Last updated: April 23, 2026
Effective: April 23, 2026
ClearQuote Data Processing Addendum
Last updated: April 23, 2026
This Data Processing Addendum ("DPA") governs how ClearQuote processes Personal Information and Nonpublic Personal Information (NPI) on behalf of Customer in connection with the ClearQuote service. This DPA is incorporated into and forms part of the ClearQuote Terms of Service.
Defined Terms
"Customer" or "Data Controller" means the licensed insurance agent or producer who uses the ClearQuote Service.
"ClearQuote" or "Data Processor" means the ClearQuote service, a product of Pix Design, LLC (the operator of the Service).
"Personal Information" means information that identifies, relates to, describes, or is reasonably capable of being associated with an individual, as further defined in the ClearQuote Privacy Policy.
"NPI" or "Nonpublic Personal Information" means personally identifiable financial and insurance information, as defined under the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. § 6801 et seq.
"Processing" means any operation performed on Personal Information, including collecting, storing, using, accessing, disclosing, or deleting it.
"Subprocessor" means a third-party service provider engaged by ClearQuote to process Personal Information on behalf of Customer as part of delivering the Service.
"Breach" means an unauthorized acquisition, access, use, or disclosure of Personal Information or NPI that compromises the security, confidentiality, or integrity of such information.
"Service" means the ClearQuote software-as-a-service platform for insurance proposal generation and delivery.
Scope and Purpose
This DPA governs ClearQuote's processing of Personal Information and NPI on behalf of Customer to provide the Service. ClearQuote processes data solely to deliver the Service as described in the Terms of Service — specifically, to enable insurance agents to generate AI-written proposals from carrier quotes and deliver them to clients via email, and to monitor and respond to inbound support and security emails via an autonomous feedback agent (bug triage, code fix generation, and operator notification).
ClearQuote does not process Personal Information for its own independent purposes beyond what is necessary to provide the Service.
Customer Obligations (Data Controller)
Customer is the Data Controller for all client data uploaded to or processed by the Service. As Data Controller, Customer is responsible for:
(a) Ensuring a lawful basis exists for collecting client insurance information and sharing it with the Service;
(b) Compliance with applicable regulations governing the collection, use, and protection of client insurance data, including:
- The GLBA Safeguards Rule (16 CFR Part 314) for agents who meet the definition of "financial institution" under GLBA;
- Applicable state insurance data security laws, including RCW 48.135 for Washington State licensed producers;
(c) Informing clients about the use of the Service to generate proposals where required by applicable law or professional obligation.
ClearQuote supports, but does not replace, Customer's compliance program. Customers operating as licensed insurance producers remain solely responsible for their own regulatory compliance obligations.
ClearQuote Obligations (Data Processor)
ClearQuote will:
(a) Process Personal Information only as instructed by Customer and as necessary to provide the Service;
(b) Not sell, share, or use Personal Information for any purpose other than providing the Service, including not using client data for AI model training;
(c) Maintain security measures as described in the Security Exhibit below;
(d) Notify Customer of any confirmed Breach as described in the Breach Notification section;
(e) Ensure that personnel with access to Personal Information are bound by confidentiality obligations.
Data Types Processed
ClearQuote processes the following categories of data on behalf of Customer:
Agent Account Data — Information about the insurance agent using the Service:
- Name, email address, phone number, agency name
- Insurance producer license number
- Agency logo and branding (if uploaded)
Client Proposal Data — Information about the insurance clients for whom proposals are generated:
- Client name and email address
- Insurance product type
- AI-generated proposal content (text)
Carrier Quote Data — Insurance quote information uploaded by Customer:
- Carrier name, premium amounts, coverage terms
- Text extracted from uploaded quote documents (PDFs)
- AI-generated summaries and structured comparison data
Usage Data — Technical information generated during Service use:
- Device type, browser/user agent string
- IP address
- Page interaction events (for rate limiting and abuse prevention)
Inbound Support and Security Email Data — Subject lines and sanitized body content (first 1000 characters, with sender metadata excluded) from emails sent to support@clearquoteapp.com and security@clearquoteapp.com. This data is processed for bug classification and security triage purposes by the autonomous feedback agent.
- Email subject (extracted verbatim)
- Email body preview (first 1000 characters of text content; HTML stripped)
- Gmail message ID (for deduplication)
- AI-derived triage metadata (classification, severity, confidence, AI-generated summary, reproduction steps)
Triage metadata is stored in a local agent-state SQLite database (agent-data/state.db) and is retained indefinitely until manually purged (see also Privacy Policy § Data Retention). A future product update will add a rolling retention window (v2 backlog item RETENTION-01).
Permitted Purposes
Processing of Personal Information is limited to:
- Service delivery: Generating proposals, extracting quote data, delivering proposals via email;
- Billing: Processing payment information (via Stripe, our payment subprocessor);
- Abuse prevention: Rate limiting and security monitoring;
- Service improvement: Aggregate, de-identified analytics to improve the Service. No individual user data is used for model training.
- Autonomous feedback processing: Processing inbound support and security emails to classify reported issues (using AI triage), generate code fixes for qualifying bug reports (using Claude Code), and submit those fixes as GitHub pull requests — all without direct human intervention in the pipeline. Processing for this purpose is limited to emails sent to ClearQuote's official support and security aliases.
ClearQuote does not engage in secondary use, cross-context behavioral advertising, or sale of Personal Information.
Subprocessors
ClearQuote uses subprocessors to provide the Service. The current list of subprocessors, including each subprocessor's role, data processed, and location, is available in the ClearQuote Subprocessor List.
By using the Service, Customer consents to ClearQuote engaging the subprocessors listed in the Subprocessor List.
Subprocessor Changes: ClearQuote will notify Customer by email at least 30 days before:
- Engaging any new subprocessor; or
- Making a material change to the data processing role of an existing subprocessor.
Customer may object to a new or changed subprocessor by terminating their account in accordance with the Terms of Service before the effective date of the change.
Confidentiality
Access to Personal Information is limited to ClearQuote personnel and automated systems that require it to provide the Service. All personnel with access to Personal Information are subject to confidentiality obligations.
Breach Notification
In the event of a confirmed Breach affecting Customer's Personal Information, ClearQuote will:
(a) Notify affected Customer(s) without unreasonable delay, and in any event within 72 hours of confirming the Breach;
(b) Provide notification that includes, to the extent then known:
- The nature and scope of the Breach;
- The categories and approximate number of individuals and records affected;
- Measures taken or planned to contain, remediate, and prevent recurrence;
- Contact information for follow-up questions (security@clearquoteapp.com).
What constitutes a notifiable Breach: Unauthorized access to data in the agencies, proposals, or carrier_quotes database tables, or the uploads storage bucket, or the agent-data/state.db agent state database (which stores triage metadata derived from inbound support and security emails). Infrastructure alerts (failed login attempts, blocked rate-limited requests) are not notifiable Breaches.
Data Return and Deletion
Upon termination of Customer's account:
(a) ClearQuote retains Customer Data for 30 days after termination to allow Customer to export their data upon request;
(b) After 30 days, Customer Data (proposals, carrier quotes, agency profile, client data) is permanently deleted from ClearQuote's systems;
(c) Stripe retains payment records per its own data retention policies and legal obligations. Stripe's retention practices are governed by Stripe's DPA and applicable financial regulations, not by this DPA.
Geographic Scope
This DPA covers processing within the United States. ClearQuote does not transfer Personal Information outside the United States. All subprocessors operate in US regions. This DPA is US-scoped; no cross-border data transfer mechanisms are applicable.
Security Exhibit: GLBA Safeguards Service-Provider Measures
ClearQuote, as a service provider, maintains the following security measures to support Customer's compliance with applicable regulations, including the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule (16 CFR Part 314). These measures are based on ClearQuote's current security posture as documented in our internal security audit.
| Security Measure | Description | Evidence |
|---|---|---|
| Encryption at Rest | All database tables encrypted with AES-256 (Supabase hosted on AWS us-east-1) | SECURITY-AUDIT.md AUD-05 |
| Encryption in Transit | TLS enforced on all connections — application, database, and API. SSL enforcement enabled at the database layer. | SECURITY-AUDIT.md AUD-05 |
| Access Control | Row-Level Security (RLS) enforced on all 13 database tables and 5 storage policies; automated regression tests (pgTAP) verify RLS correctness on every CI run | SECURITY-AUDIT.md AUD-05; Phase 22 INV-07 |
| Rate Limiting | Sliding-window rate limits on authentication, password reset, AI generation, file upload, and other sensitive endpoints (6 endpoints covered) | Phase 24 FIX-05 |
| Automated Security Scanning | CI pipeline runs npm audit (dependency vulnerability scanning), Gitleaks (secrets detection), and Semgrep (SAST static analysis) on every code change | Phase 22 INV-06 |
| Content Security Policy | CSP in enforcing mode, restricting script sources, frame ancestors, and other resource loading | Phase 24 FIX-03 |
| Input Sanitization | User-generated content (proposal markdown) sanitized via rehype-sanitize before rendering, preventing XSS | Phase 24 FIX-01 |
| Webhook Verification | Stripe webhook signatures verified using STRIPE_WEBHOOK_SECRET on every incoming webhook request | SECURITY-AUDIT.md |
| Service Key Isolation | Supabase service-role key restricted to a single authenticated callsite (Stripe webhook handler) with handler-level secret validation | SERVICE_ROLE_INVENTORY.md |
| Autonomous Agent Safeguards | Sensitive file blocklist (4 path prefixes: Stripe webhook handler, Supabase migrations, Supabase client lib, middleware) prevents the autonomous feedback agent from modifying authentication/billing/RLS files, enforced both in the agent's instructions and by post-execution file inspection. Verification gate (TypeScript compilation + ESLint + production build) must pass before any commit. PR rate cap limits autonomous code changes to 3 per 24-hour period. Agent runs as a user-level LaunchAgent (not root daemon). Temp prompt files are deleted after each Claude Code invocation. | Phase 31 FIX-01; Phase 33 SUMMARYs; agent/src/config.ts; agent/src/fix.ts |
Current limitations (as of April 23, 2026): ClearQuote does not currently maintain SOC 2 certification, a formal business continuity plan, or a paid external penetration testing program. We do not have a formal employee security training program (ClearQuote is currently operated as a solo-developer SaaS). This exhibit reflects our actual security posture. We update our security practices as our business grows and will notify Customers of material changes.
RCW 48.135 Awareness
Customers operating as licensed insurance producers in Washington State may have obligations under RCW 48.135 (Washington State Insurance Data Security Law). ClearQuote's security measures described in the Security Exhibit are designed to support Customer's compliance with these requirements.
This DPA does not replace Customer's obligation to maintain their own information security program as required by applicable state law. Washington State producers are solely responsible for assessing whether ClearQuote's service-provider measures satisfy the requirements of their own information security program under RCW 48.135.
Contact
For data processing inquiries: support@clearquoteapp.com
For security matters (including breach reports): security@clearquoteapp.com