Legal

Data Processing Agreement

Last updated: June 28, 2026.

Draft pending legal review. This Data Processing Agreement (DPA) is a good-faith draft we publish for transparency. It is not yet confirmed by counsel and may change. The binding terms for a paid engagement are those in your signed order/Statement of Work and any executed DPA. Nothing here is legal advice. Enterprise clients can request a counter-signed copy at [email protected].

1. Scope and roles

This DPA applies where Clear Cited processes personal data on behalf of a client (the "Controller") in the course of providing AI-search-visibility services. In that processing Clear Cited acts as a processor (a "service provider" under the CCPA/CPRA; a "processor" under the Virginia CDPA and the EU/UK GDPR). For personal data for which Clear Cited itself determines the purposes and means of processing (e.g. our own marketing or billing records), Clear Cited is the controller and our Privacy Policy governs. This single DPA is intended to satisfy GDPR Article 28, the CCPA/CPRA service-provider terms, and the Virginia CDPA processor terms together.

2. Processing details (Art. 28(3))

Subject-matter & duration: the provision of the services for the term of the engagement and any agreed wind-down. Nature & purpose: AEO/GEO audits, content and visibility work, measurement, and related deliverables. Types of personal data: business-contact details and any personal data contained in materials the Controller provides or asks us to ingest. Categories of data subjects: the Controller's personnel, customers, and prospects as reflected in those materials.

3. Processor obligations

Clear Cited will: (a) process personal data only on the Controller's documented instructions, including for international transfers, unless required by law (and then, where lawful, we will tell the Controller first); (b) ensure persons authorised to process the data are bound by confidentiality; (c) implement appropriate technical and organisational security measures (Section 7); (d) respect the sub-processor conditions in Section 4; (e) assist the Controller, taking into account the nature of processing, to respond to data-subject requests and to meet its security, breach-notification, and impact-assessment obligations; (f) at the Controller's choice, delete or return the personal data at the end of the services and delete existing copies except where law requires retention; and (g) make available the information needed to demonstrate compliance and allow for and contribute to audits.

4. Sub-processors

The Controller provides general written authorisation for Clear Cited to engage the sub-processors in the annex below. We bind each sub-processor by a written contract to data-protection obligations no less protective than this DPA, and we remain responsible for their performance. We maintain the current list as a single inventory and review it at least quarterly; we will give the Controller a reasonable way to learn of intended changes (additions or replacements) so it can object on reasonable data-protection grounds.

5. No training; data ownership

Clear Cited does not sell client or end-user personal data, and does not use the Controller's confidential business data or end-user personal data to train, fine-tune, or improve any machine-learning model. Confidential client text is routed only to providers approved for that data classification, and never to a free or train-on-input tier (we never promise that a provider grants "zero retention" unless it actually does). The Controller's data and the deliverables we derive from it remain the Controller's; we claim no licence to it beyond what is needed to provide the services.

6. International transfers

Clear Cited is based in Canada and several sub-processors process data in the United States or elsewhere. Where personal data is transferred out of the EEA, the UK, or Switzerland, the transfer relies on an appropriate safeguard such as the European Commission's Standard Contractual Clauses (with the UK Addendum / IDTA where relevant) or another lawful mechanism. We will tell the Controller, on request, about the safeguards and about any legally binding request by a public authority for the personal data (including foreign government or law-enforcement access), to the extent we are lawfully permitted.

7. Security measures

Measures include encryption in transit (HTTPS/TLS), least-privilege access controls and multi-factor authentication on administrative accounts, network and host hardening, code-enforced data-classification routing that keeps confidential client data off public surfaces and off train-on-input model tiers, atomic and audited handling of data files, encrypted backups with a tested restore procedure, and logging/alerting on high-signal security events. We review these measures periodically and as the risk changes.
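The routing rule in Section 5 and the "code-enforced data-classification routing" in Section 7 are, in practice, a policy check that runs before any payload leaves for a vendor. The following is an added illustration, not Clear Cited's own code: it encodes the annex's "Max data class" and "Trains on data?" columns as a vendor registry and applies two gates (payload class must not exceed the vendor's approved maximum; anything above public must never reach a tier that trains on input). The class ordering, the function names, the `tier_no_train` flag, and the treatment of "tier-dependent" as "assume it trains until the account tier is confirmed" are assumptions; the vendor rows mirror a subset of the annex and are not a live inventory.

```python
"""Classification-gated vendor routing (added example, not Clear Cited's code).

Assumptions: data classes are ordered public < internal < client_confidential;
a vendor whose training behaviour is "tier-dependent" is treated as training
on input until the caller asserts otherwise for the specific account tier.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Optional, Tuple


class DataClass(IntEnum):
    """Sensitivity levels named after the annex's "Max data class" column.
    The numeric ordering is an assumption of this example."""
    PUBLIC = 0
    INTERNAL = 1
    CLIENT_CONFIDENTIAL = 2


@dataclass(frozen=True)
class Vendor:
    name: str
    max_class: DataClass
    # None models the annex's "tier-dependent": unknown until the account
    # tier is confirmed, and treated as "trains on input" until then.
    trains_on_input: Optional[bool]


class RoutingDenied(Exception):
    """Raised when a payload must not be sent to the chosen vendor."""


# Constructed subset of the annex rows; not a live inventory.
VENDORS: Dict[str, Vendor] = {
    "stripe": Vendor("Stripe", DataClass.CLIENT_CONFIDENTIAL, False),
    "resend": Vendor("Resend", DataClass.INTERNAL, False),
    "dataforseo": Vendor("DataForSEO", DataClass.PUBLIC, False),
    "answer_engine": Vendor("AI answer engines", DataClass.INTERNAL, None),
}


def may_route(vendor: Vendor, data_class: DataClass,
              tier_no_train: bool = False) -> Tuple[bool, str]:
    """Return (allowed, reason). Both gates must pass.

    Gate 1: the payload's class must not exceed the vendor's approved maximum.
    Gate 2: anything above PUBLIC must never reach a tier that trains on input.
    tier_no_train=True asserts, from the signed account terms, that the tier in
    use does not train on input; it only matters for "tier-dependent" vendors.
    """
    if data_class > vendor.max_class:
        return False, (f"{data_class.name} exceeds {vendor.name} "
                       f"max {vendor.max_class.name}")
    trains = vendor.trains_on_input
    if trains is None:
        # Fail closed: unknown tier behaviour counts as "trains".
        trains = not tier_no_train
    if trains and data_class > DataClass.PUBLIC:
        return False, (f"{vendor.name} tier trains on input; "
                       f"{data_class.name} not allowed")
    return True, "ok"


def route(vendor_key: str, payload: str, data_class: DataClass,
          tier_no_train: bool = False) -> str:
    """Check the policy and 'send' the payload, raising on denial.

    A real implementation would call the vendor API after the check;
    this example returns a receipt string instead so it runs offline.
    """
    vendor = VENDORS[vendor_key]
    allowed, reason = may_route(vendor, data_class, tier_no_train)
    if not allowed:
        raise RoutingDenied(reason)
    return f"sent {len(payload)} chars to {vendor.name} as {data_class.name}"


if __name__ == "__main__":
    # Constructed payloads: a public brand prompt and a confidential brief.
    print(route("answer_engine", "What is Acme known for?", DataClass.PUBLIC))
    try:
        route("answer_engine", "Acme Q3 roadmap (internal)", DataClass.INTERNAL)
    except RoutingDenied as exc:
        print("denied:", exc)
```

The design point is that the denial is the default path: a vendor whose training behaviour is not positively known is treated as training on input, so a mis-filled inventory row blocks traffic rather than leaking it, and the caller has to assert the non-training tier explicitly.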

8. Personal-data breaches

Clear Cited will notify the Controller without undue delay after becoming aware of a personal-data breach affecting the Controller's data, with the information the Controller reasonably needs to meet its own notification duties. We maintain an internal register of breaches (including non-reportable ones) with a documented risk assessment, and — for our own controller data — we will notify the relevant supervisory authority and affected individuals where the law requires (in Canada, the Office of the Privacy Commissioner where a breach poses a real risk of significant harm).

9. Deletion and return

On the Controller's written request, or at the end of the engagement, Clear Cited will return or delete the Controller's personal data and existing copies. Client materials, ingested content, and derived profiles/deliverables are deleted or returned within 30 days of a written request or 90 days after the engagement ends, whichever is sooner, except copies we are required by law to retain (e.g. financial records) and routine encrypted backups, which are deleted on their normal rotation (typically within 90 days).

10. Audits and term

Clear Cited will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for reasonable, confidential audits on reasonable notice, subject to protecting other clients' confidentiality. This DPA takes effect when incorporated into an order or signed by both parties and continues for as long as Clear Cited processes the Controller's personal data.

Annex — sub-processors

Annex generated from our single sub-processor inventory; last reviewed 2026-06-28. The legal characterisation of each vendor is subject to counsel review.

Sub-processor | Purpose | Data | Region | Max data class | Trains on data? | Zero-retention?
--- | --- | --- | --- | --- | --- | ---
Stripe | Payment processing and billing. | Card and payment data, billing name/email, country, charge status and amount. | United States / global | client_confidential | no | No
MailerLite | Email/newsletter delivery and subscriber management. | Name, email, engagement data. | United States / EU | internal | no | No
Resend | Sending transactional and operational email. | Recipient email and message content. | United States | internal | no | No
Instantly | Sending owner-approved outbound/cold business email (CASL/CAN-SPAM gated; never auto-sent). | Business prospect name, role, and published business email; message content. | United States | internal | no | No
Postiz | Scheduling and publishing social media posts. | Public post content and the connected social-account access tokens. | EU / self-hostable | public | no | No
Documenso | Electronic signature for contracts and statements of work (owner-armed). | Signer name, email, IP/audit metadata, and the document being signed. | Self-hosted on Hostinger VPS (EU) | client_confidential | no | No
Hostinger | VPS hosting for our self-hosted services (Chatwoot, Documenso, LanguageTool, uptime/change monitoring). | Whatever those self-hosted apps process (support chats, signed documents, ingested text) at rest on the VPS. | EU (data centre region as configured) | client_confidential | no | No
Chatwoot | Live-chat support widget and shared support inbox. | Name, email, messages you provide, and a session identifier. | Self-hosted on Hostinger VPS (EU) | client_confidential | no | No
Cloudflare | Website hosting, DNS, CDN, and security/DDoS protection. | Connection data such as IP addresses. | Global edge network | public | no | No
Google Workspace (Google LLC) | Business email and document/file storage. | Your correspondence and any files exchanged. | United States / global | client_confidential | no | No
Plausible Analytics | Cookieless, aggregated, anonymized website analytics. | No personal identifiers; aggregate counts only. | European Union | public | no | No
DataForSEO | Search-data and AI-answer-engine measurement APIs used to build audits. | Prompts about brands, products, domains, and public market topics; no client-confidential data. | United States / EU | public | no | No
AI answer engines (OpenAI, Anthropic, Google Gemini, Perplexity, xAI Grok) | Querying answer engines to research and build teardowns and audits. | Prompts about brands, products, domains, and public market topics. We do NOT submit confidential client business information or end-user personal data. | United States / global | internal | tier-dependent | No

Contact

Privacy Officer, Logan Adams, at [email protected]. Clear Cited, 570 Hood Road, Unit 14, #1584, Markham, ON L3R 4G7, Canada. See also our Privacy Policy, Data Deletion Instructions, and Terms of Service.