Data Processing Agreement
Nico AI LLC · 1981 Brevard Rd, Arden, NC 28704 · harry.demere@gmail.com
1. Purpose and Roles
This Data Processing Agreement ("DPA") governs the processing of Employee Data in connection with Nico AI LLC's products and services, including the PEO Chat Bot and ExpensePath Expense Management platform.
- Controller: The PEO subscribing to the Services.
- Processor: Nico AI LLC.
2. Scope of Processing
Nico AI processes Employee HR data (pay, benefits, PTO) live via the PrismHR API. For the Chat Bot, this data is processed in memory and is never persisted or stored in Nico AI databases.
For ExpensePath, expense reports, line items, receipt images, and approval records are stored encrypted for the duration of the service agreement to enable ongoing expense management workflows.
3. Sub-Processors
The Processor engages the following sub-processors to deliver the Services:
| Service | Purpose | Compliance |
|---|---|---|
| Vercel | Application hosting | SOC 2 Type II, ISO 27001 |
| Supabase | Encrypted database & storage | SOC 2 Type II, HIPAA |
| Anthropic (Claude) | AI generation | SOC 2 Type II, zero data retention |
| OpenAI | Document embedding | No retention on API tier |
| PrismHR | Source HR data provider | SOC 2 Type II, ISO 27001, HIPAA |
| Stripe | Billing & payments | PCI DSS Level 1 |
4. Security Measures
Processor implements industry-standard security, including:
- Encryption: TLS/HTTPS for data in transit; AES-256-GCM for data at rest, including all stored credentials.
- Isolation: Multi-tenant isolation by PEO ID and Client ID. No cross-tenant data access is possible.
- Access: Read-only API access to PrismHR. Role-based access control enforced across all endpoints.
- Audit Logging: All administrative actions are logged with user identity, IP address, timestamp, and action details.
5. Data Retention & Breach Notification
- Retention: Employee HR data and conversation content from the Chat Bot are not retained. Expense data is retained for the duration of the service agreement. PEO credentials and all stored data are deleted within 30 days of termination.
- Breach: Processor will notify Controller within 72 hours of discovering a data breach affecting Employee Data.
For questions about this DPA, contact harry.demere@gmail.com.