Data Processing Agreement

Last updated: May 1, 2026
Effective: May 1, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between Novus ("Processor", "we") and the customer identified in the Agreement ("Controller", "you"). It governs the Processing of Personal Data by us on your behalf in connection with the Service.

In the event of conflict between the Agreement and this DPA, this DPA controls with respect to data protection matters.

1. Definitions

Capitalized terms not defined here have the meanings given in the GDPR (Regulation (EU) 2016/679), the UK GDPR, and the California Consumer Privacy Act ("CCPA") as applicable. "Personal Data" means any information relating to an identified or identifiable natural person that you submit to or generate within the Service.

2. Roles and Scope

You are the Controller (or, where applicable, Processor on behalf of a third-party controller) of Personal Data. We are the Processor. We will Process Personal Data only on your documented instructions, including those set out in the Agreement and this DPA, and as necessary to provide the Service.

3. Subject Matter, Duration, Nature, and Purpose

  • Subject matter: Provision of the AI-driven sales engagement Service.
  • Duration: Term of the Agreement plus any post-termination retention period.
  • Nature: Hosting, transmitting, analyzing, and generating outbound communications.
  • Purpose: Enabling Controller to research prospects and conduct outbound sales activities.
  • Categories of data subjects: Controller's employees, contractors, prospects, and recipients of communications.
  • Categories of Personal Data: Names, business contact details, employer, role, professional activities, message content, engagement metadata, and data Controller uploads or authorizes via integrations.
  • Sensitive data: None expected. Controller agrees not to upload special-category data without prior written consent from us.

4. Sub-processors

You authorize us to engage sub-processors to provide the Service. A current list of sub-processors is available on request to legal@novusasi.com. Categories include: cloud hosting, email infrastructure, AI inference, analytics, customer support, and CRM/outreach integrations you connect.

We will give at least 30 days' prior notice (via email or in-product notice) of any new sub-processor. You may object on reasonable data-protection grounds; if objection cannot be resolved, you may terminate the affected Service component for a pro-rata refund.

We remain responsible for sub-processors' performance of obligations equivalent to those in this DPA.

5. Confidentiality

We will ensure personnel authorized to Process Personal Data are bound by confidentiality obligations and have received appropriate data-protection training.

6. Security Measures

We implement and maintain appropriate technical and organizational measures designed to protect Personal Data, including:

  • encryption in transit (TLS 1.2+) and at rest (AES-256);
  • role-based access control with least privilege;
  • audit logging of administrative access;
  • secrets management with rotation;
  • vulnerability scanning and dependency monitoring;
  • vendor security review for sub-processors;
  • documented incident response procedures;
  • regular backup and tested restoration.

A more detailed description is available on request to security@novusasi.com.

7. Data Subject Rights

We will provide reasonable assistance, taking into account the nature of the Processing, to enable you to respond to requests from data subjects to exercise their rights under applicable law (access, rectification, erasure, restriction, portability, objection). Where data subjects contact us directly, we will refer them to you and notify you without undue delay.

8. Personal Data Breach

We will notify you without undue delay, and in any event within 72 hours, of becoming aware of a Personal Data Breach affecting your Personal Data. The notice will include the information required by Article 33(3) GDPR to the extent then known, with updates as the investigation progresses.

9. Data Protection Impact Assessments

We will provide reasonable assistance to support your data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of the Processing and the information available to us.

10. International Transfers

Where Processing involves the transfer of Personal Data from the EEA, UK, or Switzerland to a country not deemed adequate, the parties agree to be bound by:

  • the European Commission Standard Contractual Clauses (Module 2: Controller-to-Processor) dated 4 June 2021, completed as set out in Annex A;
  • the UK International Data Transfer Addendum (issued by the UK ICO) for transfers subject to UK GDPR; and
  • the Swiss FDPIC amendments where transfers are subject to Swiss FADP.

These instruments are incorporated by reference and prevail over any inconsistent terms.

11. Audits

You may, at your cost and on at least 30 days' notice, request information reasonably necessary to demonstrate compliance with this DPA. We will respond by providing summaries of relevant third-party audits (e.g., SOC 2, ISO 27001, where available) and answering reasonable written questions. On-site audits are by mutual agreement and limited to once per year except in the event of a confirmed breach or regulatory requirement.

12. Return or Deletion

Upon termination of the Service, we will delete or, at your written request, return Personal Data within 90 days, except to the extent retention is required by law or necessary for legitimate business purposes (e.g., fraud prevention, tax records).

13. Liability

The liability of each party under this DPA is subject to the limitations of liability set out in the Agreement.

14. Governing Law

This DPA is governed by the law specified in the Agreement, except where applicable data protection law requires otherwise (e.g., the SCCs and UK Addendum are governed by their own designated laws).

15. Order of Precedence

In the event of conflict among (i) the SCCs/UK Addendum, (ii) this DPA, and (iii) the Agreement, the order of precedence is (i), (ii), (iii).

16. Contact

Data protection questions or requests under this DPA: legal@novusasi.com (general) or privacy@novusasi.com (data subject matters).


Annex A — SCCs Information

  • Data exporter: As identified in the executed Order Form between the parties.
  • Data importer: Novus (legal@novusasi.com)
  • Module: Module 2 (Controller-to-Processor)
  • Optional Clause 7 (Docking): Adopted
  • Clause 9 (Sub-processors): Option 2 — General written authorization (notice period: 30 days)
  • Clause 11 (Independent dispute resolution): Not adopted
  • Clause 17 (Governing law): Law of Ireland
  • Clause 18 (Forum): Courts of Ireland

Annex B — Description of Processing

See Section 3 above.

Annex C — Technical and Organizational Measures

See Section 6 above. Detailed control descriptions available on request to security@novusasi.com.