> ## Documentation Index > Fetch the complete documentation index at: https://learn.cleftnotes.com/llms.txt > Use this file to discover all available pages before exploring further. # Data Processing Agreement > Cleft's complete Data Processing Agreement and transparency guide for all data handling **Formal DPA**: This page serves as Cleft's official Data Processing Agreement for all customers and compliance teams, while also providing transparent information for all users. **Last Updated**: September 10, 2025\ **Effective**: September 10, 2025 ## Data Processing Agreement This document serves as both our user-friendly data transparency guide and our formal Data Processing Agreement (DPA) for customers requiring compliance documentation. ### Data Controller/Processor Relationship **You (Data Controller)**: You control the personal data in your notes, recordings, and account **Cleft (Data Processor)**: We process your data solely to provide voice-to-text services as instructed by you **Legal Basis**: Processing based on legitimate interests (service provision) and consent where applicable **Key Principle**: We only collect and process data that's essential for delivering our service. Your content is never used for training AI models or shared with advertisers. **Complete Vendor List**: This DPA covers our key data processors. For our complete list of all 37 vendors (including business operations vendors that handle no personal data), see our [Vendor Transparency page](/trust/vendors). *** ## Data Categories & Usage ### Audio Recordings **What We Collect**: Audio files when you press record **How It's Processed**: 1. **Local Storage**: Audio stays on your device during recording 2. **Device Transcription**: Processed locally using OpenAI's Whisper model 3. **Cloud Backup**: Audio files uploaded to AWS for 1-hour temporary access 4. **Permanent Storage**: Moved to secure AWS storage after 1 hour 5. **Download Access**: Available for download anytime via the app **Who Has Access**: * **AWS** (hosting only - no content access) * **You** (full ownership and download rights) **Retention**: Kept for 2 years after your last login, then securely deleted ### Transcripts & Text **What We Collect**: Text versions of your audio recordings **How It's Processed**: 1. **Device Creation**: Generated locally on your device 2. **AI Enhancement**: Text sent to AI providers for note processing 3. **Cloud Sync**: Stored on AWS for cross-device access 4. **User Access**: Available in-app and via export **Who Has Access**: * **OpenAI** (primary AI processing - text only, never audio) * **Groq** (backup AI processing - text only) * **Anthropic** (additional AI processing - text only) * **AWS** (hosting only - no content access) **Important**: AI providers receive only text, never your audio recordings. Your data is never used to train their models. ### Account Information **What We Collect**: * Email address (for authentication) * Display name * App preferences and settings * Device information (for sync) **How It's Used**: * **Authentication**: Secure login via email * **Sync**: Cross-device note synchronization * **Support**: Customer service assistance * **Communications**: Service updates and newsletters (opt-in) **Who Has Access**: * **AWS** (secure hosting) * **HubSpot** (customer support interactions only) * **Mailerlite** (newsletter delivery - opt-in only) * **1Password** (internal team password management only) **Control**: You can export, modify, or delete this data anytime ### Website & Forms **What We Collect**: * Form submissions on our website * Contact requests and support inquiries * Scheduling information for consultations **How It's Used**: * **Customer Support**: Responding to inquiries and requests * **Scheduling**: Coordinating onboarding calls and consultations * **Website Hosting**: Maintaining our public-facing website **Who Has Access**: * **Webflow** (website hosting and form submissions) * **Fillout** (form building and data collection) * **Namecheap** (domain registration and DNS management) * **Cloudflare** (CDN and website performance) **Purpose**: These vendors help us maintain our website and respond to customer inquiries ### Integration & Automation **What We Collect**: * Integration data flows you configure * Automated workflow triggers * Connected app permissions **How It's Used**: * **User Integrations**: Connecting Cleft with your other tools * **Automation**: Streamlining workflows as configured by you * **Data Export**: Sending your notes to destinations you choose **Who Has Access**: * **Zapier** (workflow automation - only data flows you configure) **Control**: You configure all data flows and can disable integrations anytime ### Usage Analytics **What We Collect**: * Feature usage patterns (anonymous) * App performance metrics * Crash reports (no personal content) * Documentation page views **How It's Used**: * **Product Improvement**: Understanding which features are most valuable * **Bug Fixes**: Identifying and resolving technical issues * **Performance**: Optimizing app speed and reliability **Who Has Access**: * **Fathom Analytics** (website analytics only - privacy-focused) * **TelemetryDeck** (in-app anonymous analytics - no PII collected) * **Sentry** (crash reporting - no personal data) * **Metabase** (internal analytics - aggregated data only) **Privacy**: All analytics are anonymous and contain no personal content or notes ### Payment Information **What We Collect**: * Subscription status * Purchase history * Payment method (handled by Apple/Stripe) **How It's Processed**: * **Apple App Store**: Handles all iOS subscription billing * **Stripe**: Processes web payments (we don't see card details) * **RevenueCat**: Manages subscription status and analytics **Important**: We never see or store your actual payment details (card numbers, etc.). This is handled entirely by secure payment processors. **Who Has Access**: * **Apple** (iOS subscriptions) * **Stripe** (web payments - PCI compliant) * **RevenueCat** (subscription management) *** ## Data Flow Diagram **Step 1**: You record audio → **Your Device** (local storage) **Step 2**: Audio transcribed → **Your Device** (using OpenAI's Whisper model) **Step 3**: Audio backed up → **AWS** (secure cloud storage) **Step 4**: Transcript enhanced → **OpenAI/Groq/Anthropic** (text processing only) **Step 5**: Final note saved → **AWS** (encrypted storage) **Step 6**: Synced to your devices → **Your Apps** (encrypted transfer) **Your Device**: * Audio files (during recording) * Transcripts and notes (local cache) * App preferences **AWS Cloud Storage**: * Audio files (encrypted) * Transcripts and notes (encrypted) * Account information (encrypted) * Sync data (encrypted) **AI Providers** (OpenAI, Groq, Anthropic): * No data stored - processing only * Receive text, never audio * No training on your data **Device ↔ AWS**: End-to-end encryption using TLS 1.3 **AWS ↔ AI Providers**: Encrypted API calls (HTTPS/TLS) **Device ↔ Payment Processors**: Direct secure connection (bypasses our servers) **App ↔ Analytics**: Anonymous, aggregated data only *** ## Your Data Rights **You Own Everything** * All notes, transcripts, and audio files * Complete export available anytime * Delete individual items or entire account * No vendor lock-in - portable data **Granular Permissions** * Choose which features to sync * Control communication preferences * Manage integration permissions * Request specific data deletion **Full Visibility** * Know exactly who processes your data * See all vendor relationships * Access data processing agreements * Review security certifications **Built-in Protection** * No advertising or tracking * No data sales to third parties * No AI training on your content * GDPR & CCPA compliant *** ## Data Minimization We follow strict data minimization principles: * **Only Essential Data**: We collect only what's needed for core functionality * **Purpose Limitation**: Data used only for stated purposes * **Retention Limits**: Automatic deletion after 2 years of inactivity * **Access Controls**: Vendor access limited to necessary functions only *** ## DPA Compliance & Audit Rights **Audit Rights**: Customers have the right to audit our data processing activities upon reasonable notice **Compliance Support**: We assist with your GDPR, CCPA, and other regulatory compliance requirements **Documentation**: This page serves as your DPA - bookmark, download, or print for your compliance records **Updates**: We'll notify customers of material changes to our data processing practices ## Incident Response & Security **Notification Timeline**: We notify affected customers within 72 hours of discovering a security incident **Response Process**: Immediate containment, investigation, remediation, and detailed incident reports **Customer Support**: Dedicated incident response team **Encryption**: All data encrypted in transit (TLS 1.3) and at rest (AES-256) **Access Controls**: Role-based access, multi-factor authentication, regular access reviews **Infrastructure**: SOC 2 compliant cloud infrastructure with redundancy and monitoring **Staff Training**: Regular security awareness training for all Cleft personnel *** ## Questions About Data Processing? **[Jonny Cosgrove](https://www.linkedin.com/in/jonnycosgrove/)**\ Founder, COO and Data Protection Officer 📧 [DPO@cleftnotes.com](mailto:DPO@cleftnotes.com)\ 📋 **DPA Questions**: Include "DPA" in subject line **Privacy Team** 📧 [privacy@cleftnotes.com](mailto:privacy@cleftnotes.com)\ 📋 **For**: DPA questions, audit requests, compliance documentation, general privacy questions *** ## Related Documentation * **[Privacy Policy](/trust/privacy-policy)** - Complete legal privacy policy * **[Vendor Transparency](/trust/vendors)** - Detailed vendor information * **[Cookie Policy](/trust/cookie-policy)** - Our no-cookie promise * **[Terms of Service](/trust/terms-of-service)** - Usage terms and conditions **Official Versions**: [Privacy Policy](https://www.cleftnotes.com/privacy) | [Terms of Service](https://www.cleftnotes.com/terms) *** **Data Subject Access Request**: To request a copy of all personal data we hold about you, submit a request [here](https://tally.so/r/mee2dx) or contact our Data Protection Officer.