Data Processing Agreement

1. Parties

This DPA is between BV Consulting AB ("Processor", "Clarifyr") and the customer entity ("Controller") that has agreed to the Terms of Service.

2. Subject matter

Clarifyr processes personal data on behalf of the Controller solely to provide the knowledge base ingestion and retrieval service as described in the Terms of Service.

3. Nature of processing

• Purpose: Indexing, embedding and semantic retrieval of knowledge base content
• Duration: For the term of the service agreement plus 90 days
• Types of data: Content submitted by Controller (may include personal data in support articles, video transcripts, etc.)
• Data subjects: Customers, employees or users of the Controller whose data appears in submitted content

4. Processor obligations

Clarifyr agrees to:

• Process personal data only on documented instructions from the Controller
• Ensure confidentiality of authorised personnel accessing the data
• Implement appropriate technical and organisational security measures
• Not use personal data to train or improve general AI models
• Assist the Controller in fulfilling GDPR data subject rights requests
• Delete or return all personal data upon termination of the agreement
• Make available all information necessary to demonstrate compliance

5. Sub-processors

Clarifyr uses the following sub-processors, all located within the EU:

We will notify Controllers at least 30 days in advance of any changes to sub-processors.

6. Security measures

• Encryption at rest (AES-256) and in transit (TLS 1.2+)
• API key authentication with hashed storage
• Access controls and least-privilege principles
• Access logs retained for 30 days
• Regular dependency and security updates

7. Data breaches

In the event of a personal data breach, Clarifyr will notify the Controller within 72 hours of becoming aware of the breach, providing sufficient information to meet GDPR notification obligations.

8. Contact

For DPA-related queries: [email protected]