Data Processing Agreement
Last updated: June 23, 2026
This Data Processing Agreement (“DPA”) forms part of and is incorporated into the Terms & Conditions or other written agreement (the “Agreement”) between Nuera, Inc. (“Nuera,” “Processor”) and the customer that uses the Nuera AI workspace (the “Customer,” “Controller”). It governs Nuera’s Processing of Personal Data contained in Customer Data on Customer’s behalf when Customer uses the Platform. In the event of a conflict between this DPA and the Agreement with respect to data protection, this DPA controls.
This DPA applies to the extent that Nuera Processes Personal Data subject to Applicable Data Protection Laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the Swiss FADP, and the California Consumer Privacy Act as amended by the CPRA (“CCPA”).
1. Definitions
Capitalized terms not defined here have the meaning given in the Agreement. “Applicable Data Protection Laws” means all privacy and data-protection laws applicable to the Processing. “Controller,” “Processor,” “Data Subject,” “Personal Data,” “Personal Data Breach,” and “Processing” have the meanings given under the GDPR (and equivalent terms such as “business,” “service provider,” and “consumer” under the CCPA apply correspondingly). “Customer Data” has the meaning given in the Agreement and includes the documents, databases, API content, prompts, and Run inputs and outputs that Customer submits to or processes through the Platform. “Subprocessor” means any third party engaged by Nuera to Process Personal Data. “Standard Contractual Clauses” (“SCCs”) means the clauses approved by the European Commission for transfers of Personal Data to third countries.
2. Roles of the parties
With respect to Personal Data in Customer Data, Customer is the Controller (or a Processor acting on behalf of a third-party controller) and Nuera is the Processor. Where Nuera processes account, billing, and Site data for its own purposes (as described in the Privacy Policy), Nuera acts as an independent Controller; that Processing is outside the scope of this DPA. For the purposes of the CCPA, Nuera is a service provider and will not sell or share Personal Data and will not retain, use, or disclose it except to provide the Platform under the Agreement.
3. Scope and instructions
Nuera will Process Personal Data only on Customer’s documented instructions, including as set out in the Agreement, this DPA, and Customer’s configuration and use of the Platform (for example, the agents, workflows, integrations, guardrails, and approvals Customer sets up). Nuera will not Process Personal Data for any other purpose. Nuera will not use Customer Data, including Personal Data, to train foundation models. Nuera will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws (without obligation to provide legal advice).
The details of Processing are described in Annex I.
4. Confidentiality
Nuera ensures that personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations and are trained on their data-protection responsibilities. Access to Personal Data is limited to personnel who need it to provide and support the Platform.
5. Security measures
Nuera implements and maintains appropriate technical and organizational measures to protect Personal Data, as described in Annex II and in Nuera’s Security Policy, including encryption in transit and at rest, access controls (SSO, SAML, RBAC, MFA), tenant isolation, audit logging, monitoring, and a SOC 2 Type II program. Nuera may update these measures provided that the level of protection is not materially reduced.
6. Subprocessors
Customer provides general authorization for Nuera to engage Subprocessors to Process Personal Data to provide the Platform. Nuera: (a) maintains a current list of Subprocessors (Annex III); (b) imposes data-protection obligations on each Subprocessor that are no less protective than those in this DPA; (c) remains responsible for each Subprocessor’s performance; and (d) gives Customer reasonable prior notice of the addition or replacement of a Subprocessor and a mechanism to subscribe to such notices. Customer may object on reasonable, data-protection grounds, in which case the parties will work in good faith to resolve the concern; if it cannot be resolved, Customer may terminate the affected portion of the Platform.
7. Data subject requests
Taking into account the nature of the Processing, Nuera will provide reasonable assistance — through appropriate technical and organizational measures and the self-service features of the Platform — to help Customer respond to requests from Data Subjects to exercise their rights (such as access, rectification, erasure, restriction, portability, and objection). If Nuera receives such a request directly, it will, unless legally prohibited, promptly inform the Data Subject to contact Customer and will not respond on Customer’s behalf except on Customer’s instructions.
8. Personal Data Breach
Nuera will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer’s Personal Data, and will provide information reasonably available to help Customer meet its breach-notification obligations. Nuera will take reasonable steps to investigate, contain, and remediate the breach. Nuera’s notification is not an acknowledgment of fault or liability.
9. Data protection impact assessments
Taking into account the nature of Processing and the information available to Nuera, Nuera will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities that Customer is required to carry out under Applicable Data Protection Laws.
10. International transfers
Where Nuera Processes Personal Data originating from the EEA, the United Kingdom, or Switzerland in a country that has not received an adequacy decision, the SCCs (together with the UK International Data Transfer Addendum and the Swiss amendments, as applicable) are incorporated into and form part of this DPA and apply to that transfer. For the SCCs, Customer is the data exporter and Nuera is the data importer; the relevant modules and the information in the Annexes apply. Nuera will implement supplementary measures where required to ensure an essentially equivalent level of protection.
11. Return and deletion
Upon termination or expiry of the Agreement, Nuera will, at Customer’s choice, delete or return Customer’s Personal Data, and delete existing copies, within a commercially reasonable export window, except to the extent retention is required by law. Backups are deleted in the ordinary course in line with Nuera’s retention schedule, and remain protected by this DPA until deleted.
12. Audits
Nuera will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including its SOC 2 Type II report and other documentation, under confidentiality obligations. Where Applicable Data Protection Laws grant Customer a right to audit, that right is satisfied by Nuera’s provision of such reports and responses to reasonable security questionnaires; on-site audits, where strictly required, will be conducted no more than once per year, on reasonable prior notice, during business hours, in a manner that does not disrupt Nuera’s operations, and subject to confidentiality.
13. Liability
Each party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA does not limit any rights a Data Subject may have under Applicable Data Protection Laws.
14. Order of precedence and term
This DPA is effective for as long as Nuera Processes Personal Data on Customer’s behalf. In case of conflict, the SCCs prevail over this DPA, and this DPA prevails over the rest of the Agreement, in each case only with respect to data protection. All other terms of the Agreement remain in full force.
Annex I — Details of Processing
Parties. Data exporter: Customer (the Controller using the Nuera Platform). Data importer: Nuera, Inc., a provider of an AI workspace, San Francisco, California, United States.
Subject matter. Provision of the Nuera AI workspace, under which Customer connects data, tools, and workflows and configures autonomous agents that plan, act, and complete tasks.
Duration. For the term of the Agreement, plus the return/deletion period in Section 11.
Nature and purpose of Processing. Hosting, storage, transmission, retrieval, organization, analysis, and other Processing necessary to operate the Platform — including executing agent and workflow Runs, grounding agents on connected data, routing prompts and context to AI model providers for inference, performing actions through connected integrations, generating observability traces, providing security and support, and billing-related Processing.
Types of Personal Data. Determined by Customer through its use of the Platform, and may include: identifiers and contact details (names, email addresses, usernames); professional information; account and authentication identifiers; content within connected documents, databases, files, and integrations; prompts and instructions; and the inputs and outputs of Runs. Customer is responsible for not submitting special-category data unless appropriate safeguards are in place.
Categories of Data Subjects. Determined by Customer, and may include Customer’s personnel and authorized users, Customer’s own customers and end users, prospects, suppliers, and other individuals whose Personal Data appears in Customer Data.
Frequency. Continuous, for the duration of the Agreement, based on Customer’s use.
Competent supervisory authority (where the SCCs apply). Determined in accordance with the GDPR based on Customer’s EU representative or place of establishment.
Annex II — Technical and Organizational Measures
Nuera maintains the measures described in its Security Policy, including:
Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256 or equivalent), with managed key rotation.
Access controls including SSO, SAML, SCIM, role-based access control, MFA, and least-privilege administrative access that is reviewed regularly.
Logical tenant isolation segregating each Customer’s Workspace, data, agents, workflows, and Run traces; dedicated infrastructure available for Enterprise.
Built-in audit logging and observability/tracing of agent and workflow Runs.
Secure development lifecycle, code review, dependency and secret scanning, and regular third-party penetration testing.
Network protections including firewalls, web application firewall, DDoS protection, rate limiting, and segmentation.
Continuous monitoring, centralized logging and alerting, and a documented incident-response plan.
Regular, encrypted backups and tested business-continuity and disaster-recovery procedures, with a 99.9% uptime target.
Personnel background checks (where permitted), confidentiality obligations, and recurring security and privacy training.
A SOC 2 Type II program covering security, availability, and confidentiality.
Annex III — Subprocessors
Nuera engages the following categories of Subprocessors to Process Personal Data in connection with the Platform. The authoritative, current list is maintained by Nuera and made available to customers; Nuera provides advance notice of changes as described in Section 6.
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services, Inc. | Cloud hosting and infrastructure | United States |
| Cloudflare, Inc. | CDN, DNS, DDoS protection, and WAF | United States |
| OpenAI, L.L.C. | AI model inference | United States |
| Anthropic, PBC | AI model inference | United States |
| Google LLC (Google Cloud) | AI model inference and infrastructure | United States |
| Stripe, Inc. | Payment processing and billing | United States |
| Intercom, Inc. | In-product and support chat | United States |
| Transactional email provider | Service and notification emails | United States |
| Product analytics provider | Usage analytics and product telemetry | United States |
| Framer B.V. | Marketing website hosting | Netherlands |
AI model providers process only the prompts and context required to perform a requested task and are contractually prohibited from using Customer Data to train their foundation models.
Contact
Nuera, Inc. — San Francisco, California, United States
Data protection / DPA requests: dpo@nuera.ai
Privacy: privacy@nuera.ai
Legal: legal@nuera.ai
To request a countersigned copy of this DPA or the current Subprocessor list, contact dpo@nuera.ai.