Our GDPR-compliant DPA ensures your data is processed securely and in accordance with UK and EU data protection regulations.
Version 1.0 • Effective January 13, 2026
When you use Clarium, you remain the Data Controller for your organization's data. Clarium acts as a Data Processor, processing personal data only on your documented instructions.
We use carefully selected sub-processors including Supabase (EU database hosting), Vercel (web hosting), and Resend (transactional emails). A full list is available in Schedule B of the DPA.
All customer data is stored in EU data centers. We do not transfer personal data outside the EEA except where adequate safeguards are in place (e.g., Standard Contractual Clauses).
We implement technical and organizational measures including encryption at rest and in transit, row-level security, access controls, and regular security audits.
We assist you in fulfilling data subject rights requests including access, rectification, erasure, and portability within the timelines required by GDPR.
In the event of a personal data breach, we will notify you without undue delay and within 72 hours of becoming aware of the breach.
You have the right to audit our compliance with this DPA. We provide security certifications and audit reports upon request.
Upon termination of services, we will delete or return all personal data within 30 days, unless retention is required by law.
For Enterprise customers requiring a countersigned DPA, please contact us with your specific requirements.