Updated December 2025
Data Processing Addendum (DPA)
This Data Processing Addendum ("DPA") is entered into between:
· Data Controller ("Controller"): The entity identified as "User" or "Organization" in the Terms of Use for Claribi.
· Data Processor ("Processor"): Claribi OÜ, Harju maakond, Tallinn, Kesklinna linnaosa, Ahtri tn 12, 15551, Republic of Estonia.
Effective Date: The date on which Controller accepts the Claribi Terms of Use or signs a separate service agreement with Processor.
Incorporation: This DPA is incorporated by reference into the Claribi Terms of Use (the "Agreement") and forms an integral part of the contractual relationship between Controller and Processor.
1. Definitions
1.1. "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") that Controller uploads, submits, or otherwise makes available to Processor through the Services.
1.2. "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
1.3. "Services" means the Claribi Console (Developer Service) and Claribi (End‑User Service) as described in the Agreement.
1.4. "Subprocessor" means any third party appointed by or on behalf of Processor to process Personal Data on behalf of Controller in connection with the Agreement.
1.5. "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
1.6. "EEA" means the European Economic Area.
1.7. "GDPR" means the EU General Data Protection Regulation (Regulation (EU) 2016/679).
2. Roles of the Parties
2.1. Controller:
For Personal Data that Controller provides or makes available via the Services (including data in PBIX files, BI environments, and user accounts), Controller is the Data Controller.
2.2. Processor:
For such Personal Data, Processor acts as Data Processor, processing Personal Data solely on behalf of and under the documented instructions of Controller, except where otherwise required by applicable law.
2.3. Account/Data for Billing and Service Management:
For certain categories of Personal Data (e.g., Controller’s administrative account details, billing data, usage analytics), Processor may act as an independent Data Controller for its own purposes as described in the Privacy Policy.
3. Object and Duration of Processing
3.1. Object:
Processor will process Personal Data only for the purpose of providing, operating, maintaining, securing, and improving the Services, and for no other purpose unless explicitly instructed in writing by Controller.
3.2. Duration:
Processor will process Personal Data for the duration of the Agreement and this DPA, and for any additional period required for data export and deletion in accordance with Sections 12 and 13 of this DPA, unless a longer retention period is required by law.
4. Nature and Purpose of Processing
4.1. Claribi Console (Developer Service):
· Nature:
Analysis of PBIX files, data models, and related metadata; generation of DAX, M code, documentation, and insights. Transmission of pseudonymized prompts and schema metadata to Third-Party LLM providers (e.g., OpenAI, Google) for inference and code generation.
· Purpose:
To provide code generation, documentation, and model analysis functionalities as requested by Controller.
4.2. Claribi (End‑User Service):
· Nature:
Interpretation of natural language queries, use of metadata and permissions from Controller’s BI environment to locate and navigate to relevant reports.
· Purpose:
To enable end users to query and navigate existing BI assets under the Organization’s existing permissions and RLS.
5. Types of Personal Data and Categories of Data Subjects
5.1. Types of Personal Data (as determined by Controller):
· Identification data (e.g., names, email addresses of users or employees).
· Organizational data (e.g., roles, departments, teams).
· BI‑related data and metadata contained in PBIX files or connected data sources, which may include personal data depending on Controller’s configuration.
· Technical data and logs (e.g., IP addresses, device identifiers, usage logs, query logs).
5.2. Categories of Data Subjects:
· Employees, contractors, and other authorized users of Controller.
· Customers, prospects, suppliers, and other individuals whose data is contained in Controller’s BI systems or uploaded content.
· Any other individuals whose Personal Data Controller chooses to process via the Services.
5.3. Controller Responsibility:
Controller remains solely responsible for the lawfulness of Personal Data it submits or makes available to Processor.
6. Obligations of Controller
Controller shall:
6.1. Ensure it has a valid legal basis under GDPR (or applicable law) for the Processing of Personal Data via the Services.
6.2. Provide only Personal Data that is adequate, relevant, and limited to what is necessary for the purposes of the Services.
6.3. Inform Data Subjects where required (e.g., via privacy notices) about the use of Processor as a Data Processor.
6.4. Respond to and manage Data Subject requests and complaints (access, rectification, erasure, restriction, portability, objection), with Processor’s assistance as described in this DPA.
6.5. Conduct any required Data Protection Impact Assessments (DPIA) and consult supervisory authorities where required.
6.6. Ensure that its instructions to Processor are lawful and documented.
7. Obligations of Processor
Processor shall:
7.1. Process Only on Instructions:
Process Personal Data only on documented instructions from Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required by EU or Member State law. In such a case, Processor shall inform Controller of that legal requirement before processing, unless that law prohibits such information.
7.2. Confidentiality:
Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7.3. Security:
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption, access controls, regular security testing, and incident response, as further described in Appendix A.
7.4. Data Breach Notification:
Notify Controller without undue delay and in any case within 24 hours after becoming aware of a Data Breach affecting Personal Data processed on behalf of Controller. Such notification shall include the information required by GDPR Article 33(3) where possible.
7.5. Assistance with Data Subject Rights:
Taking into account the nature of the Processing, assist Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling Controller’s obligation to respond to Data Subject requests under GDPR Chapter III.
7.6. Assistance with Compliance:
Assist Controller in ensuring compliance with obligations relating to security, breach notifications, DPIAs, and prior consultations, taking into account the nature of Processing and information available to Processor.
7.7. Records of Processing:
Maintain records of processing activities on behalf of Controller as required by GDPR Article 30(2) and make them available to Controller and supervisory authorities upon request.
8. Subprocessors
8.1. Authorization:
Controller grants Processor general authorization to engage Subprocessors in connection with the provision of the Services.
8.2. Current Subprocessors:
The current list of Subprocessors is maintained online and updated in real time at https://claribi.ai/subprocessors, in accordance with Sections 8.4 and 8.5 of this DPA.
8.3. Subprocessor Obligations:
Processor shall ensure that each Subprocessor is bound by written terms that provide at least the same level of data protection obligations as those set out in this DPA, including obligations regarding confidentiality, security, and Data Subject rights.
8.4. Notification of Changes:
Processor shall notify Controller at least thirty (30) days prior to adding or replacing a Subprocessor.
8.5. Right to Object:
Controller may object, on reasonable data protection grounds, to the engagement of a new Subprocessor by notifying Processor in writing within fifteen (15) days of receipt of the notification. The parties will work together in good faith to resolve Controller’s objection.
If the objection cannot be resolved:
· Controller may terminate the affected Services without penalty for future periods; and
· Processor will cooperate with Controller in facilitating data export and secure deletion as described in this DPA.
8.6. Liability:
Processor remains fully liable to Controller for any failure of a Subprocessor to fulfill its data protection obligations.
9. International Data Transfers
9.1. Location of Processing:
Processor primarily processes and stores Personal Data within the EEA. Some Subprocessors may process Personal Data outside the EEA.
9.2. Compliance with GDPR Chapter V:
Any transfer of Personal Data outside the EEA will be made in compliance with GDPR Chapter V, including the use of Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms.
9.3. Details:
More detailed information on international transfers and applicable safeguards is provided in Appendix C to this DPA.
10. Security
10.1. Technical and Organizational Measures:
Processor implements appropriate security measures as described in Appendix A, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risks to Data Subjects.
10.2. Controller’s Responsibilities:
Controller is responsible for:
· Securing its own devices, networks, and accounts;
· Ensuring that access to the Services from its environment is properly controlled;
· Configuring its BI environment (e.g., Power BI) and RLS securely.
11. Data Subject Rights
11.1. Assistance:
Considering the nature of the Processing, Processor shall assist Controller, as far as reasonably possible, by implementing appropriate technical and organizational measures, in fulfilling Controller’s obligations to respond to Data Subjects’ requests.
11.2. Direct Requests:
If Processor receives a Data Subject request directly, Processor will not respond to such request except to inform the Data Subject that the request has been passed to Controller, unless legally required to respond. Processor will promptly forward the request to Controller.
12. Data Retention and Deletion
12.1. Retention:
Processor will retain Personal Data only for as long as necessary to fulfill the purposes described in this DPA and the Agreement, unless a longer retention period is required by applicable law.
12.2. Deletion or Return:
Upon termination or expiry of the Services, Processor shall, at Controller’s choice:
· Return all Personal Data to Controller; or
· Delete all Personal Data, unless retention is required by law.
Controller must communicate its choice in writing within thirty (30) days of termination. If no choice is communicated, Processor will delete Personal Data.
12.3. Backups:
Personal Data stored in backups will be deleted or overwritten in accordance with Processor’s standard backup rotation and deletion practices, within a maximum of ninety (90) days after deletion from production systems.
12.4. Certificate of Deletion:
Upon written request, Processor will provide a written confirmation that Personal Data has been deleted in accordance with this DPA.
13. Audits
13.1. Audit Rights:
Controller may, up to once per calendar year (unless justified by a Data Breach or security incident), audit Processor’s compliance with this DPA and applicable data protection law, as set forth in the Audit Rights section of the Agreement.
13.2. Procedures:
Audits shall be conducted:
· Upon at least thirty (30) days’ written notice;
· During normal business hours;
· In a manner that does not unreasonably interfere with Processor’s operations.
13.3. Third‑Party Auditors:
Any third‑party auditor engaged by Controller must:
· Be subject to confidentiality obligations;
· Have no conflict of interest with Processor;
· Comply with Processor’s security and access policies.
13.4. Costs:
Controller bears all costs of audits. If an audit reveals material non‑compliance by Processor, Processor will reimburse Controller’s reasonable audit costs associated with identifying the non‑compliance.
14. Liability and Indemnification
14.1. Liability:
Processor’s aggregate liability under this DPA shall be subject to the liability limitations set forth in the Agreement, except where applicable law prohibits such limitations.
14.2. Indemnification:
Each party shall indemnify the other for damages and fines arising from its own breach of this DPA or applicable data protection laws, to the extent permitted by the Agreement and applicable law.
15. Governing Law and Jurisdiction
15.1. Governing Law:
This DPA shall be governed by and construed in accordance with the laws of the Republic of Estonia.
15.2. Jurisdiction:
Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the competent courts of Estonia, without prejudice to rights under GDPR for Data Subjects or supervisory authorities.
16. Term and Survival
16.1. Term:
This DPA enters into force on the Effective Date and remains in force for as long as Processor processes Personal Data on behalf of Controller under the Agreement.
16.2. Survival:
Obligations relating to confidentiality, data deletion, liability, and governing law shall survive termination of this DPA.
17. Amendments
17.1. Processor may propose amendments to this DPA to reflect changes in applicable data protection laws or regulatory guidance.
17.2. Processor will notify Controller of any material changes at least thirty (30) days in advance. Controller’s continued use of the Services after the effective date of the changes will constitute acceptance of the amended DPA, unless the parties agree otherwise in writing.
For privacy and data protection matters, Controller may contact Processor at:
Email: privacy@claribi.com
Address: Claribi OÜ, Harju maakond, Tallinn, Kesklinna linnaosa, Ahtri tn 12, 15551, Republic of Estonia
Appendix A: Technical and Organizational Security Measures
Processor maintains, at a minimum, the following security measures:
· Access Control:
o Role‑based access controls (RBAC)
o Strong authentication (e.g., MFA for administrative accounts)
o Least‑privilege principle and regular access reviews
· Encryption:
o Encryption of data at rest (e.g., AES‑256 or equivalent)
o Encryption of data in transit using TLS 1.2 or higher
· Network and Application Security:
o Firewalls and network segmentation where appropriate
o Regular vulnerability scanning and patch management
o Secure development practices and code reviews
· Monitoring and Logging:
o Logging of security‑relevant events
o Monitoring for unusual activity or intrusion attempts
· Backup and Disaster Recovery:
o Regular backups of critical systems and data
o Disaster recovery and business continuity plans
o Periodic tests of restoration procedures
· Organizational Measures:
o Security and privacy training for employees
o Confidentiality agreements for personnel with data access
o Incident response policies and procedures
Appendix B: Subprocessor List
Processor’s current Subprocessors and categories (including locations and purposes) are listed in the Claribi Terms of Use and/or at the Subprocessor URL designated by Processor.
Please see Section 8.2 above for the complete, updated list of all Subprocessors.
Appendix C: International Data Transfers and Standard Contractual Clauses
Data Transfer Safeguards:
For transfers of Personal Data outside the European Economic Area (EEA), Processor implements the following safeguards:
1. Standard Contractual Clauses (SCCs):
Processor has executed the EU Commission Standard Contractual Clauses (2021 version, Module 2: Controller‑to‑Processor and Module 3: Processor‑to‑Subprocessor) with Subprocessors located outside the EEA.
2. Subprocessor Safeguards:
Each Subprocessor that processes Personal Data outside the EEA has committed to:
o EU Commission SCCs, or
o Privacy Shield successor frameworks (where applicable), or
o Binding Corporate Rules (BCRs)
3. Processor Guarantees:
Processor ensures that all international transfers comply with GDPR Chapter V requirements and provides adequate protection equivalent to that within the EEA.
4. Documentation Available:
Full SCC documentation is made available to Controller within 15 business days of a written request to privacy@claribi.com.
5. Transfer Impact Assessment:
Processor has conducted Transfer Impact Assessments (TIAs) as required by EDPB guidance for transfers to third countries. Full TIA documentation is made available to Controller within 15 business days of a written request to privacy@claribi.com.
6. Controller Acknowledgment:
By accepting this DPA, Controller acknowledges and consents to the international transfers described in Section 9 of this DPA and Appendix B (Subprocessor List).
Effective Date: December 2, 2025
Last Updated: December 2, 2025
Version: 1.1
End of Data Processing Addendum (DPA)