Nerve Core
The Company AI Brain
 Home
Compliance

Data Processing Addendum

Last updated May 27, 2026

This Data Processing Addendum (the "DPA") applies when Nerve Core processes personal data on behalf of a customer subject to GDPR, UK GDPR, the California Consumer Privacy Act and CPRA, or other applicable data-protection laws. It supplements the Terms of Service and the Privacy Policy.

1. Scope and roles

This DPA governs the processing of personal data by Nerve Core (the "Processor" or "Service Provider") on behalf of a customer (the "Controller" or "Business") in connection with the Nerve Core platform.

For information that Nerve Core collects directly from website visitors and waitlist members, Nerve Core acts as a controller, and our Privacy Policy applies instead of this DPA.

2. Definitions

Terms such as "personal data," "processing," "controller," "processor," "data subject," "sale," and "sharing" have the meanings given in applicable law (GDPR, UK GDPR, CCPA and CPRA, and equivalent US state laws). For California purposes, Nerve Core is a "service provider" and the customer is a "business."

3. Processing instructions

Nerve Core processes personal data only on documented instructions from the customer, including:

  • To deliver the platform and services described in the Terms of Service and any applicable order form.
  • To run scans across AI assistants, build the company brain, generate capture assets, and report results.
  • To provide support, secure the service, and comply with law.

Nerve Core will not sell personal data, will not share personal data for cross-context behavioral advertising, will not retain or use personal data outside the direct business relationship with the customer, and will not combine personal data received from the customer with personal data from other sources, except as permitted by applicable law and as required to operate the service.

If Nerve Core believes an instruction violates applicable law, we will notify the customer.

4. Subprocessors

The customer authorizes Nerve Core to engage subprocessors to deliver the service. A current list is available at /subprocessors. We will:

  • Impose data-protection obligations on each subprocessor that are no less protective than those in this DPA.
  • Remain responsible for the acts and omissions of subprocessors that cause Nerve Core to breach this DPA.
  • Provide notice of new subprocessors at least 30 days before they begin processing personal data. The customer may object on reasonable data-protection grounds during that period.

5. Security measures

Nerve Core maintains the technical and organizational measures described in our Security Overview, including encryption in transit, encryption at rest for production data stores, access controls, authentication, logging, vulnerability management, vendor diligence, and an incident response process. We periodically review and improve these measures.

6. Data subject rights

To the extent the customer cannot fulfill a data subject request on its own through self-service controls, Nerve Core will assist the customer in responding to requests for access, correction, deletion, restriction, objection, and portability. Requests from data subjects sent directly to Nerve Core will be referred to the customer.

7. Incident notification

Nerve Core will notify the customer without undue delay, and in any case within 72 hours, after becoming aware of a personal data breach affecting customer data. The notice will include the information reasonably available to us at the time, with updates as the investigation progresses.

8. Audits

On reasonable written notice and not more than once per 12-month period (or more frequently if required by a regulator or after a confirmed incident), Nerve Core will make available the information necessary to demonstrate compliance with this DPA. This may include third-party audit reports, security questionnaires, and written responses. Onsite audits are by mutual agreement, at the customer's expense, and subject to confidentiality and security restrictions.

9. International transfers

Nerve Core is based in the United States. Where personal data subject to GDPR or UK GDPR is transferred outside the EEA or UK, the parties agree that the European Commission's Standard Contractual Clauses (Module 2 or Module 3 as applicable) and the UK International Data Transfer Addendum to the SCCs are hereby incorporated by reference and form part of this DPA. The applicable optional clauses are selected to maximize protection of data subjects. Equivalent transfer mechanisms apply for other jurisdictions as required.

10. Return and deletion

On termination or expiration of the underlying service, Nerve Core will, at the customer's choice, return or delete personal data within 90 days, subject to limited retention for backup, legal, or security purposes. The customer may request earlier deletion at any time through the platform or by emailing privacy@nervecore.io.

11. Liability

Each party's liability under this DPA is subject to the limitations in the Terms of Service. Nothing in this DPA limits a data subject's rights under applicable law.

12. Order of precedence

If there is a conflict between this DPA and the Terms of Service or any order form, this DPA prevails for matters of personal data processing. Standard Contractual Clauses prevail over this DPA where they apply.

Need a signed copy?Customers under GDPR, UK GDPR, or comparable laws can request a countersigned DPA by emailing privacy@nervecore.io with their company name, contact, and jurisdiction.