Data Processing Agreement


ChatMx Data Processing Agreement (DPA)

Last update: June 4th, 2026

This Data Processing Agreement (“Agreement”) forms part of the User Subscription Agreement between Fermion AI Apps Corp. (the “Company”, the “Processor”) and you (the “Controller”, “User”, “You” or “Your”). This Agreement is a legally binding agreement between the Processor and the Controller. If you are entering into this Agreement on behalf of a business or other legal entity, you represent that you have the authority to bind such entity to this Agreement, in which case the terms “Controller”, “User”, “You” or “Your” shall refer to such entity. This Agreement sets out the parties' respective rights and obligations on when and how the Processor processes data on behalf of the Controller pursuant to the User Subscription Agreement.

1. INTERPRETATIONS

Agreement means this Data Processing Agreement that forms the agreement between the Processor and the Controller regarding the use of the Application;

Application means the proprietary conversational software interface, known as "ChatMX," made available by the Company as a web-based service for integration into the User’s website or platform, including all updates, cloud-based components, and associated executable scripts;

Company (referred to as either "the Company", “the Processor”, "We", "Us" or "Our" in this Agreement) refers to Fermion AI Apps Corp., a duly incorporated company in Canada; 

Confidential Information means all non-public, proprietary, or confidential information disclosed by the Controller to the Processor, including but not limited to personal information, business information, business processes, customer data, financial information, technical specifications, strategic plans, and general conversations;

Controller means the User of the Application, that is a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; 

Data Protection Laws means any applicable local, national, or international laws, rules and regulations related to privacy, security, data protection, and/or the processing of personal data, as amended, replaced, or superseded from time to time. Depending on where the Controller is based, this may include but is not limited to: (a) the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA); (b) the California Consumer Privacy Act (CCPA); the California Privacy Rights Act (CPRA); and (c) the General Data Protection Regulation (EU) (GDPR);

Data Subject means an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Deliverables means all work products, documents, designs, configurations, customizations, prompt designs, knowledge bases, and other materials created by the Company;

Personal Data means any personal data processed by the Processor on behalf of the Controller pursuant to or in connection with the Agreement;

Processor means the entity, ChatMX for the purposes of this Agreement, which processes Personal Data on behalf of, and based on instruction from, the Controller. 

Sub-processor means any third party, including but not limited to service providers, software vendors, cloud infrastructure platforms, or AI processing entities, engaged by or on behalf of the Processor to process Personal Data on behalf of the Controller in connection with the Agreement.

2. APPLICABILITY

2.1 This Agreement will apply only to the extent that the Company processes, on behalf of the User, Personal Data to which Data Protection Laws apply.

2.2 The Company and the User acknowledge and agree that, in relation to the processing of Personal Data, the Company acts as a Processor, while the User is either a Controller or Processor (referred to only as Processor for the purposes of this Agreement). The Company shall process Personal Data in accordance with the User’s documented instructions, Data Protection Laws and the Company’s Privacy Policy.

3. CONTROLLER’S OBLIGATION

3.1 The Controller shall comply with the Data Protection Laws in processing Personal Data ahead of sharing such data with ChatMX. The Controller shall ensure the same level of compliance from its affiliates or third parties who may use the Application.

3.2 The Controller warrants on an ongoing basis that it has an appropriate lawful basis under Data Protection Laws to share Personal Data with ChatMX. Where the Controller is acting as a Processor under Data Protection Laws, the relevant controller has authorized: (i) the Controller’s Personal Data Processing instructions to ChatMX (as set out in this Agreement); (ii) the Controller’s appointment of ChatMX as a Sub-Processor; and (iii) ChatMX’s use of further Sub-Processors as described in Section 9: Use of Sub-Processors.

3.3 The Controller shall refrain from taking, or causing ChatMX to take, any action that would result in a breach of Data Protection Laws or infringe the rights of any Data Subject. The Controller shall reasonably assist ChatMX in meeting its obligations under Data Protection Laws, including by agreeing to any necessary updates or additions to this Agreement to reflect changes in the processing activities of either party.

4. PROCESSOR’S OBLIGATION

4.1 The Processor shall process Personal Data in accordance with all applicable Data Protection Laws, in addition to all regulations, or any rules, directives or policies imposed by a governmental authority, such as and without limitation, applicable Canadian privacy laws, U.S. privacy laws, and EU data protection laws.

4.2 The Processor shall process Personal Data only on the documented instructions of the Controller. If the Processor believes an instruction infringes upon applicable Data Protection Laws, it shall promptly notify the Controller in writing. The Processor shall provide reasonable assistance and functional tools to enable the Controller to respond to requests from individuals exercising their rights (access, correction, deletion, or portability) under applicable law. The Processor will promptly notify the Controller if it concludes that it is no longer able to comply with its obligations under Data Protection Laws or this Agreement.

4.2 In fulfilling consumer rights requests under applicable Data Protection Laws, the Processor shall honour the Controller’s right to know and/or access personal information, delete personal information, correct inaccurate personal information, opt out of sale/sharing of personal information, and limit use of sensitive personal information.

4.3 To the extent that the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) apply to the processing of Personal Data, the Processor shall not: (a) sell or otherwise disclose such data to any third party in exchange for monetary or other valuable consideration; (b) use Personal Data for advertising or commercial purposes; (c) retain, use, or disclose such data for any purpose other than the business purposes set out in this Agreement or as permitted under applicable law; (d) retain, use, or disclose such data outside the scope of the parties’ direct business relationship; or (e) except as otherwise permitted by U.S. data protection laws, combine Personal Data with personal data that ChatMX receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject.

4.4 For transfers of personal data across borders, the Processor shall adhere to Section 12: Data Transfer and Cross-Border Processing to implement appropriate safeguards including standard contractual clauses or other legally recognized transfer mechanisms as required by applicable Data Protection Laws.

5. CONFIDENTIALITY

5.1 The Processor acknowledges that, in connection with this Agreement, it may gain access to Confidential Information and Personal Data. Each party shall not disclose or use any Confidential Information of the other Party for any purpose other than as reasonably necessary to exercise its rights or perform its obligations under this Agreement, provided that each party may disclose Confidential Information to the limited extent required to comply with the order of a court or other governmental body, or as otherwise necessary to comply with applicable law, provided that the Party making the disclosure pursuant to the order shall first have given written notice to the other Party. These confidentiality obligations shall survive the termination of this Agreement for a period of five [5] years. 

6. PROCESSING OF CONFIDENTIAL INFORMATION AND PERSONAL DATA

6.1 As Processor, the Company will carry out processing in accordance with (a) the Controller’s instructions as set forth in the User Subscription Agreement and as reasonably required for access to the Application (including for purposes such as investigating security incidents, preventing misuse or abuse and any obligations imposed by applicable law, including relevant data protection legislation); and (b) any additional purposes expressly agreed in writing between the parties.

6.2 As such, the Processor shall: (a) ensure all employees handling Personal Data or Confidential Information are bound by legally enforceable confidentiality agreements; (b) provide adequate training to all employees handling Personal Data on data protection requirements and procedures; (c) be held liable for any processing activities conducted outside the scope of documented instructions.

6.3 ChatMX processes Personal Data for the purposes of producing a customized chatbot interface for a trial period and/or to be housed on the Controller’s website or platform following the trial.

7. SECURITY MEASURES

7.1 The Processor shall have in place at all times appropriate technical and organizational measures to prevent unauthorized or unlawful processing, as well as accidental loss, destruction, or damage of Personal Data. In determining the appropriate level of security, the Processor shall consider factors including the cost of implementation, the nature and scope of the processing activities, and the potential risks to the rights and freedoms of affected Data Subjects. Such security measures may include:

  1. Encryption: All client data is encrypted using industry-standard encryption protocols;
  2. Data Storage: The Processor only stores Personal Data necessary for authentication, production and use of its Application and in accordance with its Privacy Policy and User Subscription Agreement;
  3. Access Controls: Role-based access control limiting data access to authorized personnel only;
  4. Data Minimization: Personal Data is retained according to configured retention policies;
  5. Infrastructure Security: Regular security assessments, automated security updates, and comprehensive incident response procedures;
  6. Risk Assessment: In assessing the appropriate level of security, the Processor shall take account in particular of the risks that are presented by processing, in particular from a Personal Data breach.

7.2 The Processor may periodically update its technical and organizational security measures to reflect technological advancements and industry developments; provided, however, that such revisions shall not materially diminish the overall security of the Services or the protection of Personal Data. All updates must maintain compliance with applicable Data Protection Laws and align with recognized industry standards (such as SOC 2 or ISO/IEC 27001). The Processor will provide the Controller with prompt written notice of any significant modifications that materially alter the existing security framework.

7.3 The Processor shall notify the Controller of a personal data breach without undue delay. Such notification shall, to the extent available, include a description of the nature of the Personal Data breach, including, where possible, the categories and approximate number of affected Data Subjects and the categories and approximate number of affected Personal Data records. It shall also include the name and contact details of the data protection officer or other relevant contact point, a description of the likely consequences of the breach, and a summary of the measures taken or proposed to be taken to address the breach, including, where appropriate, steps to mitigate any potential adverse effects. Where it is not possible to provide all such information at the same time, the information may be provided in phases without undue delay.

7.4 A notification or response by the Processor regarding a security breach shall not, in itself, be construed as an admission of fault or liability, provided that such notification is made in accordance with the Processor’s legal and contractual obligations. The Controller maintains responsibility for its use of the Application, including ensuring the Application’s security configurations align with the Controller’s specific risk profile, safeguarding all access credentials and systems utilized to reach the Application, and maintaining independent backups of Personal Data to the extent required for the Controller’s business continuity.

8. DELETION OF CUSTOMER PERSONAL DATA

8.1 Personal information used for analytics or artificial intelligence system development, testing, validation, or improvement will be retained only for as long as reasonably necessary for those purposes and will be subject to periodic review and deletion or de-identification where appropriate.

8.2 Upon user account deletion, the Processor shall delete all Personal Data immediately, except for data required to be retained by law, Deliverables owned by the Processor, and aggregated, anonymized data that cannot identify the Controller.

8.3 Upon the Controller’s written request, the Processor shall delete all Personal Data as soon as reasonably practicable and, in any event, within a maximum of thirty [30] days; provided, however, that the Processor may retain such data only to the extent required by applicable law, or hereunder as necessary to fulfill its remaining obligations under this Agreement.

9. USE OF SUB-PROCESSORS

9.1 The Controller hereby agrees that the Processor may engage the following Sub-processors as outlined in Attachment 1.

9.2 Before engaging or providing any Sub-processor with access to Personal Data, the Processor shall conduct thorough due diligence on their data privacy and security measures, including performing a data protection impact assessment where the nature of the processing poses a high risk to the rights and freedoms of data subjects. All selected Sub-processors shall be bound by written data protection and confidentiality obligations substantially equivalent to those in this Agreement, requiring them to maintain compliance with applicable Data Protection Laws, process Personal Data only for the specific purposes authorized by the Controller, and implement appropriate technical and organizational security measures.

9.3 The Processor may, by giving reasonable notice to the Controller, change and/or add to their list of Sub-processors. In such an event, the Processor shall provide at least thirty [30] days' prior written notice. The Controller may reasonably object to such changes within fourteen [14] days if the changes do not meet required data protection standards.

10. DATA SUBJECT RIGHTS

10.1 At the Controller’s request, and considering the nature of the processing, the Processor will provide reasonable assistance, where feasible and at the Controller’s expense, to support the Controller in responding to Data Subject rights requests under applicable Data Protection Laws.

10.2 If either party receives (a) a request from a Data Subject seeking to exercise rights under applicable Data Protection Laws, or (b) any third party request relating to the other party’s processing of account data or Personal Data, that party shall promptly notify the other in writing. In the event the Controller receives such a request, it shall not respond to that request except on the documented instructions of the Processor or as required by applicable laws.

11. AUDIT RIGHTS

11.1 Upon the Controller’s reasonable written request, the Processor shall make available all information necessary to demonstrate compliance with the obligations set forth in this Agreement and allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller. Such audits shall be conducted during regular business hours, no more than once per calendar year (unless following a security breach), and subject to reasonable confidentiality restrictions and advance notice of at least thirty [30] days.

12. DATA TRANSFER AND CROSS-BORDER PROCESSING

12.1 The Controller acknowledges and agrees that the provision of the Application may involve the transfer and processing of Personal Data by the Processor or its Sub-processors in jurisdictions outside of the Controller’s home country, including Canada, the United States, and other regions where the Processor’s infrastructure or Sub-processors are located. The Processor shall ensure that any such cross-border transfer complies with applicable Data Protection Laws and provides a level of protection for Personal Data comparable to that required under the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, Quebec’s Law 25.

12.2 For any transfers of Personal Data originating from the European Union or European Economic Area to countries without an adequacy decision, the parties shall implement and rely upon the EU-approved Standard Contractual Clauses (SCCs).

12.3 To the extent the Controller is subject to specific data localization requirements, the Controller must notify the Processor in writing prior to the transfer of such data. The Processor shall not transfer Personal Data to a jurisdiction subject to comprehensive trade sanctions or where the Processor determines that it cannot maintain the security and confidentiality obligations set forth in this Agreement.

13. MISCELLANEOUS

13.1 Jurisdiction: This Agreement shall be interpreted and governed in accordance with the laws of the Province of Ontario or by the laws of the jurisdiction where the Processor is headquartered, as applicable.

13.2 This Agreement constitutes the entire agreement between the parties with respect to the Application and supersedes and replaces any and all other representations, understandings, negotiations and previous agreements, written or oral, express or implied with respect to the Application. 

Annex 1: Subprocessors

List of Approved Sub-Processors

The Controller agrees to the Processor engaging the following sub-processors with actual or potential access to Personal Data as specified in the Agreement:

| Subprocessor | Purpose | Location |
| --- | --- | --- |
| Pinecone Systems, Inc. | Vector database for AI-powered semantic search, embeddings storage, and similarity retrieval | United States |
| OpenAI, L.P. | AI processing and analysis services | United States |
| Anthropic PBC | AI language model services | United States |
| MongoDB, Inc. / MongoDB Atlas | Cloud database hosting, storage, backups, and database infrastructure | Location depends on selected Atlas region |
| Stripe, Inc. / Stripe, LLC | Payment processing, billing, subscriptions, invoicing, and fraud prevention | United States |
| Google LLC / Firebase | Application backend services including authentication, database, storage, hosting, cloud functions, and notifications | Location depends on selected Firebase / Google Cloud region |
| AC PM LLC / ActiveCampaign – Postmark | Transactional email delivery, email templates, bounce handling, and delivery analytics | United States |
| PostHog Inc. | Product analytics, event tracking, usage analytics, feature flags, experiments, and session / product insights | United States |
| Slack Technologies, LLC | Internal team communication and workflow automation notifications | United States |
| Atlassian Pty Ltd / Trello | Internal project management, bug tracking, and development ticketing | Australia |
