Data Processing Agreement (DPA)
Last updated: April 2026
This is a convenience translation. The Romanian version prevails in case of conflict.
Data Processing Agreement — pursuant to Art. 28 of Regulation (EU) 2016/679 (GDPR) · Version 1.0
Contracting Parties
This Data Processing Agreement (hereinafter "DPA" or "Agreement") is entered into between:
THE CONTROLLER (the Client) — the legal entity using the Nivlo platform, identified by the activated account and accepted Terms and Conditions.
THE PROCESSOR: SC Teachels Media SRL · Str. Veteranilor nr. 1A, Darabani, Botoșani County, Romania · Tax ID: RO43112733 · Reg. No.: J07/539/2020 · Legal representative: Daniel Robert Dinu (hereinafter "Processor" or "Nivlo").
This DPA is an annex to and forms an integral part of the Terms and Conditions for the use of the Nivlo platform (hereinafter "Main Agreement").
1. Definitions
Terms used have the meanings attributed by GDPR. In addition:
- "Personal Data" — any information relating to an identified or identifiable natural person, processed by the Processor on behalf of the Controller through the Nivlo Platform.
- "Processing" — any operation on personal data: collection, storage, organization, structuring, modification, consultation, use, disclosure, erasure, or destruction.
- "Platform" — the cloud Digital Asset Management (DAM) service operated by Nivlo, accessible at nivlo.com and associated subdomains.
- "Sub-processor" — any third party engaged by the Processor to carry out processing operations.
- "Security Breach" — a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal data.
- "Documented Instructions" — the Controller's written instructions, including this DPA, the Main Agreement, and any subsequent written instructions.
2. Subject Matter and Duration
The Processor processes personal data on behalf of the Controller solely for the purpose of providing Digital Asset Management services through the Nivlo Platform, in accordance with the Main Agreement.
The duration of processing corresponds to the duration of the Main Agreement (including renewals), plus the retention periods set out in section 11.
The details of processing (categories of data, categories of data subjects, nature and purpose) are described in Annex A.
3. Obligations of the Processor
The Processor undertakes to:
3.1. Process in accordance with instructions
Process personal data solely on the basis of the Controller's documented instructions, including regarding transfers to a third country, unless required to do so by EU or national law.
3.2. Confidentiality
Ensure that persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation.
3.3. Security
Implement the appropriate technical and organizational measures required by Art. 32 GDPR and detailed in Annex B.
3.4. Sub-processors
Comply with the conditions in section 5 for engaging sub-processors.
3.5. Assistance
Assist the Controller by appropriate technical and organizational measures in fulfilling the obligation to respond to data subject requests.
3.6. Deletion or return
Upon termination of the Main Agreement, comply with the procedure in section 11.
3.7. Audit
Make available all information necessary to demonstrate compliance with Art. 28 GDPR and allow for audits as set out in section 10.
3.8. Notification of unlawful instructions
Immediately inform the Controller if an instruction infringes GDPR or other EU or national data protection provisions.
4. Obligations of the Controller
The Controller undertakes to:
- ensure processing through the Platform has a valid legal basis under Art. 6 GDPR;
- inform data subjects in accordance with Art. 13 and 14 GDPR;
- provide documented, lawful, and accurate processing instructions;
- ensure that content uploaded to the Platform complies with applicable legislation, including data subjects' rights;
- notify the Processor of any data subject request requiring action;
- assess whether the security measures are adequate for the risks of processing.
5. Sub-processors
5.1. General authorization
The Controller grants the Processor a general written authorization to engage sub-processors. The list as of the signing date is in Annex C.
5.2. Notification of changes
The Processor shall notify the Controller by email at least 30 calendar days before adding or replacing a sub-processor.
5.3. Right to object
If the Controller raises justified objections within 15 days, the parties shall negotiate an alternative solution. If no solution is reached in 30 days, the Controller may terminate the Main Agreement without penalty.
5.4. Contractual obligations
The Processor shall impose on sub-processors, by written contract, the same data protection obligations. The Processor remains fully liable to the Controller.
6. International Transfers
Personal data is stored and processed exclusively within the European Economic Area (EEA).
The Processor shall not transfer personal data outside the EEA without the Controller's written consent and without ensuring one of:
- An adequacy decision by the European Commission (Art. 45 GDPR);
- Standard Contractual Clauses (Art. 46(2)(c) GDPR);
- Binding Corporate Rules (Art. 47 GDPR);
- Another transfer mechanism recognized by GDPR.
The same obligation applies to sub-processors.
7. Assistance to the Controller
7.1. Data subject requests
The Processor assists in handling data subject requests (access, rectification, erasure, restriction, portability, objection):
- notifying the Controller within 3 business days of receiving a direct request;
- providing technical tools within the Platform for autonomous response;
- additional technical assistance at reasonable cost if exceeding standard Platform capabilities.
7.2. Compliance obligations
The Processor assists with Art. 32-36 GDPR obligations (security, breach notification, impact assessment, prior consultation).
8. Security Breach Notification
8.1. Notification timeline
The Processor shall notify the Controller without undue delay, and no later than 48 hours after becoming aware of a security breach.
8.2. Notification content
The notification shall include:
- a description of the nature of the breach, categories and approximate number of data subjects and records affected;
- the Processor's contact details;
- a description of the likely consequences;
- measures taken or proposed to remediate and mitigate.
8.3. Cooperation
The Processor cooperates in investigating, remediating, and mitigating the effects of the breach, and assists the Controller with its notification obligations to ANSPDCP (Art. 33) and to data subjects (Art. 34).
9. Data Protection Impact Assessment (DPIA)
The Processor assists the Controller in carrying out DPIAs under Art. 35 GDPR, by providing information about:
- the nature, scope, and context of processing through the Platform;
- the technical and organizational measures implemented;
- the results of internal security assessments.
10. Audit and Inspections
10.1. Right to audit
The Controller (or a third-party auditor) has the right to conduct audits, subject to:
- written notice of at least 30 calendar days in advance;
- the audit takes place during normal business hours;
- a third-party auditor signs a confidentiality agreement;
- the audit does not disproportionately affect the Processor's operations or the security of other clients;
- a maximum of one audit per year, with exceptions for breaches or supervisory authority investigations.
10.2. Alternatives to audit
The Processor may provide:
- third-party audit reports (SOC 2, ISO 27001, or similar);
- completed security questionnaires;
- relevant compliance certificates.
10.3. Costs
Audit costs are borne by the requesting Controller. Processor staff time is billed at the standard rate.
11. Return and Deletion of Data
11.1. Upon contract termination
Upon termination of the Main Agreement, the Processor shall:
- make Platform export features available for 30 calendar days from the date of termination;
- at the Controller's written request, return all data in a structured, commonly used, machine-readable format;
- after the 30-day period, permanently delete all personal data from production systems, including backups, within an additional 30 calendar days.
11.2. Confirmation
At the Controller's request, the Processor provides written confirmation of deletion.
11.3. Exceptions
The Processor may retain personal data after termination only if required by EU or national law. In such cases, the Processor informs the Controller and ensures confidentiality.
12. Technical and Organizational Measures
The Processor implements the measures detailed in Annex B, including:
- encryption of data in transit (TLS 1.2+) and at rest;
- role-based access control (RBAC), with the principle of least privilege;
- secure authentication;
- access and operation logging;
- regular backups with separate storage within the EU;
- logical data separation between clients (secure multi-tenancy);
- security incident management procedures;
- regular security patches;
- staff training on data protection.
13. Liability
Each party is liable for GDPR breaches attributable to it under Art. 82 GDPR.
The Processor is liable for damages caused by processing only to the extent that it has not complied with obligations specifically directed at processors under GDPR or has acted outside of or contrary to the Controller's lawful instructions.
The limitations of liability in the Main Agreement also apply to this DPA, to the extent permitted by applicable law.
14. Term and Termination
This DPA enters into force on the date of signature (or electronic acceptance of the Terms) and remains in force for the duration of the Main Agreement.
Obligations of confidentiality, data deletion/return, and cooperation in audits survive termination.
15. Final Provisions
This DPA prevails over conflicting provisions in the Main Agreement regarding personal data processing.
Any amendment shall be made in writing, by mutual agreement.
This DPA is governed by Romanian law. Disputes shall be resolved per the Main Agreement.
Annex A — Processing Details
Nature of processing
Storage, organization, indexing, thumbnail and preview generation, transcoding, transmission, and display of digital assets and associated metadata, in accordance with the Controller's instructions, through the Nivlo Platform.
Purpose of processing
Provision of the Digital Asset Management service: secure file storage, team collaboration, controlled asset sharing, version management, search and filtering.
Duration of processing
For the duration of the Main Agreement, plus the retention periods set out in section 11.
Categories of data subjects
- employees and contractors of the Controller;
- clients and business partners of the Controller;
- individuals appearing in managed photo/video materials (models, event attendees, public figures);
- any other category of data subjects whose data is included in the content uploaded by the Controller.
Categories of personal data
- Visual identification data — images of identifiable persons, portraits, event photographs (uploaded by Controller).
- EXIF/IPTC metadata — GPS coordinates, capture date/time, device information, descriptions, keywords (embedded in files).
- Textual identification data — person names in descriptions, tags, comments, file names (metadata added by Controller).
- Contact data — email addresses, phone numbers (if included in managed documents).
Special categories of data (Art. 9 GDPR)
The Platform is not designed for systematic processing of special categories of data. However, visual content (photographs) may indirectly reveal biometric data, racial/ethnic origin, or other special categories. The Controller is responsible for assessing necessity and legal basis.
Annex B — Technical and Organizational Measures
B.1. Encryption (Art. 32(1)(a))
- Encryption in transit: TLS 1.2 or higher for all communications.
- Encryption at rest: storage-level encryption for all persistent data.
- Encryption keys managed separately from encrypted data.
B.2. Confidentiality and integrity (Art. 32(1)(b))
- Role-based access control (RBAC) with the principle of least privilege.
- Password authentication, with the possibility of integrating corporate authentication mechanisms.
- Logical data separation between client organizations (multi-tenancy).
- Logging of all data access and operations.
- Confidentiality agreements for all personnel with data access.
B.3. Availability and resilience (Art. 32(1)(b))
- Regular backups, stored in geographically separate locations within the EU.
- Periodic verification of backup integrity and restoration tests.
- Infrastructure with storage-level redundancy.
- Continuous service availability monitoring.
B.4. Restore capability (Art. 32(1)(c))
- Documented disaster recovery procedures.
- Recovery Time Objective (RTO): 24 hours.
- Recovery Point Objective (RPO): 24 hours.
B.5. Periodic assessment (Art. 32(1)(d))
- Periodic security assessments of application and infrastructure.
- Regular application of security patches.
- Annual review of security measures.
B.6. Organizational measures
- Production system access strictly limited to authorized personnel.
- Staff training on data protection and information security.
- Documented security incident management procedures.
- Data retention and deletion policy.
Annex C — List of Authorized Sub-processors
As of the date of this Agreement, the Processor uses the following sub-processors:
Hetzner Online GmbH
Office: Germany (EU) · Service: Dedicated server infrastructure and storage (S3-compatible Object Storage) · Processing location: EU (Germany / Finland).
Cloudflare, Inc.
Office: USA · Service: CDN, DDoS protection, secure tunnels · Processing location: Global (cached data — EU points of presence prioritized).
Cloudflare is certified under the EU-U.S. Data Privacy Framework. Nivlo uses Cloudflare exclusively for secure tunnels and content distribution, without persistent storage of personal data on Cloudflare servers.
Amazon Web Services, Inc. (Amazon WorkMail)
Office: USA · Service: Email (service communications, notifications, billing) · Processing location: EU (Ireland, eu-west-1).
The company is headquartered in the USA; however, the Amazon WorkMail instance used by Nivlo is configured in the EU region. AWS is certified under the EU-U.S. Data Privacy Framework and provides Standard Contractual Clauses.
An updated list of sub-processors is available upon request at [email protected].
Contact and Signatures
For formal signing of this DPA with Nivlo (signable version with signature blocks), contact us at [email protected]. Acceptance of the Terms and Conditions for using the Nivlo platform constitutes acceptance of this DPA for standard service usage.