Home Product Pilot Program Pricing Contact Book Demo

Data Processing Agreement

Version: 2.0

Effective date: March 16, 2026

This DPA forms part of the Nevorth SaaS Terms and applies where Nevorth processes personal data on behalf of Customer.

1. Roles

Customer is Controller.

Nevorth is Processor.

2. Subject matter; duration; nature and purpose

Nevorth processes personal data to provide the Decision Referee service. This includes:

  • Receiving decision inputs via Slack.
  • Generating AI-assisted outputs.
  • Storing decision history (prior decision inputs, analysis outputs, and outcome feedback) in Cloudflare D1 to enable contextual analysis for the same Customer over time.
  • Operating integrations (Cloudflare Worker, Cloudflare D1, and Make scenarios).
  • Providing support and maintaining service security.

Processing continues for the duration of the subscription term and any limited period required for deletion and backup cycling as described in Section 9.

3. Types of personal data and data subjects

Data subjects: Customer employees (Authorised Users) and other individuals whose identifiers may appear in Slack metadata.

Personal data categories (typical):

  • Slack workspace, user, and channel identifiers; message metadata; timestamps.
  • Decision input text submitted via Slack commands, which may inadvertently include personal data despite Customer prohibitions.
  • Decision history: stored records of prior decision inputs, analysis outputs, and outcome feedback, retained in Cloudflare D1.
  • Firm profile fields and business context, to the extent provided by Customer.

Nevorth does not intend to process special category data. Customer must not submit it.

4. Processor obligations

Nevorth shall:

  • Process personal data only on documented instructions from Customer (as set out in the Terms and this DPA).
  • Ensure personnel confidentiality.
  • Implement reasonable security measures (see Annex 2).
  • Assist Customer with data subject requests to the extent applicable and technically feasible.
  • Assist Customer with DPIAs/consultation where required to the extent the Service is involved.
  • Notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Data.
  • At termination, delete or return personal data under Nevorth's control as described in Section 9.

5. Subprocessors

5.1. General authorisation. Customer provides general authorisation for Nevorth to engage Subprocessors.

5.2. List and changes. Current Subprocessors are listed at https://www.nevorth.com/en/subprocessors. Nevorth will provide notice of material changes by updating the list and, where reasonable, by email to Customer's notice address.

5.3. Flow-down. Nevorth will impose data protection obligations on Subprocessors substantially similar to this DPA.

6. International transfers

Customer acknowledges that Subprocessors may process data outside the EEA. Where required, transfers will be made under appropriate safeguards (such as SCCs) as implemented by the relevant Subprocessor and/or Nevorth.

7. Security

Security measures are described in Annex 2. Customer acknowledges the Service relies on third-party platforms and their controls.

8. Audits

Upon written request not more than once per year, Nevorth will provide reasonable information to demonstrate compliance (written summaries, policies, vendor documentation). On-site audits are not included unless agreed in an enterprise Order Form, and will be subject to confidentiality, scope limits, and cost reimbursement.

9. Deletion/return

Within 30 days after termination/expiration, Nevorth will delete personal data under its control, including decision history stored in Cloudflare D1, unless legally required to retain it. Residual copies in backups and subprocessor systems may persist for up to 90 days or per subprocessor retention cycles.

Upon written request during the subscription term, Customer may request deletion of specific decision history records. Nevorth will use commercially reasonable efforts to fulfil such requests within 30 days.

10. Liability

Liability under this DPA is subject to the limitation of liability in the Terms unless otherwise agreed in an enterprise Order Form.

Annex 1 — Processing details

As set out in Sections 2 and 3 above.

Annex 2 — Security measures (summary)

  • Encryption in transit: TLS/HTTPS for external communications.
  • Encryption at rest: as provided by subprocessors, including Cloudflare D1.
  • Access restriction: administrative access limited to authorised personnel.
  • Operational logging for troubleshooting and service operation.
  • Periodic updates/patching of configurations and dependencies where applicable.
  • Reliance on subprocessor security controls for hosting/integration layers (Slack, Make, Cloudflare, OpenAI, Stripe, Webnode).