This Data Processing Agreement ("DPA") is incorporated into and forms part of the Nvoyce Terms of Service between Nvoyce AI LLC ("Nvoyce", "Processor") and the user of the Nvoyce platform ("Controller"). It governs Nvoyce's processing of personal data on the Controller's behalf in accordance with applicable data protection law, including the GDPR where applicable.
As used in this DPA:
This DPA applies to Personal Data that the Controller uploads, enters, or generates through the Service, including client names, email addresses, phone numbers, company names, and any other contact details entered into the Nvoyce platform.
Nvoyce processes Personal Data solely to provide the Service — specifically to generate, send, and track invoices and proposals on the Controller's behalf. Nvoyce does not use Personal Data for its own commercial purposes, advertising, or analytics beyond what is necessary to operate the Service.
The Data Subjects are the Controller's clients and prospective clients whose contact information is entered into the platform.
Processing continues for the duration of the Controller's active Nvoyce account, and is terminated as described in Section 12.
Nvoyce, as Processor, agrees to:
The Controller authorises Nvoyce to engage the following sub-processors, each of whom has agreed to data protection obligations consistent with this DPA:
| Sub-processor | Purpose | Location | Privacy Policy |
|---|---|---|---|
| Supabase, Inc. | Database hosting and storage | USA (AWS us-west-2) | Privacy Policy ↗ |
| Clerk, Inc. | Authentication and user management | USA | Privacy Policy ↗ |
| Stripe, Inc. | Payment processing | USA | Privacy Policy ↗ |
| Resend, Inc. | Transactional email delivery | USA | Privacy Policy ↗ |
| Vercel, Inc. | Application hosting and CDN | USA (AWS / Edge) | Privacy Policy ↗ |
| Anthropic, PBC | AI-powered document generation (Claude) | USA | Privacy Policy ↗ |
Nvoyce will notify the Controller of any intended addition or replacement of sub-processors by updating this DPA and, where feasible, by email notice. The Controller may object to a new sub-processor within 14 days of notification by contacting legal@nvoyce.ai.
Nvoyce will assist the Controller in fulfilling its obligations to respond to Data Subject requests (including access, rectification, erasure, restriction, portability, and objection rights) under applicable law. The Controller, as the primary relationship holder with its clients, is responsible for receiving and triaging such requests.
If a Data Subject contacts Nvoyce directly regarding their rights, Nvoyce will forward the request to the Controller within 5 business days and will not respond to the Data Subject on the Controller's behalf without the Controller's authorisation.
For requests involving the Controller's own personal data (i.e., data about the Controller as an individual), please use the account deletion flow in Settings or email support@nvoyce.ai.
Nvoyce implements and maintains the following technical and organisational measures to protect Personal Data:
Nvoyce continuously evaluates and improves its security posture. The specific measures described above reflect the state of the Service as of the effective date and may be updated to reflect improvements.
Nvoyce and its sub-processors operate primarily in the United States. Where Personal Data of EU/EEA residents is transferred to the United States, Nvoyce relies on one or more of the following transfer mechanisms:
A copy of applicable SCCs or transfer mechanism documentation is available upon request at legal@nvoyce.ai.
Nvoyce retains Personal Data for as long as the Controller's account is active or as necessary to provide the Service.
The Controller may delete individual client records at any time through the Clients section of the dashboard. Deletion removes the record from Nvoyce's database. Residual copies in backups are purged on the applicable backup rotation cycle (typically 7–30 days depending on the sub-processor).
Upon account deletion (via Settings → Danger Zone or by request to support@nvoyce.ai), Nvoyce will delete all Personal Data associated with the account within 30 days, except where retention is required by law (e.g., financial records for tax or audit purposes, which may be retained for up to 7 years).
The Controller may request an export of their data by contacting support@nvoyce.ai prior to account deletion. Nvoyce will provide a machine-readable export within 30 days of request.
In the event of a Personal Data breach affecting data processed under this DPA, Nvoyce will notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Notification will include, to the extent known at the time:
The Controller is responsible for notifying relevant supervisory authorities and Data Subjects as required by applicable law. Nvoyce will cooperate in providing information needed for such notifications.
Breach notifications will be sent to the email address associated with the Controller's Nvoyce account.
Nvoyce will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. This includes:
More extensive audits (e.g., on-site inspections) may be conducted by the Controller or an independent third party, subject to at least 30 days' prior written notice to legal@nvoyce.ai, during normal business hours, and at the Controller's expense. Nvoyce may require the auditor to sign a confidentiality agreement before granting access.
Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Nvoyce Terms of Service. Where applicable data protection law imposes liability that cannot be limited by contract, such mandatory provisions shall apply.
As between Nvoyce and the Controller, the Controller is responsible for ensuring it has a valid legal basis for processing the Personal Data of its clients and for providing any required notices to Data Subjects.
This DPA takes effect on the date the Controller accepts the Nvoyce Terms of Service and remains in force for the duration of the Service relationship.
This DPA automatically terminates when the Terms of Service terminate. Sections 5, 6, 8, 9, 10, and 11 survive termination to the extent necessary to give them effect.
Upon termination, Nvoyce will delete or return Personal Data as described in Section 8.3, unless applicable law requires otherwise.
This DPA is governed by the laws of the State of California, USA, without regard to conflict-of-law principles. Where GDPR applies, the parties acknowledge that the DPA is intended to satisfy Article 28 GDPR requirements, and any conflict between this DPA and GDPR shall be resolved in favour of GDPR compliance.
Disputes arising under this DPA shall be resolved in accordance with the dispute resolution provisions of the Terms of Service.
Questions about this DPA?
For data protection enquiries, sub-processor documentation, or to exercise rights under this agreement, contact our privacy team.
legal@nvoyce.aiQuestions? legal@nvoyce.ai