
Data Processing Agreement

Last updated: March 20, 2026

GovMatrixIQ is operated by DRx Consulting Group LLC.

Zero-Retention AI — Your Data Is Never Trained On. GovMatrixIQ uses a stateless API connection to Anthropic Claude. Prompts are transmitted for inference only and never stored.

1. Scope and Roles

This DPA supplements the Terms of Service and governs GovMatrixIQ's processing of personal data. GovMatrixIQ (operated by DRx Consulting Group LLC) acts as Processor; the Subscriber acts as Controller.

2. CUI Prohibition

This DPA does not authorize CUI processing. CUI handling requires FedRAMP-authorized infrastructure and a separate agreement.

3. Processor Obligations

  • Process data only on Controller's documented instructions
  • Maintain confidentiality obligations for all authorized personnel
  • Implement security measures described in Section 4
  • Assist with data subject rights requests within 10 business days
  • Delete or return all data within 90 days of termination
  • Notify Controller within 72 hours of a data breach
  • Cooperate with data protection impact assessments
  • Provide 30 days' notice of new sub-processor engagements

4. Security Measures

Encryption: TLS 1.2+ in transit, AES-256 at rest.

Access Controls: Row-Level Security for org isolation, RBAC with least privilege, JWT with 60-second expiry, FIDO2/WebAuthn MFA, configurable session timeouts.

Monitoring: Automated audit logging, system health monitoring with alerting, anomaly detection for auth events.

AI Safeguards: Stateless pipeline (no storage), CUI Mode PII masking, per-user token tracking, AI output labeling.

5. Sub-Processors

  • Supabase Inc. — Database and storage (US)
  • Clerk Inc. — Authentication (US)
  • Stripe Inc. — Payments (US, PCI DSS)
  • Anthropic PBC — AI inference, stateless, zero-retention (US)
  • Render Inc. — Application hosting (US)
  • Resend Inc. — Transactional email (US)
  • Twilio Inc. — SMS notifications (US)

30 days' advance notice for new sub-processor engagements, with opportunity to object.

6. Data Retention

  • Active data: during subscription term
  • Post-termination: 90 days, then permanently deleted
  • AI prompts: not retained (stateless)
  • Audit logs: 3 years
  • Payment records: per financial regulations (7 years)

7. International Transfers

All data processed in the US. EEA/UK/Switzerland: Standard Contractual Clauses (EU Decision 2021/914).

8. Right to Audit

Controller may audit once per year with 30 days' notice, during business hours. Controller bears audit cost.

9. Breach Notification

72-hour notification including: nature/scope, data categories, estimated individuals affected, consequences, and remedial measures.

10. Contact

dpo@govmatrixiq.com · compliance@govmatrixiq.com

© 2026 DRx Consulting Group LLC. All rights reserved.
