Data Processing Agreement (DPA)

Version effective as of 2026-06-06. This agreement governs the processing of engagement content by CleverContracts on behalf of freelancer users.

1. Roles

For engagement content (scope text, terms, messages, file attachments, change items, time entries, and client identifiers in that context), the freelancer user (“you”) is the controller and CleverContracts (operated by Lionel Wermelinger and Fynn Auerbach) is the processor.

For account, billing, and security operations, CleverContracts acts as a controller as described in the Privacy Policy. This DPA covers only the processor relationship for engagement content.

2. Subject matter and scope of processing

CleverContracts processes engagement content solely to provide the service as described in the Terms of Service. This includes:

  • Storing and displaying engagement records (scope, terms, changes, messages)
  • Enabling client portal access (verify-to-view) for review and approvals
  • Generating exports, receipts, and snapshots
  • Sending transactional emails (invitations, approval reminders, OTP codes)
  • Operating security and abuse-prevention controls (rate limiting, content moderation)
  • Enforcing retention rules (automatic redaction of expired content per the retention summary)
3. Categories of data and data subjects

Data categories processed:

  • Engagement scope and terms text (versioned)
  • Messages and structured change requests
  • File attachments and associated metadata
  • Change items with approval/decline receipts (typed name, decision, timestamp)
  • Time entries (date, duration, description)
  • Client contact identifiers used to invite and attribute participation (email, display name)
  • Client notes (private freelancer notes about a client)

Data subjects:

  • Clients of the freelancer (invited to the portal or referenced in engagement content)
  • Any individuals whose personal data appears in freelancer-created content (scope text, messages, notes)
4. Purpose limitation

CleverContracts processes engagement content solely for the purpose of providing the service. We do not:

  • Use engagement content for our own marketing or advertising
  • Use engagement content to train AI models — as configured with our AI provider under applicable Google Cloud Service Specific Terms (§18 Training Restriction)
  • Sell or rent engagement content to third parties
  • Access engagement content except as needed to provide the service, enforce security, or comply with legal obligations
5. AI processing

When you enable AI features and use them on an engagement, engagement content (scope, messages, changes) is sent to Google Vertex AI / Gemini for processing. This processing occurs only when you explicitly trigger an AI action.

The content sent is truncated (maximum 4,000 characters per message, maximum 50 messages per request). Under Google Cloud Service Specific Terms (§18 Training Restriction, §20 Generative AI Services), prompts and generated output are not stored outside our Google Cloud account longer than reasonably necessary to create output, absent our permission or instruction. Google may retain data where required for service operation, abuse monitoring (suspicious prompts may be logged up to approximately 90 days for safety review), security, or legal compliance. No customer data is used for model training without prior permission or instruction.

AI features are opt-in and off by default. Enabling AI requires two-factor authentication step-up. You can disable AI at any time. See the AI Policy for full details.

6. Sub-processors

CleverContracts uses the following sub-processors to provide the service. These providers process data only to deliver their respective services.

Sub-processorServiceCountrySafeguard
Google / FirebaseFirestore database, file storage, authenticationUSAGoogle Cloud CDPA + EU-US DPF + SCCs
Google / Vertex AIAI inference — opt-in (Gemini)USA (configurable region)Google Cloud CDPA + EU-US DPF + SCCs
VercelHosting, edge functions, KV storeUSA / GlobalSCCs
UpstashRate limiting (Redis)USA / EUSCCs
ResendEmail delivery (landing)USASCCs

Stripe, Inc. processes the Controller's own billing data (email, workspace metadata) under the Privacy Policy as a separate controller-processor relationship. Stripe does not process end-client personal data under this DPA.

Google may engage its own subprocessors for Firebase and Vertex AI services. Google provides at least 30 days’ advance notice of new subprocessors where required by the Google Cloud CDPA. The right to object to a Google subprocessor is governed by the Google Cloud CDPA, which generally requires termination of the GCP service relationship rather than per-vendor blocking.

CleverContracts will update this sub-processor list when material changes affecting engagement content occur, and will forward relevant Google-originated notices to you as required under §11 below. We ensure that all sub-processors are bound by data protection obligations no less protective than those in this DPA.

7. International data transfers

Engagement content may be transferred to and processed in Switzerland, the EEA, and the United States.

For transfers involving Google services (Firebase and Vertex AI), we rely on the Google Cloud Data Processing Addendum (CDPA), which incorporates Standard Contractual Clauses (SCCs), and the EU-US Data Privacy Framework (DPF) where applicable. These mechanisms also address Swiss revFADP requirements for transfers to the United States. For other sub-processors, we rely on the EU-US DPF and SCCs as safeguards.

8. Retention and deletion

Engagement content is retained and deleted according to the periods described in the data retention summary. In brief:

  • Message bodies are redacted after 18 months (placeholder retained)
  • File attachments are deleted after 6 months (metadata placeholder retained)
  • Durable records (approvals, scope versions) persist until engagement or account deletion

CleverContracts deletes engagement content from the application layer promptly after a valid deletion request (engagement deletion or account deletion). Because our infrastructure runs on Google Cloud services, deleted Customer Data may remain in backups, replicas, logs, or other backend systems for a limited period in accordance with the Google Cloud Data Processing Addendum, generally up to 180 days after the deletion instruction, and up to an additional 30-day recovery period before deletion runs on contract termination, unless applicable law requires longer retention.

Client portal access is revoked immediately upon engagement or account deletion. Accounting records subject to the 10-year retention period (Swiss OR Art. 958f) are preserved separately from the regular account deletion process.

9. Security measures

CleverContracts implements the following technical and organizational measures to protect engagement content:

  • Encryption in transit: HTTPS/TLS for all web traffic
  • Encryption at rest: AES-256 via Google Cloud default encryption
  • Server-mediated access: All database access through server-side API routes; no direct client-side database access
  • Session security: HttpOnly, Secure, SameSite cookies; CSRF double-submit protection
  • 2FA and step-up: TOTP and WebAuthn passkeys for freelancers; required for high-trust actions
  • Rate limiting: Redis-based rate limiting for APIs, OTP attempts, and file uploads
  • Input validation: Schema validation (Zod) for all API inputs
  • No PII in logs: Message bodies, scope text, attachment contents, and AI prompts are never logged
  • Workspace isolation: All data is scoped to individual workspaces with server-side validation

Controller security responsibilities

As the controller, you are responsible for: maintaining the security of your account credentials and two-factor authentication methods; ensuring your client invite practices comply with applicable law; ensuring the lawfulness of content you upload or process through the platform; and promptly notifying CleverContracts of any suspected unauthorized access. Security incidents caused by user-side factors — such as leaked credentials, weak passwords, or misconfiguration outside CleverContracts' control — are outside CleverContracts' security obligations under this DPA.

10. Data subject requests

As the controller, you are responsible for responding to data subject requests (access, rectification, erasure, portability) from your clients regarding engagement content.

CleverContracts will assist you in responding to such requests, including by providing relevant data exports and by deleting data upon your instruction (via engagement deletion or account deletion). Engagement snapshot exports (PDF) and decision receipt exports are available self-service. For full structured data exports, CleverContracts will respond to requests within 30 days of receipt.

If a data subject contacts CleverContracts directly regarding engagement content, we will direct them to you as the controller and notify you of the request.

11. Breach notification

CleverContracts incidents

If CleverContracts becomes aware of a personal data breach affecting engagement content arising from CleverContracts' own systems, configurations, or actions (for example, application bugs, internal misconfigurations, or credential leaks within CleverContracts' control), we will notify you without undue delay and provide sufficient information to meet any obligation to report or inform data subjects under applicable data protection law. The notification will describe the nature of the breach, the categories and approximate number of records concerned, the likely consequences, and the measures taken or proposed to address the breach.

Google and subprocessor incidents

When CleverContracts receives a material “Data Incident” notice from Google or another sub-processor concerning engagement content — including notices relating to security incidents, new subprocessors, SCCs, or transfer safeguards — CleverContracts will forward such notices to the affected freelancer-controller without undue delay, where required and legally permitted. Google incidents are limited to breaches of Google-managed systems; Google will not issue notices for customer-caused issues such as leaked API keys, misconfigured Firestore rules, or client-side vulnerabilities.

12. Audit rights

You may request reasonable information about our data processing practices and security measures to verify compliance with this DPA. We will respond to such requests in a timely manner. On-site audits are not supported in the current version but may be considered on a case-by-case basis for material compliance concerns.

For Google-managed infrastructure (Firebase, Vertex AI), third-party compliance audits are satisfied by Google's industry certifications and audit reports (such as SOC 2 Type II and ISO 27001), available under NDA via Google. On-site audits of Google are not offered unless required by law, consistent with the Google Cloud CDPA (§7.4–7.5).

13. Term and termination

This DPA is effective for as long as you use CleverContracts and we process engagement content on your behalf. Upon termination of your account, we will delete engagement content as described in Section 8, subject to legally required retention.

Obligations under this DPA that by their nature should survive termination (including confidentiality, breach notification, and deletion obligations) will survive.