Data Processing Agreement
Last updated: 27 May 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between novaverb ("Processor", "we") and you ("Controller", "Customer"). It governs how novaverb processes personal data on your behalf when you use the Service. It complies with:
- Regulation (EU) 2016/679 — General Data Protection Regulation ("GDPR")
- UK Data Protection Act 2018 + UK GDPR
- California Consumer Privacy Act ("CCPA") + California Privacy Rights Act ("CPRA")
- Singapore Personal Data Protection Act ("PDPA")
- Vietnam Decree 13/2023 on Personal Data Protection
1. Roles & responsibilities
- Customer = Controller — you determine the purposes and means of processing personal data uploaded to or generated by the Service (your end-users, your site visitors, your AI-generated content subjects)
- novaverb = Processor — we process that personal data on your instructions, for the limited purposes set out in the Service
For data novaverb collects directly (your account info as the Customer), novaverb is the Controller. That processing is governed by our Privacy Policy.
2. Categories of data processed
The personal data novaverb processes as Processor on your behalf may include:
- End-user identifiers — names, emails, IPs of visitors to your verified domain
- Content metadata — URLs, page content, search-engine query data from your GSC connection
- Analytics data — session counts, page views, click events from your GA4 connection
- Content artifacts — AI-generated briefs, drafts, and citation analyses
Data subjects: your end-users + the visitors / readers of your domain.
3. Subprocessors
novaverb engages the following subprocessors to deliver the Service. Each is bound by a written agreement with terms no less protective than this DPA:
| Subprocessor | Purpose | Region |
|---|---|---|
| Hostinger International Ltd. | Hosting infrastructure | EU / SG / US (per Customer plan) |
| OpenAI L.L.C. | AI text generation (when AI features used) | US |
| Anthropic PBC | AI text generation (when AI features used) | US |
| Google LLC | Gemini AI + Search Console + Analytics integration (when connected) | US / EU |
| Stripe, Inc. | Payment processing (paid plans only) | US |
| Resend / Amazon SES (configurable) | Transactional email delivery | US / EU |
We will give Customer 30 days' notice of any new subprocessor via email + a banner on the admin dashboard. Customer may object on reasonable grounds; we will work to substitute the subprocessor or, failing that, allow Customer to terminate the affected service without penalty.
4. Security measures
novaverb implements the following technical + organizational measures (TOMs):
- TLS 1.2+ encryption in transit (HTTPS for all endpoints)
- AES-256-CBC encryption at rest for OAuth tokens, payment tokens, encrypted-column data
- bcrypt/Argon2 password hashing (no plaintext storage)
- Two-factor authentication (TOTP) optional for users, required for admin accounts
- Step-up authentication for sensitive admin actions
- Hash-chained audit log — tamper-evident record of admin actions
- File-integrity monitoring + daily SHA hash of application code
- Daily automated backups, encrypted with per-installation keys
- Rate limiting + IP banning for known abuse patterns
- Annual penetration test (results available under NDA on request)
5. International transfers
Where personal data is transferred outside of the EEA, UK, or Vietnam, the transfer is protected by:
- EU Standard Contractual Clauses (SCCs) 2021/914 — incorporated by reference here
- UK International Data Transfer Addendum (IDTA) where applicable
- Equivalent safeguards under Vietnamese Decree 13/2023
Customer authorizes novaverb to make such transfers as necessary to provide the Service.
6. Data subject requests
If a data subject contacts you with a request (access, rectification, erasure, portability, restriction, objection):
- You are responsible for responding within statutory deadlines (typically 30 days under GDPR)
- novaverb will assist by providing tools — data export via the Account → Export feature, deletion via Account → Delete account, and tailored ad-hoc support on request
7. Breach notification
novaverb will notify Customer of a Personal Data Breach affecting Customer Data without undue delay and in any event within 72 hours of becoming aware. Notification will include:
- Nature of the breach + categories + approximate number of records
- Likely consequences
- Measures taken or proposed to mitigate
- Point of contact for further information
8. Audits
Customer may audit novaverb's compliance with this DPA once per year, on 30 days' written notice, during business hours, at Customer's expense. Audits may be substituted by review of novaverb's SOC 2 Type II report (when published) or equivalent third-party audit.
9. Return / deletion of data
Upon termination of the Service:
- Customer may export all Customer Data via the Account → Export feature within 30 days of termination (JSON format)
- After the 30-day grace period, novaverb will permanently delete Customer Data within 90 days, including from backups in the normal backup-rotation cycle
- Statutory retention obligations (Vietnamese tax law, court orders, etc.) override deletion to the extent legally required
10. Liability
Each party is liable for breaches of this DPA caused by its own acts or omissions. Joint and several liability under GDPR Article 82 is preserved with respect to data subjects. Aggregate liability between the parties is capped at the cap set in the Terms of Service.
11. Order of precedence
In case of conflict, the order of precedence is: (1) this DPA, (2) the Terms of Service, (3) any other written agreement between the parties.
12. Term
This DPA takes effect on the date you accept the Terms of Service or first use the Service. It remains in effect for as long as novaverb processes Customer Data + a reasonable wind-down period thereafter.
13. Contact
For DPA questions or to invoke audit / breach / transfer-impact-assessment procedures:
- Email: contact@novaverb.com (subject line "DPA")