Legal

Data Processing Agreement

Last updated . This page is a template. To execute a signed DPA, email privacy@nextbite360.com. Also see our Privacy Policy and Terms of Service.

Template notice. This document is provided for transparency. A signed, counter-signed PDF version is available on request for customers with GDPR, UK GDPR, or other equivalent regulatory obligations. Contact privacy@nextbite360.com.

1. Parties

This Data Processing Agreement (the "DPA") is entered into between the Customer ("Controller") and NEXTbite Technologies ("Processor", "NEXTbite360"), together the "Parties". It supplements and forms part of the Terms of Service.

2. Scope and purpose

This DPA applies to all Personal Data that the Processor processes on behalf of the Controller in connection with providing the NEXTbite360 platform, including AI-assisted product formulation, reverse engineering, compliance, and research features.

3. Definitions

Capitalised terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679) or equivalent legislation applicable to the Controller.

4. Categories of data and data subjects

  • Categories of data subjects: Controller employees, contractors, and authorised users of the platform.
  • Categories of Personal Data: account identifiers (name, email, organisation, role), product information submitted by the user, session telemetry, and audit logs.
  • Special categories: the platform is not designed to process special categories of personal data. The Controller agrees not to submit such data.

5. Processor obligations

  1. Process Personal Data only on documented instructions from the Controller, including with regard to transfers outside the EEA.
  2. Ensure that persons authorised to process Personal Data have committed themselves to confidentiality.
  3. Implement appropriate technical and organisational measures (see Section 7).
  4. Assist the Controller in responding to data-subject requests and in meeting its obligations under Articles 32–36 GDPR.
  5. Delete or return all Personal Data at the end of the provision of services, at the Controller’s choice.
  6. Make available all information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits, subject to reasonable notice and confidentiality.

6. Authorised sub-processors

The Controller authorises the Processor to engage the following sub-processors. The Processor will notify the Controller of intended changes at least thirty days in advance.

  • Supabase, Inc. — Postgres database and storage. Hosted in the European Union by default.
  • Clerk, Inc. — authentication and session management.
  • Upstash, Inc. — rate-limiting and cache.
  • Vercel, Inc. — application hosting and edge functions.
  • Google LLC (Gemini API), Anthropic, PBC (Claude API), and OpenAI, L.L.C. — AI processing of user inputs. Each sub-processor operates under its own published DPA and zero-retention or limited-retention terms, available on request.

7. Security measures

  • Encryption of Personal Data in transit (TLS 1.2+).
  • Encryption at rest for database and object storage.
  • Role-based access control and MFA on all admin systems.
  • Least-privilege service accounts for all integrations.
  • Audit logging of privileged operations.
  • Scheduled dependency and secret scanning (gitleaks + npm / pip audits) in the CI pipeline.
  • Incident-response runbook with 72-hour notification target.

8. International transfers

Where Personal Data is transferred outside the European Economic Area, the Processor relies on the European Commission’s Standard Contractual Clauses (Module Two: Controller to Processor), incorporated by reference, together with supplementary measures required by the Schrems II judgment.

9. Personal data breach

The Processor will notify the Controller without undue delay and within 72 hours of becoming aware of a Personal Data breach affecting Controller data. Notification will describe the nature of the breach, the likely consequences, and the measures taken or proposed.

10. Liability and term

Liability under this DPA is capped and allocated as set out in the Terms of Service. The DPA terminates automatically upon termination of the Agreement. Clauses that by their nature should survive termination (Sections 5, 7, 8, and 9) continue to apply.

11. Contact

Requests to execute a signed version of this DPA or related data-protection enquiries should be sent to privacy@nextbite360.com. The Processor aims to acknowledge within two business days.