Security & compliance

GDPR posture

clmSpace operates under UK GDPR and EU GDPR. Restricted transfers to the US for AI inference are covered by the UK IDTA referencing the EU SCCs.

Roles

  • You are the controller for the contract data in your tenant.
  • Rated Counsel Limited (clmSpace) is the processor. We process on your documented instructions, as set out in the DPA.
  • Microsoft is a sub-processor for hosting, identity and storage in your own Microsoft tenant.
  • Neon is a sub-processor for the read-model replica of derived structured data, in AWS London.
  • Vercel is a sub-processor for customer-portal hosting and CDN, in London.
  • Anthropic is a sub-processor for AI inference, in the United States.
  • DocuSign is an optional, per-tenant sub-processor for e-signature.

Restricted transfers

Inference traffic to Anthropic crosses outside the UK and EEA. The transfer is governed by the UK ICO’s International Data Transfer Addendum (IDTA) referencing the EU SCCs, on a processor-to-processor basis.

Deletion and return on termination

  • On request you receive an export of your structured contract data.
  • Client content is deleted within 30 days of termination on request. Operational logs are retained for around 90 days for incident response, then deleted.
  • Source contract documents stay in your own SharePoint throughout; clmSpace keeps no separate copy.

DPA on file

Every tenant signs a DPA at onboarding. Updates are versioned and notified. The current sub-processor list is published in the DPA appendix.