Subprocessors
About This Page
CharmIQ, Inc. ("CharmIQ") engages the third-party service providers listed below ("Subprocessors") to support the delivery of our Services. This page is published pursuant to, and forms part of, the CharmIQ Data Processing Addendum ("DPA").
Each Subprocessor is contractually bound — through its online terms of service, published data processing addendum, or a negotiated agreement — to data-protection obligations substantially as protective as those in the DPA. CharmIQ assesses each Subprocessor prior to engagement in accordance with its Third Party Management Policy.
Staying Informed of Changes
CharmIQ notifies Customers of new Subprocessors through in-product notification at least thirty (30) days before a new Subprocessor begins processing Customer Personal Data. Customers may object to a new Subprocessor in accordance with Section 5 of the DPA. Questions about this page, or requests to be added to the notification list, may be directed to privacy@charmiq.ai.
Core Infrastructure
These Subprocessors provide the foundational compute, storage, authentication, and hosting infrastructure for the Services. All Customer Content resides within this tier.
| Provider | Legal Entity | Processing Location | Purpose | Trains on Customer Data |
|---|---|---|---|---|
| Google Cloud Platform / Firebase | Google LLC | United States (us-central1) |
Cloud compute, database, file storage, authentication, hosting, logging, and secrets management | No |
AI / Large Language Model Providers
These Subprocessors receive Customer Prompts and related context at the moment of an AI-assisted action within the Services. Providers are accessed via API and are selected (by default) based on contractual commitments not to train on API-submitted data. See Customer-Selected Models below for exceptions.
| Provider | Legal Entity | Processing Location | Purpose | Trains on Customer Data |
|---|---|---|---|---|
| OpenAI | OpenAI OpCo, LLC | United States | Text, image, audio, and video generation (GPT family and related models) | No (per OpenAI API DPA) |
| Anthropic | Anthropic, PBC | United States | Text generation (Claude family models) | No (per Anthropic Commercial Terms / DPA) |
| Google Generative AI | Google LLC | United States | Text, image, audio, video, and music generation (Gemini / Vertex AI) | No (per Google Cloud DPA) |
| xAI | X.AI LLC | United States | Text generation (Grok family models) | Varies — see Customer-Selected Models |
| Perplexity | Perplexity AI, Inc. | United States | Research, retrieval, and web-augmented generation | No (per Perplexity enterprise terms) |
Customer-Selected Models
Certain models offered through the Services are made available under provider terms that do permit training on submitted data. These models are clearly marked within the Services interface as "May Train on User Supplied Data" and are selected only at the Customer's explicit direction. Customer's selection of such a model constitutes instruction to CharmIQ to route the corresponding Customer Prompt through that provider on the disclosed terms. See Section 4.3 of the DPA.
Payments
| Provider | Legal Entity | Processing Location | Purpose | Trains on Customer Data |
|---|---|---|---|---|
| Stripe | Stripe, Inc. | United States | Subscription billing, payment processing, invoicing | No |
Communications
| Provider | Legal Entity | Processing Location | Purpose | Trains on Customer Data |
|---|---|---|---|---|
| SendGrid | Twilio Inc. | United States | Transactional email (notifications, invitations, system alerts) | No |
| Mailchimp | The Rocket Science Group LLC (d/b/a Mailchimp, an Intuit company) | United States | Marketing and product communications (opt-in only) | No |
Document Processing
These Subprocessors are invoked only when a Customer uploads or requests processing of a document format requiring external conversion or parsing.
| Provider | Legal Entity | Processing Location | Purpose | Trains on Customer Data |
|---|---|---|---|---|
| ConvertAPI | ConvertAPI, UAB | European Union (Lithuania) | File format conversion (PDF, DOCX, etc.) | No |
| Mathpix | Mathpix, Inc. | United States | Mathematical and scientific document parsing (OCR for equations, scientific notation) | No |
Analytics
| Provider | Legal Entity | Processing Location | Purpose | Trains on Customer Data |
|---|---|---|---|---|
| Google Analytics | Google LLC | United States | Aggregate site and product usage analytics (no Customer Content) | No |
Customer-Controlled Integrations
The following categories involve data flows that are authorized and directed by the Customer, rather than engaged by CharmIQ as Subprocessors:
- OAuth 2.0 Integrations. Customers may connect third-party services (e.g., productivity, storage, or developer tools) to their CharmIQ workspace via OAuth. These connections are established at the Customer's direction; CharmIQ acts as an interface, and the connected provider's terms govern data processed through that integration.
- Bring-Your-Own-Key ("BYOK") / Developer Plan. Customers on the Developer plan may configure the Services to sync resources directly to their own infrastructure (e.g., the Customer's Google Cloud Storage buckets or OpenAI Vector Stores). Such infrastructure is outside CharmIQ's custody, and the Customer retains full ownership, control, and responsibility for the lifecycle of that data.
Neither category is considered a CharmIQ Subprocessor for purposes of the DPA.
Contact
Questions, objections, or notification-list requests may be directed to privacy@charmiq.ai.