Data Security and Confidentiality Policy

To ensure clear understanding, the following terms are defined in accordance with GDPR and applicable data protection laws: • Personal Data: Any information relating to an identified or identifiable natural person (e.g., name, email, financial information). • Processing: Any operation on Personal Data, automated or otherwise (e.g., collection, storage, deletion). • Security Incident: Any confirmed breach resulting in the destruction, loss, alteration, unauthorized disclosure or unauthorized access to Personal Data (excluding minor attempts with no impact). • Sensitive Data: Data revealing racial/ethnic origin, political opinions, religious beliefs, health data, or relating to criminal offenses. • Sub-Processor: Any entity authorized by Cleavr to process Personal Data. • Data Controller: The client who determines the purposes and means of processing.

Cleavr is a technological debt recovery assistance solution designed for businesses wishing to secure their receivables while respecting the highest standards of compliance, security and confidentiality. We process our clients' data with strict compliance with legal obligations, particularly the General Data Protection Regulation (GDPR), and we are committed to total transparency regarding their processing.

All data processed by Cleavr is hosted on our partner Supabase's infrastructure, using AWS regions located exclusively in the European Union: eu-west-1 (Ireland), eu-west-3 (Paris) and eu-central-1 (Frankfurt). The client may choose a specific region for primary storage and processing, subject to legal compliance; Cleavr undertakes to respect this choice. These regions comply with European Union requirements for personal data protection. The infrastructures used are certified to the strictest security standards (ISO 27001, SOC 2, etc.).

As part of our operations, we use the following sub-processors: • Stripe: for payment management, identity verification and collection of supporting documents (such as national ID card). This data is transmitted directly to Stripe, without Cleavr having access. Stripe is PCI DSS certified and GDPR compliant. • Brevo: for sending transactional emails and notifications. Brevo is established in France and fully GDPR compliant. • Vercel: for hosting and deploying our front-end applications, offering a scalable and secure infrastructure compliant with GDPR via its pre-signed Data Processing Agreement (DPA), with AES-256 encryption, ISO 27001 and SOC 2 certifications, and no transfers outside EU without standard contractual clauses. • StackAuth: for secure user authentication management, using JWT or encrypted cookies, supporting over 60 OAuth/SAML providers, and ensuring GDPR compliance by minimizing sensitive data collection without permanent storage of credentials. All our sub-processors are established in the European Union or comply with standard contractual clauses established by the European Commission to guarantee an equivalent level of protection. The client grants general authorization for these sub-processors; Cleavr notifies any change at least 30 days in advance. The client may object within 5 days; in case of disagreement, Cleavr resolves in good faith or allows termination of affected services. Cleavr remains fully responsible for the acts of its sub-processors.

Access to data is strictly controlled via secure authentication systems and role management. Only authorized persons within Cleavr can access certain categories of data, according to their function. Data is systematically encrypted: • In transit, via HTTPS/TLS 1.2+; • At rest, via AES-256 on our host's servers. • Logical partitioning between clients is in place to prevent unauthorized access to other accounts' data. • A security log monitoring and alerting system is in place to detect anomalies, unauthorized access attempts or potential incidents in real time. Logs are retained for a minimum period of 6 to 12 months, in accordance with CNIL recommendations, and protected against any alteration.

Data is retained only for the duration necessary to provide the service, on client instruction. At the end of the contract or upon request, it is securely erased (irreversible deletion, with confirmation provided to the client). By default, active data is retained for the duration of the contract, and backups are retained for 30 days before final deletion. A copy can be provided upon request during this period.

Automatic encrypted logical backups are performed daily to ensure service continuity. These backups are stored on secure and replicated servers, guaranteeing their availability in case of failure (target: 99.99%). We regularly perform restoration tests to guarantee the integrity and resilience of our infrastructure.

Cleavr acts as a processor within the meaning of GDPR. We commit to: • Process data only on documented instruction from the client (data controller); • Respect the principles of minimization, purpose limitation and proportionality; • Guarantee users their rights of access, rectification, objection, portability and erasure; • Provide an up-to-date register of processing activities upon request; • Fully cooperate with competent supervisory authorities, including CNIL. A Data Protection Officer (DPO) is available for any request or clarification.

In case of proven or suspected personal data breach, Cleavr commits to: • Inform affected clients as soon as possible; • Document the incident (date, nature, impact, measures taken); • Immediately implement necessary corrective actions; • Inform CNIL within 72 hours if the incident presents a high risk to the rights and freedoms of the data subjects.

For any questions regarding security, confidentiality or data processing, please contact our DPO: baptiste.nassoy@cleavr.fr