Last updated: April 30, 2026
1. Roles
For data you process on behalf of your customers using the Nuvi platform, you are the controller and Nuvi is the processor. This DPA applies to that relationship and is incorporated into your Terms of Service.
2. Subject matter & nature
Subject matter: provision of the Nuvi platform. Nature: hosted SaaS for e-commerce, content, AI, payments. Duration: for the term of the agreement plus a 30-day data-export window.
3. Categories of data subjects & data
- Subjects: your customers, leads, employees that you choose to onboard.
- Data: name, contact, address, order history, payment metadata (no full PAN), behavioural analytics if you enable them.
4. Sub-processors
You authorize us to engage the sub-processors listed in our Privacy Policy. We post a 30-day notice before adding or replacing any sub-processor. You may object to a new sub-processor in good faith and either reach an alternative arrangement or terminate without penalty.
5. Security measures
- Encryption: TLS 1.2+ in transit; AES-256 at rest.
- Access control: SSO + MFA for all Nuvi staff; least-privilege RBAC.
- Logging: tamper-evident audit logs with 90-day retention.
- Backups: daily encrypted backups with 30-day retention; tested quarterly.
- Pen-tests: annual third-party penetration test; remediation tracked publicly.
6. Personal data breach notification
We notify you without undue delay (and within 72 hours where feasible) of any confirmed personal-data breach affecting your data, with the information required by GDPR Art. 33(3).
7. Data subject requests
We forward DSRs we receive directly to you and provide self-service tools (export, delete, restrict) so you can fulfil requests within statutory deadlines.
8. International transfers
For transfers outside the EEA / Türkiye, we rely on Standard Contractual Clauses (SCCs) and supplementary measures as required.
9. Audits
You may audit our compliance with this DPA once per year, on 30 days’ notice, at your expense, under reasonable confidentiality terms. Independent third-party reports (e.g. ISO/SOC) typically satisfy this.
10. Return / deletion of data
On termination you have 30 days to export. After that we delete your data within 90 days from production and within 12 months from backups, except where retention is legally required.
11. Liability
Liability under this DPA is subject to the limits in the Terms of Service.
12. Contact
Data Protection Officer: dpo@usenuvi.com