Data Processing Agreement

Last updated: June 16, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer" or "Data Controller") and Ind!oogle Software Labs Limited, Zambia ("Novaabase", "we", "us", or "Data Processor"). This DPA reflects the parties' agreement with regard to the processing of Personal Data in accordance with the requirements of applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR").

2. Definitions

  • Personal Data means any information relating to an identified or identifiable natural person.
  • Processing means any operation which is performed on Personal Data, whether or not by automated means.
  • Data Controller means the natural or legal person which determines the purposes and means of the Processing of Personal Data.
  • Data Processor means the natural or legal person which Processes Personal Data on behalf of the Data Controller.
  • Data Subject means the identified or identifiable natural person to whom Personal Data relates.
  • Subprocessor means any third party engaged by Novaabase to assist in fulfilling its obligations with respect to providing the Services.

3. Details of Processing

  • Subject matter: Processing of Personal Data to provide the Novaabase platform and related services.
  • Duration: For the duration of the Agreement, unless otherwise agreed upon in writing.
  • Nature and purpose: Storage, hosting, management, and other processing necessary to provide database, authentication, storage, edge functions, and related backend services.
  • Types of Personal Data: Name, email address, IP address, user-generated content, authentication credentials, and any other Personal Data uploaded by Customer to the Novaabase platform.
  • Categories of Data Subjects: Customer's end users, employees, customers, and any other individuals whose Personal Data is processed through the Novaabase platform.

4. Obligations of Novaabase

Novaabase agrees to:

  • Process Personal Data only on documented instructions from the Data Controller, including with regard to transfers of Personal Data to third countries, unless required to do so by Union or Member State law to which Novaabase is subject.
  • Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption, access controls, and regular security assessments.
  • Assist the Data Controller in ensuring compliance with obligations relating to data subjects' rights, data breach notifications, and data protection impact assessments.
  • At the choice of the Data Controller, delete or return all Personal Data after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data.
  • Make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.

5. Subprocessors

Novaabase may engage Subprocessors to assist in providing the Services. A current list of Subprocessors is available upon request. Novaabase will provide notice of any new Subprocessors and will ensure that any Subprocessor is bound by data protection obligations consistent with this DPA.

6. Data Subject Rights

Novaabase shall promptly notify the Data Controller of any request received directly from a Data Subject and shall not respond to such request unless authorized to do so by the Data Controller. Novaabase will assist the Data Controller in fulfilling its obligations to respond to requests by Data Subjects to exercise their rights under applicable data protection laws.

7. Data Breaches

Novaabase shall notify the Data Controller without undue delay after becoming aware of a Personal Data breach. Such notification will include details of the breach, the categories and approximate number of affected Data Subjects, and the measures taken or proposed to address the breach and mitigate its potential adverse effects.

8. Security Measures

Novaabase implements industry-standard security measures, including but not limited to:

  • Encryption of data in transit using TLS 1.2 or higher.
  • Encryption of data at rest using industry-standard encryption algorithms.
  • Regular security assessments and vulnerability scanning.
  • Role-based access controls and multi-factor authentication.
  • Regular backups and disaster recovery procedures.
  • Employee training on data protection and security awareness.

9. International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), Novaabase shall ensure appropriate safeguards are in place in accordance with applicable data protection laws, such as Standard Contractual Clauses (SCCs) approved by the European Commission.

10. Term and Termination

This DPA shall remain in effect for the duration of the Agreement. Upon termination of the Agreement, Novaabase shall, at the direction of the Data Controller, return or delete all Personal Data, except where retention is required by applicable law.

11. Governing Law

This DPA shall be governed by the laws of the Republic of Zambia, without regard to its conflict of laws principles. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of the Republic of Zambia.

12. Contact

If you have any questions about this Data Processing Agreement, please contact us at privacy@novaabase.com.