Data Processing Addendum
Last updated June 11, 2026
This Data Processing Addendum (DPA) describes how Intellibricks Inc., operating MortarIQ, processes personal data on your behalf as a processor under the GDPR and similar laws. It forms part of our Terms of Service.
Roles
For personal data contained in the metadata we process, you (the customer) are the controller and Intellibricks Inc. (operating MortarIQ) is the processor under Article 28 of the GDPR. We process that data only on your documented instructions, which include using the service as configured in your account. Where the CCPA applies, we act as your service provider and do not sell or share personal information.
In practice MortarIQ reads warehouse metadata, not warehouse contents, so the personal data we touch is typically limited to identifiers that appear in schema metadata (such as column names) plus the account data of your users.
Nature and purpose of processing
Subject matter
Providing the AI data readiness assessment service.
Duration
The term of your subscription, plus the retention periods described in our Privacy Policy.
Categories of data
Warehouse schema metadata (INFORMATION_SCHEMA), assessment results derived from it, and account data (name, email, organization). We do not process warehouse row-level data. We never SELECT from your tables.
Data subjects
Your authorized users, and any individuals incidentally identifiable from schema metadata.
Confidentiality
We ensure that anyone we authorize to process your data is bound by an appropriate duty of confidentiality, whether contractual or statutory.
Subprocessors
You authorize us to engage the subprocessors below. Each is bound by data-protection terms no less protective than this addendum. We will give you at least 14 days' notice before adding or replacing a subprocessor, and an opportunity to object on reasonable data-protection grounds.
Anthropic
AI generation. Receives assessment results: scores, requirement outcomes, and metadata-derived diagnostics, which can include schema identifiers such as table and column names. Never receives warehouse data values or credentials. Does not train on API inputs.
Supabase
Database and storage (assessment results, encrypted connections).
Clerk
Authentication and organization management.
Stripe
Payment processing.
Railway
Application hosting.
Sentry
Error monitoring, with credentials and request bodies scrubbed before reports are sent.
PostHog
Product analytics.
Resend
Transactional and digest email delivery.
Security measures
Encryption at rest
Saved warehouse credentials are encrypted with AES-256-GCM. The key is held outside the database.
Encryption in transit
All connections use TLS.
Access control and isolation
Data access is scoped per organization through a single, tested set of access functions, with build-failing tests that enforce the scope.
Least privilege
We request metadata-read permissions only, and we publish the exact read-only SQL we run at /security/queries.
Your rights as controller
Data-subject requests
We will assist you in responding to access, deletion, correction, and portability requests, taking into account the nature of the processing. If a data subject contacts us directly about your data, we will refer them to you.
Audit
We will make available the information needed to demonstrate compliance with Article 28 and support reasonable audits, no more than once a year unless a breach or a regulator requires otherwise.
Instructions
We process only on your instructions, and we will tell you if we believe an instruction infringes data-protection law.
Impact assessments
We will provide reasonable assistance with data-protection impact assessments and consultations with supervisory authorities, where they relate to our processing.
Breach notification
We will notify you without undue delay, and in any event within 72 hours, after becoming aware of a personal-data breach affecting your data. The notice will describe the nature of the breach, the likely consequences, and the measures taken or proposed, so you can meet your own notification obligations.
Return and deletion
On termination, or on your request, we delete or return your data and delete existing copies, except where the law requires retention. Residual copies in encrypted backups are purged on the backup rotation schedule. You can delete a saved connection at any time from Settings. Credentials are permanently removed, not soft-deleted.
International transfers
Where processing involves transferring personal data out of the EEA or UK, we rely on appropriate safeguards such as the Standard Contractual Clauses (and the UK Addendum where applicable), together with supplementary measures where required.
Liability and order of precedence
Each party's liability under this addendum is subject to the limitations of liability in the Terms of Service. If this addendum conflicts with the Terms, this addendum governs for data-protection matters.
Signing this DPA
This addendum supplements our Terms of Service and applies whenever we act as your processor. If your procurement process requires a countersigned copy, email support@intellibricks.app and we will execute one.
Questions?
Email support@intellibricks.app. See also our security practices.