
Data Processing Agreement

Last updated: April 12, 2026

About This Agreement

This page describes how Clairity processes personal data on behalf of its customers. It is provided for transparency and is available to all users.

Free and Paid plan customers may reference this page to understand Clairity's data processing practices. These terms apply by default as part of the Clairity Terms of Service.

Enterprise customers requiring a formally executed, countersigned DPA for procurement, compliance, or regulatory purposes (e.g. EU GDPR, UK GDPR) can request one as part of the Enterprise plan. To request a countersigned copy, contact us at privacy@clairity-co.com or use the Enterprise inquiry form on our website. We aim to respond within 5 business days.

1. Definitions

For the purposes of this DPA:

  • "Controller" means the organization or individual that determines the purposes and means of processing personal data — i.e., the Clairity customer.
  • "Processor" means the party that processes personal data on behalf of the Controller — i.e., Clairity Cutover Management.
  • "Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable data protection law.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Sub-Processor" means any third party engaged by Clairity to process Personal Data in connection with the service.

2. Roles and Responsibilities

The parties acknowledge that:

  • The customer (Controller) determines what personal data is entered into Clairity and for what purpose.
  • Clairity (Processor) processes that personal data only to deliver the contracted service and only in accordance with the Controller's documented instructions.
  • Clairity will not process Personal Data for its own purposes, sell it to third parties, or use it for advertising.

3. Nature and Purpose of Processing

Clairity processes the following categories of personal data on behalf of the Controller:

  • Names and email addresses of users and team members
  • Content entered into the platform (task descriptions, notes, risk entries, etc.) that may reference individuals
  • Authentication and session data
  • Usage metadata such as timestamps and action logs (audit trail)

Processing is carried out for the purpose of providing the Clairity cutover management service as described in the Terms of Service.

4. Sub-Processors

Clairity uses the following sub-processors to deliver the service. The Controller hereby provides general authorization for their use:

Sub-Processor | Purpose | Location
Neon (neon.tech) | PostgreSQL database hosting — stores all platform data | United States
Resend (resend.com) | Transactional email delivery for invitation emails | United States
Vercel (vercel.com) | Application hosting and serverless function execution | United States / Global CDN

Clairity will notify the Controller of any intended changes to sub-processors by updating this page and sending an email notice to the account admin at least 14 days in advance, giving the Controller the opportunity to object.

5. International Data Transfers

Personal data may be transferred to and processed in the United States. Clairity relies on the data processing terms of its sub-processors, which include Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms where required by applicable law.

6. Security Measures

Clairity implements the following technical and organizational measures to protect personal data:

  • Passwords are hashed using bcrypt with a cost factor of 12 — plaintext passwords are never stored
  • All data in transit is encrypted using TLS (HTTPS enforced)
  • Database connections require SSL with channel binding
  • Authentication uses secure, HttpOnly session tokens managed by NextAuth
  • Access to production systems is restricted to authorized personnel only
  • Organization data is logically isolated — users can only access data belonging to their organization

7. Data Subject Rights

Clairity will assist the Controller in responding to data subject rights requests (access, rectification, erasure, portability, objection) to the extent technically feasible. Controllers may contact us at privacy@clairity-co.com to submit such requests on behalf of their data subjects.

Where a data subject contacts Clairity directly, we will forward the request to the relevant Controller within 5 business days.

8. Data Breach Notification

In the event of a personal data breach that affects the Controller's data, Clairity will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include:

  • A description of the nature of the breach
  • The categories and approximate number of data subjects affected
  • The categories and approximate number of records affected
  • The measures taken or proposed to address the breach

9. Retention and Deletion

Upon termination of the service or upon written request from the Controller, Clairity will delete all Personal Data within 30 days, except where retention is required by law. Confirmation of deletion will be provided on request.

10. Signed DPA (Enterprise)

A formally executed, countersigned copy of this DPA is available to Enterprise plan customers. If your procurement or legal team requires a signed DPA for compliance, audit, or regulatory purposes, please contact us:

Clairity Cutover Management
Email: privacy@clairity-co.com
Subject: DPA Request — [Your Organization Name]

Alternatively, use the Enterprise inquiry form on the pricing page and mention your DPA requirement in the message. We aim to respond within 5 business days.

Free and Paid plan customers who require a signed DPA should consider upgrading to Enterprise. Contact us to discuss pricing and scope.