Nesta Data Processing Agreement

Data processing terms that apply when Nesta processes Customer Personal Information on behalf of customers.

Effective November 29, 2024. Last updated May 4, 2026.

1. Overview

This Data Processing Agreement ("DPA") forms part of the agreement between NESTA SITES INC. ("Company," "Processor," "Service Provider," "Contractor," "we," "us," or "our") and the customer entity accepting it ("Customer," "Controller," or "Business") and applies to the extent we process Customer Personal Information on Customer's behalf in connection with Nesta and related services.

This DPA supplements the Terms of Service or other principal services agreement between the parties (the "Agreement"). If there is a conflict between this DPA and the Agreement as to processing of Customer Personal Information, this DPA controls to that extent.

2. Definitions

For purposes of this DPA:

  • "Customer Personal Information" means personal information, personal data, or similar data that Customer or its authorized users submit to the Services, or instruct us to process, where we act on Customer's behalf.
  • "Data Protection Laws" means privacy, security, breach notification, and data processing laws applicable to the processing of Customer Personal Information under this DPA.
  • "Subprocessor" means a third party engaged by us to process Customer Personal Information on our behalf in connection with the Services.
  • "Security Incident" means unauthorized access to, acquisition of, or disclosure of Customer Personal Information in our possession or control, excluding unsuccessful attempts that do not result in unauthorized access, such as routine scans or pings.

Capitalized terms not defined here have the meanings given in the Agreement.

3. Roles of the Parties

3.1 Customer Role

Customer acts as the controller, business, organization, or other primary decision-maker with respect to Customer Personal Information, including information collected through Customer's hosted websites, forms, lead capture flows, or connected accounts.

3.2 Company Role

We act as:

  • a processor, service provider, or contractor when processing Customer Personal Information on Customer's behalf to provide the Services; and
  • an independent controller or business for our own account, billing, support, usage, security, fraud prevention, public audit, and legal compliance data, as described in our Privacy Policy.

4. Scope of Processing

We will process Customer Personal Information only:

  • to provide, operate, maintain, and support the Services;
  • on Customer's documented instructions, including instructions reflected in Customer's configuration and use of the Services;
  • as required to comply with applicable law; or
  • as otherwise permitted by the Agreement and this DPA.

Customer instructs us to process Customer Personal Information as reasonably necessary to:

  • host and publish Customer websites and content;
  • receive, store, route, and notify Customer about website leads and form submissions;
  • provide analytics, reporting, and conversion tracking features;
  • process connected-account and integration data at Customer's direction;
  • provide customer support, troubleshooting, backups, and security functions; and
  • prevent abuse, fraud, or misuse of the Services.

5. Customer Responsibilities

Customer is responsible for:

  • providing all required notices and obtaining all required permissions, consents, and lawful bases for collection and processing;
  • ensuring Customer Personal Information and Customer instructions comply with Data Protection Laws;
  • determining whether the Services are appropriate for Customer's intended use cases;
  • responding to data subject or consumer requests relating to Customer Personal Information, except to the extent our assistance is required under this DPA; and
  • not using the Services to process restricted or high-risk data except where we expressly agree in writing.

Customer will not instruct us to process Customer Personal Information in a manner that violates applicable law.

6. Company Obligations

6.1 Processing Limits

We will not:

  • sell Customer Personal Information;
  • share Customer Personal Information for cross-context behavioral advertising on our own behalf;
  • retain, use, or disclose Customer Personal Information outside the direct business relationship with Customer except as permitted by the Agreement, this DPA, or applicable law; or
  • combine Customer Personal Information with personal information received from another customer except as permitted for security, operational, or legal compliance purposes under Data Protection Laws.

6.2 Confidentiality

We will ensure that personnel authorized to process Customer Personal Information are subject to appropriate confidentiality obligations.

6.3 Security

We will implement and maintain reasonable and appropriate technical and organizational measures designed to protect Customer Personal Information against unauthorized access, loss, misuse, alteration, or disclosure, taking into account the nature of the information and the Services.

6.4 Assistance

Taking into account the nature of the processing and the functionality of the Services, we will provide reasonable assistance to Customer for:

  • access, correction, deletion, portability, or similar requests directed to Customer;
  • privacy or security assessments Customer reasonably requires for the Services; and
  • Customer's investigation of a Security Incident affecting Customer Personal Information.

6.5 Security Incident Notice

We will notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Personal Information and provide information reasonably available to us about the nature of the incident, the categories of data involved, and the remediation steps taken or planned.

7. Subprocessors

Customer authorizes us to use Subprocessors in connection with the Services.

We will:

  • maintain a Subprocessor List identifying material Subprocessors;
  • impose data protection obligations on Subprocessors appropriate to the nature of the services they provide; and
  • remain responsible for our Subprocessors' processing of Customer Personal Information to the extent required by applicable law and our contracts with them.

If our Agreement requires notice of new Subprocessors, we may provide that notice by updating the Subprocessor List or by another reasonable method.

8. Data Subject and Consumer Requests

If we receive a request directly from an individual relating to Customer Personal Information for which we act on Customer's behalf, we may:

  • direct the requester to Customer;
  • notify Customer of the request; or
  • respond only as instructed by Customer or required by law.

9. Deletion and Return

Upon termination or expiration of the Services, and subject to the Agreement, we may delete or anonymize Customer Personal Information after the retention period described in our Privacy Policy, product documentation, or internal retention schedules, unless applicable law requires longer retention.

Customer is responsible for exporting data before deletion where the Services provide export tools or reasonable access for retrieval.

10. Audits and Information Rights

Upon reasonable written request, and no more than once in any 12-month period unless required by law or triggered by a Security Incident, we will provide information reasonably necessary to demonstrate our compliance with this DPA, such as summaries of security controls, questionnaire responses, or other documentation.

Any audit or assessment must:

  • be limited to information relevant to the Services;
  • avoid unreasonable disruption to our operations or other customers;
  • protect confidential and security-sensitive information; and
  • be subject to reasonable confidentiality obligations.

11. Cross-Border Processing

Customer acknowledges that the Services may be operated from, and Customer Personal Information may be processed in, Canada, the United States, and other jurisdictions where we or our Subprocessors operate.

Customer authorizes those transfers to the extent necessary to provide the Services.

If Customer later requires additional transfer terms for jurisdictions not currently in scope for launch, the parties may execute an additional transfer addendum.

12. Restricted Data

Unless we expressly agree otherwise in writing, Customer will not use the Services to process:

  • protected health information or electronic protected health information subject to HIPAA;
  • payment card data outside approved payment processor fields or flows;
  • government-issued identification numbers;
  • biometric identification data;
  • personal information of children under 13 directed to or knowingly collected from children;
  • highly sensitive financial account credentials; or
  • other regulated or special-category data requiring sector-specific contractual commitments.

13. Liability

Liability under this DPA is subject to the limitations, exclusions, and allocations of risk set out in the Agreement, except to the extent prohibited by applicable law.

14. Order of Precedence

This DPA remains effective for so long as we process Customer Personal Information on Customer's behalf.

Annex 1: Processing Summary

Subject Matter

Provision of the Nesta software platform, including hosted website, lead capture, analytics, reporting, AI, and connected-account features.

Duration

For the duration of the Agreement and any reasonably necessary retention period afterward.

Categories of Data Subjects

  • Customer account owners and administrators
  • Customer authorized users
  • Customer prospects, leads, and website visitors
  • Individuals whose information Customer submits through integrations or content

Categories of Customer Personal Information

  • account and business contact details
  • website content and uploaded assets
  • hosted form submissions and lead details
  • IP address, browser, user agent, and usage metadata
  • analytics and conversion event data
  • connected-account and integration data
  • support-related content submitted by Customer

Nature and Purpose of Processing

  • hosting and delivery of content
  • storage and routing of submissions and communications
  • analytics, reporting, and troubleshooting
  • security, fraud prevention, backup, and recovery
  • customer support and service administration

Annex 2: Security Controls Summary

Our controls are designed to be appropriate to the nature of the Services and may evolve over time. They generally include:

  • access controls and role-based access practices
  • authentication and credential management controls
  • encryption in transit
  • logging, monitoring, and alerting
  • backup and recovery procedures
  • vulnerability and dependency management
  • incident response and escalation procedures
  • vendor and Subprocessor review processes

© 2026 NESTA SITES INC.