Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between Clarevo AI, LLC, a Texas limited liability company ("Clarevo," "Processor," "we," or "us"), located in The Woodlands, TX, and the entity or individual subscribing to the Clarevo platform ("Client," "Controller," or "you"). This DPA is effective upon your creation of a Clarevo account and governs the processing of Personal Data by Clarevo on behalf of the Client.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Laws.

"Controller" means the Client, who determines the purposes and means of Processing Personal Data.

"Processor" means Clarevo, which Processes Personal Data on behalf of the Controller.

"Processing" means any operation performed on Personal Data, including collection, storage, modification, retrieval, use, disclosure, or deletion.

"Data Protection Laws" means all applicable laws relating to data protection and privacy, including the General Data Protection Regulation (EU 2016/679) ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and any other applicable state, federal, or international data privacy laws.

"Sub-processor" means any third party engaged by Clarevo to Process Personal Data on behalf of the Controller.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

"Standard Contractual Clauses" ("SCCs") means the contractual clauses adopted by the European Commission for international data transfers.

2. Roles and Scope of Processing

2.1 Roles

The Client acts as the Controller and Clarevo acts as the Processor with respect to Personal Data provided by the Client through the Clarevo platform. Clarevo shall Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law.

2.2 Scope of Processing

Clarevo Processes Personal Data solely for the purpose of delivering the subscribed services, which include:

• LinkedIn content creation, scheduling, and management on behalf of Client
• Voice profile development and maintenance based on Client-provided materials
• Content performance analytics and reporting
• Account management, billing, and support communications
• AI-assisted content generation using Client voice data and industry context

2.3 Categories of Data

Personal Data Processed may include: Client name, email address, LinkedIn profile information, professional biography, content preferences, voice profile data, billing and payment details, and usage analytics.

2.4 Data Subjects

Data Subjects include: Client personnel, Client contacts, and individuals whose information appears in Client-provided materials.

3. Client Obligations

The Client warrants that: (a) it has the lawful basis to provide Personal Data to Clarevo for Processing; (b) it has provided all required notices and obtained all necessary consents from Data Subjects; (c) its instructions to Clarevo comply with all applicable Data Protection Laws; and (d) it will not provide Clarevo with any special category data (sensitive personal data) unless expressly agreed in writing.

4. Clarevo Obligations

Clarevo shall:

• Process Personal Data only in accordance with documented instructions from the Client, unless required by applicable law
• Ensure that persons authorized to Process Personal Data are bound by obligations of confidentiality
• Implement and maintain appropriate technical and organizational security measures
• Assist the Client in responding to Data Subject requests and in ensuring compliance with its obligations under Data Protection Laws
• Not engage any Sub-processor without the prior general written authorization of the Client (provided herein)
• Make available to the Client all information necessary to demonstrate compliance with this DPA

5. Sub-processors

5.1 Authorized Sub-processors

The Client provides general authorization for Clarevo to engage the following Sub-processors:

• Anthropic — AI content generation and language processing
• Vercel — Application hosting and content delivery
• Neon — Database hosting and management
• Stripe — Payment processing and subscription management
• Clerk — Authentication and identity management
• Buffer — Social media post scheduling and publishing
• Resend — Transactional email delivery
• Close CRM — Sales and client relationship management
• Snov.io — Outbound prospecting and outreach

5.2 Sub-processor Obligations

Clarevo shall: (a) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA; (b) remain fully liable to the Client for the acts and omissions of its Sub-processors; and (c) notify the Client of any intended changes to Sub-processors, providing the Client with the opportunity to object within fourteen (14) days of notification.

5.3 Objection to Sub-processors

If the Client objects to a new Sub-processor on reasonable data protection grounds, Clarevo shall use commercially reasonable efforts to make available an alternative arrangement. If no alternative is feasible, either party may terminate the affected services upon thirty (30) days' written notice.

6. Data Security

Clarevo implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

• Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access controls with least-privilege principles
• Use of SOC 2 Type II certified infrastructure and service providers
• Regular security assessments and vulnerability scanning
• Multi-factor authentication for administrative access
• Automated monitoring, logging, and alerting for unauthorized access attempts
• Secure development lifecycle practices

7. Data Subject Rights

Clarevo shall assist the Client in fulfilling its obligations to respond to Data Subject requests to exercise their rights under applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.

Data Subjects should direct requests to the Client (Controller). Upon receiving a request directly, Clarevo shall promptly notify the Client and shall not respond to such requests except on the Client's documented instructions.

Clarevo shall provide reasonable assistance in responding to verified Data Subject requests within ten (10) business days of the Client's written request for such assistance.

8. Data Breach Notification

Clarevo shall notify the Client without undue delay, and in any event within seventy-two (72) hours, of becoming aware of any Personal Data breach. Such notification shall include: (a) the nature of the breach, including the categories and approximate number of Data Subjects affected; (b) the name and contact details of Clarevo's point of contact; (c) the likely consequences of the breach; and (d) the measures taken or proposed to address the breach and mitigate its effects.

Clarevo shall cooperate with the Client and take reasonable steps to assist in the investigation, mitigation, and remediation of any such breach.

9. Data Retention and Deletion

Upon termination or expiration of the Client's subscription, Clarevo shall, at the Client's election, return or delete all Personal Data within thirty (30) days, unless retention is required by applicable law. Clarevo shall provide written confirmation of deletion upon the Client's request.

During the term of the agreement, Clarevo retains Personal Data only for as long as necessary to provide the subscribed services and fulfill the purposes described in this DPA.

10. International Data Transfers

To the extent Personal Data is transferred outside the European Economic Area ("EEA"), the United Kingdom, or Switzerland, Clarevo shall ensure that such transfers are protected by appropriate safeguards, including:

• Standard Contractual Clauses approved by the European Commission, as applicable
• The UK International Data Transfer Agreement or Addendum, where required
• Any other legally recognized transfer mechanism under applicable Data Protection Laws

Clarevo primarily processes data within the United States. Sub-processors may process data in the jurisdictions where their infrastructure is located, subject to the safeguards described herein.

11. GDPR Compliance

With respect to Personal Data subject to the GDPR, Clarevo shall: (a) Process Personal Data in accordance with GDPR requirements applicable to Processors; (b) assist the Client in conducting data protection impact assessments where required; (c) assist the Client in consultations with supervisory authorities; and (d) make available information necessary to demonstrate compliance upon reasonable request.

12. CCPA/CPRA Compliance

With respect to Personal Data subject to the CCPA/CPRA, Clarevo: (a) acts as a "Service Provider" as defined under the CCPA; (b) shall not sell or share Personal Data; (c) shall not retain, use, or disclose Personal Data for any purpose other than the business purposes specified in this DPA or as otherwise permitted by the CCPA; (d) shall not combine Personal Data received from the Client with Personal Data received from other sources except as permitted by the CCPA; and (e) shall comply with all applicable provisions of the CCPA and grant the Client the right to take reasonable steps to ensure compliance.

13. Audits

Upon the Client's reasonable written request (no more than once per twelve-month period), Clarevo shall make available information necessary to demonstrate compliance with this DPA. If a Client requires an on-site audit, such audit shall be at the Client's expense, conducted during normal business hours with at least thirty (30) days' prior written notice, and subject to reasonable confidentiality obligations.

14. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the underlying service agreement between the parties. Nothing in this DPA limits either party's liability for breaches that cannot be limited under applicable Data Protection Laws.

15. Term and Termination

This DPA shall remain in effect for the duration of the Client's subscription and shall automatically terminate upon the termination or expiration of the underlying service agreement, subject to Section 9 (Data Retention and Deletion) which shall survive termination.

16. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of Texas, without regard to conflict of law principles, except to the extent applicable Data Protection Laws require otherwise.

17. Contact

For questions about this DPA or to exercise your rights, contact us at support@clarevo.ai.

Effective Date: March 29, 2026