This Data Processing Addendum ("DPA") forms part of and supplements the Terms of Service or Master Service Agreement (the "Agreement") between Elnora AI, Inc. or Elnora AI OU (collectively, "Elnora," "we," or "us") and the customer entity ("Customer," "you," or "your") governing Customer's use of the Elnora platform and services. This DPA applies to Elnora's processing of Customer Personal Data.
Capitalized terms used but not defined in this DPA have the meanings set forth in the Agreement. If there is any conflict between the terms of this DPA and the Agreement, the terms of this DPA shall govern with respect to data protection matters.
1. Definitions
"Applicable Data Protection Laws" means all applicable privacy, data protection, and data security laws and regulations, including, where applicable: (i) the General Data Protection Regulation (EU) 2016/679 ("GDPR"); (ii) the UK General Data Protection Regulation and the UK Data Protection Act 2018 ("UK GDPR"); (iii) the Swiss Federal Act on Data Protection ("FADP"); (iv) the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"); and (v) any other applicable data protection laws.
"Controller" means the natural or legal person that determines the purposes and means of the processing of Personal Data. For purposes of the CCPA, "Controller" includes "business" as defined therein.
"Customer Data" means all data, content, materials, and information that Customer or Authorized Users upload, submit, or otherwise provide to the Platform.
"Customer Personal Data" means Personal Data contained within Customer Data that Elnora processes as a Processor on behalf of Customer.
"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
"Data Subject Request" means a request from a Data Subject to exercise their rights under Applicable Data Protection Laws.
"EEA" means the European Economic Area.
"Personal Data" means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Laws.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
"Processing" (and "Process") means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction.
"Processor" means a natural or legal person that processes Personal Data on behalf of a Controller. For purposes of the CCPA, "Processor" includes "service provider" as defined therein.
"Restricted Transfer" means a transfer of Personal Data from the EEA, UK, or Switzerland to a country not recognized as providing an adequate level of data protection.
"SCCs" means the Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021.
"Subprocessor" means a third party engaged by Elnora to Process Customer Personal Data.
"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner.
2. Scope and Roles
2.1 Roles of the Parties
With respect to Customer Personal Data:
- Customer is the Controller (or acts as a Processor on behalf of a third-party Controller); and
- Elnora is the Processor (or sub-Processor, as applicable) acting on Customer's behalf.
Each party will comply with its respective obligations under Applicable Data Protection Laws.
2.2 Customer Responsibilities
Customer is responsible for:
(a) Ensuring it has all necessary rights, consents, and legal bases to provide Customer Personal Data to Elnora for Processing;
(b) Ensuring that Customer's instructions to Elnora comply with Applicable Data Protection Laws;
(c) Determining whether Elnora's security measures are appropriate for Customer's use case; and
(d) Responding to Data Subject Requests received directly from Data Subjects.
2.3 Processing Instructions
Elnora will Process Customer Personal Data only:
(a) To provide the Platform and services under the Agreement;
(b) In accordance with Customer's documented instructions as set forth in this DPA and the Agreement;
(c) As required by applicable law (in which case Elnora will inform Customer of such requirement, unless prohibited by law); and
(d) As otherwise agreed in writing between the parties.
If Elnora believes an instruction from Customer violates Applicable Data Protection Laws, Elnora will promptly inform Customer and may suspend Processing until the parties resolve the issue.
3. Processing Details
3.1 Subject Matter and Purpose
The subject matter of the Processing is Customer's use of the Elnora Platform for AI-powered biomedical protocol generation and optimization. The purpose is to provide the services described in the Agreement.
3.2 Duration
Processing continues for the duration of the Agreement, plus any post-termination retention period required for data return or deletion.
3.3 Categories of Data Subjects
Data Subjects may include:
- Customer's employees and contractors
- Customer's authorized users
- Researchers and scientists
- Any individuals whose Personal Data is included in Customer Data
3.4 Categories of Personal Data
Categories may include:
- Contact information (name, email, phone)
- Account credentials and authentication data
- User activity and usage logs
- IP addresses and device identifiers
- Any Personal Data included in protocols, experimental data, or research materials submitted by Customer
3.5 Sensitive Data
Customer represents and warrants that Customer Personal Data does not include, and Customer will not submit to the Platform, any:
(a) Protected health information (PHI) subject to HIPAA without a separate Business Associate Agreement;
(b) Genetic or genomic data of identifiable individuals without documented informed consent;
(c) Financial account credentials or payment card data subject to PCI-DSS;
(d) Government-issued identification numbers (e.g., Social Security numbers); and
(e) Special categories of data under GDPR Article 9 (racial/ethnic origin, political opinions, religious beliefs, trade union membership, health data, sex life, sexual orientation, biometric data for identification), unless Customer has obtained explicit consent and has a lawful basis.
4. CCPA Compliance
Where the CCPA applies, Elnora certifies that it:
(a) Will not "sell" or "share" Customer Personal Data as those terms are defined under the CCPA;
(b) Will not retain, use, or disclose Customer Personal Data for any purpose other than providing the services under the Agreement, or as otherwise permitted by the CCPA;
(c) Will not retain, use, or disclose Customer Personal Data outside of the direct business relationship with Customer;
(d) Will not combine Customer Personal Data with Personal Data received from other sources, except as permitted by Applicable Data Protection Laws; and
(e) Will comply with all applicable CCPA requirements for service providers.
5. No Training on Customer Data
Elnora does not train artificial intelligence or machine learning models on Customer Personal Data. Elnora uses existing foundation models provided by third-party AI providers. Customer Personal Data will never be used to train, fine-tune, or improve AI models without Customer's explicit written consent.
Elnora's third-party AI providers are contractually prohibited from using Customer Data for model training. A list of subprocessors, including AI providers, is available at trust.elnora.ai/subprocessors.
6. Security Measures
6.1 Technical and Organizational Measures
Elnora implements and maintains technical and organizational security measures designed to protect Customer Personal Data, as described in Schedule 1 (Technical and Organizational Measures). These measures include:
(a) Encryption at Rest: AES-256 encryption for all stored Customer Data;
(b) Encryption in Transit: TLS 1.2 or higher for all data transmission;
(c) Access Controls: Role-based access controls, multi-factor authentication, and principle of least privilege;
(d) Data Separation: Logical separation of Customer Data between customers;
(e) Security Monitoring: Continuous monitoring, logging, and incident detection;
(f) Personnel Security: Background checks, confidentiality agreements, and security training for all personnel with access to Customer Data.
6.2 Security Certifications
Elnora maintains SOC 2 Type 2 certification and aligns its security program with ISO 27001 standards. Current certifications and security documentation are available at trust.elnora.ai.
6.3 Updates to Security Measures
Elnora may update security measures from time to time, provided that updates do not materially reduce the overall security of Customer Personal Data.
7. Subprocessors
7.1 Authorization
Customer grants Elnora general written authorization to engage Subprocessors to Process Customer Personal Data as necessary to provide the services.
7.2 Subprocessor Obligations
Elnora will:
(a) Enter into written agreements with each Subprocessor imposing data protection obligations substantially similar to those in this DPA;
(b) Require Subprocessors to implement appropriate technical and organizational measures;
(c) Prohibit Subprocessors from Processing Customer Personal Data for any purpose other than providing services to Elnora; and
(d) Remain liable to Customer for the acts and omissions of its Subprocessors.
7.3 List of Subprocessors
A current list of Subprocessors is available at trust.elnora.ai/subprocessors.
7.4 Notification of Changes
Elnora will provide at least thirty (30) days' notice before engaging a new Subprocessor that will Process Customer Personal Data. Customer may subscribe to notifications at trust.elnora.ai.
7.5 Objection to New Subprocessors
Customer may object to a new Subprocessor by providing written notice to privacy@elnora.ai within fifteen (15) days of receiving notification, stating reasonable data protection grounds for the objection. If Customer objects:
(a) The parties will work in good faith to find a mutually acceptable resolution;
(b) If no resolution is reached within thirty (30) days, Customer may terminate the affected services by providing written notice; and
(c) Such termination will not relieve Customer of fees owed for services rendered prior to termination.
If Customer does not object within the fifteen (15) day period, Customer is deemed to have accepted the new Subprocessor.
8. Data Subject Rights
8.1 Customer Responsibility
Customer is responsible for responding to Data Subject Requests. Elnora provides self-service functionality within the Platform to assist Customer in fulfilling such requests.
8.2 Elnora Assistance
Upon Customer's written request, and taking into account the nature of the Processing, Elnora will provide reasonable assistance to enable Customer to respond to Data Subject Requests, to the extent Customer cannot fulfill such requests independently through the Platform.
8.3 Requests Received by Elnora
If Elnora receives a Data Subject Request directly, Elnora will:
(a) Promptly notify Customer (unless prohibited by law);
(b) Advise the Data Subject to submit their request to Customer; and
(c) Not respond to the request without Customer's authorization, unless required by law.
9. Personal Data Breach Notification
9.1 Notification
Elnora will notify Customer of any Personal Data Breach without undue delay, and in any event within seventy-two (72) hours of Elnora confirming that a Personal Data Breach has occurred.
9.2 Notification Content
Elnora's notification will include, to the extent known:
(a) The nature of the Personal Data Breach;
(b) Categories and approximate number of Data Subjects affected;
(c) Categories and approximate number of Personal Data records affected;
(d) The likely consequences of the Personal Data Breach;
(e) Measures taken or proposed to address the Personal Data Breach; and
(f) Contact details for Elnora's point of contact.
Information may be provided in phases as it becomes available.
9.3 Assistance
Elnora will provide reasonable assistance to Customer in:
(a) Investigating the Personal Data Breach;
(b) Complying with Customer's notification obligations to supervisory authorities and Data Subjects; and
(c) Mitigating the effects of the Personal Data Breach.
9.4 No Admission
Elnora's notification of, or response to, a Personal Data Breach will not be construed as an acknowledgment of fault or liability.
10. Audits and Compliance
10.1 Audit Reports
Upon Customer's written request (no more than once annually), and subject to confidentiality obligations, Elnora will provide:
(a) A copy of Elnora's most recent SOC 2 Type 2 report;
(b) Summaries of penetration testing results; and
(c) Such other documentation reasonably necessary to demonstrate compliance with this DPA.
Customer agrees that these audit reports satisfy any audit rights granted under Applicable Data Protection Laws, except where additional audit is legally required.
10.2 On-Site Audit
Where Applicable Data Protection Laws require additional audit rights, or where audit reports are insufficient to demonstrate compliance, Customer may conduct or commission an audit, subject to:
(a) At least thirty (30) days' prior written notice;
(b) Conducting the audit during Elnora's regular business hours;
(c) Using an independent third-party auditor bound by confidentiality obligations;
(d) Limiting the audit to once per twelve (12) month period (unless required by a supervisory authority or in response to a Personal Data Breach);
(e) Restricting findings to information relevant to Customer; and
(f) Customer bearing all costs of the audit.
10.3 Data Protection Impact Assessment
Upon Customer's written request, Elnora will provide reasonable assistance with Customer's data protection impact assessments and consultations with supervisory authorities, to the extent required by Applicable Data Protection Laws.
11. International Data Transfers
11.1 Transfer Authorization
Customer authorizes Elnora to transfer Customer Personal Data to countries outside the EEA, UK, or Switzerland as necessary to provide the services, subject to appropriate safeguards under Applicable Data Protection Laws.
11.2 Standard Contractual Clauses
For Restricted Transfers, the parties agree that the SCCs apply as follows:
For transfers from the EEA:
(a) Module Two (Controller to Processor) applies where Customer is a Controller;
(b) Module Three (Processor to Processor) applies where Customer is a Processor;
(c) Clause 7 (docking clause) applies;
(d) In Clause 9, Option 2 (general authorization) applies, with the notice period as set forth in Section 7.4;
(e) In Clause 11, the optional redress language does not apply;
(f) In Clause 17, Option 1 applies, governed by the laws of Ireland;
(g) In Clause 18(b), disputes are resolved before the courts of Ireland;
(h) Annex I is completed per this DPA and Schedule 2; and
(i) Annex II is completed per Schedule 1 of this DPA.
11.3 UK Addendum
For transfers from the UK subject to UK GDPR, the UK Addendum applies, completed as follows:
(a) Tables 1-3 are completed with information from this DPA and the SCCs; and
(b) In Table 4, "Importer" is selected as the party that may end the UK Addendum.
11.4 Swiss Transfers
For transfers from Switzerland subject to the FADP:
(a) References to GDPR are interpreted as references to the FADP;
(b) The competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner;
(c) The SCCs are governed by Swiss law; and
(d) Disputes are resolved before the courts of Switzerland.
11.5 Alternative Transfer Mechanisms
If a transfer mechanism is invalidated, Elnora will work with Customer to implement an alternative lawful transfer mechanism.
12. Data Retention and Deletion
12.1 Retention During Agreement
Elnora retains Customer Personal Data for the duration of the Agreement as necessary to provide the services.
12.2 Post-Termination
Upon termination or expiration of the Agreement:
(a) Elnora will make Customer Data available for export for sixty (60) days;
(b) Following the export period, Elnora will delete Customer Personal Data within thirty (30) days, except where retention is required by applicable law or necessary to resolve disputes; and
(c) Backup copies will be deleted in accordance with Elnora's standard backup rotation schedule, not to exceed ninety (90) days.
12.3 Deletion Certification
Upon Customer's written request, Elnora will provide written confirmation that Customer Personal Data has been deleted in accordance with this Section 12.
13. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Agreement. Nothing in this DPA limits either party's liability for:
(a) Fraud or fraudulent misrepresentation;
(b) Death or personal injury caused by negligence; or
(c) Any liability that cannot be limited by applicable law.
14. General
14.1 Order of Precedence
In the event of conflict, the following order of precedence applies: (1) the SCCs (if applicable); (2) this DPA; (3) the Agreement.
14.2 Amendments
Elnora may update this DPA from time to time to reflect changes in Applicable Data Protection Laws. Material changes will be communicated with at least thirty (30) days' notice.
14.3 Contact Information
For questions about this DPA or data protection matters, contact:
Data Protection Officer: Carmen Kivisild (privacy@elnora.ai)
Legal: legal@elnora.ai
Schedule 1: Technical and Organizational Measures
Elnora implements and maintains the following technical and organizational measures to protect Customer Personal Data:
1. Encryption
| Measure | Implementation |
|---|---|
| Encryption at Rest | AES-256 encryption for all stored data |
| Encryption in Transit | TLS 1.2 or higher for all network communications |
| Key Management | Keys stored in AWS KMS with annual rotation |
2. Access Controls
| Measure | Implementation |
|---|---|
| Authentication | Multi-factor authentication required for production systems |
| Authorization | Role-based access controls (RBAC) with principle of least privilege |
| Password Policy | Minimum 16 characters (human accounts), 32 characters (service accounts), complexity requirements, no reuse of last 24 passwords |
| Account Lockout | Automatic lockout after 6 failed attempts |
| Access Reviews | Quarterly reviews of all access privileges |
| Termination | Access revoked within 24 business hours of employment end |
3. Data Separation
| Measure | Implementation |
|---|---|
| Logical Separation | Customer Data stored in logically separated databases |
| No Cross-Customer Access | Customer Data never mixed or used as input for other customers |
| Environment Separation | Production, staging, and development environments are separated |
4. Network Security
| Measure | Implementation |
|---|---|
| Firewalls | Network firewalls with restrictive ingress/egress rules |
| Intrusion Detection | Continuous monitoring for suspicious activity |
| DDoS Protection | Cloud-based DDoS mitigation |
5. Monitoring and Logging
| Measure | Implementation |
|---|---|
| Audit Logging | All access to Customer Data is logged with timestamps and user IDs |
| Log Retention | Security logs retained for a minimum of 13 months |
| SIEM | Centralized security information and event management |
| Alerting | Real-time alerts for security events |
6. Vulnerability Management
| Measure | Implementation |
|---|---|
| Vulnerability Scanning | Quarterly scans of public-facing systems |
| Penetration Testing | Annual penetration testing by qualified third parties |
| Remediation SLAs | Critical: 7 days; High: 30 days; Medium: 90 days; Low: 180 days |
| Patch Management | Regular patching of systems and dependencies |
7. Personnel Security
| Measure | Implementation |
|---|---|
| Background Checks | Pre-employment background screening |
| Confidentiality | All employees sign confidentiality agreements |
| Security Training | Annual security awareness training |
| Acceptable Use | Documented acceptable use policies |
8. Business Continuity
| Measure | Implementation |
|---|---|
| Backups | Daily encrypted backups with geographic redundancy |
| Disaster Recovery | Documented DR plan with annual testing |
| Incident Response | Documented incident response procedures |
9. Physical Security
| Measure | Implementation |
|---|---|
| Cloud Infrastructure | AWS data centers with SOC 2 and ISO 27001 certifications |
| Endpoint Security | Encrypted laptops, MDM for company devices |
10. Third-Party Management
| Measure | Implementation |
|---|---|
| Vendor Assessment | Security due diligence before engagement |
| Contractual Protections | Data protection clauses in vendor agreements |
| Annual Reviews | Annual security reviews of critical vendors |
Schedule 2: Processing Details
A. List of Parties
Data Exporter (Controller/Processor):
- Name: Customer (as identified in the Agreement)
- Address: As specified in the Agreement
- Contact: As specified in the Agreement
- Activities: Use of Elnora Platform for biomedical protocol generation
- Role: Controller (or Processor, if acting on behalf of a third-party Controller)
Data Importer (Processor):
- Name: Elnora AI, Inc. (or Elnora AI OU, as applicable)
- Address: 48 South Rio Grande Street, Salt Lake City, UT 84101, USA
- Contact: privacy@elnora.ai
- Activities: Provision of AI-powered biomedical protocol generation platform
- Role: Processor (or sub-Processor)
B. Description of Transfer
| Element | Details |
|---|---|
| Categories of Data Subjects | Customer employees, authorized users, researchers, individuals whose data is included in Customer Data |
| Categories of Personal Data | Contact information, account credentials, usage logs, IP addresses, Personal Data in submitted research data |
| Sensitive Data | None (unless Customer has appropriate safeguards and legal basis) |
| Frequency of Transfer | Continuous, for the duration of the Agreement |
| Nature of Processing | Collection, storage, organization, retrieval, use, disclosure for providing AI-powered protocol generation services |
| Purpose of Processing | To provide the Elnora Platform and services under the Agreement |
| Retention Period | Duration of Agreement plus post-termination export/deletion period |
C. Competent Supervisory Authority
- EEA: The supervisory authority of the EU Member State where Customer is established, or the Irish Data Protection Commission if Customer has no EU establishment
- UK: UK Information Commissioner's Office
- Switzerland: Swiss Federal Data Protection and Information Commissioner
Schedule 3: List of Subprocessors
A current list of Elnora's Subprocessors is maintained at:
https://trust.elnora.ai/subprocessors
Customers may subscribe to receive notifications of changes to this list.
Primary Subprocessors include:
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and hosting | United States, EU |
| Anthropic | AI/LLM services | United States |
| Microsoft Azure (OpenAI) | AI/LLM services | United States |
| Google Cloud Platform | AI/LLM services | United States |
All Subprocessors are bound by data processing agreements requiring equivalent data protection standards to this DPA, and are prohibited from using Customer Data for model training.