This Data Processing Agreement (“DPA”) governs the data processing relationship between NUDGEO (the “Data Processor”) and the customer using the Service (the “Data Controller”). This DPA is incorporated by reference into the NUDGEO Terms of Service.
1. Definitions
- Personal Data — Information as defined in GDPR Article 4(1) and the Personal Information Protection Act (개인정보 보호법).
- Processing — Any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
- Subprocessor — A third party engaged by the Data Processor to carry out part of the Processing.
2. Scope of Processing
The Data Processor processes Personal Data solely on the Data Controller's instructions and only for the following purposes:
- Delivering the NUDGEO Service (measurement, content generation, automated publishing, dashboard).
- Fulfilling legal obligations.
- Any other purpose to which the Data Controller has explicitly consented.
3. Security Measures
The Data Processor implements the following technical and organizational security measures:
- Encryption — AES-256 at rest; TLS 1.3 in transit.
- Access control — Role-Based Access Control (RBAC) and Multi-Factor Authentication.
- Audit logs — Retained for 90 days, with alerting on anomalous access.
- Network isolation — VPC, private subnets, SSRF protection.
- Certifications — SOC 2 Type II; AWS Foundational Technical Review passed.
4. Subprocessor List
The Data Processor uses the following subprocessors. The Data Controller will be notified before any new subprocessor is added.
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Infrastructure hosting, payment processing, database | ap-northeast-2 (Seoul) |
| OpenAI | Measurement query transmission (brand name only) | US |
| Anthropic | Measurement query transmission (brand name only) | US |
| Google (Gemini API) | Measurement query transmission (brand name only) | US |
| Perplexity | Measurement query transmission (brand name only) | US |
| Resend | Transactional email delivery | US / EU |
5. International Data Transfers
Raw Personal Data retained by the Data Processor is stored exclusively in AWS ap-northeast-2 (Seoul). For measurement purposes, non-identifying information (brand names only) may be transmitted to AI providers (OpenAI, Anthropic, Google, Perplexity). By agreeing to this DPA, the Data Controller authorizes these transfers.
6. Data Subject Rights Assistance
The Data Processor will provide reasonable assistance to the Data Controller in responding to data subject rights requests (access, correction, deletion, restriction of processing). Requests will be processed within 30 days.
7. Incident Notification
In the event of a Personal Data breach, the Data Processor will notify the Data Controller within 72 hours of becoming aware of the breach. The notification will include the scope of the breach, its impact, remediation actions taken, and measures to prevent recurrence.
8. Audit Rights
Enterprise plan customers may request an audit of the Data Processor's security and processing procedures up to once per year. Audit scope and scheduling are subject to prior agreement. Alternatively, third-party certifications such as a SOC 2 report may be provided in lieu of a direct audit.
9. Data Return and Deletion on Termination
Upon termination of the Service, the Data Processor will permanently delete all raw probe data and Personal Data within 30 days. A certificate of deletion will be issued upon the Data Controller's request.
10. Liability
The Data Processor's liability for damages suffered by the Data Controller due to a breach of this DPA or applicable law is governed by the liability provisions in the NUDGEO Terms of Service.
To request a signed copy of this DPA or an additional security checklist, contact security@nudgeo.com.