to do so by law.
3.3 Compliance. Customer is responsible for ensuring that its use of the Services complies with applicable Data Protection Laws.

4. Subprocessors

4.1 Authorization. Customer authorizes ClarityLoop to engage Subprocessors listed here.
4.2 Obligations. ClarityLoop ensures Subprocessors are contractually bound to data protection obligations no less protective than those in this DPA.
4.3 Changes. ClarityLoop will notify Customer of any new Subprocessors and give Customer an opportunity to object within 10 business days.

5. Security

ClarityLoop implements and maintains appropriate technical and organizational security measures as described in Security Practices.

6. Data Subject Rights

To the extent required by law and technically feasible, ClarityLoop will assist Customer in responding to requests from data subjects to exercise their rights (e.g., access, deletion).

7. Data Breach Notification

ClarityLoop will notify Customer without undue delay upon becoming aware of a personal data breach involving Customer Personal Data. Such notification will include details reasonably required for Customer to comply with its obligations under applicable Data Protection Laws.

8. Data Transfers

ClarityLoop is registered in the United Kingdom and processes Customer Personal Data using infrastructure hosted on Google Cloud Platform in the United States.

Where such transfer constitutes a "Restricted Transfer" under applicable Data Protection Laws (e.g., UK GDPR or EU GDPR), ClarityLoop relies on the Standard Contractual Clauses (SCCs) as approved by the European Commission, and the UK Addendum as approved by the UK Information Commissioner's Office.

ClarityLoop agrees to comply with the obligations of the data importer under these frameworks. A signed version of the SCCs and supporting documentation is available upon request at security@clarityloop.com.

9. Return or Deletion of Data

Upon termination of the Agreement, ClarityLoop will, at the choice of the Customer, return or delete Customer Personal Data, unless retention is required by law. Backup data will be deleted according to ClarityLoop’s standard retention schedule.

10. Audit Rights

ClarityLoop will make available information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, conducted by Customer or a designated auditor, no more than once per year with reasonable notice, and subject to confidentiality obligations.

11. Liability

This DPA is subject to the limitations of liability set forth in the Agreement, except where prohibited by applicable law.

Annex I – Details of Processing

  • Nature and Purpose: To provide the Services under the Agreement.
  • Duration: For the term of the Agreement.
  • Categories of Data Subjects: Employees, contractors, or users of the Customer.
  • Types of Personal Data: Name, email address, feedback content, metadata related to workspace activity.
  • Sensitive Data: Not expected or permitted.

Annex II – Security Measures

See Security Practices for a full list of technical and organizational measures.

Last updated: March 24, 2025