Data Processing Agreement

1. Definitions

Terms defined in the GDPR (e.g. “personal data”, “processing”, “data subject”, “supervisory authority”) have the same meaning here. “Services” means the NotarAI scanning, signing, and certification platform as described in the Terms of Service. “Sub-processor” means any third party engaged by NotarAI to process personal data in connection with the Services.

2. Roles and subject matter

You are the data controller of personal data contained in or associated with files you upload to the Service. NotarAI acts as your data processor for that personal data, processing it only to provide the Services. NotarAI acts as an independent data controller for data collected directly for its own purposes (account data, billing records, security logs) as described in the Privacy Policy.

Where the same data is processed by NotarAI both as processor (on your instruction) and as controller (for its own legal obligations, e.g. billing record retention), the applicable regime is determined by the purpose of each specific processing activity.

3. Details of processing

4. Processor obligations

NotarAI will, in its capacity as processor:

• Process personal data only on documented instructions from the Customer, which are the Terms of Service and this DPA. If NotarAI is required by EU or Member State law to process personal data beyond those instructions, it will inform the Customer before doing so, unless that law prohibits such notification on grounds of public interest.
• Ensure that persons authorised to process the personal data are subject to confidentiality obligations.
• Implement appropriate technical and organisational measures (TOMs) as described in section 6 of this DPA.
• Respect the conditions for engaging sub-processors set out in section 5.
• Assist the Customer with its obligations to respond to data subject requests (rights under GDPR Art. 15–22), taking into account the nature of processing and information available to NotarAI, as reasonably possible.
• Assist the Customer in meeting its security, breach notification, data protection impact assessment, and prior consultation obligations under GDPR Art. 32–36.
• At the choice of the Customer: delete or return all personal data upon termination of the Services, unless EU or Member State law requires storage of the personal data. Deletion is subject to the retention schedules in the Privacy Policy (e.g. billing records are retained for 7 years under Belgian accounting law).
• Make available all information necessary to demonstrate compliance with GDPR Art. 28 and allow for and contribute to audits as described in section 8.

5. Sub-processors

The Customer grants NotarAI general written authorisation to engage sub-processors. NotarAI will notify the Customer of any intended addition or replacement of sub-processors via an update to this page at least 14 days in advance. If the Customer objects on reasonable data protection grounds, it may terminate the affected Services with 30 days' written notice.

Current sub-processors authorised under this DPA:

NotarAI imposes equivalent data protection obligations on all sub-processors via data processing agreements. NotarAI remains liable to the Customer for the performance of sub-processors' obligations to the extent NotarAI is liable under GDPR Art. 28(4).

6. Technical and organisational measures (TOMs)

NotarAI implements and maintains appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (GDPR Art. 32). Current measures include:

• All data in transit encrypted with TLS 1.2 or higher.
• Data at rest encrypted using AES-256 at the infrastructure level (Supabase).
• API keys stored as one-way scrypt hashes; plaintext is never persisted.
• Database access restricted to application service accounts with least-privilege roles.
• File storage paths include unpredictable identifiers; objects are not enumerable.
• Error monitoring (Sentry) configured via SDK-side beforeSend hooks to strip out raw multipart form data, binary payloads, and Authorization headers before transmitting telemetry outside the EEA. File binary content is never present in Sentry error reports.
• File binary payloads are processed strictly within memory on stateless serverless functions and are persisted exclusively within the designated EEA storage zone (Supabase EU Frankfurt); application logging and crash-reporting layers are scrubbed of user binary payloads prior to any transmission outside the EEA.
• Uploaded files automatically deleted on the schedule set out in the Privacy Policy; no manual intervention required.
• Access to production infrastructure restricted to the operator; no third-party support access to customer data.

NotarAI may update TOMs over time to reflect improvements or changes in technology. Updates will not reduce the overall level of protection.

7. International transfers

File content is stored and processed exclusively in Supabase’s EU Frankfurt region and is not transferred outside the EEA. For sub-processors located in the United States, NotarAI relies on the following transfer mechanisms:

• Stripe and Vercel are certified under the EU-U.S. Data Privacy Framework (DPF) adequacy decision (Commission Decision of 10 July 2023). Standard Contractual Clauses (SCCs, Decision 2021/914) serve as a fallback safeguard.
• Resend and Sentry — NotarAI relies on Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914) as the appropriate safeguard under GDPR Art. 46(2)(c).

NotarAI has completed a transfer impact assessment for each USA-based sub-processor and assessed that the applicable transfer mechanism provides adequate protection given the nature and volume of personal data transferred.

8. Audit rights

NotarAI will, upon written request from the Customer, make available information reasonably necessary to demonstrate compliance with this DPA (GDPR Art. 28(3)(h)). This may include answering a reasonable questionnaire, providing relevant policy documents, or sharing applicable third-party certifications or audit summaries.

On-site audits may be requested with reasonable notice, conducted at the Customer’s expense, subject to reasonable confidentiality obligations, and limited to once per calendar year unless a documented breach justifies additional review. NotarAI may satisfy audit requests by providing a third-party audit report in lieu of an on-site audit.

9. Data breach notification

In the event of a personal data breach involving Customer personal data, NotarAI will notify the Customer without undue delay and in any case within 72 hours of becoming aware of the breach, to the extent this is possible. The notification will include:

• A description of the nature of the breach including categories and approximate number of data subjects and records affected.
• The name and contact details of the data protection contact point at NotarAI.
• The likely consequences of the breach.
• The measures taken or proposed to address the breach.

Notification is to the email address associated with the Customer’s account. The Customer is responsible for any further notification to supervisory authorities or data subjects under GDPR Art. 33–34.

10. Return and deletion of data

Upon termination of the Customer’s subscription or upon a written deletion request, NotarAI will delete personal data processed on the Customer’s behalf in accordance with the retention schedules published in the Privacy Policy. Specifically:

• Uploaded files are deleted automatically per the applicable retention window (15 minutes to 45 days depending on plan).
• Account data is deleted within 30 days of an account deletion request.
• Permanent verification records (certificate ID, declaration, SHA-256 fingerprint) cannot be deleted, as they contain no file binaries and their continued availability is necessary for third-party verification integrity. Because SHA-256 hashes are mathematically irreversible one-way functions and contain no identifiable natural-language personal data, they do not constitute personal data under current European jurisprudence (CJEU C-582/14, Breyer) once the original underlying file asset has been permanently erased and the hash can no longer be linked to an identifiable natural person by any party using means reasonably likely to be used.
• Billing records are retained for 7 years under Belgian accounting law regardless of account status.

NotarAI does not offer data return in a portable format beyond what is available through the standard product export functionality.

11. Customer obligations

As data controller, the Customer is responsible for:

• Ensuring it has a valid legal basis under GDPR Art. 6 (and Art. 9 where applicable) for each type of personal data uploaded to the Service.
• Providing data subjects with required transparency notices covering the processing described in this DPA.
• Ensuring that personal data uploaded to the Service is limited to what is necessary for the intended purpose (data minimisation, GDPR Art. 5(1)(c)).
• Not uploading special category data (GDPR Art. 9) or criminal conviction data (Art. 10) unless the Customer has an explicit legal basis to do so and has notified NotarAI in advance.

12. Liability

Each party is liable for damages caused by its own GDPR non-compliance. Where both parties are responsible for the same damage, liability is apportioned in accordance with GDPR Art. 82. The liability cap in the Terms of Service applies to the extent permitted by applicable law, including GDPR. Liability for GDPR fines imposed directly on the Customer by a supervisory authority does not fall on NotarAI unless NotarAI was directly at fault.

13. Governing law

This DPA is governed by the laws of Belgium. Any dispute arising out of or in connection with this DPA is subject to the exclusive jurisdiction of the competent courts of Belgium, consistent with the Terms of Service.

14. Updates to this DPA

NotarAI may update this DPA to reflect changes in applicable law, the Services, or sub-processor arrangements. Material changes (including additions to the sub-processor list) will be communicated at least 14 days in advance by email and/or by a notice at the top of this page. Continued use of the Service after the effective date constitutes acceptance of the updated DPA.

15. Contact

Data controller contact (for processor-side questions under this DPA): privacy@notarai.io
Operator: Arthur Temmerman, Belgium (VAT BE1031912625).