Data processing agreement.

Effective · 2026-05-02

This Data Processing Agreement (“DPA”) forms part of the pilot agreement between you (the “Customer”) and Nooterra, Inc. (“Nooterra”) for the Atlas product. Customers receive a signed, countersigned, and execution-dated PDF as part of the pilot agreement. This page is the public form.

1. Roles

Customer is the data controller of customer personal data. Nooterra is the processor. Where Nooterra's subprocessors process personal data, they act as subprocessors.

2. Subject matter and duration

The subject matter is the provision of the Atlas product during the pilot. The duration is the term of the pilot agreement. Nooterra processes personal data only for the purpose of providing the product, on documented instructions from the Customer.

3. Categories of data subjects

  • Customer’s end customers (accounts, contacts, users)
  • Customer’s employees with access to Atlas
  • Other natural persons identifiable in source records connected via connectors

4. Categories of personal data

  • Identifiers (name, email, role, organization)
  • Commercial information (subscription state, ARR, support tickets, contracts)
  • Internet/network activity (product telemetry events from connected sources)
  • Professional information (job title, manager, team)
  • Decision records, evidence claims, approvals, action records, outcomes

5. Connectors and credentials

Connector credentials are encrypted at rest and never displayed in plaintext. They are scoped to least privilege per integration and are revocable at any time. We do not store credentials we are not actively using.

6. Subprocessors

Customer authorizes Nooterra to engage the subprocessors listed at nooterra.ai/security#subprocessors. Nooterra provides 30 days’ notice before engaging any new subprocessor with access to customer personal data.

7. Security measures

Nooterra implements the technical and organizational measures described at nooterra.ai/security, including: encryption in transit and at rest, tenant isolation, RBAC, audit logging, a dry-run-before-execute action gateway, and a security review packet on request.

8. International transfers

Where personal data is transferred outside the EEA or UK, the parties rely on the applicable Standard Contractual Clauses, which are incorporated into the signed customer DPA by reference.

9. Data subject requests

Nooterra assists Customer with responding to data subject requests under applicable law, including access, correction, deletion, restriction, objection, and portability. Requests directed to Nooterra are forwarded to Customer within 5 business days.

10. Personal data breach

Nooterra notifies Customer without undue delay (and within 72 hours where feasible) after becoming aware of a personal data breach affecting Customer personal data. The notice includes the nature of the breach, the categories and approximate number of data subjects, and the measures Nooterra has taken or proposes to take.

11. Audits

Customer may audit Nooterra’s compliance with this DPA upon reasonable written notice. Nooterra makes available its security documentation as the primary audit mechanism.

12. Deletion or return

On termination, Nooterra deletes or returns Customer personal data within 30 days, except where retention is required by law. Audit logs are retained for the period required to meet our compliance obligations.

13. Liability

The liability cap, indemnities, and exclusions are governed by the pilot agreement and apply to breaches of this DPA on the same terms.

14. How to sign

To execute the DPA, send a request to legal@nooterra.ai or reply to your existing pilot agreement thread. We countersign within three business days.