Data Processing Addendum
Last updated: 10 February 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Clarity First Limited, trading as Clarity First ("Processor", "we", "us") and you ("Controller", "Customer") and governs the processing of personal data by the Processor on behalf of the Controller.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed under this DPA.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- "Data Subject" means the individual to whom Personal Data relates.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data.
- "Data Protection Laws" means the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Irish Data Protection Act 2018, and any other applicable data protection legislation.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for international data transfers.
2. Roles and Scope
2.1 Controller and Processor
For the purposes of this DPA, you (the Customer) are the Controller of Personal Data uploaded to or processed through the Clarity First service, and Clarity First acts as Processor on your behalf.
2.2 Scope of Processing
The Processor processes Personal Data solely to provide the Clarity First service, including:
- Conducting and recording discovery interviews
- Transcribing and analysing interview content
- Generating insights, patterns, and synthesis reports
- Storing project data and outputs
- Creating anonymised, aggregated data for service improvement (see 2.3)
2.3 Anonymised Data
The Controller authorises the Processor to create anonymised, aggregated data derived from the processing of Personal Data. Once data is anonymised such that it can no longer identify any individual, it is no longer Personal Data and falls outside the scope of this DPA. The Processor may use such anonymised data to improve its services, conduct research, and generate industry benchmarks.
3. Details of Processing
| Item | Details |
|---|---|
| Subject Matter | Provision of the Clarity First discovery and analysis platform |
| Duration | For the term of the service agreement plus data retention period |
| Nature and Purpose | Interview transcription, AI-assisted analysis, pattern detection, synthesis |
| Types of Personal Data | Names, job titles, contact details, opinions, interview responses, voice recordings |
| Categories of Data Subjects | Interview participants, employees of client organisations |
| Special Category Data | Not expected. The Controller should not upload special category data (Article 9 GDPR) without ensuring appropriate safeguards and lawful basis are in place. |
4. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including transfers to third countries
- Ensure persons authorised to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures
- Respect the conditions for engaging Sub-processors as set out in this DPA
- Assist the Controller in responding to Data Subject rights requests
- Assist the Controller in meeting obligations under Articles 32-36 of GDPR (security, breach notification, impact assessments)
- Delete or return all Personal Data at the end of the service, at the Controller's choice
- Make available information necessary to demonstrate compliance and allow for audits
5. Sub-processors
5.1 Authorised Sub-processors
The Controller authorises the use of the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database and authentication | EU (Frankfurt) |
| Vercel Inc. | Application hosting | EU edge locations |
| OpenAI LLC | Transcription and AI analysis | USA (with SCCs) |
| Anthropic PBC | AI synthesis and analysis | USA (with SCCs) |
| ElevenLabs Inc. | Text-to-speech | USA (with SCCs) |
| Tavily Inc. | Web research | USA (with SCCs) |
| Resend Inc. | Email delivery | USA (with SCCs) |
| Stripe Inc. | Payment processing | USA (with SCCs) |
5.2 Sub-processor Changes
We will notify you of any intended changes to Sub-processors by updating this page. You may object to a new Sub-processor by contacting us within 14 days. If we cannot reasonably accommodate your objection, you may terminate the affected services.
5.3 Sub-processor Obligations
All Sub-processors are bound by written agreements imposing data protection obligations equivalent to those in this DPA.
6. Security Measures
The Processor implements appropriate technical and organisational measures to protect Personal Data, as detailed in Annex II of this DPA. These include:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Access controls and authentication mechanisms
- Regular security assessments and vulnerability testing
- Employee training on data protection
- Incident response procedures
- Business continuity and disaster recovery measures
- Logging and monitoring of access to Personal Data
AI processing is limited to what is necessary to deliver the Service. Data shared with AI providers is minimised to the content required for the specific processing task. Customers may contact us to discuss processing configurations where available.
7. Data Subject Rights
The Processor will assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
If a Data Subject contacts us directly, we will promptly inform you unless legally prohibited.
8. Data Breach Notification
In the event of a Personal Data breach, the Processor will:
- Notify the Controller without undue delay, and in any event within 48 hours of becoming aware
- Provide information about the nature of the breach, categories of data affected, and likely consequences
- Describe measures taken or proposed to address the breach
- Cooperate with the Controller's investigation and regulatory notifications
9. International Transfers
Where Personal Data is transferred outside the EEA to Sub-processors in the United States, such transfers are made pursuant to:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Supplementary technical measures including encryption and access controls
- Data Processing Agreements with each Sub-processor
API-based AI services process data transiently and do not retain Personal Data beyond the immediate processing request.
10. Audit Rights
The Controller may audit the Processor's compliance with this DPA by:
- Requesting documentation of security measures and compliance certifications
- Conducting or commissioning an audit with reasonable notice (minimum 30 days)
- Reviewing third-party audit reports where available
Audits shall be conducted during normal business hours and shall not unreasonably disrupt operations. The Controller bears the costs of any audit.
11. Data Retention and Deletion
Upon termination of the service agreement or upon request:
- The Controller may request export of all Personal Data in a structured format
- The Processor will delete Personal Data within 12 months of contract expiry, unless retention is required by law
- The Controller may request earlier deletion at any time
- Deletion includes removal from active systems and backups (within 30 days for backups)
- Derived outputs (analysis reports, synthesis, generated insights) are treated as Customer data and included in deletion or return obligations
12. Liability
Liability under this DPA is subject to the limitations set out in the Terms of Service. Each party is liable for damages caused by its breach of Data Protection Laws or this DPA, in accordance with the allocation of responsibilities under GDPR Article 82.
13. Contact
For questions about this DPA or to exercise rights under it:
Email: info@clarityfirst.io
Postal Address:
Clarity First Limited
Trading as Clarity First
21 Morell Lawns
Naas
Co. Kildare
Naas, W91 YE1R
Ireland
Acceptance: By using the Clarity First service, you accept this Data Processing Addendum as part of the Terms of Service.
Annex II — Technical and Organisational Measures
The Processor maintains the following technical and organisational measures to protect Personal Data in accordance with GDPR Article 32.
1. Access Controls
- Role-based access controls with least privilege principles
- Multi-factor authentication for administrative accounts
- Restricted staff access on a need-to-know basis
- Access logging for sensitive systems
- Prompt deprovisioning upon role change or termination
2. Encryption
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption at rest for stored customer content
- Secure credential and key management practices
3. Infrastructure and Network Security
- Secure cloud hosting providers (Supabase EU, Vercel)
- Firewall and network protection controls
- Regular patching and vulnerability management
- Logical separation of customer environments where appropriate
4. Data Handling Safeguards
- Confidentiality obligations for all authorised personnel
- Sub-processor agreements with GDPR-aligned obligations
- Data minimisation practices for AI processing
- Customer content treated as confidential at all times
5. Monitoring and Incident Response
- Monitoring for unauthorised access or abnormal activity
- Internal incident response procedures
- Breach notification processes aligned with GDPR requirements
6. Backup and Continuity
- Regular backups with controlled retention periods
- Secure backup storage with encryption
- Restoration procedures to support business continuity