NIVAYA TECHNOLOGIES (PTY) LTD nitivai.com | nivaya.io | nivai.org

Data Processing Agreement

Between Nivaya Technologies and Customer

Version: 1.1
Effective Date: April 2026
Issued by: Nivaya Technologies (Pty) Ltd, registered in South Africa


Parties

This Data Processing Agreement ('DPA') is entered into between:

Data Controller / Responsible Party: The Customer organisation named in the Nitivai account registration ('Customer', 'Controller', 'Responsible Party')
Data Processor / Operator: Nivaya Technologies (Pty) Ltd, South Africa ('Nivaya Technologies', 'Processor', 'Operator')

This DPA supplements and forms part of the Terms of Service between the parties. The Customer accepts this DPA by accepting the Terms of Service. In the event of a conflict between the DPA and the Terms of Service regarding data processing, the DPA governs.


1. Definitions

In this DPA:

  • 'Personal Data' means any information relating to an identified or identifiable natural person, as defined under GDPR Article 4(1) and POPIA Section 1
  • 'Processing' means any operation or set of operations performed on Personal Data, including collection, recording, storage, use, disclosure, erasure, or destruction
  • 'Data Subject' means the natural person to whom Personal Data relates
  • 'Sub-processor' means any third party engaged by Nivaya Technologies to process Personal Data on behalf of the Customer
  • 'GDPR' means EU Regulation 2016/679
  • 'POPIA' means the Protection of Personal Information Act 4 of 2013 (South Africa)
  • 'Standard Contractual Clauses' or 'SCCs' means the clauses adopted by the European Commission (Decision 2021/914) for international data transfers

2. Subject Matter and Nature of Processing

2.1 Instructions

Nivaya Technologies shall process Personal Data only on documented instructions from the Customer. The Customer's instructions for processing Personal Data are:

  • To collect governance evidence from connected tools and the Nitivai Agent
  • To evaluate governance evidence against the NIVAI-AGF standard
  • To store and present assessment results, findings, and remediation guidance
  • To process uploaded documents using the Anthropic Claude API for document evaluation (with PII sanitisation applied before transmission)
  • To operate the Nitivai Agent and process agent telemetry at department level

2.2 Personal Data Categories

The Personal Data processed under this DPA includes:

  • Identity data: names and email addresses of the Customer's personnel who use Nitivai
  • Account data: job titles, roles, and organisational structure data provided during account setup
  • Governance records: risk register entries, system inventory data, vendor information, training records that may include personal identifiers
  • Agent telemetry: device-level data attributed to department (not individual), including AI tool access patterns. Note: where a department contains fewer than three individuals, department-level data may effectively identify individual usage patterns. The Customer is responsible for assessing this risk before deploying the Agent.
  • Document content: uploaded policy documents that may contain references to named individuals

2.3 Data Subjects

The Data Subjects include: Customer's employees who use Nitivai or whose machines have the Nitivai Agent installed; Customer's administrators and compliance personnel; and any individual whose personal data appears in uploaded documents or register entries.

2.4 Duration

Processing will continue for the duration of the Terms of Service and, following termination, for 30 days to allow data export before deletion.


3. Obligations of Nivaya Technologies

3.1 Confidentiality

Nivaya Technologies shall ensure that all personnel authorised to process Personal Data are subject to binding confidentiality obligations and have received appropriate data protection training.

3.2 Technical and Organisational Measures

Nivaya Technologies shall implement and maintain the technical and organisational security measures set out in Schedule 2 of this DPA.

3.3 Sub-processors

The Customer hereby grants general authorisation for Nivaya Technologies to engage the sub-processors listed in Schedule 1 of this DPA. Nivaya Technologies shall:

  • Inform the Customer at least 30 days before engaging any new sub-processor
  • Impose data protection obligations on all sub-processors equivalent to those in this DPA
  • Remain liable to the Customer for the acts and omissions of sub-processors

The Customer may object to a new sub-processor by notifying Nivaya Technologies in writing within 14 days of receiving notice. If the objection cannot be resolved, the Customer may terminate the Terms of Service and request data deletion.

3.4 Data Subject Rights

Nivaya Technologies shall assist the Customer in fulfilling its obligations to respond to Data Subject rights requests, including access, correction, deletion, portability, restriction, and objection requests. Nivaya Technologies shall forward any Data Subject request received directly to the Customer within 5 business days.

3.5 Data Breach Notification

Nivaya Technologies shall notify the Customer without undue delay and in any case within 72 hours of becoming aware of a Personal Data breach. The notification shall include: the nature of the breach; the categories and approximate number of Data Subjects affected; the categories and approximate volume of Personal Data records affected; the likely consequences; and the measures taken or proposed to address the breach.

3.6 Data Protection Impact Assessments

Nivaya Technologies shall provide reasonable assistance to the Customer in carrying out Data Protection Impact Assessments and prior consultation with supervisory authorities where required.

3.7 Deletion or Return of Data

At the Customer's choice, Nivaya Technologies shall delete or return all Personal Data at the end of the Terms of Service, and delete all copies of Personal Data in its possession within 30 days, unless applicable law requires continued retention (such as billing records under South African tax law, retained for 7 years).

3.8 Audit Rights

Nivaya Technologies shall make available all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits conducted by the Customer or an auditor mandated by the Customer. The Customer shall give at least 30 calendar days' advance notice of any audit and shall bear the costs of any audit unless the audit reveals material non-compliance by Nivaya Technologies. Audits shall be conducted during normal business hours and shall not unreasonably interfere with Nivaya Technologies' operations.


4. International Data Transfers

Where Personal Data is transferred from the European Economic Area, United Kingdom, or South Africa to countries that do not provide an equivalent level of data protection, the transfer shall be made on the basis of:

  • EEA: Standard Contractual Clauses (European Commission Decision 2021/914), Module 2 (Controller to Processor), for transfers from the EEA
  • UK: UK International Data Transfer Agreement (IDTA) for transfers from the UK
  • South Africa: The data processing obligations in this DPA, providing sufficient protection as contemplated by POPIA Section 72, and incorporating protections equivalent to the Standard Contractual Clauses

The SCCs (Module 2 - Controller to Processor) are incorporated into this DPA by reference. In case of conflict between the SCCs and this DPA, the SCCs prevail with respect to transfers subject to them.

Customer data is hosted in the EU (Amsterdam, Netherlands). Document evaluation via the Anthropic Claude API involves transfer of sanitised document excerpts to Anthropic PBC in the United States under SCCs.

As a supplementary measure under the Schrems II framework, all personally identifiable information is stripped from document content before transmission to Anthropic's API. This materially reduces the risk of exposure to US surveillance laws, as the data transferred does not contain personal identifiers.


5. Obligations of the Customer

The Customer shall:

  • Ensure it has a lawful basis for processing Personal Data and for instructing Nivaya Technologies to process it
  • Ensure all required disclosures have been made to employees before deploying the Nitivai Agent
  • Consider the privacy implications of deploying the Agent in departments with fewer than three individuals
  • Comply with applicable data protection laws in all respects not covered by this DPA
  • Provide accurate and complete instructions for the processing of Personal Data
  • Promptly notify Nivaya Technologies of any change to instructions that may affect the processing

Schedule 1 - Approved Sub-Processors

Sub-Processor: Anthropic PBC
Role: Claude API for AI-powered document evaluation, under an enterprise agreement with no training on inputs
Location: San Francisco, California, USA
Transfer Mechanism: Standard Contractual Clauses (Module 2)

Sub-Processor: Railway Corp
Role: Cloud hosting and database infrastructure
Location: EU (Amsterdam, Netherlands)
Transfer Mechanism: Standard Contractual Clauses (Module 2)

Sub-Processor: SendGrid (Twilio Inc)
Role: Transactional email delivery (account notifications, auto-replies); processes email addresses and names
Location: United States
Transfer Mechanism: Standard Contractual Clauses (Module 2)

Our database runs on Railway's infrastructure in the EU (Amsterdam, Netherlands). It is not publicly accessible and is accessed only via private network.


Schedule 2 - Technical and Organisational Measures

Nivaya Technologies implements the following measures:

Access Control

  • All platform access requires authentication with session expiry
  • Customer data is strictly scoped by organisation ID - no cross-customer access
  • Nivaya Technologies personnel access to customer data is limited to authorised personnel only
  • All personnel access is logged in an audit log

Cryptography

  • Connector credentials: encrypted at rest
  • All data in transit: encrypted
  • Database encryption at rest: provided by hosting infrastructure

Data Minimisation in AI Processing

  • Personal identifiers are stripped from data before transmission to the Anthropic Claude API for document evaluation
  • AI tool names and technical identifiers required for evaluation are preserved

Availability and Resilience

  • Hosted on Railway infrastructure in the EU
  • Database backups maintained in accordance with hosting provider's infrastructure policies
  • Incident response plan maintained and reviewed regularly

Monitoring and Logging

  • All API access logged with timestamp, user, organisation, and action
  • Rate limiting applied to authentication endpoints
  • Security events monitored and alerted

Personnel

  • All personnel processing Personal Data are bound by confidentiality obligations
  • Data protection training completed by all personnel with data access

Acceptance

This DPA is entered into as of the date of the Customer's acceptance of the Nitivai Terms of Service, which incorporates this DPA by reference. By accepting the Terms of Service, the Customer accepts this DPA.

Processor:
Organisation Nivaya Technologies (Pty) Ltd
Signatory Founder, Nivaya Technologies (Pty) Ltd
Contact privacy@nitivai.com

Customer (Controller):

Organisation ___________________________
Signatory Name ___________________________
Title ___________________________
Date ___________________________

For most customers, this DPA is accepted by accepting the Terms of Service during registration. Enterprise customers requiring a countersigned DPA may request one at privacy@nitivai.com.

This DPA was last updated: April 2026. Version 1.1.