IQOpsIQ
Home
Features
OpsIQ platformChoose the surface you want to improve.Every feature shares one customer timeline, one AI memory, and one operations layer.
View all
AI-First CRMPipeline, four AI agents, deal coaching, forecasting and a Trust Dial.Client Chat AICustomer-facing AI chat, handoff, identity, knowledge, and support flows.Promotion StudioPop-ups, bars and campaigns — visual builder, targeting, A/B, lead capture.Site IntelligenceCrawls, rank tracking, backlinks, competitors and an AI SEO analyst.Admin AI ChatAI command center for teams, decisions, and safe admin actions.Surveys & CSATCSAT, NPS and feedback intelligence — post-resolution prompts, AI analysis and detractor recovery.Ticket SystemDepartments, SLA, routing, rich replies, attachments and Inbox Copilot.AI AnalyticsVisitor intelligence, live sessions, geography, leads, and conversion insight.Consent & GDPRCookie-consent studio that enforces, plus a consent ledger and DSAR.OpsIQ WritingAI replies, ticket drafts, article writing, announcements, and support content.Webhooks & ActionsTriggers, action endpoints, HMAC signing, and developer automation.Email ChannelInbox-to-ticket, AI email replies, transactional + broadcast, SPF/DKIM.Security2FA, OIDC SSO, SCIM, blocking, audit and safe access.Remote SitesConnect websites and platforms into one OpsIQ intelligence workspace.IntegrationsWHMCS, Stripe, Shopify, WordPress, Slack, Zendesk, webhooks and custom connectors.
SolutionsPricingDevelopersContact
Log inStart free
HomePublic overviewPricingPlans and value
Product surfaces
All features AI-First CRM Client Chat AI Promotion Studio Site Intelligence Admin AI Chat Surveys & CSAT Ticket System AI Analytics Consent & GDPR OpsIQ Writing Webhooks & Actions Email Channel Security Remote Sites
Use casesSolutionsRole and workflow pathsCustomer storiesProof from teamsIntegrationsConnect your stack
ResourcesDevelopersAPI and webhook toolsDocsGuides and referencesFAQsCommon answersContactTalk to the team
Company and trustAboutCompany profileTrust centerSecurity postureSecurityControls and accessCompliancePolicies and auditsStatusSystem health
Log in Start free
Legal

Data Processing Addendum

The terms under which OpsIQ processes personal data on behalf of our customers — covering roles, documented instructions, security measures, sub-processors, breach handling and international transfer safeguards.

Effective July 12, 2026Version 2026.06Reviewed by OpsIQ Legal
RelatedPrivacyTermsComplianceTrust Center
SCC SAFEGUARDED Controller Processor

You stay in control

You are the data controller. OpsIQ is the processor and acts only on your documented instructions.

Secured by design

AES-256 at rest, TLS 1.3 in transit, signed webhooks, per-tenant isolation and audit logs.

No AI training

OpsIQ never trains models on your data. Inference goes only to the AI provider you select.

Transfers safeguarded

EU/UK data hosted in EU by default; cross-border transfers rely on Standard Contractual Clauses.

This Data Processing Addendum ("DPA") sets out how Nabtech Digitalnet Limited (operating as OpsIQ) processes personal data on behalf of its customers. It is written to be readable: each section opens with a plain-language "In short" line, and the three Annexes give you the full data-map, the security measures and the approved sub-processor list as tables you can hand to your own data-protection team.

On this page
1Definitions2Roles & scope3Processing instructions4Duration of processing5Confidentiality6Security measures7Sub-processors8Data subject rights assistance9Personal data breach10DPIA & prior consultation11International transfers (SCCs)12Deletion & return13Audits & inspections14Liability & order of precedence15AI processing & no-training clause16Self-hosted clarification17Governing law18Annex I — Details of processing19Annex II — Security measures20Annex III — Approved sub-processors21Contact↑ Back to top

1Definitions

In short: Plain meanings for the key terms used throughout — who the controller and processor are, and what counts as personal data.

Capitalised terms not defined here have the meaning given in the Agreement or the applicable Data Protection Laws.

  • Controller — the entity that determines the purposes and means of processing Personal Data. With respect to End-User Data, the Customer is the Controller.
  • Processor — the entity that processes Personal Data on behalf of the Controller. With respect to End-User Data, Nabtech Digitalnet Limited (OpsIQ) is the Processor.
  • Sub-processor — any third party engaged by OpsIQ to process Personal Data in connection with the Services.
  • Personal Data — any information relating to an identified or identifiable natural person that OpsIQ processes on the Customer's behalf under the Agreement.
  • Data Subject — the natural person to whom Personal Data relates (e.g. the Customer's visitors, end-users and contacts).
  • End-User Data — Personal Data of the Customer's visitors, end-users and contacts processed through the Services.
  • Data Protection Laws — all applicable data-protection and privacy laws, including the EU GDPR (Regulation (EU) 2016/679), the UK GDPR and Data Protection Act 2018, the CCPA as amended by the CPRA, the Nigeria Data Protection Act 2023, and equivalent laws elsewhere.
  • Processing, Personal Data Breach, Supervisory Authority and Standard Contractual Clauses ("SCCs") have the meanings given in the applicable Data Protection Laws.

2Roles & scope

In short: You decide what data is processed and why — you are the controller. OpsIQ only acts on your behalf as the processor.

This Data Processing Addendum ("DPA") forms part of, and is incorporated by reference into, the agreement between Nabtech Digitalnet Limited ("OpsIQ", "we", "us", "Processor"), of www.nabtech.co, and the customer ("Customer", "you", "Controller") governing use of the OpsIQ platform — the AI chat widget, native ticketing, CRM, promotions studio, site/SEO intelligence, visitor analytics, webhooks, surveys, cookie-consent platform and AI actions, delivered as Cloud (SaaS) or Self-Hosted (licensed) software (the "Services").

For End-User Data processed through the Services, the Customer is the Controller (or a processor acting for a third-party controller) and OpsIQ is the Processor. OpsIQ acts as an independent Controller only for its own account, billing and marketing data, which is governed by the OpsIQ Privacy Policy and not by this DPA.

Where this DPA conflicts with the rest of the Agreement, this DPA prevails on the subject matter of data processing. A signed counterpart is available on request to [email protected]. The subject matter, nature, purpose, categories of Data Subjects and categories of Personal Data are detailed in Annex I.

Categories of Data Subjects

  • The Customer's website visitors and prospective customers
  • The Customer's registered end-users and account holders
  • The Customer's contacts, leads and ticket submitters
  • The Customer's own staff and agents who operate the workspace

Categories of Personal Data

CategoryExamples
IdentifiersName, email, phone, customer/account ID, visitor/session ID
Online identifiers & device dataIP address, user-agent, browser/OS, cookie and localStorage identifiers
Location dataApproximate country/city derived from IP (GeoIP)
Usage & behavioural dataPages visited, traffic source, scroll depth, time on page, events
Communications contentChat conversations, ticket subject/body/replies/notes, attachments, survey responses
CRM & commercial dataContact records, deal/lead data, promotion interactions, consent records
Special categoriesNot requested by OpsIQ. The Customer must not submit special-category data unless lawful and configured with appropriate safeguards.

3Processing instructions

In short: OpsIQ only processes your data the way you tell it to — through your configuration, this DPA and the Agreement. Nothing else.

OpsIQ shall process Personal Data only on the Customer's documented instructions, including the configuration of the Services, this DPA and the Agreement, unless required to do otherwise by law (in which case OpsIQ will inform the Customer of that legal requirement, unless legally prohibited from doing so).

OpsIQ will immediately inform the Customer if, in its opinion, an instruction infringes Data Protection Laws. OpsIQ does not sell Personal Data and does not train AI models on Customer or End-User Data (see Section 15).

ElementDescription
Subject matterProvision of the OpsIQ Services as configured by the Customer.
Nature & purposeHosting, storage, transmission, retrieval, analysis and display of End-User Data to deliver AI chat, ticketing, CRM, analytics, promotions, surveys, consent management and AI actions.
Documented instructionsThe Agreement, this DPA, and the in-product settings the Customer chooses.

4Duration of processing

In short: Processing lasts for as long as your contract runs, plus a short, defined wind-down for export and deletion.

OpsIQ processes Personal Data for the term of the Agreement, plus the post-termination export and deletion period set out in Section 12. Processing is continuous for the duration of the Agreement, on the frequency described in Annex I.

Customer-controlled retention settings within the workspace apply during the term; see also the Compliance overview.

5Confidentiality

In short: Everyone at OpsIQ who can touch your data is bound by confidentiality and trained on data protection.

OpsIQ ensures that any person authorised to process Personal Data is committed to confidentiality (whether by a contractual or statutory obligation) and is granted access strictly on a need-to-know basis.

  • Personnel are bound by appropriate confidentiality undertakings that survive the end of their engagement.
  • Personnel receive data-protection and security training appropriate to their role.
  • Access to production systems holding Personal Data is least-privilege and logged (see Section 6 and Annex II).

6Security measures

In short: Your data is encrypted at rest and in transit, isolated per tenant on Cloud, access-controlled and audit-logged.

OpsIQ implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption: AES-256 for Personal Data at rest; TLS 1.3 for data in transit.
  • Integrity & authenticity: HMAC-SHA256 signatures on every outbound webhook delivery.
  • Tenant isolation: per-tenant encryption keys and logical isolation on the Cloud platform.
  • Access controls: role-based access, least-privilege administration, and authentication controls for OpsIQ personnel.
  • Secrets hygiene: credentials and configuration secrets are stored outside the web root, not in the served document tree.
  • Auditability: per-action audit logs recording security-relevant operations.
  • Resilience: backups on a rotating cycle and documented recovery procedures.

A fuller description of the security program is published in our Trust Center and itemised in Annex II.

7Sub-processors

In short: You approve our current sub-processor list; we tell you before adding new ones and you can object.

The Customer provides a general authorisation for OpsIQ to engage the Sub-processors listed in Annex III. OpsIQ imposes data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains fully liable to the Customer for each Sub-processor's performance.

OpsIQ will give the Customer prior notice of the addition or replacement of any Sub-processor. The Customer may object on reasonable, data-protection-related grounds within 30 days of notice; if the objection cannot be resolved, the Customer may terminate the affected Services. The current list is set out in Annex III.

8Data subject rights assistance

In short: OpsIQ helps you answer access, deletion and other rights requests — and forwards any it receives directly to you.

Taking into account the nature of the processing, OpsIQ will assist the Customer by appropriate technical and organisational measures, insofar as possible, in responding to requests from Data Subjects exercising their rights (access, rectification, erasure, restriction, portability, objection).

  • The Services provide self-serve export and deletion tools that let the Customer action most requests directly within its workspace.
  • Where OpsIQ receives a request directly from a Data Subject relating to End-User Data, OpsIQ will, unless legally prohibited, promptly forward it to the Customer and will not respond except on the Customer's instructions.

9Personal data breach

In short: If a breach affects your data, OpsIQ tells you without undue delay and helps you meet your own notification duties.

OpsIQ will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting the Customer's Personal Data. To the extent available, the notification will include:

  • A description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned;
  • The likely consequences of the breach;
  • The measures taken or proposed to address the breach and mitigate its effects;
  • A contact point for further information.

OpsIQ will cooperate with the Customer and take reasonable steps to assist its breach-notification obligations to Supervisory Authorities and Data Subjects. Notification is sent to the security contact on the Customer's account; the Customer must keep that contact current.

10DPIA & prior consultation

In short: OpsIQ gives you the information you need to run data-protection impact assessments and consult regulators.

Taking into account the nature of the processing and the information available to it, OpsIQ will assist the Customer in carrying out data-protection impact assessments ("DPIAs") and any prior consultation with a Supervisory Authority that the Customer is required to perform under Data Protection Laws.

This assistance includes making available relevant security documentation, processing details and the contents of the Annexes to this DPA, and responding to reasonable, scoped questions about how the Services process Personal Data.

11International transfers (SCCs)

In short: EU/UK data stays in EU regions by default; any cross-border transfer relies on Standard Contractual Clauses and safeguards.

EU/EEA and UK Customer data is hosted in EU regions by default. Where OpsIQ transfers Personal Data outside the EEA, the UK or other jurisdictions imposing transfer restrictions, OpsIQ relies on an appropriate transfer mechanism, including:

  • The EU Standard Contractual Clauses (Module Two: Controller-to-Processor; and Module Three where onward transfers to Sub-processors apply), incorporated by reference and completed by the details in the Annexes;
  • The UK International Data Transfer Addendum to the EU SCCs for transfers subject to UK GDPR;
  • Adequacy decisions where available, and supplementary measures where required.

OpsIQ will assist the Customer in completing any transfer-impact assessment on request. In a conflict, the SCCs take precedence over this DPA on the matters they govern (see Section 13).

12Deletion & return

In short: When the contract ends you choose: export or delete. After a 30-day window, data is deleted and backups age out.

On termination or expiry of the Agreement, OpsIQ will, at the Customer's choice, delete or return all Personal Data processed on the Customer's behalf, and delete existing copies, unless retention is required by law.

  • The Customer has a 30-day export window after termination to retrieve its data using the self-serve export tools.
  • After the export window, active-system Personal Data is deleted.
  • Residual copies in backups are purged on the rolling backup cycle (typically within 30 days), after which they are not restored.

13Audits & inspections

In short: You can verify our compliance once a year (or after a breach) via documentation, certifications, or an audit.

OpsIQ will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA. On the Customer's reasonable written request (no more than once per year, except following a Personal Data Breach or where required by a Supervisory Authority), OpsIQ will permit and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer.

To minimise disruption, OpsIQ may satisfy audit requests by providing third-party certifications, audit reports and security documentation where these reasonably address the Customer's requirements. Audits are subject to confidentiality and to reasonable scheduling, scope and security constraints.

14Liability & order of precedence

In short: Liability follows the limits in your main Agreement; if documents conflict, the SCCs win, then this DPA, then the Agreement.

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits any liability that cannot be limited under applicable law.

Order of precedence: in the event of any conflict, the documents govern in the following order with respect to data processing: (1) the SCCs (where applicable); (2) this DPA; (3) the remainder of the Agreement. The Annexes form an integral part of this DPA.

15AI processing & no-training clause

In short: OpsIQ never trains models on your data. AI requests go only to the model provider you select, carrying just the live context.

OpsIQ does not train, fine-tune or improve any AI model on Customer or End-User Data. AI inference requests are forwarded to the model provider the Customer selects, carrying only the live conversation context required to generate a response.

  • The selected AI provider acts as a Sub-processor for that inference only; see Annex III.
  • OpsIQ does not retain prompts or completions for model-training purposes and does not pool Customer data across tenants for AI.
  • The Customer is responsible for choosing a provider whose terms are compatible with its own obligations, and for not submitting data it is not permitted to send to that provider.

16Self-hosted clarification

In short: If you run OpsIQ on your own infrastructure, you control the data and OpsIQ processes nothing on your behalf.

Where the Customer deploys OpsIQ as Self-Hosted (licensed) software on infrastructure the Customer controls, the Customer operates the software, hosting and storage itself.

  • In that deployment, OpsIQ does not host, store, transmit or otherwise process End-User Data on the Customer's behalf, and acts as a software licensor rather than a Processor.
  • Sections of this DPA that describe OpsIQ's processor activities (e.g. Cloud hosting, sub-processors and transfers) apply only to the extent OpsIQ actually performs processing — which, for a pure self-hosted deployment, it does not.
  • The Customer remains the Controller and is responsible for the security, transfers and sub-processors of its own environment. OpsIQ-selected AI providers still act for the Customer when the Customer routes inference to them.

17Governing law

In short: This DPA follows the governing law of your main Agreement; mandatory local data-protection law still applies.

This DPA is governed by, and construed in accordance with, the governing law of the Agreement, without prejudice to any mandatory provisions of Data Protection Laws applicable to the Customer or the Data Subjects.

Where the SCCs apply, the governing law and forum for the SCCs are as specified within those clauses and prevail for matters within their scope.

18Annex I — Details of processing

In short: The full data-map: who the parties are, what data is processed, for whom, and for how long.
ItemDetail
Data exporter / ControllerThe Customer using the OpsIQ Services.
Data importer / ProcessorNabtech Digitalnet Limited (OpsIQ) — www.nabtech.co.
RolesCustomer = Controller; OpsIQ = Processor.
Subject matterProvision of the OpsIQ Services as configured by the Customer.
Categories of Data SubjectsVisitors, end-users, contacts/leads, ticket submitters and Customer staff (see Section 2).
Categories of Personal DataIdentifiers, online/device data, location, usage/behavioural data, communications content, CRM/commercial data (see Section 2).
Special categoriesNone requested or required by OpsIQ; the Customer must not submit special-category data without lawful basis and safeguards.
Nature & purposeHosting, processing, analysis and display of End-User Data to deliver AI chat, ticketing, CRM, analytics, promotions, surveys, consent and AI actions.
DurationTerm of the Agreement plus the export and deletion period (Section 12).
FrequencyContinuous, for the duration of the Agreement.
Competent Supervisory AuthorityThat of the Customer's place of establishment within the EEA/UK, as applicable.

19Annex II — Security measures

In short: A line-by-line list of the technical and organisational measures protecting your data.
DomainMeasure
Encryption at restAES-256.
Encryption in transitTLS 1.3.
Webhook integrityHMAC-SHA256 signatures on all deliveries.
Tenant isolationPer-tenant keys and logical separation (Cloud).
Access controlRole-based access, least privilege, authentication controls.
Secrets managementCredentials and config stored outside the web root.
Logging & monitoringPer-action audit logs of security-relevant operations.
Resilience & recoveryRotating backups and documented recovery procedures.
ConfidentialityPersonnel confidentiality undertakings and training.
AI handlingNo model training on Customer/End-User Data; customer-selected inference provider only.

20Annex III — Approved sub-processors

In short: The current third parties OpsIQ uses, what each does, and where they operate.
Sub-processorPurposeLocation
Cloud infrastructure providerHosting, storage, backupsEU / West Africa
Stripe / Paystack / PayPalPayment processingGlobal
Anthropic / OpenAI / Gemini / GrokAI model inference (the provider the Customer chooses)US / EU
Mailgun / SendGrid / SMTP relayTransactional email deliveryEU / US
CloudflareCDN, DDoS protectionGlobal

OpsIQ-selected AI providers process Personal Data only for the inference the Customer routes to them, and only as Sub-processors under Section 15.

21Contact

In short: Where to reach our DPO, privacy, security and legal teams, and how to request a signed counterpart.

Data Protection Officer: [email protected]

Privacy enquiries: [email protected]

Security enquiries: [email protected]

Legal enquiries: [email protected]

To request a signed counterpart of this DPA, email [email protected]. See also our Privacy Policy, Compliance overview and Trust Center.

This document is provided for transparency and does not constitute legal advice. Customers in regulated industries should review it with their own counsel before deployment.

Need a hand?

Questions about this policy?

Our team is happy to clarify anything on this page — reach out any time.

Contact us Trust Center
IQOpsIQ

AI-first operations, customer support, licensing, and analytics for modern software teams.

TrackingAI SupportAutomationAnalyticsWebhooksTickets
Stay in the loop

A short, founder-written email — every couple of weeks. No fluff, unsubscribe anytime.

Product
All Features→AI CRM→Client Chat AI→Admin Chat AI→OpsIQ Writing→AI Analytics→Visitor Intelligence→AI Actions→
Operations
Tickets→Email Channel→Promotion Studio→Site Intelligence→Consent & GDPR→Sales Bridge→Webhooks→Surveys→Remote Sites→
Use cases
Solutions→Customer stories→Integrations→Compare→Pricing→
Resources
Developers→Docs→FAQs→Contact→Roadmap→Status→
Company
About→Partners→Brand kit→Trust center→Security→Compliance→
Legal
Privacy→Terms→Acceptable use→DPA→Refunds→Cookies→
OpsIQ © 2026 Nabtech Digitalnet Ltd. All rights reserved. All systems operational
Display currency
$USDUS Dollar₦NGNNigerian Naira€EUREuro£GBPBritish Pounds
Verify License Privacy Terms