Data Processing Addendum

Short Form  •  Effective Date: April 2, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between NightCurrent Labs LLC ("Processor" or "Service Provider") and the customer identified in the applicable order form or services agreement ("Customer" or "Controller").

1. Scope

This DPA applies to personal data processed by NightCurrent on behalf of Customer in connection with the Services.

2. Roles

The parties acknowledge that, with respect to personal data processed on behalf of Customer:

  • Customer is the controller or business; and
  • NightCurrent is the processor or service provider.

3. Processing Instructions

NightCurrent will process personal data only:

  • to provide the Services;
  • in accordance with Customer's documented instructions as reflected in the agreement, product configuration, support requests, or other mutually agreed written instructions; and
  • as otherwise required by applicable law.

4. Nature and Purpose of Processing

NightCurrent processes personal data to host, store, organize, transmit, analyze, and support customer communications, workflows, account administration, security, and related support functions.

5. Types of Personal Data

Depending on Customer's use of the Services, personal data may include:

  • contact details;
  • business identifiers;
  • message content and metadata;
  • account and authentication data;
  • device, log, and usage data; and
  • other personal data submitted by Customer or its users.

6. Categories of Data Subjects

Data subjects may include:

  • Customer personnel and account users;
  • Customer prospects, leads, or end users;
  • website visitors; and
  • support contacts.

7. Confidentiality and Security

NightCurrent will ensure that persons authorized to process personal data are subject to appropriate confidentiality obligations and will implement reasonable administrative, technical, and physical safeguards designed to protect personal data.

8. Subprocessors

Customer authorizes NightCurrent to use subprocessors in connection with the Services, provided NightCurrent remains responsible for their performance of processing obligations to the extent required by law and contract.

Customer specifically acknowledges and consents to the following subprocessing activities that involve personal data in a material way:

  • Neon Database — all lead records, conversation history, user accounts, and settings are stored in a Neon-hosted serverless Postgres database;
  • Anthropic (Claude AI) — when the AI reply feature is enabled, the content of inbound SMS messages and widget chat conversations (including associated lead name, phone, and prior conversation history) is transmitted to Anthropic to generate automated responses; and
  • Plivo / Twilio / Vonage — SMS message content and phone numbers are transmitted through the selected telephony provider for delivery.

A full list of subprocessors is available at our Subprocessor & AI Disclosure Notice. NightCurrent will notify Customer of material subprocessor changes by updating that notice.

9. Assistance

Taking into account the nature of processing and the information available to NightCurrent, NightCurrent will provide reasonable assistance to Customer with responding to data subject requests; security and incident response obligations; and deletion or return of personal data at the end of the Services — in each case to the extent required by applicable law and reasonable under the circumstances.

10. Security Incidents

NightCurrent will notify Customer without undue delay after becoming aware of a confirmed security incident affecting personal data processed on Customer's behalf, and will provide information reasonably necessary for Customer to understand the incident and meet applicable obligations.

11. Deletion and Return

Upon termination of the Services and Customer's written request, NightCurrent will delete or return applicable personal data, unless retention is required by law, necessary for security, backup rotation, or dispute resolution, or otherwise permitted by the agreement.

12. Cross-Border Transfers

If Customer requires additional transfer terms, including standard contractual clauses or jurisdiction-specific addenda, the parties will discuss and execute them separately if appropriate.

13. Conflict

If there is a conflict between this DPA and the main services agreement, this DPA controls with respect to the subject matter of personal data processing.

Questions about this DPA may be sent to legal@nightcurrentlabs.com.