Clarivy · Bilingual AI Search Visibility

Data Processing Agreement (template)

v1.0 · Effective 11 June 2026 · To be signed via DocuSign — dpo@clarivy.ai

This Data Processing Agreement ("DPA") forms part of the Clarivy Master Services Agreement (MSA) between HG-Solution Co., Limited ("Processor") and the Customer ("Controller"). It satisfies GDPR Art. 28, is compatible with UK GDPR, and incorporates the EU Standard Contractual Clauses 2021/914 Module 2 (Controller-to-Processor) and Module 3 (Processor-to-Sub-processor) by reference. For Mainland-China-resident data, it also incorporates one of the three PIPL §38/39/40 mechanisms, applied case-by-case.

Article 1 — Definitions

Capitalised terms have the meaning given in GDPR Art. 4. "Personal Data," "Processing," "Controller," "Processor," "Sub-processor," "Data Subject" all have their statutory meaning. "Customer Personal Data" means the Personal Data described in Schedule A.

Article 2 — Scope, nature, and purpose of processing

Processor shall process Customer Personal Data only (a) for the purposes set out in Schedule A, (b) on the documented instructions of Controller (the MSA + this DPA + Controller's written instructions), and (c) as required by applicable law. Processor shall inform Controller of any legal requirement that mandates processing, unless that law prohibits such information on important grounds of public interest.

Article 3 — Sub-processors

Controller authorises Processor to engage the sub-processors listed at /legal/subprocessors.html. Processor shall (i) provide at least 30 calendar days' prior notice of any new or replacement sub-processor, by email and in-product notification; (ii) impose data-protection terms on each sub-processor that are no less protective than this DPA; (iii) remain fully liable for any sub-processor's acts or omissions. If Controller objects to a new sub-processor on reasonable data-protection grounds, Controller may terminate the affected services and receive a pro-rata refund of pre-paid fees for undelivered work, or, if the objection is material, terminate the entire MSA with 90 days' transition assistance.

Article 4 — Processor obligations (Art. 28(3))

  (a) Documented instructions. Process only on documented instructions.
  (b) Confidentiality. Ensure persons authorised to process the data are bound by confidentiality.
  (c) Security measures. Implement appropriate technical and organisational measures (see Schedule B).
  (d) Sub-processor controls. Engage sub-processors only with prior specific or general written authorisation, and notify Controller of any intended changes.
  (e) Assistance with Data Subject rights. Assist Controller in responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection, automated decision-making) within 30 days, free of charge, using the customer self-service portal where possible.
  (f) Assistance with Art. 32–36. Assist Controller in ensuring compliance with security, breach notification, DPIA, and prior consultation obligations.
  (g) Return or deletion on termination. At Controller's choice, return or delete all Customer Personal Data within 30 days of termination, retaining only what is required by law (e.g. tax records).
  (h) Audit rights. Make available to Controller all information necessary to demonstrate compliance with Art. 28, and allow audits (see Article 8).

Article 5 — Data Subject rights assistance

Processor shall, on Controller's request, (i) provide self-service export and deletion via the product UI, (ii) assist with Data Subject access requests within 30 days (extendable to 60 days for complex requests, with notice), (iii) forward any Data Subject request received directly by Processor to Controller within 48 hours, and (iv) not respond to Data Subjects directly without Controller's written instruction, except to acknowledge receipt and refer them to Controller.

Article 6 — Security measures (Art. 32)

Processor shall implement the measures set out in Schedule B, including but not limited to: TLS 1.3 in transit; AES-256 at rest; per-tenant key rotation every 12 months; least-privilege RBAC with mandatory MFA on all production systems; centralised logging with 12-month retention; immutable audit trail for all data access; quarterly vulnerability scans and annual third-party penetration tests; documented incident response plan with tabletop exercises at least twice per year.

Article 7 — Data return and deletion

On termination of the MSA, or earlier on Controller's written request, Processor shall, at Controller's election, (a) return Customer Personal Data in a machine-readable format (JSON / CSV) within 30 days, or (b) permanently delete Customer Personal Data within 30 days. Processor shall provide a PGP-signed deletion attestation within 7 days of deletion. Backups containing Customer Personal Data are deleted within 30 days of the deletion request (rolling backup window); Processor is not obliged to delete data it is required to retain by law (e.g. tax records for 7 years under HK IRO Cap. 112 §51C), and shall inform Controller of any such retention.

Article 8 — Audit rights

Processor shall make available to Controller, on reasonable request and subject to confidentiality, (i) a current SOC 2 Type II report once available, (ii) a current ISO 27001 certificate once available, (iii) a redacted penetration-test summary (free, public), and (iv) the full penetration-test report under NDA. Once per calendar year, Controller may audit Processor in person or via an independent third-party auditor, on 30 days' notice, during business hours, subject to confidentiality and at Controller's expense.

Article 9 — International transfers

For Personal Data transferred from the EEA, UK, or Switzerland to a country not covered by an adequacy decision, the parties rely on the EU Standard Contractual Clauses 2021/914 (Module 2 or 3 as applicable), with the UK Addendum where required. For Personal Data transferred out of Mainland China, the parties rely on one of the three PIPL mechanisms (security assessment / standard contract / certification) per PIPL §38–40, selected based on the volume and sensitivity of the transfer. Processor shall conduct a Transfer Impact Assessment before any new sub-processor engages in cross-border processing.

Article 10 — Liability

Liability under this DPA is subject to the liability cap in the MSA, except that this cap shall not apply to (i) Processor indemnification for IP infringement, (ii) breach of confidentiality, (iii) any liability that cannot be limited by law (gross negligence, wilful misconduct, fraud).

Article 11 — Term and termination

This DPA is effective from the Effective Date of the MSA and terminates when Processor has returned or deleted all Customer Personal Data. Articles 7 (return / deletion), 8 (audit), 9 (transfers), 10 (liability), and 12 (governing law) survive termination.

Article 12 — Governing law

This DPA is governed by the laws of Hong Kong SAR. Disputes are resolved per the MSA's dispute-resolution clause, except that any matter within the exclusive jurisdiction of a Data Subject's habitual residence (e.g. GDPR Art. 79) shall be brought in that jurisdiction.

Schedule A — Processing details

Categories of Data Subject: Customer's authorised users (employees, contractors, agents with a business need)
Categories of Personal Data: Name, work email, company name, country, billing details; the 3 audit queries (typically non-personal); Customer's brand/URL being audited (may include PII if the URL contains PII, e.g. a founder's personal site)
Special categories: None processed. Customer warrants no special-category data is submitted.
Processing purposes: Delivering the GEO audit deliverable; invoicing; support; security; aggregated, anonymised industry benchmarking (opt-out available)
Duration: Term of the MSA + 30-day deletion window
Sub-processors: Per /legal/subprocessors.html

Schedule B — Technical and organisational measures

  1. Encryption: TLS 1.3 in transit (forward secrecy); AES-256 at rest; per-tenant key rotation every 12 months.
  2. Access control: least-privilege RBAC, mandatory MFA, 90-day password rotation, immediate revocation on personnel change.
  3. Logging: centralised audit logs, 12-month retention, immutable storage, alerting on anomalous access.
  4. Vulnerability management: quarterly third-party scans, annual third-party penetration test, public pen-test summary, full report under NDA.
  5. Business continuity: daily backups, 30-day retention, documented RTO 4h / RPO 1h, annual DR test.
  6. Personnel: confidentiality clauses in every employment contract, annual security & privacy training, background checks where local law permits.
  7. Vendor management: DPA required from every sub-processor, ZDR contracts for all LLM sub-processors.
  8. Incident response: 24×7 on-call, documented runbook, preliminary report to Customer within 48h, regulator notification within 72h (GDPR), root-cause report within 30 days.

How to sign

Email dpo@clarivy.ai with subject "DPA signing request". We will counter-sign within 5 business days. Both parties retain a fully-executed PDF. Standard turnaround: order day → fully-executed DPA in ≤ 7 business days.

This DPA template v1.0 is effective from 11 June 2026.