Clevik — Data Processing Agreement

Last updated: March 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Clevik, Inc. ("Clevik," "Processor") and the entity agreeing to Clevik's Terms of Service ("Customer," "Controller") (together, the "Parties") and governs the processing of personal data by Clevik on behalf of Customer in connection with the Clevik platform and related services (the "Service").

This DPA supplements and is incorporated into Clevik's Terms of Service. In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of personal data.


1. Definitions

1.1. "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the Swiss Federal Act on Data Protection (FADP), the California Consumer Privacy Act (CCPA), and any other applicable data protection legislation.

1.2. "Controller" means the entity that determines the purposes and means of processing Personal Data. Under this DPA, the Customer is the Controller.

1.3. "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.

1.4. "Personal Data" means any information relating to a Data Subject that is processed by Clevik in connection with providing the Service, including personal data contained within Customer Business Data.

1.5. "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.

1.6. "Processor" means the entity that processes Personal Data on behalf of the Controller. Under this DPA, Clevik is the Processor.

1.7. "Sub-Processor" means a third party engaged by Clevik to process Personal Data on behalf of the Customer.

1.8. "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

1.9. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission (Commission Implementing Decision (EU) 2021/914).


2. Scope and Purpose of Processing

2.1. Scope. This DPA applies to all Personal Data that Clevik processes on behalf of Customer in connection with providing the Service, including personal data contained within:

  • Customer Business Data synced from ERP, CRM, and database systems
  • Documents uploaded to the knowledge base
  • Data processed through AI query features

2.2. Purpose. Clevik processes Personal Data solely as necessary to provide the Service as described in the Terms of Service, including:

  • Syncing, storing, and organizing Customer Business Data
  • Processing AI queries and generating outputs
  • Providing analytics and operational intelligence
  • Maintaining and improving Service performance and security

2.3. Customer Instructions. Clevik will process Personal Data only on documented instructions from the Customer, unless required by applicable law. The Customer's use of the Service (including configuration of data connections and submission of queries) constitutes documented instructions. If Clevik believes an instruction violates Applicable Data Protection Law, it will promptly notify the Customer.

2.4. Categories of Data Subjects. The categories of Data Subjects whose Personal Data may be processed include Customer's employees, customers, vendors, suppliers, partners, and other individuals whose data is contained in Customer's business systems.

2.5. Types of Personal Data. The types of Personal Data processed may include names, contact information, business transaction data, employment data, and other personal data contained in Customer's connected systems.


3. Clevik's Obligations

3.1. Processing Limitations. Clevik will:

  • (a) Process Personal Data only for the purposes described in Section 2 and in accordance with Customer's documented instructions;
  • (b) Not sell, share, or use Personal Data for any purpose other than providing the Service;
  • (c) Not combine Personal Data with personal data from other customers or third-party sources except as necessary to provide the Service;
  • (d) Maintain tenant isolation to prevent cross-customer data access.

3.2. Confidentiality. Clevik will ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.

3.3. Cooperation. Clevik will reasonably assist Customer in fulfilling its obligations under Applicable Data Protection Law, including obligations related to data protection impact assessments and prior consultation with supervisory authorities.


4. Sub-Processors

4.1. Authorized Sub-Processors. Customer authorizes Clevik to engage the following Sub-Processors:

| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Microsoft Azure | Cloud hosting, infrastructure, and AI model routing (Azure AI Foundry) | All Service data including Personal Data | East US 2 region, United States |
| ClickHouse Cloud | Analytics database for synced Customer Business Data | Customer Business Data | Cloud infrastructure |
| Supabase | Application database (PostgreSQL) for account and application data | Account data, application metadata | Cloud infrastructure |
| Stripe | Payment processing and billing | Customer billing information | United States |
| OpenAI | AI language model processing (accessed via Azure AI Foundry) | Query context and relevant data excerpts | Processed via Azure infrastructure |
| Anthropic | AI language model processing (accessed via Azure AI Foundry) | Query context and relevant data excerpts | Processed via Azure infrastructure |

4.2. Sub-Processor Obligations. Clevik will:

  • (a) Enter into written agreements with each Sub-Processor imposing data protection obligations no less protective than those in this DPA;
  • (b) Remain fully liable to Customer for the acts and omissions of its Sub-Processors;
  • (c) Conduct appropriate due diligence on Sub-Processors before engagement.

4.3. Changes to Sub-Processors. Clevik will provide Customer with at least thirty (30) days' advance written notice before engaging a new Sub-Processor or replacing an existing one. The notice will include the Sub-Processor's name, the processing it will perform, and its location.

4.4. Objection to Sub-Processors. Customer may object to a new Sub-Processor within fifteen (15) days of receiving notice. If Customer objects on reasonable data protection grounds, the Parties will work in good faith to resolve the concern. If no resolution is reached within thirty (30) days of Customer's objection, Customer may terminate the affected portion of the Service without penalty.

4.5. AI Model Providers. With respect to OpenAI and Anthropic: (a) Personal Data sent for AI processing is transmitted through Azure AI Foundry and is subject to Microsoft's data processing terms; (b) these providers do not retain Customer data for model training per our contractual agreements; (c) data is processed solely to generate the requested output and is not stored beyond the processing session.


5. Security Measures

5.1. Technical and Organizational Measures. Clevik implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, including:

  • (a) Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256 or equivalent);
  • (b) Tenant Isolation: Logical separation of each customer's data in the multi-tenant architecture;
  • (c) Access Controls: Role-based access controls, principle of least privilege, multi-factor authentication for Clevik personnel;
  • (d) Network Security: Firewalls, intrusion detection, network segmentation;
  • (e) Monitoring and Logging: Security event logging, monitoring, and alerting;
  • (f) Vulnerability Management: Regular vulnerability scanning and patching;
  • (g) Employee Security: Background checks, security training, and confidentiality agreements for personnel with access to Personal Data;
  • (h) Physical Security: Provided by our infrastructure providers (Azure, ClickHouse Cloud, Supabase) under their respective security programs;
  • (i) Business Continuity: Regular backups, disaster recovery procedures, and redundancy.

5.2. SOC 2 Certification. Clevik is pursuing SOC 2 Type II certification. Upon achieving certification, Clevik will make the audit report available to Customer upon request under NDA.

5.3. Security Updates. Clevik will review and update its security measures periodically to maintain an appropriate level of protection, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing.


6. Personal Data Breach Notification

6.1. Notification. Clevik will notify Customer of a confirmed Personal Data Breach without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach.

6.2. Notification Contents. The notification will include, to the extent available:

  • (a) A description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected;
  • (b) The name and contact details of Clevik's point of contact for the breach;
  • (c) A description of the likely consequences of the breach;
  • (d) A description of the measures taken or proposed to address the breach, including measures to mitigate its potential adverse effects.

6.3. Cooperation. Clevik will cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

6.4. Documentation. Clevik will document all Personal Data Breaches, including the facts, effects, and remedial actions taken, and will make this documentation available to Customer upon request.

6.5. No Acknowledgment of Fault. Notification of a breach under this Section 6 shall not be construed as an acknowledgment of fault or liability by Clevik.


7. Data Subject Rights

7.1. Assistance. Clevik will provide reasonable assistance to Customer in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection.

7.2. Direct Requests. If Clevik receives a request directly from a Data Subject regarding Personal Data processed under this DPA, Clevik will promptly redirect the Data Subject to Customer and notify Customer of the request, unless prohibited by law.

7.3. Technical Measures. Clevik will implement appropriate technical measures to enable Customer to fulfill Data Subject requests, including data export functionality and data deletion capabilities within the Service.


8. Data Return and Deletion

8.1. During the Term. Customer may export Customer Business Data (including Personal Data contained therein) at any time during the term through the Service's export functionality.

8.2. Upon Termination. Upon termination of the Terms of Service:

  • (a) Clevik will make Customer Business Data available for export for thirty (30) days following the effective date of termination;
  • (b) After the 30-day export period, Clevik will delete all Personal Data processed under this DPA within ninety (90) days, except as required to comply with applicable law;
  • (c) Clevik will confirm deletion in writing upon Customer's request.

8.3. Backup Copies. Copies of Personal Data may persist in encrypted backups for a limited period following deletion. Such backup data will be deleted through Clevik's normal backup rotation cycle and will not be actively processed.


9. Audit Rights

9.1. Audit. Customer may audit Clevik's compliance with this DPA once per calendar year, subject to the following conditions:

  • (a) Customer must provide at least thirty (30) days' advance written notice;
  • (b) Audits must be conducted during normal business hours and in a manner that minimizes disruption to Clevik's operations;
  • (c) Customer (or its authorized third-party auditor, subject to Clevik's reasonable approval and execution of a confidentiality agreement) may conduct the audit;
  • (d) The scope of the audit is limited to Clevik's processing of Personal Data under this DPA.

9.2. Audit Reports. In lieu of an on-site audit, Clevik may provide Customer with:

  • (a) Relevant third-party audit reports (e.g., SOC 2 report, when available);
  • (b) Certifications or attestations by qualified independent assessors;
  • (c) Written responses to reasonable audit questionnaires submitted by Customer.

9.3. Costs. Each party bears its own costs in connection with audits. If an audit requires Clevik resources beyond what is commercially reasonable, Customer will reimburse Clevik's reasonable costs upon prior agreement.


10. International Data Transfers

10.1. Transfer Mechanisms. To the extent that Personal Data is transferred from the EEA, UK, or Switzerland to the United States or any other country not deemed to provide an adequate level of data protection, the Parties agree to rely on the following transfer mechanisms:

  • (a) Standard Contractual Clauses (SCCs): The Parties hereby incorporate by reference the SCCs adopted by the European Commission (Commission Implementing Decision (EU) 2021/914). For transfers subject to Module Two (Controller to Processor): Customer is the "data exporter" and Clevik is the "data importer." The governing law and competent supervisory authority shall be determined by the EEA member state in which the data exporter is established, or, if not established in the EEA, the member state with the closest connection.

  • (b) UK Addendum: For transfers subject to the UK GDPR, the International Data Transfer Addendum to the EU SCCs (issued by the UK Information Commissioner) shall apply.

  • (c) Swiss Addendum: For transfers subject to the Swiss FADP, the applicable modifications to the SCCs required by the Swiss Federal Data Protection and Information Commissioner shall apply.

10.2. Sub-Processor Transfers. Clevik will ensure that any onward transfer of Personal Data to Sub-Processors in third countries is protected by appropriate transfer mechanisms as described above.

10.3. Transfer Impact Assessment. Clevik will cooperate with Customer in conducting transfer impact assessments where required by Applicable Data Protection Law and will implement supplementary measures as reasonably necessary to ensure an adequate level of protection.


11. Term and Termination

11.1. Term. This DPA is effective as of the date Customer agrees to the Terms of Service and remains in effect for as long as Clevik processes Personal Data on behalf of Customer under the Terms of Service.

11.2. Survival. Sections 6 (Breach Notification), 8 (Data Return and Deletion), 9 (Audit Rights), and 10 (International Data Transfers) shall survive termination of this DPA for as long as Clevik retains any Personal Data processed under this DPA.


12. Liability

The liability of each Party under this DPA is subject to the limitations of liability set forth in the Terms of Service, except that such limitations shall not apply to either Party's obligations under Applicable Data Protection Law to the extent prohibited by such law.


13. General

13.1. Governing Law. This DPA is governed by the laws of the State of Texas, without regard to its conflict of laws principles, except that the SCCs shall be governed as specified therein.

13.2. Amendments. This DPA may be amended only in writing signed by both Parties, except that Clevik may update the list of Sub-Processors in accordance with Section 4.3.

13.3. Entire Agreement. This DPA, together with the Terms of Service and Privacy Policy, constitutes the complete agreement between the Parties regarding the subject matter hereof.

13.4. Severability. If any provision of this DPA is held to be unenforceable, the remaining provisions remain in full force and effect.


14. Contact

For questions about this DPA or to exercise rights under this agreement:

Clevik, Inc.
Austin, Texas, USA
Email: support@clevik.com
Website: clevik.com