This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Nevind AI Terms of Service between:
Processor
Sinreh Digital
Toronto, Ontario, Canada — operating as Nevind AI
Provides the Nevind AI platform and services as described in the Terms of Service.
Controller
You (the Customer)
The business entity or individual who has accepted the Nevind AI Terms of Service.
This DPA sets out the terms under which Nevind AI (as Processor) processes personal data on behalf of the Customer (as Controller) in connection with the Nevind AI platform, in compliance with GDPR Article 28, Quebec Law 25 s.18.4, and applicable privacy regulations.
Definitions
"Personal Data": Any information relating to an identified or identifiable natural person, as defined under applicable law (GDPR Art. 4(1); PIPEDA s.2).
"Processing": Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
"Controller": The Customer, who determines the purposes and means of processing Personal Data.
"Processor": Sinreh Digital (operating as Nevind AI), which processes Personal Data on the Controller's behalf.
"Sub-Processor": A third party engaged by Nevind AI to process Personal Data in connection with the Service.
"Data Subject": The individual whose Personal Data is processed (e.g. callers, appointment clients, email recipients).
"SCCs": Standard Contractual Clauses for international data transfers, as adopted by the European Commission.
Processing Details
Subject matter
Operation of the Nevind AI platform on behalf of the Customer
Duration
For the duration of the Customer's active subscription, plus any post-termination retention required by law
Nature & purpose
Providing AI voice reception, appointment booking, B2B lead generation, email outreach, and knowledge base services
Types of personal data
Caller phone numbers; appointment client names, emails, phone numbers; business contact emails (B2B leads); call recordings and transcripts; account holder email and business details
Categories of data subjects
Callers who contact the Customer's AI phone number; clients who book appointments; business contacts receiving outreach emails; Customer's own account holders
Processor Obligations (Nevind AI)
4.1 Lawful processing
Nevind AI shall process Personal Data only on documented instructions from the Controller (as set out in this DPA and the Terms of Service), unless required to do so by applicable law.
4.2 Confidentiality
Nevind AI shall ensure that personnel authorised to process Personal Data are under appropriate obligations of confidentiality.
4.3 Security
Nevind AI shall implement the technical and organisational measures set out in §8 of this DPA.
4.4 Sub-processing
Nevind AI shall not engage a new Sub-Processor without prior written notice to the Controller (minimum 10 days). The Controller may object on reasonable grounds within that period.
4.5 Data subject rights
Nevind AI shall assist the Controller in responding to Data Subject rights requests (access, erasure, portability, correction) within the timeframes required by applicable law.
4.6 Data Protection Impact Assessments
Nevind AI shall provide reasonable assistance to the Controller in conducting DPIAs where required under GDPR Art. 35.
4.7 Deletion on termination
Upon termination of the Service, Nevind AI shall delete or return all Personal Data (at the Controller's option), except to the extent retention is required by law. Deletion shall occur within 30 days of termination.
Controller Obligations (Customer)
5.1 Lawful basis
The Controller shall ensure it has a valid lawful basis for collecting and directing the processing of Personal Data through the Service.
5.2 Caller consent
Where call recording or AI transcription is enabled, the Controller is responsible for notifying callers and, where required, obtaining their consent prior to the call being handled by the AI.
5.3 No PHI
The Controller shall not use the Service to process Protected Health Information (PHI) under PHIPA or equivalent legislation without a separate written agreement with Nevind AI.
5.4 CASL compliance
The Controller is responsible for ensuring that any email addresses uploaded to the Service for outreach purposes are covered by appropriate consent or implied consent under CASL.
Approved Sub-Processors
The Controller grants general authorisation to Nevind AI to engage the following Sub-Processors. The current list is maintained below and updated with 10 days' notice of any material change.
Category | Location | Purpose | Transfer Mechanism
Cloud database provider | Canada | Database, authentication, storage | In-country
AI voice processing provider | United States | AI voice calls, transcription | SCCs
AI inference provider | United States | AI inference, knowledge retrieval | SCCs
Telephony provider | United States | Phone number provisioning & PSTN routing | SCCs
Payment processor | United States | Subscription & billing | SCCs + adequacy
Email delivery provider | United States | Transactional & outreach email | SCCs
Mapping data provider | United States | Business search (lead generation) | SCCs
International Data Transfers
7.1 Primary storage in Canada
Personal Data is primarily stored in Canada. Canada is recognised as providing adequate protection under GDPR (European Commission adequacy decision, 2001, PIPEDA scope).
7.2 US transfers
Where Personal Data is transferred to Sub-Processors in the United States (see §6), such transfers are governed by the European Commission Standard Contractual Clauses (Module 2: Controller to Processor), incorporated by reference into each Sub-Processor agreement.
7.3 Controller-initiated transfers
The Controller acknowledges that by directing Nevind AI to process call audio and AI inference through our contracted sub-processors, the Controller authorises those transfers under this DPA.
Technical & Organisational Measures (TOMs)
Nevind AI implements the following measures to ensure security appropriate to the risk:
Encryption at rest
AES-256 encryption for all database storage.
Encryption in transit
TLS 1.3 enforced for all data transmitted between services and users.
Access control
Row-Level Security (RLS) on all database tables. Principle of least privilege for all internal access.
Authentication
Secure session tokens with rotating refresh. No plaintext passwords stored.
API security
HMAC-SHA256 signature verification on all webhook endpoints. Rate limiting on all API routes.
Secrets management
API keys stored in encrypted server-side secret stores only. Never committed to source control or exposed to the browser.
Incident monitoring
Infrastructure alerts for anomalous access patterns. Breach response procedure in place.
Vendor due diligence
Sub-Processors selected based on their security certifications (SOC 2, ISO 27001 where applicable).
For a full technical security overview, see our Security page.
Security Incident & Breach Response
9.1 Notification to Controller
Nevind AI shall notify the Controller without undue delay (and no later than 48 hours after becoming aware) of any Personal Data breach affecting the Controller's data.
9.2 Notification content
Breach notifications shall include: nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed.
9.3 Supervisory authority notification
The Controller is responsible for notifying its relevant supervisory authority (OPC, CAI, or EU DPA) within the required timeframe. Nevind AI will provide all information necessary to facilitate that notification.
9.4 Incident records
Nevind AI shall maintain a record of all security incidents, including those that do not constitute a reportable breach, for a minimum of 24 months (PIPEDA) / as required by GDPR.
Audits & Cooperation
10.1 Audit rights
Nevind AI shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor, subject to reasonable prior notice (minimum 30 days) and confidentiality obligations.
10.2 Certification equivalence
Where Nevind AI or its Sub-Processors hold relevant certifications (e.g. SOC 2 Type II), sharing those reports shall be deemed sufficient to satisfy audit requirements for the relevant scope.
Term & Termination
11.1 Term
This DPA is effective from the date the Customer accepts the Nevind AI Terms of Service and remains in effect until the termination of the Service agreement.
11.2 Data return or deletion
Upon written request at termination, Nevind AI shall either return a complete export of the Controller's Personal Data in JSON format, or confirm secure deletion, within 30 days. Retention required by law (e.g. billing records for 7 years) is excluded.
11.3 Survival
Confidentiality obligations and audit rights survive termination for 3 years.
Contact & Signing
This DPA is incorporated by reference into the Nevind AI Terms of Service and is binding on all Customers who use the Service. Enterprise customers requiring a separately signed copy for their compliance records may request one:
Request a Signed DPA
Email privacy@nevind.com with your company name, jurisdiction, and the compliance framework requiring the DPA (GDPR / Quebec Law 25 / other). We will countersign and return within 5 business days.