Cleanroom


Data Processing Addendum ("DPA")

This Data Processing Addendum forms part of and is incorporated into the Cleanroom Terms of Service (the "Agreement") between Stravik Technologies AB, doing business as Cleanroom ("Processor") and the entity or individual who is party to the Agreement ("Controller"). Capitalized terms not defined in this DPA have the meanings set out in the Agreement.

1. Purpose and Scope

1.1 Purpose. This DPA sets out the parties' obligations with respect to the Processing of Personal Data subject to the EU General Data Protection Regulation 2016/679 ("GDPR") and equivalent laws that apply to the Personal Data.

1.2 Roles. Controller acts as the data controller and Processor acts as the data processor solely on behalf of Controller.

1.3 Annexes. Details of the Processing are set out in Annex I (Details of Processing). Security measures are described in Annex II (Technical and Organisational Measures). Approved sub‑processors are listed in Annex III (Sub‑processors).

2. Processor Obligations

Processor shall:

  • (a) process Personal Data only on documented instructions from Controller as set out in the Agreement, this DPA and Annex I, unless Processor is required to do so by EU or Member‑State law;
  • (b) ensure that any person authorised by Processor to Process Personal Data is subject to appropriate confidentiality obligations;
  • (c) implement and maintain the technical and organisational measures described in Annex II;
  • (d) notify Controller without undue delay after becoming aware of a Personal Data Breach relating to Personal Data Processed under this DPA; and
  • (e) assist Controller, at Controller's cost and taking into account the nature of the Processing, with (i) responses to data‑subject requests, (ii) data protection impact assessments, and (iii) consultations with supervisory authorities.

3. Sub‑Processing

3.1 Authorised Sub‑Processors. Controller grants Processor a general authorisation to engage sub‑processors listed in Annex III. Processor shall impose data‑protection terms on each sub‑processor that are substantially the same as those set out in this DPA.

3.2 Changes. Processor will notify Controller in advance of any intended changes to its sub‑processors. Controller may object on reasonable, data‑protection‑related grounds within a reasonable time after receiving the notice. If the parties cannot resolve the objection, Controller may terminate the affected Service in accordance with the Agreement.

4. International Data Transfers

Processor shall not transfer Personal Data outside the European Economic Area ("EEA") or United Kingdom unless it ensures that such transfer is made in compliance with Chapter V of the GDPR, including by using: (a) an adequacy decision; (b) Standard Contractual Clauses approved by the European Commission; or (c) another legally recognised transfer mechanism.

5. Audits

Upon written request and subject to appropriate confidentiality, Processor shall make available to Controller all information necessary to demonstrate compliance with this DPA and shall allow for audits by Controller or a mutually agreed independent auditor, no more than once per 12‑month period, during normal business hours, and at Controller's expense.

6. Deletion or Return of Data

Within thirty (30) days after termination or expiry of the Agreement, Processor will, at Controller's choice, delete or return all Personal Data Processed under this DPA, unless EU or Member‑State law requires retention.

7. Liability and Indemnity

The limitations of liability set out in the Agreement apply to this DPA. Nothing in this DPA seeks to limit either party's liability under Article 82 GDPR.

8. Order of Precedence

In the event of conflict between this DPA and the Agreement, this DPA shall prevail to the extent of the conflict as it relates to Processing of Personal Data.


Annex I – Details of Processing

Item | Details
Subject‑matter & Duration | Processing of Client Data for the term of the Agreement and any post‑termination retention period permitted under the DPA.
Nature & Purpose | Ingesting, cleansing, deduplicating, enriching and exporting CRM records using AI models; providing customer support; ensuring Service security, availability and improvement.
Categories of Data Subjects | Controller's end‑customers, prospects, employees, contractors and any other individuals whose Personal Data appears in CRM records supplied by Controller.
Types of Personal Data | Typical CRM fields such as names, titles, email addresses, phone numbers, postal addresses, company affiliations, notes, and interaction history. Special categories of data are neither intended nor required for use of the Service.
Frequency of Transfer | Continuous, for the duration of the Agreement.
Retention | As per Section 6 of this DPA.

Annex II – Technical and Organisational Measures

Processor implements appropriate technical and organisational measures which may include, without limitation, the following:

  • Access Control – Role‑based access; unique user IDs; MFA for privileged access; periodic access reviews.
  • Encryption – TLS 1.2+ for data in transit; AES‑256 (or equivalent) for data at rest.
  • Separation of Environments – Segregated production and development networks; data logically partitioned per customer.
  • Incident Response – Documented procedures; incident logging; breach notifications to Controller without undue delay.
  • Back‑ups & Resilience – Regular encrypted back‑ups; geographically redundant storage; periodic disaster‑recovery testing.
  • Logging & Monitoring – Centralised logging of authentication, data access and system events; automated alerts for anomalous activities.
  • Personnel Security & Training – Background checks (where permitted by law); mandatory security and privacy training.
  • Secure Development – Secure coding guidelines; code reviews; vulnerability scanning and penetration testing.

Annex III – Authorised Sub‑Processors

Sub‑Processor | Address | Purpose of Processing | Location of Processing
Stripe, Inc. | 510 Townsend Street, San Francisco, CA 94103, USA | Payment processing for subscription fees | USA, EU (Ireland)
Vercel Inc. | 340 S Lemon Ave #4133, Walnut, CA 91789, USA | Cloud hosting and content delivery for web application | USA, Global CDN
Supabase, Inc. | 970 Toa Payoh North #07-04, Singapore 318992 | Database and backend infrastructure for storing waitlist and user data | EU (Ireland), USA
OpenAI, L.L.C. | 3180 18th Street, San Francisco, CA 94110, USA | AI model processing for CRM data cleaning and enrichment | USA

Processor maintains an up‑to‑date list of sub‑processors on request and will notify Controller of changes pursuant to Section 3 of this DPA.