Data Processing Agreement (DPA)
Version: 1.0
Effective date: February 13th, 2026
This DPA forms part of the Nevorth SaaS Terms and applies where Nevorth processes personal data on behalf of Customer.
1. Roles
Customer is Controller.
Nevorth is Processor.
2. Subject matter; duration; nature and purpose
Nevorth processes personal data to provide the Decision Referee service, including receiving decision inputs via Slack, generating AI-assisted outputs, operating integrations (Cloudflare Worker and Make scenarios), and providing support/security. Processing continues for the term and any limited period required for deletion/backup cycling.
3. Types of personal data and data subjects
Data subjects: Customer employees (Authorized Users) and other individuals whose identifiers may appear in Slack metadata.
Personal data categories (typical):
Slack workspace, user, channel identifiers; message metadata; timestamps
Decision input text may inadvertently include personal data despite Customer prohibitions
Nevorth does not intend to process special category data; Customer must not submit it.
4. Processor obligations
Nevorth shall:
process personal data only on documented instructions from Customer (as set out in the Terms and this DPA);
ensure personnel confidentiality;
implement reasonable security measures (see Annex 2);
assist Customer with data subject requests to the extent applicable and technically feasible;
assist Customer with DPIAs/consultation where required to the extent the Service is involved;
notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Data;
at termination, delete or return personal data under Nevorth's control as described in Section 9.
5. Subprocessors
5.1. General authorization. Customer provides general authorization for Nevorth to engage Subprocessors.
5.2. List and changes. Current Subprocessors are listed at https://www.nevorth.com/subprocessors. Nevorth will provide notice of material changes by updating the list and, where reasonable, by email to Customer's notice address.
5.3. Flow-down. Nevorth will impose data protection obligations on Subprocessors substantially similar to this DPA.
6. International transfers
Customer acknowledges that Subprocessors may process data outside the EEA. Where required, transfers will be made under appropriate safeguards (e.g., SCCs) as implemented by the relevant Subprocessor and/or Nevorth.
7. Security
Security measures are described in Annex 2. Customer acknowledges the Service relies on third-party platforms and their controls.
8. Audits
Upon written request not more than once per year, Nevorth will provide reasonable information to demonstrate compliance (e.g., written summaries, policies, vendor documentation). On-site audits are not included unless agreed in an enterprise Order Form, and will be subject to confidentiality, scope limits, and cost reimbursement.
9. Deletion/return
Within 30 days after termination/expiration, Nevorth will delete personal data under its control, unless legally required to retain it. Residual copies in backups and Subprocessor systems may persist for up to 90 days or per Subprocessor retention cycles.
10. Liability
Liability under this DPA is subject to the limitation of liability in the Terms unless otherwise agreed in an enterprise Order Form.
Annex 1 — Processing details
As set out in Sections 2–3 above.
Annex 2 — Security measures (summary)
Encryption in transit: TLS/HTTPS for external communications
Access restriction: administrative access limited to authorized personnel
Operational logging for troubleshooting and service operation
Periodic updates/patching of configurations and dependencies where applicable
Reliance on Subprocessor security controls for hosting/integration layers (Slack, Make, Cloudflare, OpenAI, Stripe, Webnode)



