Data Processing Agreement
1. Introduction
This Data Processing Agreement ("DPA") supplements the Terms of Service available at /terms and forms part of the agreement between the entity or person subscribing to ClawTrust services ("Customer", "Controller") and AutoRev AI LLC dba ClawTrust ("ClawTrust", "Processor", "we", "us", or "our").
This DPA governs the processing of Personal Data by ClawTrust on behalf of Customer in connection with the provision of AI agent hosting infrastructure and related services. In the event of any conflict between this DPA and the Terms of Service with respect to data protection matters, the terms of this DPA shall prevail.
2. Definitions
For the purposes of this DPA, the following terms have the meanings set forth below. Capitalized terms not defined herein shall have the meanings assigned to them in the Terms of Service.
- "Controller" means the entity which determines the purposes and means of the processing of Personal Data. For purposes of this DPA, Customer is the Controller.
- "Processor" means the entity which processes Personal Data on behalf of the Controller. For purposes of this DPA, ClawTrust is the Processor.
- "Personal Data" means any information relating to an identified or identifiable natural person as defined by applicable Data Protection Laws.
- "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, erasure, or destruction.
- "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
- "Supervisory Authority" means an independent public authority established by a Member State pursuant to the GDPR or other Data Protection Laws.
- "Sub-processor" means any third party engaged by ClawTrust to process Personal Data on behalf of Customer in connection with the services.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, or any successor clauses approved by the European Commission.
- "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including but not limited to: (a) the EU General Data Protection Regulation 2016/679 ("GDPR"); (b) the UK GDPR as defined in the Data Protection Act 2018; (c) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 ("CCPA"); and (d) any other privacy or data protection law, regulation, or directive applicable to the processing of Personal Data under this DPA.
3. Scope of Processing
3.1 Subject Matter
The subject matter of the processing is the provision of AI agent hosting infrastructure and related email services as described in the Terms of Service.
3.2 Duration
The duration of the processing is for the term of the Terms of Service agreement between Customer and ClawTrust, including any renewal periods, until terminated in accordance with the Terms of Service.
3.3 Nature and Purpose of Processing
The nature and purpose of the processing includes:
- Hosting, operating, and maintaining AI agents on dedicated virtual private servers (VPS) on behalf of Customer
- Processing and storing emails received by and sent from Customer's AI agent
- Executing tasks and operations as instructed by Customer via the ClawTrust platform
- Providing Customer with access to agent data, logs, and configuration via the ClawTrust dashboard and API
- Facilitating integrations with third-party services as configured by Customer
- Maintaining security, monitoring, and audit logs for service integrity and security incident response
3.4 Categories of Data Subjects
Personal Data processed under this DPA may relate to the following categories of data subjects:
| Category | Description |
|---|---|
| Authorized Users | Customer's employees, contractors, and authorized users |
| Business Contacts | Customer's contacts and business correspondents |
| Email Correspondents | Email correspondents who send emails to or receive emails from Customer's AI agent |
| Third-Party Users | Third-party users or individuals who interact with Customer's AI agent through messaging channels or integrations |
| Other Individuals | Any other individuals whose Personal Data is submitted to or processed by Customer's AI agent in the course of its operations |
3.5 Types of Personal Data
The types of Personal Data processed under this DPA may include:
| Data Type | Examples |
|---|---|
| Identity Data | Names (first name, last name, display name) |
| Contact Data | Email addresses |
| Communication Content | Email content (subject lines, message bodies, attachments) |
| Communication Metadata | Email metadata (timestamps, sender/recipient information, headers) |
| Technical Data | IP addresses and network identifiers |
| Agent-Processed Data | Any other data submitted to or processed by Customer's AI agent in the course of fulfilling Customer's instructions |
SPECIAL CATEGORIES OF DATA
Customer acknowledges that it is solely responsible for determining what Personal Data is processed by its AI agent and ensuring appropriate safeguards are in place for any special categories of Personal Data (as defined in Article 9 of the GDPR) or Personal Data relating to criminal convictions and offences.
4. Customer Obligations as Controller
Customer, in its role as Controller, represents, warrants, and covenants that:
4.1 Lawful Basis for Processing
Customer has established and will maintain a lawful basis for the processing of Personal Data under applicable Data Protection Laws, including but not limited to consent, contractual necessity, legitimate interests, legal obligation, or vital interests.
4.2 Transparent Privacy Notices
Customer has provided and will continue to provide transparent privacy notices to data subjects informing them of the processing of their Personal Data, including the involvement of ClawTrust as a Processor and the categories of sub-processors engaged.
4.3 Data Subject Rights
Customer is responsible for responding to requests from data subjects exercising their rights under Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection).
4.4 Processing Instructions
Customer determines the purposes and means of processing Personal Data and ensures that all instructions to ClawTrust comply with applicable Data Protection Laws. Customer's use of the ClawTrust platform, including configuration settings, agent instructions, and API calls, constitutes documented instructions for the purposes of this DPA.
4.5 Data Protection Impact Assessments
Where required by Data Protection Laws, Customer will conduct Data Protection Impact Assessments (DPIAs) and, where necessary, consult with relevant Supervisory Authorities prior to processing.
4.6 Special Categories of Data
If Customer's use of the services involves processing special categories of Personal Data (as defined in Article 9 of the GDPR) or Personal Data relating to criminal convictions and offences, Customer warrants that it has implemented appropriate additional safeguards and obtained any necessary explicit consents or established other lawful bases required under Data Protection Laws.
5. ClawTrust Obligations as Processor
ClawTrust, in its role as Processor, shall:
5.1 Process Only on Instructions
Process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by applicable law. In such case, ClawTrust shall inform Customer of that legal requirement before processing, unless prohibited from doing so by law. Customer's configuration and use of the ClawTrust platform constitutes documented instructions.
5.2 Confidentiality
Ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.3 Security Measures
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Section 7 of this DPA.
5.4 Sub-processors
Engage sub-processors only in accordance with Section 8 of this DPA, ensuring that sub-processors are bound by data protection obligations no less protective than those set forth in this DPA.
5.5 Assistance with Data Subject Requests
Taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer's obligation to respond to requests for exercising data subject rights as set forth in Section 6.
5.6 Assistance with Security Obligations
Assist Customer in ensuring compliance with Customer's obligations under Data Protection Laws with respect to security of processing, data breach notification, data protection impact assessments, and prior consultation with Supervisory Authorities, taking into account the nature of processing and the information available to ClawTrust.
5.7 Deletion or Return of Data
At Customer's choice, delete or return all Personal Data to Customer after the end of the provision of services relating to processing, and delete existing copies unless applicable law requires storage of the Personal Data, as detailed in Section 11.
5.8 Demonstration of Compliance
Make available to Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, as set forth in Section 12.
5.9 Prohibition on Independent Processing
Not process Personal Data for ClawTrust's own purposes or on behalf of any third party, except as required by applicable law or as explicitly instructed by Customer through the platform.
5.10 Immediate Notice of Unlawful Instructions
Immediately inform Customer if, in ClawTrust's opinion, an instruction from Customer infringes applicable Data Protection Laws.
6. Data Subject Rights
DATA SUBJECT RIGHTS ASSISTANCE
ClawTrust provides self-service tools via the dashboard and API to export, rectify, or delete Personal Data. Data exports are available in machine-readable format (JSON) at any time.
6.1 Notification of Requests
ClawTrust will promptly notify Customer if ClawTrust receives a request from a data subject to exercise any of their rights under Data Protection Laws (including access, rectification, erasure, restriction of processing, data portability, objection, or rights related to automated decision-making).
6.2 No Direct Response
ClawTrust will not respond to any data subject request directly unless legally required to do so or authorized in writing by Customer. If ClawTrust is required by law to respond to a data subject request, ClawTrust will promptly notify Customer and provide Customer with a copy of the request unless legally prohibited from doing so.
6.3 Assistance and Cooperation
ClawTrust will provide reasonable assistance to Customer to enable Customer to respond to data subject requests within the timeframes required by applicable Data Protection Laws. Such assistance shall include:
- Providing Customer with tools via the ClawTrust dashboard and API to export, rectify, or delete Personal Data
- Implementing Customer's instructions to restrict processing or cease certain processing activities where technically feasible
- Providing data exports in machine-readable format (JSON) to facilitate data portability requests
- Cooperating with Customer to provide information necessary for Customer to respond to data subject inquiries
6.4 Timeframes
ClawTrust will use commercially reasonable efforts to respond to Customer's requests for assistance within five (5) business days. Customer acknowledges that it is solely responsible for ensuring compliance with data subject request response timeframes under applicable Data Protection Laws.
6.5 Data Export Functionality
The ClawTrust platform provides Customer with self-service tools to export all Personal Data associated with Customer's account in machine-readable format (JSON). Customer may use these tools at any time to facilitate responses to data subject access requests or data portability requests.
7. Security Measures
In accordance with Article 32 of the GDPR, ClawTrust has implemented and will maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Personal Data. These measures include:
7.1 Encryption
| Measure | Details |
|---|---|
| Encryption at Rest | Sensitive fields including OAuth tokens, API keys, and credentials are encrypted using AES-256-GCM encryption before storage in the database. |
| Encryption in Transit | All data transmitted between Customer, ClawTrust infrastructure, and sub-processors is encrypted using modern encryption protocols (TLS 1.2+, encrypted tunnels). |
| Full-Volume Encryption | All tenant data directories are stored on LUKS2-encrypted volumes (AES-XTS-plain64, 512-bit keys, Argon2id KDF). Each tenant receives a unique cryptographic keyfile, and volumes auto-unlock on boot via a dedicated systemd service. |
| VPN Tunnel Encryption | Internal communications between infrastructure components are secured via encrypted VPN tunnels. |
7.2 Access Control
- Tenant Isolation: Each Customer is provisioned a dedicated virtual private server with no shared compute or database resources with other tenants.
- Zero-Trust Networking: All network communications between ClawTrust infrastructure and tenant VPS are secured via encrypted zero-trust VPN tunnels.
- Identity and Access Management: Role-based access control (RBAC) for administrative functions, ensuring users have access only to resources associated with their account.
- API Authentication: All API requests are authenticated using timing-safe token comparison to prevent timing attacks.
- Principle of Least Privilege: ClawTrust employees and systems are granted the minimum level of access necessary to perform their functions.
7.3 Network Security
- Content Security Policy: HTTP Content Security Policy (CSP) headers are implemented to mitigate cross-site scripting (XSS) and data injection attacks.
- CSRF Protection: All state-changing API requests require origin validation to prevent cross-site request forgery attacks.
- Rate Limiting: All API endpoints implement rate limiting to prevent abuse and denial-of-service attacks.
- Firewall Configuration: Tenant VPS instances are protected by host-based firewalls restricting access to authorized VPN connections only.
- No Public Exposure: AI agent gateway services are not directly accessible from the public internet.
7.4 Monitoring and Incident Response
- Audit Logging: Comprehensive audit logs are maintained for all state changes, including user actions, API requests, configuration changes, and security events.
- Abuse Detection: Email sending is subject to rate limits and automated abuse detection to prevent misuse and identify potential security incidents.
- Health Monitoring: Automated health checks are performed on all tenant infrastructure components to detect and respond to failures or anomalies.
- Security Incident Response: ClawTrust maintains documented procedures for detecting, responding to, and reporting security incidents, including Personal Data breaches as described in Section 10.
7.5 Organizational Measures
- Access Restrictions: Access to production systems and Personal Data is limited to authorized ClawTrust personnel on a need-to-know basis.
- Confidentiality Commitments: All ClawTrust employees and contractors with access to Personal Data are bound by confidentiality obligations.
- Security Hardening: All infrastructure components follow documented security hardening procedures, including minimizing installed software, disabling unnecessary services, and applying security patches.
- Regular Review: ClawTrust conducts regular reviews of security measures and updates them as necessary to address emerging threats and evolving best practices.
7.6 Ongoing Security Evaluation
ClawTrust will continue to evaluate and enhance security measures as technology, threats, and regulatory requirements evolve. Customer acknowledges that security measures may be updated from time to time to maintain an appropriate level of security.
8. Sub-processors
8.1 Authorization of Sub-processors
Customer hereby provides general authorization for ClawTrust to engage sub-processors to process Personal Data on Customer's behalf in connection with the provision of the services. ClawTrust shall impose data protection terms on any sub-processor it appoints that require the sub-processor to protect Personal Data to the standard required by Data Protection Laws and no less protective than those set forth in this DPA.
8.2 Current Sub-processors
Customer authorizes ClawTrust to engage the following categories of sub-processors as of the effective date of this DPA:
| Category | Purpose | Data Processed | Location |
|---|---|---|---|
| Cloud infrastructure provider | Dedicated server hosting | Agent data, email content | United States |
| Database provider | Application database | All application data | United States |
| Application hosting provider | Web application delivery | Request metadata, session data | United States |
| Payment processor | Subscription billing | Billing information | United States |
| Email delivery provider | Email delivery | Email content, addresses | United States |
| DNS and email infrastructure | DNS, CDN, email routing | Email headers, request data | United States / Global |
| Authentication provider | Identity management | Email, name, session data | United States |
| VPN networking provider | Secure networking | Network metadata | United States |
| AI inference provider | AI model routing | Prompts, completions | United States |
| Background processing provider | Async job processing | Event metadata | United States |
| OAuth integration provider | Third-party service connections | OAuth tokens, connection metadata | United States |
A detailed list of named sub-processors is available upon request by emailing privacy@clawtrust.ai. ClawTrust maintains current sub-processor information and will provide it to Customer upon reasonable request.
8.3 Notice of New Sub-processors
30-DAY ADVANCE NOTICE
ClawTrust will notify you at least 30 days in advance before engaging any new sub-processor or replacing an existing one. You have 15 days to object.
ClawTrust shall notify Customer at least thirty (30) days in advance before engaging any new sub-processor or replacing an existing sub-processor. Such notification shall be provided by:
- Email to the email address associated with Customer's account; or
- Posting an update to the sub-processor list on the ClawTrust website at https://clawtrust.ai/legal/sub-processors with notification via the ClawTrust dashboard or email
8.4 Objection to New Sub-processors
Customer may object to ClawTrust's appointment of a new sub-processor by providing written notice to ClawTrust within fifteen (15) days of receiving notice of the proposed change. Such objection must be based on reasonable grounds relating to data protection.
If Customer objects to a new sub-processor, ClawTrust will use reasonable efforts to make available to Customer a change in the services or recommend a commercially reasonable change to Customer's configuration to avoid processing of Personal Data by the objected-to sub-processor.
If ClawTrust is unable to make available such change within a reasonable period of time (not to exceed sixty (60) days from the date of Customer's objection), Customer may terminate the applicable services that cannot be provided without the use of the objected-to sub-processor by providing written notice to ClawTrust. In such case, Customer may terminate the affected processing activity, and ClawTrust will cease using the objected-to sub-processor for Customer's data.
8.5 Sub-processor Obligations
ClawTrust ensures that each sub-processor is bound by a written agreement requiring the sub-processor to provide at least the same level of data protection as is required by this DPA. ClawTrust shall remain fully liable to Customer for the performance of any sub-processor's obligations.
9. International Data Transfers
9.1 Data Processing Location
Personal Data is primarily processed on infrastructure located in the United States. ClawTrust and its sub-processors maintain infrastructure in the United States for service delivery.
9.2 Transfers to the United States
For transfers of Personal Data from the EU/EEA to the United States, ClawTrust and its sub-processors rely on the EU Standard Contractual Clauses as approved by the European Commission in Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
ClawTrust hereby incorporates the Standard Contractual Clauses (Module Two: Controller to Processor) into this DPA. For purposes of the Standard Contractual Clauses:
- Customer is the "data exporter"
- ClawTrust is the "data importer"
- The details in Sections 3.3, 3.4, and 3.5 of this DPA satisfy the requirements of Annex I to the Standard Contractual Clauses
- The security measures described in Section 7 of this DPA satisfy the requirements of Annex II to the Standard Contractual Clauses
- The sub-processors listed in Section 8.2 of this DPA satisfy the disclosure requirements of Annex III to the Standard Contractual Clauses
Where applicable, certain service providers may also rely on their certification under the EU-U.S. Data Privacy Framework as an additional or alternative basis for lawful data transfers.
9.3 UK Data Transfers
For transfers of Personal Data from the United Kingdom, ClawTrust relies on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as applicable. The same details regarding data exporter, data importer, processing details, security measures, and sub-processors apply as set forth in Section 9.2.
9.4 Supplementary Measures
In addition to the Standard Contractual Clauses, ClawTrust implements supplementary technical and organizational measures to ensure an adequate level of protection for Personal Data transferred outside the EU/EEA, including:
- Modern encryption protocols (TLS 1.2+, encrypted tunnels) for data in transit and encryption at rest (AES-256-GCM for sensitive database fields)
- Strict access controls limiting access to Personal Data to authorized personnel only
- Regular security audits and assessments of data processing activities
- Policies to challenge government or law enforcement requests for data access where lawful to do so
9.5 Data Residency Requests
Customer may request data residency restrictions (e.g., requiring all Personal Data to be processed exclusively within the EU/EEA). ClawTrust will use commercially reasonable efforts to accommodate such requests where technically feasible, which may involve additional fees or service limitations. Such requests must be made in writing to legal@clawtrust.ai.
10. Data Breach Notification
72-HOUR BREACH NOTIFICATION
ClawTrust will notify you of any Personal Data Breach without undue delay and within 72 hours of becoming aware of the breach.
10.1 Notification Obligation
ClawTrust shall notify Customer without undue delay, and in any event no later than seventy-two (72) hours after becoming aware of a confirmed Personal Data breach affecting Customer's Personal Data.
10.2 Notification Contents
The notification shall include, to the extent known at the time of notification:
- A description of the nature of the Personal Data breach, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned
- The name and contact details of ClawTrust's designated data protection point of contact where more information can be obtained
- A description of the likely consequences of the Personal Data breach
- A description of the measures taken or proposed to be taken by ClawTrust to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects
10.3 Phased Notification
If it is not possible to provide all of the information at the same time, ClawTrust may provide the information in phases without undue further delay as information becomes available.
10.4 Method of Notification
Notifications shall be delivered to Customer via email to the email address associated with Customer's account and, where applicable, via the ClawTrust dashboard. Customer is responsible for maintaining current and accurate contact information.
10.5 Cooperation and Investigation
ClawTrust shall cooperate with Customer in investigating the Personal Data breach and shall provide Customer with reasonable assistance to enable Customer to fulfill its obligations under Data Protection Laws with respect to notifying Supervisory Authorities and data subjects.
10.6 Documentation
ClawTrust shall document all Personal Data breaches, including the facts relating to the breach, its effects, and the remedial action taken. Such documentation shall be made available to Customer and, where required by Data Protection Laws, to Supervisory Authorities.
10.7 Customer Obligations
Customer acknowledges that it is solely responsible for complying with all breach notification obligations under applicable Data Protection Laws, including notification to Supervisory Authorities and affected data subjects where required.
11. Data Retention and Deletion
11.1 Retention Period
ClawTrust retains Personal Data only for the duration necessary to provide the services to Customer and fulfill the purposes described in Section 3 of this DPA, unless a longer retention period is required or permitted by law.
11.2 Data Export Window
7-DAY EXPORT WINDOW
Upon termination, you have 7 calendar days to export all Personal Data via the dashboard or API. After the export window, data is permanently deleted within 30 days.
Upon termination or expiration of the Terms of Service for any reason, Customer shall have seven (7) calendar days from the termination date (the "Export Window") to export and download all Personal Data via the ClawTrust dashboard or API. Customer acknowledges and agrees that it is solely responsible for exporting its data during the Export Window.
11.3 Post-Termination Deletion
After the Export Window expires, ClawTrust shall permanently delete all Personal Data within thirty (30) calendar days, except where retention is required by applicable law. Deletion includes:
- Secure deletion of all database records containing Personal Data from production and backup systems
- Destruction of the Customer's dedicated VPS instance, including secure erasure of all data stored on the virtual machine
- Removal of all email data from email delivery systems
- Deletion of audit logs containing Personal Data, except where retention is required by law for security or compliance purposes
11.4 Legal Retention Exceptions
Notwithstanding Section 11.3, ClawTrust may retain certain Personal Data where required by applicable law, including but not limited to:
- Billing and payment records required for tax compliance (retained for seven (7) years in accordance with U.S. federal tax law)
- Records required to be retained for legal proceedings, investigations, or regulatory compliance
- Metadata and audit logs required for security incident investigation and fraud prevention, to the extent permitted by Data Protection Laws
Where Personal Data is retained for legal compliance purposes, ClawTrust shall continue to protect such data in accordance with this DPA and shall delete or anonymize it as soon as the legal retention period expires.
11.5 Deletion Methodology
ClawTrust employs industry-standard secure deletion methods, including:
- Cryptographic erasure (destruction of encryption keys) for encrypted data
- Overwriting data on physical media in accordance with NIST SP 800-88 guidelines where applicable
- Physical destruction of storage media at end-of-life for hardware under ClawTrust's direct control
- Coordinated deletion requests to sub-processors to ensure end-to-end data deletion
11.6 Certification of Deletion
Upon Customer's written request submitted to legal@clawtrust.ai, ClawTrust will provide written confirmation that Customer's Personal Data has been deleted in accordance with this Section 11. Such confirmation will be provided within thirty (30) days of the completion of the deletion process.
12. Audits
12.1 Information Provision
ClawTrust shall make available to Customer all information reasonably necessary to demonstrate compliance with the obligations set forth in this DPA and in applicable Data Protection Laws.
12.2 Security Questionnaires
Customer may submit a written security questionnaire to ClawTrust at legal@clawtrust.ai no more than once per calendar year. ClawTrust shall respond to such questionnaire within thirty (30) calendar days of receipt, provided the questionnaire is reasonable in scope and does not require disclosure of confidential information relating to other customers or ClawTrust's proprietary security measures.
12.3 Third-Party Audit Reports
ClawTrust does not currently hold SOC 2 Type II certification. When such certification or equivalent third-party security assessments become available, ClawTrust will provide them to Customer in lieu of on-site audits. Such reports shall be subject to confidentiality obligations and may be provided under a non-disclosure agreement (NDA).
12.4 On-Site Audits
Customer may conduct an on-site audit of ClawTrust's data processing facilities and procedures, subject to the following conditions:
- Customer shall provide at least thirty (30) calendar days' written notice to ClawTrust prior to the proposed audit date
- Audits may be conducted no more than once per calendar year unless required by a Supervisory Authority or in response to a confirmed Personal Data breach
- Audits shall be conducted during ClawTrust's normal business hours and in a manner that does not unreasonably interfere with ClawTrust's business operations
- Customer shall bear all costs and expenses associated with the audit, including reasonable fees for ClawTrust personnel time exceeding eight (8) hours
- The auditor must be a qualified independent third-party auditor, not a direct competitor of ClawTrust
- The auditor must execute a confidentiality agreement acceptable to ClawTrust prior to the audit
12.5 Audit Scope and Limitations
Audits shall be limited to verification of ClawTrust's compliance with its obligations under this DPA and applicable Data Protection Laws. Audits shall not include:
- Access to Personal Data of other ClawTrust customers or confidential information not related to Customer's data processing
- Access to source code, proprietary algorithms, or trade secrets unrelated to data protection compliance
- Penetration testing or other security testing that could disrupt ClawTrust's services (such testing requires separate written agreement)
12.6 Audit Reports
Customer shall provide ClawTrust with a copy of any audit report within thirty (30) days of completion. Audit reports shall be treated as Confidential Information under the Terms of Service. If an audit reveals non-compliance with this DPA, the parties shall cooperate in good faith to develop and implement a remediation plan within a reasonable timeframe.
13. Liability
13.1 Respective Liability
Each party is liable for damages caused by its own violation of applicable Data Protection Laws in accordance with the allocation of responsibilities set forth in this DPA and applicable law.
13.2 Limitation on Processor Liability
ClawTrust shall not be liable for any damages or penalties arising from processing of Personal Data that is carried out in compliance with Customer's documented instructions, even if such processing results in a violation of applicable Data Protection Laws. Customer is solely responsible for ensuring that its instructions to ClawTrust comply with all applicable laws.
13.3 Incorporation of Terms of Service Limitations
Except as expressly modified by this Section 13, liability under this DPA is subject to the limitations of liability, disclaimers, and other liability provisions set forth in the Terms of Service. The aggregate liability of ClawTrust arising out of or related to this DPA shall not exceed the liability cap set forth in the Terms of Service.
13.4 Exceptions to Limitations
Nothing in this DPA shall limit or exclude liability for:
- Gross negligence or willful misconduct
- Fraud or fraudulent misrepresentation
- Violations of Data Protection Laws that cannot be limited by contract under applicable law
- Death or personal injury caused by negligence
- Breach of confidentiality obligations with respect to Personal Data
13.5 Indemnification for Unlawful Instructions
Customer shall indemnify, defend, and hold harmless ClawTrust from and against any claims, damages, fines, penalties, or costs (including reasonable attorneys' fees) arising from or related to:
- Customer's instructions to ClawTrust that violate applicable Data Protection Laws
- Customer's failure to comply with its obligations as a Controller under Data Protection Laws
- Customer's processing of special categories of Personal Data without adequate safeguards
- Customer's failure to provide adequate privacy notices to Data Subjects
13.6 Allocation Between Parties
Where both Customer and ClawTrust are jointly liable for damages under applicable Data Protection Laws, liability shall be allocated between the parties in accordance with the degree of fault and responsibility of each party, as determined by a court of competent jurisdiction or mutually agreed by the parties.
14. Term and Termination
14.1 Term
This DPA is effective as of the date Customer first accepts the Terms of Service or begins using the ClawTrust services, whichever is earlier, and shall remain in effect for the duration of the Terms of Service, including any renewal periods.
14.2 Termination
This DPA shall automatically terminate upon termination or expiration of the Terms of Service. Either party may terminate this DPA immediately upon written notice if the other party materially breaches this DPA and fails to cure such breach within thirty (30) days of receiving written notice of the breach.
14.3 Effect of Termination
Upon termination of this DPA:
- ClawTrust shall cease processing Personal Data on behalf of Customer, except as necessary to comply with legal obligations or as instructed by Customer for purposes of data export
- The provisions of Section 11 (Data Retention and Deletion) shall apply
- All rights and obligations that by their nature should survive termination shall survive, including Sections 10 (Data Breach Notification), 11 (Data Retention and Deletion), 13 (Liability), and 15 (Contact)
14.4 Survival
The following provisions shall survive termination or expiration of this DPA: Section 5.2 (Confidentiality), Section 10 (Data Breach Notification) to the extent relating to breaches occurring prior to termination, Section 11 (Data Retention and Deletion), Section 13 (Liability), and Section 15 (Contact).
15. Contact
15.1 Data Protection Inquiries
For questions or concerns regarding data protection, privacy practices, or this DPA, please contact:
Data Protection Contact
AutoRev AI LLC (dba ClawTrust)
1121 Worthington Woods Blvd Unit 1065, Columbus, OH 43085
Privacy: privacy@clawtrust.ai
Legal: legal@clawtrust.ai
15.2 DPA-Related Requests
For requests related to this DPA, including audit requests, security questionnaires, data residency requests, or legal inquiries, please contact:
Legal Contact
Email: legal@clawtrust.ai
Entity: AutoRev AI LLC
15.3 Data Breach Notifications
In the event of a Personal Data breach, ClawTrust will notify Customer at the email address associated with Customer's account. Customer is responsible for ensuring this email address is current and monitored.
15.4 Response Time
ClawTrust will make commercially reasonable efforts to respond to data protection inquiries within five (5) business days. Formal legal requests and audit requests will be responded to within the timeframes specified in this DPA.
16. General Provisions
16.1 Conflict with Terms of Service
In the event of any conflict between this DPA and the Terms of Service with respect to the processing of Personal Data, the terms of this DPA shall prevail.
16.2 Amendments
ClawTrust may update this DPA from time to time to reflect changes in Data Protection Laws, regulatory guidance, or business practices. ClawTrust will notify Customer of material changes by email or via the ClawTrust dashboard at least thirty (30) days before the changes take effect. Customer's continued use of the services after the effective date of changes constitutes acceptance of the updated DPA.
16.3 Severability
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect. The invalid or unenforceable provision shall be replaced with a valid and enforceable provision that most closely reflects the original intent of the parties.
16.4 Governing Law and Jurisdiction
This DPA shall be governed by the same governing law and jurisdiction provisions as set forth in the Terms of Service, except where Data Protection Laws mandate otherwise. For European customers, the parties agree to submit to the jurisdiction of the courts of the EU Member State where Customer is established for disputes relating to this DPA.
16.5 Entire Agreement
This DPA, together with the Terms of Service, constitutes the entire agreement between the parties with respect to the processing of Personal Data and supersedes all prior or contemporaneous understandings or agreements, whether written or oral, regarding such subject matter.
16.6 Order of Precedence
In the event of any conflict or inconsistency between the documents governing the relationship between Customer and ClawTrust, the following order of precedence shall apply (highest to lowest):
- This Data Processing Agreement
- Standard Contractual Clauses (where applicable to international data transfers)
- Terms of Service
16.7 Language
This DPA is provided in English. If translated into another language, the English version shall prevail in the event of any conflict or ambiguity.
Last updated: February 15, 2026
Version: 1.0