Data Processing Agreement
Effective: February 12, 2026
Chaman Ventures, SAS with share capital of €100
RCS Paris 989 498 902 — TVA FR92989498902
229 Rue Saint-Honoré, 75001 Paris, France
1. Roles
You (the Customer) are the data Controller. Chaman Ventures, SAS, registered at 229 Rue Saint-Honoré, 75001 Paris, France (RCS Paris 989 498 902, TVA FR92989498902) acts as the data Processor. Where you connect third-party integrations, those providers act as sub-processors under this agreement.
2. Scope of processing
We process personal data solely to provide the ContractSpec Studio service: evidence ingestion, correlation, impact analysis, artifact generation, work item export, and stakeholder notifications. Processing is performed on documented instructions from you.
3. Data residency
The primary database resides in the EU (eu-west-1) via Supabase. Analytics data is processed in the EU via PostHog. LLM inference may route through US-based providers; EU-only inference is available via Mistral AI. Enterprise plans support single-tenant or on-premises deployment for full data sovereignty.
4. Security measures
OAuth tokens encrypted at rest (AES-256). PII automatically redacted at evidence ingestion. Role-based access control with organization-level permissions. Full audit trail on every operation. SOC 2 Type I in progress. Penetration test results available under NDA.
5. Breach notification
We will notify you of a confirmed personal data breach within 72 hours of becoming aware. Notification includes: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
6. Data retention and deletion
Retention is configurable per workspace (30 days to 12 months). Data is hard-deleted on schedule with no recovery. On-demand purge is available at any time. On contract termination, all data is deleted within the configured retention window.
7. Audit rights
You may request information necessary to demonstrate compliance with this agreement. We respond to audit and security review requests within 48 hours. The SOC 2 Type I report is available under NDA. We support third-party audits at your expense with reasonable advance notice.
8. International transfers
Where data is transferred outside the EEA (e.g., to US-based LLM providers), transfers are governed by Standard Contractual Clauses (SCCs) as adopted by the European Commission. You may restrict processing to EU-only providers via workspace settings.
9. Sub-processor changes
We maintain the sub-processor list below. We will notify you at least 30 days before adding a new platform-level sub-processor. You may object to a new sub-processor by contacting us within that period.
Platform-level sub-processors
Active for all customers as part of normal operations.
| Provider | Purpose | Data processed | Region |
|---|---|---|---|
| Vercel | Hosting, serverless functions | HTTP requests, page views | Configurable |
| Supabase | Managed PostgreSQL database | All persistent application data | EU (eu-west-1) |
| PostHog | Product analytics, feature flags | User behavior events, feature flag evaluations | EU |
| Stripe | Payment processing, subscriptions | Customer PII (name, email), payment methods | Global |
| OpenAI | LLM inference, embeddings | User content processed through analysis pipelines | US |
| Anthropic | LLM inference | User content processed through analysis pipelines | US |
| Mistral AI | LLM inference, embeddings | User content processed through analysis and embedding | EU (France) |
| Groq | Fast LLM inference | Meeting transcripts for evidence extraction | US |
| | OAuth, Drive, Gmail, Calendar APIs | User identity, authorized file access, email | Global |
| Resend | Transactional email | Recipient emails, email content | US |
| Scaleway | Message queues, transactional email | Application events, email delivery | EU (Paris) |
| Telnyx | SMS messaging | Phone numbers, message content | US |
| fal.ai | AI image generation | Text prompts derived from user content | US |
| Gradium | Text-to-speech synthesis | Text scripts converted to audio | EU / US |
| DeepL | Text translation | Text submitted for translation | EU (Germany) |
| Jina AI | Web content extraction | URLs for content retrieval (no direct PII) | EU (Germany) |
| Linear | Work item export | Exported work items and task descriptions | US |

User-configurable sub-processors
Only active when explicitly connected by you through integrations settings.
| Provider | Purpose | Data processed when connected |
|---|---|---|
| Slack | Thread import, brief posting | Messages, thread content |
| GitHub | Codebase analysis, PR ingestion | Repository content, pull request data |
| Jira | Issue export | Work items, project data |
| Notion | Document export | Document content, wiki pages |
| Zendesk | Support ticket ingestion | Ticket content, customer interactions |
| | Post import, engagement data | Organization posts, engagement metrics |
| Microsoft OneDrive | File import | Document content |
| Google Drive | File import | Document content |
| Granola / tl;dv / Fireflies.ai / Fathom | Meeting notes and transcript import | Meeting transcripts, highlights |
| Twilio / Postmark | SMS and email delivery | Phone numbers, email addresses, message content |
| ElevenLabs | Voice synthesis | Text scripts |
| Qdrant | Vector similarity search | Embedded content vectors |
| Powens | Open banking aggregation | Financial transaction data |
| Google Calendar | Calendar event access | Calendar events, scheduling data |