R
RAi by Clemtech Medical Solutions

Data Processing Agreement

Effective date: June 19, 2026  ·  Version 1.0

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Clemtech Medical Solutions ("Processor") and the customer organization that subscribes to RAi ("Controller"). It governs the processing of Customer Personal Data by RAi on the Controller's behalf. To execute this DPA for your organization, contact legal@clemtechmedical.com; a countersigned copy will be returned for your records.

Contents

  1. Definitions
  2. Roles of the Parties
  3. Scope & Instructions
  4. Confidentiality
  5. Security Measures
  6. Sub-processors
  7. Data Subject Requests
  8. Personal Data Breach
  9. International Transfers
  10. Audits
  11. Return & Deletion
  12. Liability & Term
  13. Annex I — Details of Processing
  14. Annex II — Sub-processors
  15. Annex III — Technical & Organizational Measures

1. Definitions

"Customer Personal Data" means personal data contained within Customer Data that RAi processes on the Controller's behalf. "Controller", "Processor", "Sub-processor", "Data Subject", "Personal Data", and "Processing" have the meanings given in the GDPR. "Data Protection Laws" means all laws applicable to the processing of Personal Data under this DPA, including the EU GDPR, UK GDPR, and applicable U.S. state privacy laws.

2. Roles of the Parties

The Controller is the controller of Customer Personal Data and Clemtech Medical Solutions is the processor. Clemtech processes Customer Personal Data only on behalf of, and in accordance with the documented instructions of, the Controller. RAi is a regulatory affairs and quality management platform; its intended use is the management of device technical documentation, QMS records, and submission materials, which generally do not contain patient-identifiable information.

3. Scope & Instructions

Clemtech processes Customer Personal Data only to provide and support the Service, as further described in Annex I, and in accordance with the Controller's documented instructions (including this DPA and the Terms of Service). Clemtech will inform the Controller if, in its opinion, an instruction infringes Data Protection Laws. Clemtech will not sell Customer Personal Data and will not process it for its own purposes.

4. Confidentiality

Clemtech ensures that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and access such data only on a need-to-know basis.

5. Security Measures

Clemtech implements and maintains appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, as described in Annex III. The Controller is responsible for securing its own account credentials and for configuring user access within its organization.

6. Sub-processors

The Controller authorizes Clemtech to engage the Sub-processors listed in Annex II to process Customer Personal Data. Clemtech imposes data protection obligations on each Sub-processor substantially equivalent to those in this DPA and remains responsible for each Sub-processor's performance. Clemtech will provide notice of any intended addition or replacement of a Sub-processor, giving the Controller the opportunity to object on reasonable data-protection grounds.

7. Data Subject Requests

Taking into account the nature of the processing, Clemtech assists the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests to exercise Data Subject rights (access, rectification, erasure, restriction, portability, and objection). The Controller can access, correct, export, and delete Customer Data directly through the Service, including the full-organization data export feature.

8. Personal Data Breach

Clemtech notifies the Controller without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and provides information reasonably available to assist the Controller in meeting its own breach-notification obligations.

9. International Transfers

Customer Personal Data is processed primarily in the United States (AWS us-east-1). Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, such transfers are governed by the European Commission's Standard Contractual Clauses (SCCs), which are incorporated into this DPA by reference and, where applicable, are flowed down to Sub-processors.

10. Audits

Clemtech makes available to the Controller information reasonably necessary to demonstrate compliance with this DPA, including available third-party reports of its infrastructure providers and Annex III. Where the Controller reasonably requires further information, the parties will cooperate on a mutually agreed audit, subject to confidentiality and reasonable scheduling.

11. Return & Deletion

Upon termination of the Service, and on the Controller's request, Clemtech returns or deletes Customer Personal Data in accordance with the Terms of Service, unless retention is required by applicable law. The Controller may export its data at any time during the subscription term using the in-product export feature.

12. Liability & Term

This DPA is effective for as long as Clemtech processes Customer Personal Data on the Controller's behalf. Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. In the event of a conflict between this DPA and the Terms of Service regarding the processing of Personal Data, this DPA controls.

Annex I — Details of Processing

ItemDescription
Subject matterProvision of the RAi regulatory affairs and QMS platform.
DurationFor the term of the subscription and any post-termination period permitted by the Terms of Service.
Nature & purposeStorage, organization, retrieval, AI-assisted drafting and analysis, and management of regulatory and quality documentation.
Categories of Data SubjectsThe Controller's authorized users (employees, contractors, and consultants).
Types of Personal DataAccount identifiers (name, work email), authentication metadata, audit-log activity, and any personal data the Controller chooses to include in uploaded documents.
Special categoriesNot intended. The Service is not designed for Protected Health Information (PHI); do not upload PHI without a signed Business Associate Agreement.

Annex II — Sub-processors

Sub-processorPurposeLocation
Supabase / Amazon Web ServicesDatabase, authentication, and file storageUS (us-east-1)
Cloudflare, Inc.Edge compute (API), CDN, and WAFGlobal edge
Anthropic PBCAI inference (Claude API) for drafting and analysisUS
Microsoft CorporationSharePoint / OneDrive document import via Microsoft Graph (customer-authorized)Controller's Microsoft 365 region
Resend (Plus Five Five, Inc.)Transactional and notification email deliveryUS
Stripe, Inc.Payment processing (billing data only)US
Plausible AnalyticsPrivacy-preserving, cookieless web analytics (aggregate, no personal profiles)EU

Anthropic does not train its models on API inputs by default. Where an organization requires a formal BAA covering AI processing, it should contact Anthropic directly.

Annex III — Technical & Organizational Measures