Compliance, Security, and Privacy
CorpusIQ LLC, Scottsdale, Arizona. Last updated: December 31, 2025.
Table of Contents
Section 1
Product Scope
Section 2
Data Inventory and Flow
Your Data Sources
Read-only OAuth
CorpusIQ
AI Clients
- Encrypted retrieval: data is encrypted in transit and at rest, scoped per user.
- User-scoped isolation: each account operates in a separate namespace with no cross-access.
- Ephemeral context: only short-lived query context is passed to ChatGPT, never persisted.
| Class | Examples | Encryption | Retention |
|---|---|---|---|
| Account | Email, OAuth subject | AES-256 at rest | Until account deletion |
| Derived | Embeddings, chunk IDs | AES-256 at rest | Until connector revocation or account deletion |
| Operational | Audit logs, deletion receipts | AES-256 at rest | 24 months, security only |
Section 3
Security Controls
CASA Tier 2 Certified by DEKRA
Assessed by DEKRA · OWASP Top 10 Verified
Section 4
Privacy and Lawful Basis
Section 5
Retention and Deletion
We store zero customer data by default. Embeddings and metadata are retained only while the connector is active.
Connector revocation removes all associated embeddings and tokens immediately.
Audit receipts retained for 24 months for compliance purposes only.
Account deletion removes all data, tokens, and metadata with final audit receipt.
No backups of customer content retained after deletion.
DELETE https://api.corpusiq.io/v1/delete_my_data
Authorization: Bearer <token>
Response 200:
{
"status": "deleted",
"deleted_resources": ["embeddings","metadata","tokens"],
"audit_id": "del_01J9Z3R4A2",
"timestamp": "2025-10-14T15:32:10Z"
}Section 6
Subprocessors
| Vendor | Purpose | Data types | Region |
|---|---|---|---|
| OpenAI | Model inference | Prompts and derived embeddings | USA |
| Cloud hosting | Compute and storage | Encrypted data at rest | USA |
| Analytics (IP masked) | Product analytics | Anonymized events | USA |
Section 7
Incident Response
Detect and triage. Open a ticket, assign severity.
Contain, eradicate, and recover.
Notify affected users within 72 hours after confirmation, when legally required.
Retrospective with corrective actions and ownership.
Section 8
Annual Reviews and Audits
SOC 2 readiness program with quarterly control checks.
Independent pen-test at least once per year.
Vendor reviews and DPA renewals annually.
Section 9
User Data Rights
Users can request access, correction, export, and deletion of their data. Contact privacy@corpusiq.io. We respond within 30 days.
Access
Request a copy of all data we hold about you.
Correction
Ask us to correct inaccurate personal data.
Export
Receive your data in a machine-readable format.
Deletion
Permanently erase all data, tokens, and embeddings.
Section 10
Notes for Apple and OpenAI Reviewers
Apple
- Sign in with Apple is required for account creation.
- All data source connections are user-initiated via OAuth. We do not store raw content by default.
- Domain ownership verified. Callback:
/oauth/apple/callback
OpenAI
Actions use a documented OpenAPI spec with three endpoints:
/v1/query/v1/deep_search/v1/delete_my_data- We provide a reviewer account with synthetic data and a Postman collection.
- No background data extraction. Only user-invoked actions.
Section 11
Public API and Examples
OpenAPI spec v3.0.3 · Base: https://api.corpusiq.io · Endpoints: POST /v1/query · POST /v1/deep_search · DELETE /v1/delete_my_data
curl -s -X POST https://api.corpusiq.io/v1/query \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"q":"what is the renewal date for the ACME contract"}'curl -s -X POST https://api.corpusiq.io/v1/deep_search \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"q":"Q4 keyword performance report"}'curl -s -X DELETE https://api.corpusiq.io/v1/delete_my_data \ -H "Authorization: Bearer $TOKEN"
Section 12
Change Log
Questions about security?
Reach our security team directly or start your free trial with confidence.