This Data Processing Agreement (“DPA”) forms part of the Terms of Service between narve.ai (the “Processor”) and the customer (the “Controller”), and applies where narve.ai processes personal data on behalf of the Controller in the course of providing the Service.
This DPA is drafted to support compliance with the UK General Data Protection Regulation, the EU General Data Protection Regulation (GDPR), and the UK Data Protection Act 2018.
“Personal Data” means any information relating to an identified or identifiable natural person as defined under applicable data protection law.
“Processing” means any operation performed on Personal Data, whether or not by automated means.
“GDPR” means the UK GDPR and the EU GDPR, as applicable.
“Data Subject” means an identified or identifiable natural person whose Personal Data is processed under this DPA.
narve.ai processes Personal Data only to the extent necessary to deliver the prediction market intelligence service to the Controller. Typical processing activities include:
narve.ai acts as a Data Processor when processing Personal Data on behalf of the Controller, and as a Data Controller for its own independent processing (e.g. account management, billing, legal obligations).
narve.ai shall:
3.1 Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country.
3.2 Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
3.4 Not engage any sub-processor without prior authorisation. The Controller provides general authorisation for the sub-processors listed in Section 7 and will be informed of any intended changes at least 30 days in advance, with the right to object.
3.5 Assist the Controller, taking into account the nature of the processing and the information available to narve.ai, in fulfilling the Controller’s obligations regarding:
3.6 At the Controller’s choice, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless retention is required by law.
3.7 Make available to the Controller all information necessary to demonstrate compliance with the obligations under this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
narve.ai will, insofar as possible and taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures in responding to requests from Data Subjects exercising their rights under applicable data protection law (access, rectification, erasure, restriction, portability, and objection).
Self-service controls are available from Account Settings for account holders, and account deletion can be initiated from Profile Settings.
narve.ai shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach that is likely to result in a risk to the rights and freedoms of Data Subjects.
The notification will include, at a minimum:
Personal Data may be transferred to, and processed in, countries outside the United Kingdom and the European Economic Area. Where such transfers occur, narve.ai ensures that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission and the UK Information Commissioner, and any supplementary measures required by case law.
The following sub-processors are authorised to process Personal Data on behalf of narve.ai as of the effective date above. The primary application database is hosted on narve.ai’s own infrastructure — there is no third-party database sub-processor.
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | CDN, DDoS protection, WAF, and secure tunnel for inbound traffic | Global (edge network) |
| Functional Software, Inc. (Sentry) | Error monitoring and crash reporting (anonymised) | United States |
| Stripe, Inc. | Payment processing (active where billing is enabled) | United States / Ireland |
| MailChannels / SMTP relay | Transactional email delivery (account, security, billing messages) | Varies by deployment |
| Anthropic PBC | AI model inference for Signal Search (prompt data only, no stored PII) | United States |
The current list of sub-processors is also available on request from [email protected]. We will notify the Controller of any material changes to this list with at least 30 days’ notice.
narve.ai will provide the Controller with the information necessary to demonstrate compliance with this DPA. On reasonable written notice and no more than once per calendar year (except where required by a supervisory authority or following a Personal Data breach), the Controller may request an audit of narve.ai’s processing activities relevant to this DPA, subject to reasonable confidentiality obligations.
This DPA remains in force for the duration of the service agreement between the Controller and narve.ai. On termination, narve.ai will delete or return all Personal Data within 30 days at the Controller’s choice, unless retention is required by applicable law.
The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the underlying service agreement. Nothing in this DPA excludes or limits a party’s liability where such exclusion or limitation is prohibited by applicable law.
This DPA is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales, without prejudice to any mandatory rules of the Controller’s place of establishment.
Where narve.ai is established outside the European Union and the GDPR applies to our processing of Personal Data of Data Subjects in the EU, we will appoint (or have appointed) a representative in the Union pursuant to Article 27 GDPR.
Current EU representative: to be confirmed. Until a representative is formally appointed, EU Data Subjects and supervisory authorities may address representation-related enquiries to [email protected] with subject line “EU Art. 27 representative”. We commit to publishing the appointed representative’s contact details here as soon as the appointment is in force.
Addressing correspondence to the EU representative does not preclude also contacting narve.ai directly; it provides an additional contact option for Data Subjects and supervisory authorities within the Union.
Where narve.ai is established outside the United Kingdom and the UK GDPR applies to our processing of Personal Data of Data Subjects in the UK, we will appoint (or have appointed) a representative in the United Kingdom pursuant to Article 27 UK GDPR.
Current UK representative: to be confirmed. Until a representative is formally appointed, UK Data Subjects and the Information Commissioner’s Office may address representation-related enquiries to [email protected] with subject line “UK Art. 27 representative”. The appointed representative’s contact details will be published here as soon as the appointment is in force.
To request a countersigned copy of this DPA, to raise a data protection query, or to notify narve.ai of a change in your processing instructions, please contact:
Legal & DPA requests: [email protected]
Privacy & Data Subject rights: [email protected]
For enterprise DPA requests, please include your company name, registration number, Data Protection Officer contact details, and a short description of the processing activities in scope.