Data Processing Agreement
This Data Processing Agreement forms part of the Terms of Service between EGGCRAFT LIMITED, trading as NivaDesk, and the customer using NivaDesk.
This DPA supports UK GDPR and EU GDPR compliance for customer personal data processed through NivaDesk.
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
Customer: the individual, company, organisation, workspace owner, or other legal entity using NivaDesk ("Customer", "you", or "your").
Processor: EGGCRAFT LIMITED, a company registered in England and Wales, operating NivaDesk ("NivaDesk", "we", "us", or "our").
EGGCRAFT LIMITED
141 Randolph Avenue
London
W9 1DN
United Kingdom
Email: contact@nivadesk.co.uk
2. Relationship with other terms
This DPA forms part of and is incorporated into the NivaDesk Terms of Service or any other written agreement between the parties that governs the use of NivaDesk (the "Agreement").
If there is a conflict between this DPA and the Agreement regarding the processing of Customer Personal Data, this DPA will apply to that processing.
3. Definitions
For the purposes of this DPA:
- Applicable Data Protection Laws: UK GDPR, EU GDPR, the UK Data Protection Act 2018, the Privacy and Electronic Communications Regulations, and any other data protection laws that apply to the processing of Customer Personal Data.
- Customer Personal Data: personal data submitted to, stored in, or processed through NivaDesk by or on behalf of Customer, including personal data relating to Customer's clients, customers, team members, suppliers, contractors, or other third parties.
- Controller: the party that determines the purposes and means of processing personal data.
- Processor: the party that processes personal data on behalf of the Controller.
- Subprocessor: a third party engaged by NivaDesk to process Customer Personal Data on behalf of Customer.
- Services: the NivaDesk website, web app, mobile apps, desktop apps, software, storage, sync, support, and related services.
4. Roles of the parties
For Customer Personal Data, Customer is the Controller and NivaDesk is the Processor, unless the parties have agreed otherwise in writing.
Customer is responsible for ensuring that it has a lawful basis and all required permissions, notices, and rights to collect, use, upload, disclose, and process Customer Personal Data through NivaDesk.
NivaDesk will process Customer Personal Data only on Customer's documented instructions, including as set out in the Agreement, this DPA, Customer's use of the Services, and Customer's configuration of workspace settings and integrations.
5. Scope and purpose of processing
NivaDesk processes Customer Personal Data to provide, maintain, secure, support, and improve the Services.
This may include:
- creating and managing workspaces, accounts, roles, and permissions;
- storing and syncing orders, client records, tasks, notes, files, timelines, and workflow information;
- providing file upload, download, preview, metadata, and offline queue features;
- providing support, troubleshooting, security monitoring, abuse prevention, backups, and audit logs;
- processing plan limits, billing status, and subscription access;
- enabling optional integrations or connected features chosen by Customer.
6. Categories of data subjects
Customer Personal Data may relate to the following categories of data subjects:
- Customer's clients or customers;
- Customer's team members, employees, contractors, or workspace users;
- suppliers, couriers, collaborators, or business contacts;
- individuals referenced in orders, notes, tasks, files, addresses, communications, or workflow records.
7. Categories of personal data
Depending on how Customer uses NivaDesk, Customer Personal Data may include:
- names, email addresses, phone numbers, postal addresses, and contact details;
- order details, customer notes, delivery dates, workflow status, tasks, reminders, and history logs;
- uploaded files, images, PDFs, documents, design files, attachments, and related metadata;
- workspace roles, activity records, audit events, user IDs, and access permissions;
- technical information needed for sync, support, security, and troubleshooting.
Customer should not upload special category data, highly sensitive data, regulated data, or unnecessary personal data unless Customer has a lawful basis and has assessed whether NivaDesk is suitable for that data.
8. Customer instructions
Customer instructs NivaDesk to process Customer Personal Data as necessary to provide the Services and as otherwise described in this DPA.
Customer may provide additional instructions through account settings, workspace configuration, integrations, support requests, or written communication. NivaDesk is not required to follow instructions that, in our reasonable opinion, violate Applicable Data Protection Laws or create a security, legal, or operational risk.
9. Confidentiality
NivaDesk will ensure that people authorised to process Customer Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory.
Access to Customer Personal Data will be limited to personnel and service providers who need such access to provide, secure, maintain, or support the Services.
10. Security measures
NivaDesk will implement appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
These measures may include, as appropriate:
- secure authentication and account access controls;
- workspace isolation and role-based permissions;
- restricted administrative access;
- encrypted connections where appropriate;
- cloud infrastructure security controls;
- file metadata and audit logging;
- monitoring, backups, and operational safeguards;
- procedures for handling security incidents and support access.
NivaDesk's security measures may evolve over time, provided they do not materially reduce the overall level of protection for Customer Personal Data.
11. Subprocessors
Customer authorises NivaDesk to engage Subprocessors to provide the Services. Subprocessors may include hosting providers, cloud storage providers, authentication services, payment processors, email delivery services, analytics, crash reporting, and support tools.
NivaDesk will maintain a list of Subprocessors, which may be published on the NivaDesk website or provided on request.
NivaDesk will require Subprocessors to protect Customer Personal Data under written terms that provide a level of protection substantially similar to this DPA, to the extent applicable to the services they provide.
NivaDesk remains responsible for the performance of its Subprocessors to the extent required by Applicable Data Protection Laws.
12. Changes to Subprocessors
NivaDesk may add or replace Subprocessors from time to time. Where required by Applicable Data Protection Laws, NivaDesk will provide reasonable notice of material Subprocessor changes, for example by updating a Subprocessors page, sending notice, or providing in-app notice.
Customer may object to a new Subprocessor on reasonable data protection grounds. If the parties cannot resolve the objection, Customer may stop using the affected Services or terminate the applicable paid subscription in accordance with the Agreement.
13. International transfers
Customer Personal Data may be processed in the United Kingdom, European Economic Area, United States, or other locations where NivaDesk or its Subprocessors operate.
Where Customer Personal Data is transferred outside the UK or EEA and legal safeguards are required, NivaDesk will use appropriate transfer mechanisms such as adequacy decisions, Standard Contractual Clauses, the UK International Data Transfer Agreement or Addendum, or other lawful mechanisms.
14. Assistance with data subject rights
Taking into account the nature of the processing, NivaDesk will provide reasonable assistance to Customer in responding to data subject requests relating to Customer Personal Data, where Customer cannot reasonably fulfil the request through the Services.
Customer is responsible for verifying the identity of the requester and deciding whether and how to respond to the request.
If NivaDesk receives a request directly from a data subject relating to Customer Personal Data, NivaDesk may direct the requester to Customer unless legally required to respond otherwise.
15. Assistance with compliance
NivaDesk will provide reasonable assistance to Customer, taking into account the nature of the processing and information available to NivaDesk, with Customer's obligations relating to security, breach notification, data protection impact assessments, and consultation with supervisory authorities where required by Applicable Data Protection Laws.
NivaDesk may charge reasonable fees for assistance that is outside the standard Services, unless such assistance is required because of NivaDesk's breach of this DPA.
16. Personal data breach
NivaDesk will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data.
The notification will include information reasonably available to NivaDesk, such as the nature of the incident, categories of data affected, likely consequences, measures taken or proposed, and a contact point for further information.
NivaDesk's notification of a breach is not an admission of fault or liability.
17. Deletion and return of data
During the term of the Agreement, Customer may access, export, or delete certain Customer Personal Data through the Services where those features are available.
After termination or expiry of the Agreement, NivaDesk will delete or return Customer Personal Data in accordance with the Agreement, the Privacy Policy, product functionality, backup practices, legal obligations, and technical limitations.
Customer Personal Data may remain in backups for a limited period before deletion according to NivaDesk's backup retention processes. NivaDesk may retain data where required by law, dispute resolution, security, fraud prevention, accounting, or legitimate business obligations.
18. Audits and information
NivaDesk will make available information reasonably necessary to demonstrate compliance with this DPA, such as security summaries, policy documents, Subprocessor information, and responses to reasonable data protection questionnaires.
Where required by Applicable Data Protection Laws, Customer may request an audit. Audits must be reasonable in scope, frequency, timing, and method, and must not compromise the security, confidentiality, or availability of NivaDesk or other customers' data.
NivaDesk may satisfy audit requests by providing independent reports, certifications, written responses, or other appropriate evidence where available.
19. Customer responsibilities
Customer is responsible for:
- using NivaDesk in compliance with Applicable Data Protection Laws;
- providing required notices to data subjects;
- obtaining required consents or other lawful bases;
- configuring workspace permissions appropriately;
- ensuring team members use the Services lawfully and securely;
- not uploading unnecessary or unsuitable sensitive data;
- responding to data subject requests and regulatory communications relating to Customer Personal Data;
- maintaining appropriate backups of important business records where needed.
20. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement, unless prohibited by Applicable Data Protection Laws.
Nothing in this DPA limits liability where it would be unlawful to do so.
21. Term
This DPA remains in effect for as long as NivaDesk processes Customer Personal Data on behalf of Customer.
22. Governing law
This DPA is governed by the same governing law and jurisdiction as the Agreement, unless Applicable Data Protection Laws require otherwise.
Schedule 1 - Processing Details
Subject matter
Provision of NivaDesk as a business management workspace for orders, clients, tasks, files, workflow, timelines, team access, and related services.
Duration
For the term of the Agreement and any period during which NivaDesk processes Customer Personal Data.
Purpose
To provide, maintain, secure, support, and improve NivaDesk and related services selected or configured by Customer.
Nature of processing
Hosting, storage, syncing, transmission, display, backup, retrieval, deletion, support, security monitoring, troubleshooting, and processing required for workspace features.
Categories of data subjects
Customer's clients, customers, team members, employees, contractors, suppliers, collaborators, business contacts, and other individuals included in Customer's workspace content.
Categories of data
Contact details, order records, addresses, notes, tasks, workflow data, dates, uploaded files, file metadata, role data, user activity, support information, and technical data.
Special categories
NivaDesk is not designed for special category data or highly sensitive regulated data unless Customer has assessed suitability and has a lawful basis.
Schedule 2 - Indicative Technical and Organisational Measures
- account authentication and access controls;
- workspace-level data separation and permissions;
- role-based access including owner, member, view-only, and workflow-only concepts where available;
- secure cloud infrastructure provided by trusted subprocessors;
- file upload limits, metadata, and access rules;
- audit logs or history logs for relevant workspace actions where available;
- encrypted transport where appropriate;
- administrative access limited to authorised personnel;
- incident response and support procedures;
- backup and recovery procedures appropriate to the Services.
Contact
For questions about this DPA, please contact:
EGGCRAFT LIMITED
141 Randolph Avenue
London
W9 1DN
United Kingdom
Email: contact@nivadesk.co.uk