Data Processing Addendum (DPA)

This Data Processing Addendum applies when Nopi processes personal data on behalf of a customer in connection with the Service and forms part of the applicable customer agreement.

1. Scope and Roles

For customer content, the customer is the controller (or business) and Nopi is the processor (or service provider), except where Nopi acts as an independent controller for business purposes described in the Privacy Policy.

2. Processing Details

• Subject matter: provision of visual feedback and issue tracking services.
• Duration: for the term of the service agreement, plus limited post-termination retention where legally required.
• Nature and purpose: storage, organization, retrieval, and display of customer-submitted content and related metadata.
• Data categories: identifiers, account data, screenshots, URLs, comments, and operational metadata.
• Data subjects: customer users, customer end users, and review portal participants, as applicable to customer usage.

3. Processor Commitments

• Process personal data only on documented customer instructions unless required by law.
• Ensure persons authorized to process personal data are subject to confidentiality obligations.
• Implement appropriate technical and organizational security measures.
• Assist customers with data subject rights requests where legally required and technically feasible.
• Assist with security incident handling and required notifications.
• Delete or return customer personal data at end of service, subject to legal retention obligations.

4. Subprocessors

Nopi uses subprocessors to provide infrastructure and service functionality. Current subprocessors are listed at /subprocessors. Nopi remains responsible for subprocessor performance as required by applicable law.

5. International Transfers

Where personal data is transferred internationally, Nopi applies appropriate safeguards, including contractual transfer measures where required, and transfer-risk controls consistent with applicable data protection law.

6. Security and Incidents

Nopi maintains security controls proportionate to the risk profile of the Service and will notify customers of confirmed personal-data incidents without undue delay, consistent with legal and contractual obligations.

7. Audits and Information Requests

Customers may request reasonable information necessary to demonstrate compliance with this DPA, subject to confidentiality, security, and proportionality requirements.

8. How to Request Signature Version

For a signature-ready version of this DPA, contact hello@nopi.me.

9. Interpretation and Priority

Where this DPA conflicts with general terms related to data processing, this DPA governs to the extent of that conflict. Capitalized terms not defined here have the meaning given in applicable customer terms or applicable data protection law.