Last updated June 3, 20261. Roles and scope
Claura is operated by DjaloVentures OÜ (registration code 16915498), Narva mnt 5, 10117 Tallinn, Estonia. In providing the Service, Claura processes personal data contained in the mailboxes, sources, and documents a customer connects ('Customer Personal Data') as a processor acting on the customer's documented instructions. The customer is the controller and is responsible for the lawfulness of that data and for having a valid legal basis to instruct the processing, including for third parties whose data appears in connected sources.
2. Processing details
Subject matter: provision of the Claura financial-inbox service. Duration: the term of the Terms plus any deletion period. Nature and purpose: connecting to authorised sources, scanning for documents, ingesting and storing attachments, OCR, AI extraction and classification, deduplication, entity inference, indexing, search, archiving, and export. Data types: identification and contact details, financial and transactional data, email metadata and excerpts, document contents, and usage data. Data subjects: the customer's personnel and users, and third parties referenced in documents.
3. Our obligations as processor
Claura will process Customer Personal Data only on the customer's documented instructions; ensure persons authorised to process it are bound by confidentiality; implement appropriate security measures; respect the conditions for engaging sub-processors; assist the customer, so far as possible, with data-subject requests and with security, breach-notification, and impact-assessment obligations; and, at the customer's choice, delete or return the data at the end of the services.
4. Security
Claura maintains reasonable and appropriate technical and organisational measures, including encryption of authorisation tokens at rest, encryption in transit, access controls and least-privilege administration, logical isolation of customer workspaces, monitoring, and recovery procedures. Measures may evolve provided the overall level of protection is not reduced.
5. Sub-processors
The customer gives general authorisation for Claura to engage sub-processors bound by obligations no less protective than this DPA. Current sub-processors include Supabase, Vercel, OpenAI, Microsoft Azure Document Intelligence and Google Document AI (where enabled), Google and Microsoft for mailbox connectivity, and Sentry. Claura will give reasonable notice of additions or replacements and an opportunity to object on reasonable grounds, and remains liable for its sub-processors.
6. International transfers
Where Customer Personal Data is transferred outside the EEA, including to OpenAI in the United States, the parties rely on the European Commission's Standard Contractual Clauses (and, for UK transfers, the UK Addendum or IDTA), with supplementary measures where required. The customer is the data exporter and Claura or the relevant sub-processor is the data importer.
7. Audits, deletion, and breaches
Claura will make available information reasonably necessary to demonstrate compliance and allow for audits on reasonable notice, subject to confidentiality and to not unreasonably disrupting operations. On termination, Claura will delete or return Customer Personal Data except where retention is legally required. Claura will notify the customer without undue delay after becoming aware of a personal-data breach affecting Customer Personal Data and assist with the customer's notification obligations.
8. Contact
Data-protection matters can be sent to privacy@claura.io. Business customers with specific requirements may request a counter-signed copy of this DPA.