← Back to Noorelia
Noorelia
// Data Processing Agreement Template
Data Processing Agreement
Version 1.0 · Effective 04 June 2026
How to use this document: This is the standard Data Processing Agreement
(DPA) governing personal data processed by Noorelia on behalf of funeral home customers
(the "Controller"). It supplements our
Terms of Use and
Privacy Policy. To execute, complete Schedule 4 and
email a signed copy to
privacy@noorelia.com.
A countersigned copy will be returned within 5 business days.
1. Definitions
- "Controller" — the funeral home customer who is the controller of personal data within the meaning of GDPR Article 4(7)
- "Processor" — Noorelia, operating www.noorelia.com, who processes Personal Data on behalf of the Controller
- "Personal Data" — any information relating to an identified or identifiable natural person processed under this DPA
- "Data Subject" — the natural person to whom Personal Data relates (typically funeral home staff and family members of deceased persons)
- "GDPR" — Regulation (EU) 2016/679 (the General Data Protection Regulation), and the UK General Data Protection Regulation as incorporated into UK law
- "Subprocessor" — any third party engaged by Processor that processes Personal Data on Processor's behalf
- "Standard Contractual Clauses" or "SCCs" — the standard contractual clauses adopted by the European Commission under Decision (EU) 2021/914
2. Subject matter and duration
This DPA applies to all Personal Data processed by the Processor on behalf of the Controller in connection with the Controller's use of the Noorelia platform. The DPA takes effect when both parties sign and remains in force for the duration of the Controller's subscription, plus any data-retention period that follows termination.
3. Nature and purpose of processing
The Processor processes Personal Data solely to provide the Noorelia platform to the Controller, including:
- Storing case data (deceased's information, family contacts, documents, milestones)
- Sending transactional emails to families on the Controller's behalf
- Generating AI-assisted draft messages, obituaries, and translations
- Operating the family portal with photo sharing, messaging, and e-signatures
- Processing subscription payments and providing customer support
- Maintaining audit logs and security telemetry
The Processor shall not process Personal Data for any other purpose, including for its own commercial purposes, marketing, or AI model training, except as documented in this DPA or instructed in writing by the Controller.
4. Categories of Data Subjects and Personal Data
| Data Subjects | Personal Data Categories |
|---|
| Funeral home staff and directors | Name, email, phone, role, sign-in timestamp, IP address, hashed password |
| Family members of deceased persons | Name, email, phone, relationship to deceased, language preference, IP address (during portal access), e-signature audit record (name typed, IP, browser, timestamp), photos and messages they share, payment information if family payments are enabled |
| Deceased persons | Full name, date of death, place of death, religious or cultural tradition, photos. Note: GDPR does not apply to deceased persons in the UK and most EU member states; this data may still indirectly identify living relatives. |
| Vendors / clergy / third parties referenced in case data | Name, contact info, role, scheduling preferences |
5. Controller obligations
The Controller:
- Has and will maintain a lawful basis under GDPR Article 6 for processing Personal Data via the platform (typically Article 6(1)(b) — performance of the funeral arrangement contract — and Article 6(1)(c) — legal obligations in respect of death registration)
- Will respond to Data Subject requests directed to the Controller (the platform supports export and deletion to assist with these)
- Will not enter Personal Data into the platform that exceeds the scope of the funeral arrangement, including special-category data (GDPR Article 9) beyond what is necessary for the service (e.g. religious affiliation captured as the deceased's tradition)
- Will ensure each Data Subject whose Personal Data is entered has been informed about the processing in line with GDPR Articles 13–14, and where required, has consented
- Will comply with all applicable funeral-industry laws including, where relevant, the US FTC Funeral Rule (16 CFR §453), state licensure requirements, UK Cremation Regulations 2008, and equivalent regimes in other jurisdictions
6. Processor obligations
The Processor:
(a) Processing only on Controller's documented instructions
The Processor will process Personal Data only on the Controller's documented instructions, including with regard to international transfers. The Controller's instructions are set out in (i) this DPA, (ii) the Terms of Use, (iii) the Controller's configuration of the platform, and (iv) any written instructions the Controller subsequently provides.
(b) Confidentiality
The Processor will ensure that persons authorised to process Personal Data are bound by confidentiality obligations or under appropriate statutory obligation of confidentiality.
(c) Security measures
The Processor will implement appropriate technical and organisational measures including:
- HTTPS / TLS 1.2+ encryption in transit
- Encryption at rest for documents and database backups
- Row-level security in the database, restricting each funeral home's access to its own data
- Bcrypt password hashing managed by Supabase Auth
- Rate limiting on authentication and sensitive endpoints
- HMAC signature verification on webhook callbacks
- Audit logging of staff actions, e-signatures, and administrative changes
- Optional multi-factor authentication for directors and staff
- Backup and disaster-recovery procedures with point-in-time recovery
- Regular security review of source code and infrastructure
(d) Subprocessor engagement
The Controller authorises the Processor to engage the Subprocessors listed in Schedule 1 to process Personal Data on the Controller's behalf. The Processor will:
- Ensure each Subprocessor is bound by a written contract imposing data-protection obligations no less protective than those set out in this DPA
- Remain liable to the Controller for the acts and omissions of its Subprocessors
- Provide at least 30 days' notice before adding or replacing a Subprocessor. Notice will be by email to the Controller's primary contact and published on the Subprocessor list at our Privacy Policy. The Controller may object on reasonable data-protection grounds within that period; if objections cannot be resolved, the Controller may terminate the affected portion of the service and receive a pro-rata refund
(e) Assistance with Data Subject rights
Taking into account the nature of the processing, the Processor will assist the Controller by appropriate technical and organisational measures to fulfil obligations to respond to Data Subject requests under GDPR Articles 15–22. The platform provides Controllers with:
- Export of all case data, family-shared content, and audit records in CSV/JSON format
- Deletion of cases (subject to e-signature retention requirements set out in Schedule 3)
- Correction tools for any field stored in the system
- Search and lookup tools to locate Data Subject records on request
If a Data Subject contacts the Processor directly with a request, the Processor will (i) acknowledge receipt without responding to the substance of the request, (ii) forward the request to the Controller within 3 business days, and (iii) assist the Controller in responding as instructed.
(f) Breach notification
The Processor will notify the Controller of a Personal Data breach affecting the Controller's data without undue delay and in any event within 72 hours of becoming aware. The notification will include:
- A description of the nature of the breach including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned
- The name and contact details of the Data Protection Officer or other point of contact
- The likely consequences of the breach
- The measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its adverse effects
The Processor will cooperate with the Controller's notification to supervisory authorities and to affected Data Subjects to the extent required by GDPR.
(g) Data Protection Impact Assessments and consultation
The Processor will provide the Controller with reasonable assistance with Data Protection Impact Assessments (DPIAs) under GDPR Article 35 and prior consultations with supervisory authorities under Article 36, taking into account the information available to the Processor.
(h) Audit
The Controller may, no more than once per twelve-month period (except where required by a supervisory authority or following a security incident), audit the Processor's compliance with this DPA by:
- Reviewing this DPA, the Subprocessor list, and any certifications or third-party audit reports the Processor makes available
- Submitting a written security questionnaire to which the Processor will respond within 30 days
- Requesting a remote audit session of up to 2 hours during business hours on 30 days' notice
Audits are at the Controller's expense and must be conducted in a manner that does not unreasonably interfere with the Processor's operations or other customers' confidentiality.
(i) Return or deletion at end of processing
At the Controller's election, on termination of the Controller's subscription:
- The Processor will export all Personal Data in a structured, machine-readable format for the Controller within 14 days of the request
- The Processor will then delete Personal Data from active systems within 30 days, and from backups within a further 30 days
- Exception: e-signature audit records will be retained for the period specified in Schedule 3 to comply with E-SIGN, eIDAS, UETA and equivalent regimes, and billing records will be retained for the period required by applicable tax law
7. International transfers
Personal Data is primarily stored in the European Union (Frankfurt, Germany). Some processing involves transfers to third countries — see Schedule 1 — covered by:
- The EU Standard Contractual Clauses (Decision (EU) 2021/914), Module 2 (Controller to Processor) where the Processor is in a third country, or Module 3 (Processor to Subprocessor) for onward transfers
- The UK International Data Transfer Addendum where transfers originate in the UK
- The EU-US Data Privacy Framework where applicable to US-based Subprocessors
- The model contractual provisions issued under the UAE Personal Data Protection Law for Controllers based in the UAE
The SCCs are hereby incorporated by reference. The Processor is "data importer" and the Controller is "data exporter" in respect of any transfers from the Controller's jurisdiction to the Processor.
8. Liability
The liability provisions in the Terms of Use, Section 13 apply to this DPA, except that they do not limit:
- Liability that cannot be excluded under GDPR (Article 82) or other mandatory law
- Each party's liability for indemnification of the other under any judgment, settlement, or administrative fine under GDPR caused by that party's breach of this DPA
9. Order of precedence
To the extent of any conflict between documents:
- This DPA (including Schedules)
- The EU Standard Contractual Clauses where they apply
- The Terms of Use
- The Privacy Policy
10. Changes to this DPA
The Processor may update this DPA to reflect changes in law or service. Material changes will be notified at least 30 days in advance by email to the Controller's primary contact, and the updated version will be posted at this URL. Continued use of the platform after the change takes effect indicates acceptance.
Schedule 1 — Subprocessors
As of the effective date of this DPA, the Processor engages the following Subprocessors. The current list is maintained at our Privacy Policy, Section 6.
| Subprocessor | Role | Region |
|---|
| Supabase | Primary database, file storage, authentication | EU (Frankfurt) |
| Cloudflare | Edge proxy, API backend (Worker), DDoS protection | Global edge |
| Netlify | Static frontend hosting | Global CDN |
| Resend | Transactional email delivery | USA (transient) |
| Anthropic | AI generation (milestone updates, aftercare drafts, translations, chat assistant, obituary drafts) — Anthropic does NOT train its models on data submitted via the API | USA (transient) |
| Stripe | Subscription billing for funeral home subscriptions to Noorelia | USA / Ireland |
| DocuSign | Optional eSignature envelope delivery for documents requiring legal-grade signatures | USA |
| Sentry | Error monitoring (stack trace + user-agent only; no body content) | EU (Frankfurt) |
Schedule 2 — Security measures
Without limiting Section 6(c), the Processor implements the following technical and organisational measures:
Access control
- Database access restricted by row-level security with one tenancy boundary per funeral home
- Production access limited to authorised personnel only; access logged and reviewed
- Service-role keys never exposed to browser clients; held only as encrypted environment variables
Encryption
- TLS 1.2+ on all client connections, HSTS enforced
- Encryption at rest for stored documents and database
- Bcrypt password hashing via Supabase Auth
Network & application security
- Web Application Firewall via Cloudflare
- Rate limiting on authentication, password reset, e-signature, and family portal verification
- HMAC signature verification on Stripe and DocuSign webhooks
- Content Security Policy and X-Frame-Options on browser-served pages
- Regular dependency security updates
Operational
- Automated daily backups with point-in-time recovery (Supabase Pro)
- Monitored uptime via UptimeRobot; status page at stats.uptimerobot.com/l9I8wNhcMM
- Error monitoring via Sentry with PII scrubbing rules
- Audit log of staff actions, role changes, document access, and e-signature events
Personnel
- Confidentiality obligations binding all personnel with access to Personal Data
- Training on data-protection and security responsibilities
- Background screening commensurate with role
Schedule 3 — Retention
| Data category | Retention period |
|---|
| Active case data | For the duration of the Controller's subscription |
| Cancelled / terminated account data | 30 days from cancellation, then permanently deleted; backup deletion within a further 30 days |
| E-signature audit records | 7 years (E-SIGN, eIDAS, UETA compliance) |
| Billing records | As required by applicable tax law (typically 6–7 years) |
| Authentication logs | 12 months |
| Sentry error events | 30 days |
| Backups | 7 days rolling (Supabase Pro) |
Schedule 4 — Signatures
Processor (Noorelia)
Noorelia — operated as a sole-trader micro-business — noorelia.com
Contact: privacy@noorelia.com
Name & Title
Tony Sammak, Founder
Controller (Funeral Home Customer)
Please complete:
Authorised signatory name
Once signed, email a scan or PDF copy to privacy@noorelia.com. A countersigned copy will be returned within 5 business days. For questions about the terms of this DPA before signing, please contact the same address.
© 2026 Noorelia · noorelia.com