Data Processing Agreement (DPA)
Version effective as of 2026-04-14. This agreement governs the processing of engagement content by CleverContracts on behalf of freelancer users.
For engagement content (scope text, terms, messages, file attachments, change items, time entries, and client identifiers in that context), the freelancer user (“you”) is the controller and CleverContracts (operated by Lionel Wermelinger and Fynn Auerbach) is the processor.
For account, billing, and security operations, CleverContracts acts as a controller as described in the Privacy Policy. This DPA covers only the processor relationship for engagement content.
CleverContracts processes engagement content solely to provide the service as described in the Terms of Service. This includes:
- Storing and displaying engagement records (scope, terms, changes, messages)
- Enabling client portal access (verify-to-view) for review and approvals
- Generating exports, receipts, and snapshots
- Sending transactional emails (invitations, approval reminders, OTP codes)
- Operating security and abuse-prevention controls (rate limiting, content moderation)
- Enforcing retention rules (automatic redaction of expired content per the retention summary)
Data categories processed:
- Engagement scope and terms text (versioned)
- Messages and structured change requests
- File attachments and associated metadata
- Change items with approval/decline receipts (typed name, decision, timestamp)
- Time entries (date, duration, description)
- Client contact identifiers used to invite and attribute participation (email, display name)
- Client notes (private freelancer notes about a client)
Data subjects:
- Clients of the freelancer (invited to the portal or referenced in engagement content)
- Any individuals whose personal data appears in freelancer-created content (scope text, messages, notes)
CleverContracts processes engagement content solely for the purpose of providing the service. We do not:
- Use engagement content for our own marketing or advertising
- Use engagement content to train AI models
- Sell or rent engagement content to third parties
- Access engagement content except as needed to provide the service, enforce security, or comply with legal obligations
When you enable AI features and use them on an engagement, engagement content (scope, messages, changes) is sent to a third-party AI provider (xAI / Grok or Google / Vertex AI Gemini) for processing. This processing occurs only when you explicitly trigger an AI action.
The content sent is truncated (maximum 4,000 characters per message, maximum 50 messages per request) and is processed ephemerally. For xAI, the `store: false` flag is set; data is deleted within 30 days per xAI's enterprise terms. No customer data is used for model training by any AI provider.
AI features are opt-in and off by default. Enabling AI requires two-factor authentication step-up. You can disable AI at any time. See the AI Policy for full details.
CleverContracts uses the following sub-processors to provide the service. These providers process data only to deliver their respective services.
| Sub-processor | Service | Country | Safeguard |
|---|---|---|---|
| Google / Firebase | Database, file storage, authentication | USA | EU-US DPF + SCCs |
| xAI (Grok) | AI processing (opt-in) | USA | SCCs |
| Google / Vertex AI | AI processing (opt-in) | USA | EU-US DPF + SCCs |
| Vercel | Hosting, edge functions, KV store | USA / Global | SCCs |
| Upstash | Rate limiting (Redis) | USA / EU | SCCs |
| Resend | Email delivery (landing) | USA | SCCs |
Stripe, Inc. processes the Controller's own billing data (email, workspace metadata) under the Privacy Policy as a separate controller-processor relationship. Stripe does not process end-client personal data under this DPA.
We will inform you of any intended changes to sub-processors by updating this page. We ensure that sub-processors are bound by data protection obligations no less protective than those in this DPA.
Engagement content may be transferred to and processed in Switzerland, the EEA, and the United States.
For transfers to countries without an adequate level of data protection, we rely on the EU-US Data Privacy Framework (where applicable) and the European Commission's Standard Contractual Clauses (SCCs) as safeguards.
Engagement content is retained and deleted according to the periods described in the data retention summary. In brief:
- Message bodies are redacted after 18 months (placeholder retained)
- File attachments are deleted after 6 months (metadata placeholder retained)
- Durable records (approvals, scope versions) persist until engagement or account deletion
When you delete an engagement, all associated content is deleted promptly. When you delete your account, all workspace data (including all engagements) is deleted promptly. We implement the 10-year retention obligation for accounting records through a combination of automated and manual processes. Accounting records subject to the 10-year retention period (Swiss OR Art. 958f) are preserved separately from the regular account deletion process.
CleverContracts implements the following technical and organizational measures to protect engagement content:
- Encryption in transit: HTTPS/TLS for all web traffic
- Encryption at rest: AES-256 via Google Cloud default encryption
- Server-mediated access: All database access through server-side API routes; no direct client-side database access
- Session security: HttpOnly, Secure, SameSite cookies; CSRF double-submit protection
- 2FA and step-up: TOTP and WebAuthn passkeys for freelancers; required for high-trust actions
- Rate limiting: Redis-based rate limiting for APIs, OTP attempts, and file uploads
- Input validation: Schema validation (Zod) for all API inputs
- No PII in logs: Message bodies, scope text, attachment contents, and AI prompts are never logged
- Workspace isolation: All data is scoped to individual workspaces with server-side validation
As the controller, you are responsible for responding to data subject requests (access, rectification, erasure, portability) from your clients regarding engagement content.
CleverContracts will assist you in responding to such requests, including by providing relevant data exports and by deleting data upon your instruction (via engagement deletion or account deletion).
If a data subject contacts CleverContracts directly regarding engagement content, we will direct them to you as the controller and notify you of the request.
If we become aware of a personal data breach affecting engagement content, we will notify you without undue delay and provide you with sufficient information to meet any obligation to report or inform data subjects under applicable data protection law.
The notification will describe the nature of the breach, the categories and approximate number of records concerned, the likely consequences, and the measures taken or proposed to address the breach.
You may request reasonable information about our data processing practices and security measures to verify compliance with this DPA. We will respond to such requests in a timely manner. On-site audits are not supported in the current version but may be considered on a case-by-case basis for material compliance concerns.
This DPA is effective for as long as you use CleverContracts and we process engagement content on your behalf. Upon termination of your account, we will delete engagement content as described in Section 8, subject to legally required retention.
Obligations under this DPA that by their nature should survive termination (including confidentiality, breach notification, and deletion obligations) will survive.