Data Processing Agreement
Last updated · 27 May 2026 · Version 1.1 · Template
This Data Processing Agreement (“DPA”) is a template Palanor, Inc. (“Palanor,” the “Processor”) makes available to customers (each, a “Controller”) whose processing of personal data triggers the GDPR, UK GDPR, Swiss FADP, or equivalent. A signed copy can be requested at privacy@palanor.com; it forms part of the master services agreement (MSA) once executed.
1. Definitions
Terms not defined here have the meanings in Article 4 of the GDPR. “Customer Personal Data” means personal data processed by Palanor on the Controller’s behalf in the course of providing the service.
2. Subject matter, duration, nature, and purpose of processing
- Subject matter: Hosting, processing, and displaying Customer Personal Data inside the Palanor Enterprise Intelligence Platform.
- Duration: As long as the MSA is in force, plus 90 days for data export and deletion.
- Nature: Storage, retrieval, analytical processing (LLM-driven where contracted), email delivery, and visualization.
- Purpose: Deliver the Palanor service to the Controller and the Controller’s authorized users.
3. Types of personal data and categories of data subjects
Categories of data subjects: the Controller’s employees and authorized end users; the Controller’s customers, prospects, vendors, partners, and competitors (entered as entities in the CRM); end users of the Controller’s services if the Controller chooses to load that data.
Types of personal data: contact identifiers (name, email, phone, work address); employment identifiers (title, role, organization); social media handles; notes and meeting records loaded by the Controller’s authorized users; CRM activity logs; audit logs.
4. Roles and responsibilities
The Controller is the controller of Customer Personal Data. Palanor is the processor and processes Customer Personal Data only on documented instructions from the Controller (the MSA, this DPA, and any in-product configuration).
5. Subprocessors
Palanor uses subprocessors listed at palanor.com/subprocessors. Palanor will provide at least 30 days’ notice of any change. The Controller may object on reasonable grounds; if the parties cannot resolve the objection, the Controller may terminate the affected service with a pro-rata refund.
6. International transfers
Where Customer Personal Data is transferred outside the EEA, UK, or Switzerland to a country without an adequacy decision, Palanor relies on the EU Standard Contractual Clauses (Module Two, Controller to Processor, 2021/914) and the UK International Data Transfer Addendum. SCCs are incorporated by reference and apply with the standard options (clause 7 docking enabled; clause 11(a) optional language not included; clause 17 governing law Ireland; clause 18 venue Ireland; UK Addendum table options as standard).
7. Security measures
Palanor maintains the technical and organizational measures (TOMs) described in Annex II below, and the full operational posture published at palanor.com/security. Material updates to either are subject to the change-notice provisions of Section 5 (Subprocessors) where they involve subprocessor changes, or to the change-notice provisions of the MSA where they involve Palanor-internal posture changes.
8. Data subject requests
Palanor will assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) within the timelines set by the GDPR. Customer admins can fulfill most requests directly through the product; for the rest, contact privacy@palanor.com.
9. Personal data breaches
Palanor will notify the Controller without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach affecting Customer Personal Data. The notification will include the nature of the breach, categories and approximate numbers of data subjects and records concerned, likely consequences, and the measures taken or proposed.
10. Audit
The Controller may audit Palanor’s compliance with this DPA once per twelve-month period, on at least 30 days’ written notice, during business hours, and subject to confidentiality. Palanor may satisfy audit requests by providing third-party attestations (SOC 2, ISO 27001) when available, or by responding in writing to a reasonable security questionnaire.
11. Return and deletion of Customer Personal Data
On termination or expiration of the MSA, Palanor will at the Controller’s option return or delete Customer Personal Data within 90 days, subject to legal retention requirements. Backups are deleted on the same 90-day rolling window.
12. General provisions
This DPA forms part of the MSA. In case of conflict, the order of precedence is: (i) the SCCs, (ii) this DPA, (iii) the MSA, (iv) any order form. The DPA is governed by the law specified in the MSA.
Annex I — Parties, processing, supervisory authority
- I.A · Parties: Controller and Processor (Palanor, Inc.) as set out in the executed signature page.
- I.B · Description of processing: as described in Sections 2 and 3 above.
- I.C · Competent supervisory authority: as designated under SCC Clause 13(a). Default: the supervisory authority of the EU member state where the Controller is established, or the Irish Data Protection Commission where the Controller is established outside the EU.
Annex II — Technical and organizational measures
The current TOMs in effect under this DPA are:
- Encryption in transit. TLS 1.2 or higher on every connection. HTTP Strict Transport Security enabled on all domains.
- Encryption at rest — infrastructure. Supabase Postgres + Storage encrypted at rest by Supabase using AES-256 with AWS-managed keys. Vercel build artifacts and logs encrypted at rest by Vercel.
- Encryption at rest — application sensitive data. Customer LLM provider API keys (BYOLLM) encrypted with AES-256-GCM application-side before persistence; master key in encrypted environment store; per-row IV + authentication tag for tamper detection.
- Tenant isolation. Row-Level Security policies on every customer table enforce organization-scoped reads and writes at the database layer.
- Authentication. Email + password via Supabase Auth (SOC 2 Type II); optional TOTP-based MFA available to every user. SMS-based MFA deliberately not offered.
- Authorization. Role-based access (owner / admin / member / reader / researcher) per organization. Palanor employee production access is allow-listed and routes through the Supabase service role; the browser-facing anonymous role cannot bypass Row-Level Security.
- Vendor governance. Subprocessors listed at palanor.com/subprocessors with location and data category. Each subject to a Data Processing Agreement; customers receive at least 30 days’ notice of changes.
- Vulnerability management. Automated dependency scanning via Dependabot on the production repository; high-severity advisories remediated within 24 hours, medium within one week. Annual third-party penetration test commissioned alongside SOC 2 Type II (target Q3 2026).
- Logging + monitoring. Server-side request logs retained 18 months. Cron + agent + admin actions audit-logged in the database with the same retention.
- Incident response. Documented detect → triage → contain → eradicate → recover → post-mortem playbook. Customer-affecting incidents disclosed to the Controller within 72 hours of confirmation (Section 9 above).
- Backups + recovery. Daily encrypted backups retained 7 days with point-in-time recovery. RTO 4 hours; RPO 24 hours.
- AI handling. Customer data is not used to train Palanor models or any third-party model. Anthropic, OpenAI, and ElevenLabs commercial terms prohibit training on API content; Palanor inherits and enforces those terms.
- Personnel. Production access limited to allow-listed Palanor personnel. Multi-factor authentication required on every administrative account. Joiner-mover-leaver process documented and enforced.
This Annex II is updated whenever a material control changes. The latest version always lives at this URL; the “Last updated” date at the top of the DPA reflects the most recent change.
Annex III — Subprocessors
Current list published at palanor.com/subprocessors. Customers may subscribe to change notifications at privacy@palanor.com.