Data Processing Addendum
Data-processing terms between Nupick and business or enterprise customers who act as data controllers.
This DPA applies to business and enterprise customers acting as data controllers, and takes effect when it is incorporated into or referenced by your agreement with Nupick. To request a countersigned copy, email hello@nupick.ai.
This Data Processing Addendum (“DPA”) forms part of, and is subject to, the Nupick Terms of Service or other written agreement between Nupick AI Private Limited (“Nupick,” “Processor,” “we,” or “us”) and the customer that has entered into that agreement (“Customer,” “Controller,” or “you”) (the “Agreement”).
This DPA applies where, and to the extent that, Nupick processes Personal Data on behalf of Customer in connection with the Services and Applicable Data Protection Laws require a data processing agreement. If there is a conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA controls. Capitalised terms not defined in this DPA have the meaning given in the Agreement.
1. Definitions
1.1 “Applicable Data Protection Laws” means all data protection and privacy laws applicable to the processing of Personal Data under this DPA, including, where applicable, the EU General Data Protection Regulation (“GDPR”), the UK GDPR, and the Indian Digital Personal Data Protection Act, 2023 (“DPDP Act”).
1.2 “Personal Data,” “Controller,” “Processor,” “Data Subject,” “Processing,” and “Personal Data Breach” have the meanings given under Applicable Data Protection Laws.
1.3 “Customer Personal Data” means Personal Data that Nupick processes on behalf of Customer under the Agreement.
1.4 “Services” means the Nupick desktop application and the related hosted services described in the Agreement, including telemetry and diagnostics, support, software updates, and account, licence, and cloud-connected features where enabled.
1.5 “Sub-processor” means any third party engaged by Nupick to process Customer Personal Data on Nupick’s behalf.
1.6 “Standard Contractual Clauses” means the contractual clauses approved by a competent authority for the transfer of Personal Data to third countries, including the European Commission’s 2021 Standard Contractual Clauses and the UK International Data Transfer Agreement or Addendum.
2. Roles of the Parties
2.1 As between the parties, Customer is the Controller and Nupick is the Processor of Customer Personal Data.
2.2 Where Customer acts as a processor on behalf of a third-party controller, Customer warrants that it is authorised to instruct Nupick as a sub-processor and that its instructions reflect that controller’s requirements.
2.3 Each party is responsible for complying with its own obligations under Applicable Data Protection Laws.
3. Scope and Local-First Exclusion
3.1 This DPA applies only to Customer Personal Data that Nupick actually processes on Customer’s behalf through the Services.
3.2 The Services are local-first. Data that remains on Customer-controlled devices — including chats, files, documents, embeddings, indexes, local memory, settings, and locally stored credentials — is not accessible to Nupick and is outside the scope of this DPA, unless and until Customer transmits it to a hosted service.
3.3 Nupick processes Customer Personal Data only where Customer transmits it through a feature that sends data outside the device, such as telemetry and diagnostics, support requests, account or licence features, software-update services, or a hosted cloud relay if one is introduced.
3.4 Where Customer configures the Services to connect directly to a third-party AI provider, connector, or data source using Customer’s own credentials or API keys, that third party acts as Customer’s own processor or as an independent controller, and is not a Sub-processor of Nupick.
4. Customer Instructions and Responsibilities
4.1 Nupick processes Customer Personal Data only on Customer’s documented instructions, including as set out in this DPA, the Agreement, the Services’ configuration and settings, and Customer’s use of the Services, unless required to process by law (in which case Nupick will, where legally permitted, inform Customer before processing).
4.2 Customer instructs Nupick to process Customer Personal Data as necessary to provide, secure, support, and maintain the Services.
4.3 Customer is responsible for the accuracy, quality, and legality of Customer Personal Data and for the lawful basis on which it was collected, including providing any required notices and obtaining any required consents.
4.4 Customer must not transmit special categories of Personal Data, or other sensitive or regulated data, through the Services except where the Services are intended for such use and Customer has a lawful basis to do so.
4.5 If Nupick believes an instruction infringes Applicable Data Protection Laws, it will inform Customer without undue delay.
5. Nupick Processing Obligations
5.1 Nupick will process Customer Personal Data only for the purposes described in Annex 1 and in accordance with this DPA.
5.2 Nupick will not sell Customer Personal Data and will not use it for its own purposes, including advertising or the training of AI models.
5.3 Nupick will ensure that persons authorised to process Customer Personal Data are subject to appropriate obligations of confidentiality.
6. Confidentiality
6.1 Nupick will keep Customer Personal Data confidential and will limit access to personnel who need access to provide, secure, or support the Services.
6.2 These confidentiality obligations survive termination of the Agreement.
7. Security
7.1 Nupick will implement and maintain appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.
7.2 The measures Nupick maintains are described in Annex 2.
7.3 No method of transmission or storage is fully secure, and Customer remains responsible for the security of its own devices, accounts, credentials, and connected services as set out in the Agreement.
8. Sub-processors
8.1 Customer provides general authorisation for Nupick to engage Sub-processors to process Customer Personal Data. The categories of Sub-processors engaged as of the effective date are listed in Annex 3.
8.2 Nupick will impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains responsible for each Sub-processor’s performance of those obligations.
8.3 Nupick will make available a list of Sub-processors and will give Customer reasonable prior notice of any intended addition or replacement, giving Customer the opportunity to object on reasonable data-protection grounds.
9. Data Subject Requests
9.1 Taking into account the nature of the processing, Nupick will assist Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws.
9.2 If Nupick receives a request from a Data Subject that relates to Customer Personal Data, it will, where legally permitted, refer the Data Subject to Customer and will not respond directly except on Customer’s instruction.
10. Assistance to Customer
10.1 Nupick will provide Customer with reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to Nupick.
11. Personal Data Breach Notification
11.1 Nupick will notify Customer without undue delay, and where feasible within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.
11.2 The notification will describe, to the extent known, the nature of the breach, its likely consequences, and the measures taken or proposed to address it, and Nupick will provide further information as it becomes available.
11.3 A notification under this Section is not an acknowledgement of fault or liability.
11.4 Security incidents affecting only data on Customer-controlled local devices are outside Nupick’s control and responsibility.
12. International Transfers
12.1 Nupick and its Sub-processors may process Customer Personal Data in countries other than the country in which it was collected.
12.2 Where such processing involves a transfer that requires a safeguard under Applicable Data Protection Laws, the parties will rely on an approved transfer mechanism, including an adequacy decision or the Standard Contractual Clauses, which are incorporated by reference and completed by reference to Annex 1.
13. Audits and Records
13.1 Nupick will make available to Customer information reasonably necessary to demonstrate compliance with this DPA.
13.2 Where Applicable Data Protection Laws require, Nupick will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, subject to reasonable notice, confidentiality obligations, reasonable frequency limits, and Nupick’s security and operational requirements.
14. Deletion and Return
14.1 On expiry or termination of the Agreement, Nupick will, at Customer’s choice, delete or return the Customer Personal Data that Nupick controls, and delete existing copies, within a reasonable period not exceeding 90 days, unless storage is required by law.
14.2 Personal Data contained in routine backups and security logs will be deleted in accordance with Nupick’s standard retention cycles.
14.3 Personal Data stored on Customer-controlled devices remains Customer’s responsibility to delete.
15. Liability
15.1 Each party’s liability under or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Agreement.
16. Term
16.1 This DPA takes effect when it is incorporated into or referenced by the Agreement and remains in effect for as long as Nupick processes Customer Personal Data, after which the surviving provisions continue to apply.
17. Governing Law
17.1 This DPA is governed by the law that governs the Agreement, unless Applicable Data Protection Laws require otherwise.
Annex 1 — Details of Processing
Subject matter: Nupick’s processing of Customer Personal Data in order to provide, secure, and support the Services.
Duration: For the term of the Agreement and until deletion or return of Customer Personal Data under Section 14.
Nature and purpose of processing: Hosting and operating telemetry and diagnostics, support, software-update, and account, licence, and cloud-connected features; and securing and maintaining the Services.
Categories of Data Subjects:
- (a) Customer’s authorised users;
- (b) Customer’s employees and contractors;
- (c) Customer’s business contacts;
- (d) individuals whose Personal Data appears in content that Customer transmits to a hosted service.
Categories of Personal Data:
- (a) account and identity data, where accounts are used;
- (b) contact data;
- (c) support data, including messages, attachments, and diagnostics that Customer submits;
- (d) telemetry and diagnostic data, including device and application information, logs, and event data;
- (e) software-update and licence-status data;
- (f) cloud-model request metadata, and cloud request content where a hosted relay is used;
- (g) connector metadata, where transmitted to a hosted service.
Special categories of Personal Data: Not intended to be processed. Customer should not transmit special-category data through the Services except as expressly provided in the Agreement.
Annex 2 — Technical and Organisational Security Measures
Nupick maintains measures that include:
- (a) a local-first architecture that minimises the Personal Data transmitted off the device;
- (b) encryption of data in transit for communications with Nupick’s servers;
- (c) protection of API keys and connector credentials using the operating-system keychain, where supported, on the user’s device;
- (d) signed installers and signed or verified software updates;
- (e) access controls and the principle of least privilege for personnel;
- (f) logical separation and protection of telemetry and support infrastructure;
- (g) retention limits, including retention of beta telemetry and logs until the relevant issue is resolved or for a maximum of 15 days, whichever is earlier, unless longer retention is required for security, legal, abuse-prevention, or dispute reasons;
- (h) logging and monitoring of relevant systems;
- (i) incident-response procedures.
Annex 3 — Sub-processors
The categories of Sub-processors that Nupick may engage include:
- (a) cloud hosting and infrastructure providers;
- (b) telemetry, logging, and diagnostics infrastructure providers;
- (c) identity and authentication providers, where account features are used;
- (d) payment processors, where paid features are used;
- (e) customer-support tooling providers;
- (f) software-update distribution providers.
Third-party AI providers, connectors, and data sources that Customer connects directly using Customer’s own credentials are not Sub-processors of Nupick, as described in Section 3.4.