Data Processing Agreement

Last updated: April 3, 2026

This DPA forms part of the neww.ai Terms of Service and governs the processing of Personal Data on behalf of customers. It is designed for GDPR Article 28, UK GDPR, and CCPA compliance. A countersigned PDF version is available on request for procurement teams.

1. Subject matter and purpose

This Data Processing Agreement (DPA) applies whenever neww.ai Inc. ("Processor") processes Personal Data on behalf of a customer ("Controller") in the course of providing the neww.ai services under the Terms of Service. It supplements the Terms and governs the processing of Personal Data as defined by GDPR, UK GDPR, and applicable U.S. state privacy laws.

2. Roles and scope

Controller determines the purposes and means of processing. Processor processes Personal Data only on Controller's documented instructions, including with regard to international transfers. Where Processor is required by Union or Member State law to process Personal Data for other purposes, Processor shall inform Controller of that legal requirement unless prohibited by law.

3. Confidentiality

Processor ensures that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4. Security measures

Processor implements and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption at rest (AES-256) and in transit (TLS 1.3), access controls, pseudonymization where appropriate, regular testing, and incident response. See our Trust Center and Security documentation for the current state of our safeguards.

5. Sub-processors

Controller authorizes Processor to engage sub-processors listed on the Subprocessors page. Processor shall impose data protection obligations on sub-processors no less protective than this DPA and shall remain fully liable for their performance. Controller may object to new sub-processors by written notice within 30 days of publication.

6. Data subject rights

Taking into account the nature of the processing, Processor shall assist Controller by appropriate technical and organizational measures to respond to requests from data subjects exercising their rights under GDPR Chapter III, including access, rectification, erasure, restriction, portability, and objection.

7. Security incidents

Processor shall notify Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Controller's Personal Data, and shall provide sufficient information to allow Controller to meet its obligations under Article 33.

8. Audits

Processor shall make available to Controller all information necessary to demonstrate compliance with Article 28 and allow for, and contribute to, audits — including inspections — conducted by Controller or an auditor mandated by Controller. Audits are subject to reasonable confidentiality, frequency, and cost provisions described in the Terms.

9. International transfers

Where Personal Data is transferred outside the EEA/UK/Switzerland, the parties rely on the EU Standard Contractual Clauses (Module Two — Controller to Processor, 2021) and the UK International Data Transfer Addendum, incorporated by reference. Additional supplementary measures are described in our Trust Center.

10. Return and deletion of data

On termination of the services, Processor shall, at Controller's choice, delete or return all Personal Data and delete existing copies, unless Union or Member State law requires storage. Deletion timelines are detailed in the Terms and Trust Center.

11. Liability and governing law

This DPA is governed by the law and venue provisions of the underlying Terms. Liability under this DPA is subject to the limitations set forth in the Terms, unless prohibited by applicable law.

Need a countersigned DPA?
We countersign the DPA at the point of contract on Business and Enterprise.