DATA PROCESSING ADDENDUM (DPA)
Between ClearMetric ("Processor") and Customer ("Controller")
Effective Date: Upon execution of the Master Service Agreement
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person processed by ClearMetric on behalf of Customer.
"Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, and deletion.
"Subprocessor" means any third party engaged by ClearMetric to process Personal Data on behalf of Customer.
2. Scope of Processing
2.1 Data Categories
ClearMetric processes the following categories of data on behalf of Customer:
| Category | Examples | Purpose |
|---|---|---|
| Account Data | User email, name | Authentication, access control |
| Metadata | Table names, column definitions | Definition governance, mappings, and lineage functionality |
| Configuration | Connection settings (encrypted) | Service delivery |
| Usage Data | Feature usage, timestamps | Service improvement |
2.2 Processing Purpose
ClearMetric processes Customer data solely to:
- Provide the ClearMetric platform services
- Maintain and improve service functionality
- Provide customer support
- Comply with legal obligations
3. Security Measures
ClearMetric implements the following technical and organizational measures:
3.1 Encryption
- Data in transit: TLS (via infrastructure providers)
- Data at rest: AES-256
- Stored credentials: Fernet AES-128
3.2 Access Control
- Role-based access control (RBAC)
- Multi-factor authentication available
- Principle of least privilege
3.3 Data Isolation
- Row-Level Security (RLS) at the database level
- Organization-scoped access policies
- Complete tenant isolation
3.4 Monitoring
- Authentication event logging
- Data access audit trails
4. Subprocessors
4.1 Current Subprocessors
| Subprocessor | Purpose | Location | Certification |
|---|---|---|---|
| Supabase Inc. | Database, Authentication | United States | SOC 2 Type 2 |
| Render Inc. | Application Hosting | United States | SOC 2 Type 2, ISO 27001 |
4.2 AI Providers (Optional)
When Customer enables AI features using their own API keys (bring-your-own-key, or BYOK, model):
- Customer's data is sent directly to Customer's chosen AI provider
- ClearMetric acts as a conduit, not a processor, for AI-related data
- Customer's agreement with the AI provider governs that processing
4.3 Changes to Subprocessors
ClearMetric will:
- Notify Customer of new subprocessors 30 days in advance
- Provide Customer the opportunity to object
- Ensure subprocessors maintain equivalent security measures
5. Data Subject Rights
ClearMetric will assist Customer in responding to data subject requests:
| Right | ClearMetric Support |
|---|---|
| Access | Provide data export within 30 days |
| Rectification | Customer can update via platform |
| Erasure | Complete deletion within 30 days |
| Portability | Standard export formats available |
6. Data Retention and Deletion
6.1 Active Data
- Retained while Customer's account is active
- Customer can delete data at any time via the platform
6.2 Upon Termination
- Active data deleted within 30 days
- Backup data deleted within 30 days of backup rotation
6.3 Deletion Certification
Upon request, ClearMetric will certify in writing that deletion has been completed.
7. Security Incidents
7.1 Notification
ClearMetric will notify Customer of a confirmed security incident affecting Customer's data:
- Notification: Within 72 hours of confirmation
7.2 Notification Contents
- Nature of the incident
- Categories and approximate number of records affected
- Likely consequences
- Measures taken or proposed
7.3 Cooperation
ClearMetric will:
- Cooperate with Customer's incident investigation
- Provide reasonable assistance for regulatory notifications
- Document all incidents and remediation steps
8. Audits
8.1 Documentation
Upon Customer's written request, ClearMetric will provide:
- Security documentation
- Infrastructure provider certifications (Supabase, Render SOC 2 reports)
8.2 On-Site Audits
- Available upon reasonable notice (30 days)
- Subject to confidentiality agreement
- Customer bears audit costs
9. Data Transfers
9.1 Current Location
Customer data is processed and stored in the United States.
9.2 International Transfers
If data is transferred outside the original jurisdiction:
- Standard Contractual Clauses will apply
- Customer will be notified in advance
- Equivalent security measures will be maintained
10. Liability
ClearMetric's liability under this DPA is subject to the limitations set forth in the Master Service Agreement.
11. Term and Termination
This DPA:
- Becomes effective upon execution of the Master Service Agreement
- Remains in effect for the duration of the Agreement
- Survives termination with respect to any Personal Data still in ClearMetric's possession
12. Contact
Data Protection Inquiries: support@clearmetric.ai
Security Incidents: support@clearmetric.ai
Appendix A: Technical and Organizational Measures
A.1 Physical Security
- Managed by subprocessors (Supabase, Render)
- SOC 2 Type 2 certified data centers
- 24/7 monitoring and access controls
A.2 Network Security
- Managed by infrastructure providers (Supabase, Render)
A.3 Application Security
- Input validation and sanitization
- SQL injection prevention
- XSS protection
- CORS configuration
- Rate limiting
A.4 Data Security
- Encryption at rest (AES-256)
- Encryption in transit (TLS via providers)
- Credential encryption (Fernet AES-128)
- Row-Level Security isolation
A.5 Access Management
- Role-based access control
- Multi-factor authentication
- Session management
A.6 Monitoring and Logging
- Authentication event logging
- Data access audit trails
A.7 Business Continuity
- Daily automated backups (managed by Supabase)
- 30-day backup retention
- Point-in-time recovery capability (via Supabase)
Document Version: 1.1
Last Updated: February 2026