"Customer Personal Data" means personal data contained within Customer Data that RAi processes on the Controller's behalf. "Controller", "Processor", "Sub-processor", "Data Subject", "Personal Data", and "Processing" have the meanings given in the GDPR. "Data Protection Laws" means all laws applicable to the processing of Personal Data under this DPA, including the EU GDPR, UK GDPR, and applicable U.S. state privacy laws.
The Controller is the controller of Customer Personal Data and Clemtech Medical Solutions is the processor. Clemtech processes Customer Personal Data only on behalf of, and in accordance with the documented instructions of, the Controller. RAi is a regulatory affairs and quality management platform; its intended use is the management of device technical documentation, QMS records, and submission materials, which generally do not contain patient-identifiable information.
Clemtech processes Customer Personal Data only to provide and support the Service, as further described in Annex I, and in accordance with the Controller's documented instructions (including this DPA and the Terms of Service). Clemtech will inform the Controller if, in its opinion, an instruction infringes Data Protection Laws. Clemtech will not sell Customer Personal Data and will not process it for its own purposes.
Clemtech ensures that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and access such data only on a need-to-know basis.
Clemtech implements and maintains appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, as described in Annex III. The Controller is responsible for securing its own account credentials and for configuring user access within its organization.
The Controller authorizes Clemtech to engage the Sub-processors listed in Annex II to process Customer Personal Data. Clemtech imposes data protection obligations on each Sub-processor substantially equivalent to those in this DPA and remains responsible for each Sub-processor's performance. Clemtech will provide notice of any intended addition or replacement of a Sub-processor, giving the Controller the opportunity to object on reasonable data-protection grounds.
Taking into account the nature of the processing, Clemtech assists the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests to exercise Data Subject rights (access, rectification, erasure, restriction, portability, and objection). The Controller can access, correct, export, and delete Customer Data directly through the Service, including the full-organization data export feature.
Clemtech notifies the Controller without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and provides information reasonably available to assist the Controller in meeting its own breach-notification obligations.
Customer Personal Data is processed primarily in the United States (AWS us-east-1). Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, such transfers are governed by the European Commission's Standard Contractual Clauses (SCCs), which are incorporated into this DPA by reference and, where applicable, are flowed down to Sub-processors.
Clemtech makes available to the Controller information reasonably necessary to demonstrate compliance with this DPA, including available third-party reports of its infrastructure providers and Annex III. Where the Controller reasonably requires further information, the parties will cooperate on a mutually agreed audit, subject to confidentiality and reasonable scheduling.
Upon termination of the Service, and on the Controller's request, Clemtech returns or deletes Customer Personal Data in accordance with the Terms of Service, unless retention is required by applicable law. The Controller may export its data at any time during the subscription term using the in-product export feature.
This DPA is effective for as long as Clemtech processes Customer Personal Data on the Controller's behalf. Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. In the event of a conflict between this DPA and the Terms of Service regarding the processing of Personal Data, this DPA controls.
| Item | Description |
|---|---|
| Subject matter | Provision of the RAi regulatory affairs and QMS platform. |
| Duration | For the term of the subscription and any post-termination period permitted by the Terms of Service. |
| Nature & purpose | Storage, organization, retrieval, AI-assisted drafting and analysis, and management of regulatory and quality documentation. |
| Categories of Data Subjects | The Controller's authorized users (employees, contractors, and consultants). |
| Types of Personal Data | Account identifiers (name, work email), authentication metadata, audit-log activity, and any personal data the Controller chooses to include in uploaded documents. |
| Special categories | Not intended. The Service is not designed for Protected Health Information (PHI); do not upload PHI without a signed Business Associate Agreement. |
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase / Amazon Web Services | Database, authentication, and file storage | US (us-east-1) |
| Cloudflare, Inc. | Edge compute (API), CDN, and WAF | Global edge |
| Anthropic PBC | AI inference (Claude API) for drafting and analysis | US |
| Microsoft Corporation | SharePoint / OneDrive document import via Microsoft Graph (customer-authorized) | Controller's Microsoft 365 region |
| Resend (Plus Five Five, Inc.) | Transactional and notification email delivery | US |
| Stripe, Inc. | Payment processing (billing data only) | US |
| Plausible Analytics | Privacy-preserving, cookieless web analytics (aggregate, no personal profiles) | EU |
Anthropic does not train its models on API inputs by default. Where an organization requires a formal BAA covering AI processing, it should contact Anthropic directly.