Legal
Data Processing Addendum
Effective date: April 1, 2026
Last updated: April 18, 2026
1. Scope and Purpose
This Data Processing Addendum ("DPA") forms part of the Agreement between Nesika AI Pty Ltd ("Processor") and the Customer ("Controller") for the provision of pricing intelligence services. This DPA sets out the terms governing the processing of personal data by the Processor on behalf of the Controller in compliance with applicable data protection legislation, including the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Australian Privacy Act 1988.
2. Definitions
- Personal Data: any information relating to an identified or identifiable natural person processed through the Services.
- Processing: any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- Sub-processor: a third party engaged by the Processor to process Personal Data on behalf of the Controller.
3. Data Processing Details
| Subject Matter | Provision of pricing intelligence, product matching, and competitive analysis services. |
| Duration | For the term of the Agreement between Controller and Processor, plus any retention period required by law. |
| Nature & Purpose | Processing product catalog data, pricing data, and associated user account information to deliver competitive pricing intelligence. |
| Data Categories | User account information (name, email, role), product catalog data (SKUs, prices, descriptions), API usage logs. |
| Data Subjects | Customer employees and authorized users of the Services. |
4. Processor Obligations
- Process Personal Data only on documented instructions from the Controller.
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures as described in the Security Practices page.
- Assist the Controller in responding to data subject access requests within 30 days.
- Notify the Controller of any personal data breach without undue delay and in any event within 72 hours of becoming aware.
- Delete or return all Personal Data upon termination of the Agreement, at the Controller's choice.
5. Sub-processors
The Processor maintains a list of authorized sub-processors. The Controller will be notified at least 30 days in advance of any intended additions or replacements.
The current list of sub-processors is available at nesika.ai/sub-processors.
6. International Data Transfers
Where Personal Data is transferred outside the European Economic Area, the Processor will ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms.
7. Contact
For DPA inquiries, requests for a signed copy, or data protection questions:
privacy@nesika.ai
Need a signed copy of this DPA? Contact us and we will provide a countersigned PDF within 2 business days.
Request signed DPA