Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between the Customer ("Controller") and Numra Ltd ("Processor") for the provision of inbox automation services (the "Services"), as set out in the applicable service agreement, memorandum of understanding, or order form between the parties (the "Agreement").

This DPA is entered into to ensure that the processing of personal data by the Processor on behalf of the Controller complies with Regulation (EU) 2016/679 (the "GDPR") and any applicable national implementing legislation.

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of personal data.

2. Definitions

In this DPA, unless the context otherwise requires:

• "Customer Data" means any personal data processed by the Processor on behalf of the Controller in connection with the Services.
• "Data Protection Laws" means the GDPR, the Data Protection Act 2018 (Ireland), and any other applicable data protection or privacy legislation.
• "Personal Data Breach" has the meaning given to it in Article 4(12) of the GDPR.
• "Sub-processor" means any third party engaged by the Processor to process Customer Data on behalf of the Controller.

Terms not defined in this DPA shall have the meanings given to them in the GDPR or the Agreement.

3. Scope and Details of Processing

The Processor shall process Customer Data only on documented instructions from the Controller, including with respect to transfers of personal data to a third country, unless required to do so by European Union or Member State law to which the Processor is subject.

4. Obligations of the Processor

The Processor shall:

• Process Customer Data only on documented instructions from the Controller, unless required by applicable law. Where the Processor is required by law to process Customer Data, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law from doing so.
• Ensure that persons authorised to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Section 6 of this DPA.
• Respect the conditions for engaging Sub-processors as set out in Section 8 of this DPA.
• Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising data subjects' rights under Chapter III of the GDPR.
• Assist the Controller in ensuring compliance with its obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.
• At the choice of the Controller, delete or return all Customer Data to the Controller after the end of the provision of Services, and delete existing copies unless applicable law requires storage of the personal data.
• Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

5. Obligations of the Controller

The Controller shall:

• Ensure that it has a lawful basis for the processing of personal data in accordance with the GDPR prior to instructing the Processor to process Customer Data.
• Provide documented instructions to the Processor regarding the processing of Customer Data.
• Be responsible for granting appropriate access permissions (e.g. OAuth scopes) and managing user access within its own systems.
• Notify the Processor promptly of any security incidents affecting shared credentials or data.
• Ensure that any data subject notices or consents required under Data Protection Laws have been obtained in connection with the processing contemplated by this DPA.

6. Security Measures

The Processor shall implement and maintain the following technical and organisational security measures to protect Customer Data:

6.1 Encryption

• All data encrypted in transit using TLS 1.2 or higher.
• All data encrypted at rest using AES-256 encryption.

6.2 Access Controls

• Access to Customer Data is restricted to authorised Numra personnel only, on a need-to-know basis.
• Least-privilege access model is enforced across all systems.
• All access to Customer Data is logged and auditable.
• Customer credentials (e.g. OAuth tokens) are stored securely and are never shared.

6.3 Infrastructure

• Cloud infrastructure is hosted on Heroku (Salesforce, Inc.) within the European Union (Ireland).
• Infrastructure isolation is maintained across compute, storage, and network layers.
• Single-tenant, dedicated environments are available on request.
• Regular security updates and patching are applied.
• Application-level logging and monitoring are in place.
• The Processor maintains a documented incident response process.

6.4 AI and Large Language Models

• The Service uses commercial large language model (LLM) providers via enterprise APIs.
• Customer Data is not used to train any AI or machine learning models.
• Data sent to LLM providers is governed by enterprise data processing terms that prohibit model training on customer data. Model requests and responses are processed with zero data retention at rest on the provider's servers.

7. Personal Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Data.

The notification shall include, to the extent available:

• A description of the nature of the Personal Data Breach, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
• The name and contact details of the Processor's contact point from whom more information can be obtained.
• A description of the likely consequences of the Personal Data Breach.
• A description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

The Processor shall cooperate with and assist the Controller in relation to any investigation, mitigation, or remediation of any Personal Data Breach and in any communication with regulatory authorities or affected data subjects.

8. Sub-processors

The Controller provides general written authorisation for the Processor to engage the Sub-processors listed in the table below. The Processor shall ensure that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA.

* Sub-processors marked with an asterisk process data in the United States and are certified under the EU-U.S. Data Privacy Framework. See Section 9 for further details on international transfer mechanisms.

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller a reasonable opportunity to object to such changes. If the Controller objects on reasonable grounds relating to data protection, the parties shall discuss the matter in good faith with a view to achieving a commercially reasonable resolution. If no resolution can be reached, the Controller may terminate the Agreement on written notice.

Where the Processor engages a Sub-processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in this DPA shall be imposed on that Sub-processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. The Processor shall remain liable to the Controller for the performance of the Sub-processor's obligations.

An up-to-date list of Sub-processors is available on request by contacting conor@numrahq.com.

9. International Data Transfers

The majority of Customer Data is processed and stored within the European Union. Where the Processor engages Sub-processors located outside the European Economic Area (EEA), as identified in Section 8, the Processor shall ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR.

As at the date of this DPA, the following Sub-processors process Customer Data in the United States and rely on the EU-U.S. Data Privacy Framework (DPF) as the legal basis for transfer:

• OpenAI — self-certified under the EU-U.S. Data Privacy Framework. Email content and attachments are processed with zero data retention at rest on the provider's servers.
• Clerk, Inc. — self-certified under the EU-U.S. Data Privacy Framework. Processing is limited to user authentication and identity management data.

In the event that the EU-U.S. Data Privacy Framework is invalidated or ceases to apply, the Processor shall promptly implement an alternative transfer mechanism, such as the Standard Contractual Clauses approved by the European Commission, to ensure the continued lawful transfer of Customer Data.

The Processor shall not transfer Customer Data to any country outside the EEA that has not been deemed adequate by the European Commission unless an appropriate safeguard under Article 46 of the GDPR is in place. The Processor shall inform the Controller in advance of any proposed change to the transfer mechanisms relied upon.

10. Data Retention and Deletion

Email content and attachments are processed in real time to apply the relevant automation rules. The Processor retains limited operational logs (e.g. that an email was received and a rule was applied) for the duration of the Agreement, for the purposes of visibility and auditability.

The Processor does not retain raw email content, attachments, or sensitive information (such as bank details) beyond the time required to process the relevant email.

Upon termination or expiry of the Agreement, the Processor shall, at the Controller's election, either delete or return all Customer Data within 30 days, and certify such deletion in writing. The Processor may retain Customer Data to the extent required by applicable law, provided the Processor ensures the confidentiality of such data and processes it only for the purpose of compliance with that legal obligation.

11. Data Subject Rights

The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, to fulfil the Controller's obligations to respond to requests from data subjects exercising their rights under Chapter III of the GDPR, including rights of access, rectification, erasure, restriction, data portability, and objection.

The Processor shall promptly notify the Controller if it receives a request from a data subject in respect of Customer Data, and shall not respond to such request except on the documented instructions of the Controller or as required by applicable law.

12. Audit Rights

The Processor shall make available to the Controller on request all information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the GDPR.

The Controller or its appointed third-party auditor may conduct audits and inspections of the Processor's processing activities covered by this DPA, subject to:

• Reasonable prior written notice of no less than 30 days, except in the event of a Personal Data Breach or regulatory investigation where shorter notice may be given.
• Audits being conducted during normal business hours and in a manner that does not unreasonably disrupt the Processor's operations.
• The auditor entering into appropriate confidentiality obligations with the Processor.

13. Data Protection Impact Assessments

The Processor shall provide reasonable assistance to the Controller in the preparation of any data protection impact assessment (DPIA) required under Article 35 of the GDPR, and any prior consultation with a supervisory authority required under Article 36 of the GDPR, in each case solely in relation to the processing of Customer Data and taking into account the nature of the processing and the information available to the Processor.

14. Term and Termination

This DPA shall come into effect on the date of last signature below, and shall remain in effect for as long as the Processor processes Customer Data on behalf of the Controller.

Termination or expiry of the Agreement shall not release either party from its obligations under this DPA with respect to any Customer Data that remains in the Processor's possession or control.

The provisions of this DPA that by their nature should survive termination shall survive, including but not limited to Sections 7 (Personal Data Breach Notification), 10 (Data Retention and Deletion), and 12 (Audit Rights).

15. Liability

The liability of each party under this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement. Nothing in this DPA shall limit or exclude the liability of either party for any matter for which liability cannot be excluded or limited under applicable law.

16. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of Ireland.

Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Ireland.

17. General Provisions

• This DPA may not be amended except by a written instrument signed by both parties.
• If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
• This DPA may be executed in counterparts, each of which shall be deemed an original, and all of which together shall constitute one and the same instrument.
• Any notice required under this DPA shall be in writing and delivered by email to the address set out in the Agreement or as otherwise notified by one party to the other.

18. Contact

For enquiries regarding this DPA or data privacy matters: