Data Processing Addendum (DPA)
Last updated: May 13, 2026
This Data Processing Addendum (the "DPA") forms part of the agreement between the creator (the "Controller") and Marea Kiss LLC, operating Clonify (the "Processor"), and reflects the parties' obligations under article 28 of Regulation (EU) 2016/679 (GDPR). Acceptance is automatic upon activation of a paid subscription.
Article 1. Definitions
- Controller: the creator subscribing to Clonify, who determines the purposes and means of processing personal data of their visitors.
- Processor: Marea Kiss LLC, operating the Clonify service on behalf of the Controller.
- Data subject: any visitor to a clone published by the Controller.
Article 2. Subject matter and duration
The Processor processes personal data of the Controller's visitors solely to provide the Clonify service. This DPA remains in force as long as the Processor processes personal data on behalf of the Controller.
Article 3. Nature and purpose
Operating an AI clone of the Controller: storing uploaded content, transcribing audio/video, generating embeddings, running language models to produce replies, maintaining visitor sessions, building a per-visitor memory profile, and providing analytics.
Article 4. Types of personal data and data subjects
Data subjects: visitors of the Controller's clone. Categories processed:
- Email address and optional name.
- Conversation transcripts with the clone.
- AI-derived memory profile.
- IP address, user agent, session cookies.
- Timestamp of acceptance of visitor terms.
No special categories of data (art. 9 GDPR) are intentionally processed. The Controller must not configure the clone to elicit such data.
Article 5. Rights and obligations of the Controller
- Provide lawful instructions; configuring the clone via the admin panel counts as documented instructions.
- Ensure a valid legal basis for the processing of visitors' data.
- Publish its own privacy notice when the clone is embedded on the Controller's own domain.
- Respond to data subject requests within legal deadlines.
Article 6. Obligations of the Processor
- Process personal data only on documented instructions.
- Ensure persons authorised to process the data are under confidentiality obligations.
- Implement the security measures described in Article 9.
- Engage sub-processors as described in Article 7.
- Notify the Controller of any personal data breach without undue delay and, in any event, within 72 hours of becoming aware of it, so that the Controller can meet its own notification deadline under article 33 GDPR.
- Assist the Controller in complying with articles 32-36 GDPR.
Article 7. Sub-processors
The Controller authorises the Processor to engage the following sub-processors, each bound by a written agreement imposing data protection obligations equivalent to this DPA:
| Sub-processor | Purpose | Location |
|---|---|---|
| Neon Inc. | PostgreSQL database | US / EU |
| Upstash Inc. | Rate limiting and cache | US / EU |
| Sentry | Error telemetry | US |
| OpenAI L.L.C. | LLM inference | US |
| Anthropic PBC | LLM inference | US |
| Resend Inc. | Transactional email | US |
| AssemblyAI Inc. | Audio transcription | US |
| Replicate Inc. | Auxiliary audio processing | US |
| Vercel Inc. | Hosting | US |
| Cloudflare R2 | File storage | US / EU |
| PostHog Inc. | Product analytics | EU (Frankfurt) |
The Processor will give the Controller at least 30 days' prior notice of any addition or replacement. The Controller may object on reasonable data protection grounds; if no agreement is reached, either party may terminate the affected portion.
Article 8. Data subject rights
Where a visitor exercises rights directly with the Processor, the Processor will forward the request to the Controller without undue delay and assist in fulfilling it. Direct visitor deletion requests addressed to privacy@clonify.com are processed by the Processor immediately.
Article 9. Security measures
- Multi-tenant isolation in the application layer via the queryWithTenant primitive, complemented by lint rules that enforce its use.
- Encryption at rest provided by Neon (database) and Cloudflare R2 (file storage).
- Encryption in transit (TLS 1.2+) on every public endpoint.
- Rate limiting on sensitive endpoints (auth, OTP, chat) via Upstash.
- CORS pinning to authorised origins for the embeddable widget.
- OTP-based authentication for visitor identification.
- Role-based access control inside the admin panel.
- Centralised error and security logging via Sentry.
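The first measure above names a tenant-scoping query primitive backed by lint rules. The following TypeScript is an added illustration of that pattern, not Clonify's own code: the function names, table names, column names and the in-memory executor are assumptions, chosen to show how a single primitive can make the tenant filter unavoidable and how a lint-style check can flag raw SQL that bypasses it.

```typescript
// Added example (not Clonify's code): a tenant-scoped query primitive of the
// kind Article 9 describes, plus a lint-style check that raw SQL cannot bypass it.
// All identifiers (queryWithTenant, table and column names) are assumptions.

type Params = unknown[];
type Query = { sql: string; params: Params };
type Executor = (sql: string, params: Params) => Promise<unknown[]>;

class TenantScopeError extends Error {}

// Tables holding visitor data (assumed names); nothing may read them
// without the tenant id bound as the first parameter.
const TENANT_SCOPED_TABLES = new Set(["visitors", "conversations", "memory_profiles"]);
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const IDENT_RE = /^[a-z_][a-z0-9_]*$/;

// Builds a SELECT whose tenant predicate is generated here, never by the caller.
// The caller may add a filter predicate; its placeholders are renumbered so they
// cannot collide with $1, which is always the tenant id.
function buildTenantQuery(tenantId: string, table: string, filter?: Query): Query {
  if (!UUID_RE.test(tenantId)) {
    throw new TenantScopeError("tenant id must be a UUID, never empty or caller-supplied text");
  }
  if (!IDENT_RE.test(table) || !TENANT_SCOPED_TABLES.has(table)) {
    throw new TenantScopeError(`not a known tenant-scoped table: ${table}`);
  }
  let sql = `SELECT * FROM ${table} WHERE tenant_id = $1`;
  const params: Params = [tenantId];
  if (filter) {
    if (filter.sql.includes(";")) throw new TenantScopeError("filter must be a single predicate");
    sql += ` AND (${filter.sql.replace(/\$(\d+)/g, (_, n) => `$${Number(n) + 1}`)})`;
    params.push(...filter.params);
  }
  return { sql, params };
}

// The only sanctioned way to read tenant-scoped tables: every call goes through
// buildTenantQuery, so the tenant filter cannot be forgotten.
async function queryWithTenant(exec: Executor, tenantId: string, table: string, filter?: Query) {
  const q = buildTenantQuery(tenantId, table, filter);
  return exec(q.sql, q.params);
}

// Lint-style check for raw SQL strings found outside the primitive: any reference
// to a tenant-scoped table must be accompanied by "tenant_id = $1".
function lintRawSql(sql: string): string[] {
  const problems: string[] = [];
  const ref = /\b(?:from|join|update|into)\s+([a-z_][a-z0-9_]*)/gi;
  const scoped = /\btenant_id\s*=\s*\$1(?!\d)/i.test(sql);
  let m: RegExpExecArray | null;
  while ((m = ref.exec(sql)) !== null) {
    const table = m[1].toLowerCase();
    if (TENANT_SCOPED_TABLES.has(table) && !scoped) {
      problems.push(`${table} is queried without "tenant_id = $1"`);
    }
  }
  return problems;
}

// Constructed stand-in for a database client: records what would reach Postgres.
function recordingExecutor(): { exec: Executor; sent: Query[] } {
  const sent: Query[] = [];
  return {
    exec: async (sql, params) => {
      sent.push({ sql, params });
      return [];
    },
    sent,
  };
}
```

The point of the shape is that the tenant predicate is not an argument the caller can omit or override: the primitive owns `$1`, and the lint pass treats any raw reference to a scoped table without that predicate as a defect rather than relying on code review to catch it.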
Article 10. International transfers
Several sub-processors are located in the United States. Such transfers are covered by the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and, where the recipient is self-certified, by the EU-US Data Privacy Framework.
Article 11. Termination — return or deletion
On termination, the Processor applies a Shopify-style soft-delete schedule:
- The workspace enters a "suspended" state for 90 days, during which the Controller can export its data and reactivate.
- After 90 days, visitor personal data is permanently deleted.
- A minimal tenant record (billing/fiscal data) is kept for 4 years to meet Spanish fiscal obligations.
- The Controller may request immediate deletion of all visitor data at any time.
Article 12. Audit rights
The Controller may audit the Processor's compliance with this DPA up to once per calendar year, on at least 30 days' written notice, during business hours and without unduly disrupting operations. The Processor may satisfy audit requests by providing existing certifications, attestations or written summaries of controls. Additional audits triggered by a documented breach or by a supervisory authority's binding instruction are allowed beyond the annual cap.
Acceptance
Acceptance of this DPA is automatic upon activation of a paid Clonify subscription. The most recent published version applies. Material amendments will be notified by email with at least 30 days' prior notice when reasonably possible.