Data Processing Addendum

Effective June 21, 2026

This Data Processing Addendum ("DPA") forms part of and supplements the Terms of Service or Master Service Agreement (the "Agreement") between Elnora AI, Inc. or Elnora AI OÜ (collectively, "Elnora," "we," or "us") and the customer entity ("Customer," "you," or "your") governing Customer's use of the Elnora platform and services. This DPA applies to Elnora's processing of Customer Personal Data.

Capitalized terms used but not defined in this DPA have the meanings set forth in the Agreement. If there is any conflict between the terms of this DPA and the Agreement, the terms of this DPA shall govern with respect to data protection matters.


1. Definitions

"Applicable Data Protection Laws" means all applicable privacy, data protection, and data security laws and regulations, including, where applicable: (i) the General Data Protection Regulation (EU) 2016/679 ("GDPR"); (ii) the UK General Data Protection Regulation and the UK Data Protection Act 2018 ("UK GDPR"); (iii) the Swiss Federal Act on Data Protection ("FADP"); (iv) the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"); and (v) any other applicable data protection laws.

"Controller" means the natural or legal person that determines the purposes and means of the processing of Personal Data. For purposes of the CCPA, "Controller" includes "business" as defined therein.

"Customer Data" means all data, content, materials, and information that Customer or Authorized Users upload, submit, or otherwise provide to the Platform.

"Customer Personal Data" means Personal Data contained within Customer Data that Elnora processes as a Processor on behalf of Customer.

"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.

"Data Subject Request" means a request from a Data Subject to exercise their rights under Applicable Data Protection Laws.

"EEA" means the European Economic Area.

"Personal Data" means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Laws.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data. Where an event also constitutes a security incident, the same event may trigger more than one notification obligation; each applicable notification clock under §9 runs independently for its respective audience, and meeting one notification obligation does not waive the others.

"Processing" (and "Process") means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction.

"Processor" means a natural or legal person that processes Personal Data on behalf of a Controller. For purposes of the CCPA, "Processor" includes "service provider" as defined therein.

"Restricted Transfer" means a transfer of Personal Data from the EEA, UK, or Switzerland to a country not recognized as providing an adequate level of data protection.

"SCCs" means the Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021.

"Subprocessor" means a third party engaged by Elnora to Process Customer Personal Data.

"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner.


2. Scope and Roles

2.1 Roles of the Parties

With respect to Customer Personal Data:

  • Customer is the Controller (or acts as a Processor on behalf of a third-party Controller); and
  • Elnora is the Processor (or sub-Processor, as applicable) acting on Customer's behalf.

Each party will comply with its respective obligations under Applicable Data Protection Laws.

2.2 Customer Responsibilities

Customer is responsible for:

(a) Ensuring it has all necessary rights, consents, and legal bases to provide Customer Personal Data to Elnora for Processing;

(b) Ensuring that Customer's instructions to Elnora comply with Applicable Data Protection Laws;

(c) Determining whether Elnora's security measures are appropriate for Customer's use case; and

(d) Responding to Data Subject Requests received directly from Data Subjects.

2.3 Processing Instructions

Elnora will Process Customer Personal Data only:

(a) To provide the Platform and services under the Agreement;

(b) In accordance with Customer's documented instructions as set forth in this DPA and the Agreement;

(c) As required by applicable law (in which case Elnora will inform Customer of such requirement, unless prohibited by law); and

(d) As otherwise agreed in writing between the parties.

If Elnora believes an instruction from Customer violates Applicable Data Protection Laws, Elnora will promptly inform Customer and may suspend Processing until the parties resolve the issue.

2.4 Confidentiality of Authorized Persons

Elnora will ensure that all persons authorized to Process Customer Personal Data are subject to a binding obligation of confidentiality with respect to such data, whether by contract or applicable statutory obligation, and that such obligation survives termination of the individual's engagement with Elnora. Elnora will not permit any person who has not undertaken such a confidentiality obligation to Process Customer Personal Data.


3. Processing Details

3.1 Subject Matter and Purpose

The subject matter of the Processing is Customer's use of the Elnora Platform for AI-powered biomedical protocol generation and optimization. The purpose is to provide the services described in the Agreement.

3.2 Duration

Processing continues for the duration of the Agreement, plus any post-termination retention period required for data return or deletion.

3.3 Categories of Data Subjects

Data Subjects may include:

  • Customer's employees and contractors
  • Customer's authorized users
  • Researchers and scientists
  • Any individuals whose Personal Data is included in Customer Data

3.4 Categories of Personal Data

Categories may include:

  • Contact information (name, email, phone)
  • Account credentials and authentication data
  • User activity and usage logs
  • IP addresses and device identifiers
  • Any Personal Data included in protocols, experimental data, or research materials submitted by Customer

3.5 Sensitive Data

Customer represents and warrants that Customer Personal Data does not include, and Customer will not submit to the Platform, any:

(a) Protected health information (PHI) subject to HIPAA without a separate Business Associate Agreement;

(b) Genetic or genomic data of identifiable individuals without documented informed consent;

(c) Financial account credentials or payment card data subject to PCI-DSS;

(d) Government-issued identification numbers (e.g., Social Security numbers);

(e) Special categories of data under GDPR Article 9 (racial/ethnic origin, political opinions, religious beliefs, trade union membership, health data, sex life, sexual orientation, biometric data for identification), unless Customer has obtained explicit consent and has a lawful basis.


4. CCPA Compliance

Where the CCPA applies, Elnora certifies that it:

(a) Will not "sell" or "share" Customer Personal Data as those terms are defined under the CCPA;

(b) Will not use or disclose Customer Personal Data for "cross-context behavioral advertising" as defined under the CCPA;

(c) Will not retain, use, or disclose Customer Personal Data for any purpose other than providing the services under the Agreement, or as otherwise permitted by the CCPA;

(d) Will not retain, use, or disclose Customer Personal Data outside of the direct business relationship with Customer;

(e) Will not combine Customer Personal Data with Personal Data received from other sources, except as permitted by Applicable Data Protection Laws; and

(f) Will comply with all applicable CCPA requirements for service providers and, where applicable, contractors.


5. AI Subprocessor Processing

5.1 No Training on Customer Data

Elnora does not use Customer Data to train, fine-tune, or otherwise develop the training datasets of any artificial intelligence or machine learning models. Elnora does not develop its own models; it uses existing foundation models provided by third-party AI providers, which are contractually prohibited from using Customer Data for model training. Elnora will not use Customer Data to train, fine-tune, or develop the training datasets of models unless Customer gives explicit written consent in an executed amendment to the Agreement.

A list of subprocessors, including AI providers, is available at trust.elnora.ai/subprocessors.

5.2 Inference-Time Processing

Customer Data submitted to AI subprocessors is transmitted only for the purpose of generating the requested output and is processed under each AI subprocessor's standard commercial data-processing terms (listed in Schedule 3), which prohibit the use of Customer Data for model training. Under those terms, the subprocessor's default abuse-monitoring retention applies to prompt and completion content (typically up to thirty (30) days, and longer only for content the subprocessor flags as a suspected policy violation or where retention is required by law), with no use of Customer Data for model training in any case. Where a subprocessor offers Zero Data Retention ("ZDR"), which suppresses persistent storage of prompt and completion content, Elnora may enable it for a specific engagement on request; Elnora does not rely on ZDR as a baseline control.

Structured inference metadata (request IDs, latency, token counts, error codes) is retained by Elnora for thirty (30) days for operational monitoring. This operational metadata is not Customer Personal Data for purposes of this DPA and is not subject to the no-training commitment in §5.1, which addresses training-dataset inclusion only. Separately, the AI subprocessor may perform in-memory abuse screening and may retain prompt and completion content for its standard abuse-monitoring period as described above; neither involves the use of Customer Data for model training.


6. Security Measures

6.1 Technical and Organizational Measures

Elnora implements and maintains technical and organizational security measures designed to protect Customer Personal Data, as described in Schedule 1 (Technical and Organizational Measures). These measures include:

(a) Encryption at Rest: AES-256 encryption for all stored Customer Data;

(b) Encryption in Transit: TLS 1.2 or higher for all data transmission;

(c) Access Controls: Role-based access controls, multi-factor authentication, and principle of least privilege;

(d) Data Separation: Logical separation of Customer Data between customers;

(e) Security Monitoring: Continuous monitoring, logging, and incident detection;

(f) Personnel Security: Background checks, confidentiality agreements, and security training for all personnel with access to Customer Data.

6.2 Security Program

Elnora holds an ISO/IEC 27001:2022 certification and a SOC 2 Type 2 attestation. Current certification status and security documentation are available at trust.elnora.ai. Audit reports are available on request under standard confidentiality terms.

6.3 Updates to Security Measures

Elnora may update security measures from time to time, provided that updates do not materially reduce the overall security of Customer Personal Data.


7. Subprocessors

7.1 Authorization

Customer grants Elnora general written authorization to engage Subprocessors to Process Customer Personal Data as necessary to provide the services.

7.2 Subprocessor Obligations

Elnora will:

(a) Enter into written agreements with each Subprocessor imposing data protection obligations no less protective than those in this DPA;

(b) Require Subprocessors to implement appropriate technical and organizational measures;

(c) Prohibit Subprocessors from Processing Customer Personal Data for any purpose other than providing services to Elnora;

(d) Require each Subprocessor, on termination of its services, to delete Customer Personal Data — including backup copies — on the same basis and within the same time frame set out in Section 12.2; and

(e) Remain responsible for its Subprocessors' compliance with the data protection obligations in this DPA, as required by Article 28(4) of the GDPR. Elnora's liability for the acts and omissions of its Subprocessors is subject to the limitations and aggregate cap on liability in Section 13 of this DPA and in the Agreement.

7.3 List of Subprocessors

A current list of Subprocessors is available at trust.elnora.ai/subprocessors.

7.4 Notification of Changes

Elnora will provide at least thirty (30) days' notice before engaging a new Subprocessor that will Process Customer Personal Data. Customer may subscribe to notifications at trust.elnora.ai.

7.5 Objection to New Subprocessors

Customer may object to a new Subprocessor by providing written notice to privacy@elnora.ai within thirty (30) days of receiving notification, stating reasonable data protection grounds for the objection. If Customer objects:

(a) The parties will work in good faith to find a mutually acceptable resolution;

(b) If no resolution is reached within thirty (30) days, Customer may terminate the affected services by providing written notice;

(c) Such termination will not relieve Customer of fees owed for services rendered prior to termination; and

(d) Where Customer terminates an affected service under this §7.5, Elnora will refund any prepaid fees covering the portion of the subscription term after the effective date of termination for that service.

If Customer does not object within the thirty (30) day period, Customer is deemed to have accepted the new Subprocessor.


8. Data Subject Rights

8.1 Customer Responsibility

Customer is responsible for responding to Data Subject Requests. Elnora provides self-service functionality within the Platform to assist Customer in fulfilling such requests.

8.2 Elnora Assistance

Upon Customer's written request, and taking into account the nature of the Processing, Elnora will provide reasonable assistance to enable Customer to respond to Data Subject Requests within five (5) business days of receiving Customer's written request, to the extent Customer cannot fulfill such requests independently through the Platform. Elnora's assistance obligation is limited to the Processing Elnora performs on Customer's behalf and does not extend to data held or controlled solely by Customer.

8.3 Requests Received by Elnora

If Elnora receives a Data Subject Request directly, Elnora will:

(a) Promptly notify Customer (unless prohibited by law);

(b) Advise the Data Subject to submit their request to Customer; and

(c) Not respond to the request without Customer's authorization, unless required by law.


9. Personal Data Breach Notification

9.1 Notification

Elnora will notify Customer of any Personal Data Breach without undue delay, and in any event within seventy-two (72) hours of Elnora becoming aware that a Personal Data Breach has occurred. Where the full scope of the breach is not yet established, an initial notification will be made within the seventy-two (72) hour period and supplemented as further information becomes available, in accordance with §9.2.

9.2 Notification Content

Elnora's notification will include, to the extent known:

(a) The nature of the Personal Data Breach;

(b) Categories and approximate number of Data Subjects affected;

(c) Categories and approximate number of Personal Data records affected;

(d) The likely consequences of the Personal Data Breach;

(e) Measures taken or proposed to address the Personal Data Breach; and

(f) Contact details for Elnora's point of contact.

Information may be provided in phases as it becomes available.

9.3 Assistance

Elnora will provide reasonable assistance to Customer in:

(a) Investigating the Personal Data Breach;

(b) Complying with Customer's notification obligations to supervisory authorities under GDPR Article 33 and to Data Subjects under GDPR Article 34; and

(c) Mitigating the effects of the Personal Data Breach.

9.4 No Admission

Elnora's notification of, or response to, a Personal Data Breach will not be construed as an acknowledgment of fault or liability.


10. Audits and Compliance

10.1 Audit Reports

Upon Customer's written request (no more than once annually), and subject to confidentiality obligations, Elnora will provide:

(a) A copy of Elnora's most recent SOC 2 Type 2 report;

(b) Summaries of penetration testing results; and

(c) Such other documentation reasonably necessary to demonstrate compliance with this DPA.

Customer agrees that these audit reports satisfy any audit rights granted under Applicable Data Protection Laws, except where additional audit is legally required.

10.2 On-Site Audit

Where Applicable Data Protection Laws require additional audit rights, or where audit reports are insufficient to demonstrate compliance, Customer may conduct or commission an audit, subject to:

(a) At least thirty (30) days' prior written notice;

(b) Conducting the audit during Elnora's regular business hours;

(c) Using an independent third-party auditor bound by confidentiality obligations;

(d) Limiting the audit to once per twelve (12) month period (unless required by a supervisory authority or in response to a Personal Data Breach);

(e) Restricting findings to information relevant to Customer; and

(f) Customer bearing the reasonable costs of the audit, except that Elnora bears its own costs of cooperation and will bear the auditor's reasonable costs where the audit reveals a material breach by Elnora of this DPA or Applicable Data Protection Laws, or where the audit is conducted in response to a Personal Data Breach attributable to Elnora.

10.3 Data Protection Impact Assessment and Prior Consultation

Upon Customer's written request, Elnora will provide reasonable assistance with Customer's data protection impact assessments under GDPR Article 35 and, where required, with prior consultations with supervisory authorities under GDPR Article 36, to the extent that such assistance relates to Elnora's Processing of Customer Personal Data and is required by Applicable Data Protection Laws.

10.4 Demonstrable Compliance

Elnora will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and with the obligations of a processor under Applicable Data Protection Laws, including GDPR Article 28. Elnora will promptly inform Customer if any instruction received pursuant to this DPA would, in Elnora's reasonable assessment, result in a breach of Applicable Data Protection Laws.


11. International Data Transfers

11.1 Transfer Authorization

Customer authorizes Elnora to transfer Customer Personal Data to countries outside the EEA, UK, or Switzerland as necessary to provide the services, subject to appropriate safeguards under Applicable Data Protection Laws.

11.2 Standard Contractual Clauses

For Restricted Transfers, the parties agree that the SCCs apply as follows:

For transfers from the EEA:

(a) Module Two (Controller to Processor) applies where Customer is a Controller;

(b) Module Three (Processor to Processor) applies where Customer is a Processor;

(c) Clause 7 (docking clause) applies;

(d) In Clause 9, Option 2 (general authorization) applies with notice period as set forth in Section 7.4;

(e) In Clause 11, the optional redress language does not apply;

(f) In Clause 17, Option 1 applies, governed by the laws of Ireland;

(g) In Clause 18(b), disputes are resolved before the courts of Ireland;

(h) Annex I is completed per this DPA and Schedule 2;

(i) Annex II is completed per Schedule 1 of this DPA; and

(j) Annex III (list of sub-processors) is completed per Schedule 3 of this DPA.

11.3 UK Transfers

For transfers from the UK subject to UK GDPR, the parties adopt the UK Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office (version B1.0, in force 21 March 2022). The completed Tables 1–4 are set out in Schedule 4 to this DPA.

If the UK ICO revokes, replaces, or amends the UK Addendum, or if a different transfer mechanism (such as the International Data Transfer Agreement) becomes the required mechanism for UK transfers, the parties agree to execute, at either party's written request, a replacement transfer mechanism in the form then approved by the UK ICO, and this DPA will be deemed amended accordingly.

11.4 Swiss Transfers

For transfers from Switzerland subject to the FADP:

(a) References to GDPR are interpreted as references to the FADP;

(b) The competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner;

(c) The SCCs are governed by Swiss law;

(d) Disputes are resolved before the courts of Switzerland; and

(e) The term "Member State" in the SCCs is not interpreted so as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the SCCs.

11.5 Alternative Transfer Mechanisms

If a transfer mechanism is invalidated, Elnora will work with Customer to implement an alternative lawful transfer mechanism.

11.6 Transfer Impact Assessment

Elnora maintains a Transfer Impact Assessment ("TIA") covering personal data transfers from the EEA, UK, and Switzerland to the United States, prepared in accordance with EDPB Recommendations 01/2020 and the UK ICO Transfer Risk Assessment tool. The TIA is classified Confidential and is available to Customer upon written request to privacy@elnora.ai. Elnora will re-issue the TIA upon any material change to US surveillance law, the EU-US Data Privacy Framework, its UK Extension, or the Swiss-US Data Privacy Framework, or Elnora's sub-processor footprint, and at minimum on an annual review cycle.

11.7 Public Authority Access

Elnora's representations and disclosures regarding access by US and other public authorities (including the laws to which Elnora is subject, applicable mitigations, and the absence of any pending or threatened data-protection regulatory investigation) are set out in Elnora's Public Authority Access Disclosure, incorporated by reference. Elnora will notify Customer of any government access request affecting Customer Personal Data within twenty-four (24) hours of receipt where legally permitted, will challenge over-broad requests, and will disclose only the minimum strictly required.


12. Data Retention and Deletion

12.1 Retention During Agreement

Elnora retains Customer Personal Data for the duration of the Agreement as necessary to provide the services. Customer may, at any time during the Agreement, issue a written instruction to Elnora to delete a specific dataset or category of Customer Personal Data. Elnora will carry out such mid-term deletion within thirty (30) days of receiving the instruction, subject to any retention period required by applicable law, and will confirm completion in writing upon request. Deletion under this clause does not affect Customer's obligations to pay fees for services rendered.

12.2 Post-Termination

Upon termination or expiration of the Agreement, and unless Customer instructs otherwise in writing:

(a) Elnora will permanently delete all Customer Data — including Customer Personal Data and any records Elnora has derived from Customer Data — within thirty (30) days of the termination or expiration date, except where, and only for as long as, retention is required by applicable law or to establish, exercise, or defend legal claims;

(b) Deletion under (a) includes all backup copies. Elnora will not retain Customer Data in backups beyond the thirty (30) day period unless a longer period is required by applicable law or is expressly approved by Customer in writing;

(c) Customer may export Customer Data through the Platform's self-service export functionality at any time during the Agreement and during the thirty (30) day period following termination or expiration. Any hands-on transition assistance is provided as set out in the Agreement; and

(d) Following deletion, Elnora and its Subprocessors will cease all use of Customer Data. Elnora will ensure that its Subprocessors delete Customer Data, including backup copies, on the same basis and within the same thirty (30) day period.

12.3 Deletion Certification

Upon Customer's written request, Elnora will provide written confirmation that Customer Personal Data has been deleted in accordance with this Section 12.


13. Liability

Each party's aggregate liability arising out of or relating to this DPA is capped at two (2) times the total fees paid or payable by Customer to Elnora under the Agreement in the twelve (12) months immediately preceding the event giving rise to the claim, subject to a maximum cap of one million U.S. dollars (USD 1,000,000). This cap operates as a super-cap above the general liability cap in the Agreement for claims arising out of this DPA, and the two caps are not cumulative. Where fees under the Agreement are denominated in a currency other than U.S. dollars, the USD 1,000,000 ceiling will be applied using the equivalent amount in the Agreement's billing currency, converted at the European Central Bank reference rate in effect on the date the event giving rise to the claim occurred.

Nothing in this DPA limits either party's liability for:

(a) Fraud or fraudulent misrepresentation;

(b) Death or personal injury caused by negligence;

(c) Wilful misconduct;

(d) Any liability that cannot be limited or excluded under applicable law, including liability under Article 82 of the GDPR or equivalent statutory non-excludable liability under UK GDPR or other Applicable Data Protection Laws; or

(e) Customer's indemnification obligations under the Agreement and Customer's breach of its representations and warranties in §2.2 and §3.5 of this DPA, which remain subject to the limitations of liability in the Agreement and are not reduced by the cap in this Section 13.


14. General

14.1 Order of Precedence

In the event of conflict, the following order of precedence applies: (1) the SCCs (if applicable); (2) this DPA; (3) the Agreement.

14.2 Amendments

Elnora may propose updates to this DPA from time to time to reflect changes in Applicable Data Protection Laws or Elnora's operations. Elnora will provide Customer at least thirty (30) days' written notice of any material change. If Customer reasonably objects to a material change on data-protection grounds within that period, the parties will work in good faith toward a resolution; absent resolution, Customer may terminate the affected services on written notice. No amendment to the SCCs, the UK Addendum, or their Annexes will take effect except as agreed in writing by both parties or as automatically updated by operation of the relevant approved transfer mechanism. Non-material and legally required changes take effect on the notice date.

14.3 Contact Information

For questions about this DPA or data protection matters, contact:

Privacy Contact: privacy@elnora.ai

Legal: legal@elnora.ai


Schedule 1: Technical and Organizational Measures (SCC Annex II)

This Schedule constitutes Annex II to the Standard Contractual Clauses (Module Two: Controller to Processor and Module Three: Processor to Processor) approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, describing the technical and organisational security measures implemented by the data importer.

Elnora implements and maintains the following technical and organizational measures to protect Customer Personal Data:

1. Encryption

  • Encryption at Rest: AES-256 encryption for all stored data
  • Encryption in Transit: TLS 1.2 or higher for all network communications
  • Key Management: Keys stored in AWS KMS with annual rotation

2. Access Controls

  • Authentication: Multi-factor authentication required for production systems
  • Authorization: Role-based access controls (RBAC) with principle of least privilege
  • Password Policy: Minimum 14 characters (human accounts) with upper, lower, number, and special-character complexity; 32 characters (service accounts); no reuse of last 24 passwords. Enforced organization-wide via the company password manager and identity-provider settings. (Maintained in line with Elnora's Access Control Policy; values above are illustrative of the enforced baseline.)
  • Account Lockout: Automatic lockout after 6 failed attempts
  • Access Reviews: Quarterly reviews of all access privileges
  • Termination: Access revoked within 4 business hours of employment end for privileged accounts and within 1 business day for all other accounts

3. Data Separation

  • Logical Separation: Customer Data stored in logically separated databases
  • No Cross-Customer Access: Customer Data never mixed or used as input for other customers
  • Environment Separation: Production and development environments are logically separated; production data is not used in development

4. Network Security

  • Firewalls: Network firewalls with restrictive ingress/egress rules
  • Intrusion Detection: Continuous monitoring for suspicious activity
  • DDoS Protection: Cloud-based DDoS mitigation

5. Monitoring and Logging

  • Audit Logging: All access to Customer Data is logged with timestamps and user IDs
  • Log Retention: Security logs retained for a minimum of 13 months
  • SIEM: Centralized security information and event management
  • Alerting: Real-time alerts for security events

6. Vulnerability Management

  • Vulnerability Scanning: Quarterly scans of public-facing systems
  • Penetration Testing: Annual penetration testing by qualified third parties
  • Remediation SLAs: Critical (CVSS 9.0–10.0): 15 days; High (CVSS 7.0–8.9): 30 days; Medium (CVSS 4.0–6.9): 60 days; Low (CVSS 0.1–3.9): 90 days
  • Patch Management: Regular patching of systems and dependencies

7. Personnel Security

  • Background Checks: Pre-employment background screening
  • Confidentiality: All employees sign confidentiality agreements
  • Security Training: Annual security awareness training
  • Acceptable Use: Documented acceptable use policies

8. Business Continuity

  • Backups: Daily encrypted backups with geographic redundancy
  • Disaster Recovery: Documented DR plan with annual testing
  • Incident Response: Documented incident response procedures

9. Physical Security

  • Cloud Infrastructure: AWS data centers with SOC 2 and ISO 27001 certifications
  • Endpoint Security: Full-disk encryption required on all devices accessing Customer Data, enforced via BYOD policy and annual attestation

10. Third-Party Management

  • Vendor Assessment: Security due diligence before engagement
  • Contractual Protections: Data protection clauses in vendor agreements
  • Annual Reviews: Annual security reviews of critical vendors

Schedule 2: Processing Details (SCC Annex I)

This Schedule constitutes Annex I to the Standard Contractual Clauses (Module Two: Controller to Processor and Module Three: Processor to Processor) approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021.

Annex I.A — List of Parties

Data Exporter (Controller/Processor):

  • Name: Customer (as identified in the Agreement)
  • Address: As specified in the Agreement
  • Contact: As specified in the Agreement
  • Activities: Use of Elnora Platform for biomedical protocol generation
  • Role: Controller (or Processor, if acting on behalf of a third-party Controller)

Data Importer (Processor):

  • Name: Elnora AI, Inc. (or Elnora AI OÜ, as applicable)
  • Address: 48 South Rio Grande Street, Salt Lake City, UT 84101, USA (Elnora AI, Inc.); or Vesiroosi tn 6, Laagri alevik, Saue vald, Harju maakond, 76401, Estonia (Elnora AI OÜ), as applicable
  • Contact: privacy@elnora.ai
  • Activities: Provision of AI-powered biomedical protocol generation platform
  • Role: Processor (or sub-Processor)

Annex I.B — Description of Transfer

  • Categories of Data Subjects: Customer employees, authorized users, researchers, and individuals whose data is included in Customer Data
  • Categories of Personal Data: Contact information, account credentials, usage logs, IP addresses, and Personal Data in submitted research data
  • Sensitive Data: None by default. Customer must not submit special categories of data under GDPR Article 9 (including health, genetic, or biometric data) or other sensitive data except where Customer has a lawful basis and, where required, explicit consent. Where such data is submitted in accordance with §3.5, the technical and organisational measures in Schedule 1 (encryption at rest and in transit, role-based least-privilege access controls, restricted personnel access) apply.
  • Frequency of Transfer: Continuous, for the duration of the Agreement
  • Nature of Processing: Collection, storage, organization, retrieval, use, and disclosure for providing AI-powered protocol generation services
  • Purpose of Processing: To provide the Elnora Platform and services under the Agreement
  • Retention Period: Duration of the Agreement, plus deletion within thirty (30) days of termination or expiration (see §12.2)

Annex I.C — Competent Supervisory Authority

  • EEA: The supervisory authority of the EU Member State where Customer is established, or the Irish Data Protection Commission if Customer has no EU establishment
  • UK: UK Information Commissioner's Office
  • Switzerland: Swiss Federal Data Protection and Information Commissioner

Schedule 3: List of Subprocessors (SCC Annex III)

This Schedule constitutes Annex III to the Standard Contractual Clauses (Module Two and Module Three) approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, listing the sub-processors authorised by the data importer.

The authoritative and current list of Elnora's Subprocessors is maintained at trust.elnora.ai/subprocessors. Schedule 3 names the Subprocessors engaged in Customer Personal Data processing as of the effective date of this DPA; customers should refer to the Trust Center for the live list and subscribe there to receive advance notifications of changes pursuant to §7.4.

Primary Subprocessors include:

  • Amazon Web Services (AWS): Cloud infrastructure — hosting, compute, storage; Location: United States
  • Cloudflare, Inc. ‡: AI gateway and request routing for LLM and embedding API calls; Location: United States
  • Anthropic: LLM inference (Claude models); Location: United States
  • Microsoft Azure (OpenAI): LLM inference (OpenAI models, hosted on Azure); Location: United States
  • Google Cloud Platform / Gemini: LLM inference (Gemini models); Location: United States
  • Greenflash: Observability — traces, logs, prompts, and outputs; Location: United States
  • Perplexity AI: Search API — web-grounded retrieval; Location: United States
  • Tavily: Search API — web and literature retrieval; Location: United States
  • Exa: Search API — semantic search and retrieval; Location: United States
  • Valyu: Search API — knowledge retrieval; Location: United States
  • Firecrawl (SideGuide Technologies, Inc.): Web scraping, crawling, and extraction; Location: United States
  • Stripe: Payment processing; Location: United States
  • E2B (FoundryLabs, Inc.) †: Secure cloud sandbox for executing AI-generated code during agent tasks; Location: United States

All Subprocessors are bound by data processing agreements requiring equivalent data protection standards to this DPA, and are prohibited from using Customer Data for model training. The search, retrieval, and web-extraction providers (Perplexity, Tavily, Exa, Valyu, and Firecrawl) receive only the inputs the agent composes — search queries and, for web extraction, public URLs and extraction prompts — and not Customer files, datasets, or Outputs.

‡ Cloudflare, Inc. operates the AI Gateway through which Elnora routes LLM and embedding API calls; in that role it receives request-routing metadata. Cloudflare is engaged under a data processing agreement incorporating the EU SCCs and is already published on the Trust Center subprocessor list; it is reflected here to bring Schedule 3 into line with that list.

† E2B (FoundryLabs, Inc.) was added by 30-day advance notice posted on the Trust Center and becomes an active Subprocessor effective 16 July 2026; it does not Process Customer Personal Data before that date. Customers may exercise the objection right under §§7.4–7.5 during the notice period.

Note on internal-only tools. Tools used by Elnora exclusively for internal business operations and that do not Process Customer Personal Data on Customer's behalf — currently including Slack (Salesforce, Inc.) for internal team communications — are not Subprocessors under GDPR Article 28 and are not listed above. If Elnora opens a Slack Connect channel with Customer, or otherwise routes Customer Personal Data through Slack, Slack will be added to this Schedule and notified under §7.4 before any such processing begins.


Schedule 4: UK Addendum to the EU SCCs (Completed Tables)

This Schedule sets out the populated Tables 1–4 of the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, version B1.0 (in force 21 March 2022), issued by the UK Information Commissioner's Office (the "UK Addendum"). Where this Schedule is silent, the mandatory Part 2 clauses of the UK Addendum apply unchanged.

Table 1: Parties

  • Start date: The Effective Date of the Agreement (both Exporter and Importer)
  • Parties' details: Exporter is Customer (as identified in the Agreement); Importer is Elnora AI, Inc., 48 South Rio Grande Street, Salt Lake City, UT 84101, United States
  • Key contact: Exporter, as specified in the Agreement; Importer, privacy@elnora.ai
  • Signatures: Executed by reference through the Agreement and this DPA (both Exporter and Importer)

Table 2: Selected SCCs, Modules and Selected Clauses

  • Addendum EU SCCs: The version of the Approved EU SCCs to which this UK Addendum applies is the Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, as incorporated by reference in §11.2 of this DPA
  • Module: Module Two (Controller-to-Processor) where Customer is a Controller; Module Three (Processor-to-Processor) where Customer is a Processor
  • Clause 7 (Docking Clause): Included
  • Clause 11 (Independent dispute resolution): Optional redress language does not apply
  • Clause 17 (Governing law): Option 1 — Irish law
  • Clause 18 (Choice of forum): Courts of Ireland

Table 3: Appendix Information

  • Annex 1A (List of Parties): Schedule 2, Annex I.A of this DPA
  • Annex 1B (Description of Transfer): Schedule 2, Annex I.B of this DPA
  • Annex II (Technical and Organisational Measures): Schedule 1 of this DPA
  • Annex III (List of Sub-processors): Schedule 3 of this DPA

Table 4: Ending this Addendum when the Approved Addendum Changes

  • Which Parties may end this Addendum as set out in Section 19: Importer

This Data Processing Addendum is effective as of June 16, 2026 and supersedes all prior versions.


Elnora AI, Inc., 48 South Rio Grande Street, Salt Lake City, UT 84101, United States

Elnora AI OÜ, Vesiroosi tn 6, Laagri alevik, Saue vald, Harju maakond, 76401, Estonia