Data Processing Addendum (DPA)

Last updated: May 7, 2026

This Data Processing Addendum (the "DPA") forms part of the agreement between Clevertrek (the "Processor") and the Customer (the "Controller") for the Service, where the Service involves the processing of Personal Data on behalf of the Customer (typically under the Team or Enterprise plans, or any plan where the Customer determines the purposes and means of processing of Personal Data of its own end users, employees, or contractors).

This DPA is incorporated by reference into the Terms of Service. In case of conflict between the Terms of Service and this DPA on a data-protection matter, this DPA prevails for that matter.

Clevertrek is operated by Fernando Beneitez Vela-Hidalgo (sole proprietor under Spanish law, NIF 75794423Q, Avenida del Hotel, 1, 15º, 08860 Castelldefels, Barcelona, Spain).

1. Definitions

In this DPA:

  • "Applicable Data Protection Law" means the GDPR (Regulation (EU) 2016/679), the Spanish LOPDGDD (Organic Law 3/2018), the ePrivacy Directive 2002/58/EC as transposed in Spain by Law 9/2014 (LGTel) and Law 34/2002 (LSSI-CE), and any other data-protection law applicable to the processing.

  • "GDPR" has the meaning given in Applicable Data Protection Law.

  • "Personal Data", "Processing", "Controller", "Processor", "Subprocessor", "Data Subject", "Personal Data Breach", and "Supervisory Authority" have the meanings given in the GDPR.

  • "Customer Personal Data" means Personal Data that is processed by Clevertrek on behalf of the Customer in connection with the Service.

  • "Subprocessor" means any third party engaged by Clevertrek to process Customer Personal Data on behalf of the Customer.

  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, or any successor instrument.

2. Subject Matter and Duration

2.1 The subject matter of the Processing is Clevertrek's provision of the Service to the Customer.

2.2 The duration of the Processing is the term of the Customer's subscription plus any post-termination period during which Clevertrek retains data in accordance with this DPA, the Terms of Service, or applicable law.

3. Nature and Purpose of Processing

3.1 Clevertrek will process Customer Personal Data only:

  • to provide the Service in accordance with the Customer's documented instructions;
  • to operate, secure, and maintain the Service;
  • to comply with applicable law.

3.2 The nature of Processing includes hosting, storage, structuring, retrieval, display, sharing among authorized users, transmission to third-party services chosen by the Customer (e.g., AI provider, MCP Connectors, Google APIs), backup, and deletion.

3.3 The purpose is to deliver the collaborative knowledge-management functionality described in the Terms of Service.

4. Categories of Data Subjects and Personal Data

Categories of Data Subjects (typical):

  • the Customer's employees, contractors, agents, and authorized users;
  • the Customer's clients, prospects, members, students, contacts, or other persons identified in the Customer's content.

Categories of Personal Data (typical):

  • identification data (name, username, email);
  • contact data;
  • professional data (role, organization);
  • content created by users (notes, links, comments);
  • usage data (logs, IP addresses);
  • where chosen by the Customer, AI Feature inputs and outputs.

The Customer is responsible for ensuring that the categories of Personal Data uploaded into the Service are appropriate for the Service and lawful under Applicable Data Protection Law. The Customer shall not upload special categories of Personal Data (Article 9 GDPR) unless strictly necessary and lawful, and shall inform Clevertrek when doing so.

5. Customer Instructions

5.1 The Customer hereby instructs Clevertrek to process Customer Personal Data:

  • as necessary to provide the Service in accordance with the Terms of Service;
  • as necessary to comply with applicable law;
  • as further documented in any agreed change order, configuration, or feature setting.

5.2 If Clevertrek considers that an instruction infringes Applicable Data Protection Law, it will inform the Customer without undue delay (Art. 28(3) last paragraph GDPR).

5.3 The Customer warrants that it has all necessary legal bases (consent, contract, legitimate interest, etc.) for the Processing of Customer Personal Data through the Service, including for transfers to third-party services chosen by the Customer.

6. Confidentiality of Personnel

6.1 Clevertrek will ensure that any persons authorized to process Customer Personal Data are bound by confidentiality (whether contractually or by statutory duty) and have received appropriate training on data protection and security.

7. Security Measures (Annex II)

7.1 Clevertrek implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account Article 32 GDPR.

7.2 Current measures include:

  • Encryption in transit using TLS for all communications between client and server;
  • Encryption at rest of sensitive secrets, including BYOK API keys (AES-256-CBC);
  • Access controls based on least-privilege principles, with admin actions auditable;
  • Authentication using industry-standard hashing of passwords;
  • Network and infrastructure security at the hosting provider's level;
  • Backups with regular testing and documented retention;
  • Logging and monitoring for unusual activity, abuse, and security events;
  • Software-update discipline, dependency monitoring, and prompt patching of known vulnerabilities;
  • Separation of customer data by Workspace and permission scope;
  • Incident response procedures for the detection, containment, eradication, and notification of security incidents;
  • Vendor management: subprocessors are selected and monitored under contractual data-protection commitments.

7.3 Clevertrek may update its security measures over time. Updates will not materially decrease the level of security.

8. Subprocessors (Annex III)

8.1 The Customer authorizes Clevertrek to engage Subprocessors to process Customer Personal Data, subject to this Section.

8.2 The current list of Subprocessors includes the following categories. A current detailed list is available on request:

  • Hosting and infrastructure provider (for hosting of the WordPress application, database, and storage);
  • Stripe Payments Europe, Ltd. (payment processing);
  • Anthropic, PBC (AI Features, where not in BYOK mode);
  • Google LLC / Google Ireland Limited (Google API integrations the Customer or its users have authorized);
  • Email-delivery provider(s) (transactional and consent-based email);
  • Error-monitoring and analytics providers;
  • Any additional provider(s) reasonably required to operate the Service.

8.3 Clevertrek imposes data-protection obligations on each Subprocessor that are no less protective than this DPA.

8.4 Clevertrek will provide the Customer with prior notice of the addition or replacement of Subprocessors. The Customer may object to a new Subprocessor on reasonable data-protection grounds within fifteen (15) days of the notice. If the parties cannot resolve the objection, the Customer may terminate the affected portion of the Service for cause and obtain a pro-rata refund of prepaid fees for the unused term.

8.5 Clevertrek remains responsible to the Customer for the Processing carried out by its Subprocessors in accordance with Article 28(4) GDPR.

9. Data Subject Rights Assistance

9.1 Clevertrek will, taking into account the nature of the Processing, assist the Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling the Customer's obligation to respond to requests for exercising Data Subjects' rights under Chapter III of the GDPR.

9.2 Where Clevertrek receives a Data Subject request directly relating to Customer Personal Data, Clevertrek will, where lawful, redirect the Data Subject to the Customer or notify the Customer.

10. Personal Data Breach Notification

10.1 Clevertrek will notify the Customer of a Personal Data Breach affecting Customer Personal Data without undue delay after becoming aware of it.

10.2 The notification will include, to the extent known at the time, the information set out in Article 33(3) GDPR, including the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed.

10.3 Clevertrek will provide reasonable assistance to the Customer in connection with the Customer's notification obligations to the Supervisory Authority and to Data Subjects under Articles 33 and 34 GDPR.

11. Data Protection Impact Assessments and Prior Consultation

11.1 Where required by Article 35 GDPR, Clevertrek will, taking into account the nature of the Processing and the information available to it, provide reasonable assistance to the Customer with data-protection impact assessments and prior consultations with Supervisory Authorities.

12. Audits and Inspections

12.1 Clevertrek will make available to the Customer, on reasonable request, the information necessary to demonstrate compliance with this DPA and Article 28 GDPR.

12.2 Where the Customer reasonably considers that the information so provided is insufficient, Clevertrek will allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, subject to the following:

  • audits are limited to once per twelve (12) months, except where required by a Supervisory Authority or following a Personal Data Breach;
  • audits are conducted during normal business hours, with at least thirty (30) days' prior notice, with appropriate confidentiality undertakings;
  • the auditor must not be a competitor of Clevertrek;
  • the Customer bears its own costs and the reasonable costs of Clevertrek for the audit, except where the audit reveals a material breach of this DPA, in which case the Customer's reasonable costs may be borne by Clevertrek.

13. International Data Transfers and Standard Contractual Clauses (Annex IV)

13.1 Clevertrek processes Customer Personal Data primarily within the European Economic Area (EEA). Some Subprocessors may process Customer Personal Data outside the EEA, including in the United States.

13.2 Where transfers occur to a country not benefiting from an adequacy decision under Article 45 GDPR, the parties rely on the Standard Contractual Clauses (Module 2: Controller to Processor, or Module 3: Processor to Subprocessor, as applicable), which are incorporated by reference into this DPA, supplemented as required by transfer impact assessments and additional safeguards.

13.3 For transfers to the United States, Clevertrek prefers Subprocessors certified under the EU–U.S. Data Privacy Framework (DPF), where available.

13.4 The parties will cooperate in good faith to maintain appropriate transfer safeguards.

14. Return and Deletion of Data

14.1 Upon termination of the Service, Clevertrek will, at the Customer's choice, return or delete Customer Personal Data, except where Union or Member State law requires retention.

14.2 The Customer is responsible for exporting its data within the grace period set out in the Terms of Service. After this period, Clevertrek may delete Customer Personal Data in line with its standard deletion practices.

14.3 Backup copies will be deleted in accordance with the standard backup-rotation cycle, after which they are permanently removed.

15. Liability

15.1 The liability of each party under this DPA is subject to the limitations of liability set out in the Terms of Service, except as required by Article 82 GDPR.

15.2 Each party remains liable for its own non-compliance with Applicable Data Protection Law.

16. Order of Precedence; Miscellaneous

16.1 In case of conflict between this DPA and the Terms of Service on data-protection matters, this DPA prevails.

16.2 In case of conflict between this DPA and the Standard Contractual Clauses on transfer matters, the Standard Contractual Clauses prevail.

16.3 This DPA is governed by Spanish law, and the courts of Barcelona, Spain, shall have exclusive jurisdiction in respect of disputes between the parties (without prejudice to the rights of Data Subjects under Applicable Data Protection Law).

17. Annexes

The following annexes are part of this DPA and are updated by Clevertrek as needed:

  • Annex I — Description of Processing (categories of Data Subjects, categories of Personal Data, nature and purpose of Processing, duration);
  • Annex II — Technical and Organizational Measures (Section 7 above);
  • Annex III — List of Subprocessors (categories listed in Section 8; current detailed list available on request);
  • Annex IV — Standard Contractual Clauses for international transfers, where applicable.

18. Contact

For DPA matters, contact:

Clevertrek (Fernando Beneitez Vela-Hidalgo, sole proprietor, NIF 75794423Q)
Avenida del Hotel, 1, 15º
08860 Castelldefels, Barcelona, Spain
Email: privacy@clevertrek.com / legal@clevertrek.com