Data Processing Agreement

Last updated: May 2026

Draft notice — pending legal review

This document is a working draft published for transparency and is awaiting review by qualified data-protection counsel. Until the executed version is signed by both parties, please treat this page as informational. The signed DPA that applies to your processing activities is provided on request to [email protected] or upon contract execution.

1. Parties and Definitions

This Data Processing Agreement ("DPA") forms part of the Terms of Service between [Company Name] ("Nuvi", the "Processor") and the customer signing up for the Service ("Customer", the "Controller"). The DPA applies whenever Nuvi processes Personal Data on behalf of the Customer in connection with the Service.

Defined terms not specified herein have the meaning given in Regulation (EU) 2016/679 ("GDPR") and, where applicable, in the Turkish Personal Data Protection Law No. 6698 ("KVKK").

2. Subject-matter and Duration

Subject-matter: provision of the Nuvi platform — a multi-tenant e-commerce, content, and AI-assistant service hosted at usenuvi.com — including processing of Personal Data submitted by the Customer or its end-users in the course of using the Service.

Duration: this DPA remains in force for as long as the Customer holds an active Nuvi subscription, plus the post-termination retention and deletion period defined in Section 10.

3. Categories of Data Subjects and Personal Data

Data subjects: the Customer's end-customers, employees, suppliers, and site visitors whose Personal Data is collected through the Service.

Categories of Personal Data: identification data (name, email, phone), account credentials (hashed), addresses (billing, shipping), order history, payment-method tokens (full PAN never stored by Nuvi), interaction logs, and any other Personal Data the Customer chooses to store via the Service.

4. Nature and Purpose of Processing

Nuvi processes Personal Data solely to provide the Service to the Customer in accordance with the Customer's documented instructions. This includes: hosting, storage, transmission, backup, search, indexing, support requests handled at the Customer's request, and any feature-specific operations the Customer enables (e.g. AI assistant, automation flows, email delivery).

5. Obligations of the Processor

Nuvi shall (a) process Personal Data only on documented instructions from the Customer; (b) ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations; (c) implement and maintain appropriate technical and organizational measures (Section 7); (d) respect the conditions for engaging sub-processors set out in Section 6; (e) assist the Customer in fulfilling its obligations to respond to requests from data subjects; (f) assist the Customer in ensuring compliance with Articles 32 to 36 of GDPR (security, breach notification, DPIA, prior consultation); and (g) at the Customer's choice, delete or return all Personal Data after the end of the provision of services, except where retention is required by Union or Member-State law.

Nuvi shall make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, subject to reasonable scope, scheduling, and confidentiality terms.

6. Sub-processors

The Customer authorizes Nuvi to engage sub-processors for the provision of the Service. The current list of sub-processors is published at /subprocessors and updated from time to time.

Nuvi shall provide reasonable advance notice of any intended additions or replacements to the sub-processor list. The Customer may object to such changes on reasonable data-protection grounds within 30 days of notice; in such cases the parties shall work in good faith to find a resolution.

Nuvi shall enter into a written contract with each sub-processor containing data-protection obligations no less protective than those in this DPA. Nuvi remains fully liable to the Customer for the performance of each sub-processor's obligations.

7. Technical and Organizational Measures

Nuvi maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including: encryption in transit (TLS 1.3 with HSTS preload), encryption at rest (AES-256 for database volumes and object storage), per-tenant logical isolation, least-privilege access controls with audit logging, secret-vault storage for OAuth tokens and API credentials, automated dependency scanning, vulnerability monitoring, incident-response procedures, and personnel security training.

A more detailed description of operational practices is published at /security and forms part of this DPA.

8. International Transfers

Personal Data is primarily stored within the European Economic Area. Where transfers to a third country are necessary to provide the Service (for example because a sub-processor is established outside the EEA), Nuvi will rely on a transfer mechanism recognized under Chapter V of GDPR — typically the European Commission's Standard Contractual Clauses, where applicable — and shall implement supplementary measures where required by case law.

9. Personal Data Breaches

Nuvi shall notify the Customer without undue delay after becoming aware of a Personal Data breach affecting the Customer's Personal Data, providing such information as is reasonably available to enable the Customer to comply with its breach-notification obligations. Where the full information is not yet available, Nuvi will provide it in phases as it becomes available.

10. Return or Deletion of Personal Data

Upon termination or expiry of the Service, Nuvi shall — at the Customer's choice — delete or return all Personal Data, and delete existing copies, unless Union or Member-State law requires retention.

Customer-initiated export is available at any time through the dashboard or API. The default deletion timeline upon account closure is 30 days, subject to legally mandated retention periods.

11. Liability and Order of Precedence

The liability provisions of the Terms of Service apply equally to this DPA. In the event of a conflict between this DPA and the Terms of Service in matters of data protection, this DPA prevails.

Nothing in this DPA limits any rights or remedies available to either party under applicable data-protection law.

12. Governing Law and Jurisdiction

This DPA is governed by the law specified in the Terms of Service. Disputes arising out of or in connection with this DPA shall be resolved as set out in the Terms of Service.