
Data Processing Agreement

Last updated: May 12, 2026 · hello@gainclarity.ai


This Data Processing Agreement (“DPA”) forms part of the agreement between Codewerx LLC, doing business as Clarity AI (“Clarity”), and the customer organization (“Customer”) under which Clarity processes personal data on Customer’s behalf. Capitalized terms not defined here have the meaning given in the underlying agreement. Where the GDPR applies, terms used here have the meaning given in Article 4 of the GDPR.

1 Scope & roles

Customer is the controller of personal data it submits to or generates within the Software. Clarity is the processor and processes personal data only on Customer’s documented instructions, including those set out in the underlying agreement and this DPA.

2 Subject matter & duration

The subject matter of processing is the provision of the Software and related services described in the Order Form. The duration of processing is the term of the underlying agreement plus any period required for return or deletion under Section 12.

3 Nature & purpose

Personal data is processed to deploy, operate, secure, maintain, and support the Software within Customer-aligned environments, to deliver the integrations described in the Order Form, and to comply with applicable law.

4 Categories of data & data subjects

Data subjects. Customer’s personnel, end users, contractors, and other individuals whose data Customer chooses to process within the Software.

Categories of personal data. Identification data (name, email, role), business contact information, content submitted to the Software by data subjects, technical metadata (IP, device, timestamps), and any further categories Customer chooses to submit.

Special categories. Clarity does not require special-category data to provide the Software. Customer should not submit special-category data unless it has been agreed in writing.

5 Processor obligations

  • Process personal data only on Customer’s documented instructions, including those reflected in the underlying agreement and this DPA, except as required by applicable law (in which case Clarity will notify Customer in advance unless prohibited by law).
  • Ensure that personnel authorized to process personal data are bound by written confidentiality obligations.
  • Implement and maintain the security measures described in Annex A.
  • Assist Customer with data subject rights, security, breach notification, data protection impact assessments, and prior consultations (Sections 8 and 9).
  • At Customer’s choice, delete or return personal data at the end of the service term (Section 12).
  • Make available to Customer information needed to demonstrate compliance with this DPA (Section 11).

6 Sub-processors

Customer grants general authorization for Clarity to engage sub-processors. The current list is in Annex B. Clarity will (a) impose written terms on each sub-processor that are no less protective than this DPA, (b) remain responsible for sub-processor performance, and (c) notify Customer at least 30 days before adding or replacing a sub-processor.

Customer may object to a new sub-processor on reasonable data-protection grounds during the notice period. If the parties cannot resolve the objection, either party may terminate the affected portion of the underlying agreement without penalty.

7 Security measures

Clarity maintains technical and organizational measures designed to ensure a level of security appropriate to the risk, including the measures described in Annex A. Clarity will review these measures regularly and may update them provided they do not materially decrease the level of protection.

8 Assistance with data subject rights

Taking into account the nature of processing, Clarity will assist Customer through appropriate technical and organizational measures (and where reasonable, in-product tooling) to respond to requests from data subjects to exercise their rights under applicable data protection law. If a data subject contacts Clarity directly, Clarity will promptly forward the request to Customer and will not respond except to direct the data subject to Customer.

9 Personal data breach

Clarity will notify Customer without undue delay and in any event within 48 hours after becoming aware of a personal data breach affecting Customer’s personal data. The notification will include the information reasonably available about the breach, the categories and approximate number of data subjects and records affected, and the measures taken or proposed.

10 International transfers

Clarity is headquartered in the United States. Where Clarity transfers personal data of EU/EEA, UK, or Swiss data subjects to a country that has not been the subject of an adequacy decision, the parties will rely on the EU Standard Contractual Clauses (Module Two: controller to processor), incorporated into this DPA by reference, with the UK Addendum and Swiss equivalent applying where relevant.

11 Audits

Clarity will make available to Customer, on reasonable written request and no more than once per year (except following a personal data breach or where required by a regulator), the most recent third-party audit reports (e.g., SOC 2) and summaries of penetration test results, under NDA. Where additional audit information is reasonably required by applicable law, the parties will agree the scope and timing in good faith, with on-site audits limited to business-day hours and at Customer’s expense.

12 Return or deletion

Within 30 days after the end of the service term, Clarity will, at Customer’s choice, return or delete all personal data processed on behalf of Customer, unless retention is required by applicable law. Backups containing personal data will be deleted in line with Clarity’s standard backup rotation, during which time the data remains subject to this DPA.

Annex A — Security measures

Clarity implements the following technical and organizational measures:

  • Access control. SSO with MFA for production systems, least-privilege access, quarterly access reviews, just-in-time elevation for sensitive operations.
  • Encryption. TLS 1.2+ in transit; AES-256 at rest; managed key rotation via the cloud provider’s KMS.
  • Tenant isolation. Organization-specific deployment boundaries with logical isolation where shared operational services are used; dedicated organization-specific deployments available where operational or compliance requirements call for them.
  • Network security. Private networking between services, firewall and WAF on public surfaces, no direct database exposure.
  • Vulnerability management. Continuous dependency scanning, monthly patch cadence, periodic third-party penetration testing.
  • Logging & monitoring. Centralized audit logging with integrity protection; alerting on security-relevant events.
  • Backups & recovery. Encrypted backups, documented RPO/RTO targets per environment, periodic restore testing.
  • Personnel. Background checks where permitted by law, confidentiality agreements, annual security and privacy training.
  • Vendor management. Diligence and contractual safeguards on sub-processors; published list maintained in Annex B.
  • Incident response. Written runbooks, on-call rotation, customer-notification SLA defined in Section 9.

Annex B — Sub-processors

As of the last-updated date above:

  • Amazon Web Services (AWS). Category: Part of service offering. Location: United States. Purpose of processing: Hosts and operates Clarity’s production infrastructure, including servers, storage, application services, logging systems, support tooling, and transactional email delivery required to securely operate and deliver the Clarity service.
  • Google Workspace. Category: Internal tooling. Location: United States. Purpose of processing: Used for internal authentication, email, document collaboration, and operational communications. May process customer or prospect contact information and support-related communications.
  • OpenAI. Category: Engineering. Location: United States. Purpose of processing: Used internally by Clarity personnel for engineering, research, documentation, and operational tooling. Customer data is not intentionally submitted as part of normal operations.
  • Anthropic Claude. Category: Engineering. Location: United States. Purpose of processing: Used internally by Clarity personnel for engineering, research, documentation, and operational tooling. Customer data is not intentionally submitted as part of normal operations.

For changes to this list, see Section 6.

© 2026 Clarity AI. All rights reserved. Codewerx LLC, DBA Clarity AI · Operating since 2014