Data Transfer Agreement Documentation

Cluely, Inc. Data Transfer Agreement

Last Updated on April 1, 2025

Transfer Record 1: EU Meeting Data to US Processing Infrastructure

Destination Country: USA

Transfer Mechanism: Standard Contractual Clauses

Start Date: April 1, 2025

Frequency: Real-time transfers during active meetings for EU customers using transcription services

Volume: Continuous during meeting sessions (typically 1-4 hours per session)

Transfer Scope: Regular

Purpose and Data Categories

Purpose: Real-time meeting transcription, AI analysis, and insight generation for EU-based enterprise customers

Data Categories:

  • Audio recordings from EU-based meetings
  • Meeting transcripts and text content
  • Voice patterns and speech data
  • Meeting metadata (timestamps, participant identifiers)
  • User identification data (names, email addresses)
  • Meeting context and business content

Additional Safeguards

  • End-to-end encryption in transit (TLS 1.2+)
  • Data encryption at rest (AES-256)
  • Pseudonymization of user identifiers where technically feasible
  • Automated data deletion after processing (configurable retention periods)
  • Access controls limiting US-based processing to authorized AI systems only
  • Audit logging of all data access and processing activities
  • Regular security assessments and penetration testing
  • Data minimization - only essential data for transcription and analysis

High-Risk Findings

  • Government Access Risk: US surveillance laws (FISA, CLOUD Act) may permit government access to data
  • Cross-Border Latency: Real-time processing requirements limit data localization options
  • Mitigation Assessment: Risks are balanced by strong technical safeguards and limited data retention

Risk Assessment

Risk Type | Level | Description
Privacy Impact | Medium | Personal voice data and meeting content processed in US jurisdiction
Security Risk | Low | Strong encryption and access controls in place
Regulatory Risk | Low-Medium | Compliance with SCCs and additional safeguards implemented
Business Risk | Low | Transfer necessary for core service functionality
Individual Rights Impact | Medium | Potential government access rights under US law

Mitigation Measures

  • Implementation of Standard Contractual Clauses with US processors (OpenAI, DeepGram, Neon)
  • Data processing agreements with detailed security and privacy requirements
  • Regular compliance audits and security assessments of US processors
  • Transparent privacy notices informing EU data subjects of US processing
  • Data subject rights mechanisms (access, deletion, objection) maintained despite transfer
  • Incident response procedures for cross-border data breach notification
  • Legal review of US processor terms and conditions for adequacy
  • Technical measures to minimize data exposure (encryption, access controls, retention limits)

Transfer Record 2: EU User Account Data to US Database Infrastructure

Destination Country: USA

Transfer Mechanism: Standard Contractual Clauses

Start Date: April 1, 2025

Frequency: Continuous for account management and authentication

Volume: All EU user account data stored in US-based Neon database infrastructure

Transfer Scope: Regular

Purpose and Data Categories

Purpose: User authentication, account management, and service delivery for EU enterprise customers

Data Categories:

  • User credentials and authentication data
  • Profile information (names, email addresses, job titles)
  • Organization and team membership data
  • User preferences and configuration settings
  • Login logs and session data

Additional Safeguards

  • Database encryption at rest (AES-256)
  • Encrypted connections for all database access (TLS 1.2+)
  • Multi-factor authentication for administrative access
  • Database access logging and monitoring
  • Regular security updates and patches
  • Backup encryption and secure storage
  • Network isolation and firewall protection

High-Risk Findings

  • Government Access Risk: US law enforcement may request access to database records
  • Data Persistence Risk: User data stored persistently in US infrastructure
  • Administrative Access Risk: US-based database administrators may have technical access
  • Mitigation Assessment: Risks mitigated through contractual safeguards and technical controls

Transfer Record 3: EU System Logs to US Monitoring Infrastructure

Destination Country: USA

Transfer Mechanism: Standard Contractual Clauses

Start Date: April 1, 2025

Frequency: Continuous automated log transfer for monitoring

Volume: High-volume automated transfers of log data

Transfer Scope: Regular

Purpose and Data Categories

Purpose: System monitoring, error tracking, and performance optimization for EU customer services

Data Categories:

  • System logs and error reports
  • Performance metrics and usage statistics
  • IP addresses and device information (anonymized where possible)
  • Application diagnostic data
  • Security event logs

Additional Safeguards

  • Log data encryption in transit and at rest
  • Automated anonymization of IP addresses where technically feasible
  • Limited retention periods (90 days for most logs)
  • Access controls restricting log access to authorized personnel only
  • Automated log rotation and secure deletion
  • Data minimization in log collection practices

Existing Data Outside EU - Justification

Current Status: Cluely operates a serverless architecture with all processing infrastructure located in the United States. Personal data about EU residents is processed in the US for the following business reasons:

Technical Justification

  • Serverless architecture requires centralized processing infrastructure
  • Real-time AI processing demands low-latency connections to AI services (OpenAI, DeepGram)
  • Current technology limitations prevent real-time EU-based processing at required scale
  • Service architecture designed for optimal performance and reliability

Legal Justification

  • Standard Contractual Clauses implemented with all US processors
  • Additional safeguards exceed minimum SCC requirements
  • Transfer Impact Assessments conducted and documented
  • Data subject rights maintained despite US processing location

Business Justification

  • Core service functionality requires US-based AI processing capabilities
  • Customer demand for advanced AI features drives processing requirements
  • Competitive positioning requires access to cutting-edge AI technologies
  • Service quality and reliability best achieved through current architecture

Future Considerations

  • Monitoring regulatory developments for EU data localization requirements
  • Evaluating EU-based processing alternatives as technology evolves
  • Maintaining flexibility to adapt architecture based on legal requirements
  • Continuous assessment of transfer necessity and proportionality

Contact Information

For questions about these data transfer arrangements or to exercise your data subject rights, please contact us at [email protected].