Data Processing Addendum

How ClearBinder processes personal data on behalf of accountant customers (the "Controllers") under the GDPR.

Last updated: 20 May 2026
Effective: 20 May 2026

Summary:

When your clients upload documents to your ClearBinder workflow, you are the data controller and ClearBinder is the data processor. This addendum sets out what we do with that data, how we keep it secure, who we share it with (sub-processors like Stripe, Resend, DigitalOcean, Sentry), and how we notify you of breaches. Aligned with GDPR Article 28. Operated by DIGITFORGE LTD (UK).

Contents

  1. Definitions
  2. Scope and roles
  3. Processing instructions
  4. Sub-processors
  5. Security measures
  6. Breach notification
  7. Data subject requests
  8. International transfers
  9. Audits
  10. Return or deletion of data
  11. Term and governance
  12. Contact

1. Definitions

Terms used in this Addendum have the meaning given in the EU General Data Protection Regulation (the "GDPR") or the UK GDPR, including:

  • Controller — the entity that decides why and how Personal Data is processed. In this Addendum, that's the ClearBinder customer (the accountant or firm).
  • Processor — the entity that processes Personal Data on the Controller's behalf. In this Addendum, that's ClearBinder.
  • Personal Data — any information relating to an identified or identifiable natural person.
  • Data Subject — the natural person to whom Personal Data relates (typically a Controller's client).
  • Sub-processor — any third party engaged by the Processor to process Personal Data on the Controller's behalf.
  • Processing — any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.

2. Scope and roles

This Addendum applies when ClearBinder processes Personal Data on behalf of a Controller in connection with the service. It forms part of the Terms of Service.

The Controller is and remains the controller of Personal Data of its Data Subjects (e.g., the Controller's clients). ClearBinder acts as a Processor for that data.

The categories of Personal Data and Data Subjects processed under this Addendum typically include:

  • Names, email addresses, phone numbers, and other identifiers of the Controller's clients;
  • The contents of documents and files uploaded through the client portal;
  • Free-text submissions, checklist responses, and structured field data;
  • Activity logs and timestamps related to the above.

Processing is limited to what's necessary to provide the service: receiving uploads, storing and serving documents, sending notifications, and supporting the Controller in reviewing submissions.

3. Processing instructions

ClearBinder processes Personal Data only on documented instructions from the Controller, including with regard to transfers, unless required to do so by law. The Controller's use of the platform (configuration, requests sent, actions taken) constitutes ongoing instructions.

If ClearBinder is required by law to process Personal Data outside the Controller's instructions, it will inform the Controller before processing, unless prohibited by that law.

ClearBinder ensures that persons authorised to process Personal Data are subject to confidentiality obligations.

4. Sub-processors

The Controller authorises ClearBinder to engage Sub-processors to provide the service, subject to the following conditions:

  • ClearBinder maintains a list of current Sub-processors and the services they perform;
  • ClearBinder imposes on each Sub-processor data protection obligations no less protective than those in this Addendum;
  • ClearBinder remains liable to the Controller for the performance of each Sub-processor.

Current Sub-processors:

| Sub-processor | Service | Location |
| --- | --- | --- |
| Stripe, Inc. | Subscription billing and payment processing | US / Ireland (SCCs) |
| Resend | Transactional email delivery | US (SCCs) |
| DigitalOcean, LLC | Application hosting, database | United States (NYC) (SCCs) |
| DigitalOcean, LLC | Encrypted file storage | United States (NYC) (SCCs) |

ClearBinder will notify the Controller of any intended changes to Sub-processors at least 30 days in advance, giving the Controller the opportunity to object on reasonable grounds.

5. Security measures

ClearBinder implements appropriate technical and organisational measures to protect Personal Data, taking into account the state of the art, the costs of implementation, and the risks. Measures include:

  • Encryption of Personal Data in transit (TLS) and at rest;
  • Strong authentication, password hashing, and optional two-factor authentication for Controller accounts;
  • Time-limited, single-use access tokens for client portal sessions;
  • Role-based access control and the principle of least privilege for ClearBinder personnel;
  • Rate limiting and abuse protection on sensitive endpoints;
  • Activity logging and audit trails;
  • Regular dependency updates and infrastructure hardening;
  • Backups with restricted access and a documented restoration process;
  • Confidentiality obligations on all personnel with access to Personal Data.

6. Breach notification

ClearBinder will notify the Controller without undue delay — and in any event within 72 hours — after becoming aware of a Personal Data breach affecting the Controller's data. The notification will include, to the extent known at the time:

  • The nature of the breach, including the categories and approximate number of Data Subjects and records concerned;
  • The likely consequences of the breach;
  • The measures taken or proposed to address the breach and mitigate its effects;
  • Contact details for further information.

ClearBinder will reasonably assist the Controller in fulfilling its breach notification obligations to authorities and Data Subjects.

7. Data subject requests

The Controller is responsible for responding to Data Subject requests (access, correction, deletion, portability, restriction, objection). ClearBinder provides the Controller with the tools needed to manage its clients' data directly through the platform, including delete, export, and update functions.

If ClearBinder receives a request directly from a Data Subject relating to a Controller, it will forward the request to the Controller without responding to it (except as required by law).

8. International transfers

Where Personal Data is transferred outside the EEA, UK, or Switzerland to a country not deemed to provide an adequate level of protection, ClearBinder relies on the EU Standard Contractual Clauses (Module Two: Controller to Processor) and, where applicable, the UK International Data Transfer Addendum, which are hereby incorporated by reference.

9. Audits

ClearBinder makes available to the Controller all information reasonably necessary to demonstrate compliance with this Addendum. On reasonable notice and no more than once per year (except in case of a substantiated breach), the Controller may audit ClearBinder's compliance, at the Controller's expense and subject to confidentiality obligations.

Where ClearBinder holds third-party certifications or audit reports (such as SOC 2 or ISO 27001), the Controller agrees to accept these in lieu of conducting an audit, where they reasonably address the Controller's audit objectives.

10. Return or deletion of data

On termination of the agreement, ClearBinder will, at the Controller's choice, return or delete all Personal Data processed on its behalf within a reasonable period, unless retention is required by law.

For convenience, ClearBinder maintains a short retention window (up to 30 days) after termination to allow recovery, after which Personal Data is permanently deleted from active systems and removed from backups within a documented retention cycle.

11. Term and governance

This Addendum takes effect on the date of acceptance of the Terms of Service and continues for as long as ClearBinder processes Personal Data on the Controller's behalf.

If there's a conflict between this Addendum and the Terms of Service, this Addendum prevails with respect to processing of Personal Data on the Controller's behalf.

12. Contact

Privacy and data protection questions: [email protected].

Postal address: DIGITFORGE LTD (Company No. 17091016), Office 9489, 321-323 High Road, Chadwell Heath, Essex, RM6 6AX, United Kingdom.

This Addendum supplements our Terms of Service and is read together with our Privacy Policy.

This Addendum is provided as a starting template and should be reviewed by qualified counsel before relying on it in any regulated context.
