Compliance, Security, and Privacy
CorpusIQ LLC, Scottsdale, Arizona. Last updated:
.
Contact:
security@corpusiq.io,
privacy@corpusiq.io.
Purpose
This page documents the technical and organizational measures we apply to protect user data. It also provides exact answers for Apple and OpenAI reviewers.
Product scope
- Sources: iCloud Mail, iCloud Drive. User-authorized only. No device agents. No browser extensions.
- Outputs: in-chat answers, ranked references, and optional deep search results.
- Storage: embeddings and minimal metadata. No raw file bodies in the active memory store by default.
- Controls: per user namespace, hard retention limits, immediate deletion endpoint, immutable audit trail.
Data inventory and flow
Data types
- Identifiers: email address, Apple OAuth subject, internal user ID.
- Content derived data: text chunks and vector embeddings.
- Operational data: access logs, deletion receipts, billing records.
Excluded data
- No sale of personal data.
- No third party ads. No trackers beyond analytics with IP masking.
- No raw credentials storage. Tokens are scoped and revocable.
High level flow
- User signs in with Apple. We receive an OAuth subject and a short lived token.
- User connects iCloud Mail or Drive using app specific credentials or Apple APIs.
- Backend converts text to embeddings. Raw text can be streamed only for processing, then discarded after chunking unless the user enables deep archive.
- At query time we retrieve top results by similarity, generate an answer, and show citations.
- Deletion removes embeddings, metadata, and tokens. An audit entry records the deletion event.
Data classification
| Class | Examples | Encryption | Retention |
|---|---|---|---|
| Account | Email, OAuth subject | AES-256 at rest | Until account deletion |
| Derived | Embeddings, chunk IDs | AES-256 at rest | 30 days default, 12 months if deep archive is enabled |
| Operational | Audit logs, deletion receipts | AES-256 at rest | 24 months, security only |
Security controls
- Transport security: TLS 1.3 only, HSTS, forward secrecy.
- Encryption at rest: AES-256, managed keys, key rotation every 90 days.
- Network: private subnets, deny by default, WAF and rate limits on all public endpoints.
- Access: SSO, least privilege, hardware key for production access. Production data is not copied to developer laptops.
- Secrets: stored in a dedicated secrets manager, never in source control.
- Logging: structured logs, immutable audit stream, retention as stated.
- Pen-testing: independent assessment at least annually, remediation tracked to closure.
- Business continuity: daily encrypted backups, restore tests every 30 days.
- Change control: versioned IaC, peer review, and staged rollouts.
Privacy and lawful basis
- Lawful basis: user consent at connection time, with clear scopes.
- Children: not directed to children under 16.
- Do not sell personal information. No cross context behavioral advertising.
- International transfers: standard contractual clauses where relevant.
Retention and deletion
- Active memory: 30 days rolling limit.
- Deep archive: optional, up to 12 months. Off by default.
- Immediate user deletion via API and in app controls.
- Audit receipt returned on deletion. Example below.
Deletion API
DELETE https://api.corpusiq.io/v1/delete_my_data
Authorization: Bearer <token>
Response 200
{
"status": "deleted",
"deleted_resources": ["embeddings","metadata","tokens"],
"audit_id": "del_01J9Z3R4A2",
"timestamp": "2025-10-14T15:32:10Z"
}
Subprocessors
| Vendor | Purpose | Data types | Region | DPAs |
|---|---|---|---|---|
| OpenAI | Model inference | Prompts and derived embeddings | USA | Data protection terms published by vendor |
| Cloud hosting provider | Compute and storage | Encrypted data at rest | USA | DPA in place |
| Analytics with IP masking | Product analytics | Anonymized events | USA | DPA in place |
Incident response
- Detect and triage. Open a ticket, assign severity.
- Contain, eradicate, and recover.
- Notify affected users within 72 hours after confirmation, when legally required.
- Retrospective with corrective actions and ownership.
Annual reviews and audits
- SOC 2 readiness program with quarterly control checks.
- Independent pen-test at least once per year.
- Vendor reviews and DPA renewals annually.
User data rights
Users can request access, correction, export, and deletion of their data. Contact privacy@corpusiq.io. We respond within 30 days.
Notes for Apple and OpenAI reviewers
Apple
- Sign in with Apple is required for account creation.
- iCloud Mail and Drive connections are user initiated. We do not store raw Apple content by default.
- Domain ownership verified. Callback: /oauth/apple/callback.
OpenAI
- Actions use a documented OpenAPI spec with three endpoints: /v1/query, /v1/deep_search, /v1/delete_my_data.
- We provide a reviewer account with synthetic data and a Postman collection.
- No background data extraction. Only user invoked actions.
Public API and examples
OpenAPI
{
"openapi": "3.0.3",
"info": {"title": "CorpusIQ API", "version": "1.0.0"},
"servers": [{"url": "https://api.corpusiq.io"}],
"paths": {
"/v1/query": {"post": {"summary": "Query active memory", "requestBody": {"required": true}, "responses": {"200": {"description": "OK"}}}},
"/v1/deep_search": {"post": {"summary": "Query deep archive", "requestBody": {"required": true}, "responses": {"200": {"description": "OK"}}}},
"/v1/delete_my_data": {"delete": {"summary": "Delete user data", "responses": {"200": {"description": "Deleted"}}}}
}
}cURL examples
# Query
curl -s -X POST https://api.corpusiq.io/v1/query \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"q":"what is the renewal date for the ACME contract"}'
# Deep search
curl -s -X POST https://api.corpusiq.io/v1/deep_search \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"q":"Q4 keyword performance report"}'
# Deletion
curl -s -X DELETE https://api.corpusiq.io/v1/delete_my_data \
-H "Authorization: Bearer $TOKEN"Change log
- 2025-10-14, initial publication with reviewer notes and API examples.