Data Processing Agreement

Effective Date: April 18, 2025

Controller: Users or entities subscribing to the NaS_OS Service ("Controller" or "Client")

Data Processor: NOT A STUDIO LLC, registered in Wyoming, United States, address: 30 N Gould St, STE R, Sheridan, WY 82801, USA, operating NaS_OS at https://nas-os.io ("Processor")

This DPA forms part of and supplements the Terms of Service between the parties with respect to the processing of personal data.

1. Definitions

  • "GDPR" means EU Regulation 2016/679
  • "Personal Data", "Processing", "Data Subject", "Supervisory Authority" have the meanings in Article 4 GDPR
  • "Client Content" means documents, data, and materials uploaded by the Controller to the Service
  • "AI Outputs" means Information Memorandums, summaries, extractions, and other outputs generated by the Service from Client Content
  • "Sub-processor" means any processor engaged by the Processor to process Personal Data
  • "Security Incident" means any accidental or unlawful destruction, loss, alteration, or unauthorized access to Personal Data

2. Roles of the Parties

The Controller determines the purposes and means of processing Personal Data. The Processor processes Personal Data only on behalf of and on documented instructions from the Controller.

The Processor processes Personal Data solely to provide the NaS_OS Service — specifically to ingest, analyze, and generate outputs from Client Content — as described in Schedule 1 and the Terms of Service.

The Processor does not use Personal Data contained in Client Content to train AI models or for any purpose beyond Service delivery, without the Controller's explicit written consent.

3. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure all personnel with access to Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures (see Section 5)
  • Not engage new sub-processors without prior notice to the Controller (see Section 6)
  • Assist the Controller in responding to Data Subject rights requests under GDPR Articles 15-22
  • Assist the Controller with GDPR Articles 32-36 obligations (security, breach notification, DPIAs)
  • Delete or return all Personal Data upon termination, and delete existing copies unless required by law
  • Make available all information necessary to demonstrate compliance and cooperate with audits

4. Controller Obligations

The Controller represents and warrants that:

  • It has a lawful basis under GDPR for all Personal Data transferred to the Processor
  • It has provided all required notices to Data Subjects and obtained necessary consents
  • Its instructions to the Processor comply with applicable law
  • It has the right to transfer Personal Data for the purposes described in Schedule 1
  • It has conducted appropriate due diligence on the use of AI-powered tools for processing deal-related data

5. Technical and Organizational Security Measures

The Processor implements and maintains the following measures:

  • Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
  • Pseudonymization of data where technically feasible and appropriate
  • Role-based access controls and multi-factor authentication
  • Ongoing confidentiality, integrity, and availability of processing systems
  • Ability to restore availability and access to data in a timely manner following an incident
  • Regular testing, assessment, and evaluation of security effectiveness
  • Infrastructure hosted exclusively in Frankfurt, Germany (EU Central) with appropriate physical and environmental security
  • Access logging and monitoring for anomaly detection

6. Sub-processors

6.1 Authorization

The Controller authorizes the Processor to engage the sub-processors listed in Schedule 1. An up-to-date list is maintained at nas-os.io/subprocessors.

6.2 New Sub-processors

The Processor will notify the Controller at least 14 days before engaging any new sub-processor. The Controller may object on reasonable grounds within 10 days of notification.

6.3 Sub-processor Obligations

Each sub-processor is bound by a written data processing agreement with obligations no less protective than this DPA.

7. Data Subject Rights

The Processor will provide prompt technical and organizational assistance to enable the Controller to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection) within applicable legal timelines.

8. Security Incidents

The Processor will notify the Controller without undue delay, and within 72 hours, of becoming aware of a Security Incident affecting Personal Data processed under this DPA.

Notification will include, to the extent available: the nature of the incident; categories and approximate number of affected Data Subjects; categories and volume of affected Personal Data; likely consequences; and measures taken or proposed to address the incident.

9. Data Protection Impact Assessments

Where required under GDPR Article 35, the Processor will provide reasonable assistance to the Controller in carrying out DPIAs and, where applicable, prior consultation with the relevant Supervisory Authority.

10. International Transfers

Personal Data is stored primarily in Frankfurt, Germany (EU Central). Any transfer of Personal Data outside the EEA is made only in compliance with GDPR Chapter V, using Standard Contractual Clauses (SCCs) or other appropriate safeguards.

11. Audit Rights

The Controller may, with reasonable written notice and no more than once per calendar year, request information to demonstrate compliance. The Processor will cooperate with such requests.

On-site audits require prior agreement on scope, timing, and cost allocation.

12. Term and Termination

This DPA is effective for the duration of the subscription agreement and terminates automatically upon its termination.

Upon termination, at the Controller's written request, the Processor will return all Personal Data in a structured, machine-readable format or securely delete it. Unless instructed otherwise, Personal Data will be deleted 30 days after termination, with written confirmation provided upon request.

13. Governing Law

This DPA is governed by the same law applicable to the Terms of Service. For EU clients, this DPA is interpreted in accordance with GDPR requirements. In case of conflict between this DPA and applicable data protection law, applicable law prevails.

14. Order of Precedence

In case of conflict between this DPA and the Terms of Service regarding Personal Data processing, this DPA prevails.

Schedule 1 — Details of Processing

Nature of processing

Automated ingestion, parsing, extraction, structuring, and cross-document analysis of deal-related documents; AI-powered generation of Information Memorandums and structured deal outputs; discrepancy detection; storage and retrieval of processed data and AI-generated outputs

Purpose of processing

Provision of the NaS_OS SaaS platform as described in the Terms of Service

Duration of processing

For the term of the subscription agreement plus 30 days post-termination retention period

Types of personal data

Names, email addresses, job titles, and any other personal data contained in deal documents uploaded by the Controller (e.g., names of company officers, directors, shareholders, advisors, or counterparties)

Categories of data subjects

Employees, officers, directors, advisors, shareholders, and counterparties of the Controller and their clients, whose personal data may be incidentally contained in uploaded deal documents

Sub-processors

Supabase Inc. (database and storage, EU-Frankfurt region); AI infrastructure providers (document processing); full list maintained at nas-os.io/subprocessors

Signatures

By executing this DPA (by signature below or by electronic acceptance of the Terms of Service), the parties agree to be bound by its terms.

On behalf of the Controller (Client):

Name

Title

Date

On behalf of the Processor (NOT A STUDIO LLC):

Name

Title

Date

© 2026 NOT A STUDIO LLC. All rights reserved.