Legal • Updated May 22, 2026

Data Processing Addendum

This Data Processing Addendum (DPA) forms part of the agreement between NeuroAPI ('Processor') and the Customer ('Controller') and applies when NeuroAPI processes personal data on the Customer's behalf.

1. Scope & roles

For Customer Personal Data submitted to the Service, NeuroAPI acts as Processor and the Customer as Controller. NeuroAPI processes data only on documented instructions from the Customer, except as required by law.

2. Subprocessors

The Customer authorizes the following subprocessors:

  • Cloudflare, Inc. — edge compute & CDN (US, global)
  • Supabase, Inc. — managed Postgres & auth (US/EU)
  • Stripe, Inc. — payment processing (US)
  • Resend, Inc. — transactional email (US)

NeuroAPI gives 30 days' notice before adding or replacing subprocessors. The Customer may object in writing; if the objection is not resolved, the Customer may terminate the affected Service.

3. International transfers

Where personal data is transferred outside the EEA, UK, or Switzerland, the parties rely on the EU Standard Contractual Clauses (Modules 2 and 3) and the UK International Data Transfer Addendum, which are incorporated by reference into this DPA.

4. Security measures

  • TLS 1.2+ in transit, AES-256 at rest
  • Argon2id password hashing
  • Role-based access controls and least-privilege access
  • Centralized audit logging and 24/7 monitoring
  • Annual penetration tests and continuous vulnerability scanning
  • Documented incident response plan with 72-hour breach notification

5. Data subject requests

NeuroAPI will, taking into account the nature of the processing, assist the Controller in fulfilling its obligation to respond to data subject requests, including access, rectification, erasure, restriction, portability, and objection.

6. Breach notification

NeuroAPI will notify the Controller without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach.

7. Audits

Once per year, on 30 days' written notice and during normal business hours, the Controller may audit NeuroAPI's compliance with this DPA, subject to confidentiality and reasonable cost reimbursement.

8. Deletion

On termination, NeuroAPI will delete or return all Customer Personal Data within 30 days, except where retention is required by law.

9. Execution

This DPA is effective without signature for any Customer who accepts our Terms of Service. For a counter-signed copy, email legal@neuroapi.me.

Questions? Email legal@neuroapi.me.