Last updated:
This page summarises the standard Data Processing Agreement (DPA) that customers enter into with NvisionData when we process personal data on their behalf. The full, signature-ready PDF is linked at the bottom. If you need redlines, contact legal@nvisiondata.com.
Under the GDPR (and the equivalent UK and Swiss laws), if you process personal data of residents of those regions through a vendor, you need a written agreement that sets out how the vendor handles that data. NvisionData provides a standard DPA at no extra cost.
If you only use NvisionData to track non-EU/UK/CH visitors, a DPA is not legally required, but you're welcome to sign anyway — the protections apply to all the data we hold for you.
For the analytics events you collect through NvisionData, you are the data controller — you decide what to collect, why, and what consent to ask for. NvisionData is the processor — we handle the data on your documented instructions and don't use it for our own purposes.
The DPA reflects this split. Where the SPEC describes us as a controller — for our customers' account and billing data — that's covered by the Privacy Policy, not the DPA.
The DPA covers the personal data your end-users send through our ingest pipeline:
We process this data for one purpose only: providing the NvisionData service the way you've configured it. We don't train models on your data, sell it, share it with advertisers, or use it for our own research.
Running the platform requires a small number of vendors — hosting, database, email delivery, payment processing. The complete current list lives at /legal/sub-processors and is updated whenever the list changes.
By signing the DPA you give general authorisation for the sub-processors on that list. When we add a new sub-processor we post the change at least 30 days in advance, and you can object during that window.
NvisionData Cloud is EU-resident by default. Personal data of EU subjects stays in EU datacentres for ingestion, processing, and storage. A small number of operational vendors (Stripe for billing, Sentry for error reporting, Cloudflare for edge traffic) are headquartered in the United States; for those flows we rely on the European Commission's Standard Contractual Clauses (SCCs) plus the additional safeguards each vendor publishes.
The SCCs are incorporated by reference into the DPA. If you self-host NvisionData, your instance runs on your own infrastructure — no transfer happens unless you opt in to a cloud destination yourself.
The DPA commits us to the security measures listed in our Privacy Policy — TLS in transit, encryption at rest, scoped credentials, the separated identity vault, dependency hygiene, and the SOC 2 Type I roadmap (we don't claim it's complete).
If we discover a personal-data breach affecting your data, we notify you without undue delay and at the latest within 72 hours of becoming aware. The notification includes the nature of the breach, the data involved, our assessment of the risk, and the steps we're taking.
You can audit our compliance with the DPA up to once a year at your cost, with at least 30 days' notice and during business hours. We'll happily replace an on-site audit with our SOC 2 Type I report once it's available. In the interim, we share our internal control summary, the sub-processor list, and the security measures inventory on request to legal@nvisiondata.com.
On request, and on termination, we return or delete the personal data we hold for you, at your choice. Backups are purged within 60 days of deletion. If a law forces us to keep something longer (tax, accounting), we tell you what and why.
Download the standard DPA, counter-sign it, and email a copy to legal@nvisiondata.com. We'll counter-sign and return within two business days.
The PDF below is a template the site operator uploads at deploy time. If the link 404s, your operator hasn't uploaded a file yet; email us and we'll send the latest version directly.
Operator note: place a counter-signed PDF at public/legal/dpa.pdf on the deployed console; the link above resolves to it. Self-host operators should replace the template with one their counsel has reviewed.