CleverX Data Processing Addendum (DPA)
Last updated 16 July 2026
Version: Draft v0.1, 16 July 2026
Entity: BluMatter, Inc., a Delaware corporation, doing business as CleverX ("CleverX")
1. Introduction and parties
This Data Processing Addendum ("DPA") forms part of the agreement between CleverX and the customer named in that agreement ("Customer") for the use of the CleverX platform (the "Agreement"). It applies where CleverX processes personal data on Customer's behalf in connection with Customer's studies.
If there is a conflict between this DPA and the Agreement on the subject of personal data, this DPA controls.
2. Definitions
"Data Protection Laws" means all laws that apply to the processing of personal data under this DPA. This includes the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection, and US state privacy laws such as the California Consumer Privacy Act as amended by the CPRA ("CCPA"), and the laws of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and other states with comparable statutes, in each case to the extent applicable.
"Personal data", "controller", "processor", "data subject", "processing", and "personal data breach" have the meanings given in the GDPR. Under the CCPA, "controller" includes "business" and "processor" includes "service provider."
"Study Data" means personal data of Participants that is collected, generated, or submitted through a study run by Customer on the platform. Study Data includes screener answers, survey responses, interview and test recordings (video and audio), transcripts, session recordings, chat messages within a study, files uploaded by Participants in response to study tasks, and study results derived from these.
"Platform Data" means personal data that CleverX processes for its own purposes to operate the platform. Platform Data includes Participant account and profile data, Participant panel and recruitment data, professional and employment history, payment and payout data, fraud prevention and device signals, platform usage analytics, and communications between CleverX and its users.
"Participant" means an individual who takes part in a study on the platform, whether recruited from the CleverX panel, from a third-party panel, or brought by Customer ("bring your own audience").
"Subprocessor" means a third party engaged by CleverX to process Study Data on Customer's behalf.
3. Roles of the parties
This section is the core of this DPA. The parties process personal data in two distinct capacities.
3.1 Study Data: Customer is controller, CleverX is processor
For Study Data, Customer is the controller and CleverX is the processor. Customer decides why and how Study Data is processed. Customer designs the study, writes the questions, chooses the audience criteria, and decides what happens with the results. CleverX processes Study Data only to provide the platform services under Customer's instructions.
3.2 Platform Data: CleverX is an independent controller
For Platform Data, CleverX is an independent controller. CleverX decides why and how Platform Data is processed. This includes operating and securing the platform, maintaining its Participant panel, verifying Participant identity and quality, preventing fraud, paying Participants, and improving the services. CleverX's processing of Platform Data is governed by the CleverX Privacy Policy, not by this DPA.
3.3 No joint control
The parties do not intend to be joint controllers of any personal data. Each party is separately responsible for its own compliance in its own role.
3.4 Practical consequences of the split
(a) Customer is responsible for its study design, the lawfulness of the questions it asks, and everything it does with Study Data after collection, including export, sharing, and further use.
(b) CleverX is responsible for the platform: hosting, security, Participant account management, panel operations, fraud prevention, and Participant payouts.
(c) If a Participant exercises a privacy right against Customer about Study Data, Customer handles it and CleverX assists (Section 8). If a Participant exercises a right against CleverX about Platform Data, CleverX handles it directly.
4. Processing on documented instructions
4.1 CleverX will process Study Data only on Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by law that applies to CleverX. In that case CleverX will inform Customer of the legal requirement before processing, unless the law prohibits this.
4.2 Customer's instructions consist of: (a) the Agreement and this DPA; (b) Customer's configuration of studies and use of platform features; and (c) any additional written instructions the parties agree to. CleverX may charge a reasonable fee for instructions that go beyond the platform's standard functionality.
4.3 CleverX will inform Customer without undue delay if, in its opinion, an instruction infringes Data Protection Laws. CleverX may suspend the affected processing until the instruction is confirmed or changed. CleverX is not obligated to review Customer's instructions for legal compliance.
5. Confidentiality
CleverX will ensure that persons authorized to process Study Data are bound by written confidentiality obligations or are under an appropriate statutory duty of confidentiality, and that access is limited to what each person needs to perform their role.
6. Security
6.1 CleverX will implement and maintain appropriate technical and organizational measures to protect Study Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. The current measures are described in Annex II.
6.2 CleverX may update the measures in Annex II from time to time, provided the updates do not materially reduce the overall level of protection.
7. Subprocessors
7.1 General authorization. Customer gives CleverX general authorization to engage Subprocessors to process Study Data. The current list of Subprocessors is maintained at the CleverX subprocessor page.
7.2 Notice of changes. CleverX will update the subprocessor page at least 30 days before adding or replacing a Subprocessor that processes Study Data. The current list and its effective date are maintained on that page, and Customer should review it periodically for changes.
7.3 Objection. Customer may object to a new Subprocessor on reasonable data protection grounds within 30 days of notice. The parties will discuss the objection in good faith. If CleverX cannot offer a reasonable alternative, Customer may terminate the affected services and receive a pro rata refund of prepaid, unused fees for those services.
7.4 Flow-down and liability. CleverX will impose data protection obligations on each Subprocessor that are materially equivalent to those in this DPA, by way of a written contract. CleverX remains fully liable to Customer for the performance of each Subprocessor's obligations.
8. Assistance to Customer
8.1 Data subject requests. Taking into account the nature of the processing, CleverX will assist Customer with appropriate technical and organizational measures, insofar as this is possible, to respond to requests from Participants exercising their rights under Data Protection Laws with respect to Study Data (access, rectification, erasure, restriction, portability, objection). If CleverX receives such a request directly and can identify that it concerns Customer's Study Data, CleverX will forward it to Customer without undue delay and will not respond on the merits except as instructed or as required by law.
8.2 DPIAs and consultations. CleverX will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to CleverX.
8.3 CleverX may charge a reasonable fee for assistance that goes materially beyond standard platform functionality, except where the need for assistance results from CleverX's own breach of this DPA.
9. Personal data breach
9.1 CleverX will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Study Data.
9.2 The notification will describe, to the extent known: the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, the measures taken or proposed, and a contact point. Information may be provided in phases as it becomes available.
9.3 CleverX's notification of, or response to, a breach is not an admission of fault or liability. Customer is responsible for its own notifications to authorities and data subjects as controller.
10. Deletion and return of Study Data
10.1 During the term, Customer can export study results through the platform and can request deletion of specific Study Data.
10.2 At termination or expiry of the Agreement, CleverX will, at Customer's choice, delete or return all Study Data, and delete existing copies, unless retention is required by law. If Customer makes no election within 60 days of termination, CleverX will delete the Study Data.
10.3 Deletion under this DPA means removal of Study Data or its de-identification such that it can no longer be associated with an identifiable person, including purge of stored recordings, transcripts, and response files. CleverX deletes Study Data periodically and upon Customer request. When Customer deletes a study in the platform, deletion is initiated for that study's Study Data.
10.4 Deletion from encrypted backups occurs as backups expire in the ordinary course of CleverX's backup rotation.
11. Audits
11.1 CleverX will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. CleverX satisfies this primarily through documentation: this DPA, Annex II, the subprocessor page, and written responses to reasonable security questionnaires (no more than once per year, unless a personal data breach affecting Customer's Study Data has occurred).
11.2 If the documentation above is not reasonably sufficient, Customer may conduct, or mandate an independent third-party auditor to conduct, an audit or inspection, subject to all of the following: (a) at most once per calendar year, unless required by a supervisory authority or following a personal data breach affecting Customer's Study Data; (b) at least 30 days' prior written notice; (c) during normal business hours, without disrupting CleverX's operations; (d) subject to confidentiality obligations; and (e) at Customer's cost, including reimbursement of CleverX's reasonable time at its then-standard rates.
11.3 Audit rights under this section satisfy the audit requirements of GDPR Article 28(3)(h) and, where the SCCs apply, will be exercised in accordance with the SCCs.
12. Customer obligations
12.1 Lawful basis. Customer is solely responsible for establishing and maintaining a lawful basis for the processing of Study Data in its studies, and for the lawfulness of its instructions to CleverX.
12.2 No unlawful instructions. Customer will not instruct CleverX to process Study Data in violation of Data Protection Laws.
12.3 Study design and sensitive data. Customer decides what its studies collect. If Customer chooses to collect special categories of personal data (GDPR Art. 9) or sensitive personal information (CCPA and similar laws), such as health data, political opinions, religious beliefs, sexual orientation, or precise demographic data, Customer is solely responsible for ensuring that collection and use are lawful, including obtaining any explicit consent required. Customer will not use the platform to collect sensitive data from Participants without a lawful basis to do so.
12.4 Consents beyond the platform's. The platform obtains Participant consent to recording as part of the study flow. Customer is responsible for obtaining any additional consents, notices, or permissions that its own use of Study Data requires beyond the platform's recording consent. Examples: using recordings in marketing materials, sharing clips outside Customer's organization, or combining Study Data with other datasets.
12.5 Bring your own audience. If Customer invites its own participants to a study, Customer is responsible for the lawfulness of that invitation and for its relationship with those individuals.
12.6 Accuracy of representations. Customer will not represent to Participants that CleverX is the controller of Study Data.
13. International transfers
13.1 Hosting location. CleverX hosts and processes personal data in the United States. No EU or other regional data residency option is currently offered.
13.2 EU transfers. To the extent Customer transfers Study Data subject to the GDPR to CleverX in the US, the parties enter into the EU Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 ("SCCs"), which are incorporated into this DPA by reference, as follows:
(a) Module Two (controller to processor) applies where Customer is a controller.
(b) Module Three (processor to processor) applies where Customer acts as a processor for its own client.
(c) Clause 7 (docking) is included. Clause 9(a): Option 2 (general authorization), with the notice period in Section 7.2. Clause 11(a): the optional independent-resolution language is not included. Clause 17: the law of Ireland. Clause 18: the courts of Ireland.
(d) Annexes I, II, and III to the SCCs are completed by Annexes I, II, and III to this DPA.
13.3 UK transfers. For transfers subject to the UK GDPR, the SCCs apply as amended by the UK International Data Transfer Addendum issued by the UK Information Commissioner (version B1.0), completed with the information in the Annexes to this DPA.
13.4 Swiss transfers. For transfers subject to Swiss data protection law, the SCCs apply with these amendments: references to the GDPR are read as references to the Swiss FADP; the competent supervisory authority is the Swiss FDPIC; the term "member state" is read to allow Swiss data subjects to sue in Switzerland; and the SCCs also protect the data of legal entities to the extent the FADP so requires.
13.6 If a transfer mechanism relied on under this section is invalidated, the parties will cooperate in good faith to put in place a lawful alternative.
14. Liability
To the maximum extent permitted by law, each party's total aggregate liability arising out of or related to this DPA, whether in contract, tort, or otherwise, is subject to the limitations and exclusions of liability in the Agreement, and liability under this DPA counts toward, and does not add to, the liability cap in the Agreement. Nothing in this section limits either party's liability where liability cannot be limited under applicable Data Protection Laws, or affects a data subject's own rights.
15. US state privacy law rider
Where US state privacy laws apply to Study Data, the following terms apply in addition to the rest of this DPA. For the CCPA, Customer is the "business" and CleverX is a "service provider." For other state laws, Customer is the "controller" and CleverX is the "processor."
15.1 CleverX is processing Study Data for the limited and specified business purpose of providing the platform services described in the Agreement and Annex I.
15.2 CleverX will not: (a) sell or share Study Data (as "sell" and "share" are defined in the CCPA); (b) retain, use, or disclose Study Data for any purpose other than the business purposes specified in the Agreement and this DPA, or as otherwise permitted by the CCPA; (c) retain, use, or disclose Study Data outside the direct business relationship between the parties; or (d) combine Study Data with personal information it receives from other sources, except as permitted for service providers under the CCPA.
15.3 CleverX certifies that it understands the restrictions in Section 15.2 and will comply with them.
15.4 CleverX will notify Customer without undue delay if it determines it can no longer meet its obligations under applicable US state privacy laws. Upon such notice, Customer may take reasonable and appropriate steps to stop and remediate unauthorized use of Study Data, including instructing CleverX to suspend the affected processing.
15.5 Customer may take reasonable and appropriate steps to ensure that CleverX uses Study Data consistently with Customer's obligations, through the audit mechanism in Section 11.
15.6 CleverX will provide the same level of privacy protection to Study Data as required of businesses by the CCPA, and will assist Customer in responding to verifiable consumer requests as described in Section 8.
15.7 For clarity, this rider covers Study Data only. CleverX's processing of Platform Data as an independent controller (independent business) is described in the CleverX Privacy Policy.
16. General
16.1 This DPA starts on the effective date of the Agreement and lasts as long as CleverX processes Study Data.
16.2 Sections that by their nature should survive termination (including Sections 10, 14, and 15) survive.
16.3 If any provision of this DPA is held invalid, the rest remains in effect, and the invalid provision is replaced with a valid one that comes closest to the parties' intent.
16.4 Governing law and venue follow the Agreement, except where the SCCs require otherwise for the SCCs themselves.
Annex I: Description of processing
This Annex completes Annex I of the SCCs and describes the processing of Study Data.
A. List of parties
- Data exporter: Customer (name and contact details as set out in the Agreement or order form). Role: controller (Module Two) or processor (Module Three).
- Data importer: BluMatter, Inc. (d/b/a CleverX), 131 Continental Drive, Suite 305, Newark, DE 19713, USA. Contact: sharekh@cleverx.com. Role: processor.
B. Subject matter
Provision of the CleverX research platform: recruiting study participants, running surveys, AI-moderated interviews, human-moderated interviews and tests, unmoderated tests, and video diary studies, and delivering results to Customer.
C. Duration
The term of the Agreement, plus the wind-down period in Section 10.
D. Nature and purposes of processing
Collection, recording, organization, storage, transcription, analysis, retrieval, disclosure to Customer, and deletion of Study Data, for the purpose of running Customer's studies and delivering study results. This includes: hosting participant responses; recording video and audio sessions; generating transcripts and AI-assisted summaries of study sessions; and making results available to Customer in the platform.
E. Categories of data subjects
Study participants: individuals who take part in Customer's studies, whether from the CleverX panel, third-party panels, or Customer's own audience.
F. Categories of personal data
- Screener and survey responses
- Video and audio recordings of interviews, tests, and video diary entries
- Transcripts of recorded sessions
- Session recordings and task interaction data (for example screen activity during a test)
- Chat messages and files submitted within a study
- Participant identifiers needed to run the study (name or display name, participation status)
- Any other personal data that Customer's study design elicits from Participants
G. Special categories of data
None, unless Customer's study design collects them. If Customer chooses to collect special categories (for example health data in a healthcare study), Customer is responsible under Section 12.3, and the applied restrictions and safeguards are: collection only with the data subject's explicit consent obtained through the study flow, access limited to Customer and to CleverX personnel who need it to provide support, and the security measures in Annex II.
H. Frequency of transfer
Continuous, for the duration of each study and the Agreement.
I. Retention
Study Data is retained for the term of the Agreement and deleted per Section 10.
J. Competent supervisory authority (SCCs Clause 13)
The supervisory authority of the EU member state in which the data exporter is established, or as otherwise determined under Clause 13.
Annex II: Technical and organizational measures
- Encryption in transit. Platform traffic is served over HTTPS/TLS.
- Encryption at rest. Study Data files, including recordings, are stored in Amazon S3 (us-east-2).
- Access controls. Access to production systems is limited to authorized personnel.
- Application-level access. Study Data is scoped to the owning Customer account within the application. Customer controls which of its team members can access a study.
- Recording storage. Video meetings are recorded through LiveKit and stored as files in S3. AI interview audio and transcripts are stored with the study.
- Subprocessor security. CleverX engages the vendors listed on the subprocessor page, each under contract terms covering confidentiality and security.
- Fraud and abuse prevention. Device fingerprinting and behavioral checks protect study integrity (this processing is Platform Data, under CleverX's controllership).
- Personnel. Personnel with access to Study Data are subject to confidentiality obligations.
- Backups and resilience.
- Incident response. CleverX maintains a process for detecting, escalating, and responding to security incidents, supporting the notification commitment in Section 9.
- Data minimization and deletion.
- Logging and monitoring.
Annex III: Subprocessors
The current list of Subprocessors authorized to process Study Data is published at the CleverX subprocessor page and is incorporated into this DPA. Only the vendors on that list marked as touching Study Data act as Subprocessors under this DPA; vendors that process Platform Data only are engaged by CleverX as an independent controller.