This Data Processing Agreement (the "DPA") forms part of the Master Services Agreement or Order Form between Nova Software Infrastructure Limited ("Processor") and the entity identified as Customer ("Controller") and governs the processing of personal data carried out by Processor on behalf of Controller in the course of providing the Services.
1. Definitions
1.1
Terms not defined herein bear the meaning given in the GDPR. "Standard Contractual Clauses" or "SCCs" means the clauses annexed to Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
2. Subject-Matter & Duration
2.1
Subject-matter: processing of personal data necessary for Processor to provide the Services to Controller.
2.2
Duration: the term of the underlying agreement, plus any retention period required by applicable law.
3. Nature & Purpose of Processing
Hosting; storage; transmission; aggregation for security and abuse prevention; provision of operational telemetry to Controller; execution of API calls to Issuing Partners on Controller's documented instructions.
4. Categories of Data & Data Subjects
| Category | Examples | Data Subjects |
|---|---|---|
| Identifiers | Customer-supplied user ID, email, business name | Controller's end-customers and personnel |
| Operational | IP address, user agent, API request metadata | Controller's end-customers and personnel |
| Tokenized payment | Network tokens, last four digits, BIN | Cardholders |
5. Processor Obligations
5.1
Processor shall process personal data only on Controller's documented instructions, including with regard to transfers to a third country, unless required to do so by EU or Member State law.
5.2
Processor shall ensure that persons authorised to process personal data are bound by enforceable obligations of confidentiality.
5.3
Processor shall implement the technical and organizational measures described in Annex II below and assist Controller in ensuring compliance with Articles 32–36 GDPR.
6. Sub-Processors
6.1
Controller grants Processor general written authorisation to engage sub-processors, subject to (a) Processor maintaining an up-to-date list at
nova.dev/legal/subprocessors, (b) providing at least thirty (30) days' prior notice of new sub-processors, and (c) flowing down obligations no less protective than those of this DPA.7. International Transfers
7.1
Where Processor transfers personal data originating from the EEA, Switzerland or the United Kingdom to a country not benefiting from an adequacy decision, Module Two (Controller-to-Processor) of the SCCs is incorporated into this DPA by reference, supplemented by the UK Addendum where applicable.
8. Security Incident
8.1
Processor shall notify Controller without undue delay, and in any event within seventy-two (72) hours, upon becoming aware of a Personal Data Breach. The notification shall include the information required by Article 33(3) GDPR to the extent then known.
9. Audits
9.1
Processor shall make available to Controller all information necessary to demonstrate compliance with Article 28 GDPR, including Processor's SOC 2 Type II report and PCI-DSS Attestation of Compliance, on request and under NDA, no more than once per twelve (12) month period save where required by a competent supervisory authority.
10. Deletion & Return
10.1
Upon termination, Processor shall, at Controller's option, return or delete all personal data, save for copies required to be retained under applicable law (e.g., AML record-keeping obligations).
Annex I — Description of Processing
As set out in Section 3 (Nature & Purpose) and Section 4 (Categories of Data & Data Subjects) above.
Annex II — Technical & Organisational Measures
- AES-256 encryption at rest; TLS 1.3 in transit.
- Key custody in FIPS 140-2 Level 3 hardware security modules.
- Multi-region active-active architecture with daily restore drills.
- Role-based access control, MFA mandatory, just-in-time elevation.
- Continuous SAST, DAST and dependency scanning; annual third-party penetration test.
- Externally audited SOC 2 Type II and PCI-DSS Level 1 programs.
- 24×7 on-call security response; defined Personal Data Breach playbook.