ClausePilot Data Processing Agreement
Last updated 23 April 2026.
This Data Processing Agreement ("DPA") forms part of the Terms and Conditions and Privacy Policy (collectively, the "Agreement") between:
ClausePilot Korlátolt Felelősségű Társaság (registration number: Cg.01-09-454891; registered seat: 1163 Budapest, Karát utca 33., Hungary), ("Processor" or "ClausePilot")
and
The User, being the individual or entity that has registered for and uses the ClausePilot Platform ("Controller")
(each a "party" and together the "parties").
1. DEFINITIONS AND INTERPRETATION
1.1
In this DPA, the following terms shall have the meanings set out below:
"Applicable Data Protection Law" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR");
"Controller" has the meaning given to it in Article 4(7) of the GDPR;
"Controller Personal Data" means any Personal Data Processed by the Processor on behalf of the Controller pursuant to or in connection with the Agreement;
"Personal Data" has the meaning given to it in Article 4(1) of the GDPR;
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Controller Personal Data;
"Process/Processing" has the meaning given to it in Article 4(2) of the GDPR;
"Processor" has the meaning given to it in Article 4(8) of the GDPR;
"Sub-processor" means any Processor engaged by ClausePilot to Process Controller Personal Data;
"User-Generated Content" means any documents, contracts, drafts, clauses, templates, text, data, information, or other materials that are uploaded, input, created, modified, stored, or otherwise processed by Controller through the Platform, which may contain Personal Data.
1.2
The terms, "data subject", "supervisory authority", "special categories of personal data", and "transfer" shall have the meanings ascribed to them in the GDPR.
2. PROCESSING OF CONTROLLER PERSONAL DATA
2.1 Role of the Parties
The parties acknowledge and agree that with regard to the Processing of User-Generated Content that contains Personal Data, the Controller is the Controller and ClausePilot is the Processor.
2.2 Controller Responsibilities
The Controller represents and warrants that:
- its Processing of Personal Data and its instructions to the Processor comply with Applicable Data Protection Law;
- it has provided all necessary notices to and obtained all necessary consents from data subjects as required by Applicable Data Protection Law for the Processor to Process the Controller Personal Data as contemplated by the Agreement;
- it is responsible for the accuracy, quality, and legality of Controller Personal Data and the means by which it acquired the Personal Data.
2.3 Processor Processing
The Processor shall Process Controller Personal Data only:
- for the purposes set forth in the Agreement and this DPA, or as otherwise instructed by the Controller in writing;
- in accordance with the documented instructions from the Controller (which may be specific or general in nature), including with regard to transfers of Controller Personal Data to a third country, unless such Processing is required by EU or Member State law to which the Processor is subject, in which case the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
2.4 Details of Processing
Appendix 1 to this DPA sets out certain information regarding the Processing of Controller Personal Data as required by Article 28(3) of the GDPR.
3. PROCESSOR PERSONNEL
3.1 Confidentiality
The Processor shall ensure that its personnel engaged in the Processing of Controller Personal Data are informed of the confidential nature of the Controller Personal Data, have received appropriate training, and have executed written confidentiality agreements.
3.2 Limitation of Access
The Processor shall ensure that access to Controller Personal Data is limited to those personnel who require such access to perform the Agreement.
4. SECURITY
4.1 Implementation of Measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:
- the pseudonymization and encryption of Controller Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to Controller Personal Data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
4.2 Security Assessment
In assessing the appropriate level of security, the Processor shall take account of the risks that are presented by Processing, in particular from a Personal Data Breach.
4.3 Legal Professionals' Requirements
The Processor acknowledges that the Controller may be a legal professional subject to professional confidentiality obligations and shall implement additional security measures as detailed in ClausePilot’s Security Policy to protect privileged and confidential legal documents.
5. SUB-PROCESSING
5.1 General Authorization
The Controller hereby provides a general authorization to the Processor to engage Sub-processors, subject to the requirements of this Section 5.
5.2 Current Sub-processors
The Processor may continue to use those Sub-processors already engaged by the Processor as of the date of this DPA, i.e. the third-party API providers listed in Appendix 2 of this Data Processing Agreement.
5.3 New Sub-processors
The Processor shall:
- provide the Controller with notice of the addition or replacement of any Sub-processor ("Sub-processor Notice");
- ensure that each Sub-processor is subject to written contractual terms which offer at least the same level of protection for Controller Personal Data as those set out in this DPA; and
- remain fully liable to the Controller for the performance of that Sub-processor's obligations.
5.4 Objection Right
The Controller may object to the Processor's use of a new Sub-processor by notifying the Processor in writing within thirty (30) days of receipt of the Sub-processor Notice. In the event the Controller objects to a new Sub-processor, the Processor shall use reasonable efforts to make available to the Controller a change in the Services or recommend a commercially reasonable change to the Controller's use of the Services to avoid Processing of Controller Personal Data by the objected-to new Sub-processor without unreasonably burdening the Controller. If the Processor is unable to make available such change within a reasonable period of time (not to exceed thirty (30) days), the Controller may terminate the Agreement with respect to those Services which cannot be provided by the Processor without the use of the objected-to new Sub-processor by providing written notice to the Processor.
6. DATA SUBJECT RIGHTS
6.1 Data Subject Requests
The Processor shall, to the extent legally permitted, promptly notify the Controller if it receives a request from a data subject to exercise the data subject's rights under Applicable Data Protection Law regarding Controller Personal Data ("Data Subject Request").
6.2 Controller Responsibility
The Controller shall be responsible for responding to all Data Subject Requests. The Processor shall provide the Controller with commercially reasonable assistance to enable the Controller to respond to such Data Subject Requests.
7. PERSONAL DATA BREACH
7.1 Breach Notification
The Processor shall notify the Controller without undue delay upon becoming aware of a Personal Data Breach affecting Controller Personal Data, providing the Controller with sufficient information to allow the Controller to meet any obligations to report or inform data subjects or supervisory authorities of the Personal Data Breach under Applicable Data Protection Law.
7.2 Breach Information
The notification referred to in Section 7.1 shall at least:
- describe the nature of the Personal Data Breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
- communicate the name and contact details of the Processor's privacy lead or other contact point where more information can be obtained;
- describe the likely consequences of the Personal Data Breach; and
- describe the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
7.3 Assistance to Controller
The Processor shall cooperate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each Personal Data Breach.
8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with supervisory authorities, which the Controller reasonably considers to be required by Article 35 or 36 of the GDPR, in each case solely in relation to Processing of Controller Personal Data by, and taking into account the nature of the Processing and information available to, the Processor.
9. DELETION OR RETURN OF CONTROLLER PERSONAL DATA
9.1 Deletion or Return
The Processor shall, at the Controller's election, delete or return all Controller Personal Data to the Controller upon termination or expiration of the Agreement, and delete existing copies except as detailed in our Privacy Policy retention table.
9.2 User Vault Content
The Controller may, at any time during the term of the Agreement, directly delete any Controller Personal Data stored in the Controller's vault on the Platform, and such deletion shall take immediate effect in the live systems and be propagated to backups as described in the Privacy Policy.
10. AUDIT RIGHTS
10.1 Audit Information
The Processor shall make available to the Controller, upon request, all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller for the purpose of compliance verification.
10.2 Confidentiality
Any information and audit rights granted under this DPA are subject to any confidentiality obligations under the Agreement and the Processor's internal policies and procedures.
11. INTERNATIONAL TRANSFERS
11.1 Restriction on Transfers
The Processor shall not transfer Controller Personal Data outside the European Economic Area (EEA) except as expressly authorized by the Controller in writing, which shall be granted with respect to the API providers listed in Appendix 2. Data transfers to the API providers listed in Appendix 2 are subject to strict zero data retention obligations by the API providers.
11.2 Transfer Mechanisms
To the extent the Processor is authorized to transfer Controller Personal Data outside the EEA, it shall ensure that an appropriate transfer mechanism is in place, as detailed in the Privacy Policy.
12. LEGAL PROFESSIONAL CONSIDERATIONS
12.1 Preservation of Privilege
The Processor acknowledges that the Controller may be a legal professional subject to legal professional privilege and other professional obligations. The Processor shall implement measures to preserve and protect legal professional privilege as detailed in ClausePilot’s Security Policy.
12.2 Confidentiality of Legal Documents
The Processor shall treat all User-Generated Content as confidential information and shall not access, use, or disclose such content except as necessary to provide the Services or as expressly permitted by the Controller.
13. API PROVIDERS
13.1 API Processing
When the Controller uses AI-powered features of the Platform, the Processor may transmit Controller Personal Data to third-party API providers (acting as Sub-processors) strictly for the purpose of delivering the requested AI-powered service.
13.2 API Provider Safeguards
The Processor has implemented the safeguards for all API provider processing as detailed in the Security Policy.
14. GENERAL TERMS
14.1 Conflict
In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict or inconsistency with regard to the Processing of Controller Personal Data.
14.2 Changes in Data Protection Laws
The parties agree to negotiate in good faith to amend this DPA if necessary to comply with any changes in Applicable Data Protection Law.
14.3 Severance
Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
15. GOVERNING LAW AND JURISDICTION
This DPA shall be governed by and construed in accordance with the laws of Hungary, and the parties submit to the exclusive jurisdiction of the courts of Hungary for any disputes arising out of or in connection with this DPA.
APPENDIX 1: DETAILS OF PROCESSING
Nature and Purpose of Processing:
- Processing necessary to provide the AI-powered contract drafting, review, and analysis platform and related services pursuant to the Agreement, including:
- Storage and management of documents uploaded by the Controller
- Analysis of documents to provide insights, suggestions, and drafting assistance
- Processing text input through the integrated text editor
- AI-powered document drafting, review, and clause suggestions
- Processing of document content submitted by the Controller through the online text editor.
Duration of Processing:
The Processing shall continue for the duration of the Agreement. Following the end of the Agreement, the Processor shall delete or return all Controller Personal Data in accordance with Section 9 of this DPA.
Categories of Data Subjects:
The Controller Personal Data transferred may concern the following categories of data subjects:
- Individuals whose personal data is contained in User-Generated Content
Categories of Personal Data:
The Controller Personal Data transferred may concern the following categories of data:
- Personal data contained in User-Generated Content uploaded or created by the Controller
Special Categories of Personal Data (if applicable):
The Controller Personal Data transferred may concern the following special categories of data:
- Any special categories of personal data contained in User-Generated Content uploaded or created by the Controller
Processing Operations:
The Controller Personal Data shall be subject to the following basic processing activities:
- Collection and storage
- Analysis and automated processing
- Retrieval and consultation
- Use for providing AI-powered contract drafting and analysis
- Deletion or return upon Controller request
APPENDIX 2: Approved Sub-processors
| # | Sub-processor | Location | Service | Transfer tool | TOM reference |
|---|---|---|---|---|---|
| 1 | Amazon Web Services EMEA SARL | EU (Ireland, Frankfurt) | Hosting/IaaS | N/A | §2 Security Policy |
| 2 | Mixpanel Inc. | United States | Product analytics | DPF / SCCs M2 | §4 Security Policy |
| 3 | Hotjar Ltd. | Ireland | Behaviour analytics | N/A | §4 |
| 4 | Stripe Payments Europe Ltd. | Ireland/United States | Payment processing | SCCs M2 | §4 |
| 5 | OpenAI L.L.C. | United States | LLM API | SCCs M2 | §4.4 |
| 6 | Anthropic PBC | United States | LLM API | SCCs M2 | §4.4 |
| 7 | Perplexity AI Inc. | United States | LLM API | SCCs M2 | §4.4 |
| 8 | Voyager Labs Ltd. | United States | LLM API | SCCs M2 | §4.4 |
| 9 | Cookiebot A/S | Denmark | Consent platform | N/A | §4 |
| 10 | Google Ireland Ltd. | United States | LLM API | DPF / SCCs M2 | §4.4 |
| 11 | Google Ireland Ltd. | United States | User authentication | DPF / SCCs M2 | §5 Security Policy |
| 12 | HubSpot, Inc. | United States | Customer Relationship Management (CRM), Email and marketing | DPF / SCCs M2 | §10 Security Policy |