Data Processing Agreement
This agreement governs how Saberra, a Delaware Public Benefit Corporation, processes personal data on behalf of client organizations. Version 1.1.
Governed by the laws of the State of Delaware. For questions, contact legal@saberra.com.
| Data Controller | The client organization named in the Saberra Services Agreement |
| Data Processor | Saberra, a Delaware Public Benefit Corporation |
| Governing Law | State of Delaware, United States |
| Version | 1.1 -- DRAFT |
1. Definitions
Personal Data means any information relating to an identified or identifiable natural person. Processing means any operation performed on Personal Data. Sub-processor means any third party engaged by Saberra to carry out processing on behalf of the Controller. Canon means approved, human-reviewed institutional memory records stored in the Controller's Notion workspace. Candidate Record means an AI-generated draft record awaiting human review. Applicable Law means all federal, state, and local privacy, data protection, and security laws applicable to the processing of Personal Data, including the Delaware Personal Data Privacy Act (DPDPA).
2. Scope and Purpose of Processing
Saberra processes Personal Data solely to provide the institutional memory service: ingesting email and meeting content, extracting structured Candidate Records via AI, storing records in the Controller's Notion workspace, and enabling natural-language Q&A over approved Canon records via Sera. Processing is strictly limited to this purpose and shall not be used for any other purpose without the Controller's prior written consent.
3. Controller Obligations
The Controller determines what content is submitted to the Saberra capture inbox and warrants that it has a lawful basis under Applicable Law for processing any Personal Data submitted. The Controller is responsible for ensuring that student data, health data, and other sensitive categories are not submitted unless separately agreed in writing. The Controller maintains ownership of and full responsibility for all records stored in their Notion workspace.
4. Processor Obligations
Saberra shall: process Personal Data only on documented instructions from the Controller; ensure authorized personnel are bound by confidentiality obligations; implement the security measures described in Section 6; provide prior written notice before engaging or replacing Sub-processors; assist with data subject rights requests to the extent technically feasible; notify the Controller of any breach within 72 hours; and delete or return all Personal Data within five (5) business days of termination.
4.1. No Model Training or Secondary Use
Saberra shall not use, and shall contractually prohibit its Sub-processors from using, Controller Personal Data, source content, transcripts, audio, email content, meeting content, prompts, inputs, outputs, Candidate Records, Canon records, embeddings, metadata, or derived institutional memory records for machine learning model training, retraining, model improvement, or fine-tuning, except with the Controller's prior written consent. Saberra may process such data only as necessary to provide, secure, troubleshoot, and support the Services described in this DPA.
5. Sub-processors
Saberra engages four Sub-processors: Notion Labs, Inc. (primary data storage in the Controller's own Notion workspace); Anthropic, PBC (transient AI extraction via Claude API -- Anthropic does not retain or train on API customer data); Railway, Inc. (dedicated cloud infrastructure per client); and Google, LLC (meeting asset access and outbound email notifications). Saberra will provide 30 days prior written notice of any intended addition or replacement.
6. Security Measures
Saberra maintains: TLS 1.2+ encryption in transit; credential isolation via environment variables never committed to code; a sensitive content gate routing flagged Personal Data to an admin-only review queue; a human review gate enforced at the architectural level so no AI-extracted content becomes searchable Canon without explicit human approval; a full audit trail in a Processing Events database; crash-safe ingestion with Notion deduplication; client-controlled revocation via Notion integration token removal; and a dedicated cloud environment per client.
7. Data Subject Rights
Under Applicable Law, data subjects may have rights of access, correction, deletion, portability, and opt-out. The Controller is the primary party responsible for responding to these requests. Upon written request, Saberra will within ten (10) business days provide information about Personal Data present in the workspace, delete Personal Data from Candidate and Canon records to the extent technically feasible, and provide an export in machine-readable format.
8. Data Transfers
Saberra is incorporated in Delaware, United States, and all Sub-processors are US-based. Processing occurs within the United States. Controllers located outside the United States are responsible for ensuring cross-border transfers comply with their local law. For Controllers in jurisdictions requiring additional transfer mechanisms (EU/EEA SCCs, UK IDTA, etc.), Saberra will execute appropriate instruments upon written request.
9. Data Retention and Deletion
Source Email records and approved Canon records are retained in the workspace until deleted by the Controller. Candidate Records are retained until reviewed; rejected records are archived for audit trail purposes and may be deleted by the Controller at any time. Processing Events audit logs are retained for 12 months by default. On termination, Saberra revokes all access within five (5) business days. No Personal Data is retained by Saberra following access revocation.
10. Personal Data Breaches
In the event of a breach, Saberra will notify the Controller within 72 hours with the nature of the breach, categories and approximate number of affected data subjects and records, likely consequences, and measures taken. Saberra will cooperate with the Controller in preparing any required regulatory notification. The Controller is responsible for determining whether notification to any authority or data subjects is required.
11. Audit Rights
The Controller may request an audit of Saberra's data processing activities with 30 days prior written notice, no more than once per calendar year. Saberra will provide reasonable cooperation and relevant documentation subject to confidentiality obligations owed to other clients. Audit costs are borne by the Controller unless the audit reveals a material breach by Saberra.
12. Liability
Each party is liable for damage arising from a breach of this DPA caused by its own acts or omissions. Saberra's aggregate liability under this DPA shall not exceed the fees paid by the Controller in the twelve (12) months preceding the event, except in cases of fraud, willful misconduct, or gross negligence. The Controller shall indemnify Saberra against claims arising from the failure to comply with its obligations.
13. Governing Law
This DPA is governed by the laws of the State of Delaware, without regard to conflict of law provisions. Disputes shall first be addressed through 30 days of good-faith negotiation, then submitted to binding JAMS arbitration in Wilmington, Delaware. Either party may seek injunctive relief in any court of competent jurisdiction to prevent irreparable harm.
Authorized Sub-processors
| Sub-processor | Role | Data Location |
|---|---|---|
| Notion Labs, Inc. | Primary data storage | United States |
| Anthropic, PBC | AI extraction (transient) | United States |
| Railway, Inc. | Cloud infrastructure | United States |
| Google, LLC | Meeting asset access + outbound email | United States |
Download the full DPA for your records or to share with your legal team.
Download DPA v1.1 (PDF)Questions? Email legal@saberra.com