Data Processing Agreement

Last updated: April 7, 2026

GDPR Art. 28 DPA: This agreement is automatically in effect for all customers using Clawshift as a data processor. No signature required for standard terms.

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

  • Data Controller: You, the customer ("Controller")
  • Data Processor: Clawshift, operating as a processor on your behalf ("Processor")

2. Subject Matter & Duration

This DPA governs the processing of personal data by Clawshift on behalf of the Controller for the purpose of providing the Clawshift Agent Platform. The DPA remains in effect for the duration of the service agreement.

3. Nature & Purpose of Processing

Type of data processed:

Email content, contact information, CRM data, calendar data, and other business data you connect to Clawshift Agents via integrations.

Categories of data subjects:

Your customers, prospects, employees, and business contacts.

Purpose:

Delivering AI agent services as described in the Terms of Service, including email management, lead tracking, social media management, and operations support.

4. Processor Obligations

Clawshift as Processor shall:

  • Process data only on documented instructions from the Controller (you)
  • Ensure persons authorized to process data are bound by confidentiality
  • Implement appropriate technical and organizational security measures (Art. 32 GDPR)
  • Not engage sub-processors without prior written consent (see Sub-Processors list below)
  • Assist the Controller in fulfilling data subject rights requests
  • Delete or return all personal data upon termination of services
  • Provide information necessary to demonstrate compliance with this DPA

5. Sub-Processors

By accepting this DPA, you authorize use of the following sub-processors. We will notify you 14 days before adding new sub-processors.

Sub-Processor         Purpose                    Location
Hetzner Online GmbH   Infrastructure / hosting   Germany / Finland
Anthropic             AI model inference         EU (SCCs apply)
Stripe Inc.           Payment processing         EU (SCCs apply)
Resend / Loops        Transactional email        EU (SCCs apply)

6. Security Measures

We implement the following technical and organizational measures:

  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Access control with role-based permissions and MFA
  • Regular security audits and penetration testing
  • Automated anomaly detection and incident response
  • Data minimization — we only process what's needed
  • Tenant isolation — your data is never mixed with other customers

7. Data Breaches

We will notify you without undue delay (within 72 hours where feasible) upon becoming aware of a personal data breach affecting your data, as required by GDPR Art. 33-34.

8. International Transfers

Data is primarily processed within the EU/EEA. Where sub-processors are located outside the EU, we rely on EU Standard Contractual Clauses (SCCs) as the legal transfer mechanism.

9. Custom DPA

Enterprise customers requiring a custom-signed DPA may request one at [email protected].