← Back to CleverAI

Data Processing Addendum (DPA)

GDPR Article 28 processor obligations for B2B customers using CleverAI services.

Draft notice: The DPA template is being finalized with counsel. Request a signed copy at legal@cleverai.ai — turnaround target 5 business days.

When do you need a DPA?

You need a Data Processing Addendum with AZINOVE SAS when you are a B2B customer of CleverAI and personal data of natural persons (your end users, employees, or visitors) flows through our services. Common scenarios:

  • Botsmith — you operate a chatbot that talks to your end-users. You are the controller; we are the processor.
  • Workspace — you administer a CleverAI organization and your employees' usage flows through CleverAI.
  • Vault — you operate a sovereign CleverAI instance with customers' or employees' data.
  • Any other B2B usage where your end-users' personal data is processed by CleverAI on your behalf.

What does our DPA cover?

The DPA implements the obligations of GDPR Article 28 plus the European Commission Standard Contractual Clauses (Decision 2021/914) for any data transferred outside the European Economic Area. Key sections:

  • Subject matter and duration of processing
  • Categories of personal data and data subjects (typically: your end-users, customers, employees)
  • Confidentiality undertakings by AZINOVE personnel
  • Technical and organizational measures (encryption, access controls, audit logs, incident response)
  • Sub-processors — list current as of contract start; we notify 30 days in advance of any addition
  • Data subject rights assistance — we help you respond to access, erasure, portability, etc.
  • Data breach notification within 72 hours of awareness
  • International transfers — EU SCCs (Decision 2021/914) for US-headquartered subprocessors; EU-US Data Privacy Framework where the recipient is certified
  • Audit rights — annual SOC 2 / ISO 27001 reports under NDA; on-site audits at Enterprise tier with reasonable notice
  • Return or deletion of data at contract end (30 days for active data, 90 days for backups, certificate of destruction on request)

Current subprocessors

The DPA references the live subprocessor list (also available in our Privacy Policy):

  • Clerk Inc.User authentication, session management, organization management (US, Standard Contractual Clauses (SCCs))
  • Stripe, Inc.Payment processing, subscription billing, invoice management (US/IE, Standard Contractual Clauses (SCCs))
  • Vercel Inc.Application hosting, edge runtime, CDN (US, Standard Contractual Clauses (SCCs))
  • Neon Inc.Managed PostgreSQL database hosting (US/EU (Frankfurt), Standard Contractual Clauses (SCCs))
  • OpenAI, OpCo, LLCLarge language model inference (ChatGPT, GPT-4, DALL-E) (US, Standard Contractual Clauses (SCCs))
  • Anthropic, PBCLarge language model inference (Claude) (US, Standard Contractual Clauses (SCCs))
  • Google LLCLarge language model inference (Gemini), AI services (US, EU-US Data Privacy Framework)
  • Mistral AILarge language model inference (Mistral) (FR, EU/EEA)
  • xAILarge language model inference (Grok) — routed via AI Gateway (US, Standard Contractual Clauses (SCCs))
  • DeepSeekLarge language model inference (DeepSeek) — routed via AI Gateway (CN, Standard Contractual Clauses (SCCs))
  • Groq, Inc.Low-latency LLM inference — routed via AI Gateway (US, Standard Contractual Clauses (SCCs))
  • Cerebras SystemsLow-latency LLM inference — routed via AI Gateway (US, Standard Contractual Clauses (SCCs))
  • Fireworks AILLM inference (open-weights models) — routed via AI Gateway (US, Standard Contractual Clauses (SCCs))
  • Tavily Inc.Real-time web search (used by Findora for AI-augmented search) (US, Standard Contractual Clauses (SCCs))
  • Replicate, Inc.Image/video model inference (Flux, SDXL, etc.) — used by Pixova (US, Standard Contractual Clauses (SCCs))
  • ElevenLabs Inc.Voice synthesis (text-to-speech, voice cloning) — used by Pixova (US, Standard Contractual Clauses (SCCs))
  • Fal.aiImage/video model inference — used by Pixova (US, Standard Contractual Clauses (SCCs))
  • Postmark / ActiveCampaign LLCTransactional email delivery (account, billing, notifications) (US, Standard Contractual Clauses (SCCs))

Vault-specific DPA

For Vault sovereign deployments, the DPA is customized per instance: region pinning, BYOK key custody, customer-managed sub-processors. See Vault Sovereign Deployment Terms.

How to request

Email legal@cleverai.ai with:

  • Your company legal name and registered address
  • The CleverAI product(s) and tier(s) you use
  • An estimated volume of end-users / data subjects per month
  • Whether you require any redlines to the standard template

Standard DPA turnaround is 5 business days for the unmodified template, 2-3 weeks for customer-paper or heavily-redlined versions.