Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Inori ("Processor") and the organization using the Service ("Controller"). This DPA governs the processing of personal data by Inori on behalf of the Controller.
Definitions
- Personal Data — Any information relating to an identified or identifiable natural person, as defined by applicable data protection laws.
- Processing — Any operation performed on personal data, including collection, storage, retrieval, analysis, transmission, and deletion.
- Sub-processor — A third party engaged by Inori to process personal data on behalf of the Controller.
- Data Subject — The individual to whom personal data relates.
Scope of Processing
Inori processes personal data solely to provide the Service as described in the Terms of Service. The categories of data processed include:
- Contact information — Names and email addresses of team members and vendors.
- Certificate data — Insurance certificate content submitted for compliance analysis.
- Usage data — Service interaction logs, IP addresses, and session information.
Processing occurs for the duration of the Controller's subscription and for 90 days following termination to enable data export.
Controller Obligations
The Controller warrants that it has a lawful basis for providing personal data to Inori and that it has provided appropriate notice to data subjects regarding the processing.
Security Measures
Inori implements appropriate technical and organizational measures to protect personal data, including:
- Encryption of data at rest (AES-256) and in transit (TLS 1.3).
- Role-based access controls for all internal systems.
- Regular access reviews and principle of least privilege.
- Automated vulnerability scanning and annual penetration testing.
- Employee security training and confidentiality agreements.
Sub-processors
Inori uses the following sub-processors:
| Sub-processor | Purpose | Location | Privacy Policy |
|---|---|---|---|
| Supabase | Database hosting and authentication | United States | supabase.com/privacy |
| Stripe | Payment processing | United States | stripe.com/privacy |
| Anthropic (Claude API) | AI document analysis | United States | anthropic.com/privacy |
| PostHog | Product analytics (session-level, anonymized) | United States / EU | posthog.com/privacy |
| Sentry | Error monitoring and performance tracing | United States | sentry.io/privacy |
| Resend | Transactional email delivery | United States | resend.com/privacy |
PostHog and Sentry note: Both sub-processors receive session metadata and error traces that may incidentally include email addresses or tenant identifiers. Data is retained for 90 days. Users may opt out of PostHog and Sentry capture independently via Settings → Privacy, or by sending the `Sec-GPC: 1` header (Global Privacy Control), which Inori honors automatically.
Inori will notify the Controller at least 30 days before engaging a new sub-processor. The Controller may object to a new sub-processor by contacting Inori within that period.
Data Transfers
All data is processed and stored within the United States. If data is transferred outside the United States, Inori will ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.
Data Subject Requests
Inori will assist the Controller in responding to data subject requests (access, correction, deletion, portability) by providing relevant tools and cooperation within 30 days of the request.
Breach Notification
In the event of a personal data breach, Inori will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include the nature of the breach, categories of data affected, estimated number of data subjects, and measures taken to mitigate the breach.
Audit Rights
The Controller may request information about Inori's data processing practices and security measures. Inori will make available relevant audit reports, certifications, and documentation upon reasonable request.
Termination
Upon termination of the Service, Inori will delete or return all personal data within 90 days, unless retention is required by law. The Controller may export data at any time during the subscription period.
Contact
For questions about this DPA, contact us at ask@askinori.com.