Data Processing Addendum
Last updated: April 2026 · Forms part of the agreement between Núvols and each merchant using the Services. See also the Privacy Policy and Subprocessors.
This Data Processing Addendum ("DPA") forms part of the Terms of Service between the merchant using the Núvols service ("Controller" or "Merchant") and Núvols ("Processor"). This DPA governs the Processing of Personal Data by Núvols on behalf of the Merchant in the context of providing Agentic Commerce integration services (the "Services").
By creating an account and using the Services, the Merchant agrees to this DPA.
1. Definitions
- • "Data Protection Laws" means all applicable worldwide privacy and data protection laws, including the EU General Data Protection Regulation (GDPR).
- • "Standard Contractual Clauses (SCCs)" means the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 2 (Controller to Processor).
- • "Subprocessor" means any third party engaged by Núvols to Process Personal Data on the Merchant's behalf.
- • Terms such as "Personal Data," "Data Subject," "Processing," "Personal Data Breach," "Controller," and "Processor" have the meanings given to them in the GDPR.
2. Processing of Personal Data
2.1 Role of the Parties.
For the Personal Data processed under this DPA, Merchant is the Controller and Núvols is the Processor acting on the Merchant's documented instructions.
2.2 Documented Instructions.
This DPA and the Terms of Service constitute the Merchant's complete and final instructions to Núvols for the Processing of Personal Data.
2.3 Nature, Purpose, and Duration.
The subject matter, nature, purpose, and duration of the Processing, as well as the types of Personal Data and categories of Data Subjects, are described in Annex 1.
3. Subprocessing
3.1 General Authorization.
Merchant grants Núvols a general authorization to engage Subprocessors to process Personal Data on Merchant's behalf. The current list of Subprocessors is available at nuvols.app/subprocessors.
3.2 Notice of Changes.
Núvols shall provide at least thirty (30) days' prior notice to the Merchant (via email or dashboard notification) before adding or replacing any Subprocessor. Merchant may object to such changes in writing. If the parties cannot resolve the objection, Merchant's sole remedy is to terminate the Terms of Service.
3.3 Subprocessor Obligations.
Núvols shall impose data protection terms on any Subprocessor that are no less protective than those in this DPA.
4. Security Measures
4.1 Technical and Organizational Measures.
Núvols shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or accidental access, loss, alteration, or disclosure. These measures include encryption at rest (AES-256-GCM), transport security (TLS), and cryptographic request authentication (HMAC-SHA256, ECDSA P-256), as detailed in Annex 2.
5. Personal Data Breaches
5.1 Notification.
In the event of a confirmed Personal Data Breach affecting the Merchant's data, Núvols shall notify the Merchant without undue delay, and in any event within 72 hours of becoming aware of the breach.
5.2 Assistance.
Núvols shall provide reasonable assistance and information to the Merchant to enable the Merchant to fulfill its own breach notification obligations under the GDPR.
6. Data Subject Rights
Núvols will, to the extent legally permitted, promptly notify the Merchant if it receives a request from a Data Subject (such as a Buyer) to exercise their rights under Data Protection Laws. Núvols will not respond directly to the request except to route the Data Subject to the Merchant, and will provide reasonable assistance to the Merchant to fulfill the request.
7. Deletion and Return of Data
Upon termination of the Services or at the Merchant's written request, Núvols will delete or return all Merchant Personal Data. Specifically:
- • Transient checkout session state is destroyed immediately upon completion, cancellation, or 24 hours of idle time.
- • Merchant catalog data and cached configurations are removed within 30 days following plugin disconnection or account closure.
8. International Data Transfers
8.1 Transfer Mechanisms.
Where the Processing involves a transfer of Personal Data outside the European Economic Area (EEA) to a country not recognized as providing an adequate level of protection, such transfers shall be governed by:
- (a) The EU-US Data Privacy Framework (for certified Subprocessors); or
- (b) The Standard Contractual Clauses (Module 2).
8.2 Incorporation of SCCs.
For the purposes of the SCCs, the Merchant is the "data exporter" and Núvols is the "data importer." The SCCs are hereby incorporated by reference with the following choices:
- • Clause 7 (Docking Clause): Applicable.
- • Clause 9 (Use of Subprocessors): Option 2 (General Written Authorisation) applies, with a 30-day notice period.
- • Clause 11 (Redress): The optional language is not applicable.
- • Clause 17 (Governing Law): The laws of Spain.
- • Clause 18 (Choice of Forum): The courts of the Valencia Province, Spain.
Annex 1: Details of Processing
A. Categories of Data Subjects
- • Buyers: End-consumers who initiate and complete purchases at the Merchant's store via an AI agent (e.g., ChatGPT, Google Gemini).
- • Merchants: Authorized personnel of the Merchant managing the store integration.
B. Types of Personal Data
- • Buyer Data (during checkout): Name, email address, shipping address, billing address, tokenized payment references (via Google Pay / Stripe; raw card numbers are never processed), order contents (items, quantities, totals), and marketing consent choices.
- • Merchant Catalog Data: Product IDs, names, prices, images, stock status, and associated attributes.
C. Nature and Purpose of Processing
Núvols processes the data to provide Agentic Commerce integrations, namely the Universal Commerce Protocol (UCP) and the Agentic Commerce Protocol (ACP). This includes:
- • Syncing and caching Merchant product catalog data to serve AI agent discovery queries with low latency.
- • Orchestrating buyer checkout sessions (validating AI-agent requests, translating protocols, calling the Merchant's API to create orders).
- • Delivering order-event webhooks to AI agent platforms.
D. Duration of Processing
Data is processed for the duration of the Merchant's use of the Services. Buyer checkout data is processed transiently and destroyed when the session completes or is cancelled, or after 24 hours of inactivity, whichever comes first. Cached catalog data is deleted within 30 days of account termination.
Annex 2: Technical and Organizational Security Measures
Núvols implements the following baseline security measures:
- 1. Edge Network Security: All infrastructure runs on Cloudflare's global edge network, using serverless compute so that persistent data storage is kept to a minimum.
- 2. Encryption in Transit: All traffic between AI agents, Núvols, and Merchant stores is carried exclusively over TLS (HTTPS).
- 3. Encryption at Rest: All persistent datastores (including the Cloudflare D1 database that holds API secrets and credentials) are encrypted at rest with AES-256-GCM.
- 4. Authentication: Plugin-to-SaaS requests are authenticated with HMAC-SHA256 over a shared secret that is stored encrypted and rotated every 7 days. SaaS-to-plugin requests are signed with ECDSA on the P-256 curve. UCP order-event webhooks are signed using HTTP Message Signatures (RFC 9421).
- 5. Transient Processing: Buyer checkout session data is held in ephemeral Cloudflare Durable Objects that are programmatically destroyed when the order completes, is cancelled, or has been idle for 24 hours (see Section 7).
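The following is an added illustration of how the plugin-to-SaaS authentication described in measure 4 (HMAC-SHA256 over a shared secret that rotates every 7 days) can be verified without breaking requests that are in flight across a rotation. It is not Núvols's code and not part of this DPA. The header names, the canonical string, the one-hour grace period, the five-minute clock-skew tolerance, and the in-memory key store are assumptions made for the example.

```python
import hashlib
import hmac

# Assumptions for this example (not the Núvols plugin protocol):
ROTATION_PERIOD = 7 * 24 * 3600   # shared secret rotates every 7 days (Annex 2, measure 4)
GRACE_PERIOD = 3600               # assumed overlap during which the previous secret is still accepted
MAX_SKEW = 300                    # assumed tolerance for the request timestamp header


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bind method, path, timestamp and body hash so none can be swapped independently."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(secret: bytes, key_id: str, method: str, path: str,
                 body: bytes, timestamp: int) -> dict:
    """Plugin side: produce the (assumed) authentication headers for one request."""
    mac = hmac.new(secret, canonical_string(method, path, timestamp, body), hashlib.sha256)
    return {"X-Key-Id": key_id, "X-Timestamp": str(timestamp), "X-Signature": mac.hexdigest()}


class SecretStore:
    """SaaS side: current secret plus, during the grace period, the previous one.

    Entries are key_id -> (secret, accept_until). A real deployment would load
    the secrets from an encrypted store; here they are held in memory.
    """

    def __init__(self, key_id: str, secret: bytes, issued_at: int):
        self._keys = {key_id: (secret, issued_at + ROTATION_PERIOD + GRACE_PERIOD)}
        self._current = key_id

    def rotate(self, new_key_id: str, new_secret: bytes, now: int) -> None:
        old_secret, _ = self._keys[self._current]
        # The previous secret stays valid only for the grace period, so requests
        # signed just before rotation are not rejected.
        self._keys[self._current] = (old_secret, now + GRACE_PERIOD)
        self._keys[new_key_id] = (new_secret, now + ROTATION_PERIOD + GRACE_PERIOD)
        self._current = new_key_id

    def lookup(self, key_id: str, now: int):
        entry = self._keys.get(key_id)
        if entry is None or now > entry[1]:
            return None
        return entry[0]


def verify_request(store: SecretStore, method: str, path: str,
                   headers: dict, body: bytes, now: int) -> tuple:
    """SaaS side: reject malformed headers, stale timestamps, unknown or expired keys, bad MACs."""
    try:
        key_id = headers["X-Key-Id"]
        timestamp = int(headers["X-Timestamp"])
        presented = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed auth headers"
    if abs(now - timestamp) > MAX_SKEW:
        return False, "timestamp outside skew window"
    secret = store.lookup(key_id, now)
    if secret is None:
        return False, "unknown or expired key id"
    expected = hmac.new(secret, canonical_string(method, path, timestamp, body),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC cannot be recovered byte by byte.
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000                               # constructed clock value
    store = SecretStore("k1", b"secret-one", t0)
    body = b'{"order_id": "123"}'                    # constructed request body
    hdrs = sign_request(b"secret-one", "k1", "POST", "/v1/orders", body, t0 + 10)
    print(verify_request(store, "POST", "/v1/orders", hdrs, body, t0 + 12))
    store.rotate("k2", b"secret-two", t0 + ROTATION_PERIOD)
    late = t0 + ROTATION_PERIOD + 60                 # old key, inside the grace period
    hdrs = sign_request(b"secret-one", "k1", "POST", "/v1/orders", body, late)
    print(verify_request(store, "POST", "/v1/orders", hdrs, body, late))
```

The point of the grace window is operational: a strict cut-over at rotation time would reject every request signed moments before the new secret was issued, which is the failure mode that pushes teams toward disabling rotation altogether. Keep the window short, and log which key id each accepted request used so that lingering use of the old secret is visible.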
Related
- • Terms of Service — the overall agreement this DPA forms part of.
- • Privacy Policy — how we process personal data across the Services.
- • Subprocessors — current list of authorised subprocessors.
- • For a countersigned copy of this DPA, contact us via the About page.