Data Processing Agreement
Last updated: July 10, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Laconic Company LLC ("ClearPolicy," "we," "our," or "us"), operating ClearPolicy, and the organization that creates or uses a ClearPolicy account ("Customer," "you," or "your").
This DPA applies when ClearPolicy processes personal data on your behalf in connection with the ClearPolicy service. It supplements our Terms of Service and Privacy Policy. If there is a conflict between this DPA and the Terms regarding the processing of personal data, this DPA controls.
By creating or using a ClearPolicy account, you agree to this DPA on behalf of your organization. If you need transfer documentation for UK compliance, download our pre-signed UK International Data Transfer Agreement (PDF) . For other procurement or compliance requests, contact us at [email protected].
1. Roles and scope
For personal data that you upload, import, sync, or otherwise provide through ClearPolicy about your people, team members, and organization:
- You are the data controller (or equivalent under applicable law). You decide what data to collect, which documents to send, and who receives requests.
- ClearPolicy is the data processor (or equivalent). We process that data only to provide, secure, support, and improve the service as described in this DPA and in accordance with your instructions through normal use of ClearPolicy.
ClearPolicy acts as an independent controller — not your processor — for data we collect to operate our own business, such as billing account administration, product analytics about how organizations use ClearPolicy, and marketing website analytics. That processing is described in our Privacy Policy.
2. Definitions
In this DPA:
- "Personal Data" means information relating to an identified or identifiable individual that you provide to ClearPolicy or that is generated through your use of the service.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, transmission, and deletion.
- "Sub-processor" means a third party engaged by ClearPolicy to process Personal Data on our behalf.
- "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by ClearPolicy on your behalf.
- "Service" means the ClearPolicy application and related features described at www.clearpolicy.app.
3. Details of processing
The following describes the processing ClearPolicy performs on your behalf.
Subject matter
Policy and document management, acknowledgment and signature collection, compliance tracking, notifications, exports, and related account administration.
Duration
For the term of your subscription or trial, and as otherwise described in Section 10 (Data Retention) and Section 11 (Deletion and return).
Nature and purpose of processing
- Storing and displaying documents and document revisions
- Sending document requests, reminders, and service-related notifications
- Recording acknowledgments, electronic signatures, timestamps, audit trails, and compliance reports
- Recording paper on file when your team members upload a signed paper copy for a pending document request (status and evidence stored with the request)
- Generating exports, receipts, and printable reports
- Operating optional integrations you authorize
- Securing the service, providing support, and maintaining reliability
ClearPolicy does not sell Personal Data, use it for advertising, or use it to train third-party artificial intelligence models.
Categories of data subjects
- People you add or import (employees, volunteers, contractors, and other recipients)
- Team members who sign in and work inside your organization
- Individuals whose data is synced through integrations you enable (for example, Planning Center)
Types of Personal Data
- People records: name, email address, phone number (if provided), group membership, and document request status
- Team member records: name, email address, organization name, role, account preferences, and authentication data (such as password hash, two-factor authentication status, and passkey credential metadata including credential identifier, public key, label, and usage metadata, when registered)
- Signature and acknowledgment records: for electronic completions — typed name (where applicable), timestamp, IP address, browser or user agent, document version, activity history, document integrity hash, and related audit data; for paper on file — completion method, completion timestamp, the team member who recorded the completion, activity history, and related audit data (paper completions do not include recipient IP, user agent, or document integrity hash of the uploaded file as electronic signature evidence)
- Paper on file evidence: signed paper copies (PDF or image) uploaded by your team members and associated with a document request, plus file metadata such as file name, MIME type, size, and content integrity hash of the uploaded file
- Document content: policies, forms, uploaded PDFs, editor content, exported files, and related metadata
- Communications content: message text included with document requests or in-app product support, where you provide it
- Integration data (if enabled): encrypted authentication tokens, provider account identifiers, and data imported from connected services
4. Your responsibilities as controller
You are responsible for:
- Ensuring you have a lawful basis to collect, upload, import, sync, and process Personal Data through ClearPolicy
- The accuracy, content, and legality of documents and communications you send
- Providing appropriate notice to people and team members whose data you process through ClearPolicy
- Managing which integrations, API clients, and automation tools you authorize to access your ClearPolicy data
- Your use of exported data, compliance reports, and signature records after download or print
ClearPolicy does not provide legal advice.
5. Our obligations as processor
ClearPolicy will:
- Process Personal Data only on your documented instructions, which include your configuration and use of the Service, unless required by applicable law
- Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures as described in Section 9
- Engage Sub-processors only as described in Section 8 and remain responsible for their performance
- Assist you, insofar as reasonably possible, with data subject requests to access, correct, delete, or export Personal Data processed on your behalf
- Notify you of Security Incidents as described in Section 12
- Make available information reasonably necessary to demonstrate compliance with this DPA
6. Instructions
Your instructions to ClearPolicy are reflected in your use of the Service, including the people and documents you manage, the requests you send, the integrations you connect, and the exports you generate.
If you require processing outside the scope of normal Service functionality, contact [email protected]. We will review reasonable written requests and respond as appropriate.
7. Data location
ClearPolicy stores and processes customer Personal Data primarily in the United States.
- Application and database servers are hosted on separate servers in Vultr's New Jersey, United States data center
- Uploaded documents and files (PDFs, document revisions, imports, and related file storage) are stored in Cloudflare object storage, provisioned through Laravel Forge, with region set to automatic selection
Vultr's New Jersey data center maintains third-party attestations including SOC 1 Type II, SOC 2 Type II, ISO 27001, PCI DSS, and HITRUST. These are infrastructure-provider certifications and do not represent a separate certification held by ClearPolicy itself.
Cloudflare's global network may process limited technical metadata (such as request routing information) at edge locations as part of normal service delivery. Primary file storage remains in Cloudflare object storage as configured for the Service.
8. Sub-processors
You authorize ClearPolicy to engage the Sub-processors listed below to process Personal Data on your behalf. ClearPolicy will impose data protection obligations on Sub-processors that are substantially similar to those in this DPA.
Core Sub-processors
These providers are used to operate the Service for all customers:
- Vultr — application and database hosting (United States, New Jersey)
- Cloudflare — private object storage for uploaded documents and files (region: automatic)
- Resend — transactional email delivery for document requests, reminders, and service notifications (United States)
- Stripe — billing and subscription management for account holders (United States)
- Laravel Nightwatch — application monitoring and error tracking (United States)
- Matomo — product usage analytics (hosted in Seattle, United States; may include organization-level usage identifiers)
- OpenAI — limited AI-assisted features, including internal organization classification and in-app product support for team members. May process organization and account signals, billing status, support messages, and conversation context. Configured so routine product workflows do not send people records or document content; team members should not include people data, document content, or other sensitive information in support messages. OpenAI does not receive people records or document content through standard product workflows
Conditional Sub-processors
These providers process Personal Data only when you enable the relevant feature:
- Google — optional Google sign-in and Google Drive document import
- Microsoft — optional Microsoft sign-in
- Planning Center — optional people and list synchronization
- Zapier and authorized API clients — data accessed through integrations and automations you configure
Changes to Sub-processors
We may add or replace Sub-processors from time to time. We will update this page when we make material changes to the core Sub-processor list. If you object to a new Sub-processor on reasonable data-protection grounds, contact [email protected] within 30 days of the update. If we cannot reasonably accommodate your objection, you may terminate the Service as your sole remedy.
9. Security measures
ClearPolicy maintains administrative, technical, and organizational measures designed to protect Personal Data, including:
- Hosting production systems on dedicated cloud infrastructure in the United States
- HTTPS/TLS encryption for data in transit
- Private object storage for uploaded documents and files
- Encryption at rest for sensitive integration and authentication tokens
- Role-based access controls within the product and organization data isolation
- Team member authentication with optional two-factor authentication
- Access to production systems limited to authorized personnel
- Application monitoring and error tracking to detect and respond to issues
No security program can guarantee absolute security. You are responsible for maintaining the security of your account credentials and for managing access within your organization.
10. Data retention
Active accounts: Personal Data is retained while your account is active and as needed to provide the Service.
Signature and acknowledgment records: Completed signature and acknowledgment records — including electronic completions and paper on file — with associated audit trails, document integrity information where applicable, and uploaded paper evidence files, are retained to preserve legal and compliance records. ClearPolicy does not apply a scheduled purge date to these records. Our goal is to retain legally significant completion records for as long as practicable so you maintain a durable audit trail.
Other data: You may archive or delete certain people, documents, and related records through the ClearPolicy interface, subject to product rules and data integrity safeguards. Some deletion actions may not remove associated completed signature or acknowledgment records where those records form part of the legal audit trail.
Integration credentials: Authentication tokens for connected integrations are retained until you disconnect the integration or the relevant access scope is removed.
11. Deletion and return
During an active subscription, you may export data through the Service where export features are available, or request assistance at [email protected].
Upon termination of your account:
- You may request export of your data within 30 days of termination
- After that period, ClearPolicy may delete or de-identify Personal Data from active production systems, except where retention is required by law or reasonably necessary for the purposes described in this DPA
- Signature and acknowledgment records may be retained after account termination in accordance with Section 10, including where needed to preserve legal audit trails, resolve disputes, or comply with applicable law
If you require deletion of specific Personal Data, contact us at [email protected]. We will respond to lawful and technically feasible requests, subject to the retention principles above.
12. Security incidents
If ClearPolicy becomes aware of a Security Incident affecting Personal Data we process on your behalf, we will notify you without undue delay and, where feasible, within 72 hours of becoming aware of it.
Our notification will, to the extent known at the time, describe:
- The nature of the Security Incident
- The categories of Personal Data and data subjects likely affected
- The likely consequences
- Measures taken or proposed to address the incident
ClearPolicy will take reasonable steps to investigate, mitigate, and remediate the Security Incident. You are responsible for notifying relevant authorities and affected individuals when required by applicable law.
13. International transfers
ClearPolicy is based in the United States and processes Personal Data primarily in the United States. If you are located in the European Economic Area, United Kingdom, Switzerland, or another jurisdiction with data transfer requirements, you acknowledge that Personal Data may be transferred to and processed in the United States.
Where required by applicable law, ClearPolicy makes available appropriate transfer mechanisms, including the European Commission Standard Contractual Clauses and the UK International Data Transfer Addendum.
Customers transferring personal data from the United Kingdom may download our pre-signed UK International Data Transfer Agreement (PDF) . The agreement incorporates the UK International Data Transfer Addendum and EU Standard Contractual Clauses (Module Two: Controller to Processor). Complete the exporter details in the document for your own compliance records. Contact [email protected] if you need additional transfer documentation.
14. Audits and information requests
ClearPolicy will make available the information in this DPA, our Privacy Policy, and reasonable additional written information about our processing practices upon request.
If you require an audit beyond this information, you may request one no more than once per year on reasonable advance notice, subject to confidentiality obligations and execution of any required access agreements. ClearPolicy may satisfy audit requests by providing third-party reports or certifications where available.
15. Liability
Liability arising from or related to this DPA is subject to the limitation of liability provisions in our Terms of Service, except where prohibited by applicable data protection law.
16. Term
This DPA takes effect when you create or continue using a ClearPolicy account and remains in effect for as long as ClearPolicy processes Personal Data on your behalf.
17. Changes
We may update this DPA from time to time. Material changes will be posted on this page with an updated date. Continued use of the Service after an update constitutes acceptance of the revised DPA.
18. Contact
ClearPolicy is operated by:
Laconic Company LLC
2120 S Reserve Street PMB 1087
Missoula, MT 59801
United States
Questions about this DPA, Sub-processors, security, or data processing requests: [email protected]