How NivaDesk processes customer personal data on behalf of workspace customers, including roles, subprocessors, security measures, transfers, deletion and compliance assistance.
Last updated: 13 May 2026
This Data Processing Agreement forms part of the Terms of Service between EGGCRAFT LIMITED, trading as NivaDesk, and the customer using NivaDesk.
This DPA supports UK GDPR and EU GDPR compliance for customer personal data processed through NivaDesk.
This Data Processing Agreement ("DPA") is entered into between:
Customer: the individual, company, organisation, workspace owner, or other legal entity using NivaDesk ("Customer", "you", or "your").
Processor: EGGCRAFT LIMITED, a company registered in England and Wales, operating NivaDesk ("NivaDesk", "we", "us", or "our").
EGGCRAFT LIMITED 141 Randolph Avenue London W9 1DN United Kingdom Email: contact@nivadesk.co.uk
This DPA forms part of and is incorporated into the NivaDesk Terms of Service or any other written agreement between the parties that governs the use of NivaDesk (the "Agreement").
If there is a conflict between this DPA and the Agreement regarding the processing of Customer Personal Data, this DPA will apply to that processing.
For the purposes of this DPA:
For Customer Personal Data, Customer is the Controller and NivaDesk is the Processor, unless the parties have agreed otherwise in writing.
Customer is responsible for ensuring that it has a lawful basis and all required permissions, notices, and rights to collect, use, upload, disclose, and process Customer Personal Data through NivaDesk.
NivaDesk will process Customer Personal Data only on Customer's documented instructions, including as set out in the Agreement, this DPA, Customer's use of the Services, and Customer's configuration of workspace settings and integrations.
NivaDesk processes Customer Personal Data to provide, maintain, secure, support, and improve the Services.
This may include:
Customer Personal Data may relate to the following categories of data subjects:
Depending on how Customer uses NivaDesk, Customer Personal Data may include:
Customer should not upload special category data, highly sensitive data, regulated data, or unnecessary personal data unless Customer has a lawful basis and has assessed whether NivaDesk is suitable for that data.
Customer instructs NivaDesk to process Customer Personal Data as necessary to provide the Services and as otherwise described in this DPA.
Customer may provide additional instructions through account settings, workspace configuration, integrations, support requests, or written communication. NivaDesk is not required to follow instructions that, in our reasonable opinion, violate Applicable Data Protection Laws or create a security, legal, or operational risk.
NivaDesk will ensure that people authorised to process Customer Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory.
Access to Customer Personal Data will be limited to personnel and service providers who need such access to provide, secure, maintain, or support the Services.
NivaDesk will implement appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
These measures may include, as appropriate:
NivaDesk's security measures may evolve over time, provided they do not materially reduce the overall level of protection for Customer Personal Data.
Customer authorises NivaDesk to engage Subprocessors to provide the Services. Subprocessors may include hosting providers, cloud storage providers, authentication services, payment processors, email delivery services, analytics, crash reporting, and support tools.
NivaDesk will maintain a list of Subprocessors, which may be published on the NivaDesk website or provided on request.
NivaDesk will require Subprocessors to protect Customer Personal Data under written terms that provide a level of protection substantially similar to this DPA, to the extent applicable to the services they provide.
NivaDesk remains responsible for the performance of its Subprocessors to the extent required by Applicable Data Protection Laws.
NivaDesk may add or replace Subprocessors from time to time. Where required by Applicable Data Protection Laws, NivaDesk will provide reasonable notice of material Subprocessor changes, for example by updating a Subprocessors page, sending notice, or providing in-app notice.
Customer may object to a new Subprocessor on reasonable data protection grounds. If the parties cannot resolve the objection, Customer may stop using the affected Services or terminate the applicable paid subscription in accordance with the Agreement.
Customer Personal Data may be processed in the United Kingdom, European Economic Area, United States, or other locations where NivaDesk or its Subprocessors operate.
Where Customer Personal Data is transferred outside the UK or EEA and legal safeguards are required, NivaDesk will use appropriate transfer mechanisms such as adequacy decisions, Standard Contractual Clauses, the UK International Data Transfer Agreement or Addendum, or other lawful mechanisms.
Taking into account the nature of the processing, NivaDesk will provide reasonable assistance to Customer in responding to data subject requests relating to Customer Personal Data, where Customer cannot reasonably fulfil the request through the Services.
Customer is responsible for verifying the identity of the requester and deciding whether and how to respond to the request.
If NivaDesk receives a request directly from a data subject relating to Customer Personal Data, NivaDesk may direct the requester to Customer unless legally required to respond otherwise.
NivaDesk will provide reasonable assistance to Customer, taking into account the nature of the processing and information available to NivaDesk, with Customer's obligations relating to security, breach notification, data protection impact assessments, and consultation with supervisory authorities where required by Applicable Data Protection Laws.
NivaDesk may charge reasonable fees for assistance that is outside the standard Services, unless such assistance is required because of NivaDesk's breach of this DPA.
NivaDesk will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data.
The notification will include information reasonably available to NivaDesk, such as the nature of the incident, categories of data affected, likely consequences, measures taken or proposed, and contact point for further information.
NivaDesk's notification of a breach is not an admission of fault or liability.
During the term of the Agreement, Customer may access, export, or delete certain Customer Personal Data through the Services where those features are available.
After termination or expiry of the Agreement, NivaDesk will delete or return Customer Personal Data in accordance with the Agreement, the Privacy Policy, product functionality, backup practices, legal obligations, and technical limitations.
Customer Personal Data may remain in backups for a limited period before deletion according to NivaDesk's backup retention processes. NivaDesk may retain data where required by law, dispute resolution, security, fraud prevention, accounting, or legitimate business obligations.
NivaDesk will make available information reasonably necessary to demonstrate compliance with this DPA, such as security summaries, policy documents, Subprocessor information, and responses to reasonable data protection questionnaires.
Where required by Applicable Data Protection Laws, Customer may request an audit. Audits must be reasonable in scope, frequency, timing, and method, and must not compromise the security, confidentiality, or availability of NivaDesk or other customers' data.
NivaDesk may satisfy audit requests by providing independent reports, certifications, written responses, or other appropriate evidence where available.
Customer is responsible for:
Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement, unless prohibited by Applicable Data Protection Laws.
Nothing in this DPA limits liability where it would be unlawful to do so.
This DPA remains in effect for as long as NivaDesk processes Customer Personal Data on behalf of Customer.
This DPA is governed by the same governing law and jurisdiction as the Agreement, unless Applicable Data Protection Laws require otherwise.
Provision of NivaDesk as a business management workspace for orders, clients, tasks, files, workflow, timelines, team access, and related services.
For the term of the Agreement and any period during which NivaDesk processes Customer Personal Data.
To provide, maintain, secure, support, and improve NivaDesk and related services selected or configured by Customer.
Hosting, storage, syncing, transmission, display, backup, retrieval, deletion, support, security monitoring, troubleshooting, and processing required for workspace features.
Customer's clients, customers, team members, employees, contractors, suppliers, collaborators, business contacts, and other individuals included in Customer's workspace content.
Contact details, order records, addresses, notes, tasks, workflow data, dates, uploaded files, file metadata, role data, user activity, support information, and technical data.
NivaDesk is not designed for special category data or highly sensitive regulated data unless Customer has assessed suitability and has a lawful basis.
For questions about this DPA, please contact:
EGGCRAFT LIMITED
141 Randolph Avenue
London
W9 1DN
United Kingdom
Email: contact@nivadesk.co.uk
