Cherokee AI Solutions
/ legal · dpa

Data Processing Addendum

Last updated: 2026-04-24

This Addendum forms part of the Terms of Service between Cherokee AI Solutions LLC ("Processor") and the Client ("Controller") and applies whenever Processor processes personal data of Controller's customers.

1. Roles

Controller determines the purposes and means of processing. Processor acts only on Controller's documented instructions, which are the Terms of Service, this Addendum, and Controller's configuration of the service.

2. Subject matter and duration

Subject matter: drafting and sending email communications, follow-up sequences, and review requests on Controller's behalf. Duration: while Controller's account is active, plus the 90-day post-cancellation retention period.

3. Categories of data processed

  • Customer email addresses, names, phone numbers (where provided).
  • Inbound email content from Controller's customers.
  • Job records (customer name, email, job type, date) entered by Controller.
  • Reply history and follow-up status.

4. Sub-processors

Processor uses these sub-processors:

  • Anthropic, PBC — AI inference for drafting replies. Data residency: United States.
  • Lemon Squeezy, Inc. / PayPal Holdings, Inc. / NOWPayments OÜ / Wise Payments Ltd. — payment processing only, varies by rail selected. No customer email content shared.
  • Resend, Inc. — transactional email (account verification, password reset, billing receipts). No customer email content shared.
  • Cloudflare, Inc. — DNS, TLS termination, DDoS mitigation. Edge-only; no payload retention.

Processor will give Controller 30 days' notice before adding a new sub-processor.

5. Security measures

  • TLS 1.2+ in transit.
  • Email app passwords encrypted at rest (AES-256).
  • Account passwords hashed with PBKDF2-SHA256 (200,000 iterations).
  • Database backups encrypted; production access restricted to the founder.
  • Audit logs of administrative actions.

6. Confidentiality

Personnel with access to personal data are bound by confidentiality obligations.

7. Data subject requests

Processor will assist Controller in responding to access, deletion, correction, and portability requests from Controller's customers. Controller can fulfill most requests directly via the Settings page or by emailing Processor.

8. Breach notification

Processor will notify Controller without undue delay (and within 72 hours) of becoming aware of a personal data breach affecting Controller's data, with details sufficient for Controller to comply with its own notification obligations.

9. Audits

Processor will provide reasonable information to demonstrate compliance with this Addendum upon Controller's request. On-site audits are not generally available given Processor's single-tenant infrastructure; Processor will respond to written security questionnaires.

10. International transfers

If Controller is located outside the United States, Standard Contractual Clauses (where required by law) apply between Processor and Controller as the basis for transfer.

11. Return or deletion

On termination, Processor will return or delete all personal data within 90 days, except where retention is required by law.

12. Liability

Liability under this Addendum is governed by, and subject to the limitations in, the Terms of Service.

Terms of Service · Privacy Policy