Data Processing Addendum (DPA)

Last updated: May 8, 2026

This Data Processing Addendum ("DPA") is incorporated into and forms part of the Chaberista Terms of Service or any other agreement between Chaber, LLC ("Processor") and the customer ("Controller") governing the use of the Service. It applies to the extent Processor processes Personal Data on behalf of Controller.

1. Definitions

Capitalized terms have the meaning given in the EU GDPR, UK GDPR, and the California Consumer Privacy Act / California Privacy Rights Act (collectively, "Data Protection Laws"). "Personal Data", "Processing", "Data Subject", "Sub-processor", and "Personal Data Breach" bear those meanings.

2. Scope & Roles

Controller is the controller (or business under CCPA) of Personal Data contained in Customer Data. Processor processes such Personal Data only as a processor (or service provider under CCPA), on documented instructions from Controller as set out in the Agreement and through use of the Service.

3. Details of Processing

  • Subject matter: provision of the Service.
  • Duration: term of the Agreement.
  • Nature & purpose: ingest, store, classify, analyze, and present AI activity events; provide reporting, alerting, and governance workflows.
  • Categories of Data Subjects: Controller's personnel and any individuals appearing in Customer Data.
  • Categories of Personal Data: account identifiers, prompt and response content, file metadata, IP addresses, and any other Personal Data Controller chooses to submit.
  • Special categories: only if Controller submits them; Controller is responsible for legality.

4. Processor Obligations

  • Process Personal Data only on Controller's documented instructions, including international transfers, unless required by law.
  • Ensure personnel are bound by confidentiality.
  • Implement and maintain the technical and organizational measures in Annex II.
  • Assist Controller with Data Subject requests, security incidents, DPIAs, and prior consultations.
  • Make available information necessary to demonstrate compliance and allow audits per Section 9.

5. Sub-processors

Controller authorizes Processor to engage the Sub-processors listed in Annex III. Processor will give at least 30 days' advance notice of new Sub-processors and Controller may object on reasonable data-protection grounds; if the parties cannot resolve the objection, Controller may terminate the affected portion of the Service for convenience.

6. International Data Transfers

Where transfers of Personal Data subject to EU/UK/Swiss law leave their region, the parties enter into the European Commission's Standard Contractual Clauses (Module 2 / Module 3 as applicable) and the UK International Data Transfer Addendum, incorporated by reference.

7. Personal Data Breach

Processor will notify Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Controller's Personal Data, and will provide reasonable assistance to enable Controller to meet its own notification obligations.

8. Deletion / Return

Upon termination, Processor will, at Controller's choice, delete or return all Personal Data within 30 days, unless retention is required by law. Backups are deleted on rolling 35-day cycles.

9. Audits

Processor will make available SOC 2 / ISO 27001 reports (when issued) and supporting documentation to demonstrate compliance. Controller may conduct an audit no more than once per 12 months on at least 30 days' notice, during business hours, and subject to confidentiality and reasonable cost-recovery.

10. CCPA Addendum

Processor is a "service provider" with respect to Personal Information of California residents. Processor will not (a) sell or share such Personal Information; (b) retain, use, or disclose it for any purpose other than the business purposes specified in the Agreement; or (c) combine it with personal information received from other sources, except as permitted by the CCPA.

11. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

Annex I — Processing Details

As described in Section 3 above.

Annex II — Technical & Organizational Measures

  • Encryption in transit (TLS 1.2+) and at rest (AES-256-GCM).
  • Tenant isolation via row-level security; least-privilege IAM.
  • SSO (SAML/OIDC), MFA, SCIM provisioning, session timeouts.
  • Centralized logging, anomaly detection, incident response runbooks.
  • Annual penetration testing; vulnerability management with documented SLAs.
  • Background checks for personnel with production access; mandatory security training.
  • Encrypted, geo-redundant backups; documented restore tests.
  • Change management with code review and CI security checks.

Annex III — Sub-processors

  • Cloud hosting: AWS / Cloudflare (US, EU regions per customer config) — infrastructure and edge.
  • Database & auth: managed Postgres + auth provider (US/EU).
  • Payment processing: Stripe, Inc. (United States) — billing, subscription management, customer portal, and tax calculation. Stripe is PCI-DSS Level 1 certified and acts as an independent controller for payment-method, billing-address, and transaction data under its privacy policy; payment-card numbers are tokenized at Stripe and are not stored by us.
  • Transactional email: email delivery provider (US/EU).
  • Error monitoring: error and performance monitoring provider (US/EU).
  • Customer support: helpdesk provider (US).

Signatures

By accepting the Terms or signing an order form that references this DPA, the parties agree to be bound by this DPA. To countersign, email michael@chabercompliance.com.