Data Processing Agreement
Last updated: March 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Data Controller") and Bonalogic, operating Nolorem ("Data Processor"), for the provision of the Nolorem platform services.
This DPA applies to all personal data processed by Nolorem sub-processors on behalf of the Data Controller in connection with the use of the Service.
2. Definitions
- Controller: The customer who determines the purposes and means of processing personal data through the Service.
- Processor: Bonalogic (Nolorem), which processes personal data on behalf of the Controller.
- Sub-processor: A third-party service engaged by the Processor to assist in processing personal data.
- Personal data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data, including collection, storage, use, transmission, and deletion.
3. Processing Details
The Processor processes the following categories of personal data on behalf of the Controller:
- Account data: Name, email address, organization name, and authentication credentials for user account management.
- Content data: Blog posts, social media content, research queries, topic outlines, and generated text and images.
- Billing data: Subscription tier, payment method references, and invoice records processed through Stripe.
- Usage data: Feature usage, page views, and interaction logs for service improvement.
Data is processed for the duration of the Controller's use of the Service and deleted within 30 days of account termination.
4. Sub-processors
The following sub-processors are engaged to deliver the Service. Each sub-processor is bound by data processing agreements consistent with GDPR requirements.
| Processor | Purpose | Data Categories | Location |
|---|---|---|---|
| Supabase | Authentication & database | Account info, content, usage data | EU (Frankfurt) |
| Stripe | Payment processing | Billing info, email, payment details | US / EU |
| Anthropic | AI text generation | Content prompts, generated text | US |
| OpenAI | AI text generation (fallback) | Content prompts, generated text | US |
| Fal.ai | AI image generation | Image prompts, generated images | US |
| Postiz | Social media scheduling | Social content, channel tokens | EU |
| Apify | Content discovery scraping | Source URLs, scraped content | EU |
| DataForSEO | Keyword research | Keywords, search volumes | US |
| Perplexity | AI research (primary) | Research queries, results | US |
| Tavily | AI research (fallback) | Research queries, results | US |
| Resend | Transactional email | Email addresses, notification content | US |
The Controller will be notified of any changes to sub-processors. Objections to new sub-processors may be raised within 30 days of notification.
5. Data Security
The Processor implements appropriate technical and organizational measures to protect personal data, including:
- Encryption in transit: All data transmitted between the platform and users is encrypted using TLS 1.2 or higher.
- Encryption at rest: Personal data stored in the database is encrypted at rest using AES-256.
- Access controls: Role-based access controls and organization-scoped Row Level Security (RLS) policies ensure data isolation between customers.
- Regular reviews: Security practices and sub-processor agreements are reviewed regularly.
6. Data Subject Rights
The Processor will assist the Controller in fulfilling data subject rights requests under GDPR, including:
- Access to personal data
- Rectification of inaccurate data
- Erasure of personal data
- Data portability in machine-readable format
- Restriction of processing
- Objection to processing
The Processor will respond to Controller requests within 15 business days.
7. Data Breach Notification
In the event of a personal data breach, the Processor will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include:
- The nature of the breach
- Categories and approximate number of data subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
8. Audit Rights
The Controller may request information necessary to demonstrate compliance with GDPR obligations. The Processor will make available all information necessary and allow for audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations.
9. Termination
Upon termination of the DPA or the underlying service agreement, the Processor will, at the Controller's choice:
- Return all personal data to the Controller in a structured, commonly used format, or
- Delete all personal data within 30 days, unless retention is required by applicable law.
The Processor will provide written confirmation of data deletion upon request.
10. Contact
For questions about this Data Processing Agreement, to request an audit, or to report a data concern, contact us at:
- Email: privacy@nolorem.io
- Company: Bonalogic