105 lines
9.0 KiB
Cheetah
{{define "dpa"}}
<div class="hero container">
<p class="label mb-3">Legal</p>
<h1 class="mb-6">Data Processing Agreement</h1>
<p class="lead mb-8">Standard contractual clauses for GDPR and Swiss FADP compliance. This DPA applies automatically to all hosted (paid) subscriptions.</p>
</div>
<hr class="divider">
<div class="section container prose-width">
<h2 class="mb-4">1. Definitions</h2>
<p class="mb-4"><strong>"Controller"</strong> means the natural or legal person who creates and owns the data within their Clavitor vault and determines why it is stored. You are always the Controller of your own credentials and personal data.</p>
<p class="mb-4"><strong>"Processor"</strong> means Clavitor.ai, the entity that provides hosting infrastructure, encryption orchestration, and data storage services on behalf of the Controller.</p>
<p class="mb-4"><strong>"Data Subject"</strong> means the natural person whose personal data is processed. This may be you (the Controller) or others whose data you store in your vault (family members, employees, clients).</p>
<p class="mb-4"><strong>"Personal Data"</strong> means any information relating to an identified or identifiable natural person stored in your vault, including but not limited to: credentials, passwords, API keys, payment card data, identity documents, and contact information.</p>
<p class="mb-6"><strong>"Processing"</strong> means any operation performed on Personal Data, including collection, storage, encryption, transmission, backup, and deletion.</p>
<h2 class="mb-4">2. Processing Details</h2>
<table class="data-table mb-6">
<tbody>
<tr>
<td><strong>Subject matter</strong></td>
<td>Encrypted credential vault hosting and related services</td>
</tr>
<tr>
<td><strong>Duration</strong></td>
<td>For the term of your subscription, plus 30 days for compliance backups (not restorable)</td>
</tr>
<tr>
<td><strong>Nature and purpose</strong></td>
<td>Storage of encrypted data; authentication orchestration; backup and disaster recovery; technical support (subject to the zero-knowledge limitations in section 6)</td>
</tr>
<tr>
<td><strong>Type of Personal Data</strong></td>
<td>User credentials, authentication tokens, payment card data, identity documents, secure notes, TOTP seeds, metadata</td>
</tr>
<tr>
<td><strong>Categories of Data Subjects</strong></td>
<td>Controller (account holder) and third parties whose data the Controller chooses to store</td>
</tr>
</tbody>
</table>
<h2 class="mb-4">3. Obligations of the Processor</h2>
<p class="mb-4"><strong>3.1 Process only on documented instructions.</strong> Clavitor processes Personal Data only to provide the hosted vault service as described in our Terms of Service. We do not use data for our own purposes, train AI models on it, derive insights from it, or monetize it beyond subscription fees.</p>
<p class="mb-4"><strong>3.2 Ensure confidentiality.</strong> All Clavitor personnel with potential access to infrastructure are bound by confidentiality agreements. Access is granted on the principle of least privilege and is logged.</p>
<p class="mb-4"><strong>3.3 Implement security measures.</strong> We implement:</p>
<ul class="mb-4">
<li>Encryption in transit and at rest for all vault data; L3 identity fields are additionally end-to-end encrypted under a key we never hold (see section 6)</li>
<li>Tiered encryption (L1/L2/L3): identity fields (L3) are encrypted with a key derived from the WebAuthn PRF output of your authenticator and are not decryptable by us</li>
<li>Zero-knowledge for vault contents: we cannot decrypt L3 fields, L2 fields are unlocked only within your authenticated session, and only L1 metadata (entry IDs, types, timestamps) is readable by us</li>
<li>WebAuthn/passkey authentication: no passwords stored server-side</li>
<li>Geographic distribution: 21 POPs with encrypted replication</li>
<li>Incident response: 24/7 monitoring, automated alerts, documented breach procedures</li>
</ul>
<p class="mb-4"><strong>3.4 Subprocessor transparency.</strong> We use only the subprocessors listed in our <a href="/subprocessors">Subprocessor List</a>. We notify subscribers 30 days before adding any new subprocessor.</p>
<p class="mb-4"><strong>3.5 Assist with Data Subject rights.</strong> Upon your request, we will assist you in responding to requests from Data Subjects exercising rights under GDPR/FADP (access, rectification, erasure, portability, restriction, objection). Note: because of the encryption architecture, we cannot access or modify encrypted vault contents; assistance is limited to account-level operations.</p>
<p class="mb-4"><strong>3.6 Assist with security obligations.</strong> We provide security documentation, penetration test summaries (NDA required for details), and audit logs on request.</p>
<p class="mb-4"><strong>3.7 Delete or return data.</strong> Upon subscription termination, we delete all active data immediately per our <a href="/terms">Cancellation Policy</a>. Compliance backups are retained for 30 days only and then destroyed. Data cannot be returned in decrypted form: L3 identity fields are encrypted with keys we never hold, and L2 fields are unlocked only within your own authenticated session.</p>
<p class="mb-4"><strong>3.8 Audit and inspection.</strong> Upon 30 days' written notice, you may audit our compliance with this DPA. Audits are conducted at our Zürich headquarters or virtually. We provide relevant documentation; direct infrastructure access requires security clearance. Self-hosted Community Edition users perform their own audits.</p>
<p class="mb-4"><strong>3.9 Notify of breaches.</strong> We notify you within 24 hours of discovering any breach affecting your Personal Data. We will never delay notification for investigation or legal review.</p>
<p class="mb-6"><strong>3.10 Document processing activities.</strong> We maintain records of processing activities and make summaries available upon request.</p>
<h2 class="mb-4">4. Obligations of the Controller</h2>
<p class="mb-4">You warrant that:</p>
<ul class="mb-4">
<li>You have a lawful basis to process the Personal Data in your vault</li>
<li>You have provided appropriate privacy notices to Data Subjects whose data you store</li>
<li>You will not store data in violation of applicable laws (e.g., child sexual abuse material, terrorism-related data)</li>
<li>You will promptly notify us of any Data Subject requests or regulatory inquiries</li>
</ul>
<h2 class="mb-4">5. Data Location and Transfer</h2>
<p class="mb-4">Your vault data is stored encrypted at the Point of Presence (POP) geographically nearest to where you usually access it. Primary and backup POPs are in different regions for resilience. The complete list of 21 POPs with cities, providers, and compliance certifications is maintained in our <a href="/pops">POP database</a>.</p>
<p class="mb-4">Infrastructure providers used for POPs include: Amazon Web Services (primary provider for most regions), ISHosting (Istanbul, Almaty), HostAfrica (Lagos, Nairobi), and Hostkey (Zürich POP). Zürich HQ operations (billing, administrative) also use Hostkey.</p>
<p class="mb-4">All POPs are either:</p>
<ul class="mb-4">
<li>In jurisdictions with adequacy decisions (EU, EEA, Switzerland, UK, Canada, etc.)</li>
<li>Bound by Standard Contractual Clauses (SCCs) where no adequacy decision exists</li>
</ul>
<p class="mb-6">Because of the tiered encryption described in section 6, vault data stored in a non-adequate jurisdiction is still technically protected: L3 identity fields cannot be decrypted by us, and therefore not by local authorities either, and L2 fields are unlocked only within your authenticated session. DNS resolution is handled by Cloudflare; no vault data ever passes through their network.</p>
<h2 class="mb-4">6. Encryption and Technical Measures</h2>
<p class="mb-4">Our architecture is designed so that we <em>cannot</em> access your sensitive data even if compelled:</p>
<ul class="mb-6">
<li><strong>L1 (Metadata):</strong> Entry IDs, titles (unless marked as sensitive), types, timestamps — visible to us for service operation</li>
<li><strong>L2 (Standard fields):</strong> Passwords, usernames, API keys — encrypted with server-held keys, decryptable only within your active authenticated session</li>
<li><strong>L3 (Identity fields):</strong> Credit cards, CVV, passport numbers, SSNs — encrypted with a key derived from the output of the WebAuthn PRF extension on your authenticator (passkey). The authenticator secret that produces that output <strong>never leaves your device</strong>, so we cannot decrypt these fields by construction. The same property means we cannot recover L3 fields for you if you lose that authenticator.</li>
</ul>
<h2 class="mb-4">7. Contact</h2>
<p class="mb-4">For DPA-related inquiries:</p>
<p class="mb-2"><strong>Data Protection Officer (DPO)</strong><br>
Clavitor.ai<br>
c/o Johan Jongsma<br>
<a href="mailto:privacy@clavitor.ai">privacy@clavitor.ai</a></p>
<p class="mb-6">Zürich, Switzerland</p>
<h2 class="mb-4">8. Effective Date and Changes</h2>
<p class="mb-4">This DPA is effective as of your subscription start date and remains in effect until termination. Changes are notified 30 days in advance. Continued use constitutes acceptance.</p>
<p class="text-sm text-tertiary">Last updated: April 2026 | Version 1.0</p>
</div>
{{end}}