Data Processing Agreement (DPA)

NUEROFY DATA PROCESSING AGREEMENT

Effective Date: 02.06.26

This Data Processing Agreement (“DPA”) forms part of the agreement between Nuerofy (“Nuerofy”, “Processor”) and the Customer (“Controller”) and applies where Nuerofy processes Personal Data on behalf of the Customer.

This DPA is incorporated into the Nuerofy Subscription Order Form and Nuerofy Platform Terms and Conditions.

1. Definitions

The terms “Controller”, “Processor”, “Personal Data”, “Processing”, “Data Subject”, “Personal Data Breach” and “Supervisory Authority” shall have the meanings given to them under UK GDPR.

Applicable Data Protection Law means all laws relating to privacy and data protection applicable to the processing of Personal Data, including the UK GDPR and Data Protection Act 2018.

Customer Personal Data means Personal Data processed by Nuerofy on behalf of the Customer through the Platform.

2. Roles of the Parties

The Customer acts as the Controller of Customer Personal Data.

Nuerofy acts as the Processor of Customer Personal Data.

The parties acknowledge and agree that the Customer determines the purposes and means of processing Customer Personal Data.

3. Scope of Processing

Nuerofy shall process Customer Personal Data solely for the purpose of:

– Providing the Platform and Services.
– Hosting and storing Customer Data.
– Delivering learning, compliance and training functionality.
– Providing support and maintenance services.
– Delivering AI-powered platform functionality.
– Performing reporting and analytics requested by the Customer.

Categories of Data Subjects

Data Subjects may include:

– Employees
– Workers
– Contractors
– Temporary staff
– Learners
– Administrators
– Customers of the Customer
– Other individuals whose data is uploaded by the Customer

Categories of Personal Data

Personal Data may include:

– Names
– Email addresses
– Telephone numbers
– Job titles
– Learning records
– Assessment results
– Training completion records
– Login activity
– User account information
– Any other Personal Data uploaded by the Customer

Special Category Data

The Customer should avoid uploading Special Category Data unless necessary and lawful.

Where Special Category Data is processed, the Customer remains responsible for ensuring a lawful basis exists.

4. Processor Obligations

Nuerofy shall:

– Process Personal Data only on documented instructions from the Customer.
– Ensure personnel authorised to process Personal Data are subject to confidentiality obligations.
– Implement appropriate technical and organisational measures to protect Personal Data.
– Assist the Customer in complying with its obligations under Applicable Data Protection Law.
– Notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.
– Maintain records of processing activities where required by law.

5. Security Measures

Nuerofy shall implement reasonable technical and organisational measures appropriate to the risks associated with processing Personal Data.

Such measures may include:

– Access controls
– Password protection
– Multi-factor authentication where available
– Encryption in transit
– Secure hosting infrastructure
– Backup procedures
– Monitoring and logging
– Vulnerability management
– Staff confidentiality obligations

Nuerofy may update security measures from time to time provided such changes do not materially reduce the level of protection provided.

6. Sub-Processors

The Customer authorises Nuerofy to engage sub-processors to provide elements of the Services.

Current sub-processors may include providers of:

– Cloud hosting services
– Database services
– AI services
– Email delivery services
– Analytics services
– Customer support services

Nuerofy shall:

– Ensure appropriate contractual protections are in place with sub-processors.
– Remain responsible for the acts and omissions of its sub-processors in relation to Customer Personal Data.

An up-to-date list of sub-processors may be maintained by Nuerofy and made available upon request.

7. International Transfers

Nuerofy shall not transfer Customer Personal Data outside the United Kingdom unless:

– Appropriate safeguards are in place;
– The transfer is permitted under Applicable Data Protection Law; or
– The Customer has authorised such transfer.

Where required, Nuerofy shall implement recognised transfer mechanisms including International Data Transfer Agreements (IDTAs) or other lawful safeguards.

8. Data Subject Rights

Taking into account the nature of the processing, Nuerofy shall provide reasonable assistance to enable the Customer to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law.

The Customer remains responsible for responding to Data Subject requests.

9. Personal Data Breaches

In the event of a Personal Data Breach affecting Customer Personal Data, Nuerofy shall:

– Notify the Customer without undue delay after becoming aware of the breach.
– Provide available information regarding the nature of the breach.
– Take reasonable steps to mitigate the effects of the breach.
– Cooperate with the Customer in relation to any investigation or notification obligations.

10. Audits and Information

Upon reasonable written request, Nuerofy shall provide information reasonably necessary to demonstrate compliance with this DPA.

Any audit request must:

– Be reasonable in scope.
– Be conducted during normal business hours.
– Avoid disruption to Nuerofy’s business operations.
– Not require disclosure of confidential information relating to other customers.

Existing certifications, policies and compliance documentation may be provided in place of on-site audits where appropriate.

11. Deletion and Return of Data

Upon termination of the Services and written request from the Customer, Nuerofy shall:

– Make Customer Data available for export for a reasonable period; and
– Delete Customer Personal Data following expiry of applicable retention periods unless retention is required by law.

Backup systems may retain archived copies for a limited period in accordance with standard backup procedures.

12. Liability

Liability under this DPA shall be subject to the limitations and exclusions contained within the Nuerofy Platform Terms and Conditions.

13. Order of Precedence

In the event of any conflict between this DPA and the Platform Terms and Conditions, this DPA shall prevail solely in relation to data protection matters.

14. Governing Law

This DPA shall be governed by the laws of England and Wales.

The courts of England and Wales shall have exclusive jurisdiction over any dispute arising from this DPA.

15. AI Processing Services

Where the Customer uses AI-powered functionality within the Platform, Customer Content and Customer Data may be processed by approved AI service providers acting as authorised sub-processors.

Nuerofy shall take reasonable steps to ensure that such providers are subject to appropriate contractual, technical and organisational safeguards designed to protect Customer Data.

Nuerofy does not use Customer Content submitted through the Platform to train proprietary AI models owned by Nuerofy unless expressly agreed with the Customer.

Annex A – Processing Details

Subject Matter

Provision of the Nuerofy learning, training, compliance and AI-powered platform.

Duration

For the duration of the Customer’s subscription and any applicable data retention period.

Nature of Processing

Collection, storage, hosting, organisation, retrieval, transmission, analysis, reporting and deletion of Personal Data.

Purpose of Processing

Provision of learning management, training delivery, compliance management, reporting, support and related platform functionality.

Categories of Data Subjects

– Employees
– Learners
– Contractors
– Temporary workers
– Administrators
– Customer representatives

Categories of Personal Data

– Names
– Contact details
– Job titles
– User account data
– Training records
– Assessment records
– Compliance records
– Platform usage information

Special Category Data

Only where uploaded or processed by the Customer and permitted under Applicable Data Protection Law.

Annex B – Approved Sub-Processors

Nuerofy may use carefully selected third-party service providers to assist in the delivery of the Services.

As at the Effective Date, approved sub-processors include:

Provider: OpenAI

Purpose: Artificial intelligence services and content generation

Provider: Anthropic

Purpose: Artificial intelligence services and content generation 

Provider: Pinecone Systems Inc.

Purpose: Vector database and AI retrieval services

Provider: Mailjet

Purpose: Transactional and platform email delivery

Provider: Stripe

Purpose: Payment processing and subscription billing

Provider: Google Analytics

Purpose: Website analytics and usage monitoring

Provider: ANS Group Ltd

Purpose: Cloud hosting and infrastructure services

Nuerofy may update or replace sub-processors from time to time where reasonably necessary for the provision of the Services.

Nuerofy shall ensure that appropriate contractual and data protection safeguards are maintained with all sub-processors that process Personal Data on behalf of Customers.

The latest list of approved sub-processors may be published at:

www.nuerofy.com/sub-processors 

Contact

If you have any questions about this policy, please contact:

Nuerofy.com

Unit 1, Ryelands Business Centre

Rylands Lane

Elmley Lovett

WR9 0PT

Email: Sales@nuerofy.com