Last updated: January 14, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between NOVERGEME ("Processor") and the Customer ("Controller") for the provision of analytics consulting services.
Terms used in this DPA shall have the meanings given in the GDPR and the main agreement. "Personal Data," "Processing," "Data Subject," "Controller," and "Processor" shall have the meanings set forth in Article 4 of the GDPR.
The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes applicable data protection law.
The Processor shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Processor shall not disclose Personal Data to any third party without the Controller's prior written consent.
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex 2 and our Security page.
The Controller provides general authorization for the Processor to engage sub-processors. The current list of sub-processors is available at our Sub-processors page.
The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes.
The Processor shall not transfer Personal Data outside the EEA unless appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or the recipient is in a country with an adequacy decision.
The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR, taking into account the nature of processing and the information available to the Processor.
The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data breach. Such notification shall include all information reasonably required for the Controller to fulfill its breach reporting obligations under GDPR.
Upon termination of services, the Processor shall, at the Controller's choice, delete or return all Personal Data and delete existing copies unless applicable law requires storage of the Personal Data.
The Processor shall make available to the Controller all information necessary to demonstrate compliance with obligations and allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller. Audits shall be conducted with reasonable notice, during normal business hours, and shall not unreasonably disrupt the Processor's operations.
Website visitors, prospective clients, existing clients
Contact information (name, email, phone), business information (website URL, industry), project requirements, communications
Lead management, service delivery, communication, analytics consulting, project collaboration, client support
For the duration of the service agreement plus applicable retention periods
The Processor implements the following categories of security measures (see Security page for details):