1. Roles
Customer is the Controller; Provider is the Processor. Where Customer transmits personal data of its own users (e.g. through a co-pilot chat), Provider processes it solely on Customer's instructions and for the purpose of providing the Service.
2. Subject and duration
Processing lasts for the term of the service agreement plus 30 days (legal-claims window), after which data is deleted or returned at Customer's choice.
3. Categories of data subjects and data
Subjects: Customer's employees, contractors, and end users whose data Customer enters. Categories: names, emails, business communication, anything else Customer chooses to enter.
4. Processor obligations
- Process only on Controller's documented instructions.
- Maintain confidentiality for all personnel with access.
- Implement technical and organisational measures under Art. 32 GDPR.
- Notify Controller within 48 hours of a personal-data breach.
- Assist with data-subject rights.
- Return or delete on termination (Controller's choice).
- Make available information necessary for an audit, no more than annually or upon reasonable suspicion.
5. Subprocessors
Current list: Stripe Payments Europe Ltd. (Ireland), Anthropic PBC (US, SCCs + DPF), OpenAI Ireland Ltd. (Ireland), Google Ireland Ltd. (Ireland), Vercel Inc. (US, SCCs), Apple Inc. (US, SCCs — when Apple Sign In is enabled), PostgreSQL hosting provider (EU region).
We notify Customer of new subprocessors at least 30 days in advance; Customer has a right to object.
6. International transfers
We rely on SCCs 2021/914 for all transfers outside the EEA, plus supplementary measures (encryption at rest and in transit, access controls). A Transfer Impact Assessment is conducted where appropriate.
7. Termination
On termination of the primary agreement, Provider deletes or returns all personal data within 30 days, unless applicable law requires longer retention (e.g. invoices — 10 years).
8. Contact
A signed paper/PDF DPA can be requested at legal@chernata.ai.