This is the Clarence DPA template for Enterprise Customers. It is incorporated by reference into Enterprise order forms. If you are negotiating an enterprise agreement and want a downloadable copy or a mark-up version, contact legal@clarencelegal.ai.
Clarence Legal

Data Processing Agreement

Version dpa-1.0 · Effective 2026-05-21

This Data Processing Agreement ("DPA") is between:

  • Clarence Legal Limited, a company incorporated in England and Wales with company number 16983899 ("Processor" or "Clarence"); and
  • the Customer identified in the order form or otherwise contracting with Clarence to receive the Platform ("Controller" or "Customer").

It is entered into in connection with, and forms part of, the Terms & Conditions and any signed order form between the parties (together the "Principal Agreement"). In case of conflict on a data‑protection question, this DPA prevails over the Principal Agreement.


1. Definitions

In this DPA, the following terms have the meanings given to them in the UK GDPR:

  • "Personal Data", "Data Subject", "Processing", "Controller", "Processor", "Sub‑processor", "Personal Data Breach", "Special Category Data", "Supervisory Authority".

In addition:

  • "Applicable Data Protection Law" — the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR), and any other data‑protection law applicable to the Processing under this DPA (including, where the Customer is established in or processes Personal Data about EEA Data Subjects, the EU GDPR).
  • "Customer Personal Data" — Personal Data Processed by Clarence on the Customer's behalf in connection with the Platform.
  • "Platform" — the Clarence service described in the Principal Agreement.
  • "SCCs" — the European Commission's Standard Contractual Clauses (EU 2021/914) as supplemented by the UK Addendum issued under section 119A of the DPA 2018 (the "UK Addendum") and/or the UK International Data Transfer Agreement issued by the ICO ("IDTA"), as applicable to a given transfer.

2. Roles of the parties

The Customer is Controller in respect of Customer Personal Data. Clarence is Processor. The parties acknowledge that, in respect of certain Personal Data described in the Clarence Privacy Policy (e.g., User account telemetry, billing data, security logs), Clarence acts as Controller; that processing is governed by the Privacy Policy, not by this DPA.

Where Customer is itself a processor for a third‑party controller, the Customer warrants that it has authority to instruct Clarence as a sub‑processor under that third‑party controller's instructions.


3. Scope, subject matter and duration

The subject matter, nature, purpose, duration of Processing, categories of Personal Data and categories of Data Subjects are set out in Schedule 1 (Processing Particulars). The duration of the Processing is the term of the Principal Agreement plus any post‑termination period required for the return or deletion of data under Section 11.


4. Customer's instructions

Clarence will Process Customer Personal Data only on the documented instructions of the Customer. The Principal Agreement, this DPA, the Customer's use of the Platform in line with the Documentation, and any subsequent written instructions reasonably given by the Customer (and reasonably acceptable to Clarence) together constitute the Customer's documented instructions.

Clarence will inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law. Where a legal obligation requires Clarence to Process Personal Data otherwise than on the Customer's instructions, Clarence will inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.


5. Confidentiality

Clarence will ensure that all personnel authorised to Process Customer Personal Data are under a duty of confidentiality (whether contractual or statutory).


6. Security of Processing

Clarence will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to Customer Personal Data, as set out in Schedule 2 (Security Measures). Schedule 2 may be updated from time to time; updates that materially weaken the security posture require the Customer's prior written consent.

The Customer is responsible for the security of its own systems and credentials, including its Users' device security, and for configuring the Platform's available security features appropriately for its risk profile (e.g., enforcing MFA, managing seat access).


7. Sub‑processors

7.1 General authorisation

The Customer authorises Clarence to engage the sub‑processors listed in Schedule 3 (Sub‑processors) to Process Customer Personal Data, subject to the conditions in this Section 7.

7.2 New or replacement sub‑processors

Clarence will notify the Customer at least 30 days in advance of any new or replacement sub‑processor (the "Sub‑processor Change Notice"). During the notice period the Customer may object on reasonable data‑protection grounds. If the parties cannot resolve the objection within the notice period, the Customer may terminate the affected service for material breach without penalty (other than fees accrued to the date of termination).

7.3 Flow‑down

Clarence will impose data protection obligations on each sub‑processor that are substantively no less onerous than those in this DPA, by way of a written contract. Clarence remains liable to the Customer for the acts and omissions of its sub‑processors.

7.4 List

The current sub‑processor list is at Schedule 3 and is also published at /legal/dpa#subprocessors. The Customer may subscribe to update notifications by writing to privacy@clarencelegal.ai.


8. International transfers

Where Clarence (or a sub‑processor) Processes Customer Personal Data outside the United Kingdom (and, where applicable, outside the European Economic Area) to a country not subject to a UK adequacy decision (or equivalent), the parties will rely on one or more of the following mechanisms:

(a) the EU SCCs plus the UK Addendum, executed by reference under this DPA as set out in Schedule 4 (Transfer Mechanisms);
(b) the UK IDTA, executed by reference as set out in Schedule 4; or
(c) another lawful transfer mechanism recognised under Applicable Data Protection Law and notified to the Customer.

For the EU SCCs:

  • Module Two (Controller to Processor) applies where Customer is Controller and Clarence is Processor for the relevant transfer;
  • Module Three (Processor to Processor) applies where Customer is itself a Processor;
  • Clause 7 (docking) is selected;
  • Clause 9 option 2 (general authorisation for sub‑processors) is selected, with a 30‑day notice period (Section 7.2);
  • Clause 11 optional language is not included;
  • Clause 17 — governing law is England and Wales (where the UK Addendum applies);
  • Clause 18 — supervisory authority is the UK Information Commissioner's Office.

Clarence will conduct a transfer risk assessment for each onward transfer to a third country as part of its pre‑launch readiness and will implement supplementary measures as set out in Schedule 2 where the assessment requires them. A summary of the relevant assessments will be made available to the Customer on request.


9. Assistance with Data Subject requests

Taking into account the nature of the Processing, Clarence will assist the Customer by appropriate technical and organisational measures, insofar as possible, to fulfil the Customer's obligation to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law (access, rectification, erasure, restriction, portability, objection, withdrawal of consent).

Where Clarence receives a Data Subject request that relates to Customer Personal Data, it will (unless legally prohibited) (a) acknowledge receipt within 5 working days, (b) not respond directly to the Data Subject, and (c) forward the request to the Customer's designated contact.

The Customer is responsible for the substantive response to Data Subject requests.


10. Personal Data Breach notification

Clarence will notify the Customer of a Personal Data Breach affecting Customer Personal Data without undue delay and in any event within 72 hours of Clarence becoming aware of the breach. The notification will, to the extent then known:

(a) describe the nature of the breach (categories and approximate numbers of Data Subjects and Personal Data records concerned);
(b) identify the likely consequences;
(c) describe the measures taken or proposed to address the breach and mitigate its possible adverse effects;
(d) provide a contact point.

Clarence will provide reasonable cooperation in the Customer's investigation and in any required notification to a Supervisory Authority or Data Subjects.

A notification of a Personal Data Breach is not an admission of fault or liability.


11. Return or deletion at end of services

At the Customer's choice, on termination or expiry of the Principal Agreement (or earlier, on the Customer's written request), Clarence will:

(a) return Customer Personal Data to the Customer in a structured, commonly used and machine‑readable format; or
(b) delete Customer Personal Data,

within 30 days of the choice being made. Clarence will then certify deletion in writing on request.

This obligation is subject to:

  • Customer Personal Data retained in encrypted backups, which will be deleted on Clarence's standard backup rotation (currently 35 days); during that period Clarence will not restore the data except for disaster recovery and will not return it to active Processing;
  • Customer Personal Data that Clarence is required by law to retain (in which case Clarence will inform the Customer of the legal basis and the retention period); and
  • Customer Personal Data that has been irreversibly anonymised so it is no longer Personal Data.

If the Customer makes no choice within 30 days of termination, Clarence may, after giving the Customer reasonable further notice, delete Customer Personal Data.


12. Data Protection Impact Assessment and prior consultation

Clarence will provide reasonable assistance to the Customer with Data Protection Impact Assessments and prior consultation with Supervisory Authorities, taking into account the nature of the Processing and the information available to Clarence. Assistance that requires substantial resource beyond the information already documented in this DPA and the Privacy Policy may be charged at Clarence's standard professional rates.


13. Records of Processing

Clarence will maintain a record of Processing activities carried out on behalf of the Customer, in accordance with UK GDPR Article 30(2). Clarence will make the record available to the Customer on reasonable request.


14. Audit

Once per calendar year, and on no less than 30 days' written notice, the Customer may audit Clarence's compliance with this DPA, either by reviewing the most recent independent audit report Clarence makes available (e.g., SOC 2 / ISO 27001 once obtained) or, where that is not sufficient, by an audit conducted by the Customer or its appointed third‑party auditor (the auditor must not be a competitor of Clarence and must sign a reasonable NDA).

Audits must be carried out during normal business hours, must not unreasonably disrupt Clarence's operations, must respect the confidentiality of other Clarence customers' data, and the Customer must bear its own costs. Where an audit finds a material non‑compliance attributable to Clarence, Clarence will reimburse reasonable audit costs.

Additional audits may be required by a Supervisory Authority or following a Personal Data Breach.


15. Liability and indemnity

The liability provisions of the Principal Agreement (including any agreed cap) apply to this DPA. Nothing in this DPA limits liability that cannot be limited or excluded under Applicable Data Protection Law. Where Article 82 UK GDPR (right to compensation) applies, allocations of liability between the parties will be determined in accordance with Article 82(5).


16. Term and termination

This DPA takes effect on the same date as the Principal Agreement and continues for so long as Clarence Processes Customer Personal Data on the Customer's behalf, plus any post‑termination period under Section 11.

Termination of the Principal Agreement terminates this DPA, save for those clauses that by their nature survive (in particular Sections 5, 8, 10 (in respect of breaches that occurred during the term), 11, 13, 14, 15 and 17).


17. General

Governing law. This DPA is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the English courts.

Order of precedence. In case of conflict, this DPA prevails over the rest of the Principal Agreement on data protection matters, and the SCCs / UK Addendum / UK IDTA prevail over this DPA in respect of restricted international transfers.

Notices. Data‑protection notices to Clarence: privacy@clarencelegal.ai. Notices to the Customer: the email address of the Customer's designated data‑protection contact on file (or the primary billing email if none).

Entire agreement. This DPA, together with its Schedules and the Principal Agreement, is the entire agreement on the subject matter.


Schedule 1 — Processing Particulars

| Item | Detail |
| --- | --- |
| Subject matter | Processing of Customer Personal Data to provide the Platform (AI‑assisted contract drafting, playbook compliance, training, mediation and document generation). |
| Duration | Term of the Principal Agreement plus the post‑termination period under Section 11. |
| Nature and purpose | Hosting, transmission, storage, retrieval, organisation, AI Processing (model inference), display, deletion, backup. |
| Categories of Personal Data | Identifiers (name, work email, role/title); authentication data (password hash, sign‑in records); content data (Personal Data inside contracts, playbooks, training scenarios, chats, attachments, generated documents); usage telemetry (events, AI usage logs); device/network data (IP, user‑agent); billing data (where Customer is the billing entity). |
| Special Category Data | Not intended. Customers should not upload Special Category Data (UK GDPR Art. 9) or criminal‑offence data (Art. 10) except where strictly necessary for the contract use case. Where Customers do, Customer warrants it has a valid lawful basis and condition for Processing. |
| Categories of Data Subjects | Customer's employees, contractors and authorised Users of the Platform; counterparties named in contracts the Customer drafts in the Platform; other individuals identified in Customer Content. |

Schedule 2 — Security Measures

Clarence implements the following technical and organisational measures. The list reflects current measures and will be kept up to date.

Access control

  • Multi‑factor authentication enforced for all Clarence staff with production access.
  • Role‑based access control with principle of least privilege.
  • Multi‑tenant isolation via Row‑Level Security in PostgreSQL with a company‑scoped policy on every table holding tenant data.
  • Tenant‑scoped storage paths in file storage.
  • All administrative access to customer data is logged and reviewable.

Encryption

  • TLS 1.2+ for all data in transit.
  • AES‑256 at rest for the database and file storage.
  • At‑rest encryption applies to encrypted backups.

Resilience and continuity

  • Daily automated backups on a 35‑day rolling schedule.
  • Documented disaster recovery procedures with periodic tests.
  • Production and non‑production environments are segregated.

Logging and monitoring

  • Audit logging of administrative actions and security‑relevant events.
  • Automated alerting on anomalous sign‑in and admin patterns.
  • AI usage events logged in ai_usage_events for billing and security analytics.

Personnel

  • Background checks for staff with production access (subject to local law).
  • Annual data‑protection and security training.
  • Confidentiality obligations in every employment / contractor agreement.

Vendor management

  • All sub‑processors are subject to written contracts with data‑protection obligations no less onerous than this DPA.
  • Sub‑processor security posture is assessed before onboarding and reviewed periodically.

Vulnerability and incident management

  • Documented incident response process aligned to the 72‑hour breach notification requirement.
  • Vulnerability scanning of the production environment.
  • Penetration testing before broader launch and at least annually thereafter.
  • A responsible disclosure programme at security@clarencelegal.ai.

Specific AI safeguards

  • AI Processing is performed via Anthropic under enterprise terms that prohibit use of Customer Personal Data for foundation‑model training.
  • Where AI prompts/responses are logged for debugging or quality review, retention is short and access is restricted.
  • Tenant identifiers are carried through AI calls to prevent cross‑tenant context leakage.

Schedule 3 — Sub‑processors

The following sub‑processors are authorised under this DPA. Region columns reflect the primary processing region; sub‑processors may operate global infrastructure for resilience.

| Sub‑processor | Service | Region |
| --- | --- | --- |
| Anthropic, PBC | Large language model inference (AI features) | United States |
| Supabase, Inc. | Managed PostgreSQL database, authentication, file storage | UK / EU by default; otherwise per Customer order form |
| Vercel, Inc. | Application hosting, global edge network | United States (with global edge) |
| Stripe Payments Europe Ltd / Stripe, Inc. | Payment processing, subscription management, Stripe Tax (where Customer is the billing entity) | Ireland / United States |
| Resend, Inc. | Transactional and (where consented) marketing email delivery | United States |
| APITemplate.io | Server‑side PDF generation | Singapore / EU |
| n8n Cloud GmbH | Workflow orchestration (Clarence Legal instance) | Germany |

Updates to this Schedule are made in accordance with Section 7.


Schedule 4 — Transfer Mechanisms

Where Customer Personal Data is transferred from the United Kingdom (and, where applicable, the EEA) to a country without a UK adequacy decision (or equivalent), the parties incorporate the relevant SCCs and the UK Addendum (or the UK IDTA) by reference, with the following modular and option selections:

  • EU SCCs (Decision 2021/914) — Module Two (Controller → Processor) or Module Three (Processor → Processor) as applicable;
  • Clause 7 — Docking Clause included;
  • Clause 9 — Option 2 selected (general authorisation, 30‑day notice, Section 7.2 above);
  • Clause 11 — Optional language not included;
  • Clause 17 — Governing law: laws of England and Wales (via the UK Addendum);
  • Clause 18 — Supervisory authority: the UK Information Commissioner's Office.

The Annexes to the SCCs are completed by reference to Schedules 1, 2 and 3 of this DPA. The data exporter is the Customer (and, where applicable, its EEA / UK Affiliates). The data importer is Clarence. For onward transfers from Clarence to sub‑processors, Clarence will put in place SCCs or another lawful transfer mechanism between itself and each sub‑processor.

Where the UK IDTA is used instead of the EU SCCs + UK Addendum, Tables 1–4 are completed by reference to Schedules 1–3 and the parties' identifying information in the order form.


Signatures

This DPA is entered into between the parties on the effective date of the Principal Agreement. Where the Customer accepts the Clarence Terms & Conditions online and is on the Enterprise Plan or otherwise enters into an order form referencing this DPA, this DPA is incorporated by reference and treated as signed.


Version v0.2 — prepared 2026-05-26 incorporating John's review comments on v0.1. Not yet in force.


Questions about this document? Contact legal@clarencelegal.ai (general) or privacy@clarencelegal.ai (data protection).
