Data Processing Addendum

Last updated: April 23, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between you ("Customer") and Clarity Books AI, LLC ("Clarity Books") for the provision of the Clarity Books AI service. It applies to the extent Clarity Books processes Personal Data on Customer's behalf that is subject to the EU General Data Protection Regulation ("GDPR"), the UK GDPR, the California Consumer Privacy Act as amended ("CCPA/CPRA"), or other applicable data-protection laws. Where Customer is a consumer using the Service for personal or household purposes, the Privacy Policy governs.

1. Definitions

Terms not defined here have the meanings given in the applicable data-protection law.

  • Personal Data: any information relating to an identified or identifiable individual that Customer submits to or that is processed through the Service.
  • Processing: any operation performed on Personal Data.
  • Sub-processor: a third party engaged by Clarity Books that processes Personal Data on Clarity Books's behalf.
  • Controller / Processor / Business / Service Provider: as defined under GDPR and CCPA/CPRA, respectively.

2. Roles of the Parties

For Personal Data relating to Customer's end-users, contractors, and business contacts that Customer inputs into the Service, Customer is the Controller (or "Business") and Clarity Books is the Processor (or "Service Provider"). Clarity Books acts on Customer's documented instructions as set out in the Terms of Service and this DPA.

For Personal Data about Customer's own account (name, email, billing, usage), Clarity Books acts as the Controller, as described in the Privacy Policy.

3. Scope of Processing

The table below describes the processing performed by Clarity Books on Customer's behalf.

  • Subject matter: Provision of the Clarity Books AI bookkeeping service.
  • Duration: For the term of the subscription, plus retention periods in the Privacy Policy.
  • Nature and purpose: Importing, storing, categorizing, and reporting on financial transactions; sending SMS and email; account management; support.
  • Types of Personal Data: Name, email, phone number, business name, billing metadata, bank account metadata (no credentials), transaction descriptions, transaction amounts, dates, and AI-assigned categories.
  • Categories of data subjects: Customer; Customer's contractors and 1099 recipients (if entered); Customer's business contacts referenced in transactions.

4. Processor Obligations

Clarity Books will:

  • Process Personal Data only on Customer's documented instructions, including with regard to cross-border transfers, unless required by law;
  • Ensure that persons authorized to process Personal Data are bound by confidentiality;
  • Implement appropriate technical and organizational measures (see Section 7);
  • Assist Customer in responding to data-subject rights requests (access, deletion, portability, correction);
  • Notify Customer without undue delay (and no later than 72 hours) upon becoming aware of a Personal Data breach;
  • Make available information necessary to demonstrate compliance with this DPA;
  • At the end of the subscription, at Customer's choice, delete or return Personal Data, subject to retention required by law.

5. Sub-processors

Customer provides general authorization for Clarity Books to use the Sub-processors listed below. We maintain a current list; we will provide at least 14 days' advance notice of a new Sub-processor by email to the account owner, during which time Customer may object on reasonable data-protection grounds. If the parties cannot resolve the objection, Customer may terminate the affected portion of the Service for convenience.

  • Supabase: Database, auth, storage (US)
  • Vercel: Application hosting, CDN (US)
  • Plaid: Bank-account connectivity (US)
  • Anthropic: AI transaction categorization (no training on API data) (US)
  • Stripe: Payment processing (US)
  • Twilio: SMS delivery (US)
  • Resend / Postmark (or equivalent): Transactional email (US)

6. International Data Transfers

Clarity Books is established in the United States and Personal Data is processed in the United States. For transfers of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to the US, the parties incorporate by reference the EU Standard Contractual Clauses (Module Two: Controller to Processor), the UK International Data Transfer Addendum, and the Swiss SCC adjustments, each as applicable. The parties will cooperate in completing any required schedules upon written request.

7. Security Measures

Clarity Books implements the following technical and organizational measures:

  • Encryption in transit: TLS 1.3 for all traffic to and from the Service.
  • Encryption at rest: AES-256 for database and object storage at the infrastructure layer.
  • Access control: role-based access, multi-factor authentication for administrative access, and least-privilege defaults.
  • Database isolation: Postgres row-level security policies enforce per-customer data isolation at the database layer.
  • No storage of banking credentials: we never receive your online-banking username or password; Plaid handles authentication.
  • Logging and monitoring: audit logs for administrative and security-relevant events.
  • Secure SDLC: dependency scanning, code review, and protected branches.
  • Vendor due diligence: Sub-processors are selected from providers with SOC 2 or equivalent attestations where available.
  • Backups: encrypted, retention-limited, and tested for restoration.
  • Incident response: documented procedure and 72-hour breach-notification commitment.

8. Data Subject Rights Assistance

If Clarity Books receives a request directly from a data subject regarding Personal Data processed on Customer's behalf, we will, without undue delay, forward the request to Customer and will not respond except at Customer's direction or as required by law. For requests Customer receives, Clarity Books will provide reasonable assistance, taking into account the nature of the processing.

9. Deletion and Return of Personal Data

Upon termination, and at Customer's written direction made within 30 days of termination, Clarity Books will either return a copy of Customer's Personal Data in a common electronic format or delete it from live systems (within 48 hours) and encrypted backups (within 30 days), except for records we are legally required to retain (including tax and payment records, which may be retained for up to 7 years).

10. Audits

Customer may verify Clarity Books's compliance with this DPA once per calendar year by reviewing: (a) the Privacy Policy, this DPA, and the Security page; (b) any SOC 2 or equivalent attestations made available; and (c) written responses to a reasonable questionnaire. On-site audits are not included; where required by law, the parties will negotiate in good faith on scope, timing, and cost.

11. CCPA / CPRA-Specific Terms

Clarity Books is a Service Provider under the CCPA/CPRA. Clarity Books will not: (a) sell or share Personal Information (as those terms are defined under CCPA/CPRA); (b) retain, use, or disclose Personal Information outside the direct business relationship between Clarity Books and Customer; (c) combine Personal Information received from Customer with Personal Information from other sources except as permitted by the CCPA/CPRA. Clarity Books certifies that it understands and will comply with these restrictions.

12. Conflict; Survival

In the event of a conflict between the Terms of Service, the Privacy Policy, and this DPA regarding the processing of Personal Data, this DPA controls. This DPA will remain in effect for so long as Clarity Books processes Personal Data on Customer's behalf.

13. Contact

Questions about this DPA? Email brayden@claritybooksai.com.