Nova · DPA (Summary)

This is a public summary of the Nova standard Data Processing Addendum. It is not legally binding. To execute a signed DPA (with Annex I — sub-processors and Annex II — technical & organisational measures), email legal@vxera.ai with your company name and counter-signatory.

1. Roles

You (the Customer) are the Controller. Vxera (the Processor) processes Personal Data on your documented instructions, namely: to provide and operate the Nova service.

2. Categories of data

Identification (name, email), professional (company, role), technical (IP, user agent), and Customer Content you submit to the service (prompts, files, generated code).

3. Data subjects

Customer's employees, contractors, end-users, and any individual whose personal data is included in Customer Content.

4. Security measures (Annex II)

See Security. We implement TLS 1.2+ in transit, AES-256 at rest, RLS-based tenant isolation, RBAC for admin operations, immutable audit logs, MFA + SSO support, and incident response within 72 hours.

5. Sub-processors (Annex I)

Vercel (hosting), Supabase (database/auth/storage), DeepSeek (LLM inference), Cloudflare (DDoS/DNS). 30-day notice for material changes.

6. Sub-processor change notification

We will notify you by email at the contact you provide for legal notices, at least 30 days before the change becomes effective. You may object in writing.

7. International transfers

Standard Contractual Clauses (Module 2: Controller-to-Processor) apply for transfers out of the EEA/UK. EU-US Data Privacy Framework is relied upon where applicable.

8. Data subject rights

We will assist you within 10 business days of a documented request to fulfil your obligations under Articles 15–22 GDPR.

9. Breach notification

Without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach, we will notify you with the information required under Article 33(3) GDPR.

10. Audit

You may, at your cost, audit our compliance once per 12-month period on 30 days' notice. Industry-standard certifications (e.g. SOC 2 reports, when available) shall satisfy this obligation.

11. Deletion / return

Within 30 days of termination, we will delete or return Customer Personal Data unless retention is required by law. Backups are purged within 90 days.

12. Liability and term

Liability and term mirror the underlying Master Services Agreement.