01 Parties & roles
This DPA is between you (the Controller) and Claver at 200 SE 1st St, Suite 500, Miami, FL 33131 (the Processor). For end-customer data inside your workspace, you decide what's processed and why. We follow your instructions and these terms.
02 What we process
| Item | Description |
|---|---|
| Subject matter | Hosting and processing the data you upload to Claver to deliver the field-service-management platform. |
| Duration | Length of your subscription, plus the wind-down period in Privacy §08. |
| Nature & purpose | Storage, retrieval, transmission, search, deletion, backup; sending SMS/email on your behalf; processing payments on your behalf via Stripe Connect. |
| Data subjects | Your employees and contractors. Your end-customers (homeowners, businesses). People who interact with your workspace (booking-form leads, SMS replies). |
| Categories | Identifiers, contact info, address, scheduling, job/quote/invoice content, photos, signatures, GPS arrival data, communications, payment metadata. |
| Special categories | None requested or expected. Don't enter health, biometric, racial, religious, or sexual-orientation data into customer notes. |
03 Instructions
We process personal data only on your documented instructions, which are: the Terms, this DPA, and what you do inside the app. We'll tell you if an instruction looks like it would break GDPR or another data-protection law, and we won't comply with it until you fix it.
04 Confidentiality
Everyone at Claver with access to your data is under a written confidentiality obligation. Background checks for new hires touching production. Access is least-privilege and audited.
05 Security measures
The technical and organizational measures (Article 32 GDPR) are listed in Annex II below. We can update them, but not in a way that materially weakens the protection in place at the start of your subscription.
06 Sub-processors
You give us general authorization to engage sub-processors. The current list is at /sub-processors. We'll post additions there at least 30 days before they go live. If you object on reasonable grounds you can email [email protected]; if we can't accommodate, you can terminate the affected portion of the Service for a pro-rated refund.
Each sub-processor is bound by terms at least as protective as this DPA. We stay liable to you for what they do.
07 Data-subject requests
If a data subject contacts us, we'll route them to you. We give you the tools (export, search, delete) to handle access, correction, deletion, restriction, and portability inside Claver. If you need help, email [email protected] and we'll respond within 5 business days.
08 Personal-data breaches
If we learn of a personal-data breach affecting your data, we'll notify you without undue delay and in any case within 72 hours of confirmation. The notice will include: nature of the breach, categories and approximate number of records affected, likely consequences, and the measures taken or proposed.
09 Audits
You can audit our compliance once per year during business hours, with 30 days' written notice, and not in a way that disrupts the service or compromises other customers. Most customers' needs are met by our annual SOC 2 Type II report (available under NDA) plus the security pages at /security. On-site audits at our facilities are by appointment.
10 International transfers
For transfers from the EEA, the EU Standard Contractual Clauses (Module 2) dated 4 June 2021 are incorporated by reference and apply between Claver as data importer and you as data exporter. For UK transfers, the UK International Data Transfer Addendum applies. For Switzerland, the SCCs apply with the modifications outlined by the FDPIC.
The clauses' optional terms: Clause 7 docking — yes; Clause 9 sub-processor authorization — option 2 (general, with 30-day notice); Clause 11 redress — no independent dispute resolution; Clause 17 governing law — Ireland; Clause 18 forum — Ireland.
11 California — service-provider terms
For California residents, Claver is a "service provider" under the CCPA/CPRA. We:
- only process personal info to provide the Service to you (the "business purpose");
- don't sell or share personal info;
- don't combine personal info we get from you with info from other sources for our own purposes;
- certify that we understand and will comply with these restrictions.
12 Return & deletion
On termination, you can export everything for 30 days from Settings → Data Export. After that, we delete it within 90 days, except backups (rotated within 35 days) and records we must keep for legal reasons (e.g., 7-year billing records).
13 Liability
The liability cap and exclusions in the Terms apply to this DPA. The cap covers all claims arising from a series of related events.
14 Order of precedence
If this DPA conflicts with the SCCs, the SCCs win. If this DPA conflicts with the Terms, this DPA wins. Otherwise the Terms govern.
A1 Annex I — Description of processing
See §02 above (subject matter, duration, nature, purpose, categories, data subjects). Frequency: continuous. Competent supervisory authority for SCC purposes: the lead authority of your primary establishment, or — if none in the EEA — the Irish Data Protection Commission.
A2 Annex II — Technical & organizational measures
- Encryption. TLS 1.2+ in transit. AES-256 at rest. Database backups encrypted with separate keys.
- Access control. SSO + MFA mandatory for all Claver staff. Production access limited to a named on-call list. Logged and reviewed.
- Network. WAF + DDoS mitigation. Rate limiting on auth endpoints. Internal services on private subnets.
- Application security. Dependency scanning on every commit. Annual third-party penetration test. Secure SDLC with code review.
- Data isolation. Each tenant's data tagged with a tenant_id; row-level security enforced at the database.
- Backups. Daily encrypted backups, 35-day retention, restore drills quarterly.
- Incident response. Documented runbook. 24/7 on-call rotation. 72-hour breach-notification SLA.
- Personnel. Background checks, written confidentiality, annual security training.
- Vendor management. Each sub-processor reviewed before onboarding; terms at least as strict as this DPA.
- Audits & certifications. SOC 2 Type II audit underway (target completion: 2026 Q4). Available under NDA when ready.