Data Processing Agreement
Last updated: July 17, 2026
This Data Processing Agreement ("DPA") forms part of, and is subject to, the Terms of Service between you (the account holder, "Customer") and Client Chemistry ("we," "our," or "us"). It applies whenever we process personal information about your clients ("Client Personal Information") on your behalf. In that processing, you are the controller and we are your processor. For your own account information, we act as controller under our Privacy Policy. If there is a conflict between this DPA and the Terms about the processing of Client Personal Information, this DPA governs.
1. Definitions
"Controller," "processor," "personal information," "processing," and "data subject" have the meanings given in applicable privacy law, including PIPEDA, Quebec Law 25, and applicable US state privacy laws. "Applicable privacy law" means the privacy and data protection laws that apply to the processing of Client Personal Information under this DPA.
2. Scope and Roles
- You are the controller of Client Personal Information and are responsible for the accuracy of, and your right to provide, that information, and for having obtained any consent or other legal basis required from your clients.
- We are your processor and will process Client Personal Information only to provide and support the Service, and only on your documented instructions, which include the Terms, this DPA, and your use of the Service. We will tell you if we believe an instruction violates applicable privacy law.
- We will not sell Client Personal Information, will not use it for advertising, and will not use it for our own purposes, including training our own models.
3. Details of Processing
- Subject matter and duration: provision of the Service for the term of your subscription and as described in the Terms.
- Nature and purpose: hosting, storing, and processing communication style assessments to generate Chemistry Reports and related features for you.
- Types of personal information: client name, assessment responses, communication archetype, dimension scores, and, only if you supply it and only until the assessment is completed, a client email address. Meeting content is never collected.
- Categories of data subjects: the clients and contacts you choose to assess.
4. Our Obligations as Processor
- Confidentiality: we ensure that people authorized to process Client Personal Information are bound by confidentiality.
- Security: we maintain appropriate technical and organizational measures to protect Client Personal Information, as described in our security overview, including encryption in transit and at rest, database-enforced row-level isolation by firm, and hashed passwords.
- Assistance: taking into account the nature of the processing, we will provide reasonable assistance so that you can respond to data subject requests and meet your own security, breach-notification, and consultation obligations.
- Data subject requests: if we receive a request from one of your clients, we will not respond directly (except to confirm the request should go to you) and will promptly refer it to you.
- Deletion and return: on termination, or at your request, we will delete or return Client Personal Information, except where retention is required by law. Client email addresses are deleted as soon as the assessment is completed, in all cases.
- Records and information: we will make available information reasonably necessary to demonstrate compliance with this DPA and, on reasonable prior notice and subject to confidentiality, respond to your reasonable audit inquiries about our processing.
5. Breach Notification
We will notify you without undue delay after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Information, and will provide information reasonably available to us to help you meet your notification obligations to data subjects and regulators.
6. Subprocessors
You authorize us to engage the subprocessors below to process Client Personal Information. Each is bound by data protection obligations no less protective than those in this DPA, and we remain responsible for their performance. We will give notice before adding or replacing a subprocessor, so that you can object on reasonable data-protection grounds.
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase | Database storage and authentication | Canada |
| Vercel | Application hosting and cookieless analytics | Canada |
| Anthropic | AI report generation (first names, archetypes, and scores only) | United States |
| Stripe | Subscription billing (account holders only) | United States |
An AI assistant that you connect through the optional AI connection is engaged by you, under your own agreement with that provider, and is your processor rather than our subprocessor.
7. International Transfers
Client Personal Information is stored in Canada, where our database and hosting providers (Supabase and Vercel) operate. Limited data, specifically first names, archetypes, and dimension scores, is processed by Anthropic in the United States to generate reports. Where personal information is processed across borders, we rely on appropriate safeguards and on our subprocessors' own compliance programs. You are responsible for informing your clients about cross-border processing to the extent your own privacy obligations require it.
8. Liability
Each party's liability under this DPA is subject to the exclusions and limitations of liability set out in the Terms of Service.
9. Contact
For questions about this DPA or to raise a data protection matter, contact us at:
Client Chemistry