
Data Processing Agreement

Article 28 GDPR Data Processing Agreement (DPA) for customers of the CleverRouter gateway. This is the English version — a German legal-equivalent is available under /legal/avv.

Last updated: 11 May 2026

Notice: template status. This is a TEMPLATE generated for the CleverRouter MVP. It has NOT been reviewed by a German lawyer. Use only as a starting point: get a real legal review before going live with paying customers.

On this page

  • 1. Parties & Scope
  • 2. Subject Matter & Duration
  • 3. Nature & Purpose of Processing
  • 4. Categories of Data Subjects & Data
  • 5. Processor Obligations
  • 6. Technical & Organisational Measures
  • 7. Sub-Processors
  • 8. Assistance with Data Subject Rights
  • 9. Personal Data Breach Notification
  • 10. Audit Rights
  • 11. International Transfers
  • 12. Deletion & Return of Data
  • 13. Liability
  • 14. Signing the DPA

Need a signed PDF version?

We provide a counter-signed PDF on request. Send an email with your company details to legal@clevermation.com — we typically turn it around in 1–2 business days.
[PLACEHOLDER — replace with direct download link once the PDF generator is live]

German version → /legal/avv

1. Parties & Scope

This Data Processing Agreement ("DPA") is entered into between:

  • Controller: the customer entity defined in the order form or, in the absence of one, the account holder identified in the CleverRouter dashboard ("Customer"); and
  • Processor: Clevermation GmbH, [PLACEHOLDER — address], Germany, HRB [PLACEHOLDER] ("Clevermation").

The DPA forms an integral part of the main agreement (Terms of Service or Enterprise Order Form) under which Clevermation provides the CleverRouter gateway (the "Service"). It supplements, and where conflicting takes precedence over, those terms for matters of data protection.

2. Subject Matter & Duration

The subject matter of the processing is the operation of the CleverRouter API gateway: receiving inference requests from the Customer, forwarding them to one or more LLM providers, returning the response to the Customer, and recording usage metadata for billing.

The DPA applies for the entire duration of the main agreement and survives any termination for the purposes of clauses on deletion, audit, and liability.

3. Nature & Purpose of Processing

Processing is performed solely to provide the Service: routing, rate-limiting, budget enforcement, billing, abuse prevention, and operational monitoring. Clevermation does not process personal data contained in prompts or completions beyond ephemeral forwarding (see clause 6 on Zero Data Retention).

4. Categories of Data Subjects & Data

4.1 Data subjects

Account administrators, developers, and end-users of the Customer whose data is included in API calls.

4.2 Categories of personal data

  • Account data: email, optional name, password hash, Stripe identifier.
  • API caller metadata: timestamp, model identifier, token counts, response status, latency, truncated key identifier.
  • Hashed IP addresses for short-term rate-limit enforcement.
  • Any personal data contained in request payloads — processed in transit only, not persisted.

Clevermation does not store prompts, completions, embeddings, or tool arguments at rest. Special categories (Art. 9 GDPR) may only be sent through the Service under a separate written agreement.

5. Processor Obligations

Clevermation undertakes to:

  • process personal data only on documented instructions of the Customer, including transfers to third countries (the main agreement and this DPA constitute such instructions);
  • ensure that persons authorised to process the personal data have committed to confidentiality;
  • take all measures required under Article 32 GDPR (see clause 6 below);
  • respect the conditions for engaging sub-processors set out in clause 7;
  • taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures with the fulfilment of the Customer's obligation to respond to requests from data subjects;
  • assist the Customer with Articles 32–36 GDPR (security, breach notification, impact assessment, prior consultation);
  • at the choice of the Customer, delete or return all personal data after end of provision of services (see clause 12);
  • make available all information necessary to demonstrate compliance with Article 28 GDPR and allow for audits (clause 10).

6. Technical & Organisational Measures (TOMs)

Clevermation implements the following measures pursuant to Article 32 GDPR. They may be adjusted over time to reflect technical progress; any material reduction will be notified in advance.

| Category | Measure |
|---|---|
| Encryption in transit | TLS 1.3 enforced on all endpoints; HSTS; mTLS for sub-processor connections. |
| Encryption at rest | AES-256 for all persistent storage (Postgres, object storage, backups). |
| Zero Data Retention | Prompts, completions, embeddings and tool arguments are never persisted. Only metadata is logged. |
| Access control | Least-privilege IAM, MFA mandatory for all engineers, JIT production access with full audit trail. |
| Audit logs | All administrative actions and customer-data access are logged; logs retained for 12 months in append-only storage. |
| Network segmentation | Production isolated from development; private subnets for data plane; WAF and rate-limiting at edge. |
| EU-only routing | Default deployment is Scaleway Paris (FR). No sub-processor outside the EU. US endpoints only on explicit Customer opt-in. |
| Personnel | Background checks, written confidentiality undertakings, mandatory privacy training, clean-desk policy. |
| Incident response | 24/7 on-call rotation, documented runbook, target P0 acknowledgement < 30 min. |
| Backups & recovery | Daily encrypted backups, monthly restore drills, RTO < 4h, RPO < 1h for metadata. |

7. Sub-Processors

The Customer hereby grants general authorisation for the engagement of sub-processors. Clevermation maintains the current list at this page and below. Clevermation will inform the Customer of any intended addition or replacement at least 14 days in advance by email or dashboard notice. The Customer may object on reasonable grounds; if no amicable solution is found, either party may terminate the affected service component.

| Sub-Processor | Location | Purpose |
|---|---|---|
| Scaleway SAS | Paris, France (EU) | Hosting & compute of gateway nodes |
| Stripe Payments Europe Ltd. | Dublin, Ireland (EU) | Payment processing (EU data residency) |
| Postmark (ActiveCampaign LLC, EU instance) | Frankfurt, Germany (EU) | Transactional email delivery |

8. Assistance with Data Subject Rights

Clevermation will assist the Customer through appropriate technical and organisational measures, insofar as possible, to fulfil the Customer's obligation to respond to requests by data subjects (access, rectification, erasure, restriction, portability, objection). Standard data subject requests can be served via the dashboard export/deletion features at no extra charge.

9. Personal Data Breach Notification

Clevermation will notify the Customer without undue delay — and in any event within 48 hours after becoming aware — of any personal data breach. The notification will include the information listed in Article 33(3) GDPR to the extent available at the time.

10. Audit Rights

Clevermation will make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR. The Customer may, no more than once per twelve months and with 30 days' written notice, conduct an audit either directly or through a mandated third-party auditor (subject to confidentiality).

Audits at the production data centre are restricted under the agreements with the relevant sub-processor. Clevermation will provide current third-party certifications (e.g. Scaleway ISO 27001, SOC 2) in lieu of an on-site visit where reasonable.

11. International Transfers

Personal data is processed exclusively inside the EU/EEA. There are no third-country transfers by default. Should the Customer instruct Clevermation to route specific requests to a non-EU model endpoint, the parties will execute the EU Standard Contractual Clauses (Commission Decision 2021/914) with the respective sub-processor prior to any such transfer.

12. Deletion & Return of Data

On termination of the main agreement, Clevermation will, at the Customer's choice, delete or return all personal data within 30 days and certify deletion in writing. Statutory retention obligations (in particular tax law) remain unaffected; data covered by such obligations is locked from access and deleted at the end of the statutory period.

13. Liability

Liability is governed by the main agreement. Article 82 GDPR remains unaffected.

14. Signing the DPA

For Pay-as-you-go customers this DPA is concluded by clicking through the standard terms during account creation and remains valid for the duration of the account. Enterprise customers receive a counter-signed PDF as part of the Order Form package.

Custom addenda (e.g. specific sub-processor exclusions, region pinning, additional TOMs) are available under the Enterprise plan — please reach out to legal@clevermation.com.
