Data Processing Addendum
Effective July 17, 2026. This page describes how ClauseMinds approaches these topics for transparency. It is not legal advice; have counsel review for your organization.
About this DPA
This Data Processing Addendum ("DPA") forms part of the agreement between ClauseMinds ("Processor", "we") and the customer identified in the applicable order or account ("Customer", "Controller") covering Customer's use of the ClauseMinds service ("Service"). It applies where ClauseMinds processes personal data contained in Customer content — most commonly names, contact details, and signature blocks inside uploaded contracts — on Customer's behalf.
To execute this DPA, request a countersigned copy via our contact page. For customers who do not require a signed copy, this published DPA applies to the Service by reference from our Terms.
1. Definitions
"Data Protection Laws" means all laws applicable to the processing of personal data under the agreement, including, where applicable, the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, and the California Consumer Privacy Act ("CCPA"). "Personal data", "processing", "controller", "processor", and "data subject" have the meanings given in the GDPR. "Customer Data" means data Customer submits to the Service, including uploaded contract files and the data extracted from them.
2. Roles and scope of processing
Customer is the controller of Customer Data; ClauseMinds is a processor. ClauseMinds processes Customer Data only to provide, maintain, and secure the Service, and only on Customer's documented instructions, which are: the agreement, this DPA, and Customer's configuration and use of the Service. Annex 1 describes the subject matter, duration, nature, and purpose of processing and the categories of data and data subjects. ClauseMinds will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.
3. Confidentiality
ClauseMinds ensures that persons authorized to process Customer Data are bound by confidentiality obligations. Access to production Customer Data is restricted to personnel who need it to operate or support the Service, and access is logged.
4. Security
ClauseMinds implements and maintains the technical and organizational measures described in Annex 2, and will not materially decrease the overall security of the Service during a subscription term. Customer is responsible for configuring and using the Service securely, including managing workspace membership and roles.
5. Subprocessors
Customer grants ClauseMinds general authorization to engage the subprocessors listed at clauseminds.com/subprocessors, which is incorporated into this DPA. ClauseMinds will update that page before adding or replacing a subprocessor that processes Customer contract content and, for customers with an executed DPA, provide notice of material changes. Customer may object on reasonable data-protection grounds within 30 days of notice; if the objection cannot be resolved, Customer may terminate the affected subscription and receive a pro-rata refund of prepaid fees. ClauseMinds remains responsible for its subprocessors' performance under this DPA.
6. AI model processing
Where Customer enables AI-assisted features, contract text is sent to the language-model subprocessor identified on the subprocessors page via its business API. Under that provider's API terms, API data is not used to train the provider's models. ClauseMinds does not use Customer Data to train models of its own or anyone else's. AI-assisted outputs are grounded to quoted source text within the Service so Customer can verify them against the underlying document.
7. Assistance
Taking into account the nature of processing, ClauseMinds will assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligations to respond to data subject requests, and in Customer's compliance with its obligations regarding security, breach notification, and data protection impact assessments under Articles 32–36 GDPR.
8. Personal data breach
ClauseMinds will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Data, and will provide information reasonably available to help Customer meet its own notification obligations, followed by timely updates as the investigation proceeds.
9. Deletion and return
Customer can delete contracts and associated extracted data in-product at any time. Upon termination of the agreement, ClauseMinds will, at Customer's choice, delete or return Customer Data and delete existing copies within 30 days, unless retention is required by law. Backups are purged on the backup provider's rotation schedule.
10. Audits
ClauseMinds will make available information reasonably necessary to demonstrate compliance with this DPA, including summaries of security practices and subprocessor agreements, and will allow for and contribute to audits, including inspections, conducted by Customer or its mandated auditor, no more than once per year on reasonable notice, in a manner that does not compromise the security or confidentiality of other customers.
11. International transfers
Where processing involves a transfer of personal data from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate the European Commission's Standard Contractual Clauses (Module 2: controller to processor) and, for UK transfers, the UK International Data Transfer Addendum, completed with the details in Annex 1 and Annex 2. ClauseMinds relies on its subprocessors' equivalent transfer mechanisms for onward transfers.
12. Liability and order of precedence
Each party's liability under this DPA is subject to the limitations of liability in the agreement. In case of conflict between this DPA and the agreement regarding the processing of personal data, this DPA prevails.
Annex 1 — Details of processing
- Subject matter and duration: processing of Customer Data to provide the Service for the term of the agreement plus the deletion window in Section 9.
- Nature and purpose: storage, text extraction, AI-assisted analysis, obligation and deadline tracking, drafting and review assistance, notifications, and related support.
- Categories of data subjects: Customer's personnel and users; signatories, representatives, and contacts of Customer's contract counterparties.
- Categories of personal data: identification and business contact data appearing in contracts (names, titles, emails, addresses, signatures); account data of Customer's users. The Service is not intended for special categories of data; Customer should not upload documents containing them.
Annex 2 — Technical and organizational measures
- Workspace-level tenancy isolation enforced at the application and API layers.
- Role-based access control with scoped capabilities; least-privilege defaults.
- TLS encryption in transit; encrypted storage at rest via hosting providers.
- Private storage buckets; production configuration validated at deploy readiness.
- Authentication via a managed identity provider; SSO available.
- Audit logging of security-relevant actions within the Service.
- Upload validation (type, size); rate limiting on sensitive endpoints.
- Segregated environments; production access restricted and logged.
- Dependency scanning and security review in the release pipeline.
- Documented incident response with customer notification (Section 8).