Clari Data Processing Addendum 2025

This Data Processing Addendum and its Annexes (the "DPA") forms part of the Clari Master Subscription Agreement (the "Agreement") between Clari Inc. (or one of its Subsidiaries, as applicable) (collectively, "Clari" or "Processor") and the party identified as "Customer" in the Agreement ("Customer" or "Controller") and reflects the parties' agreement with respect to the Processing of Personal Data by Clari as a processor on behalf of Customer in connection with the Services under the Agreement. In the event of any conflict or inconsistency with the terms of the Agreement in respect of the Processing of Personal Data, the terms of this DPA will supersede and control. This DPA is incorporated into and is subject to the terms of the Agreement. Any terms not defined in this DPA will have the meaning as set forth in the Agreement.

1) Definitions.

"Data Privacy Framework" means, as applicable, the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and/or the Swiss-U.S. Data Privacy Framework.

"Data Protection Laws" means any applicable laws and regulations in any relevant jurisdiction relating to the processing of Personal Data including, each to the extent applicable: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (the "EU GDPR") and the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR") (together, collectively, the "GDPR"); (ii) the Swiss Federal Act on Data Protection; (iii) the UK Data Protection Act 2018; (iv) the Privacy and Electronic Communications (EC Directive) Regulations 2003; (v) U.S. state comprehensive privacy laws, including but not limited to, the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 (the "CCPA"); in each case, as updated, amended or replaced from time to time. The terms "business purpose," "controller," "cross-contextual behavioral advertising," "processor," "Process" or "Processing," "sell," "share," "supervisory authority," or "targeted advertising" shall have the meanings set forth for those or equivalent terms under Data Protection Laws. For the avoidance of doubt, the terms "controller" and "processor" include "business" and "service provider," respectively, as defined in the CCPA.

"Instructions" means a direction, either in writing or in electronic form (e.g., by email or software), issued by Controller to Processor and directing Processor to process Personal Data.

"Personal Data" means any information relating to an identified or identifiable individual where such information is contained within Customer Data and constitutes "personal data," "personal information," or equivalent term under Data Protection Laws.

"Standard Contractual Clauses" (or "Clauses") means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the "EU SCCs"); and (ii) where the UK GDPR applies, the EU SCCs as amended by the UK Addendum (as defined below) (the "UK SCCs").

"Sub-Processor" means any third party engaged by Clari to process Personal Data in order to provide the Services under the Agreement.

"Subsidiaries" means any Clari subsidiary which adheres to this DPA, including but not limited to the following: Clari Software (Canada) Limited, Clari UK Limited, Clari Software Private Limited, Strings Systems Inc., or AIStrings Solutions Private Limited.

"UK Addendum" means the International Data Transfer Addendum to the European Commission's standard contractual clauses for international data transfers (issued by the UK Information Commissioner under S119A(1) of the UK Data Protection Act 2018).

2) Customer Obligations.

a) Compliance with Laws. Customer is responsible for complying with all Data Protection Laws with respect to its Processing of Personal Data. Customer is solely responsible for: (i) the accuracy, quality and legality of Personal Data and the means by which Customer acquired Personal Data; and (ii) ensuring that Customer's Instructions to Clari regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws. Customer will inform Clari without undue delay if Customer is not able to comply with its responsibilities under this DPA, including Data Protection Laws. Customer shall not provide or make available to Clari any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services.

b) Customer Instructions. The parties agree that the Agreement, together with Customer's use of the Services in accordance with the Agreement, constitute Customer's Instructions to Clari in relation to the Processing of Personal Data. The subject matter, nature, purpose, and duration of this Processing, as well as the types of Personal Data collected and categories of Data Subjects, are described in Annex 1 to this DPA.

3) Clari Obligations.

a) Compliance with Instructions. Clari will Process Personal Data only: (i) for the purposes described in the Agreement and this DPA; (ii) in accordance with any other reasonable Instructions provided by Customer in accordance with this DPA and the Agreement; and (iii) as required by Data Protection Laws or a supervisory authority. Clari shall immediately notify Customer if an instruction, in Clari's opinion, infringes Data Protection Laws or instructions of a supervisory authority.

b) Use of Personal Data. Clari shall not: (i) sell or share Personal Data; (ii) retain, use, or disclose Personal Data outside of Clari's direct business relationship with Customer or for any purpose other than for a business purpose under the CCPA on behalf of Customer or as necessary to perform the Services for Customer pursuant to the Agreement, except as otherwise permitted in the Agreement or by Data Protection Laws; and (iii) combine Personal Data received from, or on behalf of, Customer with Personal Data that it receives from, or on behalf of, another party or person, except as necessary to provide the Services or as otherwise instructed by Customer.

c) Security. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Clari will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Personal Data, as described in Annex 2 to this DPA.

d) Confidentiality. Clari will take commercially reasonable steps to: (i) ensure the reliability and appropriate training of any personnel whom Clari authorizes to Process Personal Data on Clari's behalf ("Authorized Personnel"); (ii) ensure that Authorized Personnel are subject to a confidentiality agreement that prevents the processing of Personal Data, both during and after their engagement by Clari, except in accordance with their obligations in connection with the Services; and (iii) limit access to Personal Data only to Authorized Personnel.

e) Personal Data Breaches. Clari will notify Customer without undue delay, but in no event more than seventy-two (72) hours, after Clari becomes aware of any Personal Data Breach and take such steps as Clari deems necessary and reasonable to remediate such Personal Data Breach. Clari's notification shall include (to the extent known): (i) the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects and the categories and approximate number of Personal Data records concerned; (ii) the name and contact details of the data protection officer or other contact point where more information can be obtained; (iii) the likely consequences of the Personal Data Breach; and (iv) the measures taken or proposed to be taken by Clari to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

f) Deletion or Return of Personal Data. Within ninety (90) days following the expiration or termination of the Subscription Term, Clari will return or delete the Personal Data, except as required to be retained by applicable laws. If return or destruction is impracticable or prohibited by law, rule or regulation, Clari shall take measures to block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control. If Customer and Clari have entered into Standard Contractual Clauses, the parties agree that the certification of deletion of Personal Data that is described in Clause 8.1(d) and Clause 8.5 of the EU SCCs (as applicable) shall be provided by Clari to Customer only upon Customer's request.

4) Data Subject Requests.

a) Taking into account the nature of the Services, Clari offers Customer controls that Customer can use to comply with its obligations to respond to requests from Data Subjects under Data Protection Laws ("Data Subject Requests"). Where a Data Subject Request is made directly to Clari, Clari will either advise the Data Subject to submit their request to Customer or forward that request to Customer. Customer will be responsible for responding to such request.

b) To the extent that Customer is unable to independently address a Data Subject Request through the Services, then upon Customer's written request Clari will provide reasonable assistance to Customer to respond to any Data Subject Requests relating to the Processing of Personal Data under the Agreement.

5) Sub-Processors.

a) Clari engages the Sub-Processors listed in Annex 3 of this DPA (the "List") to Process Personal Data on Customer's behalf in connection with the Services. The Sub-Processors included on the List as of the Effective Date are approved by Customer, constituting Customer's prior written consent to Clari's sub-processing of the Processing of Personal Data. If Clari intends to add a new Sub-Processor to the List after the Effective Date, it will provide written notice to Customer of such intention (via email). Customer will have thirty (30) days from such notice to object to the newly proposed Sub-Processor. Objection must be based on reasonable data protection grounds. If no objection is provided within such period, the Sub-Processor is deemed approved by Customer. If Customer provides an objection within such period, the parties will, for a period of ten (10) days after such objection, discuss the issue diligently and in good faith. If they cannot agree on a workaround or alternative within such period, Customer's sole remedy is to terminate the Agreement on written notice to Clari.

b) Clari will ensure that it imposes data protection terms on the Sub-Processors that provide a substantially similar level of protection for Personal Data as those set out in this DPA. Clari will remain responsible for each Sub-Processor's compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor to the same extent that Clari would itself be liable under this DPA had it conducted such acts or omissions.

6) Cross-Border Data Transfers.

a) Restricted Transfers. For the purposes of Processing Personal Data under the Agreement, Customer shall be regarded as the Controller, and Clari shall be regarded as the Processor. The parties agree that Clari and its Sub-Processors may make international transfers of Personal Data Processed under this DPA, including outside the EEA, the UK, or Switzerland as necessary to provide the Services, and in accordance with Data Protection Laws. To the extent Clari Processes any Customer Personal Data subject to the EU GDPR or UK GDPR under the Agreement, any such transfer will be subject to: (i) the Data Privacy Framework; or (ii) if the Data Privacy Framework is unavailable, the EU SCCs or UK SCCs, as applicable and as set forth under Section 6(b) and 6(d) below.

b) Transfers from the EEA. With respect to Customer Personal Data transferred from the European Economic Area ("EEA") pursuant to the Standard Contractual Clauses (if the Data Privacy Framework is unavailable), the EU SCCs incorporated herein shall apply, form part of this DPA, and take precedence over the rest of this DPA as set forth in the EU SCCs. They will be deemed completed as follows:

i) Where Customer is a data exporter and controller, and Clari is a data importer and processor, Module 2 shall apply. When Customer is a data exporter and processor, and Clari is a data importer and subprocessor, Module 3 shall apply.

ii) Clause 7, the "Docking Clause (Optional)", does not apply.

iii) Under Clause 9 (Use of sub-processors), the Parties select Option 2 (general written authorization), and the time period for prior notice of addition or replacement of Sub-Processors will be as set forth in Section 5(a) of this DPA.

iv) Under Clause 11 (Redress), the optional language does not apply.

v) Under Clause 17 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The Parties select the law of Ireland.

vi) Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland.

vii) Annexes I-III are set forth below as Annex 1-3.

viii) By entering into this DPA, the Parties are deemed to be signing the EU SCCs and its applicable Annexes.

c) Transfers from Switzerland. The Parties agree that transfers from Switzerland shall either be made pursuant to: (i) the Data Privacy Framework, or (ii) if the Data Privacy Framework is unavailable, the EU SCCs with the following modifications:

i) The terms "General Data Protection Regulation" or "Regulation (EU) 2016/679" as utilized in the EU SCCs shall be interpreted to include the Federal Act on Data Protection of 19 June 1992 (the "FADP," and as revised as of 25 September 2020, the "Revised FADP") with respect to data transfers subject to the FADP.

ii) The terms of the EU SCCs shall be interpreted to protect the data of legal entities until the effective date of the Revised FADP.

iii) Clause 13 of the EU SCCs is modified to provide that the Federal Data Protection and Information Commissioner ("FDPIC") of Switzerland shall have authority over data transfers governed by the FADP and the appropriate EU supervisory authority shall have authority over data transfers governed by the GDPR. Subject to the foregoing, all other requirements of Clause 13 shall be observed.

iv) The term "EU Member State" as utilized in the EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs.

d) Transfers from the UK. With respect to Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any EEA jurisdiction) governs the international nature of the transfer and a data transfer mechanism is required, such transfers shall be made pursuant to: (i) the Data Privacy Framework, or (ii) if the Data Privacy Framework is unavailable, the UK SCCs, which are deemed entered into and incorporated into this DPA by reference. Undefined capitalized terms used in this provision shall have the definitions set forth in the UK SCCs.

i) For transfers that implicate Personal Data subject only to the UK GDPR and not the EU GDPR, the UK International Data Transfer Agreement (the "UK Agreement"), template IDTA A.1.0 issued 2 February 2022, will be deemed executed. Where applicable, the UK Agreement shall be deemed completed as follows:

(1) Table 1 of the UK Agreement: (1) the Parties' details shall be the Parties and their Affiliates to the extent any of them is involved in such transfer, including those set forth in Annex 1; (2) the Key Contact shall be the contacts set forth in Annex 1; (3) the Parties will be deemed to execute the UK Agreement on the date of signature of this DPA.

(2) Table 2 of the UK Agreement: (1) The Parties select England and Wales to govern the UK Agreement and as the primary place for legal claims to be made; (2) where Customer is a controller, the Exporter/Controller box will apply. Where Customer is a processor, the Exporter/Processor box will apply. Clari shall be the Importer/Processor; (3) the UK GDPR shall apply to the Importer's Processing of the Transferred Data; (4) this DPA is a Linked Agreement; (5) Clari shall process data for the time period for which the Linked Agreement is in force; (6) the Parties cannot end the UK Agreement before the end of the term; (7) Clari may end the IDTA as set out in Section 29.2; (8) Clari may transfer on the Transferred Data in accordance with section 16.1 of the UK Agreement to the authorized receivers set out in Annex 3 and this DPA; (9) the Parties will review the Security Requirements each time there is a change to the Transferred Data, Purposes, Importer Information, TRA, or risk assessment.

(3) Table 3 of the UK Agreement: (1) the categories of Transferred Data and special category data will update automatically if the Linked Agreement is updated; (2) the Transferred Data includes the data set out in Annex 1; (3) the categories of data subjects will update automatically if the Linked Agreement is updated; and (4) Clari may Process Transferred Data for the purposes set out in this DPA.

(4) Table 4 of the UK Agreement: The Security Requirements set forth in Annex 2 shall apply.

(5) Parts 2 and 3 (optional) of the UK Agreement shall not apply.

(6) By entering into this DPA, the Parties are deemed to be signing the UK Agreement and its applicable Tables and Appendix Information.

ii) For transfers that implicate Personal Data subject to both the UK GDPR and EU GDPR, the UK Addendum, template Addendum B.1.0 issued 2 February 2022 will be deemed executed. Where applicable, the UK Addendum shall be deemed completed as follows:

(1) Table 1 of the UK Addendum: (1) The Parties' details shall be the Parties and their Affiliates to the extent any of them is involved in such transfer, including those set forth in Annex 1; (2) The Key Contact shall be the contacts set forth in Annex 1.

(2) Table 2 of the UK Addendum: The Approved EU SCCs referenced in Table 12 shall be the EU SCCs as executed by the Parties.

(3) Table 3 of the UK Addendum: Annex 1A, 1B, and II shall be set forth in Annex 1 and Annex 2 hereto.

(4) Table 4 of the UK Addendum: Clari may end this DPA as set out in Section 19 of the UK Addendum. By entering into this DPA, the Parties are deemed to be signing the UK Addendum and its applicable Tables and Appendix Information.

(5) By entering into this DPA, the Parties are deemed to be signing the UK Addendum and its applicable Tables and Appendix Information.

e) Statutory Revisions to the EU SCCs or UK SCCs. In the event that the EU GDPR or UK GDPR require the use of revised standard contractual clauses applicable to this DPA, such revised standard contractual clauses shall automatically be deemed to replace the EU SCCs and/or UK SCCs, as applicable, without the need for any further action, unless Clari otherwise informs Customer.

f) Data Protection Impact Assessments and Consultation with Supervisory Authorities. To the extent required by Data Protection Laws, Clari will provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with supervisory authorities.

7) Demonstration of Compliance and Audits.

a) Clari will maintain records sufficient to demonstrate its compliance with its obligations under this DPA and retain such records for a period of three (3) years after the expiration or termination of the Subscription Term ("Compliance Documentation"). Clari also uses external auditors to verify the adequacy of its security measures. This audit (a) will be performed at least annually; (b) will be performed according to ISO 27001 standards or substantially equivalent standards; (c) will be performed by independent third-party security professionals at Clari's selection and expense; and (d) will result in the generation of a confidential audit report ("Audit Report"). Upon Customer's request, no more than once per year, Clari will provide (on a confidential basis) Customer with a summary of the Compliance Documentation and Audit Reports so that Customer can verify Clari's compliance with this DPA.

b) To the extent Customer's audit requirements under the Standard Contractual Clauses or Data Protection Laws cannot reasonably be satisfied through Section 7(a) above, Customer may conduct an audit of Clari's systems and facilities solely to verify compliance with this DPA. Any such audit shall be conducted not more than once per calendar year and upon thirty (30) days' prior written notice to Clari. Customer agrees to exercise any such right only through use of an independent, accredited third-party audit firm that is reasonably acceptable to Clari. The audit will occur during Clari's regular business hours and shall not unreasonably interfere with Clari's business. The auditor(s) may be required to execute reasonable confidentiality obligations with Clari. Before the commencement of the audit, Customer and Clari will mutually agree upon the scope, timing, duration, control and evidence requirements for the audit, provided that this requirement to agree will not permit Clari to unreasonably delay performance of the audit. Customer will be responsible for the expenses of any such audits or inspections. If the audit report generated as a result of Customer's audit includes any finding of material non-compliance with this DPA, Customer will share such audit report with Clari and, after Clari's verification of the issue, Clari will promptly cure the non-compliance. If Customer and Clari have entered into Standard Contractual Clauses as described in Section 6 (Cross-Border Data Transfers), the Parties agree that the audits described in Clause 8.9 of the EU SCCs shall be carried out in accordance with this Section 7.

8) General.

a) Limitation of Liability. The limitations of liability contained in the Agreement shall apply to this DPA.

b) Governing Law. This DPA will be governed in accordance with the choice of jurisdiction stipulated in the Agreement, unless required otherwise by Data Protection Laws.

ANNEX 1 - Details of Processing

This Annex forms part of the DPA and Clauses and must be completed and signed by the Parties.

A. LIST OF PARTIES

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:

Customer may submit Personal Data in the course of using the Services, the extent of which is determined and controlled by Customer in Customer's sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects: individuals including Customer's end users, employees, agents, contractors, collaborators, prospects, suppliers and subcontractors.

Categories of personal data transferred:

Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in Customer's sole discretion, and which may include but is not limited to the following categories of Personal Data:

  • First and last name
  • Title/position
  • Employer
  • Contact information (company, email, phone, physical business address)
  • Login credentials
  • Communications and calendar information (including emails, business meeting information)
  • Technical usage and telecommunications data (including IP addresses of devices used to access the Services)
  • Sensory (audio) data (including call recordings, and transcriptions and analyses thereof)
  • Any other Personal Data submitted by, sent to, or received by Customer, or Customer's End Users, via the Services

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Data exporter may submit sensitive data to the data importer or the Services, the extent of which is determined and controlled by the data exporter.

The frequency of the transfer:

Personal Data will be Processed on a continuous basis.

Nature of the processing:

Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities:

  • Storage and other Processing necessary to provide, maintain and improve the Services provided to Customer; and/or
  • Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.

Purpose(s) of the data transfer and further processing:

Clari will Process Personal Data as necessary to provide the Services pursuant to the Agreement, as further specified in the Agreement, this DPA, and as further instructed by Customer in Customer's use of the Services.

The period for which the personal data will be retained:

Subject to the "Deletion or Return of Personal Data" section of this DPA, Clari will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing.

  • As per the "Purpose(s) of the data transfer and further processing" section above, Sub-Processors may Process Personal Data as necessary to provide the Services.
  • Subject to the terms of this DPA, the Sub-Processors may Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
  • Data importer may transfer Personal Data to its Sub-Processors in accordance with the DPA.
  • The subject matter, nature and location of the Processing of Personal Data by Sub-Processors is set forth in Annex 3 of this DPA.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13:

  • Where the data exporter is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as the competent supervisory authority.
  • Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as the competent supervisory authority.
  • Where the data exporter is not established in an EU Member State but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679, the Data Protection Commission (DPC) of Ireland shall act as the competent supervisory authority.

ANNEX 2 - Security Measures

See Clari Security Addendum: https://www.clari.com/security-addendum/

ANNEX 3 - List of Sub-Processors

Customer acknowledges and agrees that the third parties listed at the webpage URL: https://www.clari.com/gdpr/#sub-processors shall be deemed Sub-Processors that may Process Personal Data pursuant to this DPA.