
Version 1.0 · Issued 24 May 2026 · Self-authored draft adapted from the IAPP free sample. Not yet solicitor-reviewed; not for execution as-is. Negotiated and executed copies on request: legal@nuregroup.com.

Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Nure Group Limited (“Processor”) and the customer organisation (“Controller”) using NureComp. It governs the processing of Personal Data by us on the Controller's behalf in connection with the NureComp service.

1. Definitions

Capitalised terms have the meaning given in UK GDPR / EU GDPR Article 4, or in the NureComp Terms of Service.

2. Roles and responsibilities

  • The Controller determines the purposes and means of the processing.
  • The Processor processes Personal Data on the Controller's documented instructions only. The configuration the Controller selects in NureComp (SSO mode vs email mode, tier choice, opt-in AI features) constitutes those instructions.
  • For SSO-mode tenants, the Processor holds only pseudonymous staff identifiers — never names or emails. The DPA scope is correspondingly minimal.

3. Subject matter, duration, nature, purpose

Subject matter: Provision of the NureComp compliance platform
Duration: The term of the subscription, plus the deletion grace period
Nature: Hosting, storage, retrieval, display, analysis, and generation of training records and evidence artefacts
Purpose: Supporting the Controller's compliance with EU AI Act Article 4
Types of Personal Data: For SSO tenants: pseudonyms. For email tenants: names, work emails, training records, certificates. Plus admin contact details.
Categories of Data Subject: Controller's employees, contractors, and other persons assigned training

4. Processor obligations

  • Process Personal Data only on Controller's documented instructions
  • Ensure that persons authorised to process the Personal Data are under appropriate confidentiality obligations
  • Implement appropriate technical and organisational measures per the Information Security Policy
  • Assist the Controller in responding to data-subject requests (the platform's admin tools surface self-service export/delete; Processor support available on request)
  • Notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data Breach
  • Provide reasonable assistance with the Controller's data-protection impact assessments and prior consultations

5. Sub-processors

The Processor uses the sub-processors listed at /legal/sub-processors to deliver the service. The Controller's entry into the Terms of Service constitutes general authorisation for these sub-processors. The Processor will give the Controller at least 30 days' notice of any addition or replacement of a sub-processor; the Controller may object on reasonable data-protection grounds.

6. International transfers

All processing is in the EU/UK jurisdiction by default. Any transfer outside the UK or EU is governed by the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) and/or the UK International Data Transfer Addendum, as appropriate to the destination jurisdiction. The active mechanism per sub-processor is identified on the sub-processor list.

7. Audit

The Controller may once per twelve-month period:

  • Receive a copy of the most recent independent audit report (SOC 2 / ISO 27001) once available
  • Receive a penetration-test summary on request under reasonable confidentiality terms
  • Request a written response to a reasonable due-diligence questionnaire focused on this DPA's subject matter

On-site audit rights are available to Enterprise-tier Controllers on a cost-recovery basis, subject to a mutually-agreed scope and reasonable advance notice.

8. Deletion or return of data

Within 90 days of termination of the subscription, the Processor will, at the Controller's choice, delete or return all Personal Data, except where law requires retention. Training records and audit log entries are retained for six years per the Privacy Policy, in accordance with the Processor's legitimate interest in evidencing past Controller compliance — the Controller acknowledges this is a non-negotiable retention for evidence integrity purposes.

9. Liability

Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service.

10. Order of precedence

In case of conflict between this DPA and the Terms of Service in respect of the processing of Personal Data, this DPA prevails.

11. Changes

The Processor may update this DPA where required by law or to reflect a change in the platform. Material changes will be notified at least 30 days in advance.


Adapted from the IAPP free DPA sample. Will be re-issued under solicitor review for execution against Enterprise customers' procurement teams.