Legal

Data Processing Agreement

Draft — this document is in review with our solicitors and may change before general availability. Contact legal@trynoor.legal for the negotiable version.

Scope

This Data Processing Agreement ("DPA") supplements the Master Services Agreement between the customer firm ("Controller") and Noor Legal Ltd ("Processor") and applies whenever Processor processes Personal Data on behalf of Controller.

1. Subject matter & duration

Processor processes Personal Data strictly to provide the Services. The Agreement's duration governs — no retention beyond termination other than as required by law or the agreed post-termination period.

2. Nature and purpose of processing

Translation, transcription, document OCR, storage, and audit-bundle generation of communications between Controller and Controller's clients, strictly to support the Services.

3. Categories of data subjects and personal data

Data subjects:Controller's clients, Controller's staff, and any party referenced in communications.

Categories: contact data, case data, communications content (including sensitive data when voluntarily provided by data subjects to their solicitor), and derived metadata (hashes, timestamps, language detection).

4. Sub-processors

The current list is published at trynoor.legal/legal/sub-processorsand forms part of this DPA. Controller will receive 30 days' written notice before any change takes effect on their tenant.

5. International transfers

Personal Data is stored and processed in the UK. Any transfers to sub-processors outside the UK are covered by UK International Data Transfer Agreements (IDTA) or UK Addendum to the EU Standard Contractual Clauses.

6. Security measures

TLS 1.3 in transit, AES-256 at rest, role-based access controls, encryption key management via Convex, constant-time HMAC on webhook verification, no training of AI models on Controller data.

7. Personal data breach

Processor notifies Controller without undue delay, and in any case within 24 hours of becoming aware, of any Personal Data Breach affecting Controller Personal Data.

8. Data subject rights

Processor assists Controller in fulfilling Controller's obligations to respond to data subject requests (access, rectification, erasure, portability, objection) via in-app caseworker actions or, if needed, engineering support within 72 hours.

9. Audits

Controller may audit Processor's compliance once per year with 30 days' notice, at Controller's expense, subject to confidentiality.

10. Return or deletion

Upon termination, Processor exports Controller data in a portable format and hard-deletes within 30 days, unless retention is required by law.

A negotiable Word/PDF copy of this DPA is available on request — legal@trynoor.legal.