Data Processing Agreement
Last updated: November 24, 2025
Note: This Data Processing Agreement ("DPA") supplements the Terms of Service and Privacy Policy between you ("Customer", "Controller") and Gannet Solutions ("Processor", "we", "us").
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data.
- "Data Subject" means the individual to whom Personal Data relates.
- "Sub-processor" means any third party engaged by us to process Personal Data.
- "Controller" means the entity that determines the purposes and means of Processing.
- "Processor" means the entity that Processes Personal Data on behalf of the Controller.
2. Scope and Roles
2.1 Controller and Processor
You are the Controller of Personal Data processed through the Service. We act as a Processor, processing Personal Data only on your behalf and in accordance with your documented instructions.
2.2 Subject Matter
We process Personal Data to provide the NirmIQ service, including:
- User account management
- Storage and retrieval of project data
- Collaboration features
- Analytics and reporting
- Technical support
2.3 Categories of Data Subjects
- Your employees and contractors with user accounts
- Third parties whose data you input into the Service
2.4 Types of Personal Data
- Account data: name, email, job title
- Usage data: login times, features used
- Content data: any Personal Data included in your requirements or documents
3. Processor Obligations
We commit to:
- Process Personal Data only on your documented instructions
- Ensure personnel are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Engage Sub-processors only with prior authorization and binding agreements
- Assist you with data subject rights requests
- Assist with data protection impact assessments when required
- Delete or return Personal Data upon termination
- Make available information necessary for compliance audits
4. Security Measures
We implement the following security measures to protect Personal Data:
4.1 Technical Measures
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Access controls and authentication
- Network security and firewalls
- Regular security testing and vulnerability assessments
- Intrusion detection systems
4.2 Organizational Measures
- Security policies and procedures
- Employee training and awareness
- Background checks for personnel
- Incident response procedures
- Business continuity planning
5. Sub-processors
We use the following categories of Sub-processors:
| Category | Purpose | Location |
|---|---|---|
| Cloud Infrastructure | Hosting, storage, compute | US/EU |
| Database Provider | Data storage (Supabase) | US/EU |
| Payment Processor | Billing (Stripe) | US |
| Analytics | Usage analytics | US |
| Email Provider | Transactional emails | US |
You can request the current list of Sub-processors at privacy@nirmiq.com. We will notify you of any new Sub-processors at least 30 days before they begin processing.
6. International Transfers
Personal Data may be transferred to and processed in countries outside your jurisdiction. For transfers outside the EEA, we rely on:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions where available
- Other lawful transfer mechanisms as appropriate
7. Data Subject Rights
We will assist you in responding to Data Subject requests, including:
- Access to Personal Data
- Rectification of inaccurate data
- Erasure ("right to be forgotten")
- Restriction of processing
- Data portability
- Objection to processing
If we receive a request directly from a Data Subject, we will redirect them to you unless legally required to respond directly.
8. Data Breach Notification
In the event of a Personal Data breach, we will:
- Notify you without undue delay (within 72 hours where feasible)
- Provide details about the nature and scope of the breach
- Describe measures taken to address and mitigate the breach
- Cooperate with your incident response
9. Audits
Upon reasonable request and subject to confidentiality obligations, we will:
- Provide documentation of our security practices
- Make available SOC 2 reports or equivalent certifications
- Allow audits by you or an independent third party (with reasonable notice)
10. Data Retention and Deletion
Upon termination of the Service:
- You may export your data within 30 days
- We will delete your Personal Data within 90 days of termination
- Some data may be retained longer if required by law
11. Liability
Each party is liable for damages caused by its breach of this DPA or applicable data protection law, subject to the liability limitations in the Terms of Service.
12. Contact
For questions about this DPA or to exercise rights under it:
Gannet Solutions - Data Protection
Email: privacy@nirmiq.com
Website: www.nirmiq.com