This Data Processing Agreement ("DPA") forms part of the Master Services Agreement ("MSA") between Noor Legal Ltd ("Processor") and the customer firm subscribing to Noor ("Controller"). It governs the processing of personal data that Controller entrusts to Processor in the course of receiving the Noor service, and is provided in satisfaction of UK GDPR Art. 28.
1. Definitions
Terms not defined here (including "Personal Data", "Data Subject", "Processing", "Controller", "Processor") take the meaning given in the UK GDPR. The "Services" refers to the Noor platform and any related support delivered under the MSA.
2. Subject-matter, duration, nature, and purpose
Subject matter: processing of Personal Data of the Controller's clients, fee-earners, and other matter stakeholders by the Noor platform.
Duration: for the term of the MSA plus any post-termination retention window expressly consented to in writing.
Nature and purpose: to provide multilingual messaging, document OCR, tribunal-grade audit bundles, and associated practice-management tooling.
3. Categories of data subjects and data
Data subjects: the Controller's own clients; sponsors, dependents, witnesses, and other individuals named within matter files; the Controller's fee-earners and support staff.
Categories of Personal Data (non-exhaustive): names, contact details (including WhatsApp numbers), identity documents (passports, BRPs, CNICs, asylum registration cards), biographical data (DOB, country of origin, marital status, dependents), matter narratives (written and voice), immigration history and current UK status, sponsor financial information, and any other data a client chooses to share in the course of their matter.
Special-category data (UK GDPR Art. 9): the Services routinely process data on racial or ethnic origin, religious beliefs, political opinions (in asylum contexts), health, and sex life or sexual orientation. Processor treats all such data under the Art. 9(2)(f) legal-claims ground; the Controller warrants a matching lawful basis under its own retainer with each client.
4. Instructions from Controller
Processor processes Personal Data only on documented instructions from Controller, including with regard to transfers to a third country, unless required to do otherwise by UK or EU law. Where Processor is so required, it will inform Controller of the requirement before processing unless the applicable law prohibits such notification.
5. Processor obligations
- Ensure that persons authorised to process Personal Data have committed themselves to confidentiality (or are subject to a statutory duty of confidentiality).
- Take all measures required under UK GDPR Art. 32 (security of processing), including pseudonymisation and encryption in transit and at rest, ongoing confidentiality/integrity/availability, and regular testing of the effectiveness of security measures. Detail is in §9 below and on /security.
- Respect the conditions in §6 and §7 below for engaging another processor.
- Taking into account the nature of the processing, assist Controller by appropriate technical and organisational measures for the fulfilment of data-subject requests.
- Assist Controller in ensuring compliance with UK GDPR Arts. 32–36 (security, breach notification, DPIA, prior consultation).
- At Controller's choice, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless UK or EU law requires storage.
- Make available to Controller all information necessary to demonstrate compliance with Art. 28 and allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller. Inspections are co-ordinated with reasonable notice and carried out no more than once annually except in the case of a confirmed security incident.
6. Sub-processors
Controller provides a general written authorisation for Processor to engage the sub-processors listed at /legal/sub-processors. Processor will notify Controller of any intended changes concerning the addition or replacement of sub-processors (by email to the admin contact on record, and through an update to the register) no fewer than 30 days in advance, thereby giving Controller the opportunity to object.
Where Processor engages a sub-processor, the same data-protection obligations as set out in this DPA shall be imposed on that sub-processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures.
7. International transfers
Processor does not transfer Personal Data outside the UK/EEA except where a sub-processor's infrastructure requires it. Any such transfer is made on the basis of UK Addendum + EU Standard Contractual Clauses (2021) and following a documented Transfer Impact Assessment. The current status for each sub-processor is published on the sub-processors register.
AI models powering translation, OCR, and transcription run under Zero Data Retention (ZDR) terms with their providers — the content is not retained, not used for training, and not shared with other customers.
8. Data-subject rights
Processor assists Controller with data-subject rights requests by providing self-service export, rectification, and deletion tools within the Services. For requests that cannot be fulfilled self-serve, Processor responds to the Controller's written instruction within 5 working days and completes the requested action within 20 working days at no additional cost (consistent with UK GDPR's one-month response window).
9. Security measures
- TLS 1.2+ for all traffic; AES-256 for data at rest.
- SHA-256 chain-of-custody hash on every message, document, and bundle; audit log is append-only and schema-enforced.
- Password hashes stored via scrypt with per-user salt. No plaintext passwords leave the user's browser. Session tokens rotated every 30 days.
- Environment secrets stored in an encrypted vault, accessible only to named principals with multi-factor authentication.
- Daily encrypted backups retained for 30 days then purged. Backups sit in the same UK region as live data.
- Documented incident-response runbook; qualifying breaches reported to Controller without undue delay and within 48 hours of Processor's knowledge, together with the information listed in UK GDPR Art. 33(3).
- Role-based access inside the application, enforced in the query/mutation layer (see requireProfile and requireSupervisor guards). Every authorisation failure is logged.
10. Audit and inspection
Processor will make available to Controller the most recent: penetration-test summary, vulnerability scan report, SOC 2 report (when achieved), sub-processor DPAs, and its current information-security policy, on request and subject to confidentiality undertakings. Controller may carry out or mandate an inspection of Processor's processing once per year at Controller's cost, with reasonable notice and during business hours, without disproportionate disruption to Processor or other customers.
11. Return and deletion
On termination, Controller may within 30 days download an archive of all Personal Data in machine-readable JSON + PDF (per matter). After 30 days, Processor deletes Personal Data from live systems within 7 days and from backups on the next scheduled rotation. A certificate of deletion is provided on request, listing the categories deleted and the date of deletion.
12. Liability, governing law, and jurisdiction
Liability under this DPA is capped in accordance with the MSA. This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction in respect of any disputes arising out of or in connection with it.
13. Order of precedence
In the event of conflict between this DPA and any other agreement between the parties, including the MSA, this DPA prevails in so far as it relates to the processing of Personal Data.
Solicitor-review note. This DPA is drafted to satisfy UK GDPR Art. 28 best practice. A customer firm's COLP or external counsel should review it before execution. Noor Legal Ltd is a technology provider, not a law firm, and the text above is not legal advice.