GDPR Compliance

Heka Services Inc. (“we”, “us”) is committed to protecting the personal data of all individuals who use the NARA platform. We comply with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the UK GDPR for all users located in the European Economic Area (EEA), United Kingdom, and Switzerland.

This page outlines the specific technical and organizational measures we implement, how we handle data subject rights, and how we manage international data transfers.

Depending on the context, we act as either a data controller or a data processor:

• Controller— For account registration data, billing information, and marketing website analytics. We determine the purposes and means of processing.
• Processor— For organizational data entered by our customers (tasks, messages, files, time entries, objectives). The Organization Owner determines why and how this data is processed; we process it on their behalf to provide the Service.

We implement the following technical safeguards to ensure data protection by design and by default:

Encryption

• All data in transit is encrypted using TLS 1.2 or higher between your browser and our servers, and between our servers and sub-processors.
• All data at rest is encrypted using AES-256 in our database (Supabase PostgreSQL) and file storage.
• Passwords are hashed using bcrypt — we never store plaintext passwords.

Row Level Security (RLS) — Data Isolation

Every table in our PostgreSQL database has Row Level Security enabled. RLS policies enforce that:

• Users can only access data belonging to their active Organization. The org_id is embedded in the JWT token and checked on every query.
• Organization A's data is never accessible to Organization B, even if a user belongs to both — access is scoped to the currently active organization.
• Role-based policies further restrict access within an organization (e.g., employees cannot access admin settings).

Authentication

• JWT-based authentication with short-lived access tokens and refresh token rotation.
• Strong password policy enforced: minimum 10 characters, uppercase, lowercase, digit, and special character.
• Session management via Supabase Auth with automatic token refresh and cookie-based storage.

Infrastructure

• Application hosted on Vercel with automatic DDoS protection and edge caching.
• Database hosted on Supabase with automated daily backups and point-in-time recovery.
• Dependency auditing and regular security patches.

• Access control— Access to production systems and databases is restricted to authorized personnel on a need-to-know basis, using multi-factor authentication.
• Employee awareness — All team members handling personal data receive training on data protection obligations and security best practices.
• Vendor management— All sub-processors are evaluated for their data protection practices and bound by data processing agreements before we share any data with them.
• Incident response plan — We maintain a documented incident response procedure that is reviewed and tested regularly.
• Data minimization— We collect and process only the data necessary to provide and improve the Service. We do not sell or share personal data for advertising purposes.

For customers on the Enterprise plan, we provide a Data Processing Agreement that formalizes:

• The scope and purpose of data processing
• Categories of personal data and data subjects
• Obligations and rights of the controller (customer) and processor (us)
• Sub-processor engagement rules and notification obligations
• Technical and organizational security measures
• Data return and deletion procedures upon contract termination
• Audit rights for the controller
• Breach notification commitments

To request a copy of our DPA or to initiate the signing process, contact privacy@nara.app. DPAs for Business plan customers are also available upon request.

Under the GDPR, individuals located in the EEA, UK, and Switzerland have the following rights. Here is how to exercise each one:

All requests are handled free of charge. If a request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse the request, providing an explanation.

In the event of a personal data breach that poses a risk to individuals' rights and freedoms, we will:

• Notify the supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
• Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Article 34).
• Notify Organization Owners (our customers acting as controllers) immediately so they can fulfill their own notification obligations.

Breach notifications will include:

• A description of the nature of the breach
• Categories and approximate number of individuals affected
• Likely consequences of the breach
• Measures taken or proposed to mitigate the breach
• Contact details of our Data Protection team

NARA's infrastructure providers (Vercel, Supabase, Anthropic) are headquartered in the United States. Data from users in the EEA, UK, and Switzerland may be transferred to the US for processing.

We protect these transfers using:

• Standard Contractual Clauses (SCCs) — EU Commission-approved clauses are in place with all sub-processors to ensure adequate protection of personal data transferred outside the EEA.
• Supplementary measures — Encryption in transit (TLS 1.2+) and at rest (AES-256), access controls, and contractual commitments to challenge disproportionate government access requests.
• Sub-processor compliance — Vercel and Supabase maintain SOC 2 Type II certifications. Anthropic operates under their commercial privacy commitments.

A Transfer Impact Assessment (TIA) has been conducted for each sub-processor. Copies are available upon request for Enterprise customers.

For all matters related to GDPR compliance, data protection, or to exercise your rights, contact our Data Protection team:

• Email: privacy@nara.app
• Company: Heka Services Inc.
• Address: Montreal, QC, Canada

You also have the right to lodge a complaint with your local supervisory authority. For EEA residents, a list of supervisory authorities is available on the EDPB website.

We will update this page whenever we make changes to our GDPR compliance measures, sub-processors, or data handling practices. The “Last updated” date at the top of the page reflects the most recent revision. Material changes will be communicated via email to Organization Owners.