Data Processing Agreement
Last updated: July 1, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between DevOpspolis LLC ("Processor", "we", "us") and the customer ("Controller", "you") who has agreed to the Nembl Terms of Service (the "Agreement"). This DPA applies to the extent that we process Personal Data on your behalf in providing the Nembl platform.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by us on your behalf through the Service. "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion. "Sub-processor" means any third party engaged by us to process Personal Data on your behalf. "Data Subject" means the individual to whom Personal Data relates.
2. Scope and Roles
You are the Controller of Personal Data submitted to the Service by you or your authorized users. We are the Processor, processing Personal Data solely on your behalf and in accordance with your documented instructions as set forth in this DPA and the Agreement. We will not process Personal Data for any purpose other than providing the Service.
3. Categories of Data Processed
The Personal Data processed through the Service may include:
- User account data: names, email addresses, roles, and authentication credentials
- Workflow and request data: content submitted through forms, service requests, and workflow phases
- Activity data: audit logs, timestamps, and actions performed within the platform
- B2B data: information shared between companies through cross-company service requests
- Communication data: in-app notifications and chatbot interactions
4. Processing Instructions
We will process Personal Data only in accordance with your documented instructions, which include: (a) providing the Service as described in the Agreement, (b) processing initiated by authorized users through their use of the Service, and (c) as required by applicable law. If we are required by law to process Personal Data for any other purpose, we will inform you of that requirement before processing, unless prohibited by law.
5. Confidentiality and Personnel
We ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is limited to personnel who need such access to perform the Service.
6. Security Measures
We implement and maintain appropriate technical and organizational measures to protect Personal Data, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Network isolation using AWS VPC with private subnets and security groups
- IAM-based access controls with role-based permissions and a policy engine
- Audit logging of all data access and administrative actions
- Automated vulnerability scanning and dependency monitoring
- Incident response procedures for security breaches
- Regular review and updates to security measures
7. Sub-processors
You authorize us to engage the following categories of Sub-processors to assist in providing the Service:
- Amazon Web Services (AWS): Cloud infrastructure, compute, storage, and database services (US regions)
- Anthropic: AI language model processing for chatbot and workflow agent features
- Sentry: Error monitoring and application performance (error data only, no PII by design)
- Chargebee / Stripe: Subscription billing and payment processing
- Resend: Transactional email delivery
We will notify you before adding or replacing a Sub-processor, giving you the opportunity to object. Each Sub-processor is bound by data protection obligations no less protective than those in this DPA.
8. Data Subject Rights
We will assist you in responding to requests from Data Subjects exercising their rights under applicable data protection law (including rights of access, rectification, erasure, restriction, portability, and objection). We will promptly notify you if we receive a request directly from a Data Subject and will not respond to such request without your authorization, unless required by law.
9. Data Breach Notification
We will notify you without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. The notification will include: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach. We will cooperate with you and take reasonable steps to assist in mitigating the breach.
10. International Data Transfers
Personal Data is processed and stored in the United States using AWS infrastructure. If you are located outside the United States, you acknowledge that Personal Data will be transferred to and processed in the United States. We rely on appropriate safeguards for such transfers, including Standard Contractual Clauses (SCCs) where required by applicable law.
11. Data Retention and Deletion
Upon termination of the Agreement, we will delete or return all Personal Data processed on your behalf within 30 days, unless retention is required by applicable law. You may request data export at any time during the term of the Agreement. Audit logs may be retained for up to 90 days after termination for compliance purposes, after which they will be deleted.
12. Audit Rights
We will make available to you all information reasonably necessary to demonstrate compliance with this DPA. You may conduct an audit (or engage a qualified third-party auditor bound by confidentiality) no more than once per year with at least 30 days' written notice. We will cooperate with such audits and provide reasonable access to relevant facilities and records.
13. Liability and Indemnification
Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement. Nothing in this DPA limits either party's liability for breaches of applicable data protection law to the extent such limitation is not permitted by law.
14. Term and Termination
This DPA is effective for as long as we process Personal Data on your behalf under the Agreement. It automatically terminates when the Agreement terminates, subject to the data retention and deletion obligations in Section 11.
15. Contact
For questions about this DPA or to exercise rights under it, contact us at privacy@devopspolis.com.