Zookeeper.Sign in
Legal

Data Processing Addendum

Last updated: June 1, 2026

This Data Processing Addendum ("DPA") supplements the Terms of Service and applies when Nivalmi processes personal data on behalf of a customer organization ("Controller"). Where applicable data-protection law (such as GDPR or UK GDPR) requires a written agreement between controller and processor, this DPA forms part of the Terms.

1. Roles

Controller determines purpose and means of processing participant data. Nivalmi acts as Processor and processes data only on documented instructions from Controller, which include the use of the Service in accordance with the Terms.

2. Subject matter & duration

Subject matter: delivery of the Zoo Insights assessment and related platform features. Duration: the term of the customer's account, plus any limited retention required by law.

3. Nature, purpose & categories of data

  • Data subjects: Controller's employees, contractors, team members, and authorized users.
  • Categories of data: identification (name, email), organizational metadata (team, role), assessment responses and results, communications and usage logs.
  • Purpose: running the assessment, generating reports, enabling team-effectiveness insights.

4. Sub-processors

Controller authorizes Nivalmi to engage the sub-processors listed in the Privacy Policy (currently Lovable Cloud / Supabase, Stripe, the 24x7 assessment platform, our email-delivery provider, Microsoft Clarity, and Contentsquare). We will give reasonable notice of material changes and remain responsible for sub-processor performance.

5. Security measures

  • Encryption in transit (TLS) and at rest for the database.
  • Role-based access controls and row-level security on participant data.
  • Principle-of-least-privilege service credentials and audit logs.
  • Authentication via Supabase Auth with hashed passwords and short-lived JWTs.
  • Webhook and cross-service requests verified by HMAC signatures.
  • Regular dependency and security scans.

6. International transfers

Where personal data is transferred outside the EEA / UK to a country without an adequacy decision, the parties rely on Standard Contractual Clauses and equivalent UK addenda incorporated by reference.

7. Data subject requests

Nivalmi will, taking the nature of the processing into account, assist Controller by appropriate technical and organizational measures to respond to requests from data subjects. Requests received directly by Nivalmi will be forwarded to Controller.

8. Incident notification

Nivalmi will notify Controller without undue delay after becoming aware of a personal-data breach affecting Controller's data, and will provide reasonable information to enable Controller to meet its own notification obligations.

9. Deletion & return

On termination, Nivalmi will delete or return personal data within a reasonable period, except where storage is required by law.

10. Audits

Nivalmi will make available information reasonably necessary to demonstrate compliance with this DPA. Customers may request a summary of our most recent security review by contacting hello@nivalmizookeeper.com.