Data Processing Addendum

The customer is the controller/business for customer personal data submitted to or connected with Nuvid. Nuvid is the processor/service provider for that customer personal data. Nuvid remains controller for its own account, billing, security, website, analytics and business operations data.

Nuvid will process customer personal data only to provide, secure, maintain and improve the Service, follow documented customer instructions, comply with law, and perform obligations described in the Terms, Privacy Policy, order forms and dashboard settings.

• Data subjects: customer users, team members, ecommerce customers, leads, creators, partners, contacts and end users whose data is submitted or connected by the customer.
• Data categories: names, emails, company information, store data, product data, campaign data, connected-account metadata, analytics, comments, prompts, files, generated outputs and identifiers needed to operate the Service.
• Special categories: customers must not submit sensitive personal data unless expressly agreed in writing and supported by the Service.

Nuvid will require personnel and contractors with access to customer personal data to protect it confidentially. Nuvid maintains technical and organizational measures designed to protect customer personal data, including TLS in transit, access controls, scoped credentials, separation of platform secrets and client tokens, logging where appropriate and least-privilege operational access.

Customer authorizes Nuvid to use subprocessors needed to provide the Service, including hosting, storage, AI inference, authentication, email, payments, analytics, error monitoring and customer-authorized integrations. Nuvid remains responsible for subprocessors' processing of customer personal data under this DPA and will use a written agreement requiring appropriate data-protection commitments.

Subprocessor categories include Cloudflare infrastructure, Stripe payments, Resend email, OpenAI/Google AI services and connected platforms such as Google, Meta, TikTok, Shopify, WooCommerce and YouTube when a customer enables those integrations.

Where customer personal data protected by GDPR or UK GDPR is transferred outside the EEA, Switzerland or the United Kingdom, Nuvid will use appropriate safeguards such as Standard Contractual Clauses, UK transfer mechanisms, adequacy decisions or another lawful transfer mechanism.

Taking into account the nature of the processing, Nuvid will provide reasonable assistance for data subject requests, security obligations, DPIAs and regulator consultations where required by applicable data protection law and where the requested information is not otherwise available to the customer.

Nuvid will notify affected customers without undue delay after becoming aware of a personal data breach involving customer personal data, where required by law. The notice will include information reasonably available to help the customer meet its own notification obligations.

On termination or written request, Nuvid will delete or return customer personal data within a reasonable time unless retention is required by law, security, backup, dispute-resolution or legitimate operational needs. Backup deletion may follow normal backup lifecycle schedules.

Nuvid will make reasonable compliance information available to customers on request. Audits must be reasonable, limited to what is necessary to demonstrate compliance, protect other customers and systems, and avoid disruption to the Service.

Data protection questions: privacy@nuvid.ai. Security questions: security@nuvid.ai.