Data Processing Agreement
The Claresia DPA is published, pre-signed by Claresia, and ready to counter-sign. It applies to every customer regardless of region or deployment mode and is compatible with EU Standard Contractual Clauses, the EU-US Data Privacy Framework, and the UK International Data Transfer Addendum.
EU + UK + US ready
SCC Module 2 (controller-to-processor) and Module 3 (processor-to-sub-processor) included. UK IDTA addendum executable in same envelope.
Schrems II safeguards
Supplementary technical measures documented in Annex II — encryption keys customer-controlled in Mode B/C, no plaintext data in any third-country transfer.
5-day legal SLA
Standard turnaround for bilateral redlines is 5 business days. Counter-signing the as-is template is same-day.
DPA artifacts
- Claresia DPA v1.2PDF
Master DPA template — counter-signable as-is. SCC Module 2 + Module 3 selectable. UK IDTA addendum included.
Updated 2026-03-20
- Security Annex (Annex II)PDF
Technical and Organisational Measures aligned to ISO 27001 Annex A controls.
Updated 2026-03-20
- Sub-processor Flow-Down ScheduleHTML
Annex IV — list of authorised sub-processors with role, region, data category, applicable safeguards.
Updated 2026-04-30
- NIS2 Vendor Due-Diligence PackPDF
Available on request for Mode B and Mode C deployments handling PHI.
Updated Q3 2026
Sub-processor change notifications
Per the DPA, Claresia notifies customers at least 30 days before any new sub-processor begins processing customer data. Subscribe to receive the notification by email — you can object to a new sub-processor before activation per Section 9.4 of the DPA.
- New sub-processor additions
- Region changes for existing sub-processors
- Data-category scope changes
- Sub-processor removals