Data Processing Agreement

Effective: June 27, 2026

This Data Processing Agreement (“DPA”) applies where Nimbalyst, Inc. (“Nimbalyst”) processes personal data on behalf of a customer (“Customer”) in providing Nimbalyst’s cloud features. It consists of:

  1. the Common Paper Standard Data Processing Agreement, Version 1.1 (the “Standard Terms”), incorporated by reference;
  2. the Cover Page below, which completes the Standard Terms; and
  3. the Nimbalyst Addendum below, which adds product-specific terms.

For customers using Nimbalyst’s cloud features, we offer this DPA as part of your agreement with us. To request a counter-signed copy for your records, email [email protected].

Cover Page

  • Processor: Nimbalyst, Inc., United States. Contact: [email protected].
  • Controller: the Customer identified in the Agreement.
  • Standard Terms: Common Paper Standard DPA, Version 1.1.
  • Sub-processors: as listed at nimbalyst.com/sub-processors.
  • Sub-processor change notice: 30 days, with a right to object.

Standard Contractual Clauses

For transfers of EU, UK, or Swiss personal data to the United States, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) apply as completed by the Standard Terms and this Cover Page:

  • Module Two (controller to processor) where Customer is a controller; Module Three (processor to processor) where Customer is a processor.
  • Clause 9: Option 2 (general authorization), using the 30-day notice period above.
  • Clause 17 governing law and Clause 18 forum: Ireland.
  • The UK International Data Transfer Addendum applies to UK transfers; the SCCs apply with Swiss FADP references for Swiss transfers.

Annex I — Description of processing

  • Categories of data subjects: Customer’s users and team members, and individuals whose personal data Customer’s users include in their content.
  • Categories of personal data: account and profile data (name, email, authentication identifiers); workspace and document content, which may contain any personal data the user includes; usage and device data; support communications.
  • Special categories: not intentionally processed.
  • Nature and purpose: hosting, storage, synchronization, sharing, transmission, and support of Customer content and account data to provide the product.
  • Duration: the term of the Agreement and until deletion or return of the data.

Annex II — Security measures

Encryption in transit and at rest; access controls and authentication; network security and monitoring; logging; secure development and change management; vendor due diligence; backup and recovery; personnel confidentiality and training; and incident response. These measures are evidenced by Nimbalyst’s SOC 2 Type II report, available under the audit terms of the Standard Terms.

Nimbalyst Addendum

These terms add to, and where they conflict prevail over, the Standard Terms for the Nimbalyst product.

  1. Local-first processing. The Nimbalyst desktop app stores workspace data on the user’s own device. Nimbalyst processes personal data as a processor only where Customer enables a cloud feature that syncs or shares content.
  2. AI providers (bring-your-own-key). When Customer or its users enable AI features, prompts and content are sent to the AI provider the user configures, for example Anthropic or OpenAI, using the user’s own key or subscription and under the user’s own agreement with that provider. That provider is Customer’s (or the user’s) processor, not a Nimbalyst sub-processor, and is not listed as a Nimbalyst sub-processor.
  3. Sub-processor list. The current sub-processors and the change-notification mechanism are published at nimbalyst.com/sub-processors.
  4. Audits. Nimbalyst meets the audit obligations of the Standard Terms primarily by providing its SOC 2 Type II report and security documentation under confidentiality.

Contact

[email protected]