Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between NORJI Ltd ("NORJI", "we", "us", "our", the "Processor") and the customer ("Customer", "you", the "Controller") who subscribes to the NORJI Service (the "Service"). It governs the processing of personal data carried out by NORJI on the Customer's behalf in connection with the Service.

This DPA is issued to comply with Article 28 of the UK General Data Protection Regulation ("UK GDPR") and, where applicable, Article 28 of Regulation (EU) 2016/679 ("EU GDPR"). It supplements, and where it conflicts overrides, the NORJI Terms of Service and Privacy Policy with respect to the processing of Customer Personal Data.

Standalone signature not required.

By accepting the NORJI Terms of Service or by continuing to use the Service after the effective date above, the Customer is deemed to have accepted this DPA. Customers requiring a signed copy may request one at hello@norji.co.uk.

1. Definitions

Capitalised terms used in this DPA have the meanings given below. Terms not defined here have the meanings given in the UK GDPR.

Controller means the natural or legal person who determines the purposes and means of processing personal data — the Customer, in respect of Customer Personal Data.
Processor means the natural or legal person who processes personal data on behalf of the Controller — NORJI, in respect of Customer Personal Data.
Customer Personal Data means personal data that is processed by NORJI on the Customer's behalf in connection with the Service, as further described in Annex A.
Sub-processor means any third party engaged by NORJI to process Customer Personal Data on its behalf.
Personal Data Breach has the meaning given in Article 4(12) UK GDPR.
Data Subject means an identified or identifiable natural person to whom Customer Personal Data relates.
Standard Contractual Clauses or "SCCs" means the standard contractual clauses approved by the UK Information Commissioner's Office or the European Commission for the transfer of personal data to third countries.

2. Scope and Roles

For the purposes of this DPA, the Customer is the Controller of Customer Personal Data and NORJI is the Processor. NORJI will process Customer Personal Data only on the Customer's documented instructions, including with regard to transfers of Customer Personal Data outside the United Kingdom or the European Economic Area, unless otherwise required by applicable law.

Where NORJI processes personal data of its own users for its own purposes — for example, account creation, billing, or website analytics — NORJI acts as a Controller. Such processing is governed by the NORJI Privacy Policy and falls outside the scope of this DPA.

3. Subject Matter, Duration, Nature and Purpose

The subject matter, duration, nature, purpose, types of personal data, and categories of Data Subjects covered by this DPA are described in Annex A (Processing Details). The duration of processing is for the term of the Customer's subscription to the Service, plus any retention periods set out in the NORJI Privacy Policy or required by applicable law.

4. Customer Instructions

NORJI will process Customer Personal Data only on the Customer's documented instructions. The Customer's documented instructions are the NORJI Terms of Service, this DPA, the configuration and use of the Service by the Customer (including the commands the Customer or its authorised users send to the Service), and any further written instructions agreed between the parties.

NORJI will inform the Customer if, in its opinion, an instruction infringes the UK GDPR or other applicable data protection law.

5. Processor Obligations

NORJI will:

Process Customer Personal Data only as set out in this DPA and as instructed by the Customer;
Ensure that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations;
Implement and maintain the technical and organisational security measures described in Annex B;
Engage Sub-processors only in accordance with Section 7;
Assist the Customer, taking into account the nature of the processing and the information available to NORJI, in fulfilling its obligations to respond to Data Subject requests under Articles 12 to 23 UK GDPR (see Section 8);
Assist the Customer in ensuring compliance with its obligations under Articles 32 to 36 UK GDPR (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of the processing and the information available to NORJI;
At the Customer's choice, delete or return all Customer Personal Data after the end of the provision of the Service, in accordance with Section 11;
Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 UK GDPR, and allow for and contribute to audits, in accordance with Section 10.

6. Confidentiality

NORJI will treat Customer Personal Data as confidential and will not disclose it to any third party except (a) to Sub-processors engaged in accordance with Section 7, (b) where required by law (in which case NORJI will, where lawfully permitted, notify the Customer in advance), or (c) with the Customer's prior written authorisation.

7. Sub-processors

The Customer authorises NORJI to engage Sub-processors to process Customer Personal Data, subject to the conditions set out in this Section.

7.1 Current Sub-processors

NORJI currently engages the following Sub-processors. This list is also maintained in the NORJI Privacy Policy.

Sub-processor	Purpose	Location	Transfer safeguard
Anthropic, PBC	AI language model processing — command understanding, drafting, classification	USA	Standard Contractual Clauses (SCCs) and the UK Addendum. Anthropic Privacy Policy
OpenAI, L.L.C.	Supplemental AI language and embeddings processing where used	USA	Standard Contractual Clauses (SCCs) and the UK Addendum. OpenAI Privacy Policy
Stripe Payments Europe, Ltd.	Subscription billing, payment processing	Ireland (with parent operations in the USA)	UK adequacy decision / Standard Contractual Clauses. Stripe Privacy Policy
Vercel Inc.	Website and edge function hosting	USA / EEA	Standard Contractual Clauses (SCCs). Vercel Privacy Policy
Railway Corp.	Backend API hosting	USA	Standard Contractual Clauses (SCCs). Railway Privacy Policy
Telegram FZ-LLC	Message delivery interface between Customer's authorised users and the NORJI bot	UAE / distributed	Telegram's data processing terms. Telegram Privacy Policy

No-training contracts. NORJI uses Anthropic's and OpenAI's enterprise APIs under contracts that prohibit the use of Customer Personal Data to train, retrain, or improve their general-purpose models. Customer Personal Data submitted via the Service is not added to any AI training dataset.

7.2 Sub-processor Obligations

Before engaging any Sub-processor, NORJI will enter into a written contract with the Sub-processor that imposes data protection obligations no less protective than those set out in this DPA. NORJI remains liable to the Customer for any failure by a Sub-processor to fulfil its data protection obligations.

7.3 Changes to Sub-processors

NORJI will give the Customer prior written notice (by email to the account holder, or by a notice on this page) of the addition or replacement of any Sub-processor, including details of the processing to be undertaken. The Customer may object to the change on reasonable data protection grounds within 14 days of the notice. If the Customer reasonably objects and the parties cannot agree a resolution, the Customer may terminate the affected portion of the Service without penalty.

8. Data Subject Rights

Taking into account the nature of the processing, NORJI will assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to requests for the exercise of Data Subject rights under the UK GDPR (including rights of access, rectification, erasure, restriction, portability, and objection).

If a Data Subject contacts NORJI directly with a request relating to Customer Personal Data, NORJI will (unless legally required to respond) refer the Data Subject to the Customer and notify the Customer of the request without undue delay.

The Customer is responsible for verifying the identity of the Data Subject and for the substantive response. NORJI may charge for assistance that is excessive or repetitive, on a time-and-materials basis at standard rates.

9. Security Measures

NORJI implements and maintains appropriate technical and organisational measures designed to protect Customer Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. The current measures are described in Annex B. NORJI may update these measures from time to time, provided the level of security is not materially decreased.

10. Audit Rights

NORJI will, on the Customer's written request and no more than once in any 12-month period (except where required following a Personal Data Breach or by a competent supervisory authority), make available to the Customer information reasonably necessary to demonstrate compliance with this DPA. This may include responses to a written security questionnaire, copies of relevant third-party audit reports (where available under confidentiality), and a written description of the technical and organisational measures.

Where the information made available is not reasonably sufficient and the Customer wishes to conduct an on-site audit, the Customer may do so with at least 30 days' written notice, at a mutually agreed time, during normal business hours, subject to NORJI's reasonable confidentiality and security requirements, and at the Customer's cost. The audit will not unreasonably interfere with NORJI's operations.

11. Personal Data Breach Notification

NORJI will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent then known:

A description of the nature of the Personal Data Breach;
The categories and approximate number of Data Subjects and personal data records concerned;
The likely consequences of the Personal Data Breach;
The measures taken or proposed to address the Personal Data Breach and to mitigate its possible adverse effects;
A point of contact at NORJI from whom further information can be obtained.

Where complete information is not available at the time of initial notification, NORJI will provide updates as soon as reasonably possible. Notification of a Personal Data Breach is not in itself an admission of fault or liability by NORJI.

12. International Transfers

To the extent that NORJI or any Sub-processor transfers Customer Personal Data outside the United Kingdom or the European Economic Area, NORJI will ensure that such transfers are made subject to an appropriate transfer mechanism under the UK GDPR or the EU GDPR, including:

UK adequacy regulations or European Commission adequacy decisions, where available;
The Standard Contractual Clauses approved by the UK Information Commissioner's Office or the European Commission, as applicable, including the UK International Data Transfer Addendum where transfers are made from the UK;
Any other lawful transfer mechanism recognised by applicable data protection law.

The transfer safeguards for each Sub-processor are listed in Section 7.1.

13. Return or Deletion of Customer Personal Data

On termination or expiry of the Customer's subscription to the Service, NORJI will, at the Customer's choice and as set out in the NORJI Privacy Policy:

Delete all Customer Personal Data within 30 days; or
Return all Customer Personal Data to the Customer in a structured, commonly used, machine-readable format on reasonable written request.

NORJI may retain Customer Personal Data to the extent and for the period required by applicable law (for example, financial and tax records). Any such retained data will continue to be protected by the security measures described in this DPA and will be deleted as soon as the legal basis for retention ends.

14. Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the NORJI Terms of Service. Nothing in this DPA limits any liability that cannot be limited under applicable law.

15. Conflict and Order of Precedence

In the event of a conflict between this DPA and the NORJI Terms of Service, this DPA prevails in respect of the processing of Customer Personal Data. In the event of a conflict between this DPA and any Standard Contractual Clauses incorporated by reference, the Standard Contractual Clauses prevail.

16. Changes to This DPA

NORJI may update this DPA from time to time. Where a change materially reduces the protection afforded to Customer Personal Data, NORJI will give the Customer at least 30 days' prior written notice. The current version will always be available at norji.co.uk/dpa.

17. Contact

Data Protection contact

NORJI Ltd
Email: hello@norji.co.uk
Subject line: "DPA enquiry"

NORJI has not appointed a statutory Data Protection Officer at present, as it is not required to do so under Article 37 UK GDPR. The contact above is the designated point of contact for data protection matters.

Annex A — Processing Details

A.1 Subject matter

The provision of the NORJI Service to the Customer, including the receipt and processing of commands, the drafting and surfacing of communications, the analysis of pipeline and compliance signals, and the integration with the Customer's connected accounts (e.g. Gmail, Google Calendar, Microsoft 365, where applicable).

A.2 Duration

The term of the Customer's subscription to the Service, plus any retention periods set out in the NORJI Privacy Policy or required by applicable law.

A.3 Nature and purpose

Hosted software-as-a-service for property professionals — the receipt of natural-language commands via Telegram (and additional channels as released), processing those commands using AI language model providers under no-training contracts, drafting communications and surfacing operational signals, and storing the resulting outputs in the Customer's isolated account.

A.4 Types of Customer Personal Data

Identifiers and contact details of the Customer's clients, leads, vendors, and counterparties (names, email addresses, phone numbers, Telegram handles where shared by the Customer);
Property-related information (addresses, listing details, viewing history, offers, completion dates);
Communication content drafted, sent, or received via the Service (emails, message drafts, summaries);
Compliance and transactional data the Customer chooses to provide (deposit-protection records, EPC details, RERA registrations, commission and fee data);
Calendar and scheduling data from connected accounts;
Any other personal data the Customer chooses to submit to the Service through commands or integrations.

A.5 Categories of Data Subjects

The Customer's clients, prospects, and leads (buyers, sellers, tenants, landlords);
The Customer's counterparties (vendors, solicitors, surveyors, agents at other firms);
The Customer's authorised users (the Customer's own employees or contractors using the Service);
Other natural persons referenced in commands, communications, or documents submitted by the Customer.

A.6 Special category data

The Service is not intended to process special category personal data (Article 9 UK GDPR) or personal data relating to criminal convictions and offences (Article 10 UK GDPR). The Customer agrees not to submit such data to the Service except where strictly necessary, lawful, and on the Customer's own established lawful basis.

Annex B — Security Measures

NORJI implements the following technical and organisational measures, which it may update from time to time provided the level of security is not materially decreased.

B.1 Encryption

TLS 1.2 or higher for all data in transit;
Encryption at rest for production databases and object storage;
Hashing of authentication credentials using industry-standard algorithms (e.g. bcrypt or argon2).

B.2 Access control

Role-based access control limiting administrative access to authorised personnel;
Multi-factor authentication for production system access;
Principle of least privilege applied to internal tooling and Sub-processor accounts;
Account isolation — Customer Personal Data is segregated by account, and one Customer's data is not accessible to another Customer.

B.3 Logging and monitoring

Audit logging of administrative actions on Customer accounts;
Server access logs retained for 90 days;
Command logs retained for 30 days for debugging and security purposes, then automatically deleted (as set out in the Privacy Policy);
Automated alerting on anomalous access patterns.

B.4 AI processing safeguards

Enterprise API contracts with AI Sub-processors that prohibit the use of Customer Personal Data to train general-purpose models;
Secret-pattern filtering applied to outbound prompts to reduce the risk of accidental disclosure of credentials and high-sensitivity tokens;
Approval-first workflow — outbound communications drafted by the Service are not sent without the Customer's explicit confirmation.

B.5 Operational security

Confidentiality obligations imposed on all personnel with access to Customer Personal Data;
Regular review of access rights;
Documented incident response procedure, including the breach notification process described in Section 11;
Backups of production data, with restore testing conducted periodically.

B.6 Vendor management

Sub-processors are selected on the basis of the technical and organisational measures they offer and the contractual data protection commitments they provide;
Sub-processor list maintained and published in this DPA and in the Privacy Policy.

— End of DPA —