Data Processing Agreement

For Business & Enterprise Customers

Last updated: March 3, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Chatlo Notes ("Processor") and the business customer ("Controller"). It governs how we process personal data on your behalf.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
  • "Controller" means the entity that determines the purposes and means of processing Personal Data (you, the customer).
  • "Processor" means the entity that processes Personal Data on behalf of the Controller (Chatlo Notes).
  • "Sub-processor" means a third party engaged by the Processor to process Personal Data.

2. Scope of Processing

The Processor shall process Personal Data only as necessary to provide the Chatlo Notes service, including:

  • Storing and organizing user-created notes, recordings, and documents.
  • Processing voice recordings for transcription using AI services.
  • Generating AI-powered summaries, flashcards, and quizzes from user content.
  • Facilitating meeting recording and transcription via calendar integrations.
  • Providing authentication and account management services.

3. Obligations of the Processor

Chatlo Notes shall:

  • Process Personal Data only on documented instructions from the Controller.
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational security measures (encryption, access controls, logging).
  • Not engage sub-processors without prior written authorization from the Controller.
  • Assist the Controller in responding to data subject access requests.
  • Delete or return all Personal Data upon termination of the service, at the Controller's choice.
  • Make available all information necessary to demonstrate compliance and allow for audits.

4. Sub-processors

The following sub-processors are authorized to process Personal Data:

Sub-processor             Purpose                                    Location
Google Cloud / Firebase   Infrastructure, auth, database, storage    US (multi-region)
Google Gemini AI          AI processing (summaries, transcription)   US
PostHog                   Product analytics (consent-based)          US / EU
Vercel                    Web application hosting                    Global CDN

5. Security Measures

The Processor implements the following security measures:

  • Encryption in transit — TLS 1.3 for all data transfers.
  • Encryption at rest — AES-256 for stored data via Google Cloud.
  • Authentication — OAuth 2.0 via Google Sign-In; no passwords stored.
  • Access control — Role-based access; Firestore security rules enforce user-level data isolation.
  • Monitoring — Error logging and infrastructure monitoring.
  • Data isolation — Each user's data is logically separated by user ID at the database level.

6. Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach. The notification shall include the nature of the breach, categories of data affected, approximate number of individuals affected, and measures taken to mitigate the breach. See our full Breach Notification Policy.

7. Data Retention and Deletion

  • Personal Data is retained for the duration of the service agreement.
  • Upon termination, all data is deleted within 30 days unless a longer retention is required by law.
  • The Controller may request data export at any time via Settings → Export My Data.
  • Complete account and data deletion is available via Settings → Delete Account.

8. International Transfers

Personal Data may be transferred to and processed in the United States, where our primary infrastructure is located. Where data is transferred outside the EEA, we rely on Google Cloud's Standard Contractual Clauses (SCCs) and data processing terms to ensure adequate protection.

9. Governing Law

This DPA shall be governed by and construed in accordance with the laws applicable to the main Terms of Service. For EU data subjects, this DPA is supplemented by the provisions of the GDPR.

10. Contact

For DPA inquiries: privacy@chatlo.io

General support: support@chatlo.io

To request a signed copy of this DPA, please email privacy@chatlo.io with your company name and use case.