Data Processing Agreement

1. Scope

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between NSOLVIA Inc. (“Processor”) and the merchant (“Controller”) using NSOLVIA services. This DPA applies where NSOLVIA processes personal data on behalf of the merchant in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR).

2. Definitions

• Personal Data: any information relating to an identified or identifiable natural person
• Processing: any operation performed on personal data
• Controller: the merchant who determines the purposes and means of processing
• Processor: NSOLVIA Inc., which processes data on behalf of the Controller

3. Data Processed

NSOLVIA processes the following categories of data on behalf of the merchant:

• Merchant business information (name, email, domain)
• Publicly available product catalog data
• Shopper chat messages (processed in real-time, ephemeral)
• Anonymous session identifiers
• Aggregated interaction events

4. Obligations of the Processor

NSOLVIA shall:

• Process personal data only on documented instructions from the Controller
• Ensure that persons authorized to process personal data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Not engage sub-processors without prior written authorization from the Controller
• Assist the Controller in responding to data subject rights requests
• Delete or return all personal data upon termination of the service, at the Controller's choice
• Make available all information necessary to demonstrate compliance with data protection obligations

5. Sub-processors

NSOLVIA uses the following sub-processors:

• Supabase (database hosting) — United States
• Vercel (application hosting) — United States
• Stripe (payment processing) — United States
• Resend (email delivery) — United States

We will notify merchants before adding or replacing sub-processors. Merchants may object within 30 days.

6. Security Measures

NSOLVIA implements the following security measures:

• Encryption in transit (TLS) and at rest
• Token-based authentication for all API endpoints
• Separation of secrets per service integration
• No storage of payment card data (handled by Stripe)
• Automatic expiration of conversation data (10-minute TTL)

7. Data Breach Notification

In the event of a personal data breach, NSOLVIA will notify the merchant without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include the nature of the breach, the categories of data affected, and the measures taken to address the breach.

8. International Transfers

Data is processed in the United States. For merchants in the EU/EEA, NSOLVIA relies on Standard Contractual Clauses (SCCs) as the legal mechanism for international data transfers.

9. Duration and Termination

This DPA is effective for the duration of the merchant's subscription. Upon termination, NSOLVIA will delete all personal data within 30 days unless retention is required by law.

10. Contact

For DPA-related inquiries, contact us at team@nsolvia.com.