Data Processing Addendum

Customer is the data controller; Noah (End Point) is the data processor with respect to personal data submitted by Customer to Noah. Noah processes such data only on Customer’s documented instructions.

The subject matter is the provision of the Noah service. The duration matches the underlying agreement. Categories of data subjects and personal data are determined by Customer through the systems Customer chooses to connect.

Noah maintains the technical and organizational measures set out in our Security page — including encryption at rest (AES-256) and in transit (TLS 1.3), tool-level access controls, an immutable audit log, secret-vault storage of customer credentials, and SOC 2 readiness controls.

Noah engages a small set of vetted subprocessors (cloud infrastructure, transactional email, model providers). Each is bound by data-protection terms equivalent to those in this DPA. A current list is available on request and at least 30 days’ notice will be given before any new subprocessor is added.

Noah will assist Customer in responding to data subject requests, including access, correction, and deletion, where the underlying personal data is held within the service.

Noah will notify Customer without undue delay (and in any event within 48 hours) on becoming aware of a personal data breach affecting Customer’s data, and will provide reasonable assistance with Customer’s notification obligations.

On termination, Noah will return or delete Customer’s personal data within 30 days of written request, except where retention is required by law.

Where personal data is transferred out of the EEA, UK, or Switzerland, the transfer will be governed by the EU Standard Contractual Clauses (and the UK addendum where applicable), with supplementary measures as required.

Noah will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including SOC 2 reports once available.

DPA questions: hello@noah.enpointe.io.