Data Processing Agreement
ClauseClear's standard Data Processing Agreement (DPA), available to all Enterprise customers and on request to other tiers. Governs processing of Personal Data under UK GDPR Article 28 and the UK Data Protection Act 2018.
Last updated:
How to use this DPA
This page is the publishable version of ClauseClear’s standard DPA. It is legally binding when (a) executed by both parties via electronic signature, or (b) incorporated by reference into the Customer’s Master Services Agreement (MSA) or Order Form.
Self-serve customers (Starter / Pro tiers) accept this DPA by reference when they tick the consent box at /onboarding and accept the Terms of Service. Enterprise customers receive a counter-signed copy as part of their MSA package.
For a Word / PDF copy ready for your legal team to mark up, email hello@clauseclear.co.uk.
The parties
Processor: PJ Consulting Group Ltd, trading as ClauseClear, a company registered in England & Wales under company number 13298258; ICO data-protection fee registration number 00014050667 (“ClauseClear”, the “Processor”). The Processor’s registered office and full notice address will be inserted into the signed copy of this DPA when executed with a specific Customer.
Controller: The customer entity identified in the applicable Order Form, MSA, or self-serve account (the “Customer”, the “Controller”).
1. Definitions
Unless otherwise defined here, capitalised terms have the meaning given to them in the UK GDPR and the UK Data Protection Act 2018 (together, the “Data Protection Laws”).
- “Affiliate” means an entity that controls, is controlled by, or is under common control with a party.
- “Customer Data” means Personal Data that ClauseClear processes on behalf of the Customer in connection with the Services.
- “Personal Data Breach” has the meaning given in Article 4(12) UK GDPR.
- “Services” means the ClauseClear platform, including Terms & Conditions audits, the Simpler Terms translator, the verified badge, change-detection monitoring, and any related functionality made available under the Customer’s subscription.
- “Subprocessor” means any third party engaged by ClauseClear to process Customer Data on its behalf.
2. Scope and roles
2.1 Roles
The Customer is the Controller and ClauseClear is the Processor in respect of the Customer Data. Each party will comply with its obligations under the Data Protection Laws as such roles dictate.
2.2 Scope
This DPA applies to ClauseClear’s processing of Customer Data that is Personal Data, in connection with the provision of the Services to the Customer. It does not apply to data ClauseClear processes as a Controller (e.g. billing records, marketing analytics about ClauseClear itself).
3. Processing details
The subject matter, duration, nature, purpose, types of Personal Data and categories of data subjects are described in Annex 1. ClauseClear will process Customer Data only:
- for the purposes set out in Annex 1 and in accordance with the documented instructions of the Customer (which include the MSA, Order Form, this DPA, and any subsequent written instructions); and
- where processing is required by UK or EU law applicable to ClauseClear, in which case ClauseClear will inform the Customer of that legal requirement before processing, unless the law prohibits such notification.
4. Confidentiality
ClauseClear will ensure that any person it authorises to process the Customer Data (including employees, contractors and Subprocessors) is bound by an appropriate obligation of confidentiality, whether by contract or statutory duty.
5. Security (Article 32 measures)
ClauseClear will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including those specified in Annex 3. The current operational measures are also published at /security and may be updated from time to time, provided the level of protection is not materially decreased.
6. Subprocessors
6.1 General authorisation
The Customer provides general authorisation for ClauseClear’s use of Subprocessors, the current list of which is published at /subprocessors and reproduced in Annex 2.
6.2 Notice of changes
ClauseClear will give the Customer at least 30 days’ prior notice of any addition or replacement of a Subprocessor by updating the published list and notifying the Customer’s primary contact email. The Customer may object to a proposed change on reasonable data-protection grounds, in which case the parties will work in good faith to resolve the objection; if no resolution is reached, the Customer may terminate the affected Services with no further fees payable for the unused portion of the term.
6.3 Subprocessor obligations
ClauseClear will impose on every Subprocessor data-protection obligations no less protective than those in this DPA, and will remain liable to the Customer for the acts and omissions of its Subprocessors as if they were its own.
7. International transfers
The majority of ClauseClear’s processing takes place within the UK and EEA. Where Customer Data is transferred outside the UK to a country not covered by an adequacy decision, ClauseClear ensures an appropriate transfer mechanism is in place, including:
- the UK International Data Transfer Agreement (IDTA) issued by the ICO; or
- the UK Addendum to the EU Standard Contractual Clauses; or
- another mechanism approved by the ICO from time to time.
The current Subprocessor that requires a transfer mechanism is Anthropic PBC (United States), used for AI inference. The IDTA between ClauseClear and Anthropic is on file and available on reasonable request.
8. Personal Data Breach
ClauseClear will notify the Customer of any Personal Data Breach affecting Customer Data without undue delay, and in any event within 48 hours of becoming aware of it. The notification will include, to the extent then known:
- the nature of the breach, including categories and approximate numbers of data subjects and Personal Data records affected;
- the likely consequences of the breach;
- the measures taken or proposed to address the breach and mitigate its adverse effects; and
- contact details for further information.
ClauseClear will reasonably assist the Customer in fulfilling its own breach notification obligations to the ICO and to affected data subjects.
9. Data subject rights
ClauseClear will, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as practicable, in fulfilling the Customer’s obligation to respond to requests for the exercise of data subject rights under Chapter III UK GDPR.
Where ClauseClear receives a data-subject request that relates to Customer Data, ClauseClear will not respond to the data subject directly except to confirm that the request has been forwarded to the Customer. ClauseClear will forward the request to the Customer within 5 working days of receipt.
10. Assistance with security and impact-assessment obligations
ClauseClear will, taking into account the nature of the processing and the information available to it, reasonably assist the Customer in ensuring compliance with its obligations under Articles 32 to 36 UK GDPR (security, breach notification, data protection impact assessments, prior consultation).
11. Audit and information rights
11.1 Information requests
ClauseClear will make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 UK GDPR. This ordinarily takes the form of: (a) the published Subprocessor list; (b) the published Security & Data Handling page; (c) any third-party assurance reports ClauseClear holds (e.g. SOC 2, ISO 27001) where available; and (d) written responses to reasonable security questionnaires.
11.2 On-site audits
On reasonable prior written notice (not less than 30 days, except in the case of a Personal Data Breach reasonably requiring earlier inspection), the Customer or an independent third-party auditor reasonably acceptable to ClauseClear may conduct an audit limited to ClauseClear’s compliance with this DPA. Audits will be conducted during normal business hours, no more than once per twelve- month period (except in the case of a Personal Data Breach), and at the Customer’s sole cost. ClauseClear may charge its reasonable costs of cooperating with audits beyond the first per year.
12. Return or deletion of Customer Data
On termination of the Services, the Customer may instruct ClauseClear, within 30 days, to either: (a) return all Customer Data in a commonly used machine-readable format; or (b) delete all Customer Data from ClauseClear’s active systems. In the absence of an instruction within that 30-day period, ClauseClear will delete the Customer Data.
Backups containing Customer Data will be deleted in the normal course of ClauseClear’s backup cycle, which is no longer than 90 days after deletion from active systems. ClauseClear may retain Customer Data to the extent required by law, in which case it will continue to apply the technical and organisational measures of this DPA for the period of retention.
13. Liability
The liability of each party under or in connection with this DPA is governed by the liability provisions of the MSA or, for self-serve customers, the Terms of Service. Nothing in this DPA limits or excludes any liability that cannot be limited or excluded by law (including liability for personal injury caused by negligence or fraud).
14. Conflict and severability
In the event of a conflict between this DPA and any other agreement between the parties, this DPA prevails to the extent of the conflict, in respect of the subject matter of this DPA. If any provision of this DPA is held unenforceable, the remainder will continue in full force and effect.
15. Governing law and jurisdiction
This DPA is governed by the laws of England and Wales. The English courts have exclusive jurisdiction over any dispute arising out of or in connection with this DPA, save that either party may seek injunctive or equitable relief in any court of competent jurisdiction to protect Personal Data or enforce its rights under this DPA.
Annex 1 — Description of processing
A1.1 Subject matter
Provision of the ClauseClear Services to the Customer, namely automated audit of the Customer’s published Terms & Conditions against the UK Digital Markets, Competition and Consumers Act 2024 and connected consumer-protection statute; production of a “Simpler Terms” translation; rendering of the verified ClauseClear badge on the Customer’s checkout/T&Cs page; ongoing change-detection of the published terms.
A1.2 Duration
For the term of the MSA / subscription, plus any wind-down period as set out in Section 12 of this DPA.
A1.3 Nature and purpose of processing
Storage of Customer account records; automated text processing of the Customer’s submitted T&Cs through the ClauseClear rules engine and the Anthropic Claude AI translator; daily HTTP fetch of the Customer’s published T&Cs URL for content-hash comparison; serving of the Verified badge via embed.js to visitors of the Customer’s site; sending of transactional email to the Customer (welcome, change alerts, billing) via Resend.
A1.4 Types of Personal Data
- Customer Personnel data: name, business email address, business role, single-sign-on identifier (Google or Microsoft) of users authorised to administer the Customer’s ClauseClear account.
- Solicitor / advisor email nominated by the Customer to receive copies of compliance reports.
- Customer’s published T&Cs text: the full text of the Customer’s consumer-facing terms, which may incidentally contain personal data (e.g. names of directors, contact email of the Customer’s data-protection contact).
- Visitor IP-derived data: shoppers visiting the Customer’s install points (embed.js, verify page) generate request logs held by Vercel; ClauseClear’s own database stores only daily-salted SHA-256 hashes of visitor IPs (non-reversible) for rate-limiting and abuse prevention. No raw IP addresses or device identifiers are persisted by ClauseClear.
A1.5 Categories of data subjects
- Customer Personnel (administrators, billing contacts).
- Customer’s nominated legal advisors.
- Visitors to the Customer’s consumer-facing pages where ClauseClear’s embed.js or verify page is rendered (limited to non-PII salted-hash records).
- Individuals incidentally named in the Customer’s published T&Cs text.
A1.6 Special categories of Personal Data
ClauseClear does not knowingly process special categories of Personal Data (Article 9 UK GDPR) on behalf of the Customer. The Customer must not submit special-category Personal Data through the Services without prior written agreement.
Annex 2 — Approved Subprocessors
The current list of Subprocessors is maintained at /subprocessors. As at the “Last updated” date of this DPA, the approved Subprocessors are:
- Vercel Inc. — web hosting, edge CDN, serverless function execution — EU primary, global edge.
- Supabase Inc. — database, authentication, RLS — Frankfurt, Germany.
- Anthropic PBC — AI inference for the Simpler Terms translator — United States and United Kingdom (UK IDTA in place).
- Resend Inc. — transactional email delivery — Ireland (EU).
- GoDaddy.com LLC — domain registrar and DNS hosting (no user data) — United Kingdom.
- Microsoft Corporation — inbound email at clauseclear.co.uk via Microsoft 365; SSO sign-in option — European Union.
- Google LLC — SSO sign-in option (Google OAuth) — global, with EU residency.
Annex 3 — Technical and organisational measures
The full operational description of ClauseClear’s security measures is published at /security and is incorporated by reference. The minimum measures applied to Customer Data are:
- Encryption in transit: TLS 1.2 or higher on all public endpoints; HSTS enforced on the production domain.
- Encryption at rest: AES-256 on the production database and on backups; encryption-at-rest of secrets stored in the deployment platform.
- Access control: role-based access; named-allowlist for administrative access; per-tenant isolation enforced by Postgres row-level security.
- Authentication: SSO-only (Google or Microsoft) for administrative access; passwords are not stored by ClauseClear.
- Backup and recovery: daily automated database backups; recovery time objective ≤ 4 hours; recovery point objective ≤ 24 hours.
- Vulnerability management: automated dependency scanning on every deploy; critical patches applied within 24 hours of disclosure where practicable.
- Incident response: documented breach-notification procedure including ICO and affected-data-subject notification within statutory windows.
- Personnel: all ClauseClear personnel and authorised contractors are bound by written confidentiality obligations.
Additional or stricter measures may be agreed in the Order Form for Enterprise customers (e.g. dedicated VPC, customer-managed keys, named-individual access logging).
Signature block
For Enterprise execution, this DPA is signed in counterpart by an authorised signatory of each party. For self-serve acceptance, the “I agree to Terms, Privacy Policy, and Cookie Policy” tickbox at /onboarding incorporates this DPA by reference and constitutes execution by the Customer.
For a counter-signable copy of this DPA in Word or PDF format, email hello@clauseclear.co.uk.