Safety Company News
Get Workers

Data Processing Agreement

This agreement governs how Neuraphic processes personal data on behalf of customers who use our products and services. Last updated April 1, 2026.

1. Definitions

In this Data Processing Agreement ("DPA"), the following terms have the meanings set out below. Where terms are not defined here, they have the meanings ascribed to them in the principal service agreement between Neuraphic and the Customer (the "Agreement").

"Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. For the purposes of this DPA, the Customer is the Controller with respect to Customer Data.

"Processor" means the natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller. For the purposes of this DPA, Neuraphic is the Processor with respect to Customer Data.

"Subprocessor" means any third party engaged by Neuraphic to process Customer Data on behalf of the Customer. Subprocessors include infrastructure providers, hosting services, and other third parties that access or process Customer Data in connection with the provision of the Services.

"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"), as defined by applicable data protection laws, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act ("CCPA"), the UK Data Protection Act 2018, Brazil's Lei Geral de Protecao de Dados ("LGPD"), and other applicable privacy legislation.

"Customer Data" means any data, including Personal Data, that the Customer or its authorized users submit to, transmit through, or store within the Services, including inputs provided to Neuraphic models and APIs and the outputs generated in response.

"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission, as amended or replaced from time to time.

2. Scope and Purpose

This DPA applies to all Processing of Customer Data by Neuraphic in connection with the provision of the Services under the Agreement. It forms part of and is incorporated into the Agreement. In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the Processing of Personal Data.

The purpose of Processing under this DPA is to enable Neuraphic to provide the Services to the Customer as described in the Agreement, including the processing of inputs through Neuraphic's AI models and APIs and the delivery of outputs to the Customer. Processing activities may include the reception, storage, computation, transformation, and transmission of Customer Data as necessary to fulfill the Services.

The categories of Data Subjects whose Personal Data may be processed include the Customer's employees, contractors, customers, end users, and any other individuals whose data is submitted to the Services. The types of Personal Data processed will depend on the Customer's use of the Services and may include names, contact information, identification numbers, professional information, and any other data included in inputs to the Services.

3. Neuraphic's Role as Processor

When Neuraphic processes Customer Data in connection with the provision of the Services, Neuraphic acts as a Processor on behalf of the Customer, who acts as the Controller. Neuraphic shall process Customer Data only in accordance with the Customer's documented instructions, as described in this DPA and the Agreement, unless required to do otherwise by applicable law, in which case Neuraphic shall inform the Customer of the legal requirement before processing (unless prohibited by law from doing so).

Neuraphic shall not process Customer Data for any purpose other than providing the Services as described in the Agreement and this DPA, unless the Customer provides separate, explicit written instructions authorizing additional processing.

4. AI-Specific Data Processing Terms

No use of Customer Data for model training. Neuraphic shall not use Customer Data submitted through the API or any other Service to train, fine-tune, improve, or develop Neuraphic's artificial intelligence models, machine learning systems, or any other products or services, unless the Customer has provided separate, explicit written consent specifically authorizing such use. This commitment applies to both the inputs submitted by the Customer and the outputs generated by the Services.

Transient processing. Customer Data submitted through the API is processed transiently for the purpose of generating responses and is not retained beyond the duration necessary to complete the requested operation, except as required for short-term caching to ensure service performance, compliance with applicable legal obligations, or as otherwise specified in the Agreement.

Logs and metadata. Neuraphic may retain limited operational metadata (such as timestamps, token counts, error codes, and API endpoint identifiers) for the purposes of billing, service monitoring, abuse prevention, and debugging. Such metadata is retained in a manner that minimizes the inclusion of Personal Data and is subject to the security measures described in this DPA.

The restrictions in this Section apply regardless of whether Customer Data has been aggregated, anonymized, or de-identified. Neuraphic shall not use Customer Data, or any data derived from Customer Data, for model training, fine-tuning, or improvement of any kind, except with the Customer's explicit written consent. The safety training and de-identification exceptions described in the Privacy Policy do not apply to data processed under this Agreement.

Separation of data. Neuraphic maintains logical separation between Customer Data from different customers. Customer Data is not commingled across customer accounts, and access controls ensure that one customer's data is not accessible to another customer or used in the processing of another customer's requests.

5. Data Processing Instructions

The Customer instructs Neuraphic to process Customer Data to the extent necessary to provide the Services in accordance with the Agreement. The Customer's instructions are documented in this DPA and the Agreement, and any additional instructions must be agreed upon in writing.

Neuraphic shall promptly inform the Customer if, in Neuraphic's opinion, an instruction from the Customer infringes applicable data protection law. Neuraphic shall not be required to assess the lawfulness of the Customer's instructions beyond what is reasonably apparent, but shall act in good faith to alert the Customer to potential concerns.

The Customer acknowledges that the nature of the Services requires the Customer to exercise judgment regarding the types of data submitted. The Customer is responsible for ensuring that it has an appropriate legal basis for submitting Personal Data to the Services and that such submission is consistent with its obligations to Data Subjects.

6. Security Measures

Neuraphic shall implement and maintain appropriate technical and organizational measures to protect Customer Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures shall be appropriate to the nature, scope, context, and purposes of processing, as well as the risk to the rights and freedoms of Data Subjects. Neuraphic's security measures include, but are not limited to:

Encryption. Customer Data is encrypted at rest using AES-256 or equivalent encryption standards and in transit using TLS 1.2 or higher. Encryption keys are managed through secure key management systems with appropriate access controls and rotation schedules.

Access controls. Access to Customer Data is restricted to authorized Neuraphic personnel on a need-to-know basis. Neuraphic implements role-based access controls, multi-factor authentication, and the principle of least privilege for all systems that process Customer Data.

Audit logs. Neuraphic maintains comprehensive audit logs of access to and operations on Customer Data. Audit logs are protected against tampering and are retained for a period sufficient to support security investigations and compliance requirements.

Infrastructure security. Neuraphic maintains security measures for its infrastructure, including network segmentation, intrusion detection and prevention systems, vulnerability management programs, and regular security assessments. Production systems are hardened and maintained in accordance with industry security standards.

Personnel security. All Neuraphic personnel with access to Customer Data are subject to confidentiality obligations and receive regular training on data protection and security practices. Background checks are conducted in accordance with applicable law.

Incident response. Neuraphic maintains an incident response plan that provides for the timely detection, investigation, and remediation of Security Incidents. The incident response plan is tested regularly and updated to reflect evolving threats and best practices.

7. Subprocessor Management

The Customer provides general authorization for Neuraphic to engage Subprocessors in connection with the provision of the Services, subject to the requirements of this section.

Subprocessor list. Neuraphic maintains a current list of Subprocessors, which is available upon request by contacting [email protected]. The list includes the name, location, and nature of processing performed by each Subprocessor.

Prior notice. Neuraphic shall provide the Customer with at least thirty (30) days' prior written notice before engaging a new Subprocessor or materially changing the scope of processing by an existing Subprocessor. Notice shall be provided via email to the Customer's designated contact or through the Neuraphic console.

Objection rights. The Customer may object to the engagement of a new Subprocessor by notifying Neuraphic in writing within fifteen (15) days of receiving notice. If the Customer objects, Neuraphic shall use reasonable efforts to make available an alternative arrangement that avoids the use of the objected-to Subprocessor. If no alternative is reasonably available, either party may terminate the affected Services upon thirty (30) days' written notice without penalty.

Flow-down obligations. Neuraphic shall enter into written agreements with all Subprocessors that impose data protection obligations no less protective than those set out in this DPA. Neuraphic remains fully liable to the Customer for the acts and omissions of its Subprocessors with respect to Customer Data.

8. Data Subject Rights Assistance

Neuraphic shall assist the Customer in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under applicable data protection law, including the right of access, rectification, erasure, restriction of processing, data portability, and the right to object to processing.

If Neuraphic receives a request directly from a Data Subject relating to Customer Data, Neuraphic shall promptly redirect the request to the Customer and shall not respond to the Data Subject directly, unless required by applicable law or authorized by the Customer.

Neuraphic shall provide the Customer with the technical capabilities and reasonable cooperation necessary to enable the Customer to respond to Data Subject requests within the timeframes required by applicable law. Where the Customer's ability to address a Data Subject request depends on Neuraphic's assistance, Neuraphic shall provide such assistance without undue delay.

9. Data Breach Notification

In the event of a Security Incident affecting Customer Data, Neuraphic shall notify the Customer without undue delay and in any event within seventy-two (72) hours of becoming aware of the Security Incident. Notification shall be provided to the Customer's designated security contact via email and, where available, through the Neuraphic console.

The notification shall include, to the extent known at the time of notification: the nature of the Security Incident, including the categories and approximate number of Data Subjects and records affected; a description of the likely consequences of the Security Incident; a description of the measures taken or proposed to be taken to address the Security Incident and mitigate its effects; and the contact details of Neuraphic's data protection officer or other point of contact for further information.

Neuraphic shall cooperate with the Customer in investigating and remediating the Security Incident and shall provide the Customer with timely updates as additional information becomes available. Neuraphic shall take all reasonable measures to contain and mitigate the effects of the Security Incident and to prevent recurrence.

Neuraphic's notification of a Security Incident shall not be construed as an acknowledgment of fault or liability. The obligations under this section are without prejudice to any other notification obligations that Neuraphic may have under applicable law.

10. Audit Rights

The Customer may, upon reasonable notice and no more than once per calendar year (unless a Security Incident or regulatory requirement necessitates additional audits), audit Neuraphic's compliance with this DPA. Audits may be conducted by the Customer or by a qualified, independent third-party auditor selected by the Customer and approved by Neuraphic (such approval not to be unreasonably withheld).

Neuraphic shall cooperate with audits by providing access to relevant documentation, facilities, and personnel. Audits shall be conducted during normal business hours and in a manner that minimizes disruption to Neuraphic's operations. The Customer shall bear the costs of any audit, except where the audit reveals a material breach of this DPA by Neuraphic, in which case Neuraphic shall bear the costs.

In lieu of or in addition to on-site audits, Neuraphic may provide the Customer with copies of relevant certifications, audit reports (such as SOC 2 Type II reports), or other evidence of compliance with this DPA. Where such documentation reasonably addresses the Customer's audit requirements, the Customer shall accept such documentation in satisfaction of its audit rights under this section.

11. Data Deletion and Return

Upon termination or expiration of the Agreement, or upon the Customer's written request at any time during the term, Neuraphic shall, at the Customer's election, return all Customer Data to the Customer in a commonly used, machine-readable format or securely delete all Customer Data in its possession and in the possession of its Subprocessors.

Deletion shall be completed within thirty (30) days of the Customer's request or the effective date of termination, whichever is later. Neuraphic shall certify in writing that deletion has been completed. Where applicable law requires Neuraphic to retain certain Customer Data beyond this period, Neuraphic shall inform the Customer of the retention requirement, limit processing of the retained data to the purposes required by law, and apply the security measures described in this DPA to the retained data for the duration of the retention period.

Data that has been incorporated into backup systems or archived in accordance with standard operational procedures shall be deleted in the ordinary course of backup rotation and shall not be actively processed after the deletion request or termination date.

12. International Transfers

Where the provision of the Services involves the transfer of Customer Data from the European Economic Area (EEA), the United Kingdom, or Switzerland to a country that has not been recognized as providing an adequate level of data protection, Neuraphic shall ensure that appropriate safeguards are in place in accordance with applicable data protection law.

Standard Contractual Clauses. For transfers of Personal Data from the EEA, the parties agree to be bound by the Standard Contractual Clauses (Module Two: Controller to Processor) as adopted by the European Commission Decision 2021/914, which are hereby incorporated by reference into this DPA. For transfers from the United Kingdom, the parties agree to be bound by the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office. For transfers from Switzerland, the SCCs shall apply with the modifications required by the Swiss Federal Data Protection Act.

Supplementary measures. Neuraphic shall implement supplementary technical, organizational, and contractual measures as necessary to ensure that the transferred data receives a level of protection that is essentially equivalent to that guaranteed within the EEA, taking into account the legal framework of the destination country. Supplementary measures may include enhanced encryption, pseudonymization, and access restrictions.

Where the Customer is subject to data protection laws in other jurisdictions that impose transfer restrictions (such as the LGPD, PIPA, or PDPA), Neuraphic shall cooperate with the Customer to implement the transfer mechanisms required by applicable law.

13. Duration and Termination

This DPA shall remain in effect for the duration of the Agreement and for so long as Neuraphic processes Customer Data on behalf of the Customer. The obligations of Neuraphic under this DPA shall survive termination or expiration of the Agreement to the extent necessary to complete the return or deletion of Customer Data and to address any ongoing obligations under applicable data protection law.

Either party may terminate this DPA in the event of a material breach by the other party that remains uncured for thirty (30) days after written notice of the breach. Termination of this DPA shall constitute a material breach of the Agreement and may result in termination of the Agreement.

Upon termination of this DPA, the provisions of Sections 6 (Security Measures), 9 (Data Breach Notification), 11 (Data Deletion and Return), and 12 (International Transfers) shall survive to the extent necessary to give effect to their purpose.

14. Liability

Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement. Nothing in this DPA shall be construed to limit either party's liability for breaches of applicable data protection law to the extent that such limitation would be prohibited by law.

Where Neuraphic is found to be liable for damages caused by processing that does not comply with this DPA or applicable data protection law, Neuraphic's liability shall be limited to the damages directly attributable to Neuraphic's failure to comply with its obligations as a Processor. Where Neuraphic is jointly liable with the Customer for damages caused to a Data Subject, each party shall be liable for its respective share of the damage.

15. Amendments

Neuraphic may update this DPA from time to time to reflect changes in applicable data protection law, industry standards, or Neuraphic's data processing practices. Non-material changes shall be communicated to the Customer with at least thirty (30) days' prior written notice; if the Customer does not object within fifteen (15) days of receiving notice, the updated DPA shall become effective. Material amendments that expand the scope of processing, reduce security protections, or modify the restrictions on the use of Customer Data for model training require mutual written agreement or the Customer's affirmative opt-in and shall not become effective through the Customer's silence or continued use of the Services alone. If the Customer objects to any proposed change, the parties shall negotiate in good faith to resolve the objection; if resolution is not reached within thirty (30) days, either party may terminate the affected Services upon written notice without penalty.

16. Contact

For questions or requests relating to this Data Processing Agreement, please contact:

General inquiries: [email protected]
DPA-specific requests: [email protected]

Neuraphic, Inc.
A Delaware C Corporation
United States of America