Data Processing Agreement
When GeoClear processes personal data on behalf of a customer (the data controller), this DPA, together with our Terms of Service and Privacy Policy, sets out the binding processor obligations under GDPR Art. 28 and CCPA / CPRA.
1. Roles and scope
Customer is the data controller; GeoClear, Inc. is the data processor. GeoClear, Inc. processes personal data only to provide the address-intelligence services as instructed by Customer through the API.
2. Categories of data processed
- Address strings submitted via API (street, city, state, ZIP, lat/lon)
- API request metadata (timestamp, request hash, response hash) retained in the append-only receipts table for cryptographic verification
- Customer account data (email, billing) handled separately under our Privacy Policy
We do not retain raw query payloads beyond the receipt hash. Address strings are not warehoused.
3. Sub-processors
Current authorized sub-processors are listed in our Privacy Policy §5. We notify Customers by email 30 days before adding a new sub-processor that processes Customer data, with a right to object.
4. Security measures
Technical and organizational measures meet or exceed the requirements of GDPR Art. 32:
- Encryption in transit: TLS 1.3 enforced end-to-end
- Encryption at rest: AES-256 on all data stores
- Cryptographic attestation: signing keys bound to hardware-backed signing infrastructure; receipts are append-only
- Access controls: least-privilege IAM, MFA on all admin access, pgaudit on every database connection
- Continuous control assessment: industry frameworks evaluated in real time
- Incident response: 48-hour SLO on CRITICAL + HIGH severity findings
5. Data subject requests
GeoClear assists Customer with data-subject access, rectification, erasure, restriction, and portability requests (GDPR Art. 12-22; CCPA equivalent rights). Requests are actioned within 30 days; complex requests may be extended once with notice.
6. International transfers
Processing occurs exclusively in US-East and US-West regions. Where personal data is transferred from the EEA, UK, or Switzerland to the United States, the parties rely on the EU Standard Contractual Clauses (Module 2: Controller-to-Processor), which are incorporated by reference into this DPA upon execution.
7. Audits
Customer may audit GeoClear's compliance with this DPA once per 12-month period at Customer's expense, with 30 days' written notice. Interim continuous-control-assessment evidence exports and signed receipt logs are available on request under NDA; these typically satisfy enterprise procurement reviews without an on-site audit.
8. Sub-breach notification
Personal-data breaches affecting Customer data will be notified to Customer without undue delay and within 72 hours of GeoClear becoming aware (GDPR Art. 33). Notification includes nature, categories, approximate number of records, likely consequences, and remediation steps.
9. Term and deletion
This DPA applies for the duration of the Service agreement. On termination, Customer Personal Data is deleted or returned within 30 days, except (a) operational receipts retained in the append-only receipts table to preserve historical verifiability of decisions made during the Service period, and (b) data required to be retained by applicable law.
10. Executing this DPA
For most use cases, this published DPA forms part of your Terms of Service on acceptance. For enterprise customers requiring a counter-signed DPA: email legal@geoclear.io with your Customer name, jurisdiction, and any redlines. We typically counter-sign within 5 business days.
Contact
- Data protection inquiries: privacy@geoclear.io
- DPA + redlines: legal@geoclear.io
- Security disclosures: security@geoclear.io
- Processor: GeoClear, Inc. · Virginia, USA
Last updated: 2026-04-26 · Version: v1.0