Data Processing Agreement

Effective date: March 1, 2026 | Last updated: March 20, 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between One Frequency Inc. (“Processor” or “Claw GRC”) and the entity agreeing to the Terms of Service (“Controller” or “Customer”) for the processing of personal data in connection with the Claw GRC platform. This DPA is designed to ensure compliance with Article 28 of the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Definitions

Controller

The Customer who determines the purposes and means of processing personal data through the Service. The Customer organization that uploads compliance data, registers agents, and manages their GRC program.

Processor

One Frequency Inc. (Claw GRC), which processes personal data on behalf of the Controller to provide the Service.

Sub-processor

A third party engaged by the Processor to process personal data on behalf of the Controller. Sub-processors are subject to equivalent contractual obligations.

Personal Data

Any information relating to an identified or identifiable natural person, as defined by the GDPR, that is processed through the Service.

2. Scope of Processing

The Processor shall process personal data only to the extent necessary to provide the Service and in accordance with the Controller's documented instructions.

Categories of Data Subjects

  • Customer employees and administrators
  • Customer end users of the platform
  • Individuals referenced in compliance evidence or assessment data

Types of Personal Data

  • Name, email address, job title, organization
  • Account credentials (hashed, never stored in plaintext)
  • IP addresses, browser metadata, usage logs
  • Compliance-related data uploaded by the Controller
  • AI agent metadata and interaction logs

Purpose of Processing

  • Providing the GRC platform functionality
  • Compliance framework management and scoring
  • Evidence collection, storage, and verification
  • Security assessment and vulnerability scanning
  • AI agent governance and trust scoring
  • Audit trail generation and maintenance
  • Customer support and incident response

3. Data Security Measures

The Processor implements and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption: AES-256 encryption at rest, TLS 1.3 encryption in transit for all data.
  • Access control: Role-based access control (RBAC), multi-factor authentication, and least-privilege access policies for all personnel.
  • Data isolation: PostgreSQL Row-Level Security (RLS) enforcing strict multi-tenant isolation at the database level.
  • Audit logging: Tamper-evident SHA-256 chain hashing on all state changes, with immutable audit records.
  • Infrastructure: Google Cloud Platform with SOC 2 Type II certified infrastructure, Cloud Armor DDoS protection, and VPC network isolation.
  • Secret management: All credentials and keys managed via GCP Secret Manager, never stored in application code.
  • Vulnerability management: Regular penetration testing, dependency scanning, secrets detection, and configuration auditing.

4. Sub-processors

The Controller authorizes the Processor to engage the following sub-processors. The Processor will notify the Controller at least 30 days before engaging a new sub-processor, providing the Controller an opportunity to object.

Sub-processor            Purpose                                      Location
Google Cloud Platform    Infrastructure, compute, storage, database   United States
Firebase (Google)        Authentication, real-time data               United States
Stripe                   Payment processing, billing                  United States
Cloudflare               CDN, DDoS protection, DNS                    Global (edge)

5. International Data Transfers

Personal data is primarily processed in the United States on Google Cloud Platform infrastructure. For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, the following safeguards apply:

  • Standard Contractual Clauses (SCCs) as adopted by the European Commission (June 2021 version).
  • EU-U.S. Data Privacy Framework certification where applicable.
  • Supplementary technical measures including encryption and access controls described in Section 3.

Enterprise customers may request data residency in specific GCP regions. Contact legal@clawgrc.com for regional deployment options.

6. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA. Audits may be conducted:

  • By reviewing the Processor's SOC 2 Type II report, penetration test summaries, and security certifications, which are available upon request under NDA.
  • By conducting or commissioning a third-party audit, with at least 30 days' written notice, during normal business hours, and no more than once per year.
  • The Processor shall cooperate with audits and provide necessary documentation, access, and personnel. Costs of on-site audits shall be borne by the Controller.

7. Data Breach Notification

In the event of a personal data breach, the Processor shall:

  • Notify the Controller within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
  • Provide all available details including the nature of the breach, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed to mitigate the breach.
  • Cooperate with the Controller's investigation and assist in meeting the Controller's notification obligations to supervisory authorities and data subjects.
  • Document all breaches, including facts, effects, and remedial actions taken, regardless of whether the breach is reportable.

8. Data Return and Deletion

Upon termination or expiry of the Service agreement:

  • The Controller may export all Customer Data via the dashboard or API for up to 90 days after termination.
  • After the 90-day export period, the Processor shall delete all Customer Data from production systems within 30 days.
  • Data in encrypted backups will be overwritten through the normal backup rotation cycle within 180 days.
  • The Processor shall provide written confirmation of deletion upon the Controller's request.
  • Data that must be retained for legal or regulatory obligations (e.g., audit trail records) will be clearly identified and retained only for the minimum required period.

9. GDPR Compliance

The Processor shall:

  • Process personal data only on documented instructions from the Controller, including with regard to transfers outside the EEA.
  • Ensure that persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Assist the Controller in responding to data subject access requests (DSARs), including requests for access, rectification, erasure, portability, and restriction of processing.
  • Assist the Controller in ensuring compliance with GDPR obligations regarding data protection impact assessments (DPIAs) and prior consultation with supervisory authorities.
  • Maintain records of processing activities carried out on behalf of the Controller, as required by GDPR Article 30(2).
  • Make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28 obligations.

10. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law that cannot be limited under applicable law.

11. Contact

For questions about this DPA or to exercise data processing rights:

One Frequency Inc.

Data Protection Officer: dpo@clawgrc.com

Legal: legal@clawgrc.com

To request a signed copy of this DPA or the SCCs, contact legal@clawgrc.com.