
Data Processing Addendum.

a template for the personal-data terms that sit under the Master Services Agreement, for enterprise and B2B customers (VEX practices, Partners agencies) who need one. Shaped by GDPR, UK GDPR, and CCPA.

This Data Processing Addendum (the "DPA") supplements and forms part of the Master Services Agreement, order form, or other written agreement (the "Agreement") between Noctara, Inc. ("Noctara," "Processor," "we") and the customer that has entered into the Agreement ("Customer," "Controller," "you"). It applies to the extent Noctara processes Personal Data on Customer's behalf in connection with the services described in the Agreement (the "Services"). Where this DPA conflicts with the Agreement on the subject of personal-data processing, this DPA controls. All other terms of the Agreement remain in effect.

1. Definitions

Terms used and not defined here have the meanings given in applicable Data Protection Laws or in the Agreement.

Term: Meaning

Data Protection Laws: All laws and regulations applicable to the processing of Personal Data under the Agreement, including, where applicable, the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018, and the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA").

Controller: The entity that determines the purposes and means of the processing of Personal Data. Under the CCPA, the analogous role is "Business." For VEX and Partners engagements, the Customer (the practice or agency) is the Controller of its clients' and participants' data.

Processor: The entity that processes Personal Data on behalf of the Controller. Under the CCPA, the analogous role is "Service Provider." Noctara acts as Processor under this DPA.

Data Subject: The identified or identifiable natural person to whom Personal Data relates. Under the CCPA, the analogous term is "Consumer."

Personal Data: Any information relating to a Data Subject that is processed by Noctara on Customer's behalf under the Agreement. Under the CCPA, this corresponds to "Personal Information."

Processing: Any operation performed on Personal Data, whether by automated means or not, including collection, storage, use, disclosure, and erasure.

Subprocessor: Any third party engaged by Noctara to process Personal Data on Customer's behalf in connection with the Services.

Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed under this DPA.

Standard Contractual Clauses ("SCCs"): The clauses approved by the European Commission for the transfer of Personal Data to processors in third countries, and the UK International Data Transfer Addendum where applicable.

2. Roles of the Parties

The parties acknowledge that, with respect to the processing of Personal Data under the Agreement, Customer is the Controller (or, where Customer is itself a processor for a third party, a processor) and Noctara is the Processor. Each party will comply with its obligations under applicable Data Protection Laws. Customer is responsible for the lawfulness of the Personal Data it provides to Noctara and for having a valid legal basis and any necessary consents or notices for the processing instructed under this DPA.

For VEX practices and Partners agencies, the practice or agency is the Controller of its own clients', members', or participants' Personal Data. Noctara processes that data only to provide the Services to the Customer. Where an individual end user holds a direct consumer relationship with Noctara (for example, a LUX reading purchased directly by that individual), Noctara acts as Controller for that relationship under its consumer privacy policy, not under this DPA.

3. Subject Matter and Duration

The subject matter of the processing is the provision of the Services under the Agreement. The duration of the processing is the term of the Agreement, plus any post-termination period required to return or delete Personal Data as described in Section 12. This DPA remains in effect for as long as Noctara processes Personal Data on Customer's behalf.

4. Nature and Purpose of Processing

Noctara processes Personal Data solely to provide, maintain, secure, and support the Services as described in the Agreement, and to comply with Customer's documented lawful instructions. Processing operations may include: receiving and storing data submitted to the Services; computing behavioral aggregates and identity outputs as described in the applicable product documentation; making results available to authorized Customer users; providing support; and performing backups, security, and incident response. Noctara does not sell Personal Data and does not retain, use, or disclose Personal Data for any purpose other than performing the Services or as otherwise permitted by Data Protection Laws.

5. Types of Personal Data and Categories of Data Subjects

The categories below describe the data typically processed for VEX and Partners engagements. The parties should confirm and, if needed, adjust these for the specific engagement.

Categories of Data Subjects

Types of Personal Data

Noctara does not request or require special categories of data (such as health, biometric data used for the purpose of uniquely identifying a person under GDPR Article 9, racial or ethnic origin, or similar). Customer should not submit special-category data through the Services unless the parties have agreed appropriate additional safeguards in writing.

6. Processor Obligations

With respect to Personal Data processed under this DPA, Noctara will:

  1. Process only on instructions. Process Personal Data only on Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by applicable law, in which case Noctara will inform Customer of that legal requirement before processing where the law permits. The Agreement, this DPA, and Customer's use of the configuration options in the Services constitute Customer's complete instructions. Noctara will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.
  2. Confidentiality. Ensure that persons authorized to process Personal Data are bound by an appropriate duty of confidentiality and process the data only as necessary to perform the Services.
  3. Security measures. Implement and maintain appropriate technical and organizational measures to protect Personal Data against a Personal Data Breach, taking into account the state of the art, the costs of implementation, and the nature, scope, and purposes of processing. Current measures include encryption in transit (TLS 1.2 or higher) and at rest, row-level access controls scoped per user, audit logging, and access limited on a need-to-know basis. A current description of these measures is maintained in the Security Posture document referenced on the trust page.
  4. Assist with Data Subject requests. Taking into account the nature of the processing, provide reasonable assistance to Customer, by appropriate technical and organizational measures and insofar as possible, to respond to requests from Data Subjects exercising their rights under Data Protection Laws (such as access, correction, deletion, restriction, portability, and objection). If Noctara receives such a request directly, it will, unless legally prohibited, promptly notify Customer and will not respond to the request itself except on Customer's documented instructions.
  5. Assist with compliance. Provide reasonable assistance to Customer with data protection impact assessments, prior consultations with supervisory authorities, and Customer's obligations relating to the security of processing, in each case to the extent these relate to Noctara's processing and the information is reasonably available to Noctara.
  6. Breach notification. Notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a confirmed Personal Data Breach affecting Customer's Personal Data. The notice will describe, to the extent known, the nature of the breach, the categories and approximate volume of data and Data Subjects affected, the likely consequences, and the measures taken or proposed to address it. Noctara will provide further information as it becomes available. This notice is not an acknowledgment of fault or liability.

7. Subprocessors

Customer provides general authorization for Noctara to engage Subprocessors to process Personal Data in connection with the Services. The current list of Subprocessors, including each one's role and processing region, is maintained at /subprocessors and summarized on the trust page.

Noctara will impose data protection obligations on each Subprocessor that are substantially the same as those set out in this DPA. Noctara remains responsible to Customer for the performance of each Subprocessor's obligations. Noctara will give Customer at least thirty (30) days' written notice (which may be by email or by updating the Subprocessor list with a notification mechanism) before adding or replacing a Subprocessor. If Customer has a reasonable, data-protection-based objection to a new Subprocessor, the parties will work in good faith to resolve it; if it cannot be resolved, Customer may terminate the affected Services as provided in the Agreement.

8. International Transfers

Noctara and its current Subprocessors primarily process Personal Data in the United States, as described on the Subprocessor list. Where Noctara processes Personal Data that is subject to GDPR or UK GDPR and transfers it from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, the parties agree that the Standard Contractual Clauses (and, for UK transfers, the UK International Data Transfer Addendum) are incorporated into this DPA by reference and apply to that transfer, with Customer as data exporter and Noctara as data importer. The parties will complete the variable details of the SCCs consistent with this DPA, and the descriptions in Sections 3 through 5 populate the relevant annexes. Where an alternative lawful transfer mechanism applies, that mechanism governs instead.

9. Audit Rights

Noctara will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. Upon reasonable prior written notice, and no more than once per twelve-month period unless required by a supervisory authority or following a Personal Data Breach, Customer may audit Noctara's compliance with this DPA. To the extent available, Noctara may satisfy an audit request by providing its then-current third-party audit reports, security certifications, or completed security questionnaires (for example, a SOC 2 report once available). Any on-site audit will be conducted during normal business hours, with reasonable notice, subject to Noctara's confidentiality and security requirements, in a manner that does not unreasonably disrupt Noctara's operations, and at Customer's expense.

10. CCPA Terms

To the extent the CCPA applies, the parties agree that Noctara acts as a Service Provider. Noctara will not sell or share Personal Data, will not retain, use, or disclose Personal Data except as necessary to perform the Services or as otherwise permitted by the CCPA, will not combine Personal Data received from Customer with data from other sources except as permitted by the CCPA, and will not process Personal Data outside the direct business relationship with Customer. Noctara certifies that it understands and will comply with these restrictions.

11. Confidentiality and Disclosure

Noctara will treat Personal Data as Customer's confidential information. If Noctara receives a legally binding demand from a public authority for Personal Data, it will, unless legally prohibited, notify Customer, challenge demands that appear unlawful or overbroad, and disclose only the minimum data legally required.

12. Deletion and Return on Termination

Upon termination or expiry of the Agreement, Noctara will, at Customer's choice, delete or return Customer's Personal Data, and delete existing copies, unless applicable law requires continued storage. Where Customer does not elect within a reasonable period, Noctara will delete the Personal Data. Active customer data is retained for the duration of the subscription plus a short wind-down period; backups containing Personal Data are deleted on the ordinary backup expiry cycle. Customer-initiated deletion of individual records during the term is honored as described in the product documentation and the trust page. Noctara may retain Personal Data to the limited extent required by law, in which case the protections of this DPA continue to apply.

13. Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or otherwise, is subject to the limitations and exclusions of liability set out in the Agreement. Any reference in the Agreement to a party's liability means the aggregate liability of that party under the Agreement and this DPA together. Nothing in this DPA limits either party's liability where such limitation is not permitted by Data Protection Laws.

14. General

This DPA is governed by the governing law and dispute-resolution provisions of the Agreement, except where Data Protection Laws or the SCCs require otherwise. If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force. This DPA, together with the Agreement and the Subprocessor list, is the entire agreement of the parties on the processing of Personal Data and supersedes any prior arrangements on that subject.

This template reflects Noctara's standard processing posture for VEX and Partners engagements. Specific engagements may need tailored annexes, named entities, and signature blocks. We are glad to negotiate reasonable, customer-specific terms during the contracting process.

Signature (on execution)

A DPA is not in effect until both parties sign it. When the parties are ready to execute, the following details are completed and the document is signed by an authorized representative of each party.

To execute a DPA, or to request a version tailored to your engagement, contact hello@noctaracorp.com. Privacy and data-rights questions can be directed to her@noctaracorp.com.

noctara, inc. is the operating subsidiary of pupul, inc. marietta, ohio.
this DPA is a template for convenience and counsel review. it is not executed and is not legal advice.
last refreshed 2026-06-18.