Data Processing Policy

This Data Processing Policy describes how Achiral AI processes Customer Content and organization data for business customers using the Service.

This policy supplements the Terms of Service, Privacy Policy, and any applicable data processing addendum or written customer agreement.

For business Customer Content, the customer organization generally acts as controller or business, and Achiral AI acts as processor or service provider, unless a written agreement states otherwise.

For account administration, billing, security, website analytics, and our own business operations, Achiral AI may act as an independent controller.

Customer Content may include prompts, messages, outputs, memories, documents, files, embeddings, retrieval results, connector data, organization settings, metadata, audit logs, support context, and user information needed to operate the tenant.

Connector data may include data from systems you authorize, such as collaboration tools, documents, customer systems, issue trackers, source repositories, calendars, email, CRM systems, and other business applications.

We process Customer Content to provide the Service, maintain tenant memory, perform retrieval and inference, operate connectors, deliver support, secure the platform, troubleshoot issues, comply with law, and follow documented customer instructions.

Customers are responsible for ensuring they have the rights, notices, permissions, and legal bases needed to submit Customer Content and connect third-party systems.

Achiral AI does not use business Customer Content to train shared foundation models unless the customer expressly agrees in a separate written agreement or opt-in control.

We may use aggregated, de-identified, or operational telemetry to improve reliability, safety, security, routing, latency, and product quality, provided it is not used to identify a customer or reconstruct Customer Content.

Each organization is assigned a tenant boundary for memory, retrieval, and organization data. Controls may include logical tenant separation, access controls, encryption, logging, monitoring, backups, and role-based administrative permissions.

Higher-tier or custom plans may include additional controls such as dedicated infrastructure, custom retention, enhanced audit review, SSO, or negotiated security obligations.

Customer administrators control user access, connector access, and organization configuration. Achiral AI personnel access Customer Content only when needed to provide support, maintain security, investigate incidents, comply with law, or perform services authorized by the customer.

AI Shepherds may assist with setup, memory quality, connector troubleshooting, retrieval/inference quality, and account support. Their access should be limited to the support task and applicable plan or customer agreement.

We may use subprocessors for hosting, storage, analytics, billing, communications, security, support, and other operational services. We require subprocessors to protect data according to contractual obligations appropriate to their role.

Where required by an applicable agreement, we will provide notice of material subprocessor changes and an opportunity to object.

Customer Content is retained according to organization settings, plan terms, connector behavior, backups, security requirements, legal obligations, and any applicable written agreement.

Deleted data may persist for a limited period in backups, logs, caches, or security systems before being overwritten or removed according to standard retention processes, unless longer retention is required by law or necessary to protect the Service.

If we determine that a security incident has affected Customer Content, we will notify affected customers without undue delay and provide information reasonably available to help customers meet their own obligations.

Data processing questions may be sent to [email protected]. Security reports may be sent to [email protected].