
Data Processing Agreement

Last Updated: June 6, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between HAMIDINCOM LLC, operating as Nevuto ("Nevuto," "Processor"), and any merchant who uses the Nevuto platform ("Controller" or "you"). It governs Nevuto's processing of personal data on your behalf in connection with the Services.

This DPA is intended to satisfy the requirements of Article 28 of the EU General Data Protection Regulation (GDPR) and equivalent provisions under the UK GDPR, Switzerland's Federal Act on Data Protection (FADP), and other applicable data protection laws that impose obligations on data processors.

By using the Services you confirm your agreement to this DPA as a Controller. If you are entering into this DPA on behalf of a company or other legal entity, you represent that you have authority to bind that entity.

1. Definitions

Terms not defined here have the meanings given in the Terms of Service or the GDPR.

  • "Personal Data" — any information relating to an identified or identifiable natural person that is processed by Nevuto on your behalf in connection with the Services.
  • "Processing" — any operation or set of operations performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion.
  • "Controller" — you, the merchant, who determines the purposes and means of processing Personal Data collected through your Nevuto-powered store.
  • "Processor" — Nevuto, which processes Personal Data on your behalf and according to your instructions.
  • "Sub-processor" — any third party engaged by Nevuto to process Personal Data in connection with the Services.
  • "Data Subject" — an identified or identifiable natural person whose Personal Data is processed; typically your end-customers.
  • "Supervisory Authority" — an independent public authority responsible for monitoring data protection law compliance.
  • "Standard Contractual Clauses (SCCs)" — the European Commission's approved clauses for international data transfers.

2. Subject Matter, Nature & Purpose of Processing

Nevuto processes Personal Data on your behalf solely to provide the Services described in the Terms of Service. The nature and purpose of processing includes:

  • Storing and displaying your store's customer order records, contact information, and transaction history.
  • Processing payments and managing order fulfillment workflows on your behalf.
  • Enabling email marketing and automated communications that you configure and send to your customers.
  • Providing analytics and reporting on your store's performance.
  • Operating the Nevuto platform infrastructure (hosting, backup, security monitoring).

3. Categories of Personal Data & Data Subjects

The categories of Personal Data processed and the corresponding Data Subjects are determined by you as the Controller. They typically include:

Data Subjects | Categories of Personal Data
Your end-customers (buyers) | Name, email address, shipping/billing address, phone number, order history, payment method metadata (not full card numbers), IP address, device information
Your store visitors | IP address, browser type, pages visited, session data
Your email subscribers | Email address, name, marketing preferences, engagement data

Nevuto does not process special categories of Personal Data (sensitive data as defined under Article 9 GDPR) unless you explicitly configure your store to collect such data, in which case you bear sole responsibility for the lawful basis and appropriate safeguards.

4. Duration of Processing

Nevuto processes Personal Data for the duration of the Terms of Service or until you instruct deletion, whichever is earlier, subject to the retention obligations set out in Section 11 below and applicable law.

5. Obligations of the Controller (You)

As the Controller, you are responsible for:

  1. Ensuring that you have a lawful basis for each processing activity and that the processing you instruct Nevuto to carry out is compliant with applicable data protection law.
  2. Providing Data Subjects with clear, transparent privacy information (your store privacy policy) explaining how their data is collected, used, and shared.
  3. Obtaining all necessary consents — including consent for marketing communications — before instructing Nevuto to send communications to your customers.
  4. Responding to Data Subject requests (access, erasure, portability, etc.) within legally required timeframes, using the tools available in the Nevuto dashboard or by contacting Nevuto support.
  5. Notifying Nevuto promptly if you receive a complaint, inquiry, or regulatory investigation relating to the processing of Personal Data through the Services.

6. Obligations of the Processor (Nevuto)

Nevuto agrees to the following obligations in its role as Processor:

  1. Process only on instructions. Nevuto will process Personal Data only on your documented instructions, including with regard to transfers to third countries, unless required to do so by applicable law. In such cases, Nevuto will inform you before processing unless prohibited by law.
  2. Confidentiality. Nevuto ensures that all personnel authorized to process Personal Data are bound by confidentiality obligations.
  3. Security. Nevuto implements appropriate technical and organizational measures to protect Personal Data against unauthorized access, loss, or destruction, as further described in Section 9.
  4. Sub-processors. Nevuto will only engage Sub-processors in accordance with Section 7 of this DPA.
  5. Data Subject rights. Nevuto will assist you in responding to Data Subject requests by providing reasonable tools within the platform dashboard. Where requests cannot be fulfilled through the dashboard, Nevuto will respond to your written requests within a reasonable timeframe.
  6. Assistance. Nevuto will provide reasonable assistance to enable you to comply with your obligations under applicable data protection law, including with respect to security, breach notification, Data Protection Impact Assessments (DPIAs), and prior consultation with Supervisory Authorities.
  7. No selling or sharing. Nevuto will not sell, rent, or share your customers' Personal Data with third parties for their own marketing or commercial purposes.

7. Sub-processors

7.1 Authorization

You grant Nevuto general authorization to engage Sub-processors. Nevuto will maintain an up-to-date list of Sub-processors below and will provide at least 30 days' notice of any material changes (additions or replacements) by updating this page and notifying you via email or in-product notification.

If you object to a new Sub-processor on legitimate data protection grounds, you must notify Nevuto within 14 days of the notice. Nevuto will use reasonable efforts to address your concern. If the parties cannot resolve the objection within 30 days, either party may terminate the Services on 30 days' written notice without penalty.

7.2 Current Sub-processors

Sub-processor | Location | Purpose
Amazon Web Services (AWS) | USA / EU regions | Cloud infrastructure, storage, compute
Vercel Inc. | USA | Website hosting and edge delivery
Crisp IM SARL | France | Customer support chat
Payment processor(s) | USA / EU | Payment processing and fraud prevention

Analytics and advertising Sub-processors (Google, Meta, TikTok, Mixpanel, Segment) operate under Nevuto's direct data controllership for nevuto.com traffic and are not Sub-processors for your store's End-Customer data unless you independently configure those integrations within your store.

7.3 Sub-processor Obligations

Nevuto will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, including requirements around security, confidentiality, and data deletion.

8. International Data Transfers

Nevuto is headquartered in the United States. Where Personal Data is transferred from the EEA, UK, or Switzerland to the United States or another country not deemed adequate by the European Commission, Nevuto relies on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Module 2: Controller-to-Processor, where applicable); and
  • The UK International Data Transfer Agreement (IDTA) for UK transfers.

By entering into this DPA you agree that the SCCs are incorporated by reference and form part of this agreement for any such transfers. Nevuto will provide a signed copy of the applicable SCCs on request.

9. Security Measures

Nevuto implements and maintains technical and organizational security measures appropriate to the risk, including:

  • Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
  • Access controls and role-based permissions limiting access to Personal Data to authorized personnel on a need-to-know basis.
  • Regular security assessments, vulnerability scanning, and penetration testing.
  • Incident response procedures, including detection, containment, and recovery protocols.
  • Physical security controls at data center facilities operated by our infrastructure Sub-processors.
  • Employee security awareness training and confidentiality obligations.

Nevuto will review and update these measures periodically in line with technological developments and evolving threats.

10. Personal Data Breach Notification

In the event of a Personal Data breach affecting your End-Customer data, Nevuto will:

  1. Notify you without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
  2. Provide you with sufficient information to enable you to meet your own breach notification obligations to Supervisory Authorities and affected Data Subjects.
  3. Cooperate with your reasonable requests to investigate and remediate the breach.

Breach notifications will be sent to the email address associated with your Account. It is your responsibility to keep your contact email up to date.

11. Deletion & Return of Personal Data

Upon termination of the Terms of Service, or upon your written request, Nevuto will — at your choice — delete or return all Personal Data processed on your behalf, except to the extent that applicable law requires continued retention. Deletion will occur within 30 days of the termination date or receipt of your request.

You may export your store data (customer records, order history) at any time via the export tools available in your Nevuto dashboard before account closure.

12. Audit Rights

Nevuto will make available to you, on reasonable written request (no more than once per calendar year absent a documented security incident), all information reasonably necessary to demonstrate compliance with this DPA. Nevuto may satisfy this obligation by providing:

  • Up-to-date security certifications or third-party audit reports (e.g., SOC 2, ISO 27001); or
  • Responses to a written information security questionnaire.

Any on-site audit must be conducted with at least 30 days' prior written notice, during Nevuto's regular business hours, at your sole cost and expense, and must not unreasonably disrupt Nevuto's operations.

13. Data Protection Impact Assessments

Where a processing activity you instruct is likely to result in a high risk to the rights and freedoms of Data Subjects, Nevuto will provide reasonable assistance to support your Data Protection Impact Assessment (DPIA) as required under Article 35 GDPR.

14. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability to Data Subjects or Supervisory Authorities as provided by applicable data protection law.

15. Term & Termination

This DPA is effective for the duration of the Terms of Service. It automatically terminates upon the expiry or termination of the Terms of Service. Sections 6, 8, 9, 11, and 14 survive termination.

16. Governing Law

This DPA is governed by the laws of the State of Delaware. To the extent that GDPR or UK GDPR provisions are applicable, those provisions take precedence over conflicting national law provisions to the extent required.

17. Contact & DPA Requests

For questions about this DPA, to request a signed copy, or to submit data subject assistance requests, contact:

HAMIDINCOM LLC (Nevuto)
Email: support@nevuto.com
Subject line: "DPA Request"