Data Processing Agreement

Effective Date: December 2025

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between ClaimArmor, LLC (“Processor” or “ClaimArmor”) and the entity agreeing to these terms (“Controller” or “Customer”). This DPA applies when ClaimArmor processes Personal Data on behalf of the Customer.

1. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Processing” means any operation performed on Personal Data, including collection, storage, use, and deletion.
  • “Data Subject” means the individual to whom Personal Data relates.
  • “Sub-processor” means any third party engaged by ClaimArmor to process Personal Data.

2. Scope of Processing

ClaimArmor processes Personal Data solely to provide the services described in the Terms of Service. The types of Personal Data processed include:

  • Account information (name, email, professional credentials)
  • Usage data (session logs, feature usage)
  • Content data (documents and information submitted to the Service)
  • Payment information (processed through secure payment processors)

3. Processor Obligations

ClaimArmor agrees to:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to Data Subject requests
  • Delete or return Personal Data upon termination of services
  • Make available information necessary to demonstrate compliance

4. Security Measures

ClaimArmor implements and maintains:

  • Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256)
  • Access controls and authentication mechanisms
  • Regular security assessments and vulnerability testing
  • Incident response procedures
  • Employee security training
  • Physical security at data center facilities

5. Sub-processors

The Controller authorizes ClaimArmor to engage sub-processors to assist in providing the Service. ClaimArmor maintains contracts with sub-processors imposing data protection obligations substantially similar to this DPA. Current sub-processors include:

  • Cloud Infrastructure: US-based data center providers
  • Payment Processing: Stripe, Inc.
  • AI Services: Anthropic, OpenAI (no personal data shared)

ClaimArmor will notify the Controller of any new sub-processors with an opportunity to object.

6. Data Transfers

All Personal Data is stored and processed exclusively within the United States. ClaimArmor does not transfer Personal Data outside the US. For customers subject to GDPR, we rely on the adequacy framework for US-EU data transfers where applicable.

7. Data Subject Rights

ClaimArmor will assist the Controller in responding to requests from Data Subjects to exercise their rights, including:

  • Access to Personal Data
  • Rectification of inaccurate data
  • Erasure (“right to be forgotten”)
  • Data portability
  • Restriction of processing
  • Objection to processing

8. Data Breach Notification

ClaimArmor will notify the Controller without undue delay (and within 72 hours where feasible) upon becoming aware of a Personal Data breach affecting Controller data. The notification will include available details about the nature of the breach, affected data, and remediation steps.

9. Audit Rights

ClaimArmor will make available to the Controller information necessary to demonstrate compliance with this DPA. Upon reasonable request and subject to confidentiality obligations, ClaimArmor will allow for audits or inspections conducted by the Controller or an appointed auditor.

10. Term and Termination

This DPA remains in effect for the duration of ClaimArmor’s processing of Personal Data. Upon termination, ClaimArmor will delete or return all Personal Data within 90 days unless retention is required by law.

Contact

For DPA-related inquiries:
Email: dpa@claimarmorai.com
Subject: “DPA Inquiry”