Data Processing Agreement
Last updated:
This DPA is the GDPR Article 28 agreement between you (the controller) and DoraPilot Ltd. (the processor) covering the personal data you put into the product. It also covers what we do for DORA Article 30 purposes when your customers ask about your sub-contractors. Plain language, no annexes you have to print and sign.
1. Who's who
You are the controller: you decide what personal data goes into the workspace, why, and for how long. DoraPilot Ltd. is the processor: we act only on your documented instructions. Our default instructions are these terms; you can issue further written instructions through your account.
2. What this covers
- Subject matter — the processing necessary to provide the DoraPilot service to you.
- Duration — for as long as your subscription is active, plus the 30-day export window after cancellation.
- Nature and purpose — storing your assessment content, processing it through our application and through the sub-processors listed on our Sub-processors page, and generating outputs (drafts, exports, audit trail).
- Types of data — business contact details (names, work emails, roles), vendor contractual data (counterparty names, addresses, contract metadata), assessment content, audit trail. We do not expect special category data under GDPR Art. 9; if you upload it, please tell us so we can apply extra controls.
- Categories of data subjects — your employees, your customers' representatives, employees of your ICT vendors, and anyone else named in the assessment content you upload.
3. What we promise
- We process your personal data only on your instructions. If a law requires us to process it differently, we'll tell you first unless the law forbids that.
- Everyone on our team with access is under written confidentiality obligations and trained on data protection.
- We apply appropriate technical and organisational measures per GDPR Art. 32. The controls are summarised in the "Security" section of our Privacy notice and described in detail in our Security whitepaper (available on request).
- We help you respond to data subject requests in good time — exports, deletion, rectification — using the product's built-in tools.
- We notify you of a personal data breach without undue delay and within 48 hours of becoming aware, with the information you need to make your own notification under GDPR Art. 33.
- We support your DPIAs and prior consultations with supervisors by providing documentation about our processing on reasonable request.
- We delete or return your personal data at the end of the service, at your choice, except where retention is required by law.
- We make available the information needed to demonstrate our compliance with this DPA and contribute to audits as set out in section 6 below.
4. Sub-processors
You give general authorisation to use the sub-processors listed on our Sub-processors page. We will:
- Keep that list current and tell you in advance of any additions or replacements (see the change-notification mechanism on that page).
- Impose data protection obligations on each sub-processor that are no less protective than those in this DPA.
- Remain liable to you for the acts and omissions of our sub-processors as if they were our own.
- Give you a fair opportunity to object to a new sub-processor on reasonable data-protection grounds. If we can't resolve the objection, you can terminate the affected service with a pro-rata refund.
5. International transfers
We process your personal data in the EU. Where a sub-processor is headquartered outside the EEA, we contract with its EU entity and use EU regions. If a transfer is ever necessary, we rely on the EU–US Data Privacy Framework where the recipient is certified, or on Standard Contractual Clauses with supplementary measures as fallback.
6. Audits
- You may audit our compliance with this DPA once per year (or more often if a regulator orders it or a material incident occurs).
- We'll usually satisfy audit requests by sharing our most recent independent assurance report (SOC 2 Type II and ISO 27001 once issued) under NDA. If that doesn't answer the question, we'll cooperate with an on-site audit with reasonable notice and scope.
- If you're a regulated financial entity subject to DORA Art. 30, your audit rights and your supervisor's audit rights are unaffected. We won't use this DPA to limit a supervisor's right of access.
7. Liability and order of precedence
The liability cap in our Terms of service applies to this DPA, except where law says otherwise. If this DPA conflicts with another document we both signed, the order of precedence is: (1) any signed order form, (2) this DPA, (3) the Terms of service.
8. Term and termination
This DPA is effective when you start using DoraPilot and continues for as long as we process your personal data. Termination of the underlying service ends this DPA, with the deletion and export obligations in section 3(7) and the 30-day window in the Terms.
9. Updates
We'll publish updates to this DPA on this page. For material changes (anything that materially reduces your rights or our obligations) we give 30 days' notice by email.
10. Contact
Data protection matters and urgent incidents: paulo@myneatflow.com. We aim to acknowledge within one business day; dedicated incident response email and 24/7 monitoring will be set up before paid plans open.