Last updated: April 11, 2026
Effective: April 11, 2026
AI-Drafted Disclaimer: These documents were drafted with AI assistance and have not been reviewed by an attorney. Consult legal counsel before relying on them.
ClearQuote Data Processing Addendum
Last updated: April 2026
This Data Processing Addendum ("DPA") governs how ClearQuote processes Personal Information and Nonpublic Personal Information (NPI) on behalf of Customer in connection with the ClearQuote service. This DPA is incorporated into and forms part of the ClearQuote Terms of Service.
Defined Terms
"Customer" or "Data Controller" means the licensed insurance agent or producer who uses the ClearQuote Service.
"ClearQuote" or "Data Processor" means ClearQuote LLC, the operator of the Service.
"Personal Information" means information that identifies, relates to, describes, or is reasonably capable of being associated with an individual, as further defined in the ClearQuote Privacy Policy.
"NPI" or "Nonpublic Personal Information" means personally identifiable financial and insurance information, as defined under the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. § 6801 et seq.
"Processing" means any operation performed on Personal Information, including collecting, storing, using, accessing, disclosing, or deleting it.
"Subprocessor" means a third-party service provider engaged by ClearQuote to process Personal Information on behalf of Customer as part of delivering the Service.
"Breach" means an unauthorized acquisition, access, use, or disclosure of Personal Information or NPI that compromises the security, confidentiality, or integrity of such information.
"Service" means the ClearQuote software-as-a-service platform for insurance proposal generation and delivery.
Scope and Purpose
This DPA governs ClearQuote's processing of Personal Information and NPI on behalf of Customer to provide the Service. ClearQuote processes data solely to deliver the Service as described in the Terms of Service — specifically, to enable insurance agents to generate AI-written proposals from carrier quotes and deliver them to clients via email.
ClearQuote does not process Personal Information for its own independent purposes beyond what is necessary to provide the Service.
Customer Obligations (Data Controller)
Customer is the Data Controller for all client data uploaded to or processed by the Service. As Data Controller, Customer is responsible for:
(a) Ensuring a lawful basis exists for collecting client insurance information and sharing it with the Service;
(b) Compliance with applicable regulations governing the collection, use, and protection of client insurance data, including:
- The GLBA Safeguards Rule (16 CFR Part 314) for agents who meet the definition of "financial institution" under GLBA;
- Applicable state insurance data security laws, including RCW 48.135 for Washington State licensed producers;
(c) Informing clients about the use of the Service to generate proposals where required by applicable law or professional obligation.
ClearQuote supports, but does not replace, Customer's compliance program. Customers operating as licensed insurance producers remain solely responsible for their own regulatory compliance obligations.
ClearQuote Obligations (Data Processor)
ClearQuote will:
(a) Process Personal Information only as instructed by Customer and as necessary to provide the Service;
(b) Not sell, share, or use Personal Information for any purpose other than providing the Service, including not using client data for AI model training;
(c) Maintain security measures as described in the Security Exhibit below;
(d) Notify Customer of any confirmed Breach as described in the Breach Notification section;
(e) Ensure that personnel with access to Personal Information are bound by confidentiality obligations.
Data Types Processed
ClearQuote processes the following categories of data on behalf of Customer:
Agent Account Data — Information about the insurance agent using the Service:
- Name, email address, phone number, agency name
- Insurance producer license number
- Agency logo and branding (if uploaded)
Client Proposal Data — Information about the insurance clients for whom proposals are generated:
- Client name and email address
- Insurance product type
- AI-generated proposal content (text)
Carrier Quote Data — Insurance quote information uploaded by Customer:
- Carrier name, premium amounts, coverage terms
- Text extracted from uploaded quote documents (PDFs)
- AI-generated summaries and structured comparison data
Usage Data — Technical information generated during Service use:
- Device type, browser/user agent string
- IP address
- Page interaction events (for rate limiting and abuse prevention)
Permitted Purposes
Processing of Personal Information is limited to:
- Service delivery: Generating proposals, extracting quote data, delivering proposals via email;
- Billing: Processing payment information (via Stripe, our payment subprocessor);
- Abuse prevention: Rate limiting and security monitoring;
- Service improvement: Aggregate, de-identified analytics to improve the Service. No individual user data is used for model training.
ClearQuote does not engage in secondary use, cross-context behavioral advertising, or sale of Personal Information.
Subprocessors
ClearQuote uses subprocessors to provide the Service. The current list of subprocessors, including each subprocessor's role, data processed, and location, is available in the ClearQuote Subprocessor List.
By using the Service, Customer consents to ClearQuote engaging the subprocessors listed in the Subprocessor List.
Subprocessor Changes: ClearQuote will notify Customer by email at least 30 days before:
- Engaging any new subprocessor; or
- Making a material change to the data processing role of an existing subprocessor.
Customer may object to a new or changed subprocessor by terminating their account in accordance with the Terms of Service before the effective date of the change.
Confidentiality
Access to Personal Information is limited to ClearQuote personnel and automated systems that require it to provide the Service. All personnel with access to Personal Information are subject to confidentiality obligations.
Breach Notification
In the event of a confirmed Breach affecting Customer's Personal Information, ClearQuote will:
(a) Notify affected Customer(s) without unreasonable delay, and in any event within 72 hours of confirming the Breach;
(b) Provide notification that includes, to the extent then known:
- The nature and scope of the Breach;
- The categories and approximate number of individuals and records affected;
- Measures taken or planned to contain, remediate, and prevent recurrence;
- Contact information for follow-up questions (security@clearquoteapp.com).
What constitutes a notifiable Breach: Unauthorized access to data in the agencies, proposals, or carrier_quotes database tables, or the uploads storage bucket. Infrastructure alerts (failed login attempts, blocked rate-limited requests) are not notifiable Breaches.
Data Return and Deletion
Upon termination of Customer's account:
(a) ClearQuote retains Customer Data for 30 days after termination to allow Customer to export their data upon request;
(b) After 30 days, Customer Data (proposals, carrier quotes, agency profile, client data) is permanently deleted from ClearQuote's systems;
(c) Stripe retains payment records per its own data retention policies and legal obligations. Stripe's retention practices are governed by Stripe's DPA and applicable financial regulations, not by this DPA.
Geographic Scope
This DPA covers processing within the United States. ClearQuote does not transfer Personal Information outside the United States. All subprocessors operate in US regions. This DPA is US-scoped; no cross-border data transfer mechanisms are applicable.
Security Exhibit: GLBA Safeguards Service-Provider Measures
ClearQuote, as a service provider, maintains the following security measures to support Customer's compliance with applicable regulations, including the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule (16 CFR Part 314). These measures are based on ClearQuote's current security posture as documented in our internal security audit.
| Security Measure | Description | Evidence |
|---|---|---|
| Encryption at Rest | All database tables encrypted with AES-256 (Supabase hosted on AWS us-east-1) | SECURITY-AUDIT.md AUD-05 |
| Encryption in Transit | TLS enforced on all connections — application, database, and API. SSL enforcement enabled at the database layer. | SECURITY-AUDIT.md AUD-05 |
| Access Control | Row-Level Security (RLS) enforced on all 13 database tables and 5 storage policies; automated regression tests (pgTAP) verify RLS correctness on every CI run | SECURITY-AUDIT.md AUD-05; Phase 22 INV-07 |
| Rate Limiting | Sliding-window rate limits on authentication, password reset, AI generation, file upload, and other sensitive endpoints (6 endpoints covered) | Phase 24 FIX-05 |
| Automated Security Scanning | CI pipeline runs npm audit (dependency vulnerability scanning), Gitleaks (secrets detection), and Semgrep (SAST static analysis) on every code change | Phase 22 INV-06 |
| Content Security Policy | CSP in enforcing mode, restricting script sources, frame ancestors, and other resource loading | Phase 24 FIX-03 |
| Input Sanitization | User-generated content (proposal markdown) sanitized via rehype-sanitize before rendering, preventing XSS | Phase 24 FIX-01 |
| Webhook Verification | Stripe webhook signatures verified using STRIPE_WEBHOOK_SECRET on every incoming webhook request | SECURITY-AUDIT.md |
| Service Key Isolation | Supabase service-role key restricted to a single authenticated call site (the Stripe webhook handler), with handler-level secret validation | SERVICE_ROLE_INVENTORY.md |
Current limitations (as of April 2026): ClearQuote does not currently maintain SOC 2 certification, a formal business continuity plan, or a paid external penetration testing program. We do not have a formal employee security training program (ClearQuote is currently operated as a solo-developer SaaS). This exhibit reflects our actual security posture. We update our security practices as our business grows and will notify Customers of material changes.
RCW 48.135 Awareness
Customers operating as licensed insurance producers in Washington State may have obligations under RCW 48.135 (Washington State Insurance Data Security Law). ClearQuote's security measures described in the Security Exhibit are designed to support Customer's compliance with these requirements.
This DPA does not replace Customer's obligation to maintain their own information security program as required by applicable state law. Washington State producers are solely responsible for assessing whether ClearQuote's service-provider measures satisfy the requirements of their own information security program under RCW 48.135.
Contact
For data processing inquiries: support@clearquoteapp.com
For security matters (including breach reports): security@clearquoteapp.com