Nutan · Compliance Attestation
NUT-DPA-001
Data Processing Agreement
Standard Data Processing Agreement — self-execute online, no email required.
AI-generated attestation. This report is produced automatically by Nutan's AI from our codebase, deployment state, and operational runbooks — the primary source of truth about what Nutan does. Nutan is not yet externally certified by an AICPA-licensed firm; formal certification is on our roadmap. This document serves as an internal attestation suitable for procurement review, vendor risk assessment, and internal security review.
Document Record
- Document ID: NUT-DPA-001
- Version: 2026.04.20-r1
- Framework: DPA Template
- Report type: Template
- Reporting period: Effective on execution
- Classification: Public
- Generated: April 20, 2026
- Source commit: d842878
- Prepared by: Nutan AI (Template)
- Verification: Hashes of source-of-truth embedded in document ID
1.0 · Executive Summary
This Data Processing Agreement (DPA) governs the processing of personal data by Nutan (Processor) on behalf of the customer (Controller). It incorporates the EU Standard Contractual Clauses for international transfers and satisfies the Processor obligations of GDPR Article 28. Given Nutan's local-first architecture, the processing footprint is materially smaller than a typical SaaS processor.
2.0 · Findings & Controls
2.1 Parties
This agreement is between the customer identified at execution (Controller) and Nutan (Processor). Upon execution through the self-serve flow, a unique document ID is issued and the Controller's identity is recorded.
2.2 Definitions
Capitalised terms not defined here have the meanings given in the GDPR (Regulation (EU) 2016/679), the UK GDPR, or equivalent local laws. "Personal Data", "Processing", "Data Subject", "Controller", and "Processor" take their statutory meanings.
2.3 Subject Matter and Duration
The subject matter is the processing of Personal Data incidental to the Controller's use of the Service. The duration is the term of the underlying subscription, plus any retention period required by law.
2.4 Nature and Purpose of Processing
Nutan processes Personal Data solely to deliver the Service — authentication, optional cloud sync, optional CRM relay. Nutan does not derive secondary purposes and does not use Controller data for model training or advertising.
2.5 Categories of Data Subjects
The data subjects whose Personal Data is processed may include: the Controller's authorised users, the Controller's customers and prospects (when referenced in meetings or deal data), and any individuals the Controller chooses to capture in the product.
2.6 Categories of Personal Data
Depending on Controller configuration, the following categories may be processed:
- Identification data (name, email, job title)
- Contact data (business email, phone number)
- Professional data (employer, role, deal stage)
- Communication content (meeting transcripts, chat logs) — processed on-device, never transmitted unless Controller enables sync
- Technical data (session metadata, IP address, user agent)
2.7 Processor Obligations
Nutan shall:
- Process Personal Data only on documented instructions from the Controller, including the instructions set out in this DPA and in the Controller's configuration of the Service
- Ensure that persons (and agents) authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation
- Take all measures required pursuant to Article 32 GDPR (security of processing)
- Respect the conditions for engaging another processor (Article 28(2) and (4))
- Assist the Controller in responding to data subject rights requests
- Assist the Controller with security, breach notification, DPIAs, and prior consultation
- At the Controller's choice, delete or return all Personal Data at the end of provision of services
- Make available to the Controller all information necessary to demonstrate compliance
2.8 Security Measures (Article 32)
The technical and organisational measures are set out in full in the SOC 2 Type II Readiness Attestation (NUT-SOC2-001). Highlights:
- Pseudonymisation and encryption: industry-standard strong encryption at rest and in transit; field-level encryption of contact PII
- Ongoing confidentiality, integrity, availability, and resilience: immutable audit logging, automated rollback, local-first architecture
- Ability to restore availability: user-device primary plus optional encrypted cloud sync
- Regular testing: continuous automated attestation; reports regenerated on each release
2.9 Sub-Processors
Nutan maintains a current list of Sub-Processors at nutan.ai/sub-processors. Nutan shall notify the Controller of any intended changes, giving the Controller the opportunity to object.
2.10 International Transfers
Where personal data is transferred outside the EEA, UK, or Switzerland, the transfer shall be governed by the 2021 Standard Contractual Clauses (Module 2: Controller-to-Processor) or an equivalent valid transfer mechanism. The SCCs are incorporated by reference, and the Controller is the data exporter; Nutan is the data importer.
2.11 Data Subject Rights
Nutan shall assist the Controller, by appropriate technical and organisational measures, for the fulfilment of the Controller's obligation to respond to requests for exercising data subject rights. Most requests can be fulfilled by the Controller directly using Nutan's in-product controls; Nutan shall assist with requests requiring internal action within 10 business days.
2.12 Breach Notification
Nutan shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach. The notification shall include the information required under Article 33(3) where available.
2.13 Audit Rights
The Controller shall have the right to audit Nutan's compliance with this DPA, on reasonable notice and subject to confidentiality. Nutan's annual third-party audit reports (where available) shall be deemed to satisfy the audit right, unless the Controller has a specific reason to require additional assurance.
2.14 Return or Destruction
On termination or on the Controller's written request, Nutan shall, at the Controller's election: (a) return all Personal Data in a commonly used, machine-readable format; or (b) delete all Personal Data and confirm in writing. Audit logs shall be retained to the minimum extent required by Article 17(3)(e).
2.15 Liability
The liability of each party under this DPA is as set out in the underlying services agreement. This DPA does not create additional heads of liability beyond the statutory allocation under Article 82 GDPR.
2.16 Governing Law
This DPA is governed by the laws of the jurisdiction of the Controller's establishment. Disputes shall be resolved in the courts of that jurisdiction, subject to any mandatory rules of data protection law.
2.17 Execution
This DPA can be executed online via the self-serve flow at nutan.ai/trust-center/baa (the BAA flow accepts DPA execution as an alternative — same intake fields, same counter-signature). A unique document ID is issued on execution. No email round-trip is required.
Attestation
This document was prepared by Nutan AI (Template) on April 20, 2026 from the operational state of Nutan at source commit d842878. The contents reflect the control environment in place as of the reporting period.
Prepared by
Autonomous operations
Dated
April 20, 2026
Authorised under thesis of
Nutan
Dated
April 20, 2026