Data Processing Agreement

Last Updated: May 3, 2026

This Data Processing Agreement ("DPA") forms part of the Master Services Agreement, Terms of Service, or other written agreement between Nova AI Ops, Inc. ("Nova AI Ops", "we", "us", or "Processor") and the customer ("Customer", "you", or "Controller") that references or incorporates this DPA. It governs the processing of Personal Data by Nova AI Ops on behalf of Customer where applicable data protection law (including the EU GDPR, UK GDPR, and CCPA/CPRA) applies.

1. Definitions

Capitalised terms used but not defined in this DPA have the meanings given to them in the GDPR or in the Master Services Agreement. For clarity:

  • Personal Data: any information relating to an identified or identifiable natural person processed by Nova AI Ops on behalf of Customer.
  • Customer Data: data that Customer or Customer's authorised users submit, upload, or generate through the Nova AI Ops platform, including telemetry, logs, metrics, and incident records.
  • Sub-processor: a third party engaged by Nova AI Ops to process Personal Data on Customer's behalf in connection with the Services. The current list is published at novaaiops.com/sub-processors.
  • Standard Contractual Clauses (SCCs): the European Commission's standard contractual clauses for international data transfers (Module Two: Controller to Processor) adopted under Decision (EU) 2021/914.

2. Roles and Scope

Customer is the Controller of Personal Data submitted to the Nova AI Ops platform. Nova AI Ops acts as the Processor and processes Personal Data only on documented instructions from Customer, including for the transfer of Personal Data to a third country, unless required to do otherwise by Union or Member State law.

This DPA applies to:

  • The provision of the Nova AI Ops platform, including monitoring, incident response, AI agents, automation, and communication features.
  • Support and professional services provided by Nova AI Ops to Customer.
  • Technical assistance provided by Nova AI Ops staff in response to Customer requests.

3. Subject Matter, Duration, Nature, and Purpose of Processing

  • Subject matter: the processing of Personal Data submitted by Customer to the Nova AI Ops platform for the purpose of providing the Services.
  • Duration: for the term of the Master Services Agreement and until deletion or return of all Customer Data per Section 11.
  • Nature and purpose: hosting, processing, indexing, and serving Customer Data so the platform can deliver monitoring, alerting, AI-driven analysis, incident response, and reporting features.
  • Categories of data subjects: Customer's employees, contractors, end-users, and any natural persons whose Personal Data appears in Customer-uploaded telemetry or incident records.
  • Categories of Personal Data: identifiers (name, email, IP address, device ID), authentication credentials, usage and activity logs, telemetry and incident-related metadata, and any other Personal Data Customer chooses to submit.

4. Customer Instructions

Nova AI Ops processes Personal Data solely on Customer's documented instructions, which include:

  • The Master Services Agreement, Order Form(s), and the configuration choices Customer makes within the platform.
  • Instructions issued through Nova AI Ops APIs, admin consoles, support tickets, or written notices to privacy@novaaiops.com.

Nova AI Ops will inform Customer if, in its opinion, an instruction infringes the GDPR, UK GDPR, or other applicable data protection law.

5. Confidentiality of Personnel

Nova AI Ops ensures that all personnel authorised to process Personal Data are bound by written confidentiality obligations, receive ongoing data-protection and security training, and are granted access only on a least-privilege basis tied to documented business need.

6. Security Measures (Article 32)

Nova AI Ops implements technical and organisational measures designed to ensure a level of security appropriate to the risk. These include:

  • Encryption in transit: TLS 1.2 or higher for all data in transit between client, platform, and sub-processors.
  • Encryption at rest: AES-256 for stored Customer Data, including primary databases, backups, and object storage.
  • Access control: role-based access control (RBAC), single sign-on (SSO/SAML) for Customer admins on Enterprise plans, and mandatory multi-factor authentication for all Nova AI Ops personnel.
  • Network security: private-network isolation between tenants, DDoS mitigation, IP allowlisting on Enterprise, and continuous vulnerability scanning.
  • Logging and monitoring: tamper-evident audit logs of administrative actions, with retention aligned to Customer plan and applicable law.
  • Resilience and recovery: redundant infrastructure across availability zones, automated backups, and a documented disaster recovery program tested at least annually.
  • Vulnerability and patch management: tracked CVE remediation timelines, dependency scanning, and a coordinated disclosure program.

An updated description of Nova AI Ops' security program is available in the Trust Center at novaaiops.com/trust.

7. Sub-processors

Customer authorises Nova AI Ops to engage Sub-processors to assist in providing the Services, subject to the safeguards in this Section 7. The current list of Sub-processors is published at novaaiops.com/sub-processors.

  • General authorisation: Customer provides general written authorisation for Nova AI Ops' use of the Sub-processors listed at the link above.
  • Notice of changes: Nova AI Ops will provide at least 30 days' notice of the addition or replacement of any Sub-processor by updating the list and notifying Customer via in-product notification or the email on file.
  • Customer right to object: Customer may object to a new Sub-processor on reasonable grounds related to data protection within 30 days of notice. The parties will work in good faith to resolve the objection; if no resolution is reached, Customer may terminate the affected Service for the impacted Customer entity.
  • Sub-processor obligations: Nova AI Ops imposes data protection obligations on each Sub-processor that are no less protective than those in this DPA, by way of a written contract.
  • Liability: Nova AI Ops remains liable to Customer for the performance of its Sub-processors' obligations under this DPA.

8. Data Subject Requests

Taking into account the nature of the processing, Nova AI Ops will assist Customer by appropriate technical and organisational measures to fulfil Customer's obligations to respond to requests from data subjects exercising their rights under Articles 15 to 22 of the GDPR.

Where Customer cannot fulfil a data-subject request through the platform's self-service tools (export, deletion, redaction APIs), Customer may submit a request to privacy@novaaiops.com and Nova AI Ops will respond within a commercially reasonable time, typically within 14 days.

9. Personal Data Breach Notification

Nova AI Ops will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer's Personal Data. Notification will include, to the extent known at the time:

  • The nature of the breach, including the categories and approximate number of data subjects and records concerned.
  • The likely consequences of the breach.
  • The measures taken or proposed to address the breach and mitigate possible adverse effects.
  • Contact details of a designated point of contact for further information.

Nova AI Ops will provide reasonable assistance to Customer in fulfilling Customer's own breach-notification obligations under applicable law.

10. Data Protection Impact Assessment (DPIA)

Nova AI Ops will provide reasonable assistance to Customer with any DPIA or prior consultation with supervisory authorities required by Articles 35 and 36 of the GDPR, taking into account the nature of the processing and the information available to Nova AI Ops.

11. Return or Deletion of Personal Data

Upon termination of the Master Services Agreement or earlier written request from Customer, Nova AI Ops will, at Customer's choice, return or delete all Personal Data, including existing copies, unless retention is required by Union or Member State law. Standard deletion timeline:

  • Live database: deleted within 30 days of termination or written request.
  • Backups: overwritten on the standard backup-rotation cycle, completed within 90 days.
  • Audit logs and tax/compliance records: retained only as required by law and held under access control until purged.

12. Audits

Nova AI Ops will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. Customer may verify Nova AI Ops' compliance through:

  • Reviewing certifications, third-party reports (e.g., SOC 2 Type II once available), and the Trust Center.
  • Submitting written audit questionnaires which Nova AI Ops will respond to within 30 days.
  • An on-site or remote audit, no more than once per twelve-month period (except where required by a supervisory authority or following a confirmed breach), conducted at Customer's expense, scheduled in advance, and bound by confidentiality terms acceptable to Nova AI Ops.

13. International Data Transfers

Where transfer of Personal Data outside the EEA, UK, or Switzerland to a country not subject to an adequacy decision is required, the parties agree the Standard Contractual Clauses (Module Two: Controller to Processor) are incorporated by reference into this DPA and apply to such transfers, with the following selections:

  • Clause 7 (docking clause): not applied.
  • Clause 9(a) (sub-processor authorisation): Option 2, general written authorisation, with 30 days' notice as set out in Section 7.
  • Clause 11(a) (independent dispute resolution body): not applied.
  • Clause 17 (governing law): the law of Ireland.
  • Clause 18 (forum and jurisdiction): the courts of Ireland.
  • Annex I, II, and III of the SCCs are completed by the corresponding sections of this DPA, the Sub-processors page, and the security program described in the Trust Center.

For transfers from the United Kingdom, the UK International Data Transfer Addendum to the SCCs (issued by the UK ICO) applies.

14. CCPA / CPRA Specifics

For Personal Data of California consumers, Nova AI Ops acts as a "Service Provider" as defined under the CCPA/CPRA. Nova AI Ops will not (a) sell or share Personal Data, (b) retain, use, or disclose Personal Data for any purpose other than performing the Services or as otherwise permitted by the CCPA/CPRA, or (c) combine Personal Data received from Customer with Personal Data received from other sources, except as permitted by the CCPA/CPRA.

15. Liability and Conflict

The liability provisions in the Master Services Agreement apply to this DPA. In the event of any conflict between this DPA and the Master Services Agreement, this DPA prevails with respect to data-protection matters.

16. Order of Precedence and Modifications

This DPA is intended to comply with the GDPR, UK GDPR, and CCPA/CPRA as in force on the Last Updated date. If applicable law changes such that this DPA no longer satisfies legal requirements, the parties will negotiate in good faith an amendment to bring the DPA into compliance.

17. Contact

Questions about this DPA, requests to execute a counter-signed copy, or data-subject inquiries should be directed to:

Data Protection Officer: privacy@novaaiops.com
Security: security@novaaiops.com
Mailing Address: Nova AI Ops, Inc., Houston, TX, United States

A counter-signed copy of this DPA is available on request via the Trust Center at novaaiops.com/trust.