Data Processing Agreement
FirstLine Intelligence Systems, LLC · Effective: May 1, 2026
By using the Narrative AI platform, you agree to be bound by this document and all applicable Narrative AI policies.
This Data Processing Agreement ("DPA") is entered into between FirstLine Intelligence Systems, LLC ("Processor," "Company") and the subscribing law enforcement agency ("Controller," "Agency"). This DPA governs the processing of personal data by the Company on behalf of the Agency in connection with the Narrative AI platform ("Platform"). This DPA is incorporated into and subject to the Agency Agreement and Terms of Service.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person included in or associated with reports and data submitted through the Platform, including officer identity, subject identity, witness information, and incident participants.
"Processing" means any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
"Sub-Processor" means any third-party service provider engaged by the Company to process Personal Data on behalf of the Agency.
2. Nature and Purpose of Processing
The Company processes Personal Data solely to provide the Platform's functionality, including: AI-assisted report generation, report storage and retrieval, IARE risk analysis, account management, and customer support. Processing occurs in accordance with the Agency's instructions as expressed through use of the Platform.
3. Categories of Data Processed
The Company may process the following categories of data on behalf of the Agency: (a) officer personal information (name, badge number, email, agency affiliation); (b) incident information (location, date, time, incident type); (c) subject and witness information as entered by officers (names, descriptions, statements); (d) evidence descriptions and case notes; (e) usage and audit log data.
4. Controller Instructions
The Agency, as Controller, instructs the Company to process Personal Data as necessary to provide the Platform services. The Agency represents that it has the legal authority to provide such instructions and that such instructions comply with applicable law. The Company will notify the Agency if it believes any instruction violates applicable law.
5. Security Measures
The Company implements the following technical and organizational security measures: (a) encryption of data in transit using TLS 1.2 or higher; (b) encryption of data at rest; (c) role-based access controls limiting employee access to customer data; (d) multi-factor authentication for administrative access; (e) regular security assessments and vulnerability scanning; (f) incident response procedures with 72-hour breach notification to affected agencies.
6. Sub-Processors
The Agency authorizes the Company to engage the following sub-processors to assist in providing the Platform:
- OpenAI, L.L.C. — AI language model processing for report generation and IARE analysis. Data submitted via API is not used to train OpenAI models per OpenAI's API terms.
- Supabase, Inc. — Database storage, authentication, and file storage.
- Vercel, Inc. — Application hosting and edge delivery.
- Resend, Inc. — Transactional email delivery.
- Stripe, Inc. — Payment processing. Stripe's own privacy policy governs payment card data.
The Company will notify agencies of material changes to sub-processors. Agencies may object to new sub-processors by contacting info@narrative-ai.org within 14 days of notification.
7. Data Subject Rights
To the extent that individuals exercise data subject rights (access, correction, deletion, portability) in connection with data processed through the Platform, the Agency is the primary point of contact. The Company will assist the Agency in responding to such requests to the extent technically feasible.
8. Data Retention and Deletion
The Company retains Personal Data for the duration of the subscription and for up to 90 days following termination, after which data is deleted from active systems. The Agency may request earlier deletion of specific data by contacting info@narrative-ai.org. Backup copies may persist for up to an additional 30 days following deletion from active systems.
9. Audit Rights
Upon 30 days' written notice, the Agency may request documentation of the Company's security practices and sub-processor agreements. The Company will respond to reasonable security questionnaires and may provide SOC reports or equivalent attestations where available.
10. Return or Destruction of Data
Upon termination, the Agency may request a data export within 30 days. After the export window, all Agency data will be deleted from active systems. The Company will confirm deletion in writing upon request.
11. Governing Law
This DPA is governed by the laws of the State of Oklahoma. To the extent federal or state data protection regulations impose additional requirements, this DPA shall be interpreted to comply with those requirements.
12. Contact
Data processing inquiries: info@narrative-ai.org. FirstLine Intelligence Systems, LLC · Oklahoma & Texas.