This Data Processing Agreement ("DPA") forms part of the agreement between Novaica LLC ("Processor") and the client ("Controller") and governs the processing of personal data in connection with the services provided by Novaica.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion
- "Controller" means you, the client, who determines the purposes and means of processing Personal Data
- "Processor" means Novaica LLC, which processes Personal Data on behalf of the Controller
- "Sub-Processor" means a third party engaged by Novaica to process Personal Data
- "Applicable Data Protection Law" means all laws applicable to the processing of Personal Data, including GDPR, CCPA, and applicable US state laws
2. Scope & Purpose
Novaica processes Personal Data solely to provide the contracted services, including:
- Storing and managing contact data in the CRM platform
- Sending automated SMS and email communications on behalf of the Controller
- Processing form submissions and lead data from the Controller's website
- Managing review requests and customer follow-up sequences
- Providing analytics and reporting on marketing activities
Novaica will process Personal Data only in accordance with the Controller's documented instructions and applicable law.
3. Processor Obligations
As a Processor, Novaica agrees to:
- Process Personal Data only on documented instructions from the Controller
- Ensure that personnel authorized to process Personal Data are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to data subject rights requests
- Delete or return all Personal Data upon termination of services, at the Controller's choice
- Provide all information necessary to demonstrate compliance with this DPA
- Notify the Controller without undue delay of any personal data breach
4. Controller Obligations
As the Controller, you agree to:
- Ensure you have a lawful basis for processing the Personal Data you share with Novaica
- Provide all necessary notices and obtain all required consents from data subjects
- Comply with all applicable data protection laws in your jurisdiction
- Only instruct Novaica to process Personal Data in ways consistent with applicable law
- Maintain accurate and up-to-date contact lists and remove unsubscribers promptly
5. Sub-Processors
The Controller authorizes Novaica to engage the following categories of Sub-Processors:
- GoHighLevel – CRM, automation, and communication platform
- Twilio – SMS and voice communication delivery
- Mailgun / SendGrid – Email delivery services
- Google – Analytics, Business Profile management, and advertising
- Stripe – Payment processing
- Cloudflare / AWS – Website hosting and infrastructure
Novaica will inform the Controller of any intended changes to Sub-Processors and provide the opportunity to object. All Sub-Processors are bound by data protection obligations equivalent to those in this DPA.
6. Security Measures
Novaica implements the following technical and organizational measures:
- SSL/TLS encryption for all data in transit
- Encryption of data at rest using industry-standard algorithms
- Access controls and role-based permissions for all staff
- Regular security assessments and vulnerability scanning
- Secure backup procedures with regular testing
- Staff training on data protection and security practices
- Incident response procedures for data breaches
7. Data Breach Notification
In the event of a personal data breach, Novaica will:
- Notify the Controller without undue delay (and within 72 hours where feasible)
- Provide information about the nature of the breach, categories of data affected, and approximate number of individuals affected
- Describe likely consequences of the breach
- Describe measures taken or proposed to address the breach
8. Data Deletion & Return
Upon termination of services, Novaica will, at the Controller's choice:
- Return all Personal Data in a portable, machine-readable format (CSV or equivalent)
- Securely delete all Personal Data from our systems and Sub-Processors
- Provide written confirmation of deletion upon request
Data may be retained where required by applicable law, in which case Novaica will inform the Controller of the retention basis.
9. Audits & Compliance
Novaica will provide the Controller with all information reasonably necessary to demonstrate compliance with this DPA. Upon reasonable notice (minimum 30 days), Novaica will permit and cooperate with audits or inspections conducted by the Controller or a qualified third party.
10. International Transfers
Novaica may transfer Personal Data to Sub-Processors located outside your country. Such transfers are made in compliance with applicable data protection laws, using appropriate safeguards including Standard Contractual Clauses where required.
11. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. To the extent permitted by law, Novaica's total liability for breaches of this DPA shall not exceed the fees paid in the 3 months preceding the claim.
For data protection inquiries or to exercise rights under this DPA: