Data Processing Agreement
Last updated: April 19, 2026. This is a template. Contact legal@norafoundation.io for execution. This document does not create binding obligations until signed by both parties.
1. Parties and definitions
This Data Processing Agreement ("DPA") is entered into between the entity identified on the order form or subscription agreement ("Controller") and NORA Foundation ("Processor"), collectively the "Parties."
"Personal Data," "Processing," "Data Subject," "Sub-processor," and "Supervisory Authority" have the meanings given in applicable data protection law (including, where applicable, the General Data Protection Regulation, Regulation (EU) 2016/679).
"Services" means the Meridian workspace, archive, Canon attestation, and AI-assisted features provided by the Processor under the underlying service agreement.
2. Subject matter and duration
The Processor will process Personal Data on behalf of the Controller for the duration of the underlying service agreement, plus any post-termination period required for data return or deletion as specified in Section 9.
3. Nature and purpose of processing
The Processor processes Personal Data to provide the Services, including:
- Document archival. Ingestion, storage, indexing, and retrieval of documents submitted by the Controller or its authorized users within isolated per-user databases.
- AI-assisted search and analysis. Processing of document content and metadata through machine-learning models to enable search, summarization, and contextual retrieval features.
- Attestation generation. Creation and management of Canon-format attestations, custody chains, and cryptographic seals that reference document content and metadata.
- Authentication and access control. Processing of user identifiers and session data to enforce per-user database isolation and role-based access.
4. Types of personal data
The categories of Personal Data processed under this DPA may include:
- Documents and attachments uploaded to the archive (which may contain any category of data the Controller chooses to submit).
- Document metadata: filenames, content hashes, timestamps, submitter identifiers, custody-chain entries.
- User account information: email addresses, display names, profile details as provided through the authentication provider.
- Usage logs: access timestamps, feature interactions, API call records, search queries.
5. Data subject categories
Data Subjects may include the Controller's employees, contractors, clients, and any individuals whose Personal Data is contained within documents submitted to the Services.
6. Processor obligations
6.1 Security measures
The Processor will implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures are described in the Appendix to this DPA and include, at minimum, encryption in transit and at rest, per-user database isolation, access controls, and regular security assessments.
6.2 Sub-processor management
The Processor may engage Sub-processors to assist in providing the Services. A current list of Sub-processors is maintained at norafoundation.io/legal/subprocessors. The Processor will notify the Controller of any intended changes to Sub-processors with reasonable advance notice. The Processor will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA.
6.3 Breach notification
The Processor will notify the Controller without undue delay and in any event within seventy-two (72) hours of becoming aware of a Personal Data breach. Notification will include, to the extent available: the nature of the breach, the categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
6.4 Confidentiality
The Processor will ensure that persons authorized to process Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory.
7. Data subject rights assistance
The Processor will assist the Controller in responding to Data Subject requests to exercise their rights under applicable data protection law, including rights of access, rectification, erasure, restriction, portability, and objection. The Processor will promptly redirect to the Controller any Data Subject request that the Processor receives directly, unless otherwise instructed.
8. Data protection impact assessments
The Processor will provide reasonable assistance to the Controller in conducting data protection impact assessments and prior consultations with Supervisory Authorities, to the extent required by applicable law and to the extent that the Controller does not otherwise have access to the relevant information.
9. Return and deletion of data
Upon termination of the service agreement, or upon the Controller's written request, the Processor will:
- Make available to the Controller all Personal Data in a structured, commonly used, and machine-readable format.
- Delete all Personal Data from active systems within thirty (30) calendar days, consistent with the account deletion flow and recovery window described in the Privacy Policy.
- Remove Personal Data from backup systems within ninety (90) calendar days, unless retention is required by applicable law.
The thirty-day recovery window allows the Controller to reverse an accidental deletion request. After this window closes, deletion is irreversible.
10. Audit rights
The Processor will make available to the Controller information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller. Audits will be subject to reasonable advance notice (no less than thirty days), confidentiality obligations, and reasonable scope limitations to avoid disruption to the Processor's operations or compromise of other customers' data.
11. Cross-border transfers
If the processing involves transfer of Personal Data outside the European Economic Area, the United Kingdom, or Switzerland, the Processor will ensure that appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, adequacy decisions, or other mechanisms permitted by applicable law. The current Sub-processor list indicates the location of each Sub-processor.
Appendix: Technical and organizational measures
The following measures are implemented by the Processor as of the effective date. These measures are subject to continuous improvement and may be updated provided that the overall level of protection is not materially diminished.
- Encryption. All data encrypted in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
- Tenant isolation. Per-user PostgreSQL databases with connection-level isolation. No shared tables between tenants.
- Authentication. Multi-factor authentication available via Clerk. Session tokens with configurable expiration.
- Access control. Role-based access within organizational accounts. Principle of least privilege for infrastructure access.
- Logging and monitoring. Audit logs for data access and administrative actions. Error monitoring via Sentry with PII scrubbing enabled.
- Backup and recovery. Automated database backups with point-in-time recovery. Backups encrypted at rest.
- Incident response. Documented incident response procedure with defined escalation paths and post-incident review.
- Vendor management. Sub-processors evaluated for security posture prior to engagement. DPAs in place with all Sub-processors handling Personal Data.