Data Processing Addendum
This Data Processing Addendum ("DPA") is incorporated into and forms part of the CharmIQ Terms of Service available at https://www.charmiq.ai/legal/terms-of-service (the "ToS") or any other written agreement between CharmIQ, Inc. ("CharmIQ") and Customer that references this DPA (collectively, the "Agreement"). This DPA governs CharmIQ's processing of Customer Personal Data in connection with Customer's use of the Services. Capitalized terms used but not defined here have the meanings given in the Agreement.
In the event of a conflict between this DPA and the Agreement, this DPA controls solely with respect to the processing of Customer Personal Data.
1. Definitions
1.1 "Applicable Data Protection Laws" means all privacy and data protection laws and regulations applicable to CharmIQ's processing of Customer Personal Data, including the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA").
1.2 "Customer Personal Data" means personal data contained within Customer Prompts, Generated Content, or other Customer Content submitted to the Services by or for Customer or its Authorized Users.
1.3 "Data Subject Request" means a request from a data subject to exercise their rights under Applicable Data Protection Laws.
1.4 "Security Incident" means a breach of CharmIQ's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data processed by CharmIQ.
1.5 "Sub-processor" means a third party engaged by CharmIQ to process Customer Personal Data in connection with the Services.
1.6 The terms "personal data," "data subject," "processing," "controller," and "processor" have the meanings given by Applicable Data Protection Laws, and include "personal information," "consumer," "business," and "service provider," respectively, as those terms are defined under the CCPA.
2. Roles of the Parties
2.1 With respect to Customer Personal Data, Customer is the controller (or processor, where applicable) and CharmIQ is Customer's processor (or sub-processor, as applicable).
2.2 Each party will comply with its respective obligations under Applicable Data Protection Laws.
2.3 The subject matter, nature, purpose, duration, and categories of data and data subjects are set out in Schedule 1.
3. CharmIQ's Processing Obligations
3.1 Instructions. CharmIQ will process Customer Personal Data only (a) to provide, secure, and maintain the Services, (b) in accordance with Customer's documented instructions (including as set out in the Agreement, this DPA, and Customer's configuration of the Services), and (c) as required by applicable law.
3.2 Restrictions. CharmIQ will not:
(a) sell or share Customer Personal Data (as those terms are defined under Applicable Data Protection Laws);
(b) retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer or for any purpose other than providing the Services; or
(c) combine Customer Personal Data with personal data received from or on behalf of any third party, except as permitted under Applicable Data Protection Laws or to provide the Services.
3.3 Confidentiality. CharmIQ will ensure that any person it authorizes to process Customer Personal Data is subject to an appropriate duty of confidentiality.
3.4 Notice of Non-compliance. CharmIQ will promptly notify Customer if, in its opinion, it can no longer comply with its obligations under this DPA or if an instruction from Customer violates Applicable Data Protection Laws.
4. AI and Model Training
4.1 No Training on Customer Data. CharmIQ does not train, fine-tune, or otherwise use Customer Personal Data, Customer Prompts, or Generated Content to train its own artificial intelligence or machine-learning models.
4.2 Third-Party Model Providers. CharmIQ accesses third-party large language models and other generative AI services as Sub-processors. By default, CharmIQ selects providers that contractually commit not to train on data submitted through their APIs.
4.3 Customer-Selected Providers. Notwithstanding Section 4.2, if Customer explicitly selects or enables a third-party model or service whose terms permit training on submitted data, and CharmIQ has clearly disclosed that permission to Customer (for example, in the Services interface, documentation, or provider selection flow), Customer's continued use of that model or service will constitute instruction to CharmIQ to process Customer Personal Data through that provider on that basis.
4.4 Sensitive Data. CharmIQ does not intend to process special categories of personal data (e.g., health, biometric, racial, or criminal background data). Customer is responsible for any such data it chooses to submit to the Services.
5. Sub-processors
5.1 General Authorization. Customer provides general authorization for CharmIQ to engage Sub-processors listed at https://www.charmiq.ai/legal/subprocessors (the "Sub-processor List").
5.2 Sub-processor Obligations. CharmIQ will: (a) enter into a written agreement with each Sub-processor imposing data-protection obligations substantially as protective as those in this DPA, and (b) remain liable for each Sub-processor's acts and omissions to the same extent CharmIQ is liable for its own under the Agreement.
5.3 New Sub-processors. CharmIQ will notify Customer of any new Sub-processor through an in-product notice, blog post, or update to the Sub-processor List at least thirty (30) days before the new Sub-processor begins processing Customer Personal Data.
5.4 Objection Right. Customer may object to a new Sub-processor on reasonable data-protection grounds by providing written notice to privacy@charmiq.ai within thirty (30) days after CharmIQ's notice. The parties will work in good faith to resolve the objection. If no resolution is reached, Customer's sole and exclusive remedy is to terminate the affected Service and receive a pro-rata refund of any pre-paid fees for the unused portion of the then-current subscription term.
6. Security
6.1 Security Measures. CharmIQ will implement and maintain reasonable and appropriate technical and organizational measures designed to protect Customer Personal Data against a Security Incident, as summarized in Schedule 2. CharmIQ may update these measures from time to time, provided that such updates do not materially reduce the overall security of the Services.
6.2 Security Incidents. CharmIQ will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Security Incident. The notification will include, to the extent known: the nature and scope of the Security Incident, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it. CharmIQ's notification of or response to a Security Incident is not an acknowledgment of fault or liability.
6.3 Customer Cooperation. Customer will reasonably cooperate with CharmIQ's investigation of any Security Incident.
7. Data Subject Requests
7.1 CharmIQ will promptly forward to Customer any Data Subject Request it receives relating to Customer Personal Data. CharmIQ may advise the data subject to submit the request directly to Customer.
7.2 Taking into account the nature of the processing, CharmIQ will provide reasonable assistance to enable Customer to respond to Data Subject Requests, including through the self-service export and deletion functionality available within the Services.
8. Deletion and Return
8.1 During the Term. Customer may export Customer Content at any time through the self-service functionality of the Services. Upon written request to support@charmiq.ai, CharmIQ will provide a full export of Customer Content (documents as Markdown, binary assets in their original formats) within seventy-two (72) hours.
8.2 Upon Termination. Within thirty (30) days after termination or expiration of the Agreement, CharmIQ will delete all Customer Personal Data in its control or possession, except to the extent retention is required by applicable law or reasonably necessary to resolve a dispute, enforce the Agreement, or combat fraud or abuse.
8.3 Developer Plan / Shared Responsibility. For Customers using the Developer (bring-your-own-keys) plan, data synced to Customer-owned infrastructure (e.g., Customer's own Google Cloud Storage buckets or OpenAI Vector Stores) is outside CharmIQ's control. Customer is solely responsible for the lifecycle and deletion of such data.
9. Audit and Compliance
9.1 Security Documentation. Upon Customer's reasonable written request (no more than once every twelve months), and subject to confidentiality obligations, CharmIQ will make available documentation reasonably necessary to demonstrate compliance with this DPA, which may include its Information Security Policy Set summary, security questionnaire responses, and (once available) SOC 2 reports.
9.2 No Onsite Audits. CharmIQ is not obligated to permit onsite audits or inspections. The documentation provided under Section 9.1 is Customer's sole audit right under this DPA.
10. CCPA Service Provider Terms
To the extent Customer Personal Data includes personal information subject to the CCPA, and solely with respect to such information:
10.1 CharmIQ acts as a service provider to Customer. Customer is not providing personal information to CharmIQ in exchange for monetary or other valuable consideration, and no "sale" or "sharing" occurs.
10.2 CharmIQ will comply with Section 3.2 of this DPA and all applicable CCPA requirements for service providers.
10.3 If CharmIQ determines it can no longer meet its CCPA obligations, it will notify Customer, and Customer may take reasonable and appropriate steps to stop or remediate any unauthorized processing.
11. International Transfers
CharmIQ processes Customer Personal Data in the United States. CharmIQ does not currently offer Services in or market Services to customers in the European Economic Area, the United Kingdom, or Switzerland. If CharmIQ expands availability to those regions, this DPA will be updated to include applicable transfer mechanisms (including Standard Contractual Clauses).
12. Liability
The limitations of liability set forth in Section 9 (Limitation of Liability) of the ToS apply to this DPA and to each party's obligations under it. Customer's and CharmIQ's aggregate liability arising from or relating to this DPA is subject to, and counts toward, the cap set forth in Section 9.2 of the ToS. Any separately signed order form or master services agreement between the parties may supersede this Section 12 with respect to that agreement.
13. Miscellaneous
13.1 Governing Law. This DPA is governed by the laws of the State of New York, without regard to conflict-of-laws principles, consistent with Section 12.1 of the ToS.
13.2 Order of Precedence. In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to the processing of Customer Personal Data. All other matters are governed by the Agreement.
13.3 Updates. CharmIQ may update this DPA from time to time to reflect changes in applicable law or its practices. Material changes will be communicated through the Services or by email to the Customer's administrator.
13.4 Contact. Questions about this DPA may be directed to privacy@charmiq.ai or to:
CharmIQ, Inc.
Attn: Privacy
220 N. Green Street, Suite 2011
Chicago, IL 60607
Schedule 1 — Details of Processing
| Item | Description |
|---|---|
| Subject Matter | Provision of the CharmIQ AI-augmented workspace and collaboration Services. |
| Nature and Purpose | Collection, storage, organization, structuring, transmission, and retrieval of Customer Personal Data as part of a natural-language-based, machine-learning-assisted content platform. |
| Duration | The term of the Agreement plus the retention period set forth in Section 8. |
| Categories of Data Subjects | Determined by Customer. Typically includes Customer's employees (Authorized Users) and any individuals referenced in Customer Content. |
| Categories of Personal Data | Determined by Customer. May include names, email addresses, authentication identifiers, professional information, and any personal data contained in documents, prompts, uploads, or generated output. |
| Special Categories | None intended. Customer is responsible for any sensitive data it chooses to submit. |
| Processing Locations | United States (Google Cloud Platform, us-central1 primary). |
| Frequency | Continuous for the duration of the Agreement. |
Schedule 2 — Technical and Organizational Measures
CharmIQ maintains a written Information Security Policy Set (the "Security Program") reviewed at least annually by CharmIQ's Resilience Team. The Security Program includes the policies referenced below, each of which governs the corresponding control domain. CharmIQ may update individual policies, standards, and implementations from time to time, provided that the overall level of protection afforded to Customer Personal Data is not materially diminished.
1. Information Security Program. CharmIQ maintains a formal, documented information security program governed by its Information Security Policy. The program is overseen by CharmIQ's Resilience Team and reviewed at least annually.
2. Access Controls. CharmIQ enforces least-privilege, role-based access to systems that process Customer Personal Data. Access by CharmIQ personnel to production environments requires multi-factor authentication and is provisioned through centralized identity management enabling prompt revocation upon role change or termination. End-user authentication to the Services is delegated to federated identity providers. Controls are maintained in accordance with CharmIQ's Access Controls Policy.
3. Encryption. CharmIQ encrypts Customer Personal Data at rest and in transit using industry-standard cryptographic algorithms and protocols. Credentials and secrets held on behalf of Customer are stored in dedicated secret-management infrastructure or encrypted at rest using per-user derived keys. Standards are reviewed in accordance with CharmIQ's Encryption Policy.
4. Logical Separation. CharmIQ maintains logical separation between Customer environments through database-layer security rules, server-side authorization checks, document-level permission models, and organization-scoped data access. Development and production environments are fully segregated.
5. Vulnerability Management. CharmIQ maintains continuous vulnerability scanning, dependency auditing, and static analysis tooling integrated into its software development lifecycle. Identified vulnerabilities are prioritized by severity and remediated on timelines commensurate with risk, in accordance with CharmIQ's Vulnerability Management / Patch Management Policy.
6. Logging and Monitoring. CharmIQ logs authenticated access to, and operations performed within, systems processing Customer Personal Data. Logs are centrally aggregated and retained for a period appropriate to support incident investigation and audit.
7. Incident Response. CharmIQ maintains a documented Incident Response Policy and Procedures covering classification, containment, evidence preservation, communication, and post-incident review. The program is tested at least annually, including through tabletop exercises that model SaaS-specific threat vectors.
8. Business Continuity and Disaster Recovery. CharmIQ maintains a Disaster Recovery Policy providing for periodic backups, documented recovery procedures, and defined recovery objectives. Backup restoration is tested at least annually.
9. Personnel Security. All CharmIQ personnel are subject to background checks (where legally permitted), are bound by confidentiality obligations, and acknowledge CharmIQ's Acceptable Use Policy and Information Security Policy as a condition of access. Security awareness is embedded in CharmIQ's development and operational practices. Personnel working remotely are subject to CharmIQ's Work from Home Policy.
10. Third-Party and Sub-processor Security. CharmIQ assesses the security and privacy posture of its third-party vendors and Sub-processors in accordance with its Third Party Management Policy, and requires each Sub-processor to be bound by data-protection obligations substantially as protective as those set forth in this DPA.
11. Data Retention and Destruction. CharmIQ retains and disposes of Customer Personal Data in accordance with its Data Retention and Destruction Policy and Section 8 of this DPA.
Additional detail regarding the current implementation of the Security Program — including specific technologies, vendors, and operational metrics — is available upon request to resilience@charmiq.ai.
Schedule 3 — Sub-processors
The current list of Sub-processors is maintained at https://www.charmiq.ai/legal/subprocessors and includes:
| Category | Provider | Purpose |
|---|---|---|
| Core Infrastructure | Google Cloud Platform / Firebase | Compute, storage, authentication, database, hosting |
| AI / LLM Providers | OpenAI | Text, image, audio, video generation (API access; no training) |
| AI / LLM Providers | Anthropic | Text generation (API access; no training) |
| AI / LLM Providers | Google Generative AI (Gemini / Vertex AI) | Text, image, audio, video, music generation (API access; no training) |
| AI / LLM Providers | xAI | Text generation (API access; no training) |
| AI / LLM Providers | Perplexity | Research and retrieval (API access; no training) |
| Payment Processing | Stripe | Subscription billing |
| Transactional Email | SendGrid | Notifications, invitations |
| Marketing Email | Mailchimp | Product and marketing communications |
| Document Processing | ConvertAPI | File format conversion |
| Document Processing | Mathpix | Mathematical and scientific document parsing |
| Analytics | Google Analytics | Site and usage analytics |