GDPR Compliance - ClickSafe.ai | ClickSafe - Guard your online journey!

Last updated: 2024-08-27

ClickSafe has made commercially reasonable efforts to provide detailed overview of our GDPR compliance and how ClickSafe supports your business to operate within the confines of this regulation. Especially when it comes to customer data and its verification through the ClickSafe Website Analytics Service. But it is still advised to engage services of a legal counsel to have a better understanding of GDPR compliance and the liabilities that come along with it for your organization. The following compliance guide is the practices, procedures and upgrades introduced in the internal working of ClickSafe to make its services GDPR complaint. Here is a summary of GDPR sections that are applicable to users of ClickSafe services. Cookies GDPR only allows collection of user data for a legal reason. ClickSafe only collects data for verification purposes as per the legal agreement signed by ClickSafe and its customers in the Terms of Use. This data will be limited to verification of the credentials, identity or any other related verification that was required by our customers to be provided as per the legal agreement. Lawful Basis GDPR only allows collection of user data for a legal reason. ClickSafe only collects data for verification purposes as per the legal agreement signed by ClickSafe and its customers in the Terms of Use. This data will be limited to verification of the credentials, identity or any other related verification that was required by our customers to be provided as per the legal agreement. We have even added a consent button at the form where a customer is supposed to fill its identification details. We also provide the option for customers to go through our data protection, privacy policy and Terms & Conditions, to ensure full transparency. Deletion GDPR requires ClickSafe to forget and delete the user data when requested by the user. ClickSafe has taken steps to provide full control to the end-users about their data that they have submitted for identity verification for login. This can be deleted via their account settings or contacting a Customer Service Representative via chat or email. ClickSafe Plan for GDPR Compliance ClickSafe Users and Enterprise partners should feel confident that we are both knowledgeable and compliant with General Data Protection Regulation (GDPR) that are under our control. This directive set by the European Union, a legislation that set forth guidelines regarding how information is collected and how it is processed and used. The GDPR legislation was formed to harmonize data privacy laws across Europe. Empowering all EU citizen’s data privacy in the process, and to reshape how organizations approach data privacy in a secure and transparent manner. At ClickSafe, we deploy commercially reasonable efforts to assist our users, businesses and our clients. To help them understand, what the GDPR means for their businesses and to assist them in establishing a compliant process of their own. Considering that aspect, we have made great improvements to our ClickSafe platform to ensure that we stand at par with the critical components of GDPR measures. The ClickSafe Process: Let us say that Daniel Shopper is a potential customer and lives in France. He is called the Data Subject, and the service provider, is called the Controller of his data. Since ClickSafe is verifying the credentials of Daniel, then that makes ClickSafe, the Processor. How Daniel might interact with ClickSafe:

An Enterprise partner integrates ClickSafe with their online business/portal/app
Daniel approaches the Online Business and is redirected to a landing page where ClickSafe Verification is carried out.
Or Daniel goes directly to clicksafe.ai and enters relevant credentials (email address and password)
ClickSafe uses STRIPE for payment collections, so ClickSafe does NOT retain any Credit or Debit card info.
ClickSafe does NOT collect Date of Birth, Physical Address, Social Security Numbers or other overly sensitive PII (Personal Identifiable Information).
Based on the results of a verification of Daniels username and password only, he is Verified or Not Verified to use the ClickSafe service.

All the above stated steps gather user data from the Data Subject on behalf of Controller that is passed on to Processor. Following are various aspects of our data protection policy, privacy policy and Terms & Conditions that control the entire process, under the guidelines of GDPR User Data User Data means any data, content, code, video, images, or other materials of any type that User uploads, submits or otherwise transmits to or through Services. User will retain all right, title, and interest in and to User Data in the form provided to clicksafe.ai. ClickSafe stores data on industry secured servers located in EEA zone, and are monitored. Subject to the terms of this Agreement, you hereby grant to ClickSafe a non-exclusive, worldwide, royalty-free right to: (a) collect, use, copy, store, and transmit User Data, in each case solely to the extent necessary to provide the applicable Services to Client (b) Client hereby grants to ClickSafe all necessary rights to use, reproduce, modify, create derivative works from, distribute, perform, transmit and display the User solely to the extent necessary to provide the Services which will include the right for ClickSafe to grant equivalent rights to its service providers that perform services that form part of or are otherwise used to perform the Services. Access to Data The Services may delete any stored items in storage upon expiration or termination of this Agreement. ClickSafe will have no responsibility or liability for storing and deleting items in accordance with our Terms of Use agreement. User Data Collected by ClickSafe You may instruct us to provide you with any personal information we hold about you; ClickSafe only collects the following information (mostly nonapplicable to GDPR):

ip address
username
password (hash encrypted)
email address
timezone created_at time
google_token
blog_posts_read
stripe_id for ClickSafe to verify payment was made for accessing the service
selected_language
two_factor_auth

In practice, you will usually either expressly agree in advance to our use of your personal information for marketing purposes, or we will provide you with an opportunity to opt out of the use of your personal information for ClickSafe marketing purposes. ClickSafe DOES NOT SELL any user data. Automated decision-making We may use your personal data for the purposes of automated decision-making in relation to our website analytics service. This automated decision-making will involve checking the info provided by you and matching that with the identity information provided by you. Identity Verification ClickSafe employs simple user named accounts, email address and password only. Unless otherwise stated in the Standard Agreement, the Verifications parameters include:

User Name
Email address
Customized Service parameters (Paid Plans)

Users Individual Rights Request The GDPR enhances the rights of individuals in several ways. Access and Privileges User can request access to the personal data they have shared with ClickSafe about their account. Personal data is anything identifiable, like his name and email address. If they requests access, ClickSafe (as the processor) will provide a copy of the data, in most cases in machine-readable format (e.g. CSV or XLS). A client can seek access to their data by asking ClickSafe of what they require at legal@clicksafe.ai. We at ClickSafe believe to be at legal and moral obligation to facilitate any manner of an individual rights request. Modification In the manner same as accessing information, user can request ClickSafe to modify their personal data, if it is inaccurate, incomplete or requires any sort modification or amendment. The GDPR requires that a company be able to accommodate modification requests, as and when required. Deletion Under the GDPR, users have the right to request that ClickSafe delete all personal data it has collected from them. GDPR requires ClickSafe to permanently remove users contact from their database, including verification results, all personal information, saved images/video, form submission data and credit card data. In a GDPR compliant manner, a client can seek to have their data deleted by querying ClickSafe at legal@clicksafe.ai. The Data protection officer at ClickSafe will respond back within a 30-day period. DATA PROCESSING AGREEMENT 1. BACKGROUND Bluvio Software Studio LLP provides ClickSafe Website Analytics Services for EU based enterprises that can provide accounts for employees and other individuals. According to the GDPR such process requires the implementation of data processing agreement ( “DPA” ) and, in case of international transfers, standard contractual clauses ( “SCC” or “UK SCC” ) between the Processor and the Controller. Annex A of this DPA forms the SCC or UK SCC between Controller and Processor. This DPA and SCC applies to the extent where data is regarded as personal data by EU General Data Protection Regulation (EU) 2016/679 (GDPR). ClickSafe Inc. representative in terms of GDPR is ClickSafe Estonia OÜ, the legal entity established in Estonia, address Telliskivi tn 60a/8, 10412, registry code 16183126. The client hereby instructs ClickSafe Inc. to process the data as described in this DPA. 2. PARTIES Client ( “Data Controller” or “Controller” ) and ClickSafe ( “Data Processor” or “Processor” ) 3. PERSONAL DATA 3.1. The personal data of individuals transferred by the Controller to the Processor during the implementation of ClickSafe Website Analytics Services. 3.2. No biometrics or other type of special categories of data is processed to provide ClickSafe Website Analytics Services. 3.3. Categories and Purposes of Data Processing: 3.3.1. Enterprises (Controllers) can create multiple accounts for employees and other individuals. During the sign up of the accounts, the Controller transfer to Processor usernames and email addresses. Any other personal data (ip address, password hash encrypted, timezone created_at time, google_token, blog_posts_read, stripe_id for ClickSafe to verify payment was made for accessing the service, selected_language, two_factor_auth) is created automatically during the sign-up process and is not, therefore, part of this DPA. 3.3.2. Browsing history and website content that you're viewing are never stored or captured by the Processor unless the Client requests otherwise. In the latter situation, the content is stored for 30 days period. Therefore the Processor does not by default process any personal data attached to any type of content. 4. SERVICE This DPA covers ClickSafe’s Website Analytics Services provided by the Processor. 5. CONTROLLER OBLIGATIONS 5.1. Controller is responsible for having valid legal grounds for the use of employees or individuals data while importing data subjects’ personal data to Processor. 5.2. Controller is responsible for sufficient notifications and transparency in place for data subjects to be informed of the use of ClickSafe Website Analytics Services. 6. PROCESSOR OBLIGATIONS 6.1. Processor processes Controller’s data only for the purpose of providing, supporting and improving Processor’s services, using appropriate technical and organizational security measures. Processor will not use or process the Controller’s data for any other purpose 6.2. Processor ensures that its employees and any sub-processors are required to comply with and acknowledge and respect the confidentiality of the Controller’s data. 6.3. If Processor intends to engage sub-processors to help it satisfy its obligations in accordance with this DPA or to delegate all or part of the processing activities to such Sub-processors, Processor will enter into contractual arrangements with such sub-processors binding them to provide the same level of data protection, and information security to that provided for herein. 6.4. Processor obtains the prior written consent of Controller to such subcontracting, such consent to not be unreasonably withheld if parties have agreed upon. The consent shall not be required for those Sub-processors (service providers) listed in Annex of this DPA (this Annex may be provided on the Processor’s website). 6.5. Processor will inform Controller if Processor becomes aware of any legally binding request for disclosure of Controller’s data by a law enforcement authority unless Processor is otherwise forbidden by law to inform Controller. 6.6. Any complaint or request (in particular, requests for access to, rectification or blocking of Controller’s data) received directly from data subjects of Controller, Processor will not respond to any such request without Controller’s prior written authorization. 6.7. Processor will provide reasonable assistance to Controller regarding the investigation of personal data breaches and the notification to the supervisory authority and Controller's data subjects regarding such personal data breaches. 6.8. Processor will provide reasonable assistance to Controller where appropriate, for the preparation of data protection impact assessments and, where necessary, carrying out consultations with any supervisory authority. 6.9. Processor will maintain appropriate organizational and technical security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, encryption of Controller’s data to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction. 6.10. Processor will notify Controller of any personal data breach by Processor, its sub-processors, or any other third parties acting on Processor’s behalf without undue delay and in any event within 48 hours of becoming aware of a breach. 6.11. If Processor is required by Data Protection Requirements to process any Controller Personal Data for a reason other than providing the services described in the Service Terms and Conditions, Processor will inform Controller of this requirement in advance of any Processing, unless Processor is legally prohibited from informing Controller of such Processing (e.g., as a result of secrecy requirements that may exist under applicable laws). 7. LIABILITY 7.1. Processor shall have no liability to the extent that a claim has arisen due to any act or omission not attributable to the Processor. 7.2. Processor shall be liable for damage caused in the course of processing if it has not complied with the requirements of the applicable legislation specifically addressed to the Processor, or if it has not complied with or acted against the lawful instructions of the Controller by this DPA. 7.3. If the processing is determined by the Processor, then the Processor shall be considered as a data controller in respect of that processing and be liable for infringements under the applicable laws. 7.4. Any person who has suffered material or non-material damage as a result of an infringement of this DPA shall have the right to receive compensation from the Controller or Processor for the damage suffered. 7.5. Controller involved in processing shall be liable for the damage caused by processing which infringes this DPA. Processor shall be liable for the damage caused by processing only where it has not complied with obligations of this DPA specifically directed to Processor or where it has acted outside or contrary to lawful instructions of the Controller. 7.6. Controller or Processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage. 7.7. Where both Controller and Processor are responsible for any damage caused by processing, they shall be held liable for the entire damage in order to ensure effective compensation of the data subject. 7.8. Where a Controller or Processor has paid full compensation for the damage suffered, it shall be entitled to claim back from the other liable party involved in the same processing that part of the compensation corresponding to their part of the responsibility for the damage. 8. DATA RETURN AND DELETION The parties agree that on the termination of the data processing services or upon Controller’s reasonable request, Processor shall, and shall cause any sub-processors to, at the choice of Controller, return all the Controller personal data and copies of such data to Controller or securely destroy them and demonstrate to the satisfaction of Controller that it has taken such measures unless data protection requirements prevent Processor from returning or destroying all or part of the Controller personal data disclosed. In such a case, Processor agrees to preserve the confidentiality of the Controller personal data retained by it and that it will only actively process such Controller Personal Data after such date in order to comply with applicable laws. 9. TERM This DPA shall remain in effect as long as Processor carries out personal data processing on behalf of the Controller or until the termination of the service agreement. 10. DISPUTE RESOLUTION Disputes arising from or related to this DPA shall be resolved through negotiations. In case of failure of negotiations, disputes will be settled in Harju County Court on the basis of legislation in force in the Republic of Estonia. ANNEX A STANDARD CONTRACTUAL CLAUSES Client and ClickSafe acknowledges that to the personal data transfer from EU/EEA to USA or UK to USA, the full text of EU Standard Contractual Clauses (“SCC”) or UK Standard Contractual Clauses (“UK SCC”) apply to such processing. The full text of the SCC is available here. This Annex serves as reference between ClickSafe Data Processing Agreement, (“DPA”) (provided to the Clients by default while using ClickSafe Inc. services) and SCC on Clauses where additional information needs to be provided. ClickSafe Inc. representative in terms of GDPR and SCC is ClickSafe Estonia OÜ, the legal entity established in Estonia, address Telliskivi tn 60a/8, 10412, registry code 16183126. 1. Definitions “DPA” means Data Processing Agreement between Client as data Controller and ClickSafe Inc. as data Processor “EC” means the European Commission “EEA” means the European Economic Area “SCC” means 2021 Standard Contractual Clauses approved by the European Commission in decision 2021/914. “UK SCC” means: (a) Standard Contractual Clauses for data controller to data processor transfers approved by the European Commission in decision 2010/87/EU (“UK Controller to Processor SCCs”), and (b) Standard Contractual Clauses for data controller to data controller transfers approved by the European Commission in decision 2004/915/EC (“UK Controller to Controller SCCs”). 2. Cross Border Data Transfer Mechanism. 2.1 UK SCC. The parties agree that the UK SCC will apply to personal data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for personal data. For data transfers from the United Kingdom that are subject to the UK SCC, the UK SCC will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows: (a) The UK Controller to Processor SCCs will apply where ClickSafe is processing Client Content. The illustrative indemnification clause will not apply. Section 3 of this DPA serves as Appendix I of the UK Controller to Processor SCCs. Section 6.9 of this DPA serves as Appendix II of the UK Controller to Processor SCCs. (b) The UK Controller to Controller SCCs will apply where ClickSafe is processing Client Account Data or Client Usage Data. In Clause II(h) of the UK Controller to Controller SCCs, ClickSafe will process personal data in accordance with the data processing principles set forth in Annex A of the UK Controller to Controller SCCs. The illustrative commercial clause will not apply. Section 3 of this DPA serves as Annex B of the UK Controller to Controller SCCs. Personal data transferred under these clauses may only be disclosed to the following categories of recipients: (i) ClickSafe’s employees, agents, affiliates, advisors, and independent contractors with a reasonable business purpose for processing such personal data; (ii) ClickSafe vendors that, in their performance of their obligations to ClickSafe, must process such personal data acting on behalf of and according to instructions from ClickSafe; and (iii) any person (natural or legal) or organization to whom ClickSafe may be required by applicable law or regulation to disclose personal data, including law enforcement authorities and central and local government authorities. 2.2 SCC. The parties agree that the SCC will apply to personal data that is transferred via the Services from the EEA or Switzerland, either directly or via onward transfer, to any country or recipient outside the EEA or Switzerland that not recognized by the EC (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for personal data. For data transfers from the EEA that are subject to the SCC, the SCC will be deemed entered into (and incorporated into this Annex by this reference) and completed as follows: (a) Module One (Controller to Controller) of the SCC will apply where (i) ClickSafe is processing Client Account Data and (ii) Client is a controller of Client Usage Data and ClickSafe is processing Client Usage Data. (b) Module Two (Controller to Processor) of the SCC will apply where Client is a controller of Client Content and ClickSafe is processing Client Content. (e) For each Module, where applicable: (i) in Clause 7 of the SCC, the optional docking clause will not apply; (ii) in Clause 9 of the SCC, Option 2 will apply and the time period for prior notice of sub-processor changes will be as set forth in Section 6.4 of the DPA; (iii) in Clause 11 of the SCC, the optional language will not apply; (iv) in Clause 17 (Option 1), the SCC will be governed by Estonian law; (v) in Clause 18(b) of the SCC, disputes will be resolved before the courts of Estonia; (vi) in Annex I, Part A of the SCC: Data Exporter: Client Contact details: The email address(es) designated by Client in Client’s account via its notification preferences. Data Exporter Role: The Data Exporter’s role is set forth in Section 4 of the DPA. Signature and Date: By entering into the Agreement, Data Exporter is deemed to have signed these SCC incorporated herein, including their Annexes, as of the Effective Date of the DPA. Data Importer: ClickSafe Contact details: legal@clicksafe.ai Data Importer Role: The Data Importer’s role is set forth in Section 3 of the DPA. Signature and Date: By entering into the DPA, Data Importer is deemed to have signed these SCC, incorporated herein, including their Annexes, as of the Effective Date of the DPA. (vii) in Annex I, Part B of the SCC: The categories of data subjects are described in Section 3.3 of the DPA. The sensitive data transferred is described in Section 3.2 of the DPA. The frequency of the transfer is a continuous basis for the duration of the DPA. The nature of the processing is described in Section 3 of the DPA. The purpose of the processing is described in Section 3.3 of the DPA. The period for which the personal data will be retained is described in Section 8 of the DPA. For transfers to sub-processors, the subject matter, nature, and duration of the processing is set forth at Section 6.2, 6.3, 6.4 of the DPA. (viii) in Annex I, Part C of the SCC: the Estonian Data Protection Inspectorate will be the competent supervisory authority. (ix) Schedule 6.9 of the DPA serves as Annex II of the SCC. 2.3 Conflict. To the extent there is any conflict between the SCC, and any other terms in this Annex,, the DPA, or the Privacy Policy, the provisions of the SCC will prevail. 3. Juristiction Specific Terms. United Kingdom: 3.1 References in this DPA to GDPR will to that extent be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018). 3.2 When ClickSafe engages a sub-processor under Section 6 of this DPA, it will: (a) require any appointed sub-processor to protect the Client Content to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and (b) require any appointed sub-processor to (i) agree in writing to only process personal data in a country that the United Kingdom has declared to have an “adequate” level of protection or (ii) only process personal data on terms equivalent to the Standard Contractual Clauses or pursuant to a Binding Corporate Rules approval granted by competent United Kingdom data protection authorities. 3.3 Notwithstanding anything to the contrary in this DPA or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any UK GDPR fines issued or levied under Article 83 of the UK GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the UK GDPR. 3.4 Client acknowledges that ClickSafe, as a controller, may be required under Applicable Data Protection Law to notify a regulatory authority of Security Incidents involving Client Usage Data. If a regulatory authority requires ClickSafe to notify impacted data subjects with whom ClickSafe does not have a direct relationship (e.g., Client’s end users), ClickSafe will notify Client of this requirement. Client will provide reasonable assistance to ClickSafe to notify the impacted data subjects. 4. Local laws affecting compliance with the clause The following clauses apply to the data stored by ClickSafe as data Processor which means that only the content up to 30 days period is considered. 4.1. The Parties warrant that they have no reason to believe that the laws in the United States applicable to the processing of the personal data by ClickSafe, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent ClickSafe from fulfilling its obligations under these clauses. This is based on the understanding that laws that respect the essence of the fundamental rights and freedoms do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) GDPR, are not in contradiction with the clauses. 4.2. The parties declare that they have taken due account in particular of the following elements: (i) the specific circumstances of the transfer, including the content and duration of the contract; the scale and regularity of transfers; the length of the processing chain, the number of actors involved and the transmission channels used; the type of recipient; the purpose of processing; the nature of the personal data transferred; any relevant practical experience with prior instances, or the absence of requests for disclosure from public authorities received by the data importer for the type of data transferred; (ii) the laws of the United States, including those requiring to disclose data to public authorities or authorizing access by such authorities, as well as the applicable limitations and safeguards; (iii) any safeguards in addition to those under these clauses, including the technical and organizational measures applied during transmission and to the processing of the personal data in the United States. 4.3. ClickSafe warrants that it has made best efforts to provide the Client with relevant information and agrees that it will continue to cooperate with the Client in ensuring compliance with these clauses. The parties agree to document the assessment and make it available to the competent supervisory authority upon request. 4.4. ClickSafe agrees to promptly notify the Client if, after having agreed to these clauses and for the duration of the DPA, it has reason to believe that it is or has become subject to laws not in line with the requirements, including following a change of the laws the United States a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements under paragraph 3.1. 4.5. If the Client otherwise has reason to believe that ClickSafe can no longer fulfil its obligations under the clauses, the Client shall promptly identify appropriate measures (such as, for instance, technical or organizational measures to ensure security and confidentiality) to be adopted by the Client and / or ClickSafe to address the situation, if appropriate in consultation with the competent supervisory authority. If the Client decides to continue the transfer, based on its assessment that these additional measures will allow ClickSafe to fulfill its obligations under the clauses, the Client shall forward the notification to the competent supervisory authority together with an explanation, including a description of the measures taken. The Client shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the Client shall inform the competent supervisory authority and shall be entitled to terminate the DPA. 5. Obligations of the Processor in case of government access requests 5.1. ClickSafe agrees to promptly notify the Client and, where possible, the data subject (if necessary with the help of the Client) if it: (i) receives a legally binding request by a public authority under the laws of the country of the United States for disclosure of personal data transferred pursuant to these clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; (ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these clauses in accordance with the laws of the United States; such notification shall include all information available to ClickSafe. 5.2. If ClickSafe is prohibited from notifying the Client and / or the data subject, ClickSafe agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicate as much information and as soon as possible. ClickSafe agrees to document its best efforts in order to be able to demonstrate them upon request of the Client. 5.3. To the extent permissible under the laws of the United States, ClickSafe agrees to provide to the Client, in regular intervals for the duration of the DPA, the greatest possible amount of relevant information on the requests received (in particular, number of requests, type of data requested, requesting authority or authorities, whether requests have been challenged and the outcome of such challenges, etc.). 5.4. ClickSafe agrees to preserve the information for the duration of the DPA and make it available to the competent supervisory authority upon request. 5.5. Clauses 4.1 to 4.3 are notwithstanding the obligation of ClickSafe to promptly inform the Client where it is unable to comply with these clauses. 6. Review of legality and data minimization 6.1. ClickSafe agrees to review, under the laws of the United States, the legality of the request for disclosure, notably whether it remains within the powers granted to the requesting public authority and to challenge the request if it concludes that there are grounds under the laws of the United States to do so. When challenging a request, ClickSafe shall seek interim measures with a view to suspend the effects of the request until the court has decided on the merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. 6.2. ClickSafe agrees to document its legal assessment as well as any challenge to the request for disclosure and, to the extent permissible under the laws of the United States, make it available to the Client. It shall also make it available to the competent supervisory authority upon request. 6.3. ClickSafe agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.