Data Processing Agreement
Last updated: June 1, 2025
1. Scope & Purpose
This Data Processing Agreement (“DPA”) forms part of the agreement between you (“Data Controller”) and Northern Axis, LLC DBA Nordax Digital (“Data Processor”) for the processing of personal data through the Nordax AI platform.
This DPA applies to enterprise customers and organizations that manage entity profiles containing personal data of individuals (e.g., sole proprietors, professional service providers).
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
- Data Subject: The individual to whom personal data relates.
- Sub-Processor: A third-party data processor engaged by Nordax AI to process personal data.
3. Data Processing Details
3.1 Categories of Data
- Contact information (name, email, phone, address)
- Business information (entity name, services, descriptions)
- Account and authentication data
- Usage and analytics data
- Payment information (processed by Stripe)
3.2 Purpose of Processing
Personal data is processed to provide the Nordax AI platform services, including entity profile creation and management, AI visibility scoring, structured data generation, and publication on the entity network.
3.3 Duration
Processing continues for the duration of the service agreement, plus the data retention period specified in our Privacy Policy.
4. Obligations of the Data Processor
Nordax AI, as Data Processor, shall:
- Process personal data only on documented instructions from the Data Controller
- Ensure that persons authorized to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Engage sub-processors only with prior general authorization and a written agreement
- Assist the Data Controller in responding to data subject requests
- Assist with data protection impact assessments where required
- Delete or return all personal data at the end of the service period, upon request
- Make available all information necessary to demonstrate compliance
5. Sub-Processors
The following sub-processors are authorized to process personal data:
| Provider | Purpose | Location |
|---|---|---|
| Clerk | Authentication & identity | United States |
| Stripe | Payment processing | United States |
| Neon | Database hosting | United States |
| Vercel | Application hosting | United States (Edge) |
| Resend | Transactional email | United States |
We will notify enterprise customers at least 30 days before engaging a new sub-processor, providing an opportunity to object.
6. Security Measures
We implement the following technical and organizational measures:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Secure authentication with multi-factor authentication support
- Role-based access controls within the platform
- Regular security assessments and vulnerability monitoring
- Incident detection and response procedures
- Employee access limited to need-to-know basis
- Regular backups with tested recovery procedures
7. Data Breach Notification
In the event of a personal data breach, we will notify the Data Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
8. Data Subject Rights
We will assist the Data Controller in fulfilling data subject requests including access, rectification, erasure, restriction, portability, and objection. Requests should be directed to privacy@nordax.ai.
9. International Transfers
Personal data is primarily processed in the United States. For transfers outside the European Economic Area, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission.
10. Audit Rights
Enterprise customers may request an audit of our data processing practices with reasonable notice. We will make available relevant documentation, certifications, and audit reports. On-site audits may be arranged with 30 days' notice.
11. Contact
For DPA-related inquiries:
Northern Axis, LLC DBA Nordax Digital
1741 Newnan Crossing Blvd E Ste I #2189
Newnan, GA 30265
Email: dpa@nordax.ai
Website: nordaxdigital.com