
Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into between the customer ("Controller") and Nurion Labs GmbH ("Processor", "Nurion") for the processing of personal data carried out by Nurion in the course of providing the subscribed services. The Controller accepts this DPA by reference at checkout. A signed counterpart is provided on written request.

1. Parties and roles

The Customer acts as the Controller of the personal data submitted to the service. Nurion acts as the Processor and processes personal data only on the Controller's documented instructions, which consist of the subscription order, the Terms of Service, and this DPA.

2. Subject matter, duration, nature, and purpose

Subject matter: provision of the Nurion services subscribed to by the Controller.

Duration: for the term of the subscription, plus the return/deletion period set out in section 11.

Nature and purpose: hosting, processing, transmitting, transcribing, summarising, and analysing personal data submitted by the Controller and its authorised users to deliver the service.

3. Data categories and data subjects (per product)

Nurion Desk

Categories: account data, work content (notes, tasks, embeddings), calendar metadata, contact records, telemetry. Data subjects: customer staff and contacts they record.

Nurion Meet

Categories: account data, meeting audio (transient), diarized transcripts, summaries, attendee identifiers. Data subjects: customer staff and meeting participants.

Nurion Funnel

Categories: account data, lead and prospect records, customer journey events, attribution and click identifiers. Data subjects: customer staff, leads, prospects, and customers.

4. Processor obligations (Art. 28(3) GDPR)

Nurion will (a) process personal data only on documented instructions from the Controller, including with regard to international transfers; (b) ensure that persons authorised to process personal data have committed themselves to confidentiality; (c) take all measures required pursuant to Art. 32 GDPR (see section 7); (d) respect the conditions for engaging another processor referred to in Art. 28(2) and (4) GDPR (see section 5); (e) assist the Controller, taking into account the nature of the processing, in fulfilling its obligations to respond to requests from data subjects (see section 8); (f) assist the Controller in ensuring compliance with its obligations under Arts. 32 to 36 GDPR; (g) at the Controller's choice, delete or return all personal data after the end of the provision of services (see section 11); and (h) make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR.

Nurion will immediately inform the Controller if, in its opinion, an instruction from the Controller infringes the GDPR or other applicable data-protection provisions (Art. 28(3) sentence 3 GDPR).

5. Subprocessors

The Controller grants Nurion a general written authorisation to engage subprocessors. The current list of subprocessors is maintained at nurion.com/legal/subprocessors.

Nurion will inform the Controller of intended changes concerning the addition or replacement of subprocessors processing personal data, giving the Controller a fourteen (14) day window from notification to object. A reasonable objection that cannot be resolved entitles the Controller to terminate the affected processing on a pro-rata refund of pre-paid fees attributable to the affected period.

Where Nurion engages a subprocessor for carrying out specific processing activities on behalf of the Controller, Nurion will impose on that subprocessor, by way of a written contract, the same data-protection obligations as set out in this DPA — in particular providing sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR (Art. 28(4) GDPR). Where the subprocessor fails to fulfil its data-protection obligations, Nurion remains fully liable to the Controller for the performance of those obligations.

6. International transfers

Production data is hosted in the European Economic Area. Where a subprocessor is established outside the EEA, the transfer mechanism is identified on the public subprocessors page (adequacy decision, Standard Contractual Clauses 2021/914, or EU-US Data Privacy Framework, as applicable).

7. Technical and organisational measures (Art. 32)

Nurion implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Current measures are described on our public Security overview page and are reviewed at least annually.

8. Controller assistance

Taking into account the nature of the processing, Nurion will assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to data subject requests (Arts. 12–22 GDPR) and to comply with Arts. 32–36 GDPR.

9. Personal data breach notification

Nurion will notify the Controller without undue delay, and in any event within seventy-two (72) hours after becoming aware, of any personal data breach affecting Controller data, and will provide the information required under Art. 33(3) GDPR to the extent available. Nurion does not commit to a notification SLA shorter than the statutory 72-hour period.

10. Audit rights

The Controller has the right to verify Nurion's compliance with this DPA. Nurion will, on written request, provide the most recent available SOC 2 or ISO 27001 attestation reports if and when such attestations are completed. Where statutory audit rights cannot be satisfied by such reports, the Controller may, at its expense, conduct an on-site audit limited to one (1) audit per calendar year, on at least thirty (30) days' written notice, conducted by an independent auditor bound by confidentiality, and only to the extent strictly necessary to verify compliance with this DPA.

11. Return and deletion

On termination of the subscription, the Controller may within thirty (30) days request the return of personal data in a structured, commonly used, machine-readable format, or its deletion. Absent a request, Nurion will delete Controller personal data from production systems within thirty (30) days of termination. Encrypted backups are deleted on rotation in line with the schedule on the Security overview. A deletion certification is provided on written request.

12. Order of precedence

In the event of conflict between this DPA and the Terms of Service on matters of data protection, this DPA prevails. In all other respects the Terms of Service apply.

13. Liability

The parties' liability arising under or in connection with this DPA is governed by the limitation-of-liability provisions of the Terms of Service (section 7), including the twelve-month fee cap and the carve-outs for intent and gross negligence under § 276 BGB, personal injury, fraud, and confidentiality. Nothing in this DPA limits or excludes the liability of either party towards data subjects under Art. 82 GDPR or under any other liability that cannot be limited by law.

14. Governing law

This DPA is governed by the laws of the Federal Republic of Germany. The competent courts of Bremen have exclusive jurisdiction, where permitted by law.

15. Acceptance and counterpart

The Controller accepts this DPA by reference at checkout. A signed counterpart, identical in substance to this public version, is made available to annual customers on written request to legal@nurion.com.

Version 2026-04-25 · last updated 2026-04-25