Data Processing Agreement

The customer (“Controller”) acts as the data controller for the personal data submitted to the Managed Cloud service in the course of its use. Novantra (“Processor”) acts as the data processor on the Controller’s behalf and processes that personal data only on documented instructions. The Service’s configuration (the Controller’s order form, the entitlements granted to the organisation, and the governance workflows the Controller publishes inside the platform) constitute the Controller’s documented instructions for the duration of the subscription.

Subject matter.Operation of the Managed Cloud service for the Controller, including governance lifecycles, evidence capture, audit-trail maintenance, and authenticated access for the Controller’s staff and external participants.

Duration.The active life of the Controller’s subscription. Personal data is deleted after termination in line with the retention windows in the General Privacy Statement.

Nature and purpose.Hosting, storing, retrieving, processing, transmitting, and otherwise operating on the Controller’s Customer Data to provide the governance, evidence, and audit functions of the Service.

Categories of personal data.Identifiers and contact data (email, name), organisational role, governance attestations (signed approvals, sign-offs, acknowledgements), free-text content the Controller’s users write into the platform (narratives, evidence notes), authentication events, audit-trail entries, and security telemetry.

Categories of data subjects.The Controller’s staff and contractors; vendors and other third parties the Controller registers in its governance workflows; end users of the Controller’s public-access surfaces (forms, evidence-collection links) where the Controller chooses to publish them.

Novantra implements the technical and organisational measures described in section 7 of the General Privacy Statement: AES-256-GCM column encryption for personal identifiers and free-text content; HMAC-SHA256 blind index for privacy-preserving lookup; TLS 1.2+ in transit; database-per-organisation isolation on Managed Cloud with no shared business schema; hash-chained, source-traced audit logs in a per-organisation append-only event store; mandatory MFA for administrator access; role-based access control gating every governed action. Customer-controlled keys (AWS KMS, Azure Key Vault) and BYO Storage are available under the cloud.byok and cloud.byo_storage entitlements. Where the customer-controlled key provider is unreachable, the platform fails closed for the affected organisation; there is no silent fallback to a platform-managed key. The encrypted-storage driver wraps all artefact I/O so the customer-chosen storage binding holds end-to-end.

The Controller authorises Novantra to engage the subprocessors listed on the Subprocessors page for the purposes described there. Novantra notifies the Controller at least 30 days before a new subprocessor begins handling Customer Data. The Controller may object to a new subprocessor within that 30-day window by writing to privacy@novantra.io; the DPA describes the steps the parties take if the objection cannot be resolved (which include, in the last resort, termination of the affected component of the Service).

The Managed Cloud service is hosted in eu-central-1 (AWS Frankfurt) across compute (Amazon EC2), database (Neon), and transactional email (Amazon SES), so the bulk of processing remains within the European Economic Area. Limited transfers outside the EEA occur for Stripe webhook ingestion (United States with EU data plane), Cloudflare Turnstile (global anycast), and the Controller’s optional use of Google or GitHub OAuth (United States). For those transfers Novantra relies on the European Commission’s Standard Contractual Clauses or an equivalent transfer mechanism. The DPA includes the SCCs as a signed annex.

Novantra will assist the Controller, taking into account the nature of the processing, in responding to data-subject requests received by the Controller. The Service exposes the technical hooks needed to fulfil the most common requests: per-tenant export of personal data, per-tenant erasure that resolves rows via the blind index without requiring plaintext, and audit-trail extracts scoped to a data subject. Novantra acknowledges Controller-relayed requests within 5 business days and responds substantively within 30 days from receipt, aligned with GDPR Article 12 timelines. Complex requests may be extended by up to a further 60 days with notice.

The Controller has the right to audit Novantra’s compliance with the DPA. In normal course, that right is satisfied by an annual third-party assurance report (SOC 2 or ISO 27001) and by the documentation Novantra makes available on request. Specific third-party assurance reports are to be confirmed before general availability and will be published here when complete. The Controller may request an on-site audit for cause, with 60 days’ notice and at the Controller’s reasonable expense; the audit must not unreasonably interfere with Novantra’s operations or the rights of other customers.

To execute or request a copy of the Data Processing Agreement, contact legal@novantra.io.