Data Processing Agreement
Last updated: March 17, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Nurivion ("Processor") and you ("Controller") and governs the processing of personal data by Nurivion on your behalf.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed through the Service.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
- "Controller" means you, the business that determines the purposes and means of processing Personal Data through Nurivion.
- "Processor" means Nurivion, which processes Personal Data on behalf of the Controller.
- "Sub-processor" means a third-party service provider engaged by Nurivion to assist in processing Personal Data.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Applicable Data Protection Law" means GDPR, CCPA, and any other applicable data protection legislation.
2. Scope and Purpose of Processing
Nurivion processes Personal Data solely to provide the services described in our Terms of Service, including:
- AI-powered chat and voice interactions with your customers (end users).
- Lead capture: names, email addresses, phone numbers, and inquiry details provided by end users.
- Appointment scheduling: calendar availability, booking confirmations, and reminders.
- Conversation transcripts and metadata for analytics and reporting.
- Voice call recordings and transcripts for quality and service delivery.
- Business reputation data: publicly available reviews and ratings.
Categories of Data Subjects include your customers, website visitors, and callers who interact with your AI assistant.
3. Obligations of Nurivion as Processor
Nurivion shall:
- Process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data to a third country.
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
- Not engage another processor (sub-processor) without prior specific or general written authorization of the Controller.
- Assist the Controller in ensuring compliance with data protection obligations (security, breach notification, DPIAs, prior consultation).
- At the choice of the Controller, delete or return all Personal Data after the end of the provision of services.
- Make available to the Controller all information necessary to demonstrate compliance with obligations.
4. Sub-processors
Nurivion uses the following sub-processors to deliver its services. The Controller authorizes the use of these sub-processors:
- OpenAI (San Francisco, CA, USA) — AI language model processing for chat and voice responses. Data processed: conversation content, prompts.
- Twilio (San Francisco, CA, USA) — Voice call handling and SMS delivery. Data processed: phone numbers, call recordings, SMS content.
- SendGrid (Twilio) (Denver, CO, USA) — Transactional email delivery. Data processed: email addresses, email content.
- Stripe (San Francisco, CA, USA) — Payment processing. Data processed: billing information, payment methods.
- Supabase (Singapore / USA) — Database hosting and authentication. Data processed: all application data, authentication tokens.
Nurivion will notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object. If a new sub-processor is added, Nurivion will update this page and notify affected customers via email.
5. Data Security Measures
Nurivion implements the following technical and organizational security measures:
- Encryption in transit: All data is transmitted over TLS 1.2+ (HTTPS).
- Encryption at rest: Database storage is encrypted. Sensitive credentials (OAuth tokens) are encrypted with AES-256 (Fernet symmetric encryption).
- Authentication: Asymmetric JWTs (ES256 algorithm) verified against a JWKS public-key endpoint. No shared secrets are used.
- Access control: Role-based access control (admin, owner, user). API endpoints enforce authentication and authorization.
- Webhook integrity: Stripe webhook payloads are verified with HMAC-SHA256 signatures.
- Rate limiting: API rate limiting and circuit breakers protect against abuse and denial of service.
- Data isolation: Each business's data is logically isolated by company ID. No cross-tenant data access.
- Infrastructure: Hosted on Railway (backend) and Vercel (frontend) on SOC 2-compliant infrastructure.
6. Data Subject Rights Assistance
Nurivion will assist the Controller in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including:
- Right of access: Nurivion can export all Personal Data associated with a Data Subject upon request.
- Right to erasure: Nurivion can delete all Personal Data associated with a Data Subject, including conversation history, lead records, and appointment data.
- Right to data portability: Data can be exported in machine-readable JSON format.
- Right to rectification: The Controller can update Personal Data through the platform interface or by contacting support.
To submit a Data Subject request, contact privacy@nurivion.com. Nurivion will respond within 30 days.
7. Data Retention and Deletion
Nurivion applies the following default retention periods:
- Conversation transcripts: 90 days, then automatically deleted.
- Voice recordings: 30 days, then automatically deleted.
- Lead data: Lost/inactive leads are cleaned up after 180 days.
- Account data: Retained while the account is active. Upon termination, all data is permanently deleted within 30 days.
The Controller may configure custom retention periods through account settings. Upon termination of the service agreement, Nurivion will delete all Personal Data within 30 days unless retention is required by law.
8. Data Breach Notification
In the event of a Personal Data breach, Nurivion will:
- Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach, in compliance with GDPR Article 33.
- Provide the Controller with sufficient information to meet its obligations to report the breach to the relevant supervisory authority and affected Data Subjects.
- Include in the notification: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
- Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
9. International Data Transfers
Personal Data may be transferred to and processed in the United States, where Nurivion's infrastructure and sub-processors are located.
For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, Nurivion relies on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission.
- Sub-processor DPAs that incorporate appropriate transfer mechanisms.
- Where applicable, the EU-U.S. Data Privacy Framework certifications of sub-processors.
10. Audit Rights
The Controller has the right to audit Nurivion's compliance with this DPA. Nurivion will:
- Make available all information necessary to demonstrate compliance with data processing obligations.
- Allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
- Conduct on-site audits on reasonable notice (at least 30 days), during normal business hours, and no more than once per year unless required by a supervisory authority.
11. GDPR and CCPA Provisions
GDPR (EU/EEA)
To the extent that Nurivion processes Personal Data subject to the GDPR on behalf of the Controller:
- Nurivion acts as a "Processor" within the meaning of Article 4(8) GDPR.
- Processing is carried out in accordance with Article 28 GDPR.
- Nurivion will assist the Controller with Data Protection Impact Assessments (DPIAs) where required.
- Nurivion will cooperate with supervisory authorities in the performance of their tasks.
CCPA (California)
To the extent that Nurivion processes Personal Information subject to the California Consumer Privacy Act (CCPA):
- Nurivion acts as a "Service Provider" as defined in the CCPA.
- Nurivion will not sell Personal Information received from the Controller.
- Nurivion will not retain, use, or disclose Personal Information for any purpose other than performing the services specified in the Terms of Service.
- Nurivion will assist the Controller in responding to consumer rights requests under CCPA Sections 1798.100-1798.125.
12. Term and Termination
This DPA is effective for the duration of the service agreement between the Controller and Nurivion. Upon termination of the service agreement:
- Nurivion will cease processing Personal Data on behalf of the Controller.
- At the Controller's choice, Nurivion will either return or delete all Personal Data within 30 days.
- The Controller may request a data export in machine-readable format before deletion.
- Obligations under this DPA that by their nature should survive termination (confidentiality, liability) will survive.
Contact
For questions about this Data Processing Agreement or to exercise any rights described herein:
- Privacy: privacy@nurivion.com
- Support: support@nurivion.com