Data Processing Agreement

GDPR Compliance

Last updated: April 19, 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between NaN Logic LLC (“Processor,” “we,” “us”) and you, the customer (“Controller,” “you”), governing the processing of personal data in connection with your use of the NaNDesk service. This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (GDPR) and supplements our Terms of Service and Privacy Policy.

Key Principle: NaNDesk is a hosted service. NaN Logic acts as your data processor when visitor messages transit our infrastructure and are routed to our AI sub-processor (OpenAI) to generate responses. We retain only widget configuration, account data, per-day conversation counts, and webhook delivery logs — we do not persist raw visitor transcripts and do not use visitor content to train models. This DPA addresses the processing of visitor personal data and account data that NaN Logic performs on your behalf.

1. Parties and Roles

For the purposes of this DPA and applicable data protection law (including but not limited to the GDPR):

Controller (You)

You, the customer, determine the purposes and means of processing personal data collected through your NaNDesk widget. You are the data controller for visitor data captured by, or generated in, your deployment.

Processor (NaN Logic)

NaN Logic LLC acts as your data processor for visitor messages transiently processed to generate AI responses, webhook delivery, account management, and service operations.

This DPA applies to the processing of personal data by NaN Logic in the course of providing the NaNDesk service as described in our Terms of Service. It supplements and is incorporated into the Terms of Service.

2. Scope of Processing

NaN Logic processes personal data strictly for the following purposes:

Widget Configuration

Storing and delivering your widget settings, field definitions, greeting text, and style configuration to end-user browsers.

Account Management

Managing your NaN Logic account, authentication, billing, and subscription status.

Usage Metrics

Collecting aggregate, non-personally-identifiable usage statistics (chat counts, widget load counts) for service improvement and billing.

Service Operations

Maintaining platform security, fraud prevention, error monitoring, and uptime of the control-plane infrastructure.

Purpose Limitation: NaN Logic shall process personal data only on your documented instructions and solely for the purposes described above. We shall not process personal data for any other purpose, including marketing, profiling, or sale to third parties.

Data Minimization: We process only the data necessary to operate the service. Visitor messages are handled transiently to generate responses and are not retained. Structured lead fields you configure are forwarded to your destination of choice and are not retained by NaN Logic after delivery.

3. NaNDesk Data Flow

Understanding the data flow is critical to this DPA. NaNDesk is a hosted service:

1. Widget Configuration: NaN Logic stores and serves widget config (fields, styling, greetings, domain allowlist).
2. Visitor Conversations: Messages flow from the visitor's browser to NaN Logic's chat API over TLS, are forwarded to OpenAI to generate a response, and streamed back in real time. Raw transcripts are not persisted by NaN Logic.
3. AI Processing: NaN Logic routes prompts to OpenAI using our own API key. OpenAI is bound by its data processing terms (no training on API data). You do not manage keys or AI contracts.
4. Data Delivery: Structured lead fields produced by the assistant are delivered to your configured destination (email, webhook, Zapier, calendar). Delivery logs are retained by NaN Logic for troubleshooting.
5. Usage Metrics: NaN Logic records per-day conversation counts per widget for billing, quota enforcement, and overage accrual. No visitor PII is included in these metrics.

4. Sub-processors

NaN Logic uses the following sub-processors. Each sub-processor is bound by data protection agreements consistent with this DPA:

OpenAI (AI inference — NaNDesk visitor chat, transient)
Vercel (Hosting — application infrastructure, APIs, static assets)
Supabase (Database — widget configuration, account data, conversation counts)
Clerk (Authentication — NaN Logic dashboard accounts)
Stripe (Payments — subscription billing and invoicing, once enabled)
Sentry (Error Monitoring — NaN Logic services)

OpenAI Processing Terms

OpenAI processes visitor messages solely to generate the assistant’s response, under OpenAI’s API data usage policy: content submitted through the API is not used to train OpenAI’s models. Response data is returned to NaN Logic and streamed to the visitor. Retention at OpenAI follows OpenAI’s published policies.

We will notify you of any intended changes to our sub-processor list at least 30 days before the change takes effect, giving you the opportunity to object. If you object and we cannot reasonably accommodate your objection, you may terminate the affected service.

5. Security Measures

NaN Logic implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Encryption in Transit

All data transmitted between your browser, our APIs, and our sub-processors is encrypted using TLS 1.2 or higher.

Encryption at Rest

Data stored in our databases (widget configuration, account data) is encrypted at rest using AES-256.

Access Controls

Role-based access control, multi-factor authentication for internal systems, and least-privilege principles for all team members.

Infrastructure Security

Hosted on Vercel and Supabase with SOC 2 Type II compliance. Automated vulnerability scanning and dependency auditing.

Monitoring & Logging

Real-time monitoring of the control-plane infrastructure with automated alerting for anomalies and unauthorized access attempts.

Regular Review

Security measures are reviewed and updated at least annually to address evolving threats and maintain alignment with industry best practices.

6. Data Breach Notification

72-Hour Notification Commitment

In the event of a personal data breach affecting data processed on your behalf, NaN Logic will notify you without undue delay and in any case within 72 hours of becoming aware of the breach.

Our breach notification will include:

1. A description of the nature of the breach, including the categories and approximate number of data subjects and records affected
2. The name and contact details of our data protection contact point
3. A description of the likely consequences of the breach
4. A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

Because visitor transcripts are not persisted by NaN Logic, a breach of NaN Logic systems would expose at most: widget configuration, per-day conversation counts, webhook delivery logs, and account data. Any breach at your configured delivery destinations (email provider, webhook endpoint, Zapier, calendar) is your responsibility to detect, investigate, and report under applicable law.

Processor Obligation to Inform

In accordance with Article 28(3)(h) of the GDPR, NaN Logic shall immediately inform you if, in our opinion, an instruction from you infringes the GDPR or other applicable data protection provisions. We may suspend the relevant processing until you confirm or modify the instruction.

7. Data Subject Rights

NaN Logic will assist you in fulfilling your obligations to respond to data subject requests under applicable data protection law. This includes requests for access, rectification, erasure, restriction, portability, and objection.

How We Assist

If a data subject contacts NaN Logic directly regarding data you control, we will promptly redirect them to you. Where the request relates to data NaN Logic holds (such as account data or widget configuration), we will respond to it or assist you in responding, as appropriate, within 30 days.

For visitor conversation transcripts: NaN Logic does not persist these beyond transient inference, so there is typically nothing to return or erase on our side. Requests that relate to lead data delivered to your configured destination must be handled by you at that destination.

8. Data Retention

Visitor Conversations

Processed transiently to generate AI responses and streamed back to the visitor. Raw transcripts are not persisted by NaN Logic. Per-day conversation counts per widget are retained for billing.

Usage Metrics

Aggregate, non-PII usage statistics (chat counts, widget loads) are retained for 90 days, then automatically purged.

Widget Configuration

Retained for the duration of your active subscription. Upon account deletion, configuration data is purged within 30 days.

Account Data

Retained while your account is active. Upon deletion or contract termination, account data is purged within 30 days except as required by law.

Upon termination of the service agreement, NaN Logic will delete or return all personal data processed on your behalf within 30 days, unless retention is required by applicable law. You may request a copy of your data before deletion.

9. Audit Rights

NaN Logic will make available to you all information necessary to demonstrate compliance with the obligations laid down in this DPA and applicable data protection law.

You may request a written summary of our current security measures and data processing practices at any time
You may conduct or commission a third-party audit of our processing activities, with reasonable advance notice (at least 30 days) and during normal business hours
Audits shall be conducted at your expense and shall not unreasonably interfere with our business operations
We will provide reasonable cooperation and access to relevant documentation, systems, and personnel
Audit findings and all information disclosed during the audit shall be treated as confidential

10. International Data Transfers

NaN Logic and certain sub-processors are based in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, personal data processed under this DPA may be transferred to, stored, and processed in the United States or other countries outside your jurisdiction.

Transfer Safeguards

For transfers of personal data from the EEA, UK, or Switzerland to countries without an adequacy decision, NaN Logic relies on the EU Standard Contractual Clauses (SCCs) as adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), supplemented by additional technical and organizational measures where appropriate. Specifically:

Module Two (Controller to Processor) of the SCCs applies to data transfers between you (Controller) and NaN Logic (Processor)
Module Three (Processor to Sub-processor) of the SCCs applies to data transfers between NaN Logic and our sub-processors
For UK transfers, the UK International Data Transfer Addendum to the EU SCCs applies
For Swiss transfers, the applicable amendments required by the Swiss Federal Data Protection Act apply

By entering into this DPA, you are deemed to have executed the SCCs (as applicable) with NaN Logic. A copy of the executed SCCs is available upon request at privacy@nanlogic.com.

11. Duration of Processing

NaN Logic will process personal data on your behalf for the duration of your active NaNDesk subscription. Processing begins when you create a NaN Logic account and activate the NaNDesk service, and ceases upon termination or expiration of the service agreement, subject to the data retention and deletion obligations set out in Section 8 of this DPA.

This DPA automatically terminates upon termination of all service agreements between you and NaN Logic under which NaN Logic processes personal data on your behalf. Obligations that by their nature should survive termination (including data deletion, confidentiality, and liability provisions) shall survive.

12. Liability

Each party’s liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits either party’s liability for breaches of applicable data protection law to the extent such limitation is prohibited by that law.

Controller Liability

You are responsible for the lawfulness of your processing instructions, your widget configuration (including what fields you collect and on which pages), and any connected destinations (email providers, webhook endpoints, Zapier, calendar). Any data breach at a destination you configured is your responsibility.

Processor Liability

NaN Logic is liable for damage caused by processing that does not comply with this DPA or applicable data protection law, or where we have acted outside of or contrary to your lawful instructions.

13. Governing Law

This DPA is governed by the laws of the State of Illinois, United States, without regard to its conflict of laws principles, consistent with the governing law provisions in our Terms of Service.

To the extent that mandatory data protection laws of the EEA, UK, or Switzerland apply, those laws shall take precedence over the governing law of this DPA with respect to data protection obligations. Any dispute arising from this DPA shall be resolved in accordance with the dispute resolution provisions of the Terms of Service.

14. Contact Us

Get in touch

Official Address

NaN Logic LLC
Attn: Data Protection Officer
8840 Mason Ave
Morton Grove, IL 60053
United States