Data Processing Agreement
Last updated: March 25, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between SumatoSoft, operating NoParrot.ai ("Processor", "we", "us"), and the user of the NoParrot service ("Controller", "you"). This DPA governs the processing of personal data in connection with your use of the NoParrot service.
1. Definitions
For the purposes of this DPA:
- "Controller" means the natural or legal person who determines the purposes and means of the processing of Personal Data — i.e., you, the user of NoParrot.
- "Processor" means the entity that processes Personal Data on behalf of the Controller — i.e., SumatoSoft operating NoParrot.ai.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Personal Data" means any information relating to a Data Subject that can directly or indirectly identify them.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Sub-processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
- "Standard Contractual Clauses" (SCCs) means the contractual clauses approved by the European Commission for transferring Personal Data to countries outside the EEA.
2. Scope and Purpose of Processing
The Processor processes Personal Data solely to provide the NoParrot service to the Controller. This includes:
- Receiving and routing user queries to multiple AI providers for response generation.
- Extracting, comparing, and scoring claims across AI model responses.
- Storing query history and analysis results for the Controller's continued access.
- Managing the Controller's account, authentication, and subscription.
- Processing payments through Stripe.
The categories of Personal Data processed include: email address, display name, query text, AI responses, and usage metadata (query counts, timestamps, subscription tier). The Data Subjects are the Controller and any individuals whose information may be included in queries submitted by the Controller.
3. Obligations of the Processor
The Processor shall:
- Process on instructions only. Process Personal Data solely in accordance with the Controller's documented instructions, which are defined by the Controller's use of the service. The Processor shall not process Personal Data for any other purpose.
- Ensure confidentiality. Ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
- Implement security measures. Implement and maintain appropriate technical and organizational measures to protect Personal Data, as described in Section 6 of this DPA.
- Assist with Data Subject requests. Assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR (access, rectification, erasure, portability, restriction, objection). The Controller can deactivate their account at any time through account settings. Full erasure of personal data can be requested by emailing support@noparrot.ai.
- Assist with compliance obligations. Assist the Controller in ensuring compliance with obligations under Articles 32 to 36 of the GDPR, including data protection impact assessments and prior consultation with supervisory authorities where required.
- Delete data on request. Upon the Controller's written request (via email to support@noparrot.ai), delete all Personal Data within 30 days, except where retention is required by applicable law (such as payment records retained for tax compliance). Account deactivation through the service interface deactivates the account and cancels active subscriptions but does not automatically erase Personal Data.
- Make information available. Make available to the Controller all information necessary to demonstrate compliance with this DPA and the GDPR.
4. Sub-processors
The Controller authorizes the Processor to engage the following Sub-processors for the purposes described:
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic | AI model provider (Claude) — processes query text | United States |
| OpenAI | AI model provider (GPT) — processes query text | United States |
| | AI model provider (Gemini) — processes query text | United States |
| xAI | AI model provider (Grok) — processes query text | United States |
| Stripe | Payment processing | United States |
| Supabase | Authentication (email, session management) | United States |
| DigitalOcean | Infrastructure hosting | United States / Europe |
| Cloudflare | CDN, DDoS protection, SSL termination | Global (edge network) |
The Processor shall notify the Controller of any intended changes to the list of Sub-processors by updating this page. The Controller may object to a new Sub-processor by contacting us within 30 days of notification. If the objection cannot be resolved, the Controller may terminate the service.
The Processor shall ensure that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA.
5. Data Transfers
Some Sub-processors operate outside the European Economic Area (EEA). Where Personal Data is transferred to countries that do not have an adequate level of data protection as determined by the European Commission, the Processor ensures appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) — where applicable, transfers are governed by the European Commission's Standard Contractual Clauses.
- EU-US Data Privacy Framework — where Sub-processors are certified under the EU-US Data Privacy Framework, transfers rely on that certification.
- Supplementary measures — additional technical measures (encryption in transit and at rest) are applied to protect data during transfer.
6. Security Measures
The Processor implements the following technical and organizational measures to ensure a level of security appropriate to the risk:
- Encryption at rest. Personally identifiable information stored in the database is encrypted using pgcrypto (PostgreSQL).
- Encryption in transit. All data transmitted between the Controller's browser and the service, and between the service and Sub-processors, is encrypted using TLS/SSL.
- Access controls. Database access is restricted to authorized application services. Administrative access is limited to an email allowlist. Role-based permissions are enforced throughout the system.
- Authentication security. User authentication is handled by Supabase with industry-standard practices including password hashing, secure session tokens, and support for OAuth 2.0.
- PII filtering. Sensitive personal information is filtered from analytics and logging data using configurable PII detection patterns.
- Infrastructure security. The application runs on DigitalOcean with Cloudflare providing DDoS protection, WAF, and SSL certificate management.
- Regular review. Security measures are reviewed and updated periodically to address emerging threats and vulnerabilities.
7. Data Breach Notification
In the event of a Personal Data breach, the Processor shall:
- Notify the Controller without undue delay and in any case within 72 hours of becoming aware of the breach.
- Provide the Controller with sufficient information to allow the Controller to meet its obligations under Article 33 of the GDPR, including:
- The nature of the breach, including the categories and approximate number of Data Subjects and records affected.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its effects.
- Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
8. Term and Termination
This DPA is effective for as long as the Processor holds any Personal Data on behalf of the Controller. The service agreement ends when the Controller's account is deactivated or terminated, but this DPA remains in force until all Personal Data has been deleted or returned.
Account deactivation through the service interface deactivates the account and cancels active subscriptions but does not automatically erase Personal Data. To request full erasure, the Controller should email support@noparrot.ai. Upon receiving an erasure request, the Processor shall delete all Personal Data within 30 days, except where applicable law requires retention (such as payment records retained for tax compliance purposes). The DPA terminates once all Personal Data has been deleted or the legally required retention period expires.
The obligations in this DPA regarding confidentiality and data protection survive termination.
9. Contact
For questions about this Data Processing Agreement or to exercise your rights, contact us at:
Email: support@noparrot.ai
Operator: SumatoSoft