Data Processing Addendum

Last updated: December 19, 2025


This Data Processing Addendum (“DPA”) forms part of the Terms of Service (the “Addendum”) between Vedin Labs AB (“Clara”, “Processor”, “we”, “us”) and the customer entity entering into the Agreement (“Customer”, “Controller”).


This DPA applies where Clara processes Personal Data on behalf of the Customer in connection with the use of the Clara service.

1. Roles and scope


1.1 For the purposes of this DPA:

  • The Customer acts as Data Controller

  • Clara acts as Data Processor


1.2 This DPA applies solely to the processing of Personal Data by Clara on behalf of the Customer as part of providing the Clara service. Processing where Clara acts as a Data Controller (for example, website usage, marketing, billing, or account administration) is governed by Clara’s Privacy Policy.

2. Subject matter, nature, and purpose of processing


2.1 The subject matter of the processing is the provision of an automatic time-tracking and activity analysis platform for legal practitioners.


2.2 The nature of the processing includes the collection, structuring, storage, analysis, association, and summarisation of work activity metadata.


2.3 The purpose of the processing is to:

  • automatically capture work activity metadata

  • associate activity with clients and matters

  • generate time entry narratives

  • enable review, reporting, and export of time records


2.4 The processing is carried out for the duration of the Customer’s use of the service, unless otherwise agreed or required by applicable law.

3. Processing on documented instructions


3.1 Clara shall process Personal Data only on documented instructions from the Customer, including instructions given through configuration and use of the service.


3.2 Clara shall inform the Customer if, in its opinion, an instruction infringes applicable Data Protection Laws, unless prohibited by law from doing so.

4. Categories of data and data subjects


The categories of Personal Data and Data Subjects processed under this DPA are described in Annex I (Specification of Data Processing).

5. Confidentiality


Clara shall ensure that persons authorised to process Personal Data are bound by confidentiality obligations or are subject to appropriate statutory confidentiality requirements.

6. Security of processing


6.1 Clara implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the nature, scope, context, and purposes of the processing.


6.2 Such measures are described in Annex II (Security Measures).

7. Sub-processing


7.1 The Customer grants Clara a general authorisation to engage Sub-processors to process Personal Data on the Customer’s behalf.


7.2 Clara shall notify the Customer of any intended addition or replacement of Sub-processors at least thirty (30) days in advance, providing the Customer with an opportunity to object.


7.3 Where the Customer objects to a new Sub-processor on reasonable data protection grounds, the parties shall cooperate in good faith to resolve the concern. If resolution is not possible, the Customer may terminate the affected part of the service.


7.4 Clara shall ensure that all Sub-processors are subject to data protection obligations no less protective than those set out in this DPA.

8. Assistance to the Customer


8.1 Taking into account the nature of the processing, Clara shall provide reasonable assistance to enable the Customer to respond to requests from Data Subjects exercising their rights under Data Protection Laws.


8.2 Clara shall assist the Customer with data protection impact assessments and prior consultations with supervisory authorities where required, to the extent applicable to the processing performed under this DPA.

9. Personal Data Breach


9.1 Clara shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Customer.


9.2 Such notification shall include information reasonably required to allow the Customer to comply with its obligations under Data Protection Laws.

10. Deletion or return of Personal Data


10.1 Upon termination of the Customer’s use of the service, Clara shall, at the Customer’s choice, delete or return all Personal Data processed on the Customer’s behalf, unless retention is required by applicable law.


10.2 Deletion shall take place within a reasonable period following termination.

11. Audits and compliance

11.1 Clara shall make available to the Customer information reasonably necessary to demonstrate compliance with this DPA.


11.2 Audit rights shall be exercised in a manner that does not unreasonably disrupt Clara’s business or compromise the security of other customers’ data.

12. International data transfers


12.1 Clara primarily processes Personal Data within the European Economic Area (EEA).


12.2 Clara does not intentionally transfer Personal Data outside the EEA. Where a transfer to a third country becomes necessary, such transfer shall be subject to appropriate safeguards in accordance with Chapter V of the GDPR, including Standard Contractual Clauses approved by the European Commission.

13. Governing law


This DPA is governed by the laws of Sweden, and disputes arising in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of that jurisdiction.


Annex I – Specification of Data Processing


Categories of Personal Data

  • User identifiers (name, email address, phone number, user ID)

  • Email metadata (sender, recipient, subject line, timestamps, message identifiers; no email bodies or attachment contents)

  • Calendar metadata (event title, start and end time, attendees, location, meeting links; no event descriptions)

  • Desktop activity metadata (application name, window title, optional URL, timestamps and duration)

  • Client, project, and contact records created by the Customer

  • Generated summaries and narratives derived from the above metadata


Special categories of data
Not intentionally processed. Such data may be included incidentally as part of Customer Data depending on the Customer’s use of the service.


Categories of Data Subjects

  • Customer users (law firm staff)

  • Clients and contacts of the Customer

  • Third parties appearing in email or calendar metadata

Annex II – Security Measures


Clara implements technical and organisational measures including, but not limited to:

  • Encryption of data in transit using TLS

  • Encryption at rest using cloud-provider managed encryption mechanisms

  • Additional application-level encryption for selected sensitive data fields, including:

    • OAuth access and refresh tokens

    • activity signal payloads

    • memory titles

    • generated time entry narratives

  • Secure key management using managed secret storage services

  • Logical separation of customer data within shared infrastructure

  • Role-based access controls and least-privilege principles

  • Restricted access to production systems by authorised personnel only

  • Incident detection and response procedures

Annex III – Approved Sub-processors


As of the date of this DPA, Clara uses the following Sub-processors:

| Sub-processor | Purpose | Processing location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, storage, infrastructure | EEA |
| Clerk | Authentication and identity management | EEA |
| Google (Workspace, Gmail, Calendar APIs) | Email and calendar integrations | EEA |
| Microsoft (Outlook, Calendar APIs) | Email and calendar integrations | EEA |
| OpenRouter (and underlying LLM providers) | Activity summarisation and suggestion generation | EEA |
| PostHog | Product analytics | EEA |
| New Relic | Monitoring and logging | EEA |
| GitHub | Source code management | EEA |
| Linear | Issue tracking and internal support | EEA |