This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between Nerchr Ltd ("Processor", "we", "us") and the entity agreeing to the Terms of Service ("Controller", "Customer", "you"). It sits alongside our Privacy Policy, Acceptable Use Policy, Fair Use Policy, and Cookie Policy.
This DPA applies to the extent that Nerchr processes Personal Data on behalf of the Customer in the course of providing the Service. It is incorporated into and subject to the Terms of Service.
In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of Personal Data.
In this DPA, the following terms have the meanings set out below. Capitalised terms not defined in this DPA have the meanings given to them in the Terms of Service.
"Applicable Data Protection Laws" means all laws and regulations relating to the processing of Personal Data that apply to the processing contemplated by this DPA, including (as applicable) the UK GDPR, the Data Protection Act 2018, the EU GDPR (Regulation 2016/679), the Swiss Federal Act on Data Protection, and any other applicable national or state data protection or privacy laws.
"Controller" means the Customer, who determines the purposes and means of the processing of Personal Data through its use of the Service.
"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
"EEA" means the European Economic Area.
"International Data Transfer Agreement" or "IDTA" means the international data transfer agreement issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018.
"Personal Data" means any information relating to a Data Subject that is processed by Nerchr on behalf of the Customer through the Service.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
"Processing" (and "process", "processed", "processes") means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
"Processor" means Nerchr Ltd, which processes Personal Data on behalf of the Controller.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), as supplemented by any applicable UK Addendum.
"Sub-processor" means any third party engaged by Nerchr to process Personal Data on behalf of the Customer.
"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018.
"UK GDPR" means the retained EU law version of the General Data Protection Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
The Customer is the Controller. Nerchr is the Processor. The Customer determines the purposes and means of Processing. Nerchr processes Personal Data only on behalf of and in accordance with the documented instructions of the Customer.
This DPA applies to all Personal Data processed by Nerchr in connection with providing the Service, including (but not limited to):
The details of Processing are set out in Schedule 1 (Details of Processing) to this DPA.
The Customer is responsible for ensuring that there is a valid legal basis for the Processing of Personal Data under Applicable Data Protection Laws, including obtaining any necessary consents from Data Subjects where required.
The Customer's instructions to Nerchr regarding the Processing of Personal Data are set out in this DPA and the Terms of Service. The Customer may issue additional reasonable instructions, provided they are consistent with the terms of the Agreement and Applicable Data Protection Laws. If Nerchr considers that an instruction infringes Applicable Data Protection Laws, Nerchr will promptly inform the Customer.
The Customer shall comply with all Applicable Data Protection Laws in connection with its use of the Service, including (but not limited to) providing appropriate privacy notices to Data Subjects and ensuring it has the right to transfer Personal Data to Nerchr for Processing.
Where the Customer uses the Service to transmit Personal Data to third-party advertising platforms via Conversion API features, the Customer is responsible for ensuring that such transmission complies with Applicable Data Protection Laws and the terms of the relevant advertising platform. Nerchr transmits data to advertising platforms based on workflows and configurations set by the Customer.
Nerchr shall process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data outside the UK or EEA, unless required to do so by applicable law. Where Nerchr is required by applicable law to process Personal Data other than on the Customer's instructions, Nerchr will inform the Customer of that legal requirement before processing, unless prohibited from doing so by law.
Nerchr shall ensure that all persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Nerchr shall implement and maintain appropriate technical and organisational measures to protect Personal Data against Personal Data Breaches, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects.
These measures include, as appropriate:
Nerchr shall not engage a Sub-processor without the Customer's prior authorisation. The Customer provides general authorisation for Nerchr to engage Sub-processors, subject to the following conditions:
(a) Nerchr shall maintain a current list of Sub-processors, which is available at www.nerchr.io/sub-processors (or such other URL as Nerchr may notify the Customer of).
(b) Nerchr shall notify the Customer of any intended changes to Sub-processors (additions or replacements) by updating the Sub-processor list and providing at least 30 days' notice before the new Sub-processor begins processing Personal Data. Nerchr may provide this notice by email or through the Service.
(c) If the Customer has a reasonable objection to a new Sub-processor on data protection grounds, the Customer shall notify Nerchr in writing within 15 days of receiving notice. The parties shall discuss the objection in good faith with a view to achieving a resolution. If the parties cannot resolve the objection within 30 days, the Customer may terminate the affected part of the Service (or the entire Agreement if the Sub-processor is integral to the Service) by providing written notice. Any prepaid fees for the terminated portion of the Service shall be refunded on a pro-rata basis.
(d) Nerchr shall impose data protection obligations on each Sub-processor that are no less protective than those set out in this DPA. Nerchr remains fully liable to the Customer for the performance of each Sub-processor's obligations.
Nerchr shall, taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection).
If Nerchr receives a request directly from a Data Subject, Nerchr shall promptly redirect the Data Subject to the Customer and notify the Customer, unless otherwise instructed by the Customer or required by applicable law.
Nerchr shall assist the Customer in ensuring compliance with the Customer's obligations under Applicable Data Protection Laws in respect of:
Such assistance shall be provided taking into account the nature of Processing and the information available to Nerchr, and may be subject to a reasonable charge where the request is excessive or goes beyond what is required by Applicable Data Protection Laws.
Nerchr shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Customer.
The notification shall, to the extent possible, include:
(a) A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned
(b) The name and contact details of Nerchr's point of contact for further information
(c) A description of the likely consequences of the Personal Data Breach
(d) A description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects
Where it is not possible to provide all information at the same time, information may be provided in phases without undue further delay.
Nerchr shall cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of any Personal Data Breach.
Upon termination of the Agreement, Nerchr shall, at the Customer's choice:
(a) Return all Personal Data to the Customer in a commonly used, machine-readable format (the Customer may export data through the Service's export functionality during the 30-day post-termination period specified in the Terms of Service); or
(b) Delete all Personal Data and existing copies, unless applicable law requires continued storage.
Nerchr shall confirm deletion in writing upon the Customer's request.
Nerchr shall make available to the Customer all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws.
Nerchr shall allow for and contribute to audits, including inspections, conducted by the Customer or a qualified third-party auditor mandated by the Customer, subject to the following conditions:
(a) The Customer shall provide at least 30 days' written notice of an audit request.
(b) Audits shall be conducted during normal business hours and in a manner that minimises disruption to Nerchr's operations.
(c) The Customer (and any third-party auditor) shall comply with reasonable confidentiality obligations regarding any information accessed during the audit.
(d) Audits shall be limited to no more than one per 12-month period, unless required by a supervisory authority or following a Personal Data Breach.
(e) Where Nerchr has obtained relevant third-party certifications or audit reports (such as SOC 2 or ISO 27001), Nerchr may satisfy audit requests by providing copies of such reports, provided they are current and address the Customer's reasonable concerns.
The costs of any audit shall be borne by the Customer, except where an audit reveals material non-compliance by Nerchr with this DPA, in which case Nerchr shall bear the reasonable costs.
Nerchr shall not transfer Personal Data outside the United Kingdom or EEA unless appropriate safeguards are in place as required by Applicable Data Protection Laws.
Where Personal Data is transferred outside the UK or EEA in connection with the Service, Nerchr shall ensure that one or more of the following safeguards is in place:
(a) The transfer is to a country that has been deemed to provide an adequate level of data protection by the UK Secretary of State or the European Commission (as applicable).
(b) Standard Contractual Clauses (with the UK Addendum where applicable) are in place between the relevant parties.
(c) The International Data Transfer Agreement (IDTA) issued by the UK Information Commissioner is in place.
(d) Another approved transfer mechanism under Applicable Data Protection Laws applies.
Where a Sub-processor processes Personal Data outside the UK or EEA, Nerchr shall ensure that appropriate transfer mechanisms are in place with that Sub-processor before any transfer occurs.
This DPA shall be governed by and construed in accordance with the laws of England and Wales, and the courts of England and Wales shall have exclusive jurisdiction to settle any disputes arising from or in connection with this DPA, consistent with the Terms of Service.
This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate when the Agreement terminates, subject to Section 4.8 (Deletion and Return of Data).
For any questions about this DPA or any data protection matter, please contact our Data Protection Officer:
Processing of Personal Data in connection with the provision of the Nerchr Service, for the duration of the Customer's subscription (plus any post-termination data retention period as specified in the Terms of Service).
The Service is not designed for the processing of special categories of Personal Data (as defined in Article 9 of the UK GDPR). However, the Customer may collect such data through funnel question fields depending on their configuration. Where the Customer processes special categories of Personal Data through the Service, the Customer is solely responsible for ensuring a valid legal basis and appropriate safeguards are in place.
Personal Data is retained for the duration of the Customer's subscription. Upon termination, Personal Data is available for export for 30 days, after which it is deleted in accordance with the Terms of Service.
Nerchr uses the following Sub-processors in connection with the provision of the Service. The current list is also maintained at www.nerchr.io/sub-processors.
The following services only receive Personal Data when the Customer actively configures connections and workflows. They are listed for transparency but do not process Personal Data unless the Customer initiates the connection.
Nerchr implements the following categories of security measures. Specific measures may be updated from time to time to reflect improvements in security practices and technology.
This Data Processing Agreement is effective as of 16 April 2026.
