Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the Agreement between Nodaloom Inc. (“Processor” or “Nodaloom”) and the entity or individual identified in the applicable subscription or Order Form (“Controller” or “Customer”) for the provision of the Nodaloom Service.
This DPA sets out the terms under which Nodaloom processes personal data on behalf of the Customer in connection with the Service, in compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), the Chilean Law on the Protection of Personal Data (Ley N° 21.719 and its predecessor Ley N° 19.628) (“Chilean Data Protection Law”), and any other applicable data protection legislation (“Data Protection Laws”).
Capitalised terms not defined herein have the meanings given to them in the Terms of Service or, where applicable, the GDPR.
1. Definitions
“Authorised Sub-processor” means a third party authorised by Nodaloom, in accordance with Section 7 of this DPA, to process Personal Data on behalf of the Customer.
“Data Protection Laws” means the GDPR, the UK GDPR, the Chilean Data Protection Law, and any other applicable data protection or privacy legislation, as amended or replaced from time to time.
“Data Subject” means an identified or identifiable natural person whose Personal Data is processed under this DPA.
“EEA” means the European Economic Area.
“Personal Data” means any information relating to an identified or identifiable natural person that is processed by Nodaloom on behalf of the Customer in connection with the Service.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
“Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Commission Implementing Decision (EU) 2021/914.
“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018.
2. Scope and Roles
2.1 Roles of the Parties
For the purposes of Data Protection Laws:
(a) The Customer is the data controller who determines the purposes and means of Processing Personal Data submitted to the Service.
(b) Nodaloom is the data processor who Processes Personal Data on behalf of the Customer in accordance with the Customer’s documented instructions and the terms of this DPA.
2.2 Subject Matter and Duration
This DPA applies to the Processing of Personal Data by Nodaloom in connection with the provision of the Service for the duration of the Agreement between the parties. Upon termination of the Agreement, this DPA shall continue to apply to any Personal Data retained by Nodaloom in accordance with Section 10.
2.3 Nature and Purpose of Processing
Nodaloom Processes Personal Data for the following purposes:
(a) Providing the AI-powered academic writing assistance functionalities of the Service, including transmitting User Content to Third-Party AI Providers for the generation of AI-Assisted Output.
(b) Account management, authentication, and billing.
(c) Technical operation, monitoring, and security of the Service.
(d) Compliance with applicable legal obligations.
The details of Processing activities are further described in Annex I to this DPA.
3. Obligations of Nodaloom
3.1 Processing Instructions
Nodaloom shall Process Personal Data only on the documented instructions of the Customer, unless required to do so by applicable law. The Agreement (including the Terms of Service and this DPA) constitutes the Customer’s complete instructions at the time of entering into the Agreement. Additional instructions may be agreed in writing between the parties.
3.2 Confidentiality
Nodaloom shall ensure that all personnel authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 Security Measures
Nodaloom shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as further described in Annex II to this DPA. Such measures shall include, as appropriate: encryption of Personal Data in transit and at rest; measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems; the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures.
3.4 No Training on Personal Data
Nodaloom shall not use Personal Data processed on behalf of the Customer to train, fine-tune, or improve any machine learning model, whether proprietary to Nodaloom or operated by any Third-Party AI Provider.
4. Data Subject Rights
Nodaloom shall, taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer’s obligation to respond to requests for exercising Data Subject rights under applicable Data Protection Laws. If Nodaloom receives a request directly from a Data Subject, Nodaloom shall promptly redirect the Data Subject to the Customer and shall notify the Customer of the request without undue delay.
5. Personal Data Breach Notification
5.1
Nodaloom shall notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Customer.
5.2
Such notification shall include, to the extent available: a description of the nature of the Personal Data Breach; the categories and approximate number of Data Subjects concerned; the likely consequences of the breach; and the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.
5.3
Nodaloom shall cooperate with the Customer and take commercially reasonable measures to assist in the investigation, mitigation, and remediation of each Personal Data Breach.
6. Data Protection Impact Assessments and Prior Consultations
Nodaloom shall provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with supervisory authorities that the Customer is required to carry out under applicable Data Protection Laws, taking into account the nature of the Processing and the information available to Nodaloom.
7. Sub-processors
7.1
The Customer authorises Nodaloom to engage the Authorised Sub-processors listed in Annex III to this DPA.
7.2
Nodaloom shall impose on each Authorised Sub-processor data protection obligations no less protective than those set out in this DPA, by way of a written contract.
7.3
Nodaloom shall inform the Customer of any intended changes concerning the addition or replacement of Authorised Sub-processors, providing the Customer with a reasonable opportunity to object to such changes. Nodaloom shall maintain an up-to-date list of Authorised Sub-processors at Annex III of this DPA and shall provide notice of changes by email or through the Service interface at least thirty (30) days before the new Sub-processor begins Processing Personal Data.
7.4
If the Customer objects to a new Authorised Sub-processor within fourteen (14) days of receiving notice, the parties shall discuss the Customer’s concerns in good faith. If no resolution is reached, the Customer may terminate the Agreement in respect of the affected processing activity without penalty.
8. International Data Transfers
8.1
Nodaloom may transfer Personal Data to countries outside the EEA, the United Kingdom, or Chile, where its Sub-processors are located (including the United States). All such transfers shall be made in compliance with Chapter V of the GDPR, the UK GDPR, and the Chilean Data Protection Law, as applicable.
8.2
For transfers from the EEA, the Standard Contractual Clauses (Module 2: Controller to Processor; and Module 3: Processor to Processor, as applicable) are hereby incorporated by reference into this DPA. The applicable options under the SCCs are:
(a) Clause 7 (Docking clause): included.
(b) Clause 9(a) (Sub-processor authorisation): Option 2 — General written authorisation, with prior notification.
(c) Clause 11(a) (Redress): optional clause not included.
(d) Clause 17 (Governing law): the laws of Ireland.
(e) Clause 18(b) (Choice of forum): the courts of Ireland.
8.3
For transfers from the United Kingdom, the UK Addendum to the EU SCCs shall apply and is incorporated by reference into this DPA.
8.4
For transfers from Chile, Nodaloom shall ensure compliance with the international transfer provisions of the Chilean Data Protection Law, including obtaining any necessary authorisations from the Agencia de Protección de Datos Personales (once operational).
9. Audits
9.1
Nodaloom shall make available to the Customer all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
9.2
The Customer shall provide at least thirty (30) days’ prior written notice of any audit request. Audits shall be conducted during normal business hours, subject to reasonable confidentiality obligations, and at the Customer’s expense. The scope of any audit shall be limited to Nodaloom’s compliance with this DPA.
9.3
Where Nodaloom holds a current SOC 2 Type II report, ISO 27001 certification, or equivalent third-party audit report, Nodaloom may make such report available to the Customer in lieu of an on-site audit, at Nodaloom’s discretion.
10. Data Deletion and Return
10.1
Upon termination of the Agreement, and at the Customer’s election, Nodaloom shall either delete or return all Personal Data processed on behalf of the Customer, and delete existing copies, within thirty (30) days of the termination date. Nodaloom shall provide written confirmation of deletion upon request.
10.2
Nodaloom may retain Personal Data to the extent required by applicable law, provided that Nodaloom shall ensure the confidentiality of such Personal Data and shall not Process it for any purpose other than compliance with applicable law.
11. General
11.1
This DPA shall be governed by and construed in accordance with the laws specified in the Terms of Service.
11.2
In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.
11.3
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
Annex I — Details of Processing
1. Categories of Data Subjects
- Individual researchers, academics, and students who use the Service.
- Staff and faculty of institutional customers.
2. Categories of Personal Data
- Account and identity data (name, email, institutional affiliation, academic role).
- User Content (manuscripts, research materials, prompts, queries submitted to the Service).
- Usage Data (feature usage, session data, navigation, performance metrics).
- Device and technical data (IP address, browser type, operating system).
- Payment data (processed by third-party payment processor; Nodaloom does not store full payment card numbers).
3. Special Categories of Data
None. The Service is not designed to process special categories of personal data. If a User incidentally includes such data in their Content, Nodaloom processes it solely for the purpose of providing the Service and does not seek to identify or extract it.
4. Processing Operations
- Authentication and account management.
- Transmission of User Content to Third-Party AI Providers for AI-Assisted Output generation.
- Storage and retrieval of User Content and account data.
- Collection and analysis of Usage Data for service improvement and new product development, in accordance with Clause 7.5 of the Terms of Service.
- Billing and payment processing (via third-party payment processor).
- Communication with Users (transactional and, where consented, marketing).
5. Duration
For the duration of the Agreement, plus any retention periods specified in the Privacy Policy or required by applicable law.
Annex II — Technical and Organisational Security Measures
1. Encryption
- All data in transit encrypted using TLS 1.2 or higher.
- All data at rest encrypted using AES-256 or equivalent.
- API keys and secrets managed through environment variables, not stored in code repositories.
2. Access Controls
- Role-based access control (RBAC) implemented across all systems.
- Multi-factor authentication (MFA) required for all administrative access.
- Principle of least privilege applied to all system and database access.
- Regular review of access permissions.
3. Infrastructure Security
- Application hosted on managed cloud infrastructure with SOC 2 compliance.
- Database hosted on managed PostgreSQL service with automated backups.
- Web application firewall and DDoS protection in place.
- Regular security patching and vulnerability management.
4. Monitoring and Incident Response
- Continuous monitoring of application and infrastructure logs.
- Automated alerting for anomalous activity and potential security incidents.
- Documented incident response plan with defined escalation procedures.
- 72-hour breach notification capability as required by this DPA.
5. Organisational Measures
- Confidentiality obligations for all personnel with access to Personal Data.
- Data protection awareness for relevant personnel.
- Incident response procedures, including escalation protocols and notification workflows.
- Vendor due diligence for all sub-processors.
6. Data Minimisation
- Collection of Personal Data limited to what is necessary for the provision of the Service.
- User Content processed transiently through Third-Party AI Providers and not retained for model training.
- Anonymisation or pseudonymisation applied where feasible for analytics, service improvement, and new product development.
Annex III — List of Authorised Sub-processors
| Sub-processor | Processing Activity | Location | Data Processed |
|---|---|---|---|
| Anthropic, PBC | AI model processing (Claude API) | United States | User Content (prompts, contextual data) |
| Google LLC | AI model processing (Gemini API) | United States | User Content (documents, queries) |
| Railway Corp. | Cloud application hosting | United States | Application data, User Content |
| Vercel Inc. | Web hosting and CDN | Global (edge) | Static assets, edge function data |
| Clerk Inc. | Authentication services | United States | Account data, auth tokens |
| Neon Inc. | Database hosting (PostgreSQL) | United States | Account data, consent records, session data |
| Paddle.com Market Ltd | Payment processing (Merchant of Record) | United Kingdom | Billing and payment data, transaction records |
| Google LLC (Workspace) | Email communications | United States | Transactional email content |
This list is current as of the Effective Date. Nodaloom shall notify the Customer of any changes in accordance with Section 7.3 of this DPA.
End of Data Processing Addendum