Data Processing Addendum — Clarity Stream

This Data Processing Addendum ("DPA") supplements the Terms of Service between Clarity Stream (processor) and Customer (controller). It applies where Clarity Stream processes personal data on behalf of Customer.

1. Subject matter and duration

Processing of personal data submitted by Customer to the service for the term of the subscription.

2. Nature and purpose of processing

Hosting, storage, analysis, and transmission of telemetry and operational data to provide the service to Customer.

3. Types of personal data

Identifiers, contact data, device identifiers, telemetry, and any additional categories Customer chooses to submit.

4. Categories of data subjects

Customer's end users, employees, contractors, and operators of devices Customer connects to the service.

5. Sub-processors

Customer authorizes the sub-processors listed at /legal/subprocessors. We will notify Customer of changes and provide a right to object.

6. Security measures

Encryption in transit (TLS 1.3) and at rest (AES-256).
Logical isolation via row-level security and tenant-scoped tokens.
Access controls, audit logging, vulnerability management, secure SDLC.

7. International transfers

Standard Contractual Clauses (SCCs) Module 2 (controller-to-processor) apply where transfers occur outside the EEA/UK.

8. Data subject rights and assistance

We provide reasonable assistance to Customer for responding to data subject requests and regulator inquiries.

9. Breach notification

We will notify Customer of a personal data breach without undue delay (target: within 48 hours of confirmation).

10. Return or deletion

Upon termination, Customer may export data for 30 days, after which we will delete it within 60 days unless retention is required by law.

11. Audits

Customer may audit compliance through certifications (SOC 2 Type II, ISO 27001) and reasonable annual reviews.

12. Contact

dpo@clarity-stream.example