Skip to content
Claresia Docs

DPA template

Claresia’s DPA is Schrems II compliant — it includes the EU Standard Contractual Clauses (SCCs), technical and organizational measures (TOMs), and the supplementary measures Schrems II requires for transfers to the US.

The downloadable PDF lives at trust.claresia.com/dpa. This page describes its structure for engineering and compliance teams.

Sections

Section titled “Sections”

1. Definitions

Section titled “1. Definitions”
  • Controller / Processor / Sub-Processor
  • Personal Data
  • Special Categories of Personal Data
  • Authorized Affiliates / Authorized Sub-Processor

2. Scope of Processing

Section titled “2. Scope of Processing”
  • Subject matter
  • Duration
  • Nature and purpose
  • Type of personal data
  • Categories of data subjects

3. Customer’s instructions

Section titled “3. Customer’s instructions”
  • Standing instruction: process per the contract + this DPA
  • Out-of-scope instructions require a written change order

4. Personnel

Section titled “4. Personnel”
  • Confidentiality obligations of Claresia personnel
  • Limits on access (need-to-know basis)
  • Background checks where required by law

5. Sub-Processors

Section titled “5. Sub-Processors”
  • General authorization (with right to object — see Sub-processors)
  • 14-day prior notice
  • 90-day prior notice for new data-plane sub-processors
  • Sub-processor DPA flow-down requirement

6. Data Subject Requests

Section titled “6. Data Subject Requests”
  • Claresia assists Controller in honoring data subject rights:
    • Access (Art. 15)
    • Rectification (Art. 16)
    • Erasure (Art. 17) — see Retention
    • Restriction (Art. 18)
    • Portability (Art. 20)
  • 30-day fulfillment SLA for assistance

7. Personal Data Breach Notification

Section titled “7. Personal Data Breach Notification”
  • Claresia notifies Controller within 72 hours of becoming aware
  • Notification includes: nature, categories of data, approximate volume, consequences, mitigation
  • Joint root-cause analysis

8. International Data Transfers

Section titled “8. International Data Transfers”
  • For transfers to non-adequate jurisdictions (e.g., US): EU SCCs Module 2 (Controller-to-Processor) attached
  • Supplementary measures per Schrems II:
    • Encryption in transit (TLS 1.3) and at rest (AES-256)
    • Pseudonymization where feasible
    • No FISA 702 challenges in our deployment
    • Customer Lockbox for support access (Mode B/C)
  • Mode C BYOC: no transfer at all (data plane stays in customer cloud)

9. Audits

Section titled “9. Audits”
  • Customer’s right to audit Claresia (annual + on incident)
  • Reliance on third-party audits (SOC 2 Type 2, ISO 27001) accepted in lieu
  • 30-day notice for on-site audits
  • Reasonable cost limits

10. Deletion + Return of Data

Section titled “10. Deletion + Return of Data”
  • On contract termination, Controller chooses: delete or return
  • Return: structured JSON-Lines export within 30 days
  • Delete: hard-delete within 90 days, governance_event audit retained per Art. 17(3)(b)

11. Governing Law

Section titled “11. Governing Law”
  • For EU customers: customer’s local jurisdiction (Schrems II compliant)
  • For US customers: Delaware
  • Customer-negotiable

Annex 1 — Description of Processing

Section titled “Annex 1 — Description of Processing”
  • Subject matter, duration, nature, purpose, types of data, categories of data subjects (auto-populated from your tenant config at signing)

Annex 2 — Technical and Organizational Measures

Section titled “Annex 2 — Technical and Organizational Measures”
  • Encryption (at rest + in transit)
  • Pseudonymization + anonymization (provenance hashes are not personal data)
  • Confidentiality (RBAC, least-privilege)
  • Integrity (provenance + cosign chain)
  • Availability (multi-AZ, multi-region, backups)
  • Resilience (DR drills, status page, SLA)
  • Incident response (24/7, 72-hour notification SLA)
  • Audit logging (7-year governance_event chain)
  • Personnel training (annual security training)
  • Vendor risk management (sub-processor onboarding gate)

Annex 3 — Sub-Processors

Section titled “Annex 3 — Sub-Processors”

Annex 4 — Standard Contractual Clauses

Section titled “Annex 4 — Standard Contractual Clauses”
  • Module 2 (Controller-to-Processor) for transfers to non-adequate countries
  • Module 3 (Processor-to-Processor) for our use of sub-processors
  • Both signed at contract execution

How to request the DPA

Section titled “How to request the DPA”

For a standard Mode A click-through DPA: integrated into the Onboarding Portal sign-up.

For a signed, redlined DPA (Mode B/C): contact your CSM. Standard turnaround 2 weeks. Redlines accepted on Annex 1 (description) and Annex 4 (governing law). Redlines on Annex 2 (TOMs) require Claresia security team review and typically take 4 weeks.

NIS2 Readiness Pack

Section titled “NIS2 Readiness Pack”

Available Q3 2026 GA. Required for EU customers classified as essential/important entities under NIS2. Adds:

  • 18 NIS2 categories of PHI handling
  • 60-day breach notification (vs 72h GDPR)
  • BAA-specific TOMs (encryption, access logs, audit cooperation)

EU AI Act compliance

Section titled “EU AI Act compliance”

The DPA includes a Provider obligations annex (Article 13–15 of EU AI Act) covering:

  • Transparency obligation (Article 13) — Claresia documents the AI system in this docs site
  • Human oversight (Article 14) — decision Hub records capture HITL approvals
  • Logging (Article 12) — governance_event chain provides 7-year audit

Reference

Section titled “Reference”