Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between Nexvio AI ("Processor") and the entity agreeing to these terms ("Controller") for the provision of AI-powered customer support services.
This DPA establishes the terms under which Nexvio AI will process personal data on behalf of the Controller in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) 2016/679, the UK Data Protection Act 2018, and the California Consumer Privacy Act (CCPA).
1. Interpretation
In this DPA, the following terms have the meanings set out below:
- "Controller" means the entity that determines the purposes and means of the processing of Personal Data.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
- "Processor" means Nexvio AI, which processes Personal Data on behalf of the Controller.
- "Data Protection Laws" means all applicable laws relating to data protection and privacy, including but not limited to the EU General Data Protection Regulation (GDPR) 2016/679, the UK Data Protection Act 2018, UK GDPR, and the California Consumer Privacy Act (CCPA), as amended from time to time.
- "Subprocessor" means any third party engaged by Nexvio AI to process Personal Data on behalf of the Controller.
2. Relationship of the Parties
With respect to Personal Data processed under this DPA:
- The Controller determines the purposes and means of processing Personal Data.
- Nexvio AI acts as a Processor and shall process Personal Data only in accordance with the Controller's documented instructions.
- The Controller warrants that its instructions comply with all applicable Data Protection Laws.
- Nexvio AI shall inform the Controller if, in its opinion, an instruction infringes Data Protection Laws.
3. Processing of Personal Data
3.1 Purposes of Processing
Nexvio AI processes Personal Data for the following purposes:
- Providing AI-powered customer support and chatbot services
- Processing and responding to customer inquiries
- Training and improving AI models based on conversation data
- Delivering notifications and communications
- Ensuring service functionality and security
- Analytics and performance monitoring
- Billing and account management
3.2 Categories of Personal Data
The following categories of Personal Data may be processed:
- Contact information (name, email address, phone number)
- Account credentials and authentication data
- Communication content and conversation history
- Usage patterns and interaction data
- Device and browser information
- IP addresses and location data
- Billing information (processed via secure payment providers)
3.3 Categories of Data Subjects
Personal Data may be processed relating to:
- Controller's employees and authorized users
- Controller's customers and end-users
- Visitors interacting with the Controller's chatbot or support channels
4. Technical and Organizational Measures
Nexvio AI implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Access Controls: Role-based access controls limiting access to Personal Data to authorized personnel only.
- Encryption: Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256).
- Infrastructure Security: Hosting on secure cloud infrastructure with industry-standard security certifications.
- Regular Updates: Regular security updates and vulnerability assessments.
- Backups: Regular secure backups with appropriate retention and recovery procedures.
- Personnel Training: Data protection and security awareness training for all personnel.
- Incident Response: Documented incident response procedures for security events.
5. Subprocessors
The Controller authorizes Nexvio AI to engage the following categories of Subprocessors to assist in providing the services:
| Subprocessor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Cloud hosting and infrastructure | United States |
| Amazon Web Services (AWS) | Cloud hosting and data storage | United States / EU (region-dependent) |
| OpenAI | AI inference and language model processing | United States |
| Anthropic | AI inference and language model processing | United States |
Nexvio AI ensures that all Subprocessors are bound by data protection obligations equivalent to those in this DPA. The Controller may object to the appointment of a new Subprocessor by providing written notice within 14 days of being informed.
6. Data Subject Rights
Nexvio AI shall assist the Controller in responding to requests from Data Subjects exercising their rights under Data Protection Laws, including:
- Right of Access: The right to obtain confirmation of processing and access to Personal Data.
- Right to Rectification: The right to correct inaccurate or incomplete Personal Data.
- Right to Erasure: The right to request deletion of Personal Data under certain circumstances.
- Right to Restrict Processing: The right to limit how Personal Data is used.
- Right to Data Portability: The right to receive Personal Data in a structured, commonly used format.
- Right to Object: The right to object to processing in certain circumstances.
Nexvio AI shall notify the Controller without undue delay upon receiving any request from a Data Subject.
7. Personal Data Breach
In the event of a Personal Data breach, Nexvio AI shall:
- Notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of the breach.
- Provide the Controller with sufficient information to enable compliance with breach notification obligations.
- Cooperate with the Controller in investigating and mitigating the effects of the breach.
- Take reasonable steps to prevent recurrence of such breaches.
8. International Data Transfers
Where Personal Data is transferred outside the European Economic Area (EEA) or the United Kingdom, Nexvio AI ensures appropriate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs) for transfers to third countries.
- Adequacy decisions by the European Commission where applicable.
- Supplementary technical and organizational measures to ensure data protection.
9. Data Retention and Deletion
Nexvio AI shall:
- Process Personal Data only for the duration necessary to fulfill the purposes outlined in this DPA.
- Upon termination of services or upon the Controller's written request, delete or return all Personal Data unless retention is required by applicable law.
- Certify deletion of Personal Data upon the Controller's request.
10. Audits and Compliance
Nexvio AI shall:
- Maintain records of processing activities as required by Data Protection Laws.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA.
- Allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations.
11. Contact Information
For questions or concerns regarding this DPA or data protection matters, please contact:
W3 Dev LLC (operating as Nexvio AI)
1309 Coffeen Avenue
Sheridan, WY 82801
United States
Email: [email protected]
12. Changes to this DPA
Nexvio AI may update this DPA from time to time to reflect changes in our practices or applicable laws. We will notify Controllers of any material changes in accordance with applicable legal requirements. Continued use of our services after such notification constitutes acceptance of the updated DPA.
13. Effective Date
This Data Processing Agreement is effective as of January 24, 2026.