Data Processing Agreement

1. Parties

Role	Party	Details
Data Controller	The Client	The company or individual who has entered into a Service Agreement with OnyorAI. Identified in the order confirmation and account registration.
Data Processor	OnyorAI LLC	3700 Grand Avenue, Des Moines, IA 50312, USA • contact@onyorai.com

This DPA forms part of and is incorporated into the Terms of Service between the parties. In case of conflict between this DPA and the Terms of Service on data protection matters, this DPA shall prevail.

2. Subject Matter and Duration

Subject matter: OnyorAI will process personal data contained in documents submitted by the Controller for the sole purpose of providing AI-powered document digitization, data extraction, and structured output delivery services as described in the applicable pricing plan.

Duration: This DPA is effective from the date of the first order or account creation and remains in force for the duration of the services. Processing of personal data ceases upon: (a) completion and delivery of the processed output; (b) account termination; or (c) written request from the Controller. Source documents are permanently deleted within 72 hours of delivery.

3. Nature and Purpose of Processing

OnyorAI processes personal data only for the following specified purposes:

• Optical character recognition (OCR) and AI Vision extraction of text, numbers, and structured data from submitted documents
• Normalization, deduplication, and formatting of extracted data into structured output files (Excel, CSV, Airtable)
• Quality assurance review of extracted data to ensure accuracy before delivery
• Secure storage of source documents and output files during the processing and delivery window
• Customer support inquiries specifically related to the processing of submitted documents

4. Types of Personal Data and Data Subjects

The categories of personal data processed depend on the documents submitted by the Controller. Common categories include:

Document Type	Typical Personal Data Categories
Business documents	Names, addresses, email addresses, phone numbers, company details, financial amounts, invoice and reference numbers
Healthcare documents	Patient names, dates of birth, medical record numbers, health information (special category), medication details, insurance IDs
Legal documents	Parties’ names and contact information, case numbers, dates, legal terms
HR and employment records	Employee names, addresses, positions, employment dates, compensation data, performance records
Financial records	Account holder names, partial account numbers, transaction amounts, dates, tax IDs

The Controller is solely responsible for ensuring that all personal data submitted for processing has been collected and is being processed lawfully, and that data subjects have been informed of the processing where required.

5. Obligations of the Processor (OnyorAI)

OnyorAI agrees to:

• Process personal data only on documented instructions from the Controller (this DPA, the Terms of Service, and specific order instructions) unless required by applicable law
• Ensure all personnel authorized to process personal data are bound by confidentiality obligations
• Implement and maintain the technical and organizational security measures described in Section 6
• Not engage any sub-processor without prior written authorization from the Controller, except as described in Section 7
• Assist the Controller in fulfilling its obligations to respond to data subject rights requests (Arts. 15–22 GDPR)
• Assist the Controller in meeting its obligations under Arts. 32–36 GDPR (security, breach notification, DPIAs)
• At the Controller’s option, delete or return all personal data upon termination of services, and delete existing copies unless EU or member state law requires storage
• Make available all information necessary to demonstrate compliance with this DPA and allow for audits (Section 9)

6. Technical and Organizational Security Measures

OnyorAI has implemented the following measures in accordance with Article 32 GDPR:

Measure	Implementation
🔒 Encryption at Rest	AES-256 for all stored files and databases. Keys managed via AWS KMS with automatic annual rotation.
🔐 Encryption in Transit	TLS 1.3 enforced for all data transfers. HTTP Strict Transport Security (HSTS) enabled site-wide.
👤 Access Controls	Role-based access with least-privilege. Multi-factor authentication mandatory for all staff with data access.
📝 Audit Logging	Immutable timestamped logs of every data access event, retained 12 months and available to Controllers on request.
🗑 Data Deletion	Automated deletion of source documents within 72 hours of delivery. Verified and logged.
🕵 Pseudonymisation	Applied where technically feasible to reduce identification risk during processing.
🏘 Physical Security	Processing on AWS EU (Frankfurt) ISO 27001-certified data centers with 24/7 physical security controls.
👨‍🏫 Staff Training	Annual mandatory data protection training for all personnel with access to personal data.

7. Sub-Processors

The Controller grants OnyorAI general authorization to engage the following sub-processors. OnyorAI will notify the Controller with at least 14 days’ written notice of any intended addition or replacement, giving the Controller the opportunity to object:

Sub-Processor	Purpose	Location	Safeguard
Amazon Web Services	EU-based cloud infrastructure and encrypted file storage	EU (Frankfurt)	AWS DPA + SCCs
OpenAI, L.L.C.	AI Vision processing for handwritten and complex document fields	USA	Enterprise DPA; zero data retention
Nanonets, Inc.	Intelligent document processing and field extraction	USA	GDPR DPA + SCCs
Stripe, Inc.	Payment processing (billing data only; no document content)	USA	PCI DSS Level 1; SCCs

8. Data Breach Notification

In the event OnyorAI becomes aware of a personal data breach affecting data processed under this DPA, OnyorAI will:

• Notify the Controller within 48 hours of becoming aware of the breach via the Controller’s registered account email
• Provide, in the initial or follow-up notification: the nature of the breach, categories and approximate number of data subjects affected, categories and approximate number of records affected, likely consequences, and measures taken or proposed
• Cooperate fully with the Controller in fulfilling its obligation to notify the supervisory authority within 72 hours (Article 33 GDPR)
• Not make any public disclosure or notify data subjects directly without prior written authorization from the Controller, except where required by law

9. Audit Rights

OnyorAI will make available to the Controller all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits conducted by the Controller or a mandated auditor. Audits may be conducted:

• On reasonable written notice of at least 30 days
• During normal business hours (9 AM – 6 PM EST, Monday–Friday)
• At the Controller’s expense
• No more than once per calendar year (unless a breach has occurred)
• Subject to auditors signing a confidentiality agreement before proceeding

10. International Transfers

When personal data from EU/EEA data subjects is transferred to OnyorAI (US) or any US-based sub-processor, such transfers are governed by EU Commission Standard Contractual Clauses (Module 2: Controller-to-Processor, Decision 2021/914) incorporated by reference into this DPA.

OnyorAI commits that all client document processing occurs exclusively on AWS EU (Frankfurt) infrastructure. US-based sub-processors access only the minimum data necessary for their specific processing function and are contractually prohibited from using it for any other purpose.

11. Governing Law

This DPA is governed by the laws of the State of Iowa, United States, subject to any mandatory requirements of GDPR that apply by virtue of processing EU/EEA personal data. For EU clients, this DPA shall be interpreted in accordance with GDPR and applicable EU member state law where it conflicts with Iowa state law on data protection matters.

12. Request a Signed DPA