Data Processing Agreement


ChatMx Data Processing Agreement (DPA)

Last Updated: January 30, 2025

This Data Processing Agreement (“DPA”) forms part of the agreement between Nostrade Inc. (operating as “Fermion AI Group”) (“Processor,” “ChatMx,” “we,” “us”) and the customer entity identified in the applicable Order Form or account registration (“Controller” or “Customer”).

This DPA applies where ChatMx Processes Personal Data on behalf of Customer in connection with the Services.

If there is a conflict between this DPA and the Terms of Service or other agreement governing the Services (“Agreement”), this DPA will control only with respect to data protection and privacy Processing terms.

1. Definitions

Capitalized terms not defined here have the meaning given in the Agreement.

“Applicable Data Protection Laws” means all privacy and data protection laws applicable to Processing under this DPA, including (as applicable):

  • Canada’s PIPEDA and provincial privacy laws
  • The GDPR and UK GDPR
  • Other similar privacy laws applicable to Customer’s jurisdiction

“Personal Data” means any information relating to an identified or identifiable individual that is Processed by ChatMx on behalf of Customer.

“Processing” / “Process” means any operation performed on Personal Data (e.g., collection, storage, use, disclosure, deletion).

“Subprocessor” means any third party engaged by ChatMx to Process Personal Data on behalf of Customer.

“Customer Data” means data submitted to the Services by Customer or End Users, including chat transcripts, prompts, responses, and configuration/knowledge base content, to the extent such data contains Personal Data.

2. Roles of the Parties

2.1 Customer as Controller

Customer is the Controller (or equivalent role) of Personal Data Processed through ChatMx when deployed on Customer’s website(s) or digital properties. Customer determines the purposes and means of Processing.

2.2 ChatMx as Processor

ChatMx acts as Processor (or equivalent role) and Processes Personal Data only on documented instructions from Customer, including as necessary to provide, secure, and maintain the Services, unless required by law.

2.3 Customer Responsibility

Customer is responsible for:

  • Providing privacy notices to End Users
  • Obtaining any required consents
  • Ensuring a lawful basis for Processing
  • Complying with applicable privacy laws
  • Responding to End User requests (with Processor assistance where required)

3. Scope of Processing

3.1 Subject Matter

Provision of the ChatMx AI chatbot widget and platform services, including conversation handling, analytics, account administration, and support.

3.2 Duration

Processing continues for the term of the Agreement plus any period required for deletion or return as described in Section 10.

3.3 Nature and Purpose

Processing is performed to:

  • Enable chatbot conversations and generate responses
  • Allow Customer to access and manage conversations
  • Provide product support, maintenance, and security
  • Prevent fraud, abuse, or unauthorized use
  • Comply with applicable legal obligations

3.4 Categories of Data Subjects

  • Website visitors and end customers (“End Users”)
  • Customer employees and authorized agents
  • Individuals whose information is included in Customer Data

3.5 Types of Personal Data

May include:

  • Identifiers (name, email, phone if provided)
  • Conversation content (messages, prompts, AI outputs)
  • Technical data (IP address, browser/device metadata, timestamps)
  • Account/admin data (login email, role-based access, audit logs)

3.6 Special Categories

Customer will not submit or instruct ChatMx to process:

  • Health data / PHI
  • Payment card information
  • Sensitive biometric data
  • Children’s personal information where prohibited

unless explicitly agreed in writing.

4. Customer Instructions

ChatMx will Process Personal Data only in accordance with Customer’s documented instructions, including as configured through Customer’s use of the Services.

If ChatMx believes an instruction violates Applicable Data Protection Laws, ChatMx will notify Customer where legally permissible.

5. Confidentiality

ChatMx ensures that personnel authorized to Process Personal Data are bound by confidentiality obligations and receive appropriate security and privacy training.

6. Security Measures

ChatMx implements appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful access, loss, alteration, disclosure, or destruction.

Security measures are described in Annex 2.

7. Subprocessors

7.1 Authorization

Customer grants general authorization for ChatMx to engage Subprocessors to provide the Services.

7.2 Subprocessor Obligations

ChatMx will:

  • Impose contractual obligations consistent with this DPA
  • Remain responsible for Subprocessor performance

7.3 Notice and Objection

ChatMx will maintain a list of Subprocessors in Annex 3 and provide reasonable notice of material changes. Customer may object on legitimate data protection grounds.

8. Assistance

8.1 Data Subject Requests

Customer remains responsible for responding to End User requests. ChatMx will provide reasonable assistance as required by Applicable Data Protection Laws.

8.2 DPIAs and Regulatory Cooperation

ChatMx will provide reasonable information to assist Customer with DPIAs or consultations where legally required.

9. Personal Data Breach

ChatMx will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and will cooperate in mitigation and remediation as required by law.

10. Return and Deletion

10.1 Chat Log Retention

ChatMx retains chatbot conversation logs for thirty (30) days, after which they are deleted or anonymized unless:

  • Required by law
  • Necessary for security, fraud prevention, dispute resolution, or enforcement

10.2 Deletion Upon Termination

Upon termination, ChatMx will delete or return Customer Personal Data consistent with the Agreement, except as required by law or backups.

10.3 Backups

Personal Data may persist temporarily in encrypted backups and will be deleted in accordance with ChatMx backup lifecycle policies.

11. Cross-Border Transfers

11.1 Data Hosting Location

Customer acknowledges that Customer Data is stored and processed in AWS data centers located in the United States (US-East region).

Customer is responsible for providing cross-border transfer disclosures where required under PIPEDA, GDPR, or other Applicable Laws.

11.2 GDPR Transfers

Where GDPR applies and Personal Data is transferred outside the EEA/UK, the parties will rely on valid transfer safeguards such as the Standard Contractual Clauses (SCCs) and UK Addendum where applicable.

Annexes 1–3 of this DPA serve as the SCC Annexes.

12. No Training on Customer Data

ChatMx does not use Customer Data (including chat transcripts or Personal Data) to train or improve third-party foundation models.

Customer Data is processed solely to provide the Services.

ChatMx may use only aggregated and anonymized operational metrics (that do not identify Customer or any individual) to improve service reliability and performance.

13. Audits

Upon reasonable written request, ChatMx will make available information necessary to demonstrate compliance with this DPA. Audits must:

  • Occur no more than once annually
  • Be conducted under confidentiality
  • Not unreasonably interfere with operations
  • Be satisfied where possible via third-party compliance reports (e.g., SOC 2)

14. Limitation of Liability

The liability provisions of the Agreement apply to this DPA, except where prohibited by Applicable Data Protection Laws.

15. Order of Precedence

SCCs/UK Addendum (if applicable) → This DPA → Agreement, but only regarding Processing terms.

16. Contact

Privacy inquiries: info@fermionaigroup.com
Support: support@fermionaigroup.com

Annex 1 — Details of Processing

Subject matter: ChatMx embedded AI chatbot services
Duration: Subscription term + deletion cycle
Nature: Collection, storage, retrieval, response generation, Customer access
Purpose: Customer support automation, conversation routing, Service improvement (non-identifying)
Data subjects: End Users, Customer admins
Personal data types: Identifiers, chat content, metadata, IP/device logs
Sensitive data: Not intended, prohibited unless agreed

Annex 2 — Security Measures

ChatMx maintains commercially reasonable safeguards, including:

  • Encryption in transit (TLS)
  • Encryption at rest where applicable
  • Role-based access controls and least privilege
  • Authentication controls for admin access
  • Monitoring and logging for anomalous activity
  • Secure development lifecycle and vulnerability patching
  • Incident response and escalation procedures
  • Vendor risk management for Subprocessors
  • Backup encryption and lifecycle deletion controls

Annex 3 — Subprocessors

ChatMx may update this list with notice as described in Section 7.

| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS US-East) | Hosting and infrastructure | United States |
| OpenAI | AI response generation | United States |
| Pinecone | Vector database for retrieval/search | United States |
| Postmark | Customer support and transactional email | United States |
