Data Processing Agreement

Document version: 1.0
Effective date: 12 April 2026
Operated by: MediaNuova (sole trader owned by Marco Nuova)
Registered address: Jan Tooropstraat 15, 7606JR Almelo, Netherlands
KVK number: 88224341
Contact: hello@nuovabot.com
Governing law: Dutch law (Netherlands)
Applicable regulation: EU General Data Protection Regulation (2016/679)

This Data Processing Agreement ("DPA") forms part of the Terms of Service between MediaNuova ("Nuovabot", "Processor") and the Customer ("Controller") who has accepted those Terms. It governs all processing of personal data carried out by Nuovabot on behalf of the Customer in connection with the Nuovabot platform and is entered into pursuant to Article 28(3) of Regulation (EU) 2016/679 (the "GDPR").

In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.

Article 1 - Definitions

For the purposes of this DPA, the following definitions apply in addition to those set out in the GDPR:

  • "Agreement" means the Nuovabot Terms of Service together with this DPA and all applicable Order Forms or subscription confirmations.
  • "Controller" means the Customer (the business entity) that has subscribed to the Nuovabot platform and determines the purposes and means of processing End User personal data.
  • "Processor" means MediaNuova, trading as "Nuovabot", which processes personal data on behalf of the Controller to provide the Service.
  • "Service" means the Nuovabot B2B SaaS platform enabling Customers to build, configure, and deploy AI-powered chatbots.
  • "End Users" means the natural persons who interact with chatbots deployed by the Controller via the Nuovabot platform.
  • "Personal Data" has the meaning given in Article 4(1) GDPR.
  • "Processing" has the meaning given in Article 4(2) GDPR.
  • "Sub-Processor" means any third-party processor engaged by the Processor to carry out processing activities on behalf of the Controller.
  • "Security Incident" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
  • "SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission under Decision 2021/914/EU.

Article 2 - Subject Matter, Nature, and Purpose of Processing

2.1 Subject Matter

This DPA governs the processing of personal data by Nuovabot (as Processor) on behalf of the Customer (as Controller) for the purpose of providing the Nuovabot chatbot platform, including all related features described in the Agreement.

2.2 Nature of Processing

The processing operations carried out by Nuovabot include: collection, storage, retrieval, structuring, transmission, and deletion of personal data strictly as required to operate the Service. Nuovabot does not analyse, mine, sell, or otherwise use Personal Data for purposes outside the scope of this DPA.

2.3 Purpose of Processing

Personal data is processed exclusively to:

  • enable End Users to interact with AI-powered chatbots deployed by the Controller;
  • store and retrieve conversation records in accordance with the Controller's chosen data retention plan;
  • generate AI responses by transmitting End User messages and relevant document excerpts to the Processor's AI sub-processor (Anthropic);
  • enable optional support-ticket creation, meeting booking, and live-handoff features where activated by the Controller;
  • provide usage analytics and billing data to the Controller; and
  • maintain the security, performance, and integrity of the Service.

Article 3 - Categories of Data Subjects and Personal Data

3.1 Categories of Data Subjects

The data subjects whose personal data is processed under this DPA are End Users - the natural persons who interact with chatbots deployed by the Controller on the Controller's own website, on a Nuovabot-hosted public chat page, or via the Controller's own API integration.

3.2 Categories of Personal Data

Nuovabot processes the following categories of personal data on behalf of the Controller:

  • Conversation content: The End User's chat messages and the AI-generated responses, stored per conversation linked to a server-generated session identifier.
  • Support ticket data: End User name and email address - collected only when an End User voluntarily submits a support ticket via the chatbot.
  • Technical metadata: IP addresses processed transiently for rate limiting only (short-lived cache, not stored in the database). No browser fingerprinting or persistent device identifiers are collected.
  • Audit log data: Inputs and outputs of tool actions (ticket creation, meeting booking, live handoff) logged for security and debugging purposes.
  • Performance data: Latency metrics (time to first token) and token counts per message, used for cost tracking and service improvement.

No special categories of personal data within the meaning of Article 9 GDPR are intentionally collected. The Controller is responsible for ensuring that End Users do not submit special-category data through the chatbot interface.

3.3 Duration of Processing

Nuovabot processes personal data for the duration of the Customer's active subscription. After termination or expiry of the subscription, personal data is retained for a 30-day grace period to allow data export, after which it is permanently deleted in accordance with Article 10 of this DPA.

Within the subscription, conversation and message records are deleted on a rolling basis according to the Customer's selected retention plan:

  • Free: 7 days
  • Starter: 30 days
  • Pro: 90 days
  • Business: 365 days
  • Enterprise: Indefinite (until account termination)

Document files and chatbot configuration data are retained for as long as the Customer's account remains active and are deleted upon account termination (subject to the 30-day grace period).

Article 4 - Obligations of the Processor

Nuovabot shall, in its capacity as Processor:

4.1 Processing on Instructions Only

Process Personal Data only on the documented instructions of the Controller, as set out in this DPA and the Agreement, unless required to do so by Union or Member State law to which Nuovabot is subject. In such a case, Nuovabot shall inform the Controller of that legal requirement before processing, unless that law prohibits such disclosure on grounds of public interest.

4.2 Confidentiality

Ensure that all personnel authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Security Measures

Implement and maintain appropriate technical and organisational measures in accordance with Article 8 of this DPA to ensure a level of security appropriate to the risk presented by the processing.

4.4 Sub-Processors

Not engage Sub-Processors without the prior written or electronic authorisation of the Controller, except as provided in Article 6 of this DPA. Where Sub-Processors are authorised, Nuovabot shall impose data protection obligations on them equivalent to those set out in this DPA.

4.5 Assistance with Data Subject Rights

Taking into account the nature of the processing, assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising data subjects' rights laid down in Chapter III of the GDPR (Articles 15-22). Requests received directly by Nuovabot from End Users will be forwarded to the Controller within five (5) business days.

4.6 Assistance with Controller's GDPR Obligations

Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32-36 of the GDPR (security of processing, notification of personal data breaches, data protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to Nuovabot.

4.7 Deletion or Return of Data

At the choice of the Controller, delete or return all Personal Data after the end of the provision of the Service, and delete existing copies of such data, unless Union or Member State law requires storage of the Personal Data. The Controller may request deletion or export of data at any time via the dashboard or by contacting hello@nuovabot.com.

4.8 Audit and Inspection Rights

Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR. Nuovabot shall permit and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, provided that:

  • the Controller provides at least thirty (30) days' prior written notice;
  • audits are conducted during normal business hours and in a manner that does not unreasonably disrupt Nuovabot's operations;
  • the parties agree in advance on a reasonable scope and methodology; and
  • any third-party auditor is bound by appropriate confidentiality obligations.

Nuovabot may satisfy this obligation by providing a current third-party audit report (e.g. SOC 2 Type II or equivalent) in lieu of a direct audit, where available.

4.9 Notification of Conflicting Instructions

Inform the Controller immediately if, in Nuovabot's opinion, an instruction from the Controller infringes the GDPR or other applicable Union or Member State data protection law.

Article 5 - Obligations of the Controller

The Controller represents and warrants that it:

  • has a valid legal basis under Article 6 GDPR (and, where applicable, Article 9 GDPR) for all Personal Data submitted to Nuovabot for processing;
  • has provided End Users with all required transparency information, including disclosure that their chat messages are processed by an AI service (Anthropic Claude) operated by a US-based third party;
  • will not instruct Nuovabot to process Personal Data in a manner that would cause Nuovabot to violate applicable data protection law;
  • is solely responsible for the content, accuracy, and lawfulness of all documents uploaded to the knowledge base;
  • is responsible for the configuration, deployment, and behaviour of each chatbot, including any custom instructions, blocked topics, and persona settings; and
  • will promptly notify Nuovabot of any changes in applicable data protection law that may affect the processing carried out under this DPA.

Article 6 - Sub-Processors

6.1 General Authorisation

The Controller hereby provides general written authorisation for Nuovabot to engage the Sub-Processors listed in Article 6.2. Nuovabot shall inform the Controller of any intended changes (addition or replacement of Sub-Processors) by email notification to the Controller's registered email address at least thirty (30) days in advance. The Controller may object in writing within fifteen (15) days of such notification. If no objection is raised within this period, the change is deemed accepted.

6.2 Approved Sub-Processors

Anthropic
  Country: USA
  Role: AI inference (Claude models)
  Personal Data received: End User chat messages; system prompts including document excerpts and chatbot configuration
  Transfer mechanism: SCCs (Module 3, Processor-to-Processor)

OpenAI
  Country: USA
  Role: Embedding generation
  Personal Data received: Document text chunks (at upload time only)
  Transfer mechanism: SCCs (Module 3, Processor-to-Processor)

Supabase
  Country: Ireland (EU)
  Role: Auth & PostgreSQL database
  Personal Data received: All persistent application data including conversation records
  Transfer mechanism: No transfer (EU-hosted)

Cloudflare R2
  Country: USA / EU
  Role: File storage
  Personal Data received: Uploaded document files
  Transfer mechanism: SCCs / EU storage region

Upstash
  Country: EU West
  Role: Redis cache & job queue
  Personal Data received: Rate-limit counters, session data, job metadata
  Transfer mechanism: No transfer (EU-hosted)

Fly.io
  Country: USA
  Role: API server hosting
  Personal Data received: All API request/response traffic
  Transfer mechanism: SCCs

Vercel
  Country: USA
  Role: Frontend hosting (Next.js)
  Personal Data received: Web page requests; no persistent data stored
  Transfer mechanism: SCCs

Stripe
  Country: USA
  Role: Payment processing
  Personal Data received: Customer billing data (name, card, invoices) - not End User data
  Transfer mechanism: SCCs

6.3 Processor-to-Sub-Processor Obligations

Nuovabot shall impose data protection obligations on each Sub-Processor by means of a binding contract that provides at least the same level of protection for Personal Data as this DPA requires of Nuovabot. Where a Sub-Processor fails to fulfil its data protection obligations, Nuovabot shall remain fully liable to the Controller for the performance of those obligations.

Article 7 - International Transfers

7.1 Transfer Mechanism

Where Nuovabot transfers Personal Data to Sub-Processors established in third countries (countries outside the European Economic Area), including to Anthropic, OpenAI, Cloudflare, Fly.io, Vercel, and Stripe in the United States, such transfers shall be governed by Standard Contractual Clauses as adopted by European Commission Decision 2021/914/EU, in particular:

  • Module 2 (Controller-to-Processor SCCs) where Nuovabot acts as Controller with respect to the Sub-Processor; and
  • Module 3 (Processor-to-Processor SCCs) where Nuovabot acts as Processor on behalf of the Controller when onward-transferring to a Sub-Processor.

7.2 Transfer Impact Assessments

Nuovabot has conducted or relies on Transfer Impact Assessments (TIAs) for transfers to US-based Sub-Processors. Key mitigating factors include encryption of data in transit (TLS 1.2 or higher) and at rest, contractual restrictions on government access, and technical measures such as pseudonymisation and minimal data sharing.

7.3 Controller Acknowledgment

By entering into this DPA, the Controller acknowledges that Personal Data (including End User chat messages) will be transferred to and processed by Anthropic in the United States for the purpose of generating AI responses. This transfer is a fundamental and disclosed aspect of the Service.

Article 8 - Technical and Organisational Security Measures

Nuovabot implements the following technical and organisational security measures, as required by Article 32 GDPR:

8.1 Encryption

  • All data in transit is encrypted using TLS 1.2 or higher.
  • All data at rest in the PostgreSQL database and Cloudflare R2 object storage is encrypted using AES-256 or equivalent.

8.2 Access Controls

  • Access to production systems is restricted to authorised personnel on a need-to-know basis.
  • Multi-factor authentication (MFA) is enforced for access to infrastructure and cloud provider consoles.
  • Principle of least privilege is applied to all service accounts and database roles.

8.3 API Key Security

  • Each chatbot API key is stored exclusively as a SHA-256 hash. The full plaintext key is displayed only once upon creation and is not recoverable thereafter.
  • No secret credentials are stored in application source code or version control.

8.4 Isolation

  • All Customer data is logically isolated by organisation. Row-level security policies in the database ensure one Customer cannot access another Customer's data.

8.5 Availability and Resilience

  • The Service infrastructure is hosted in EU West (Ireland) with automated database backups.
  • Background job queues and caching (Upstash Redis) are used to ensure service resilience under load.

8.6 Audit Logging

  • Tool invocations (ticket creation, meeting booking, live handoff) are logged with inputs, outputs, and success/failure status for security and debugging purposes.

8.7 Personnel

  • All personnel with access to Personal Data are bound by confidentiality obligations.
  • Access is revoked promptly upon change of role or termination of employment.

Article 9 - Personal Data Breach Notification

9.1 Notification to Controller

In the event of a Security Incident affecting Personal Data processed under this DPA, Nuovabot shall notify the Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware of the Security Incident, by email to the Controller's registered email address.

9.2 Content of Notification

The notification shall, to the extent then known, include:

  • a description of the nature of the Security Incident, including the categories and approximate number of data subjects affected and the categories and approximate number of personal data records concerned;
  • the name and contact details of Nuovabot's data protection contact (hello@nuovabot.com);
  • a description of the likely consequences of the Security Incident; and
  • a description of measures taken or proposed by Nuovabot to address the Security Incident, including where appropriate measures to mitigate its possible adverse effects.

9.3 Cooperation

Nuovabot shall cooperate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation, and remediation of each Security Incident. Nuovabot's notification obligations under this Article shall not be construed as an acknowledgement of fault or liability.

Article 10 - Deletion and Return of Personal Data

10.1 Deletion on Termination

Upon termination or expiry of the Agreement for any reason, Nuovabot shall, at the Controller's election:

  • delete all Personal Data processed on behalf of the Controller and provide written confirmation of such deletion; or
  • provide the Controller with an export of Personal Data in a machine-readable format within the 30-day grace period.

After the 30-day grace period, Nuovabot shall permanently delete all remaining Personal Data, including all copies, and confirm such deletion in writing to the Controller.

10.2 Retention as Required by Law

Nuovabot may retain Personal Data beyond the periods described above only to the extent and for the duration required by applicable Union or Member State law, in which case Nuovabot shall notify the Controller of such requirement prior to deletion.

10.3 Automated Rolling Deletion

During the term of the Agreement, conversation and message records are automatically deleted on a rolling basis in accordance with the Controller's selected subscription plan retention period (see Article 3.3). This automated deletion operates independently of the termination provisions above.

Article 11 - Liability

Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Nuovabot Terms of Service. To the extent permitted by applicable law:

  • Nuovabot's aggregate liability to the Controller under or in connection with this DPA shall not exceed the total fees paid by the Controller to Nuovabot in the twelve (12) months immediately preceding the event giving rise to the claim;
  • neither party shall be liable for indirect, consequential, special, or incidental damages arising out of or related to this DPA; and
  • nothing in this DPA limits either party's liability for death or personal injury caused by negligence, fraud, or any other liability that cannot be limited or excluded by law.

Nuovabot shall not be liable for processing activities carried out by the Controller in its capacity as Controller, including any failure by the Controller to obtain a valid legal basis for the processing of End User data.

Article 12 - Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of the Netherlands, without regard to its conflict of law provisions.

Any disputes arising out of or in connection with this DPA that cannot be resolved amicably between the parties shall be subject to the exclusive jurisdiction of the competent courts of the Netherlands.

Nothing in this Article affects any rights of data subjects to bring claims before their national supervisory authority or courts under applicable data protection law.

Article 13 - Amendments

Nuovabot may amend this DPA to reflect changes in applicable law, Sub-Processor arrangements, or the features of the Service. Nuovabot shall provide the Controller with at least thirty (30) days' advance written notice of any material changes, by email to the Controller's registered address.

Continued use of the Service after the effective date of an amendment constitutes acceptance of the updated DPA. If the Controller does not accept a material amendment, it may terminate the Agreement in accordance with the termination provisions in the Terms of Service before the amendment takes effect.

Article 14 - General

14.1 Entire Agreement

This DPA, together with the Terms of Service and any applicable Order Form or subscription confirmation, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements and understandings (written or oral) between the parties concerning the processing of personal data.

14.2 Severability

If any provision of this DPA is found to be unenforceable or invalid under applicable law, that provision shall be limited or eliminated to the minimum extent necessary so that this DPA shall otherwise remain in full force and effect.

14.3 Relationship of the Parties

The parties are independent controllers with respect to their own respective processing activities and are Processor and Controller (as applicable) only with respect to the processing activities described in this DPA. Nothing in this DPA creates any agency, partnership, joint venture, or employment relationship between the parties.

14.4 No Third-Party Beneficiaries

This DPA is entered into solely for the benefit of the parties and does not create any rights in favour of any third party, including End Users, except to the extent required by applicable law.

14.5 Precedence of SCCs

In the event of any inconsistency between this DPA and any applicable SCCs concluded between the parties or incorporated by reference herein, the SCCs shall prevail to the extent of such inconsistency.

Execution

By accepting the Nuovabot Terms of Service (including by electronic signature, click-through acceptance on the Nuovabot dashboard, or continued use of the Service), the Customer acknowledges that it has read, understood, and agrees to be bound by this Data Processing Agreement.

This DPA shall be deemed entered into on the date the Customer first accepts the Terms of Service.

For MediaNuova (Processor)
Name: Marco Nuova
Title: Owner, MediaNuova
Date: __________
Signature: __________

For the Customer (Controller)
Name: __________
Title: __________
Date: __________
Signature: __________