Data Processing Addendum

Last updated: May 30, 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Nodle (“Processor”, “we”) and the customer organization that uses the Service (the “Customer”, “Controller”). It applies where Nodle processes personal data on the Customer’s behalf in connection with the Service, to the extent that EU/UK GDPR, the CCPA/CPRA, or similar data-protection laws apply.

If a signed DPA is required for your organization, contact support@nodle.tech.

1. Roles and scope

The Customer is the controller (or processor acting for its own customers) of the Customer Content processed in the Service; Nodle is the processor (or sub-processor). Each party will comply with its obligations under applicable data-protection law. For Nodle’s own account, billing, and website data, Nodle acts as an independent controller as described in the Privacy Policy.

2. Subject matter, duration, nature, and purpose

Nodle processes Customer Content to provide, secure, and improve the Service as described in the Terms, for the duration of the Customer’s use of the Service and as needed afterward to meet legal obligations.

  • Nature and purpose: hosting, storage, transmission, AI-assisted processing (planning, document understanding, transcription, summarization, research), and related operations.
  • Categories of data subjects: the Customer’s personnel, collaborators, meeting participants, and other individuals referenced in Customer Content.
  • Categories of personal data: identification and contact details, project and task data, communications and meeting content (audio, transcripts, messages), uploaded documents, and usage/technical data. The Service is not intended for special-category data or payment card data.

3. Processor obligations

Nodle will:

  • process Customer Content only on the Customer’s documented instructions, including the Terms and use of the Service, unless required by law (in which case we will inform the Customer where permitted);
  • ensure personnel authorized to process Customer Content are bound by confidentiality;
  • implement appropriate technical and organizational security measures (Section 7 and Annex B);
  • assist the Customer, taking into account the nature of processing, with data-subject requests and with the Customer’s obligations regarding security, breach notification, and data-protection impact assessments; and
  • at the Customer’s choice, delete or return Customer Content at the end of the services, except where retention is required by law (Section 8).

4. Sub-processors

The Customer authorizes Nodle to engage the sub-processors listed on our Sub-processors page (Annex C). Nodle imposes data-protection obligations on each sub-processor that are no less protective than this DPA and remains responsible for their performance. We will provide notice of new sub-processors as required so the Customer may object on reasonable data-protection grounds.

5. International transfers

Where Nodle transfers Customer Content from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties rely on the European Commission’s Standard Contractual Clauses (and the UK Addendum/Swiss amendments as applicable), which are incorporated by reference.

6. Data-subject rights and requests

Nodle will, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects exercising their rights. If Nodle receives such a request directly, it will, where lawful, direct the individual to the Customer.

7. Security

Nodle maintains a security program with measures appropriate to the risk, including access controls and authentication, encryption of data in transit, role-based access within workspaces, logical separation of customer data, monitoring, and restricted access to production systems. A summary is set out in Annex B.

8. Personal data breaches

Nodle will notify the Customer without undue delay after becoming aware of a personal-data breach affecting Customer Content and will provide information reasonably available to help the Customer meet its notification obligations.

9. Audits

Nodle will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates, subject to reasonable confidentiality, scheduling, and security conditions.

10. Return and deletion

On termination or expiry of the Service, Nodle will, at the Customer’s choice, return or delete Customer Content within a reasonable period, except to the extent retention is required by law. Some data may persist in backups for a limited period before being overwritten.

11. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Terms.

Annexes

  • Annex A — Details of processing: as set out in Section 2.
  • Annex B — Technical and organizational measures: as summarized in Section 7.
  • Annex C — Sub-processors: the list maintained at /legal/subprocessors.

Contact

To request a signed DPA or ask questions: support@nodle.tech.