1. Parties and scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between the customer ("Controller") and Chuhching LLC ("Processor"). It governs Processor's handling of Personal Data that Controller makes available through the Chuhching service.
2. Definitions
"Personal Data", "Processing", "Controller", "Processor", "Subprocessor", and "Data Subject" have the meanings set out in Article 4 of Regulation (EU) 2016/679 ("GDPR"). "Applicable Law" means the GDPR, the UK GDPR, the Swiss FADP, the California Consumer Privacy Act, and any other data-protection law that applies to Controller's processing.
3. Roles
Controller is the controller of Personal Data. Processor processes Personal Data on Controller's behalf and only on Controller's documented instructions, which consist of (a) the Agreement, (b) this DPA, and (c) any configurations Controller makes in the product (audit log, export, retention, deletion).
4. Processor obligations
- Process Personal Data only on documented instructions from Controller and for the purposes set out in Annex I.
- Ensure that personnel authorised to process Personal Data are bound by confidentiality.
- Implement the technical and organisational measures set out in Annex III, including encryption of sensitive data at rest and in transit.
- Assist Controller, taking into account the nature of Processing, in responding to data-subject requests (access, rectification, erasure, portability, restriction, objection).
- Notify Controller without undue delay — and in any event within 72 hours — of becoming aware of a Personal Data breach affecting Controller's data.
- Make available to Controller the information reasonably necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, including inspections, conducted by Controller or a mandated auditor, subject to reasonable notice and confidentiality.
- At Controller's choice, delete or return all Personal Data after the end of provision of services, unless retention is required by Applicable Law.
5. Subprocessors
Controller grants Processor a general authorisation to engage Subprocessors. The current list is maintained at /legal/subprocessors (Annex II). Processor will give Controller at least 30 days' written notice before engaging a new Subprocessor or replacing an existing one that processes Personal Data. Controller may object on reasonable data-protection grounds during the notice period; if the parties cannot resolve the objection, Controller may terminate the affected portion of the Services.
Processor remains liable to Controller for the acts and omissions of its Subprocessors as if they were its own.
6. International transfers
Where Processor transfers Personal Data out of the European Economic Area, the United Kingdom, or Switzerland, the transfer is made under the European Commission's Standard Contractual Clauses (Decision 2021/914), the UK International Data Transfer Addendum, and the Swiss FADP addendum as applicable, each incorporated by reference. Module Two (controller-to-processor) applies by default.
7. Data subject rights
Controller can exercise most data-subject rights directly in the product: access via /vault/export and Settings → Privacy & data, rectification via profile edits, erasure via account deletion or per-entity trash (/vault/trash). For assisted requests, email privacy@chuhching.com and Processor will respond within 30 days.
8. Security incidents
Processor will notify Controller of a confirmed Personal Data breach at the Controller's notification email address within 72 hours of discovery, with the information required by Article 33(3) of the GDPR (nature, categories and approximate number of affected data subjects and records, likely consequences, measures taken or proposed). Additional detail will follow as the investigation proceeds.
9. Return and deletion
On termination or expiry of the Agreement, Controller may export all Personal Data from /vault/export. Processor will delete all remaining Personal Data within 30 days of termination, except where retention is required by Applicable Law (tax records, billing records for the statutory retention period). Backups containing Personal Data roll off within 30 days from their creation.
10. Liability
The liability of each party under or in connection with this DPA is subject to the limitations of liability set out in the Agreement. Nothing in this DPA limits either party's liability where it cannot be limited under Applicable Law.
11. Conflict
If there is any conflict between this DPA and the Agreement, this DPA prevails in respect of the processing of Personal Data. If there is any conflict between this DPA and the Standard Contractual Clauses, the Clauses prevail.
12. Changes
Processor may update this DPA to reflect changes in Applicable Law, the product, or the Subprocessor list. Material changes will be communicated to Controller with at least 30 days' notice. Continued use of the Services after the effective date constitutes acceptance.
13. Acceptance
This DPA is accepted by Controller (i) on creation of a paid account, (ii) on continued use of the Services after its publication, or (iii) on countersignature of a PDF copy. Customers who require a countersigned copy may request one from privacy@chuhching.com.
Annex I — Processing details
- Nature and purpose
  - Providing the Chuhching service: account management, AI-drafted pitch generation, outreach delivery via Controller's SMTP provider, response tracking, analytics, and the Business Vault (encrypted storage of credentials, documents, and renewal reminders).
- Categories of data subjects
  - Controller's end users of the Chuhching product; media contacts Controller imports into target lists.
- Types of Personal Data
  - Account data (name, email, profile), usage data (pitches drafted, sent, opened, replied), vault data (credentials, licenses, documents under Controller's control), and limited payment metadata via Stripe.
- Duration
  - For the term of the Agreement, plus the retention periods set out in Section 9.
- Special categories
  - None processed by default. If Controller uploads special-category data into the Vault (e.g. health or religious identifiers), it does so on its own responsibility and in accordance with Applicable Law.
Annex II — Subprocessors
The current list is maintained at /legal/subprocessors. That page is incorporated into this DPA by reference and is updated under the 30-day notice process described in Section 5.
Annex III — Technical and organisational measures
- Encryption in transit. TLS 1.2+ for all customer-facing and subprocessor connections.
- Encryption at rest. AES-256-GCM application-layer encryption for Tier 3 vault values (credentials, tokens, secrets), with the row context supplied as additional authenticated data (AAD) so that a ciphertext is bound to the row it was written for. Versioned master key registry supporting rotation without schema change.
- Access control. Row-Level Security on every Supabase table. Application code authenticates via SSR cookies; admin operations require service-role credentials held only in the server environment. Database-level owner-only policies on vault entities and storage objects (path-prefix gate).
- Step-up authentication. Password re-verification required to reveal Tier-3 plaintext or download a full data export. HMAC-signed 15-minute session flag; re-verification does not rotate the user session.
- Audit logging. Append-only access log records every read, write, delete, restore, export, and download of vault data, with a step-up flag. Log rows survive entity deletion by design (no cascading foreign key).
- Soft-delete and recovery. Deleted vault entities retain a 30-day grace window and are visible in a Trash surface before nightly hard-deletion.
- Rate limiting and abuse controls. Tiered quotas on AI calls; Turnstile challenge on unauthenticated sign-up flows; CRON endpoints gated by shared secret with constant-time comparison.
- Backups. Managed by Supabase with point-in-time recovery. Backup roll-off within 30 days.
- Personnel. Production access limited to named engineering staff bound by confidentiality. Multi-factor authentication required for all cloud-provider consoles.
- Incident response. On-call rotation and the 72-hour breach notification commitment under Section 8.
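The encryption-at-rest and key-rotation measures in Annex III, sketched as an added Go example (not Chuhching's code): the row context (table, row id, column) is fed to AES-256-GCM as additional authenticated data, and a two-byte key-version prefix on each stored blob lets the master key rotate without a schema change. The keys, table and column names below are constructed for the example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Versioned master keys (constructed for this example; a deployment would load them from a KMS).
// Every blob records the version it was written under, so adding a key and bumping currentVersion
// rotates new writes without a schema change while old rows stay readable.
var masterKeys = map[uint16][]byte{1: []byte("0123456789abcdef0123456789abcdef")}
var currentVersion uint16 = 1
// rowContext is the AAD: it binds a ciphertext to its table, row and column, so a blob
// copied into another row or column fails authentication even though the key is the same.
func rowContext(table, rowID, column string) []byte {
	return []byte(table + "|" + rowID + "|" + column)
}
func gcmFor(ver uint16) (cipher.AEAD, error) {
	block, err := aes.NewCipher(masterKeys[ver]) // unknown version: nil key -> KeySizeError
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Encrypt returns version(2 bytes) || nonce(12) || ciphertext||tag(16) as one opaque column value.
func Encrypt(plaintext []byte, table, rowID, column string) ([]byte, error) {
	gcm, err := gcmFor(currentVersion)
	if err != nil {
		return nil, err
	}
	blob := make([]byte, 2+gcm.NonceSize())
	binary.BigEndian.PutUint16(blob, currentVersion)
	if _, err := rand.Read(blob[2:]); err != nil {
		return nil, err
	}
	return gcm.Seal(blob, blob[2:], plaintext, rowContext(table, rowID, column)), nil
}
// Decrypt uses the key version named in the blob and checks the tag over the caller's row
// context; a mismatched row, unknown version or tampered byte yields an error, never plaintext.
func Decrypt(blob []byte, table, rowID, column string) ([]byte, error) {
	if len(blob) < 14 {
		return nil, errors.New("blob too short")
	}
	gcm, err := gcmFor(binary.BigEndian.Uint16(blob[:2]))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[2:14], blob[14:], rowContext(table, rowID, column))
}
```

Because the AAD is checked before any plaintext is released, an attacker with write access to the database cannot move a secret from one user's row into another's and read it back through the application.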