Data Processing Agreement

GDPR Article 28 compliant agreement governing how Nubiq processes personal data on your behalf.

Last updated: March 2026

1. Definitions

For the purposes of this Data Processing Agreement ("DPA"), the following terms apply:

• "Controller" means the Customer — the entity that determines the purposes and means of processing personal data through the Nubiq AI platform.
• "Processor" means Nubiq AI — the entity that processes personal data on behalf of the Controller to provide the Service.
• "Data Subject" means an identified or identifiable natural person whose personal data is processed. This includes your end-users, website visitors, and any individuals whose data passes through the platform.
• "Personal Data" means any information relating to a Data Subject, as defined in GDPR Article 4(1). This includes names, email addresses, conversation content, IP addresses, and any other data uploaded to or generated within the Service.
• "Subprocessor" means a third party engaged by the Processor to assist in processing personal data on behalf of the Controller.
• "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

This DPA supplements the Terms of Service (/terms) and applies when Nubiq processes personal data on your behalf as defined by GDPR Article 28.

2. Scope & Purpose

This DPA governs the processing of personal data that the Controller entrusts to Nubiq in connection with the Service.

Purpose of processing: Nubiq processes personal data solely to provide the AI Chat Platform services described in the Terms of Service, including:
• Receiving and delivering chat messages across configured channels (web widget, WhatsApp, Telegram, Discord)
• Processing uploaded documents to generate vector embeddings for retrieval-augmented generation (RAG)
• Storing conversation history and metadata for the Controller's operational use
• Routing messages through AI models to generate responses based on the Controller's knowledge base
• Managing appointment scheduling, ticket creation, and contact information as configured by the Controller
• Sending notifications and alerts as configured by the Controller

Categories of data subjects: End-users who interact with the Controller's chatbot, the Controller's team members (agents, admins), and any individuals whose data is contained in uploaded documents.

Types of personal data: Names, email addresses, phone numbers, conversation content, uploaded document content, IP addresses, device information, and any other personal data submitted through the Service.

Duration: Processing continues for the duration of the Controller's subscription and for 30 days thereafter to allow data export.

3. Customer Obligations (Controller)

As the Controller, you are responsible for:
• Ensuring that you have a lawful basis for processing personal data through the Service (e.g., consent, contract, legitimate interest)
• Providing appropriate privacy notices to your end-users informing them that their data will be processed by an AI chatbot platform
• Responding to Data Subject requests (with our reasonable assistance as described in Section 4)
• Ensuring that the data you upload and process through the Service complies with applicable data protection laws
• Configuring data retention periods appropriate to your legal and business requirements
• Notifying Nubiq promptly if you become aware of any data protection issue that may affect the processing
• Ensuring that your use of the Service, including AI-generated responses, complies with applicable laws in your jurisdiction

You acknowledge that Nubiq processes data based on your documented instructions. The configuration of channels, AI behavior, data retention, and access controls constitutes your instructions to us.

4. Nubiq Obligations (Processor)

As the Processor, Nubiq commits to the following obligations:

Documented instructions: We process personal data only on the basis of your documented instructions (including the configuration of the Service) and in accordance with this DPA. If we believe an instruction violates applicable data protection law, we will inform you.

Confidentiality: All personnel authorized to process personal data are bound by obligations of confidentiality. Access to personal data is restricted to personnel who need it to provide the Service.

Security measures: We implement appropriate technical and organizational measures to protect personal data (detailed in Section 6).

Subprocessors: We engage subprocessors only with your prior authorization and under written agreements that impose equivalent data protection obligations (detailed in Section 5).

Data Subject requests: We will promptly notify you of any Data Subject request we receive directly and will assist you in fulfilling your obligations to respond to such requests, including access, rectification, erasure, and portability requests.

Breach notification: We will notify you of any Data Breach without undue delay (detailed in Section 7).

Deletion: Upon termination of the Service, we will delete or return all personal data as described in Section 8.

Audit support: We will make available information necessary to demonstrate compliance with this DPA and allow for audits as described in Section 9.

5. Subprocessors

Nubiq uses the following categories of subprocessors to deliver the Service:
• AI model providers (for generating chat responses and document embeddings)
• Cloud storage providers (for document storage)
• Payment processors (for subscription billing)
• Security tools (for malware scanning — self-hosted)

A current, detailed list of subprocessors including their names, purposes, locations, and links to their DPAs is maintained at /legal/subprocessors.

Before engaging a new subprocessor or changing an existing one, we will:
• Notify you at least 30 days in advance via email
• Provide details about the new subprocessor's identity, location, and processing activities
• Allow you to object to the new subprocessor within 14 days of notification

If you reasonably object to a new subprocessor and we cannot accommodate your objection, either party may terminate the affected Service component without penalty.

We ensure that all subprocessors are bound by written agreements that impose data protection obligations no less protective than those in this DPA.

6. Data Security Measures

Nubiq implements the following technical and organizational security measures to protect personal data:

Encryption:
• Data in transit: TLS 1.3 for all API communications, WebSocket connections, and webhook deliveries
• Data at rest: AES-256 encryption for documents in Cloudflare R2 storage and database backups

Access controls:
• Role-based access control (RBAC) with distinct roles: owner, admin, supervisor, agent, viewer
• JWT-based authentication with short-lived access tokens and refresh token rotation
• Multi-factor authentication (MFA) via TOTP for all team member accounts
• SSO integration via OIDC and SAML for enterprise customers

Infrastructure security:
• ClamAV malware scanning on all uploaded documents
• Ed25519 signature verification for Discord webhook interactions
• HMAC-SHA256 validation for WhatsApp webhook payloads
• CSRF protection on all state-changing endpoints
• Rate limiting on authentication and API endpoints

Monitoring and logging:
• Comprehensive audit logs for administrative actions
• Real-time security monitoring and anomaly detection
• Automated daily database backups with encryption

Development practices:
• Regular dependency security scanning
• Automated CI/CD pipeline with security gates
• Principle of least privilege for all system components

7. Data Breach Notification

In the event of a Data Breach affecting personal data processed on your behalf, Nubiq will:

1. Notify you without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with GDPR Article 33.
2. Provide the following information (to the extent available):
   • Nature of the breach, including categories and approximate number of Data Subjects affected
   • Categories and approximate volume of personal data records affected
   • Likely consequences of the breach
   • Measures taken or proposed to address the breach and mitigate its effects
   • Contact point for further information
3. Cooperate with you in investigating the breach and fulfilling your notification obligations to supervisory authorities and Data Subjects.
4. Document all Data Breaches, including their effects and the remedial action taken.
5. Take immediate steps to contain and remediate the breach.

Notification of a breach is not an acknowledgment of fault or liability. The obligation to notify supervisory authorities and Data Subjects under GDPR Articles 33 and 34 remains with you as the Controller.

8. Data Deletion

Upon termination or expiration of the Service:

• Export period: You will have 30 days from the date of termination to export your data through the Service's export functionality or API.
• Deletion: After the 30-day export period, we will permanently delete all personal data processed on your behalf from our active systems, including:
  - Conversation data and message history
  - Uploaded documents and generated vector embeddings
  - Contact information and ticket data
  - Agent profiles and configuration data
• Backup retention: Personal data may persist in encrypted backups for up to 90 days after deletion from active systems. Backups are automatically purged on a rolling schedule.
• Exceptions: We may retain limited data where required by applicable law (e.g., billing records for tax purposes). Such retained data will be processed only for the legally required purpose.
• Certification: Upon request, we will provide written confirmation that personal data has been deleted in accordance with this section.

You may also request deletion of specific data during the term of the Service through Dashboard → Settings or by contacting support@nubiq.ai.

9. Audits

To demonstrate compliance with this DPA and GDPR Article 28:

Information access: Nubiq will make available to you all information reasonably necessary to demonstrate compliance with our obligations under this DPA.

Audit rights: You (or an independent third-party auditor appointed by you) may conduct audits of our data processing activities, subject to the following conditions:
• Reasonable notice: Audits require at least 30 days' written notice.
• Scope: Audits are limited to processing activities related to your data and this DPA.
• Frequency: One audit per 12-month period, unless a Data Breach or supervisory authority requirement justifies additional audits.
• Confidentiality: Auditors must agree to confidentiality obligations before accessing our systems or documentation.
• Cost: Audit costs are borne by the requesting party, except where an audit reveals material non-compliance, in which case Nubiq will bear reasonable costs.
• Cooperation: Nubiq will cooperate with audits and provide reasonable access to relevant documentation, systems, and personnel.

Where available, we may satisfy audit requests by providing relevant certifications, audit reports, or compliance documentation from independent assessors.

10. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service (/terms), except where applicable law prohibits such limitation.

Both parties agree to:
• Indemnify the other party for damages arising from their breach of this DPA
• Cooperate in good faith to resolve any data protection disputes
• Maintain appropriate insurance coverage for data processing activities

Nothing in this DPA limits either party's liability for:
• Fraud or fraudulent misrepresentation
• Death or personal injury caused by negligence
• Any liability that cannot be limited by applicable law
• Fines or penalties imposed directly on a party by a supervisory authority for that party's own violations

11. Duration & Termination

This DPA takes effect when you start using the Service and remains in effect for as long as Nubiq processes personal data on your behalf.

• This DPA automatically terminates when the Terms of Service terminate and all personal data has been deleted or returned in accordance with Section 8.
• Obligations that by their nature should survive termination (including confidentiality, data deletion, audit rights, and liability) will remain in effect.
• If any provision of this DPA conflicts with the Terms of Service, this DPA will take precedence with respect to data processing matters.
• This DPA may be updated to reflect changes in applicable law. Material changes will be communicated at least 30 days in advance.

For questions about this DPA, contact dpo@nubiq.ai.
