When do you need a DPA?
You need a Data Processing Addendum with AZINOVE SAS when you are a B2B customer of CleverAI and personal data of natural persons (your end users, employees, or visitors) flows through our services. Common scenarios:
- Botsmith — you operate a chatbot that talks to your end-users. You are the controller; we are the processor.
- Workspace — you administer a CleverAI organization and your employees' usage flows through CleverAI.
- Vault — you operate a sovereign CleverAI instance with customers' or employees' data.
- Any other B2B usage where your end-users' personal data is processed by CleverAI on your behalf.
What does our DPA cover?
The DPA implements the obligations of GDPR Article 28 plus the European Commission Standard Contractual Clauses (Decision 2021/914) for any data transferred outside the European Economic Area. Key sections:
- Subject matter and duration of processing
- Categories of personal data and data subjects (typically: your end-users, customers, employees)
- Confidentiality undertakings by AZINOVE personnel
- Technical and organizational measures (encryption, access controls, audit logs, incident response)
- Sub-processors — list current as of contract start; we notify 30 days in advance of any addition
- Data subject rights assistance — we help you respond to access, erasure, portability, etc.
- Data breach notification within 72 hours of awareness
- International transfers — EU SCCs (Decision 2021/914) for US-headquartered subprocessors; EU-US Data Privacy Framework where the recipient is certified
- Audit rights — annual SOC 2 / ISO 27001 reports under NDA; on-site audits at Enterprise tier with reasonable notice
- Return or deletion of data at contract end (30 days for active data, 90 days for backups, certificate of destruction on request)
Current subprocessors
The DPA references the live subprocessor list (also available in our Privacy Policy):
- Clerk Inc. — User authentication, session management, organization management (US, Standard Contractual Clauses (SCCs))
- Stripe, Inc. — Payment processing, subscription billing, invoice management (US/IE, Standard Contractual Clauses (SCCs))
- Vercel Inc. — Application hosting, edge runtime, CDN (US, Standard Contractual Clauses (SCCs))
- Neon Inc. — Managed PostgreSQL database hosting (US/EU (Frankfurt), Standard Contractual Clauses (SCCs))
- OpenAI, OpCo, LLC — Large language model inference (ChatGPT, GPT-4, DALL-E) (US, Standard Contractual Clauses (SCCs))
- Anthropic, PBC — Large language model inference (Claude) (US, Standard Contractual Clauses (SCCs))
- Google LLC — Large language model inference (Gemini), AI services (US, EU-US Data Privacy Framework)
- Mistral AI — Large language model inference (Mistral) (FR, EU/EEA)
- xAI — Large language model inference (Grok) — routed via AI Gateway (US, Standard Contractual Clauses (SCCs))
- DeepSeek — Large language model inference (DeepSeek) — routed via AI Gateway (CN, Standard Contractual Clauses (SCCs))
- Groq, Inc. — Low-latency LLM inference — routed via AI Gateway (US, Standard Contractual Clauses (SCCs))
- Cerebras Systems — Low-latency LLM inference — routed via AI Gateway (US, Standard Contractual Clauses (SCCs))
- Fireworks AI — LLM inference (open-weights models) — routed via AI Gateway (US, Standard Contractual Clauses (SCCs))
- Tavily Inc. — Real-time web search (used by Findora for AI-augmented search) (US, Standard Contractual Clauses (SCCs))
- Replicate, Inc. — Image/video model inference (Flux, SDXL, etc.) — used by Pixova (US, Standard Contractual Clauses (SCCs))
- ElevenLabs Inc. — Voice synthesis (text-to-speech, voice cloning) — used by Pixova (US, Standard Contractual Clauses (SCCs))
- Fal.ai — Image/video model inference — used by Pixova (US, Standard Contractual Clauses (SCCs))
- Postmark / ActiveCampaign LLC — Transactional email delivery (account, billing, notifications) (US, Standard Contractual Clauses (SCCs))
Vault-specific DPA
For Vault sovereign deployments, the DPA is customized per instance: region pinning, BYOK key custody, customer-managed sub-processors. See Vault Sovereign Deployment Terms.
How to request
Email legal@cleverai.ai with:
- Your company legal name and registered address
- The CleverAI product(s) and tier(s) you use
- An estimated volume of end-users / data subjects per month
- Whether you require any redlines to the standard template
Standard DPA turnaround is 5 business days for the unmodified template, 2-3 weeks for customer-paper or heavily-redlined versions.