Back to homeSign in

Data Processing Addendum

Effective: 2026-04-17

Template notice. A production-grade DPA must be reviewed by counsel. Enterprise customers can request a signed DPA (including EU SCCs and UK IDTA) by emailing info@newlightai.com.

1. Parties and scope

This Addendum ("DPA") supplements the Terms of Service between Newlight Technologies, Inc. ("Processor") and the customer ("Controller") and applies to processing of Personal Data by Newlight on behalf of Controller in connection with the Service.

2. Definitions

Terms such as "Personal Data", "Data Subject", "Processing", "Controller", and "Processor" have the meanings given in Regulation (EU) 2016/679 (GDPR) and equivalent UK and US state laws.

3. Subject-matter and duration

  • Subject-matter: hosting and processing of Controller's content in the Service.
  • Duration: for the term of the customer's subscription.
  • Nature and purpose: providing an AI-assisted software delivery platform.
  • Categories of Data Subjects: Controller's employees, contractors, and end users.
  • Categories of Personal Data: names, email addresses, role, content created in the platform.

4. Obligations of Newlight (Processor)

  • Process Personal Data only on documented instructions from Controller.
  • Ensure personnel with access are subject to confidentiality obligations.
  • Implement technical and organisational measures (TOMs) described in Annex II.
  • Engage Subprocessors only under written agreements providing equivalent protections, and maintain a current list at /legal/subprocessors.
  • Assist Controller with Data Subject requests, DPIAs, and breach notifications.
  • Delete or return Personal Data at end of the Service, subject to legal retention requirements.

5. International transfers

Where Personal Data is transferred outside the EEA/UK/Switzerland to a country without an adequacy decision, the parties rely on Standard Contractual Clauses (SCCs) and, for UK transfers, the International Data Transfer Addendum (IDTA), incorporated by reference.

6. Breach notification

We notify Controller without undue delay (and in any event within 72 hours of awareness) of any Personal Data Breach affecting Controller's data, with all information reasonably required for Controller to fulfill its own notification obligations.

7. Audits

Controller may request, no more than once per year, evidence of Newlight's compliance with this DPA. We make available our latest SOC 2 report and penetration test summary under NDA.

8. Annex I — Parties

Controller: as identified in the Service account.
Processor: Newlight Solutions LLC, info@newlightai.com.
Data Protection Officer: info@newlightai.com.

9. Annex II — Technical and Organisational Measures

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Least-privilege access controls; MFA for production access.
  • Centralized audit logging of access to Personal Data.
  • Annual third-party penetration testing.
  • SOC 2 Type II audit (in progress; report available post-certification).
  • Documented incident-response runbooks and on-call rotation.
  • Automated backups with point-in-time recovery and quarterly restore drills.

10. Annex III — Subprocessors

Current list available at /legal/subprocessors. We will notify Controller at least 30 days before adding a new Subprocessor, during which Controller may object on reasonable grounds.