Legal & Compliance
Data Processing Addendum
Our data handling practices and your rights under CCPA and applicable law.
Effective Date: March 1, 2026
Last Updated: March 1, 2026
Draft Notice: This document is a working draft. It is provided for informational purposes and does not constitute legal advice. Clients subject to HIPAA, GLBA, FERPA, or other regulated data regimes should work with qualified legal counsel before processing regulated data with any third-party service provider.
1. Purpose
This Data Processing Addendum ("DPA") describes how Integral Business Intelligence ("Integral BI," "Processor") processes personal and business data on behalf of clients ("Controllers") when providing AI integration services. It supplements our Terms of Service and Privacy Policy.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person.
- Business Data: Proprietary, confidential, or non-public information belonging to a client organization.
- Processing: Any operation performed on data, including collection, storage, retrieval, use, disclosure, or deletion.
- Sub-processor: A third party engaged by Integral BI to process data on behalf of a client.
3. Categories of Data We Process
Depending on the services engaged, Integral BI may process the following categories of data:
| Category | Examples | Typical Service Context |
|---|---|---|
| Contact data | Names, emails, phone numbers | CRM integrations, automation workflows |
| Business records | Invoices, contracts, internal memos | Document processing, RAG knowledge bases |
| Operational data | Process logs, inventory records | Workflow automation |
| Communication data | Emails, messages, chat transcripts | Sentiment analysis, triage automation |
| Website interaction | Session logs, omnibar conversations | Analytics, proactive engagement |
We do not process Special Categories of Personal Data (e.g., health, financial account numbers, biometric data) unless explicitly agreed in a separate written agreement with appropriate safeguards.
4. How We Process Data
4.1 Local-First Architecture
Integral BI's core differentiator is on-premises or private-cloud inference. Client data submitted to AI models runs on hardware that we own and operate — not sent to public cloud AI APIs — unless explicitly agreed otherwise in writing.
This means:
- Your documents, prompts, and query results stay within your agreed-upon infrastructure perimeter.
- We do not route client data through OpenAI, Google, Anthropic, or similar public cloud model providers as part of core service delivery without your consent.
4.2 Website AI Assistant
The public AI assistant on this website (the omnibar) uses our local inference infrastructure. Conversations may be logged for quality improvement. Do not submit client-confidential information through the public chat interface.
4.3 Sub-processors
We currently use the following sub-processors for limited, non-inference purposes:
| Sub-processor | Purpose | Data Involved |
|---|---|---|
| Stripe | Payment processing | Payment card data (Integral BI does not store card numbers) |
| Cloudflare | Network security / CDN | IP addresses, request metadata |
| Hosting infrastructure | Website and service delivery | Website usage logs |
We will notify clients of material changes to sub-processors where a client data processing agreement is in place.
5. California Consumer Privacy Act (CCPA / CPRA)
For purposes of the CCPA:
- Integral BI acts as a Service Provider when processing personal information on behalf of clients under contract, and such processing is not considered a "sale."
- We do not sell or share personal information for cross-context behavioral advertising.
- Individuals with CCPA rights may submit requests as described in our Privacy Policy.
6. Data Security
We implement technical and organizational measures appropriate to the risk, including:
- Encryption in transit: All client-facing communications use TLS 1.2 or higher.
- Encryption at rest: Sensitive data stores use encryption at rest where applicable.
- Access controls: Principle of least privilege applies to all systems accessing client data.
- Network segmentation: AI inference infrastructure is isolated from public-facing services.
- Audit logging: Access to data systems is logged and retained for security monitoring.
See our Security Practices page for additional detail.
7. Data Retention and Deletion
Unless otherwise specified in a service agreement:
- Project data is retained for the duration of the engagement plus 90 days, after which it is securely deleted upon client request.
- Website logs and analytics are retained for up to 24 months.
- Financial records are retained for 7 years per standard business practice.
Clients may request deletion of their data at any time by contacting us. We will confirm deletion within 30 days.
8. Data Subject Rights
Where Integral BI processes personal data on behalf of a client (as Processor), the client (as Controller) is responsible for responding to data subject requests. Integral BI will assist clients in fulfilling such requests upon written notice within a commercially reasonable timeframe.
9. Data Breach Notification
In the event of a confirmed data breach affecting client personal data, Integral BI will:
- Notify the affected client within 72 hours of discovery (or as soon as reasonably practicable).
- Provide details of the nature and scope of the incident.
- Cooperate with the client's response and notification obligations.
10. Regulated Industries
Clients in regulated industries (healthcare, finance, education, legal) should note:
- HIPAA: We are willing to execute a Business Associate Agreement (BAA) with covered entities or business associates. Contact us before sharing any Protected Health Information.
- GLBA / financial data: We do not currently maintain SOC 2 certification. Clients subject to GLBA should conduct appropriate vendor due diligence.
- FERPA / student data: We do not knowingly process student education records without explicit agreement and appropriate controls.
11. Contact
For data processing inquiries or to request a client-specific Data Processing Agreement:
Integral Business Intelligence
Email: [email protected]
Questions about this document? Contact us at [email protected]