Data Processing Addendum
The terms under which OpsIQ processes personal data on behalf of our customers — covering roles, documented instructions, security measures, sub-processors, breach handling and international transfer safeguards.
You stay in control
You are the data controller. OpsIQ is the processor and acts only on your documented instructions.
Secured by design
AES-256 at rest, TLS 1.3 in transit, signed webhooks, per-tenant isolation and audit logs.
No AI training
OpsIQ never trains models on your data. Inference goes only to the AI provider you select.
Transfers safeguarded
EU/UK data hosted in EU by default; cross-border transfers rely on Standard Contractual Clauses.
This Data Processing Addendum ("DPA") sets out how Nabtech Digitalnet Limited (operating as OpsIQ) processes personal data on behalf of its customers. It is written to be readable: each section opens with a plain-language "In short" line, and the three Annexes give you the full data-map, the security measures and the approved sub-processor list as tables you can hand to your own data-protection team.
1Definitions
Capitalised terms not defined here have the meaning given in the Agreement or the applicable Data Protection Laws.
- Controller — the entity that determines the purposes and means of processing Personal Data. With respect to End-User Data, the Customer is the Controller.
- Processor — the entity that processes Personal Data on behalf of the Controller. With respect to End-User Data, Nabtech Digitalnet Limited (OpsIQ) is the Processor.
- Sub-processor — any third party engaged by OpsIQ to process Personal Data in connection with the Services.
- Personal Data — any information relating to an identified or identifiable natural person that OpsIQ processes on the Customer's behalf under the Agreement.
- Data Subject — the natural person to whom Personal Data relates (e.g. the Customer's visitors, end-users and contacts).
- End-User Data — Personal Data of the Customer's visitors, end-users and contacts processed through the Services.
- Data Protection Laws — all applicable data-protection and privacy laws, including the EU GDPR (Regulation (EU) 2016/679), the UK GDPR and Data Protection Act 2018, the CCPA as amended by the CPRA, the Nigeria Data Protection Act 2023, and equivalent laws elsewhere.
- Processing, Personal Data Breach, Supervisory Authority and Standard Contractual Clauses ("SCCs") have the meanings given in the applicable Data Protection Laws.
2Roles & scope
This Data Processing Addendum ("DPA") forms part of, and is incorporated by reference into, the agreement between Nabtech Digitalnet Limited ("OpsIQ", "we", "us", "Processor"), of www.nabtech.co, and the customer ("Customer", "you", "Controller") governing use of the OpsIQ platform — the AI chat widget, native ticketing, CRM, promotions studio, site/SEO intelligence, visitor analytics, webhooks, surveys, cookie-consent platform and AI actions, delivered as Cloud (SaaS) or Self-Hosted (licensed) software (the "Services").
For End-User Data processed through the Services, the Customer is the Controller (or a processor acting for a third-party controller) and OpsIQ is the Processor. OpsIQ acts as an independent Controller only for its own account, billing and marketing data, which is governed by the OpsIQ Privacy Policy and not by this DPA.
Where this DPA conflicts with the rest of the Agreement, this DPA prevails on the subject matter of data processing. A signed counterpart is available on request to [email protected]. The subject matter, nature, purpose, categories of Data Subjects and categories of Personal Data are detailed in Annex I.
Categories of Data Subjects
- The Customer's website visitors and prospective customers
- The Customer's registered end-users and account holders
- The Customer's contacts, leads and ticket submitters
- The Customer's own staff and agents who operate the workspace
Categories of Personal Data
| Category | Examples |
|---|---|
| Identifiers | Name, email, phone, customer/account ID, visitor/session ID |
| Online identifiers & device data | IP address, user-agent, browser/OS, cookie and localStorage identifiers |
| Location data | Approximate country/city derived from IP (GeoIP) |
| Usage & behavioural data | Pages visited, traffic source, scroll depth, time on page, events |
| Communications content | Chat conversations, ticket subject/body/replies/notes, attachments, survey responses |
| CRM & commercial data | Contact records, deal/lead data, promotion interactions, consent records |
| Special categories | Not requested by OpsIQ. The Customer must not submit special-category data unless lawful and configured with appropriate safeguards. |
3Processing instructions
OpsIQ shall process Personal Data only on the Customer's documented instructions, including the configuration of the Services, this DPA and the Agreement, unless required to do otherwise by law (in which case OpsIQ will inform the Customer of that legal requirement, unless legally prohibited from doing so).
OpsIQ will immediately inform the Customer if, in its opinion, an instruction infringes Data Protection Laws. OpsIQ does not sell Personal Data and does not train AI models on Customer or End-User Data (see Section 15).
| Element | Description |
|---|---|
| Subject matter | Provision of the OpsIQ Services as configured by the Customer. |
| Nature & purpose | Hosting, storage, transmission, retrieval, analysis and display of End-User Data to deliver AI chat, ticketing, CRM, analytics, promotions, surveys, consent management and AI actions. |
| Documented instructions | The Agreement, this DPA, and the in-product settings the Customer chooses. |
4Duration of processing
OpsIQ processes Personal Data for the term of the Agreement, plus the post-termination export and deletion period set out in Section 12. Processing is continuous for the duration of the Agreement, on the frequency described in Annex I.
Customer-controlled retention settings within the workspace apply during the term; see also the Compliance overview.
5Confidentiality
OpsIQ ensures that any person authorised to process Personal Data is committed to confidentiality (whether by a contractual or statutory obligation) and is granted access strictly on a need-to-know basis.
- Personnel are bound by appropriate confidentiality undertakings that survive the end of their engagement.
- Personnel receive data-protection and security training appropriate to their role.
- Access to production systems holding Personal Data is least-privilege and logged (see Section 6 and Annex II).
6Security measures
OpsIQ implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption: AES-256 for Personal Data at rest; TLS 1.3 for data in transit.
- Integrity & authenticity: HMAC-SHA256 signatures on every outbound webhook delivery.
- Tenant isolation: per-tenant encryption keys and logical isolation on the Cloud platform.
- Access controls: role-based access, least-privilege administration, and authentication controls for OpsIQ personnel.
- Secrets hygiene: credentials and configuration secrets are stored outside the web root, not in the served document tree.
- Auditability: per-action audit logs recording security-relevant operations.
- Resilience: backups on a rotating cycle and documented recovery procedures.
A fuller description of the security program is published in our Trust Center and itemised in Annex II.
7Sub-processors
The Customer provides a general authorisation for OpsIQ to engage the Sub-processors listed in Annex III. OpsIQ imposes data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains fully liable to the Customer for each Sub-processor's performance.
OpsIQ will give the Customer prior notice of the addition or replacement of any Sub-processor. The Customer may object on reasonable, data-protection-related grounds within 30 days of notice; if the objection cannot be resolved, the Customer may terminate the affected Services. The current list is set out in Annex III.
8Data subject rights assistance
Taking into account the nature of the processing, OpsIQ will assist the Customer by appropriate technical and organisational measures, insofar as possible, in responding to requests from Data Subjects exercising their rights (access, rectification, erasure, restriction, portability, objection).
- The Services provide self-serve export and deletion tools that let the Customer action most requests directly within its workspace.
- Where OpsIQ receives a request directly from a Data Subject relating to End-User Data, OpsIQ will, unless legally prohibited, promptly forward it to the Customer and will not respond except on the Customer's instructions.
9Personal data breach
OpsIQ will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting the Customer's Personal Data. To the extent available, the notification will include:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned;
- The likely consequences of the breach;
- The measures taken or proposed to address the breach and mitigate its effects;
- A contact point for further information.
OpsIQ will cooperate with the Customer and take reasonable steps to assist its breach-notification obligations to Supervisory Authorities and Data Subjects. Notification is sent to the security contact on the Customer's account; the Customer must keep that contact current.
10DPIA & prior consultation
Taking into account the nature of the processing and the information available to it, OpsIQ will assist the Customer in carrying out data-protection impact assessments ("DPIAs") and any prior consultation with a Supervisory Authority that the Customer is required to perform under Data Protection Laws.
This assistance includes making available relevant security documentation, processing details and the contents of the Annexes to this DPA, and responding to reasonable, scoped questions about how the Services process Personal Data.
11International transfers (SCCs)
EU/EEA and UK Customer data is hosted in EU regions by default. Where OpsIQ transfers Personal Data outside the EEA, the UK or other jurisdictions imposing transfer restrictions, OpsIQ relies on an appropriate transfer mechanism, including:
- The EU Standard Contractual Clauses (Module Two: Controller-to-Processor; and Module Three where onward transfers to Sub-processors apply), incorporated by reference and completed by the details in the Annexes;
- The UK International Data Transfer Addendum to the EU SCCs for transfers subject to UK GDPR;
- Adequacy decisions where available, and supplementary measures where required.
OpsIQ will assist the Customer in completing any transfer-impact assessment on request. In a conflict, the SCCs take precedence over this DPA on the matters they govern (see Section 13).
12Deletion & return
On termination or expiry of the Agreement, OpsIQ will, at the Customer's choice, delete or return all Personal Data processed on the Customer's behalf, and delete existing copies, unless retention is required by law.
- The Customer has a 30-day export window after termination to retrieve its data using the self-serve export tools.
- After the export window, active-system Personal Data is deleted.
- Residual copies in backups are purged on the rolling backup cycle (typically within 30 days), after which they are not restored.
13Audits & inspections
OpsIQ will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA. On the Customer's reasonable written request (no more than once per year, except following a Personal Data Breach or where required by a Supervisory Authority), OpsIQ will permit and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer.
To minimise disruption, OpsIQ may satisfy audit requests by providing third-party certifications, audit reports and security documentation where these reasonably address the Customer's requirements. Audits are subject to confidentiality and to reasonable scheduling, scope and security constraints.
14Liability & order of precedence
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits any liability that cannot be limited under applicable law.
Order of precedence: in the event of any conflict, the documents govern in the following order with respect to data processing: (1) the SCCs (where applicable); (2) this DPA; (3) the remainder of the Agreement. The Annexes form an integral part of this DPA.
15AI processing & no-training clause
OpsIQ does not train, fine-tune or improve any AI model on Customer or End-User Data. AI inference requests are forwarded to the model provider the Customer selects, carrying only the live conversation context required to generate a response.
- The selected AI provider acts as a Sub-processor for that inference only; see Annex III.
- OpsIQ does not retain prompts or completions for model-training purposes and does not pool Customer data across tenants for AI.
- The Customer is responsible for choosing a provider whose terms are compatible with its own obligations, and for not submitting data it is not permitted to send to that provider.
16Self-hosted clarification
Where the Customer deploys OpsIQ as Self-Hosted (licensed) software on infrastructure the Customer controls, the Customer operates the software, hosting and storage itself.
- In that deployment, OpsIQ does not host, store, transmit or otherwise process End-User Data on the Customer's behalf, and acts as a software licensor rather than a Processor.
- Sections of this DPA that describe OpsIQ's processor activities (e.g. Cloud hosting, sub-processors and transfers) apply only to the extent OpsIQ actually performs processing — which, for a pure self-hosted deployment, it does not.
- The Customer remains the Controller and is responsible for the security, transfers and sub-processors of its own environment. OpsIQ-selected AI providers still act for the Customer when the Customer routes inference to them.
17Governing law
This DPA is governed by, and construed in accordance with, the governing law of the Agreement, without prejudice to any mandatory provisions of Data Protection Laws applicable to the Customer or the Data Subjects.
Where the SCCs apply, the governing law and forum for the SCCs are as specified within those clauses and prevail for matters within their scope.
18Annex I — Details of processing
| Item | Detail |
|---|---|
| Data exporter / Controller | The Customer using the OpsIQ Services. |
| Data importer / Processor | Nabtech Digitalnet Limited (OpsIQ) — www.nabtech.co. |
| Roles | Customer = Controller; OpsIQ = Processor. |
| Subject matter | Provision of the OpsIQ Services as configured by the Customer. |
| Categories of Data Subjects | Visitors, end-users, contacts/leads, ticket submitters and Customer staff (see Section 2). |
| Categories of Personal Data | Identifiers, online/device data, location, usage/behavioural data, communications content, CRM/commercial data (see Section 2). |
| Special categories | None requested or required by OpsIQ; the Customer must not submit special-category data without lawful basis and safeguards. |
| Nature & purpose | Hosting, processing, analysis and display of End-User Data to deliver AI chat, ticketing, CRM, analytics, promotions, surveys, consent and AI actions. |
| Duration | Term of the Agreement plus the export and deletion period (Section 12). |
| Frequency | Continuous, for the duration of the Agreement. |
| Competent Supervisory Authority | That of the Customer's place of establishment within the EEA/UK, as applicable. |
19Annex II — Security measures
| Domain | Measure |
|---|---|
| Encryption at rest | AES-256. |
| Encryption in transit | TLS 1.3. |
| Webhook integrity | HMAC-SHA256 signatures on all deliveries. |
| Tenant isolation | Per-tenant keys and logical separation (Cloud). |
| Access control | Role-based access, least privilege, authentication controls. |
| Secrets management | Credentials and config stored outside the web root. |
| Logging & monitoring | Per-action audit logs of security-relevant operations. |
| Resilience & recovery | Rotating backups and documented recovery procedures. |
| Confidentiality | Personnel confidentiality undertakings and training. |
| AI handling | No model training on Customer/End-User Data; customer-selected inference provider only. |
20Annex III — Approved sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloud infrastructure provider | Hosting, storage, backups | EU / West Africa |
| Stripe / Paystack / PayPal | Payment processing | Global |
| Anthropic / OpenAI / Gemini / Grok | AI model inference (the provider the Customer chooses) | US / EU |
| Mailgun / SendGrid / SMTP relay | Transactional email delivery | EU / US |
| Cloudflare | CDN, DDoS protection | Global |
OpsIQ-selected AI providers process Personal Data only for the inference the Customer routes to them, and only as Sub-processors under Section 15.
21Contact
Data Protection Officer: [email protected]
Privacy enquiries: [email protected]
Security enquiries: [email protected]
Legal enquiries: [email protected]
To request a signed counterpart of this DPA, email [email protected]. See also our Privacy Policy, Compliance overview and Trust Center.
This document is provided for transparency and does not constitute legal advice. Customers in regulated industries should review it with their own counsel before deployment.