Data Processing Agreement
Roles: The Customer is the Controller. Noryn (Noryn System Ltd) is the Processor.
1. Subject Matter
This Data Processing Agreement ("DPA") governs the processing of personal data of the Customer's contacts, leads, and clients by the Provider on behalf of the Customer, in connection with the provision of the Virtual Employees service.
2. Duration
This DPA is effective for the duration of the Customer's Subscription and for 30 days thereafter (the data export window). On expiry of the export window, personal data is deleted or anonymised in accordance with clause 10.
3. Nature and Purpose of Processing
The Provider processes personal data to:
- Generate AI-assisted message responses and reply drafts on behalf of the Customer
- Handle scheduling, calendar management, and appointment booking
- Log and manage conversation history for context continuity
- Route and classify inbound messages
- Assist with lead follow-up and CRM-adjacent tasks as configured by the Customer
Processing is automated. The Customer remains solely responsible for the decisions made using AI-generated output.
4. Types of Personal Data Processed
- Names and contact details (email, phone, social media handles)
- Message content and conversation history
- Scheduling preferences and appointment information
- Business context shared by the data subject in conversation
Special-category data is not permitted unless the Customer has obtained explicit consent from data subjects AND notified the Provider in writing. Processing health, biometric, political, racial/ethnic, religious, sexual orientation, trade union, or criminal record data requires a separate addendum.
5. Categories of Data Subjects
- The Customer's leads and prospects
- The Customer's existing clients and customers
- Any individual who initiates contact with the Customer's Virtual Employees
Children's data (under 13) is prohibited. The Customer must ensure Virtual Employees are not accessible to children.
6. Obligations of the Processor
6.1 Documented instructions
The Provider shall process personal data only on documented instructions from the Controller. The Customer's configuration of Virtual Employees (system prompts, integrations, FAQ content) constitutes documented instructions. The Provider will notify the Customer if it believes any instruction infringes UK GDPR.
6.2 Confidentiality
All Provider personnel with access to Customer personal data are bound by confidentiality obligations (contractual or statutory).
6.3 Security
The Provider implements appropriate technical and organisational measures per Article 32 UK GDPR, including encryption in transit (TLS 1.3) and at rest (AES-256), access controls, and regular security reviews. See our Security Statement at /legal/security for details.
6.4 Sub-processors
The Customer provides general written authorisation for the Provider to use sub-processors. The current sub-processor list is at /legal/sub-processors. The Provider will give 30 days' notice of any new sub-processor. If the Customer objects, they may terminate with written notice during the 30-day period.
6.5 Data subject rights
The Provider will assist the Customer in responding to data subject rights requests (access, rectification, erasure, restriction, portability, objection) through the tools available at /dashboard/privacy/requests. The Provider cannot respond directly to data subjects on the Customer's behalf without the Customer's authorisation.
6.6 Security and DPIA assistance
The Provider will assist the Customer in fulfilling obligations under Articles 32–36 UK GDPR (security, breach notification, DPIAs) by providing relevant documentation on request.
6.7 Breach notification
The Provider will notify the Customer without undue delay (and no later than 48 hours after becoming aware) of any personal data breach affecting the Customer's data, providing sufficient information to enable the Customer to meet their 72-hour ICO notification obligation.
6.8 Deletion or return
On termination of the Subscription, the Customer has 30 days to export their data using the dashboard export tool. After the export window, the Provider will delete all Customer personal data unless retention is required by law (invoice records retained 6 years for HMRC).
6.9 Audit
The Provider will make available to the Customer all information necessary to demonstrate compliance with this DPA and will permit reasonable audits by the Customer or an appointed auditor. In practice, audits are conducted by questionnaire. Where the Provider holds a current SOC 2 or ISO 27001 attestation, providing that report satisfies the audit obligation for the matters it covers.
7. International Transfers
Where personal data is transferred outside the UK (primarily to US-based sub-processors), the Provider relies on Standard Contractual Clauses with the UK Addendum as the lawful transfer mechanism. These flow down to sub-processors via their respective DPAs listed at /legal/sub-processors.
8. Sub-processor List
Current sub-processors are listed at /legal/sub-processors. The Provider will update this list and notify the Customer 30 days before adding any new sub-processor.
9. Liability
The Provider's liability under this DPA is subject to the same cap as under the Terms of Service (the greater of fees paid in the prior 12 months or £1,000). Each party is liable to the other and to data subjects only for the damage caused by the breach of its own obligations under this DPA.
10. Governing Law
This DPA is governed by the laws of England and Wales.
11. Effective Date and Acceptance
This DPA is effective from the date the Customer creates an account. Acceptance is captured electronically at the time of account creation. The Provider maintains records of all acceptances including timestamp, IP address, and document version.
Noryn · Noryn System Ltd · ICO Reg [ICO reg. no.] · privacy@norynsystem.com