This Data Processing Agreement (“DPA”) forms part of the Terms of Service available at clarita.app/terms (the “Agreement”) between Clarita Technology Inc. (“Clarita” or “Processor”) and the entity identified in the applicable account or Order Form (“Customer” or “Controller”) (each a “Party” and together the “Parties”).
By using the Service, Customer agrees to this DPA. Where Customer has executed a separate agreement with Clarita that references or incorporates this DPA, the terms of this DPA shall apply to the processing of Personal Data under that agreement.
This DPA sets out the Parties’ obligations with respect to the processing and security of Personal Data in connection with Customer’s use of the Service. This DPA is intended to ensure compliance with applicable Data Protection Laws, including Canadian federal and provincial privacy legislation and U.S. state privacy laws.
This DPA applies to all processing of Personal Data by Clarita on behalf of Customer in connection with the provision of the Service. The subject matter, nature, purpose, duration, types of Personal Data, and categories of Data Subjects are described in Schedule A.
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing and protection of Personal Data. In the event of any conflict between this DPA and any applicable Data Protection Law, the requirements of such Data Protection Law shall prevail.
Capitalized terms not defined in this DPA have the meanings given to them in the Agreement. In this DPA:
“Applicable Data Protection Laws” or “Data Protection Laws” means all applicable laws, regulations, and binding guidance relating to the processing and protection of Personal Data, including: (a) the Personal Information Protection and Electronic Documents Act (PIPEDA); (b) Quebec’s Act respecting the protection of personal information in the private sector (as amended by Law 25); (c) any other applicable Canadian provincial privacy legislation; (d) the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA); (e) any other applicable U.S. state privacy legislation; and (f) to the extent applicable, the European Union General Data Protection Regulation (GDPR) and the United Kingdom GDPR.
“Controller” means the Party that determines the purposes and means of the processing of Personal Data. For the purposes of this DPA, Controller refers to Customer. Under PIPEDA and Quebec privacy law, this corresponds to the entity that collects and controls Personal Data. Under the CCPA/CPRA, this corresponds to the “Business.”
“Data Subject” means an identified or identifiable individual whose Personal Data is processed under this DPA.
“Personal Data” means any information that relates to, describes, identifies, or could reasonably be linked, directly or indirectly, to an identified or identifiable individual, as defined under the applicable Data Protection Laws. This includes “personal information” as defined under PIPEDA, Quebec privacy law, and the CCPA/CPRA.
“Processing” (and its variants, including “Process” and “Processed”) means any operation or set of operations performed on Personal Data, whether by automated or manual means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination, combination, restriction, erasure, and destruction.
“Processor” means the Party that processes Personal Data on behalf of the Controller. For the purposes of this DPA, Processor refers to Clarita. Under the CCPA/CPRA, this corresponds to a “Service Provider.”
“Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by Clarita under this DPA. A Security Incident does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, such as failed login attempts, pings, port scans, denial-of-service attacks, or similar incidents.
“Sub-processor” means any third party engaged by Clarita to process Personal Data on behalf of Customer in connection with the Service.
Customer is the Controller of Personal Data processed through the Service. Customer is responsible for: (a) determining the lawful basis for processing Personal Data; (b) ensuring that it has obtained all necessary consents and provided all required notices to Data Subjects in accordance with applicable Data Protection Laws; (c) the accuracy, quality, and legality of Personal Data provided to Clarita; and (d) complying with its obligations as a Controller under applicable Data Protection Laws.
Clarita shall process Personal Data solely on behalf of and in accordance with Customer’s documented instructions, as described in this DPA and the Agreement. Clarita shall not: (a) process Personal Data for any purpose other than as necessary to provide the Service and fulfill its obligations under the Agreement; (b) “sell” or “share” Personal Data (as those terms are defined under the CCPA/CPRA); (c) retain, use, or disclose Personal Data for any commercial purpose other than providing the Service; or (d) combine Personal Data with personal data received from or on behalf of other customers or collected from Clarita’s own interactions with Data Subjects, except as expressly permitted by applicable Data Protection Laws.
Clarita certifies that it understands and will comply with the restrictions and obligations set forth in this DPA and applicable Data Protection Laws. Clarita shall promptly inform Customer if, in Clarita’s opinion, an instruction from Customer infringes applicable Data Protection Laws.
Clarita shall process Personal Data only in accordance with Customer’s documented instructions. The Agreement (including this DPA) constitutes Customer’s initial instructions. Customer may issue additional or modified instructions to Clarita in writing, provided such instructions are consistent with the Agreement and the nature of the Service.
The details of Clarita’s processing activities, including the subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects, are described in Schedule A.
If Customer requires processing beyond the scope described in Schedule A or the Agreement, Clarita will cooperate in good faith to accommodate such requests, which may require a separate written agreement and additional fees. Clarita is not obligated to perform processing outside the scope of the Service.
Clarita shall promptly notify Customer if it becomes aware that processing of Personal Data under Customer’s instructions may violate applicable Data Protection Laws, unless prohibited from doing so by applicable law. Clarita may suspend the relevant processing until Customer issues new instructions that Clarita reasonably determines are compliant.
Clarita shall ensure that access to Personal Data is limited to personnel who have a need to access it for the purposes of performing Clarita’s obligations under the Agreement and this DPA (“Authorized Personnel”).
Clarita shall ensure that all Authorized Personnel: (a) are bound by written confidentiality obligations at least as protective as those set forth in this DPA; (b) have received appropriate training on data protection and privacy; and (c) process Personal Data only in accordance with Customer’s instructions as set forth in this DPA.
Clarita shall provide regular data protection and security awareness training to Authorized Personnel who process Personal Data.
Clarita shall implement and maintain appropriate technical and organizational security measures designed to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, or disclosure. These measures shall be appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. The specific security measures are described in Schedule B.
Without limiting Section 6.1, Clarita’s security measures shall include, at a minimum:
Clarita shall regularly review and, where appropriate, update its security measures to reflect changes in technology, industry standards, and the risk profile of its processing activities. Clarita shall not materially reduce the overall level of security provided under this DPA during the term of the Agreement.
Customer provides general written authorization for Clarita to engage Sub-processors to process Personal Data in connection with the Service, subject to the requirements of this Section 7. The current list of Sub-processors is available at clarita.app/sub-processors.
Before engaging any Sub-processor, Clarita shall: (a) conduct reasonable due diligence to evaluate the Sub-processor’s ability to provide adequate data protection; and (b) enter into a written agreement with the Sub-processor that imposes data protection obligations no less protective than those set forth in this DPA.
Clarita shall provide Customer with at least thirty (30) days’ prior written notice before engaging any new Sub-processor or replacing an existing Sub-processor. Notice will be provided via email to the address associated with Customer’s account and by updating the Sub-processor list at clarita.app/sub-processors. Customer may subscribe to notifications of Sub-processor changes at the same URL.
If Customer has a reasonable, good-faith objection to a new or replacement Sub-processor based on legitimate data protection grounds, Customer shall notify Clarita in writing within fifteen (15) days of receiving notice. The Parties shall work together in good faith to resolve the objection, which may include Clarita providing additional information about its due diligence, offering an alternative Sub-processor, or modifying the processing arrangement. If the Parties are unable to resolve the objection within thirty (30) days of Customer’s notice, Customer may terminate the affected portion of the Service (or the Agreement, if the Sub-processor is essential to the Service as a whole) and receive a pro-rata refund of any prepaid fees for the unused portion of the Subscription Term.
Clarita shall remain fully liable to Customer for the acts and omissions of its Sub-processors in relation to the processing of Personal Data to the same extent as if Clarita had performed the processing itself.
Clarita shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling Customer’s obligation to respond to requests from Data Subjects exercising their rights under applicable Data Protection Laws, including requests for access, rectification, erasure, restriction, portability, and objection.
If Clarita receives a request directly from a Data Subject relating to Personal Data processed on behalf of Customer, Clarita shall promptly (and in any event within five (5) business days) notify Customer of the request and shall not respond to the Data Subject directly unless: (a) directed to do so by Customer; (b) required to do so by applicable law (in which case Clarita will, to the extent permitted, inform Customer before responding); or (c) the response is limited to directing the Data Subject to contact Customer.
Clarita shall provide Customer with reasonable self-service functionality within the Service to enable Customer to access, export, correct, and delete Personal Data, to the extent technically feasible. Where self-service functionality does not cover a specific Data Subject request, Clarita shall provide reasonable manual assistance to Customer upon request.
Clarita shall notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Security Incident. Notification shall be made via email to the address associated with Customer’s account and, where available, through an additional communication channel designated by Customer.
The notification shall include, to the extent reasonably available at the time of notification (with updates provided as additional information becomes available):
Clarita shall: (a) take all commercially reasonable steps to contain, investigate, and remediate the Security Incident; (b) cooperate with Customer in connection with any investigation, notification, or remediation efforts, including providing Customer with reasonably requested information and assistance; and (c) preserve evidence related to the Security Incident as reasonably requested by Customer or as required by applicable law.
Customer is solely responsible for determining whether a Security Incident triggers any notification obligations to Data Subjects, regulators, or other parties under applicable Data Protection Laws, and for making such notifications. Clarita shall cooperate with Customer to provide information necessary for Customer to fulfill its notification obligations.
In accordance with Quebec Law 25, Clarita shall maintain a register of all confidentiality incidents, including those that do not present a risk of serious injury. The register shall include a description of the incident, the Personal Data affected, the date of the incident or the period in which it occurred, the date on which Clarita became aware of the incident, and the measures taken to reduce the risk of harm. Records shall be retained for a minimum of five (5) years from the date Clarita became aware of the incident.
Clarita shall provide reasonable assistance to Customer in conducting privacy impact assessments (“PIAs”) and prior consultations with supervisory authorities, to the extent that such assessments relate to Clarita’s processing of Personal Data under this DPA. Assistance may include providing information about Clarita’s processing activities, security measures, and Sub-processors.
In accordance with Quebec Law 25, Clarita conducts PIAs for its own processing activities, including assessments of cross-border data transfers and the implementation of new technologies that involve the collection, use, or disclosure of Personal Data. Summaries of relevant PIAs are available upon request.
Customer acknowledges that in the course of providing the Service, Personal Data may be transferred to and processed in jurisdictions outside Customer’s jurisdiction of residence, including Canada, the United States, and other countries where Clarita’s Sub-processors operate. The current processing locations are identified in Schedule A.
For all cross-border transfers of Personal Data, Clarita shall ensure that appropriate safeguards are in place, including:
To the extent that the processing of Personal Data under this DPA is subject to the GDPR or UK GDPR, and such processing involves a transfer of Personal Data to a country that has not received an adequacy determination from the European Commission or UK Secretary of State (as applicable), the Parties agree that such transfers shall be subject to the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914) or their UK equivalent, as applicable. The Standard Contractual Clauses are hereby incorporated by reference and shall be deemed completed with the information set forth in Schedule A. In the event of a conflict between the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses shall prevail with respect to such transfers.
Clarita shall, to the extent legally permitted, promptly notify Customer if Clarita receives any request or order from a governmental or regulatory authority for access to or disclosure of Personal Data processed under this DPA. Clarita shall not disclose Personal Data in response to such a request unless required to do so by applicable law, and shall cooperate with Customer in challenging such requests where appropriate.
During the Subscription Term, Customer may access, export, and delete Personal Data through the self-service functionality of the Service or by contacting Clarita at privacy@clarita.app.
Upon expiration or termination of the Agreement, Clarita shall:
Clarita may retain Personal Data to the extent required by applicable law, regulation, or legal process, or to maintain its confidentiality incident register as required by Quebec Law 25. Any retained Personal Data shall continue to be protected in accordance with this DPA and shall be processed solely for the purpose for which retention is required.
Clarita shall make available to Customer, upon reasonable request, all information reasonably necessary to demonstrate compliance with this DPA and applicable Data Protection Laws. This includes access to relevant policies, procedures, certifications, audit reports, and summaries of privacy impact assessments.
Clarita shall, at its own expense, engage an independent, qualified third-party auditor to conduct an annual assessment of Clarita’s security controls and data processing practices. Clarita will provide Customer with a summary of the most recent audit findings upon written request, subject to confidentiality obligations. Accepted audit frameworks include SOC 2 Type II, ISO 27001, or equivalent certifications.
If Customer reasonably determines that the information and certifications provided under Sections 13.1 and 13.2 are insufficient to verify Clarita’s compliance with this DPA, Customer may, at its own expense, conduct or commission a reasonable audit of Clarita’s processing activities, subject to the following conditions:
If an audit reveals any material non-compliance with this DPA, Clarita shall promptly develop and implement a remediation plan and provide Customer with reasonable progress updates until the non-compliance is resolved.
Each Party’s liability under this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement, except as otherwise required by applicable Data Protection Laws.
Each Party shall indemnify and hold harmless the other Party from and against any losses, damages, fines, penalties, costs, and expenses (including reasonable attorneys’ fees) arising from or related to any breach of this DPA by the indemnifying Party or its personnel, Sub-processors, or agents, subject to the limitation of liability provisions in the Agreement.
This DPA shall become effective on the date Customer accepts the Agreement and shall remain in effect for the duration of the Agreement. This DPA shall automatically terminate upon the termination or expiration of the Agreement, subject to any provisions that survive termination.
Sections 2, 6, 9.5, 12, 13, 14, and 16 shall survive any termination or expiration of this DPA.
This DPA shall be governed by and construed in accordance with the laws of the Province of Quebec and the federal laws of Canada applicable therein, consistent with the governing law provisions of the Agreement. This choice of law does not affect the applicability of mandatory data protection provisions of other jurisdictions where applicable.
Clarita may update this DPA from time to time to reflect changes in applicable Data Protection Laws, industry standards, or Clarita’s processing activities. Clarita shall provide Customer with at least thirty (30) days’ prior written notice of any material changes. Customer’s continued use of the Service after the effective date of any update constitutes acceptance of the updated DPA.
This DPA (including its Schedules) constitutes the entire agreement between the Parties with respect to the processing and protection of Personal Data in connection with the Service and supersedes all prior agreements, understandings, and communications on such subject matter.
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
For any questions or concerns regarding this DPA, please contact:
Nicholas Martin, Data Protection Officer
Email: privacy@clarita.app
Clarita Technology Inc., 342 Penn, Beaconsfield, QC H9W 1B6, Canada

| Element | Description |
|---|---|
| Subject Matter | Processing of Personal Data in connection with Customer’s use of the Clarita cloud-based certificate of insurance management platform. |
| Duration | For the duration of the Agreement, plus any applicable data retention period following termination as described in Section 12. |

| Nature of Processing | Purpose |
|---|---|
| Collection, storage, organization, structuring, retrieval, consultation, use, transmission, and erasure | To provide the Service, including uploading, parsing, storing, organizing, and managing certificates of insurance and related documents; monitoring insurance compliance; sending automated notifications and alerts; generating reports and analytics; providing customer support; and enabling integrations with third-party systems as directed by Customer. |

| Category | Examples |
|---|---|
| Account and Contact Information | Names, email addresses, phone numbers, job titles, company names, and mailing addresses of Customer’s Authorized Users. |
| Certificate of Insurance Data | Named insured names and addresses, insurance broker and agent names and contact information, policy numbers, coverage types and limits, effective and expiration dates, certificate holder names and addresses, and additional insured information. |
| Usage Data | IP addresses, login timestamps, feature usage data, and activity logs associated with Authorized Users. |
| Communications Data | Support requests, messages, and other communications exchanged through or in connection with the Service. |

| Category | Description |
|---|---|
| Customer’s Authorized Users | Employees, contractors, and agents of Customer who are authorized to access the Service. |
| Third-Party Individuals on Certificates | Named insureds, insurance brokers, agents, certificate holders, and additional insureds whose information appears on certificates of insurance uploaded to the Service by Customer. |
| Customer’s Business Contacts | Individuals at Customer’s vendors, contractors, or subcontractors whose contact information is processed through the Service for compliance tracking purposes. |

| Location | Purpose |
|---|---|
| Canada | Primary hosting and processing infrastructure |
| United States | Sub-processor services (as identified in our sub-processor list) |

Clarita maintains the following security measures to protect Personal Data. These measures are reviewed and updated periodically to reflect evolving threats and industry best practices.

| Measure | Standard |
|---|---|
| Data in transit | TLS 1.2 or higher for all communications between clients and the Service, and between internal service components. |
| Data at rest | AES-256 encryption (or equivalent) for all stored Personal Data, including database storage and backups. |
| Key management | Encryption keys managed through industry-standard key management systems with regular rotation. |

| Measure | Description |
|---|---|
| Authentication | Unique user credentials required for all access. Multi-factor authentication required for administrative and privileged access. |
| Authorization | Role-based access control (RBAC) with least-privilege principle. Access granted based on job function and reviewed periodically. |
| Session management | Automatic session timeout, secure session tokens, and protection against session fixation and hijacking. |
| Tenant isolation | Logical separation of Customer data in multi-tenant architecture, enforced at the application and database layers. |

| Measure | Description |
|---|---|
| Firewalls | Network and web application firewalls with regularly updated rulesets. |
| Intrusion detection | Intrusion detection and prevention systems monitoring for malicious activity. |
| DDoS protection | Distributed denial-of-service mitigation through infrastructure provider. |
| Network segmentation | Production, staging, and development environments logically separated. |

| Measure | Description |
|---|---|
| Secure development | Secure software development lifecycle (SDLC) including code review, static analysis, and security testing. |
| Vulnerability management | Regular vulnerability scanning and timely patching of identified vulnerabilities based on severity. |
| Security assessments | Periodic security assessments and vulnerability testing, with remediation of identified findings based on risk severity. |
| Input validation | Server-side input validation, output encoding, and protection against common web application vulnerabilities (OWASP Top 10). |

| Measure | Description |
|---|---|
| Audit logging | Comprehensive logging of access to Personal Data, administrative actions, and security-relevant events. |
| Log retention | Security and audit logs retained for a minimum of twelve (12) months. |
| Monitoring | Automated monitoring and alerting for anomalous activity, unauthorized access attempts, and system availability. |

| Measure | Description |
|---|---|
| Backups | Regular automated backups of Customer Data with encryption. Backup restoration tested periodically. |
| Redundancy | Redundant infrastructure components to minimize single points of failure. |
| Disaster recovery | Documented disaster recovery plan with defined recovery time and recovery point objectives. Plan tested at least annually. |

| Measure | Description |
|---|---|
| Data Protection Officer | Designated DPO responsible for overseeing data protection compliance: Nicholas Martin (privacy@clarita.app). |
| Training | Regular privacy and security awareness training for all personnel with access to Personal Data. |
| Policies | Documented information security policies, acceptable use policies, and incident response procedures. |
| Vendor management | Due diligence and contractual safeguards for Sub-processors, including security assessments and data protection agreements. |
| Background checks | Background verification for personnel with access to production systems and Personal Data, in accordance with applicable law. |