Data Processing Addendum
Last updated: January 17, 2026
This Data Processing Addendum (“DPA”) is entered into between Ulisse AI Ltd (d/b/a Novis), a company registered under the laws of England and Wales with registered office address in 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ, and Company number 15280517 (“Supplier”) and the Customer identified in the relevant Order Form (“Customer”) (each a “Party” and together the “Parties”). This DPA is supplemental to, and forms part of, the Customer Terms of Service or other written agreement between the Supplier and Customer (in either case, the “Agreement”).
DEFINITIONS
In this DPA, the following terms have the following meanings:
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for the purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Controller” means the entity which determines the purposes and means of the Processing of Relevant Personal Data.
“Customer Affiliate” means any of the Customer's Affiliate(s) that (a) (i) are subject to Data Protection Laws and (ii) permitted to use the Services pursuant to the Agreement between the Customer and Supplier, and have signed their own Order Form, (b) if and to the extent Supplier processes Relevant Personal Data for which such Customer Affiliate(s) qualify as the Controller.
“Data Protection Laws” means all data protection and privacy laws applicable to the respective Party in its role in the Processing of Relevant Personal Data under the Agreement. These laws may include, for example, the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the United Kingdom General Data Protection Regulation, as it forms part of UK law by virtue of section 3 of the EU (Withdrawal) Act 2018, (“UK GDPR”) and the UK Data Protection Act 2018 (collectively, “UK Data Protection Laws”), the revised Swiss Federal Act on Data Protection of 25 September 2020 ("FADP").
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“Data Subject Request” means any request from a Data Subject to exercise the rights afforded to the Data Subject under Data Protection Laws in respect of Relevant Personal Data.
“Instructions” means any reasonable instructions provided by Customer (e.g., via email or support tickets) under this DPA that are consistent with the terms of the Agreement.
“Order Form” has the meaning given to that term in the Agreement.
“Personal Data” means any data that relates to an identified or identifiable natural person, to the extent that such information is protected as personal data under Data Protection Laws.
“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity that Processes Personal Data on behalf of the Controller.
“Relevant Personal Data” means any Personal Data that is comprised in Customer Data.
“Regulator Correspondence” means any correspondence or communication received from a Supervisory Authority or other regulatory authority relating to Relevant Personal Data.
“Security Incident” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Relevant Personal Data.
“Sub-processor” means any entity engaged by Supplier to Process Relevant Personal Data in connection with the Services.
“Supervisory Authority” means an independent public authority tasked with the regulation and enforcement of Data Protection Laws.
“Third Party Request” means a written request from any third party for the disclosure of Relevant Personal Data, where compliance with such a request is required or purported to be required by applicable law or regulation.
Capitalised terms, or any other terms, used in this DPA that are not defined in this clause 1 (Definitions) shall have the meaning ascribed to them elsewhere in this DPA and/or the Agreement or in Data Protection Laws unless otherwise specified.
PROCESSING OF RELEVANT PERSONAL DATA
- Customer Obligations. Customer shall, in its use of the Services and provision of the Instructions, Process Relevant Personal Data in accordance with the requirements of Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Relevant Personal Data and the means by which Customer acquired such Relevant Personal Data.
- Supplier’s Processing of Relevant Personal Data. As Customer’s Processor, Supplier shall only Process Relevant Personal Data in accordance with Customer’s Instructions which include the Agreement and this DPA.
- Supplier shall immediately inform Customer if, in Supplier’s opinion, Customer’s Instructions infringe Data Protection Laws.
- Supplier shall ensure that all Supplier personnel (including employees, agents, contractors and subcontractors) who Supplier authorises to Process any Relevant Personal Data have entered into appropriate confidentiality obligations.
- Details of the Processing. The Parties acknowledge and agree that Schedule 1 (Description of Processing Activities) to this DPA is an accurate description of the Processing carried out under this DPA.
SUB-PROCESSORS
- Appointment of Sub-processors. Customer acknowledges and agrees that Supplier may engage third-party Sub-processors in connection with the provision of the Services. As a condition to permitting a third-party Sub-processor to Process Relevant Personal Data, Supplier will enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Relevant Personal Data as those in this DPA, to the extent applicable to the nature of the Services provided by such Sub-processor. Where the Sub-processor is located in a jurisdiction that does not provide the same level of data protection as the GDPR, UK GDPR or FADP (as applicable), the transfer may only take place where the Sub-processor ensures appropriate safeguards (such as those pursuant to Articles 46 or 47 UK GDPR) are in place with respect to the transfer in question. Customer agrees that Supplier may appoint Sub-processors in accordance with clause 3.2 below.
- List of Current Sub-processors and Notification of New Sub-processors. A current list of Sub-processors for the Services, including the identities of those Sub-processors and their country of location, is accessible via https://novis.ai/legal/sub-processors. Customer hereby consents to these Sub-processors, their locations and Processing activities as it pertains to Relevant Personal Data. The list of Sub-processors contains a mechanism to subscribe to notifications of new Sub-processors, and if Customer subscribes, Supplier shall provide notification of new Sub-processor(s) before authorising such new Sub-processor(s) to Process Relevant Personal Data in connection with the provision of the applicable Services.
- Objection Right for New Sub-processors. Customer may reasonably object to Supplier’s use of a new Sub-processor by notifying Supplier promptly in writing within ten (10) days after the notice of the change of Sub-processors is sent. Such notice shall explain the reasonable grounds for the objection. In the event Customer objects to a new Sub-processor, Supplier will use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Relevant Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer. If Supplier is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, either party may terminate without penalty the applicable Order Form(s) with respect only to those Services which cannot be provided by Supplier without the use of the objected-to new Sub-processor by providing written notice to Supplier. Supplier will refund Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.
- Liability. Supplier shall be liable for the acts and omissions of its Sub-processors to the same extent Supplier would be liable if performing the Services of each Sub-processor directly under the terms of this DPA.
- Customer Data Hosting. For European customers, Customer Data stored at rest is hosted exclusively within servers deployed in the European Union. Customer acknowledges that certain transient processing (e.g., via Content Delivery Networks or realtime messaging infrastructure) may occur globally to ensure Service performance.
REQUESTS FOR RELEVANT PERSONAL DATA
- Data Subject Requests. Supplier shall, to the extent legally permitted, promptly notify Customer if Supplier receives a Data Subject Request. Taking into account the nature of the Processing, Supplier shall assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request as required by Data Protection Laws.
- Regulator Correspondence. Supplier shall promptly notify Customer on receipt of any Regulator Correspondence or Third Party Request, unless Supplier is prohibited from so notifying Customer by applicable law. Supplier will not disclose any Relevant Personal Data in response to such Regulator Correspondence or Third Party Request without first consulting with, and obtaining, Customer’s prior written authorisation, unless legally compelled to do so.
SECURITY
- Security Measures. Supplier shall maintain appropriate technical and organisational measures for the protection of the security, confidentiality, and integrity of Relevant Personal Data (including protection against unauthorised or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorised disclosure of, or access to, Relevant Personal Data).
- Security Incidents. Supplier shall notify Customer without undue delay of any Security Incident. Any such notification by Supplier to Customer of a Security Incident shall contain the following information, but only to the extent that Supplier has details of same: (i) a description of the nature of the Security Incident (including, where possible, the categories and approximate number of Data Subjects and data records concerned); (ii) the details of a contact point where more information concerning the Security Incident can be obtained; and (iii) its likely consequences and the measures taken or proposed to be taken to address the Security Incident, including to mitigate its possible adverse effects. Customer agrees that Supplier may provide the foregoing information in phases. Supplier shall provide commercially reasonable cooperation and assistance in identifying the cause of such Security Incident and shall take commercially reasonable steps to remediate the cause to the extent the remediation is within Supplier’s control. Except as required by Data Protection Laws, the obligations herein shall not apply to incidents that are caused by Customer.
RECORD-KEEPING
- Data Protection Impact Assessment. Where applicable and upon Customer’s request, Supplier shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under the GDPR to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Supplier. Supplier shall provide reasonable assistance to Customer in cooperation or prior consultation with the Supervisory Authority, to the extent required under the GDPR.
AUDIT RIGHTS
- Customer shall have the right, no more than once in any rolling twelve (12) month period and upon providing at least sixty (60) days’ prior written notice, to request access to information reasonably necessary to demonstrate Supplier’s compliance with this DPA and applicable Data Protection Laws. Supplier may satisfy this obligation by providing relevant third-party certifications, summary audit reports, or other documentation, unless such information is demonstrably insufficient to confirm compliance.
- If, and only to the extent that, the information provided under clause 9.1 is demonstrably insufficient to confirm Supplier’s compliance, Customer may conduct an audit, including an on-site inspection of Supplier’s relevant data processing facilities. Any such audit shall:
- be limited to the scope necessary to assess compliance with this DPA and applicable Data Protection Laws;
- be conducted during normal business hours and in a manner that minimizes disruption to Supplier’s operations;
- be performed by Customer or an independent third-party auditor, not a competitor of Supplier, who is bound by appropriate confidentiality obligations;
- Customer acknowledges that Supplier provides services to multiple customers, some of whom may be subject to statutory or professional confidentiality obligations (including, but not limited to, banks, financial institutions, and law firms). Accordingly, any audit or inspection shall not include access to information, systems, or premises relating to Supplier’s other customers or Supplier’s own confidential or proprietary information unrelated to the Services.
- Supplier shall cooperate with and contribute to any such audit or inspection as reasonably required to demonstrate compliance with this DPA and applicable Data Protection Laws.
- All costs and expenses associated with any audit or inspection shall be borne by Customer, except where an audit reveals a material breach of Supplier’s obligations under this DPA, in which case Supplier shall reimburse Customer for reasonable and properly documented costs directly arising from such audit.
GENERAL
- Relationship with the Agreement. Subject to clause 8.3, if there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent that conflict relates to the Processing of Personal Data.
- Return and Deletion of Relevant Personal Data. Upon termination of the Services for which Supplier is Processing Relevant Personal Data, Supplier shall, after thirty (30) days, subject to the limitations described in the Agreement, securely destroy all Relevant Personal Data, unless Customer has notified Supplier before the expiration of the foregoing 30-day period that it requests the return to Customer of such Relevant Personal Data. Supplier shall demonstrate to the satisfaction of Customer that it has taken such measures, upon written request of the Customer, unless applicable law prevents it from returning or destroying all or part of such Relevant Personal Data.
- Liability. Each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Controller Affiliates and Supplier, whether in contract, tort or under any other theory of liability, is subject to the limitations and exclusions set out in the Agreement, and any reference to the liability of a Party means the aggregate liability of that Party and all of its Affiliates under the Agreement and all DPAs together. For the avoidance of doubt, Supplier and its Affiliates’ total liability for all claims from Customer and all of its Controller Affiliates arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Customer and all Controller Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Controller Affiliate that is a contractual party to any such DPA.
- Updates to DPA. In the event of changes to Data Protection Laws, including, but not limited to, the amendment, revision or introduction of new laws, regulations, or other legally binding requirements to which either Party is subject, the Parties agree to revisit the terms of this DPA, and negotiate any appropriate or necessary updates in good faith, including the addition, amendment, or replacement of any schedules.
- Any matter that is not regulated by this DPA shall be governed by the Agreement or other subsequent contract concluded or exchanged between the parties to this DPA. If any part of this DPA is found to be invalid, illegal, or unenforceable in any respect, it will not affect the validity or enforceability of the remainder of the DPA. Any failure to exercise or enforce any right or the provision of this DPA shall not constitute a waiver of such right or provision.
SCHEDULE 1
DESCRIPTION OF PROCESSING ACTIVITIES
Data subjects
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:
- Authorised Users;
- Employees of Customer;
- Consultants of Customer;
- Contractors / sub-contractors of Customer;
- Agents of Customer
Categories of data
The Personal Data transferred concerns the following categories of data:
Any Personal Data comprised in Customer Data. This may include, for example:
- Documents,
- Text,
- Images,
- Video recordings,
- Voice recordings,
- other Personal Data included in the Customer Data.
Special categories of data
Supplier will not process special categories of Personal Data as defined in Article 9 GDPR.
Processing operations
The Personal Data transferred will be processed in accordance with this DPA, the Agreement and any Order Form and may be subject to the following processing activities:
- Collection of Relevant Personal Data on behalf of Customer through the Services from Customer’s personnel or other data subjects.
- Development of the content requested by the Customer using Customer Data (which may include Relevant Personal Data) provided for that purpose.
- Storage and other processing necessary to provide, maintain, and update the Services provided to Customer;
- To provide customer and technical support to Customer; and
- Disclosures in accordance with the Agreement, as compelled by law.
Duration of the Processing
The Relevant Personal Data Processed by Supplier will be retained for the duration of the Processing by Supplier in the context of the provision of Services under the Agreement, and thereafter in order to comply with applicable law, including Data Protection Laws.
Ulisse AI Ltd (d/b/a Novis)
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Company number 15280517
Email: support@novis.ai
Legal notices: legal@novis.ai