For GDPR Article 28, the UK GDPR equivalent, the EU AI Act deployer obligations, and any other regime that requires a written processor-controller contract. Review it, ask for a counter-signed copy, or attach it to your MSA.
01 / How to get it signed
Most customers do not need a custom DPA. Our standard form covers GDPR Article 28, the UK GDPR equivalent, the EU AI Act deployer obligations, the new EU Standard Contractual Clauses (SCCs), and the UK International Data Transfer Addendum. It incorporates the current Sub-processor list at /sub-processors by reference.
Fastest path. Download the standard DPA, fill in your entity details on page 1, sign, and return. We counter-sign within one business day and email back the executed copy. No negotiation cycle.
Version v1 (May 2026). Incorporates 2021 EU SCCs (Module 2, Controller-Processor) and the UK IDTA.
If your legal team uses an MSA-bound DPA exhibit, send your draft to privacy@northbeams.com. We review within five business days and either sign as-is or return redlines. The Sub-processor schedule on our standard form is the part most legal teams adopt by reference even when the surrounding contract is theirs.
02 / What the DPA covers
The standard form is short on purpose. The summary below is not the legal text; the PDF is.
03 / Annex schedule
Annex I.A: Parties. Customer and Northbeams Inc identifiers.
Annex I.B: Description of processing. Subject matter, duration, nature, purpose, data categories, data subjects, frequency, retention.
Annex I.C: Competent supervisory authority. Determined by the customer's EU establishment.
Annex II: Technical and organisational measures. Reference to the Security page plus a static list current as of the executed date.
Annex III: Sub-processors. Reference to northbeams.com/sub-processors plus a static snapshot current as of the executed date.
UK IDTA. Tables 1 to 4 completed; the international data transfer addendum is appended.
04 / Special-case agreements
Required if your workspace processes Protected Health Information through Northbeams. BAA available on the Fleet tier; today's PHI handling is documented in the engagement notes. Email privacy@northbeams.com with your covered-entity status to start.
Available on Fleet. Workspace data is pinned to an EU Firestore region; logs and backups stay inside the EU. Add as a paid line item to your DPA execution.
SOC 2 Type II audit is in progress with our auditor. Until the first report issues, our customer-generated Evidence Packs (signed PDFs covering EU AI Act, ISO 42001, NIST AI RMF, and SOC 2 readiness controls) are the audit-ready artifact we provide. See /compliance.
05 / Contact
DPA requests, sub-processor change subscriptions, data subject requests, and breach notifications all reach the same inbox. We reply within one business day.