Iqidis Core

Iqidis Service Providers & Subprocessors Policy

Last Updated: August 25, 2025
Owner: Legal & Security, Iqidis, Inc.
Contact: security@iqidis.ai

1) Purpose & Scope

This Policy explains who processes Customer Data and Customer Content for Iqidis customers, how we control those processors, and what security/privacy safeguards apply. It covers:

  • Iqidis’s first‑party (in‑house) processing (including our Knowledge Graph (KG), Retrieval‑Augmented Generation (RAG), and orchestration/multi‑agent layers);
  • Third‑party Service Providers (infrastructure and platform services); and
  • Third‑party Subprocessors that may process Customer Content for discrete inference tasks.

This Policy forms part of, and should be read together with, Iqidis’s Privacy & Data Policy, Terms of Service, and Acceptable Use Policy.

Roles. For Customer Data and Customer Content, customers act as controllers (or equivalent) and Iqidis acts as a processor/service provider; Iqidis may act as a controller only for limited account/admin data as described in the Privacy & Data Policy.

2) Definitions

  • Customer Data: Personal data related to account/profile administration and service operation.
  • Customer Content: Documents, prompts, files, and other content a customer inputs for processing; plus any model Output returned by the Services.
  • Service Providers: Third parties supporting Iqidis’s infrastructure/operations (e.g., hosting, identity) and which may process Customer Data and limited telemetry.
  • Subprocessors: Third parties that may process Customer Content (or its derivatives) to deliver a specific feature or inference step.
  • Internal Processing Services: Iqidis‑operated, first‑party systems (KG/RAG/orchestration) running inside Iqidis‑controlled environments. These are not “subprocessors.”

3) Processing Architecture (Executive Summary): How Iqidis Differs From “ChatGPT” or Out‑of‑the‑Box LLMs

Iqidis is not a simple wrapper around a single model. We operate a hybrid architecture that maximizes confidentiality and control:

  1. In‑house backbone (default).
    Most requests are handled inside Iqidis by our KG/RAG and orchestration services within Iqidis‑controlled infrastructure. Customer Content is containerized per tenant and per user profile—we do not pool or commingle Customer Content across firms or matters. This aligns with the Privacy & Data Policy commitments (real‑time processing; no training on Customer Content).
  2. Selective, discrete subprocessor calls (only when needed).
    For certain discrete aspects of a query (e.g., language polish, translation, format transformation, general‑knowledge reasoning), our orchestrator may invoke a subprocessor (e.g., OpenAI, Anthropic, Google) for inference only. These calls are ephemeral (vendor caching/retention disabled), region‑aware where available, and contractually restricted from training on Customer Content. Payloads are minimized—often redacted or abstracted—limited strictly to the narrow task.
  3. Zero training on Customer Content; minimal retention at Iqidis; none at LLM vendors.
    Iqidis does not use Customer Content to train Iqidis or third‑party models; third‑party models are used only for stateless inference with no vendor‑side retention enabled. Internally, any temporary access for support is purpose‑limited and deleted or anonymized under our Privacy & Data Policy (default within 30 days after issue resolution).

4) How this is different from default cloud “GPTs” and other legal service providers

  • Local‑first, hybrid architecture. Iqidis runs processing in‑house via our Knowledge Graph (KG), RAG, and orchestration layers. We invoke third‑party LLMs for inference steps, with caching/retention disabled by design and training prohibited by contract, which reduces exposure and preserves confidentiality.
  • Your data stays in your account/tenant—never conglomerated. Customer Content is stored and processed within your organization’s dedicated Iqidis tenant and per‑user profile containers. It is not pooled or commingled with other customers’ or matters’ data. (Regional routing is available where supported.)
  • Scoped subprocessor use (what it actually means). When a subprocessor is invoked, we transmit the minimum payload needed for that task (e.g., language polish/translation/formatting or general‑knowledge reasoning). Vendors rely on their pre‑training to perform the task; they do not retain your prompts/outputs and do not train on your data.
  • You own your data and output; Iqidis is your processor. You remain the data controller/owner of your User Content and Output. Iqidis acts solely as a data processor/service provider on your documented instructions—not a custodian or data owner—and claims no rights beyond the limited license necessary to provide the Services.
  • No training on your data; no vendor retention. Customer Content is never used to train Iqidis or third‑party models. Vendor‑side caching is disabled. Internally, any temporary access for support is purpose‑limited and deleted/anonymized under our retention policy.
  • Minimal, content‑free telemetry. For reliability and abuse detection we collect only behavioral/interaction metadata (e.g., clicks, navigation flows, request timing, status/error codes, coarse device/browser data). We do not log prompts, model outputs, or uploaded documents/files.

5) Legal Bases & Frameworks

Processing is conducted under GDPR/UK GDPR/CCPA‑CPRA and other applicable laws based on contract performance, legitimate interests (e.g., security), consent where required, and legal obligations, as described in the Privacy & Data Policy.

6) Security Measures

Iqidis maintains security controls aligned with SOC 2 and ISO 27001 frameworks, including:

  • Encryption in transit and at rest;
  • Access controls (least‑privilege, SSO/IdP, audited admin actions);
  • Network security (segmentation, firewalls/WAF, IDS/IPS, rate‑limiting);
  • Vulnerability management (scanning, independent pen‑testing);
  • Monitoring & audit (central logging, anomaly detection, change control);
  • Secure SDLC (code review, dependency security, environment segregation).

These measures complement the safeguards in the Privacy & Data Policy and AUP.

Breach Notification. If we become aware of a breach affecting Customer Data/Content, we will notify impacted customers without undue delay and no later than 72 hours after becoming aware, unless prohibited by law.

7) Data Location & Transfers

Data is processed primarily in the U.S. and E.U. Regional routing can be adjusted based on customer requirements and technical feasibility; cross‑border transfers use appropriate safeguards (e.g., SCCs/UK addendum) as described in the Privacy & Data Policy.

8) Subprocessor Selection, Contracts & Monitoring

Before engaging or materially changing a subprocessor, Iqidis performs:

  • Due diligence: Security/privacy posture, certifications/controls.
  • Contractual controls: Confidentiality, purpose limitation, no training, security, breach notice, deletion/return on termination.
  • Configuration enforcement: Zero‑retention vendor settings; no optional features that store prompts/outputs; regional controls where available.
  • Ongoing oversight: Periodic reviews, incident obligations, and service monitoring.

9) Change Management & Customer Right to Object

  • Advance notice: Iqidis will provide ≥30 days’ prior notice of any new subprocessor or material change to subprocessing via customer communications or status page.
  • Objection: Customers may reasonably object (privacy/security grounds) within the notice period. We will work in good faith to mitigate concerns (alternative vendor/config).

10) Data Handling, Retention & Telemetry

  • At third‑party LLMs: No retention/caching; no training; no use beyond the specific inference request (settings locked down).
  • At Iqidis: We practice data minimization. Temporary access for support/reliability is purpose‑limited and deleted or anonymized consistent with the Privacy & Data Policy (default within 30 days after issue resolution).
  • Operational telemetry:
    Iqidis collects minimal operational telemetry that excludes Customer Content and uploaded user content. Telemetry is limited to behavioral and interaction metadata (e.g., UI events/clicks, navigation flows, request timing, error/status codes, coarse device/browser metadata) used to ensure reliability, security, and abuse detection, as permitted by the Privacy & Data Policy and AUP. Telemetry does not include prompts, model outputs, or uploaded documents/files.

11) Customer Options & Regionalization

  • Regional routing (where available): Upon request and subject to feature availability, Iqidis will route inference to designated regions (e.g., E.U.) and avoid optional vendor features that store data outside the selected region.
  • Feature‑level controls: If a customer objects to a subprocessor used by a non‑core feature, Iqidis can disable that feature for the tenant.

12) Transparency & Assurance

  • Reports & summaries: Upon reasonable request, Iqidis can provide summaries of third‑party audit reports (e.g., SOC 2/ISO‑aligned controls), recent pen‑test executive summaries, or equivalent assurances.
  • Direct audit: Provided as required by law or agreed in a separate enterprise agreement.

13) Current Service Providers (infrastructure/operations)

These providers support the platform and may process Customer Data (e.g., identity, logs). They are not used to train models.

Provider | Purpose | Typical Location(s) | Notes
Amazon Web Services (AWS) | Cloud infrastructure & hosting | U.S. | Primary compute/storage; encryption and baseline security controls.
Keycloak | Authentication & identity management | U.S. | IAM/SSO; handles identity data.
Vercel | Web hosting / edge delivery | U.S. | UI/edge delivery; limited request metadata processing.

14) Current Subprocessors (process Customer Content for discrete inference/features)

These vendors may process Customer Content ephemerally for inference; Iqidis enforces no training and no retention/caching.

Subprocessor | Purpose | Typical Location(s) | Retention at Vendor | Notes
OpenAI, L.L.C. | LLM inference | U.S. & E.U. | None | May be used selectively for GenAI responses; by design and architecture, no training; contractual no training.
Anthropic (Claude) | LLM inference | U.S. & E.U. | None | May be used selectively for GenAI responses; by design and architecture, no training; contractual no training.
Google (Gemini/Vertex) | LLM inference & compute | U.S. & E.U. | None | May be used selectively for GenAI responses; by design and architecture, no training; contractual no training.
Vercel | Hosting of AI components/UI delivery | U.S. | None | When used near inference microservices, content is not retained; primarily transport/edge compute.
Perplexity AI | External resource lookups | U.S. | None | Used selectively for GenAI responses; contractual no‑training.


Many requests may be satisfied entirely in‑house (KG/RAG/orchestration) without calling an external LLM—further reducing third‑party exposure.

15) Internal Processing Services (Operated by Iqidis)

  • Knowledge Graph (KG) & RAG: Proprietary services that index/link a customer’s authorized sources, perform targeted retrieval, and compose grounded prompts.
  • Orchestration/Multi‑Agent Layer: Directs tool use, applies legal workflows, manages internal reasoning, and decides if/when to call an external LLM.
  • Open‑source components: Where Iqidis uses open‑source libraries within these services, they run inside Iqidis‑controlled environments and do not function as independent subprocessors.
  • Isolation: All internal services run with per‑tenant logical isolation and encryption. They are not subprocessors because Iqidis operates them directly.

This structure aligns with the Privacy & Data Policy representations (real‑time AI processing; no training on Customer Content; purpose‑limited access; deletion/anonymization timelines).

16) Data Subject Requests & Regulatory Inquiries

Iqidis will reasonably assist customers in responding to DSRs (access, deletion, correction, portability, restriction/objection) and regulatory inquiries, consistent with our role and the Privacy & Data Policy.

17) Prohibited Uses & Abuse Monitoring

Customer use must comply with the Acceptable Use Policy (e.g., no reverse engineering/benchmarking abuse; no unauthorized practice of law). Iqidis employs privacy‑preserving security analytics to detect abuse and protect the Service, consistent with the Privacy & Data Policy.

18) Changes to this Policy

We may update this Policy from time to time. Material updates (including any new subprocessor) will be communicated with ≥30 days’ advance notice. The “Last Updated” date above always reflects the most recent version.