Data Processing Agreement (DPA)
Last Updated: 2026-06-19 Version: 2 Effective Date: 2026-06-19
This is the standard DPA for B2B customers (Team and Enterprise) processing personal data of their employees, customers, or other data subjects through the NoParrot Service. Self-serve customers (Free, Pro individual) typically do not need a separate DPA — the Privacy Policy covers individual users.
Parties
Controller (“Customer”): the organisation entering into a subscription agreement with NoParrot under which it acts as a “controller” (GDPR Art. 4(7)) for personal data of its own employees, customers, or other data subjects (“Customer Data”).
Processor (“NoParrot”): Individual Entrepreneur ARTEM KHAUSTOV, a Georgian Individual Entrepreneur registered under ID 302302657 with registered address at Mikheil Tsinamsavrishvili street, N 52, Chugureti district, Tbilisi, Georgia, acting as a “processor” (GDPR Art. 4(8)) for Customer Data.
1. Subject matter and duration
1.1 Subject matter
This DPA governs the processing of Customer Data by NoParrot on behalf of Customer in connection with the NoParrot Service (“Service”). It supplements the parties’ subscription agreement, including the Terms of Service.
1.2 Duration
This DPA is effective from the date Customer’s subscription begins and continues until 30 days after termination of the subscription, plus any additional periods required by law for record retention.
1.3 Purpose
The sole purpose of processing is to provide the Service to Customer, including:
- Transcribing audio/video files uploaded by Customer’s authorised users
- Generating filenames, summaries, and template-based outputs
- Optionally pushing transcripts to Customer’s configured integrations (e.g., Notion)
- Optionally exporting transcripts to Customer’s RAG/vector databases
2. Categories of personal data and data subjects
2.1 Categories of personal data processed
| Category | Examples |
|---|---|
| Account data | Email, name, role within Customer organisation |
| Authentication data | Hashed passwords, JWT tokens |
| Audio content (transient, opt-in) | Audio file content when Customer opts into cloud processing |
| Transcript content | Text outputs derived from audio |
| Usage metadata | File counts, processing durations, feature usage |
| Hardware fingerprints | Device identifiers (hashed) for license enforcement |
| IP addresses | Hashed at /24 subnet level |
2.2 Special-category data (Art. 9 GDPR)
Customer Data may incidentally include special-category data (e.g., health discussions in medical-context recordings, religious or political opinions in interview content, biometric voice data through diarisation). Customer represents that it has appropriate legal bases and safeguards for processing such data.
2.3 Categories of data subjects
- Customer’s employees and contractors
- Participants in Customer’s meetings or recordings
- Third parties referenced in transcribed content
3. Obligations of the Processor (NoParrot)
We will:
3.1 Process per documented instructions
Process Customer Data only on the documented instructions of Customer, including with regard to transfers of personal data to a third country. Customer’s instructions are documented in:
- This DPA
- The Service configuration (e.g., enabled cloud-region preferences)
- The Customer’s use of the Service’s UI/API
We will inform Customer, before complying, if in our opinion an instruction infringes GDPR or other applicable data protection law.
3.2 Ensure confidentiality
Ensure persons authorised to process Customer Data have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality.
3.3 Implement appropriate security (Art. 32)
Implement technical and organisational measures appropriate to the risk, as described in Annex 2 — Technical and Organisational Measures.
3.4 Engage sub-processors
May only engage sub-processors with Customer’s general written authorisation. The current list of sub-processors is at /legal/subprocessors. We will inform Customer of any intended addition or replacement of sub-processors at least 30 days in advance, allowing Customer to object on reasonable grounds related to data protection. If Customer objects, we will work in good faith to find a mutually acceptable solution; if we cannot, Customer may terminate the subscription pro-rata.
For emergency sub-processor replacements (e.g., insolvency, breach), we will provide notice as soon as practicable.
3.5 Assist with data subject rights
Taking into account the nature of processing, we will assist Customer by appropriate technical and organisational measures (insofar as possible) in fulfilling Customer’s obligation to respond to data subject requests under Articles 12–22 GDPR.
We provide automated tools (data export, account deletion, telemetry purge) accessible by Customer’s admin users.
3.6 Assist with DPIA, breach notification, and prior consultation
Assist Customer in ensuring compliance with Articles 32–36 GDPR by:
- Providing information necessary to demonstrate compliance.
- Notifying Customer without undue delay (and in any event within 24 hours) of any personal data breach affecting Customer Data, providing all information reasonably required to enable Customer to fulfil its own breach-notification obligations to supervisory authorities and data subjects.
- Providing reasonable assistance with Data Protection Impact Assessments and prior consultations with supervisory authorities.
3.7 Return or delete Customer Data on termination
Upon termination of the subscription and at Customer’s choice, we will:
- Delete all Customer Data within 30 days of termination, OR
- Return Customer Data in a structured machine-readable format (JSON/CSV) before deletion.
We may retain Customer Data only to the extent and for the period required by law (e.g., tax records — see Privacy Policy §7).
3.8 Allow audits
Make available to Customer all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by Customer or an auditor mandated by Customer:
- Documentation-based audits: free of charge, response within 30 days
- On-site audits: subject to reasonable notice (≥30 days), mutually agreed scope, and reimbursement of our reasonable costs.
- For audits of our sub-processors, we will request equivalent audit cooperation under our sub-processor agreements; certain technical SaaS providers (Cloudflare, Fly.io) provide SOC-2 / ISO-27001 reports in lieu of on-site audits.
4. Sub-processors
The current sub-processors are listed at /legal/subprocessors. By signing this DPA, Customer provides general written authorisation for these sub-processors and any new sub-processors added with 30-day notice.
We remain liable for the acts and omissions of our sub-processors as if they were our own.
5. International transfers
Customer Data may be processed in the EU, UK, USA, and Georgia, depending on the sub-processor.
For transfers from the EU/EEA to third countries (USA, Georgia), the parties agree:
- The EU Standard Contractual Clauses (SCC) Module 2 (Decision 2021/914) for controller-to-processor transfers are incorporated by reference into this DPA and apply to transfers from the EEA to third countries without an adequacy decision.
- The EU adequacy decision for the United Kingdom (Decision (EU) 2021/1772) covers transfers to UK-based sub-processors (including the Merchant of Record, Paddle); no additional safeguard is required while that decision remains in force.
- Where NoParrot and Customer act as joint controllers under Section 6 of this DPA, the SCC Module 1 (controller-to-controller) is incorporated by reference and applies to any controller-to-controller transfer arising from that arrangement.
- The UK International Data Transfer Addendum (IDTA) under Section 119A Data Protection Act 2018 applies to transfers from the UK.
- The Swiss SCC addendum applies to transfers from Switzerland.
A Transfer Impact Assessment (TIA) for each US-located sub-processor is documented internally and available to Customer on request.
6. Joint-controller scenarios (B2B)
For certain processing related to product analytics and abuse prevention (e.g., usage telemetry attributed to a Customer Employee), NoParrot may act as a joint controller with Customer under GDPR Article 26.
The parties agree:
- Each party is responsible for providing transparent information about the processing to data subjects (Customer informs its employees; NoParrot publishes the Privacy Policy).
- Data subjects may exercise their rights with either party; the parties will cooperate to ensure responses.
- NoParrot is the primary contact for data subject requests originating from the Service.
7. Customer obligations
Customer:
- Acts as data controller for Customer Data and is responsible for the lawfulness of its collection and the legitimacy of instructions to NoParrot.
- Will obtain all necessary consents and provide appropriate notices to data subjects.
- For special-category data (Art. 9), will have an appropriate basis (explicit consent or member-state law authorisation).
- Will use the Service in accordance with the Acceptable Use Policy.
8. Liability
The parties’ liability is governed by the Terms of Service §13, except as modified by mandatory provisions of GDPR Article 82.
9. Conflict
In case of conflict between this DPA and the Terms of Service regarding processing of Customer Data, this DPA controls.
10. Execution
This DPA is effective upon signature of both parties (email signature, e-signature, or equivalent) or upon Customer’s acceptance through the Customer Portal at the time of Team/Enterprise subscription purchase.
For Customer: ____________________ (signature) ____________________ (printed name) ____________________ (title) ____________________ (date)
For NoParrot: ____________________ (signature) Individual Entrepreneur ARTEM KHAUSTOV ____________________ (date)
Annex 1 — Description of processing
(Already covered in Section 1 and Section 2 above.)
Annex 2 — Technical and Organisational Measures
We implement the following technical and organisational measures appropriate to the risk:
Confidentiality
- Access controls: Role-based access control (RBAC) with least-privilege defaults.
- MFA: Multi-factor authentication required for all administrative access to production systems.
- Encryption at rest: AES-256 for sensitive fields. Passwords are stored only as bcrypt hashes; hardware fingerprints are stored as SHA-256 hashes; license tokens are issued as PASETO v4.public tokens signed with Ed25519.
- Encryption in transit: TLS 1.3 with strong cipher suites; HTTP Strict Transport Security (HSTS) enabled.
Integrity
- Audit logs: All admin actions and data-subject-rights actions are logged with actor identity, timestamp, target, and result; retained for the audit-log retention period appropriate to Customer’s tier.
- Schema-version constraints: Database schema migrations are versioned and reversible.
- Webhook idempotency: Payment provider webhook events are deduplicated via idempotency keys to prevent double-charging.
Availability and resilience
- Backups: Daily encrypted database backups, retained for 30 days.
- Disaster recovery: Documented runbook with target RTO/RPO appropriate to the Service tier.
- Multi-region option: Available for Enterprise customers.
Testing and evaluation
- Vulnerability scanning: Continuous CodeQL, OSV scanner, pip-audit, gitleaks in CI.
- Pre-commit secret scanning to prevent credential leaks at commit time.
- Penetration testing: Conducted subject to budget; planned for major releases.
Sub-processor management
- Due diligence: Each sub-processor reviewed for security posture, DPA capability, and contractual data-protection terms.
- Contractual obligations: All sub-processors are bound by data processing terms equivalent to those in this DPA.
Incident response
- Breach detection: Monitoring for unauthorised access attempts, anomalous database queries, and suspicious patterns.
- Notification SOP: 72-hour notification to Customer for any breach affecting Customer Data (per GDPR Art. 33).
- Cyber insurance: Carried with reasonable coverage levels appropriate to Service scale.
Data minimisation
- No collection of unnecessary data: We collect only data necessary to operate the Service (no advertising data, no behavioural profiling).
- Pseudonymisation: IP addresses hashed at /24 subnet; hardware fingerprints stored as one-way hashes.
- Retention limits: Defined per data category — see Privacy Policy §7.
Data subject rights
- Self-service tools: Account deletion, data export, telemetry purge, device management.
- Response times: 30 days for standard requests (extendable to 90 days for complex requests with notice).
For specific TOMs related to your processing or audit needs, contact support@noparrot.com to schedule a discussion.