Legal document
Data Processing Agreement
- Effective:
- July 5, 2026
- Last updated:
- July 6, 2026
- Issuer:
- MorPhoe Tech Inc
This Data Processing Agreement (DPA) governs MorPhoe Tech Inc's processing of personal data on behalf of customers using the BizNerva platform. This DPA supplements and is incorporated into the BizNerva Terms of Service.
This Data Processing Agreement ("DPA") is entered into between MorPhoe Tech Inc, doing business as BizNerva ("Processor" or "we"), and the entity that has accepted the BizNerva Terms of Service ("Controller" or "you"). This DPA applies to the extent that BizNerva processes Personal Data on behalf of the Controller in connection with the BizNerva platform and services ("Services"). This DPA is governed by and supplements the Terms of Service and our Privacy Policy.
1Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Laws.
- "Data Protection Laws"means all applicable data protection and privacy laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and any other applicable national or state privacy legislation.
- "Controller" means the entity that determines the purposes and means of processing Personal Data (the Customer organization).
- "Processor" means the entity that processes Personal Data on behalf of the Controller (MorPhoe Tech Inc / BizNerva).
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.
2Scope and Purpose
This DPA applies to the processing of Personal Data by BizNerva on behalf of the Controller in connection with the Services described in the Terms of Service. BizNerva processes Personal Data solely for the purpose of providing the Services and as further instructed by the Controller. The nature of processing includes storage, organization, retrieval, consultation, use, alignment, combination, restriction, erasure, and destruction of Personal Data as necessary to deliver the Services.
The duration of processing corresponds to the term of the Agreement between the Controller and BizNerva, plus the Export Window and any retained audit, security, billing, or legal records described in Section 11.
3Roles and Responsibilities
Controller responsibilities: The Controller determines the purposes and means of processing, ensures a lawful basis for processing under applicable Data Protection Laws, provides any required notices to Data Subjects, and ensures compliance with its own obligations under Data Protection Laws.
Processor responsibilities: BizNerva shall process Personal Data only on documented instructions from the Controller, except where required by applicable law. BizNerva shall ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
4Processing Instructions
BizNerva shall process Personal Data only in accordance with the Controller's documented instructions, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law. If BizNerva is required by applicable law to process Personal Data other than as instructed by the Controller, BizNerva shall inform the Controller of that legal requirement before processing, unless prohibited by law from doing so.
The Controller's instructions for processing are set forth in this DPA, the Terms of Service, and any additional written instructions agreed upon by the parties. BizNerva shall immediately inform the Controller if, in its opinion, an instruction infringes applicable Data Protection Laws.
5Categories of Data Processed
BizNerva processes the following categories of Personal Data on behalf of Controllers:
- Employee/staff data: Names, email addresses, job titles, roles, department assignments, employment dates, and organizational hierarchy information.
- Training records: Compliance training completion dates, scores, certification status, and training history.
- Incident reports: Workplace incident details, investigation notes, corrective actions, and related documentation (e.g., SB 553 workplace violence prevention).
- Compensation data: Salary ranges, pay bands, and wage records as required for California pay transparency compliance (Labor Code § 432.3, as amended by SB 1162 and SB 642).
- Compliance records: Audit evidence, policy documents, regulatory filings, risk assessments, and gap analysis results.
- Account data: Names, email addresses, login activity, and authentication information for platform users.
- HRIS integration data: Employee roster data (names, emails, job titles, departments) received via connected HRIS providers, along with sync logs, field mappings, and adoption metrics. Credential tokens are encrypted at rest.
Data subjects include: Customer employees, contractors, organizational administrators, and other individuals whose data is submitted to the platform by the Controller.
6Security Measures
BizNerva implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:
- Encryption: Personal Data is encrypted in transit (TLS 1.2+). Managed database and storage infrastructure apply encryption at rest, and high-risk PII fields, credentials, and secrets receive additional field-level encryption.
- Access controls: Role-based access control (RBAC) with row-level security (RLS) ensuring strict multi-tenant data isolation.
- Authentication: Multi-factor authentication (MFA) with TOTP support; administrator enforcement is configurable by role.
- Audit logging: Audit trails covering administrative actions, security events, and sensitive data operations.
- Infrastructure: Hosted on cloud infrastructure provided by sub-processors that report SOC 2 Type II certifications as of the effective date (Supabase, Vercel), with automatic backups and disaster recovery.
- Personnel: All personnel with access to Personal Data are bound by confidentiality obligations.
- Incident response: Documented incident response procedures with defined escalation paths.
7Sub-processors
The Controller authorizes BizNerva to engage Sub-processors for the processing of Personal Data. The current list of Sub-processors — including each provider's jurisdiction, processing purpose, and certifications — is maintained as the canonical source at /legal/subprocessors. That page is incorporated into this DPA by reference; updates to it are updates to this Section.
BizNerva shall notify the Controller of any intended changes to its Sub-processors by updating the subprocessors page. In addition, BizNerva will send email notification to the Controller's registered email address at least thirty (30) days before any new Sub-processor begins processing Personal Data. The Controller may object in writing within fourteen (14) days of receipt of such notice. If the Controller raises a reasonable objection and BizNerva cannot accommodate it, either party may terminate the Agreement with thirty (30) days' written notice.
BizNerva shall impose data protection obligations on each Sub-processor that are no less protective than those set out in this DPA. BizNerva remains liable for the acts and omissions of its Sub-processors that result in a breach of BizNerva's obligations under this DPA, subject to the limitations of liability set forth in §14.
BizNerva does not use Controller Personal Data to train AI models, and engages AI sub-processors only under commercial terms that prohibit use of submitted data for model training.
Customer-selected integrations and public data sources. Controller-controlled integrations, including identity providers used for sign-in, connected HRIS providers, Slack or Microsoft Teams webhook destinations, and the Controller's own DocuSign account, are used at the Controller's direction under the Controller's own agreements with those providers. Separately, public and reference data sources that BizNerva queries to power Controller-enabled features, such as Etherscan for on-chain data and CoinGecko for market pricing, receive only public identifiers (for example wallet addresses and token identifiers) that the Controller selects for monitoring. Neither category is a Sub-processor of BizNerva unless BizNerva separately engages the provider to process Personal Data on BizNerva's behalf, in which case it will be listed on the subprocessors page and subject to this Section.
8Data Subject Rights
BizNerva shall assist the Controller in fulfilling its obligations to respond to Data Subject requests exercising their rights under applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.
If BizNerva receives a request directly from a Data Subject, BizNerva shall promptly notify the Controller and shall not respond to the request without the Controller's prior written authorization, unless required by applicable law.
The platform provides self-service data export, account deletion, and consent management features to facilitate Data Subject rights compliance.
BizNerva aims to respond to data subject access, deletion, and portability requests forwarded by the Controller within five (5) business days as a good-faith target, to enable the Controller to meet its obligations under applicable law. The procedural steps BizNerva follows on receipt of a forwarded request are described in BizNerva's internal DSAR Response Runbook (available to Controllers under NDA upon written request).
9Data Breach Notification
BizNerva shall notify the Controller without undue delay after becoming aware of a Data Breach affecting Personal Data processed on behalf of the Controller. BizNerva targets notification within 72 hours of awareness as a good-faith operational goal, consistent with GDPR Article 33 expectations; the actual timeline depends on the nature and severity of the incident and the time required to confirm the affected scope. The procedural steps BizNerva follows on becoming aware of a Data Breach are described in BizNerva's internal Incident Response Runbook (available to Controllers under NDA upon written request). The notification shall include:
- A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and records affected.
- The name and contact details of BizNerva's point of contact for further information.
- A description of the likely consequences of the Data Breach.
- A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its adverse effects.
BizNerva shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each Data Breach. For California-resident data processed on behalf of the Controller, BizNerva will notify the Controller without undue delay so the Controller can evaluate and make any notices required under California Civil Code § 1798.82 and subsequent amendments, including SB 446. The Controller is responsible for resident and regulator notifications unless applicable law requires BizNerva to provide a notice directly.
10International Data Transfers
BizNerva processes Personal Data primarily within the United States. If Personal Data is transferred outside the country of origin, BizNerva shall ensure that appropriate safeguards are in place as required by applicable Data Protection Laws, including:
- EU Standard Contractual Clauses (SCCs), UK transfer addendum, or other lawful transfer mechanism where required by applicable Data Protection Laws.
- Participation in applicable data transfer frameworks, including the EU-US Data Privacy Framework where a relevant provider is certified.
- Transfer risk assessments and supplementary measures where required.
BizNerva evaluates EU/UK-to-US data transfers and implements supplementary technical and organizational measures including: (a) field-level encryption for high-risk PII fields and secrets; (b) role-based access controls with Row Level Security; (c) audit logging for administrative actions, security events, and sensitive data operations; and (d) encryption of data in transit using TLS 1.2 or higher.
11Data Retention and Deletion
BizNerva acts as a data processor for all compliance records created within the platform. The Controller (the subscribing organization) is the data controller and is solely responsible for ensuring its records meet applicable retention requirements under law. BizNerva has no independent legal obligation to retain Controller compliance data beyond the subscription term.
Post-termination export window. Upon termination of the Agreement, BizNerva shall retain all Controller data for sixty (60) days(the “Export Window”) to allow the Controller to export its data. BizNerva will send reminder notifications approximately 30 days and 7 days before scheduled deletion from active production systems. After the Export Window, BizNerva will delete Controller data from active production systems in accordance with GDPR Article 28(3)(g). Backup copies, if any, expire through ordinary backup rotation and are not used to restore terminated Controller data except as necessary for disaster recovery, security, legal, or compliance purposes. Any terminated Controller data restored from backup will be re-deleted promptly after the purpose of the restoration is fulfilled. The Controller bears sole responsibility for exporting and retaining records required by applicable law before the Export Window expires.
Controller's regulatory retention obligations.The following minimum retention periods apply to the Controller's own records under applicable law. These are the Controller's obligations — not BizNerva's — after data is exported or the Agreement terminates:
- WVPP / SB 553 (Cal/OSHA LC §6401.9): Training records — 1 year minimum; incident reports — 5 years minimum
- Pay Transparency (Labor Code § 432.3): Job posting records — 3 years
- False Claims Act (FCA): Compliance records — 6–10 years
- NERC CIP (FERC/CMEP): CIP compliance records — 3+ years; some standards require up to 6 years
- OSHA (29 CFR § 1904): 300/300A/301 logs — 5 years
- Privacy / GDPR / CCPA–CPRA: Consent records and DSAR documentation — 3–5 years
- Labor Compliance / FLSA: Wage and hour records — 3 years (FLSA); state laws may require longer
- Web3 / BSA / FinCEN: BSA/AML records — 5 years; SARs — 5 years
- AI Governance: AI risk assessments and audit records — 3 years (EU AI Act Art. 18; NIST AI RMF)
- Underground Storage Tanks (UST / EPA 40 CFR Part 280): Inspection and compliance records — lifetime of tank
- Food Safety / FDA FSMA: HACCP plans and corrective action records — 2 years
- Tobacco Compliance: Age verification and retail compliance records — 3 years
- E-Commerce Marketing (FTC Act § 5): Marketing compliance records — 5 years
- E-Commerce Checkout (ROSCA 15 U.S.C. § 8403): Subscription and cancellation records — 5 years
- E-Commerce Sales Tax (Wayfair): Tax nexus records — 7 years
- E-Commerce UDAP (State UDAP statutes): Consumer protection compliance records — 5 years
- HRIS Integration data: Sync logs and adoption metrics — retained during active subscription; deleted with org data after the Export Window. Credential tokens are revoked on cancellation
- Platform audit logs (audit_logs): 7 years — BizNerva's own obligation. Retained as monthly partitions and dropped automatically once a partition is fully past the 7-year cutoff.
- Security events & activity timeline: 3 years (aligned with SOC 2 CC7.2 — BizNerva's own obligation). Retained as monthly partitions and dropped automatically once a partition is fully past the 3-year cutoff.
- Billing & invoice records: 7 years (IRS — BizNerva's own obligation). Authoritative billing records (invoices, payment transactions, subscription history) are retained by Stripe and Mercury as primary record-keepers in accordance with their own compliance obligations. BizNerva's internal webhook event records are operational processing artifacts used for deduplication and are not the authoritative billing record; they are retained for 3 years.
12Audit Rights
BizNerva shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or a qualified third-party auditor mandated by the Controller, subject to reasonable advance notice (at least 30 days) and during normal business hours.
The Controller may exercise its audit rights no more than once per 12-month period, unless required by applicable law or a supervisory authority, or following a Data Breach. The foregoing limitation does not apply to audits or investigations required by a regulatory authority or court order, which BizNerva will accommodate promptly and in good faith regardless of the annual limit. BizNerva shall also provide, upon request, copies of relevant certifications or audit summaries, to the extent available. BizNerva is preparing for SOC 2 Type I attestation against the Security Trust Services Criterion; the report will be available under NDA upon issuance. SOC 2 Type II is planned to begin observation immediately after Type I issuance.
13CCPA/CPRA Provisions
To the extent that BizNerva processes Personal Data subject to the CCPA/CPRA, BizNerva acts as a "Service Provider" as defined under the CCPA/CPRA and shall not:
- Sell or share Personal Data received from or on behalf of the Controller.
- Retain, use, or disclose Personal Data for any purpose other than providing the Services as specified in the Agreement, or as otherwise permitted by the CCPA/CPRA.
- Retain, use, or disclose Personal Data outside of the direct business relationship between BizNerva and the Controller.
- Combine Personal Data received from the Controller with Personal Data received from other sources, except as permitted by the CCPA/CPRA.
BizNerva certifies that it understands the restrictions set forth in this Section and will comply with them. BizNerva shall assist the Controller in responding to verifiable consumer requests, including requests to know, delete, correct, and opt out of the sale/sharing of Personal Data.
14Limitation of Liability
Each party's liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Terms of Service. Nothing in this DPA shall limit either party's liability for breaches of its obligations under applicable Data Protection Laws that cannot be limited by contract.
15Term and Termination
This DPA shall remain in effect for the duration of the Agreement. Upon termination of the Agreement, the provisions of this DPA relating to data deletion, retention, and confidentiality shall survive to the extent necessary to fulfill their purpose.
Either party may terminate this DPA if the other party materially breaches its obligations under this DPA and fails to cure such breach within 30 days of written notice.
16Contact
For questions about this DPA or to exercise rights under this agreement, contact:
- MorPhoe Tech Inc
- Email: contact@biznerva.com
- Subject line: "DPA Inquiry"