Data Processing Agreement
GDPR Article 28-compliant Data Processing Agreement (DPA) that Niserva enters into with customers acting as controllers.
This Data Processing Agreement ("DPA") is concluded between the Customer (acting as data controller) and MB „O zeniau“, operator of Niserva (acting as data processor), and sets out the terms under which Niserva processes the Customer's personal data while providing the service. The DPA supplements the Niserva Terms of Service and is drafted to comply with Article 28 of the GDPR.
1. Definitions
- Customer = data controller using the Niserva platform on behalf of an organization.
- Niserva (MB „O zeniau“) = data processor providing the platform service to the Customer.
- GDPR = Regulation (EU) 2016/679.
- Sub-processor = third party engaged by Niserva to process data on its behalf.
2. Subject matter, duration and nature of processing
Niserva processes personal data submitted by the Customer for the duration of the service contract, in order to provide the NIS2 compliance management platform. Processing is automated, performed in Niserva's infrastructure, and consists of typical SaaS operations — storage, retrieval, display, export.
3. Purpose of processing
- Delivery of the service under contract.
- Customer support and troubleshooting.
- Security, fraud and abuse prevention.
- Compliance management features (audit log, control tracking).
4. Categories of data processed
- Customer staff data — names, emails, roles, login records, MFA device markers.
- Customer vendor and counterparty data — names, contacts, risk assessments, entered by the Customer.
- Incident data — may include third parties (e.g. affected data subjects) where the Customer enters them when recording an incident.
5. Categories of data subjects
- Customer employees and account users.
- Customer vendors and third-party partners.
- Customer's customers or other persons affected by an incident (where mentioned).
- Job applicants in the Customer's organization (where the relevant features are used).
6. Processor obligations
As data processor Niserva commits to:
- Process personal data only on the Customer's documented instructions.
- Ensure that personnel authorized to process data are bound by confidentiality.
- Implement appropriate technical and organizational measures (see Security page): encryption, access control, RLS, audit logging, MFA.
- Assist the Customer in responding to data subject requests (GDPR Articles 12–22) within a reasonable time.
- Notify the Customer of a personal data breach within 48 hours of detection.
- On termination, at the Customer's choice, delete or return all personal data, except where retention is required by law.
7. Sub-processors
The Customer grants Niserva a general authorization to engage sub-processors. Niserva will notify the Customer by email of any planned changes (new or replaced sub-processor) at least 30 days in advance. The Customer may reasonably object to such changes.
| Processor | Purpose | Region |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | EU (eu-west-1) |
| Vercel Inc. | Hosting, edge infrastructure | EU + US (Frankfurt) |
| Anthropic PBC | AI Compliance Officer, AI policy generation | US (DPF + SCC) |
| Resend Inc. | Transactional email delivery | US (DPF + SCC) |
| Stripe Payments Europe Ltd. | Payment processing | Ireland + US (DPF) |
8. International transfers
Where data leaves the EU/EEA (e.g. Anthropic, Resend, Stripe US infrastructure), Niserva relies on appropriate safeguards — the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU-U.S. Data Privacy Framework (DPF). The primary database and evidence storage remain in EU regions (eu-west-1, Frankfurt).
9. Breach notification
Niserva will notify the Customer of personal data breaches affecting the Customer's data within 48 hours of detection. The notification will describe the nature of the breach, categories and approximate number of subjects and records concerned, likely consequences, and measures taken or proposed.
10. Audit rights
The Customer may, no more than once per year, request an audit report or certification (such as ISO 27001 or SOC 2, once available), which Niserva will provide electronically. On-site audits are conducted only where required by law or a supervisory authority, and on terms agreed separately.
11. Return and deletion of data
On termination the Customer has 30 days to export their data through the Niserva interface. After this period, Niserva deletes the data from active systems within 30 days and from backups within 90 days. Where Niserva is legally required to retain certain records, they are kept only for as long as the law requires.
12. Liability
The liability of each party under this DPA is governed by the limits set out in the Niserva Terms of Service, including the maximum aggregate liability cap.
13. Governing law
This DPA is governed by the laws of the Republic of Lithuania; disputes are decided by the Vilnius City District Court.
14. Contact
For questions about this DPA, personal data processing, or data subject rights, contact: info@nexdev.lt.