Data Processing Addendum (Standard Form Review Draft)

This Data Processing Addendum ("DPA") supplements the agreement between CleverCat and the customer entity that purchases, installs, or uses CleverCat services ("Customer"). It applies when CleverCat processes Customer-authorized personal data in connection with DupliCat, PressKit, TabCalendar, or related support operations.

This draft is focused on Customer data processed through CleverCat services and related support flows. It does not replace the Customer's separate direct terms with HubSpot or other third-party platforms the Customer uses directly.

If the parties execute a version of this DPA, that executed version governs over this review draft for the relevant customer relationship. Except where this DPA adds processor-specific obligations, the main agreement remains in effect.

Customer acts as controller or business, and CleverCat acts as processor or service provider, for the personal data processed through the services on Customer's behalf.

CleverCat will process personal data only on Customer's documented instructions as expressed through the main agreement, installed-app configuration, support requests, and other written directions that are consistent with the services and applicable law.

CleverCat will ensure that personnel authorized to process personal data are bound by confidentiality obligations and limited to the access needed to operate, support, and secure the services.

Access will stay scoped to operational need, support triage, incident response, and service reliability work tied to Customer's use of the services.

CleverCat will maintain reasonable and appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

Current operational measures are summarized in Annex 2 below and should be read together with the public security, privacy, support, and subprocessor disclosures published on this site.

Customer authorizes CleverCat to use subprocessors needed to operate the services and related support workflows, provided those subprocessors are bound by data-protection obligations appropriate to the processing they perform.

Current subprocessors are disclosed on the public /subprocessors page. That page is the umbrella diligence inventory for both clevercat.app and installed app operations, so not every listed processor is necessarily used for every Customer workflow.

Taking into account the nature of the processing, CleverCat will provide reasonable assistance to help Customer respond to data-subject requests, regulator inquiries, and similar data-protection obligations that relate to the services.

If CleverCat becomes aware of a confirmed personal-data incident affecting Customer data within the scope of this DPA, CleverCat will notify Customer without undue delay through the customer contact associated with the request, support relationship, or other contact then on file, and may also use the public status path for broader service updates where appropriate.

Customer acknowledges that CleverCat and its subprocessors may process data in the regions disclosed on the public subprocessor page for the relevant service components.

If a restricted international transfer requires an additional transfer mechanism under applicable law for the relevant service relationship, the parties will execute the required mechanism, including applicable standard contractual clauses where relevant, as part of the DPA execution process.

CleverCat will make available information reasonably necessary to demonstrate its processing posture, including the public security, privacy, subprocessor, status, and procurement surfaces maintained on clevercat.app and reasonable supplemental diligence materials coordinated through support.

If Customer has a material legal requirement that is not addressed by those materials, CleverCat will coordinate a reasonable supplemental diligence path through support, including targeted questionnaire responses or follow-up materials where appropriate. Any deeper review must remain proportionate to the services and protect CleverCat confidential information and the security of other customers.

Upon valid Customer request or termination of the relevant services, CleverCat will follow its documented portal-level deletion process for stored app records, tokens, settings, and related CleverCat-controlled portal data.

Deletion handling remains subject to documented retention windows, including limited backup retention that can preserve some deleted CleverCat-controlled portal rows for up to 30 days before backup expiration.

This DPA is subject to the liability, disclaimer, and dispute terms of the main agreement unless a separately executed DPA states otherwise.

This public page is a standard-form review draft. Signatures, customer legal entity details, and negotiated redlines are handled manually through support.