Trust · DPA

Data Processing Agreement.

For GDPR Article 28, the UK GDPR equivalent, the EU AI Act deployer obligations, and any other regime that requires a written controller-processor contract. Review it, ask for a counter-signed copy, or attach it to your MSA.

01 / How to get it signed

Two paths. Pick what your legal team prefers.

Most customers do not need a custom DPA. Our standard form covers GDPR Article 28, the UK GDPR equivalent, the EU AI Act deployer obligations, the new EU Standard Contractual Clauses (SCCs), and the UK International Data Transfer Addendum. It incorporates the current Sub-processor list at /sub-processors by reference.

A. Counter-sign the standard DPA

Fastest path. Download the standard DPA, fill in your entity details on page 1, sign, and return. We counter-sign within one business day and email back the executed copy. No negotiation cycle.

Version v1 (May 2026). Incorporates 2021 EU SCCs (Module 2, Controller-Processor) and the UK IDTA.

B. Attach to your MSA

If your legal team uses an MSA-bound DPA exhibit, send your draft to privacy@northbeams.com. We review within five business days and either sign as-is or return redlines. The Sub-processor schedule on our standard form is the part most legal teams adopt by reference even when the surrounding contract is theirs.

02 / What the DPA covers

Summary in plain English.

The standard form is short on purpose. The summary below is not the legal text; the PDF is.

03 / Annex schedule

What's in the PDF.

Annex I.A: Parties. Customer and Northbeams Inc identifiers.

Annex I.B: Description of processing. Subject matter, duration, nature, purpose, data categories, data subjects, frequency, retention.

Annex I.C: Competent supervisory authority. Determined by the customer's EU establishment.

Annex II: Technical and organisational measures. Reference to the Security page plus a static list current as of the executed date.

Annex III: Sub-processors. Reference to northbeams.com/sub-processors plus a static snapshot current as of the executed date.

UK IDTA. Tables 1 to 4 completed; the international data transfer addendum is appended.

04 / Special-case agreements

When the standard DPA is not enough.

HIPAA Business Associate Agreement (BAA)

Required if your workspace processes Protected Health Information through Northbeams. BAA available on the Fleet tier; today's PHI handling is documented in the engagement notes. Email privacy@northbeams.com with your covered-entity status to start.

EU-only data residency

Available on the Fleet tier. Workspace data is pinned to an EU Firestore region; logs and backups stay inside the EU. Added as a paid line item when your DPA is executed.

SOC 2 Type II report

A SOC 2 Type II audit is in progress with our auditor. Until the first report issues, our customer-generated Evidence Packs (signed PDFs covering EU AI Act, ISO 42001, NIST AI RMF, and SOC 2 readiness controls) are the audit-ready artifact we provide. See /compliance.

05 / Contact

privacy@northbeams.com

DPA requests, sub-processor change subscriptions, data subject requests, and breach notifications all reach the same inbox. We reply within one business day.