LEGAL

Data Processing Agreement.

Last updated: 13 June 2026

This Data Processing Agreement ("DPA") forms part of the agreement between NarrativEye Ltd ("Processor") and the Customer ("Controller") for the provision of NarrativEye's Services. It applies where the Customer uploads or otherwise provides personal data to the NarrativEye platform in the course of using the Services.

This DPA is incorporated by reference into NarrativEye's Terms and Conditions. Capitalized terms not defined here have the meanings set out in the Terms.

1. Roles and scope

The Customer acts as the Controller of personal data it uploads or provides to the platform. NarrativEye acts as the Processor, processing personal data only on behalf of and under the documented instructions of the Controller.

This DPA does not cover personal data that NarrativEye collects directly from platform users in its capacity as a Controller (for example, account information). That processing is governed by NarrativEye's Privacy Policy.

2. Processing details

Element Details
Nature of processing Storage, analysis, classification, and retrieval of data uploaded by the Customer to the NarrativEye platform
Purpose Provision of the narrative intelligence Services as described in the subscription agreement
Duration For the term of the subscription agreement, plus any post-termination retention period specified in the Terms
Categories of data subjects As determined by the Controller — may include employees, contacts, or individuals named in uploaded documents
Categories of personal data As determined by the Controller — typically names, contact details, and professional information included in uploaded content
Special category data Should not be uploaded without prior agreement. Contact us before uploading any special category data.

3. Processor obligations

NarrativEye, as Processor, shall:

  • Process personal data only on documented instructions from the Controller, unless required to do so by law
  • Ensure persons authorised to process personal data are bound by appropriate confidentiality obligations
  • Implement appropriate technical and organisational security measures (see Section 5)
  • Assist the Controller in responding to data subject rights requests, subject access requests, and regulatory enquiries
  • Delete or return all personal data to the Controller at the end of the Services, as directed
  • Provide the Controller with all information reasonably necessary to demonstrate compliance with this DPA
  • Notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach

4. Sub-processors

NarrativEye uses the following categories of sub-processors to provide the Services:

  • Cloud infrastructure: Cloudflare (CDN, serverless functions, storage)
  • Email delivery: Resend (transactional email)
  • Analytics: Plausible (cookieless, no personal data processed)

NarrativEye will provide reasonable notice of any intended changes to sub-processors. The Controller has the right to object to a new sub-processor on reasonable grounds. If NarrativEye proceeds despite an objection, the Controller may terminate the Services without penalty.

NarrativEye ensures sub-processors are subject to data protection obligations equivalent to those in this DPA.

5. Security measures

NarrativEye implements the following technical and organisational measures:

  • Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls and authentication, including MFA for staff accessing production systems
  • Logging and monitoring of access to personal data
  • Regular security testing and vulnerability assessments
  • Cyber Essentials Plus certification (current)
  • ISO 27001 implementation in progress
  • Staff information security training
  • Incident response procedures

For defence and government customers requiring classified environments, additional security measures apply. See our Defence Module for details.

6. International transfers

Where personal data is transferred outside the UK or EEA, NarrativEye will ensure appropriate safeguards are in place, including Standard Contractual Clauses or other lawful transfer mechanisms approved under UK GDPR.

7. Audits and demonstrations of compliance

NarrativEye will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and, on reasonable notice and no more than once per year (unless a breach has occurred), will allow for and contribute to audits or inspections conducted by the Controller or an independent auditor appointed by the Controller.

8. Controller obligations

The Controller warrants that it has a lawful basis for processing any personal data it uploads or provides to NarrativEye, and that doing so complies with applicable data protection law. The Controller is responsible for the accuracy and legality of personal data it provides.

9. Governing law

This DPA is governed by applicable law and is subject to the jurisdiction of the applicable courts.

10. Contact

Data protection enquiries: privacy@narrativeye.ai

Enterprise customers requiring a countersigned DPA should contact their account manager or email legal@narrativeye.ai.