Data Processing Agreement
Last updated: March 20, 2026
GovMatrixIQ is operated by DRx Consulting Group LLC.
Zero-Retention AI — Your Data Is Never Trained On. GovMatrixIQ uses a stateless API connection to Anthropic Claude. Prompts are transmitted for inference only and never stored.
1. Scope and Roles
This DPA supplements the Terms of Service and governs GovMatrixIQ's processing of personal data. GovMatrixIQ (operated by DRx Consulting Group LLC) acts as Processor; the Subscriber acts as Controller.
2. CUI Prohibition
This DPA does not authorize CUI processing. CUI handling requires FedRAMP-authorized infrastructure and a separate agreement.
3. Processor Obligations
- Process data only on Controller's documented instructions
- Maintain confidentiality obligations for all authorized personnel
- Implement security measures described in Section 4
- Assist with data subject rights requests within 10 business days
- Delete or return all data within 90 days of termination
- Notify Controller within 72 hours of a data breach
- Cooperate with data protection impact assessments
- Provide 30 days' notice of new sub-processor engagements
4. Security Measures
Encryption: TLS 1.2+ in transit, AES-256 at rest.
Access Controls: Row-Level Security for org isolation, RBAC with least privilege, JWT with 60-second expiry, FIDO2/WebAuthn MFA, configurable session timeouts.
Monitoring: Automated audit logging, system health monitoring with alerting, anomaly detection for auth events.
AI Safeguards: Stateless pipeline (no storage), CUI Mode PII masking, per-user token tracking, AI output labeling.
5. Sub-Processors
- Supabase Inc. — Database and storage (US)
- Clerk Inc. — Authentication (US)
- Stripe Inc. — Payments (US, PCI DSS)
- Anthropic PBC — AI inference, stateless, zero-retention (US)
- Render Inc. — Application hosting (US)
- Resend Inc. — Transactional email (US)
- Twilio Inc. — SMS notifications (US)
GovMatrixIQ provides 30 days' advance notice of any new sub-processor engagement, with an opportunity for the Controller to object.
6. Data Retention
- Active data: during subscription term
- Post-termination: 90 days, then permanently deleted
- AI prompts: not retained (stateless)
- Audit logs: 3 years
- Payment records: per financial regulations (7 years)
7. International Transfers
All data processed in the US. EEA/UK/Switzerland: Standard Contractual Clauses (EU Decision 2021/914).
8. Right to Audit
Controller may audit once per year with 30 days' notice, during business hours. Controller bears audit cost.
9. Breach Notification
72-hour notification including: nature/scope, data categories, estimated individuals affected, consequences, and remedial measures.