Data Processing Agreement
Last updated: February 2026
1. Definitions
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between the customer (“Data Controller” or “Controller”) and Clarity AI LLC (“Data Processor” or “Processor”), operating the Job Clarity platform.
- Data Controller — The customer who determines the purposes and means of processing personal data through the Job Clarity platform.
- Data Processor — Clarity AI LLC, which processes personal data on behalf of the Data Controller to provide the Job Clarity platform and services.
- Personal Data — Any information relating to an identified or identifiable natural person that is processed through the platform.
- Subprocessor — A third-party service provider engaged by the Processor to assist in processing personal data.
2. Scope of Processing
The Processor processes personal data solely for the purpose of providing the Job Clarity CRM platform to the Controller. The categories of data processed include:
- Contact information — Names, email addresses, phone numbers, and mailing addresses of the Controller's customers and leads.
- Project details — Job site addresses, project descriptions, inspection data, measurements, and status information.
- Communication logs — Records of calls, SMS messages, and emails sent through the platform.
- Financial data — Estimates, invoices, payment records, and expense tracking associated with projects.
- Employee data — Names, roles, and activity logs for the Controller's team members using the platform.
- Documents and media — Photos, contracts, inspection reports, and other files uploaded to the platform.
3. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions from the Controller.
- Ensure that persons authorized to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures as described in Section 6.
- Assist the Controller in responding to data subject requests.
- Assist the Controller in ensuring compliance with breach notification obligations.
- Delete or return all personal data upon termination of services, subject to the retention policy in Section 5.
- Make available all information necessary to demonstrate compliance with this DPA.
4. Subprocessors
The Controller authorizes the Processor to engage the following subprocessors. The Processor will notify the Controller at least 30 days before adding or replacing a subprocessor.
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database hosting, authentication, and real-time services | United States |
| Vercel Inc. | Application hosting and edge delivery | United States |
| Stripe Inc. | Payment processing and billing | United States |
| Twilio Inc. | SMS and voice communication services | United States |
| Resend Inc. | Transactional email delivery | United States |
| OpenAI LLC | AI-powered features (summarization, suggestions) | United States |
| Google LLC | Calendar integration and geocoding services | United States |
| Sentry (Functional Software Inc.) | Application error monitoring and performance tracking | United States |
5. Data Retention
The Processor retains personal data according to the following policy:
- Active subscription — All data is retained for the duration of the Controller's active subscription and is available for export at any time.
- Subscription cancellation — Upon cancellation, data is retained for 90 calendar days to allow for reactivation or data export. After 90 days, all personal data is permanently deleted from production systems.
- Backups — Encrypted backups containing personal data may persist for up to 30 additional days beyond the retention period before being automatically purged.
- Immediate deletion — The Controller may request immediate deletion of all data at any time by contacting the Processor. The Processor will complete the deletion within 30 days of the request.
6. Security Measures
The Processor implements the following technical and organizational measures to protect personal data:
- Encryption at rest — All data stored in the database is encrypted at rest using AES-256 encryption.
- Encryption in transit — All data transmitted between clients and servers is encrypted using TLS 1.2 or higher.
- Tenant isolation — Row Level Security (RLS) policies enforce strict data isolation between tenants at the database level. Each tenant's data is logically separated and inaccessible to other tenants.
- Authentication and access control — Multi-factor authentication (MFA) is available for all user accounts. Role-based access control restricts data access based on user permissions.
- Audit logging — Security-relevant events are logged for audit and compliance purposes.
- Vulnerability management — Application dependencies are regularly updated and monitored for known vulnerabilities.
- Error monitoring — Automated error tracking detects and alerts on anomalous behavior without exposing personal data in reports.
7. Data Breach Notification
In the event of a personal data breach, the Processor shall:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach.
- Provide the Controller with sufficient information to enable the Controller to meet any obligations to report or inform data subjects of the breach.
- Cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach.
- Not inform any third party of the breach without first obtaining the Controller's written consent, unless required by law.
8. Data Subject Rights
The Controller's customers and contacts (“data subjects”) have the following rights, which the Controller can fulfill through the Job Clarity admin panel:
- Right of access — Data subjects may request a copy of their personal data. The Controller can export individual contact records from the platform.
- Right to rectification — Data subjects may request correction of inaccurate data. The Controller can update records directly in the platform.
- Right to erasure — Data subjects may request deletion of their personal data. The Controller can delete individual records from the platform.
- Right to data portability — Data subjects may request their data in a portable format. The Controller can export data in standard formats (CSV, JSON).
- Right to object — Data subjects may object to processing of their data. The Controller should contact the Processor for assistance with objection requests.
The Processor will assist the Controller in responding to data subject requests within the timeframes required by applicable law.
9. Cross-Border Data Transfers
Personal data is primarily processed and stored in the United States. Where personal data is transferred across international borders:
- The Processor ensures that appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) where applicable.
- Subprocessors are contractually required to maintain equivalent data protection standards.
- The Controller may request information about the specific safeguards in place for any cross-border transfer.
10. Amendments
The Processor may update this DPA from time to time to reflect changes in processing activities, subprocessors, or applicable law. The Processor will provide the Controller with at least 30 days' notice of any material changes. Continued use of the platform after the notice period constitutes acceptance of the updated DPA. If the Controller does not accept the changes, it may terminate the agreement by providing written notice before the effective date.
11. Governing Law
This DPA is governed by the laws of the State of Tennessee, consistent with the Terms of Service. Where the Controller is subject to the GDPR or other data protection regulations, the provisions of this DPA shall be interpreted in a manner consistent with those regulations.
12. Contact
For questions about this Data Processing Agreement or to exercise data protection rights, contact us at: info@jobclarity.io