Data Processing Agreement

Effective date: March 1, 2026 · Last updated: March 1, 2026

This Data Processing Agreement (“DPA”) is entered into between the customer (“Controller” or “Customer”) and CorpusFabric, Inc. (“Processor” or “CorpusFabric”) and supplements the Terms of Service. This DPA applies where CorpusFabric processes Personal Data on behalf of the Customer in the course of providing the Service.

This DPA is designed to meet the requirements of the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws. Government customers may require this DPA as part of their procurement process.

1. Definitions

  • “Controller” means the Customer, who determines the purposes and means of processing Personal Data by using the Service.
  • “Processor” means CorpusFabric, Inc., which processes Personal Data on behalf of the Controller.
  • “Sub-processor” means a third party engaged by CorpusFabric to assist in processing Personal Data on behalf of the Controller.
  • “Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws.
  • “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
  • “Processing” means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, erasure, or destruction.
  • “Service” means the CorpusFabric platform and related services as described in the Terms of Service.
  • “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. Scope and Purpose of Processing

CorpusFabric processes Personal Data solely for the purpose of providing the Service as described in the Terms of Service and as instructed by the Controller. The types of Personal Data processed may include:

  • Account information (names, email addresses, organization details)
  • Document content uploaded by the Controller, which may contain Personal Data
  • Usage data and interaction logs
  • Chat queries and AI-generated responses

Data Subjects may include the Controller's employees, contractors, customers, constituents, residents, and other individuals whose information appears in uploaded documents or who interact with the Service.

3. Data Processing Instructions

CorpusFabric will process Personal Data only in accordance with the Controller's documented instructions. The Controller's instructions are defined by the Terms of Service, this DPA, and any additional written instructions agreed upon by both parties.

If CorpusFabric believes that an instruction from the Controller infringes applicable data protection laws, we will promptly notify the Controller and await further instructions before proceeding with the relevant processing.

CorpusFabric will not process Personal Data for any purpose other than providing the Service, unless required to do so by applicable law, in which case we will inform the Controller before processing (unless prohibited by law from doing so).

4. Security Measures

CorpusFabric implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include:

  • Encryption at rest: All data stored on our infrastructure is encrypted using AES-256 encryption
  • Encryption in transit: All data transmitted between systems uses TLS 1.2 or higher
  • Access controls: Role-based access controls with least-privilege principles; multi-factor authentication for all administrative access
  • Network security: Network isolation, firewall rules, and intrusion detection systems
  • Monitoring and logging: Continuous monitoring of infrastructure and comprehensive audit logging
  • Employee training: Regular security and privacy training for all personnel with access to Personal Data
  • Incident response: Documented incident response procedures with defined roles and escalation paths
  • Business continuity: Regular backups, disaster recovery procedures, and redundant infrastructure
  • Vulnerability management: Regular vulnerability scanning, penetration testing, and prompt patching of security issues

5. Sub-processors

The Controller provides general authorization for CorpusFabric to engage Sub-processors to assist in providing the Service. The current list of Sub-processors is as follows:

Sub-processor | Purpose | Location
Amazon Web Services (AWS) | Cloud infrastructure, data storage, computing | United States
Anthropic | AI language model for generating responses from document content | United States
Voyage AI | Embedding model for semantic search and vector generation | United States
Clerk | Authentication and user identity management | United States
Stripe | Payment processing and subscription billing | United States

CorpusFabric will notify the Controller at least 30 days in advance of adding or replacing a Sub-processor. If the Controller objects to a new Sub-processor on reasonable data protection grounds, the parties will work in good faith to resolve the objection. If no resolution is reached, the Controller may terminate the affected Service.

CorpusFabric ensures that each Sub-processor is bound by data protection obligations no less protective than those in this DPA. CorpusFabric remains liable for the acts and omissions of its Sub-processors.

6. Data Breach Notification

In the event of a Data Breach involving Personal Data processed on behalf of the Controller, CorpusFabric will:

  • Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the Data Breach
  • Provide the Controller with sufficient information to enable the Controller to meet its own notification obligations under applicable law
  • Include in the notification: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach
  • Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach
  • Document all Data Breaches, including the facts, effects, and remedial actions taken

7. Data Subject Rights

CorpusFabric will assist the Controller in fulfilling its obligations to respond to Data Subject requests exercising their rights under applicable data protection laws, including rights of:

  • Access to their Personal Data
  • Rectification of inaccurate Personal Data
  • Erasure (“right to be forgotten”)
  • Restriction of processing
  • Data portability
  • Objection to processing

If CorpusFabric receives a request directly from a Data Subject, we will promptly redirect the request to the Controller, unless legally required to respond directly.

8. Data Deletion and Return

Upon termination or expiration of the Service agreement, or upon the Controller's written request, CorpusFabric will:

  • Provide the Controller with the ability to export all Customer Data in a standard, machine-readable format within 30 days
  • Delete all Personal Data from active systems within 30 days of termination or the Controller's request
  • Purge Personal Data from backup systems within 90 days of deletion from active systems
  • Provide written confirmation of deletion upon request

Exceptions apply only where retention is required by applicable law, in which case CorpusFabric will inform the Controller of the legal requirement and limit processing to that purpose.

9. Audit Rights

The Controller has the right to audit CorpusFabric's compliance with this DPA. CorpusFabric will:

  • Make available all information necessary to demonstrate compliance with this DPA
  • Allow for and contribute to audits and inspections conducted by the Controller or an independent auditor appointed by the Controller
  • Provide audit reports, certifications, and summaries of third-party security assessments upon reasonable request

Audits shall be conducted with reasonable advance notice (at least 30 days), during normal business hours, and in a manner that minimizes disruption to CorpusFabric's operations. The Controller shall bear its own costs for audits, unless the audit reveals material non-compliance by CorpusFabric.

10. International Data Transfers

Personal Data processed under this DPA may be transferred to and processed in the United States. For transfers of Personal Data from the European Economic Area, United Kingdom, or Switzerland, CorpusFabric relies on:

  • Standard Contractual Clauses (SCCs): CorpusFabric executes the European Commission's Standard Contractual Clauses for the transfer of Personal Data to third countries
  • Supplementary measures: Additional technical and organizational measures to ensure the level of protection required by applicable law, including encryption and access controls

CorpusFabric will cooperate with the Controller to implement any additional transfer mechanisms required by applicable law.

11. Confidentiality

CorpusFabric ensures that all personnel authorized to process Personal Data are bound by confidentiality obligations. Access to Personal Data is limited to personnel who require it to perform their duties in connection with the Service.

12. Liability

The liability of each party under this DPA is subject to the limitations set forth in the Terms of Service, except that nothing in this DPA limits either party's liability for breaches of data protection obligations that cannot be limited under applicable law.

13. Term and Termination

This DPA takes effect when the Controller begins using the Service and remains in effect as long as CorpusFabric processes Personal Data on behalf of the Controller. The obligations regarding data deletion and return survive termination of this DPA.

14. Contact

For questions about this DPA or to exercise any rights under it, contact: