Data Processing Agreement
Last updated: May 2026
This Data Processing Agreement ("DPA") forms part of Nova's Terms and Conditions and governs how Nova (the "Processor") processes personal data on behalf of the Customer (the "Controller") under Regulation (EU) 2016/679 ("GDPR") and applicable national data protection laws.
1. Scope and purpose
Nova provides analytics for Amazon seller accounts. When a Customer connects their Seller Central, Vendor Central, or Advertising accounts, Nova ingests order, inventory, advertising and settlement data. Some of that data may contain personal data of the Customer's end-customers (for example shipping names and addresses in order data). Nova processes this data solely to operate the Services, on the Customer's documented instructions.
2. Roles
The Customer is the Controller. Nova is the Processor. Nova's sub-processors (cloud hosting and database providers) act as further Processors under written agreements that impose data-protection obligations equivalent to those in this DPA.
3. Nova's obligations
- Process personal data only on the Customer's documented instructions.
- Ensure personnel authorized to process personal data are bound by confidentiality.
- Implement appropriate technical and organizational measures (encryption in transit and at rest, role-based access control, audit logging).
- Assist the Customer with data-subject requests and with security, breach-notification and DPIA obligations.
- Notify the Customer without undue delay after becoming aware of a personal-data breach.
- On termination, return or delete personal data at the Customer's choice (subject to legal retention requirements).
4. Sub-processors
The Customer authorizes Nova to engage sub-processors for hosting, database, email delivery and customer-support tooling. A current list is available on request. Nova will notify the Customer of any intended changes and give the Customer a reasonable opportunity to object.
5. International transfers
Where Nova transfers personal data outside the EEA / UK, transfers rely on the European Commission's Standard Contractual Clauses (2021/914) or an adequacy decision, with supplementary measures where required.
6. Audit
Nova will make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR and will allow for and contribute to audits, including inspections, on reasonable notice and subject to confidentiality.
7. Signed copy
A countersigned PDF of this DPA is available to any Nova customer on request. Email privacy@novadata.io and we will return a signed copy within 5 working days.
8. Contact
Questions about this DPA or about how Nova processes personal data: privacy@novadata.io.