NIVAYA TECHNOLOGIES (PTY) LTD nitivai.com | nivaya.io | nivai.org
Privacy Policy
Nitivai AI Governance Certification Platform
Version: 1.1
Effective Date: April 2026
Issued by: Nivaya Technologies (Pty) Ltd, registered in South Africa
Introduction
This Privacy Policy explains how Nivaya Technologies (Pty) Ltd ('Nivaya Technologies', 'we', 'us', 'our'), the company behind the Nitivai platform (nitivai.com), collects, uses, stores, shares, and protects personal information when you use our services.
We are committed to protecting personal information in compliance with:
- The Protection of Personal Information Act 4 of 2013 (POPIA) - South Africa
- The General Data Protection Regulation (EU) 2016/679 (GDPR) - European Union
- The UK General Data Protection Regulation (UK GDPR) - United Kingdom
- All other applicable data protection laws in jurisdictions where our customers operate
This policy applies to: visitors to nitivai.com, nivai.org, and nivaya.io; organisations that register for and use the Nitivai platform; employees of those organisations who interact with the Nitivai Agent; and any individual whose personal information is processed as part of delivering the Nitivai service.
1. Who We Are
Nivaya Technologies (Pty) Ltd is a technology company incorporated in South Africa. We operate the Nitivai AI governance certification platform and the NIVAI - Institute for Verified AI Integrity certification body.
| Item | Detail |
|---|---|
| Registered Name | Nivaya Technologies (Pty) Ltd |
| Country of Registration | South Africa |
| Data Protection Contact | privacy@nitivai.com |
| Platform | nitivai.com (Nitivai) |
Information Officer: privacy@nitivai.com
2. Information We Collect
2.1 Information You Provide Directly
- Account registration information: name, email address, organisation name, job title
- Payment information: processed by our payment provider, not stored by us directly
- Policy documents and governance records you upload to the platform
- Risk register, system inventory, vendor register, and other structured governance data you enter
- Support communications and feedback
2.2 Information We Collect Automatically via Connectors
When you connect third-party tools to Nitivai (including but not limited to identity providers, source control, cloud infrastructure, AI APIs, and communication tools), we collect technical configuration data from those tools including:
- User account lists and access configurations (from identity providers such as JumpCloud, Okta, Entra ID)
- Repository metadata, branch protection configurations, dependency information (from source control such as GitHub, GitLab)
- Infrastructure configuration, encryption status, monitoring configuration (from cloud providers such as AWS, Railway, GCP)
- AI model inventory, API tier information, usage metadata (from AI providers such as Anthropic, OpenAI)
- Workspace membership and application data (from communication tools such as Slack, Microsoft Teams)
We collect only the minimum data required to evaluate governance controls. We do not collect message content, personal communications, or individual-level behavioural data from these connectors.
2.3 Information Collected by the Nitivai Agent
The Nitivai Agent is a lightweight software application installed on employee machines by organisations that use Nitivai. The Agent collects the following information:
- Network destination logging: which AI tool domains are accessed (e.g. api.anthropic.com, chat.openai.com), connection frequency, and session counts
- Process and application detection: which AI-related applications (browser extensions, desktop applications, CLI tools) are running
- Department-level attribution: which department the device belongs to (set by the organisation's IT administrator, not automatically detected)
IMPORTANT - What the Agent does NOT collect:
- The content of any AI prompts, responses, or conversations
- Personal browsing history unrelated to AI tools
- Keystrokes, screenshots, or screen recordings
- Files, documents, or email content
Department aggregation and individual identification: Agent data is attributed at department level. However, where a department contains fewer than three individuals, there is a risk that department-level data could be used to identify individual usage patterns. Organisations deploying the Agent in departments of fewer than three people should be aware of this limitation and take appropriate measures under applicable employment and data protection law.
Organisations deploying the Nitivai Agent are required under the NIVAI-AGF standard (control AIPRV-001) to disclose to their employees that AI tool usage is monitored at department level for governance purposes, that no individual identification is intended, and how to contact the organisation's data protection officer or equivalent. Nivaya Technologies provides a template employee disclosure notice for this purpose.
2.4 Information Collected from Website Visitors
We do not use analytics tools or tracking scripts on our websites. We do not collect IP addresses, browsing behaviour, or referral data from website visitors. We do not set tracking cookies. The only cookies used are essential session cookies required for the platform to function (see Section 11).
3. How We Use Your Information
| Purpose | Description |
|---|---|
| Delivering the Nitivai platform | Evaluating governance controls, producing assessment scores, generating reports, issuing Nivaya Certified badges |
| Running the Nitivai Agent | Detecting AI tool usage at department level, feeding evidence to the assessment engine |
| Processing connector data | Evaluating technical governance controls from connected tools |
| Account management | Creating and managing your account, authentication, billing |
| Support | Responding to support requests, resolving technical issues |
| Security | Detecting fraud, abuse, and security threats |
| Legal compliance | Meeting our obligations under POPIA, GDPR, and applicable law |
| Service improvement | Analysing aggregate, anonymised usage patterns to improve the platform (never individual-level data) |
4. Legal Basis for Processing
Under GDPR and POPIA, we must have a lawful basis for processing personal information.
| Legal Basis | When We Rely on It |
|---|---|
| Contract performance | Processing necessary to deliver the Nitivai service under our Terms of Service |
| Legitimate interests | Security monitoring, fraud prevention, service improvement using aggregate anonymised data |
| Legal obligation | Compliance with applicable laws and regulatory requirements |
| Consent | Marketing communications, cookies (where applicable) - you can withdraw consent at any time |
5. Agent Monitoring - Special Disclosure
Because the Nitivai Agent monitors workplace activity on employee machines, we treat this with particular care and transparency.
5.1 What is monitored
The Agent monitors which AI tool domains and applications are accessed from a device. This data is attributed to the department (not the individual employee) and feeds into the organisation's AI governance assessment.
5.2 Who sees the data
The organisation's Nitivai administrators (typically the CISO or compliance lead) see department-level aggregated data. Individual employee identification is not provided. Nivaya Technologies sees the data as part of delivering the service.
5.3 Small department limitation
Where a department contains fewer than three individuals, department-level data may effectively identify individual usage. Organisations should consider this when deploying the Agent and ensure compliance with applicable employment and privacy law.
5.4 Employee rights
Employees have the right to be informed that monitoring takes place (the organisation is required to disclose this). Employees may contact their organisation's data protection officer or equivalent regarding this monitoring. Employees may also contact Nivaya Technologies at privacy@nitivai.com with questions about what data is collected.
5.5 Legal basis for Agent monitoring
The legal basis for Agent monitoring in the workplace is the legitimate interests of the organisation in maintaining AI governance compliance. Organisations are responsible for ensuring they have the appropriate legal basis under applicable employment and data protection law in their jurisdiction before deploying the Agent.
6. Data Sharing and Sub-Processors
We share your data only with the sub-processors listed below, and only to the extent necessary to deliver the Nitivai service. We do not sell your data to third parties.
| Sub-Processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Anthropic PBC | Claude API for AI-powered document evaluation, under an enterprise agreement with no training on inputs | San Francisco, California, USA | Standard Contractual Clauses (Module 2) |
| Railway Corp | Cloud hosting and database infrastructure. | EU (Amsterdam, Netherlands) | Standard Contractual Clauses (Module 2) |
| SendGrid (Twilio Inc) | Transactional email delivery (account notifications, auto-replies). Processes email addresses and names. | United States | Standard Contractual Clauses (Module 2) |
Our database runs on Railway's infrastructure in the EU (Amsterdam, Netherlands). It is not publicly accessible and is reachable only over a private network.
We will notify you at least 30 days in advance of adding any new sub-processor. You have the right to object.
7. International Data Transfers
If you are located in the European Economic Area (EEA), UK, or South Africa, and your data is transferred to countries that do not have an adequacy decision from your relevant authority, we ensure appropriate safeguards are in place:
- EEA: Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), Module 2 (Controller to Processor)
- UK: UK International Data Transfer Agreement (IDTA) for transfers from the UK
- South Africa: Data processing obligations set out in the Data Processing Agreement between the parties, incorporating equivalent protections to the SCCs
- Anthropic PBC (United States): data is transferred under Standard Contractual Clauses (Module 2)
- Railway Corp: data is hosted in the EU (Amsterdam, Netherlands)
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 30 days after closure |
| Assessment results and scores | Duration of account + 30 days after closure |
| Agent telemetry events | 90 days rolling (oldest automatically deleted) |
| Uploaded documents | Duration of account + 30 days after closure |
| Connector credentials | Until connector is disconnected or account is closed |
| Risk and system registers | Duration of account + 30 days after closure |
| Audit access logs | 12 months |
| Support communications | 24 months |
| Billing records | 7 years (South African tax law requirement, applicable when billing is introduced) |
After retention periods expire, data is permanently and irreversibly deleted from our systems. Sub-processors are instructed to delete data within 30 days of our deletion.
9. Your Rights
Depending on your location, you have the following rights:
Rights under POPIA (South Africa)
- Right to be notified: you must be notified when we collect your personal information
- Right to access: you can request a record of the personal information we hold about you
- Right to correction: you can request that we correct inaccurate personal information
- Right to deletion: you can request deletion of personal information we are not legally required to retain
- Right to object: you can object to processing based on legitimate interests
- Right to complain: you can lodge a complaint with the Information Regulator of South Africa (inforegulator.org.za)
Additional rights under GDPR / UK GDPR
- Right to portability: you can receive your data in a structured, machine-readable format
- Right to restriction: you can request we restrict processing of your data in certain circumstances
- Right to withdraw consent: where processing is based on consent, you can withdraw at any time
- Right to lodge a complaint with your supervisory authority (e.g. the ICO in the UK, your national DPA in the EU)
To exercise any of these rights, contact us at privacy@nitivai.com. We will respond within 30 days. We may ask you to verify your identity before processing a request.
10. Security
We implement the following technical and organisational measures to protect your personal information:
- Encryption at rest for stored connector credentials
- Encryption in transit for all connections
- Encryption at rest for all data on Railway infrastructure
- Organisation-scoped data access - no organisation can access another organisation's data
- Token-based authentication with session expiry
- Rate limiting on authentication endpoints
- PII sanitisation before AI processing - personal identifiers are stripped from data sent to the Anthropic Claude API for document evaluation. AI tool names and technical identifiers are preserved as they are required for accurate evaluation.
- Staff access logging and audit trail
- Regular security reviews
Despite these measures, no system is completely immune to security risks. In the event of a breach affecting your personal information, we will notify you within 72 hours as required by GDPR and POPIA.
11. Cookies and Tracking
Nitivai uses only essential cookies required for the platform to function (session cookies, authentication tokens). We do not use advertising cookies or third-party tracking cookies.
Essential cookies are placed on the basis of contractual necessity (they are required for the platform to work). You can disable cookies in your browser settings, but this will prevent you from using the Nitivai platform.
12. Children
The Nitivai platform is intended for business use by adults aged 18 and over. We do not knowingly collect personal information from anyone under 18 years of age. If you believe we have inadvertently collected information from a minor, please contact us immediately at privacy@nitivai.com.
13. Changes to This Policy
This policy may be updated from time to time to reflect changes in our practices, the platform, or applicable law. During the beta period, we will notify you by email at least 7 days before making material changes. After the beta period, we will provide at least 30 days' notice for material changes. For non-material changes (such as clarifications or corrections), we will update the policy and change the effective date. The current version is always available at nitivai.com/privacy.
14. Contact Us
| Enquiry Type | Contact |
|---|---|
| Data & Privacy | privacy@nitivai.com |
| General | certify@nitivai.com |
This Privacy Policy was last updated: April 2026. Version 1.1.