Data Processing Agreement
Last updated: 6/20/2026
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
Processor: Nikali Ltd. (Unified Identification Code 207724645, VAT ID BG207724645, registered in Sofia, Bulgaria), the operator of the NudgePort service.
Controller: The NudgePort customer (the agency, freelancer, or other business entity) using the service to manage its own client approval workflows and client contacts.
This DPA supplements the NudgePort Terms of Service and applies where Nikali Ltd. processes personal data on behalf of the Controller.
2. Subject Matter, Duration, Nature and Purpose of Processing
Subject matter: Provision of the NudgePort client approval portal service.
Duration of processing: For the term of the customer’s account and subscription, and for any applicable retention period thereafter as described in this DPA or required by law.
Nature of processing: Hosting, organizing, displaying, transmitting, and recording approval-related data submitted by or on behalf of the Controller.
Purpose of processing: Enabling project review workflows, facilitating client feedback and comments, maintaining approval records and version tracking, managing portal access and permissions, sending notifications, and providing billing and account support.
3. Categories of Data Subjects
The personal data processed under this DPA relates to the following categories of data subjects:
- Agency users (customers and their team members) who create and manage projects in NudgePort;
- Agency team members invited by the customer to collaborate on projects;
- Client contacts invited by the customer to review projects, submit feedback, and provide approvals;
- Billing and account contacts, where applicable, for invoicing and subscription management.
4. Categories of Personal Data
The following categories of personal data may be processed:
- Names (users, team members, client contacts);
- Email addresses;
- Agency account details (company name, role);
- Client contact details (names, emails, associated projects);
- Project metadata (titles, descriptions, labels, statuses);
- External URLs linked to third-party content;
- Version labels and identifiers;
- Comments and feedback submitted during review;
- Approval decisions (approved, rejected, changes requested);
- Change requests and revision notes;
- Timestamps (submission, approval, activity);
- IP addresses and user-agent data;
- Activity logs and audit records;
- Notification and email delivery records;
- Billing and customer identifiers, where applicable.
Important note: NudgePort stores external URLs and approval records. NudgePort does not store the original files, documents, videos, designs, or invoices linked through the service. The original content remains on the third-party platforms to which the URLs refer.
5. Controller Responsibilities
The Controller:
- Determines the purposes and means of the processing of personal data within NudgePort;
- Is responsible for ensuring it has a lawful basis for processing personal data under applicable data protection law;
- Is responsible for ensuring it has the right to invite client contacts and to share external links with them;
- Is responsible for the content, accuracy, permissions, and legality of external third-party links added to NudgePort projects;
- Is responsible for complying with its own obligations as a data controller, including providing required notices to data subjects and responding to data subject rights requests.
6. Processor Obligations
As Processor, Nikali Ltd. shall:
- Process personal data only on documented instructions from the Controller, including as set out in this DPA and the applicable Terms of Service, unless required by applicable law;
- Ensure that persons authorized to process personal data are subject to an appropriate obligation of confidentiality;
- Implement appropriate technical and organisational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, damage, or disclosure;
- Assist the Controller, where applicable and reasonable, in responding to data subject requests (access, rectification, erasure, restriction, portability, objection);
- Assist the Controller, where applicable, in meeting its security and data protection obligations under applicable law;
- Notify the Controller of any personal data breach without undue delay after becoming aware of it, to the extent permitted by law;
- At the choice of the Controller, delete or return all personal data after the end of the provision of services, except where retention is required by applicable law, and delete existing copies unless storage is required by law.
7. Sub-processors
The Controller gives general authorization to the Processor to engage sub-processors as necessary to provide the NudgePort service. The Processor shall:
- Impose data protection obligations on sub-processors that are substantially similar to those set out in this DPA;
- Maintain a list of sub-processors used to provide the service and make it available to the Controller upon request;
- Inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller a reasonable opportunity to object where such changes may materially affect data protection. Objections shall be assessed in good faith and may be resolved by mutual agreement.
Sub-processor categories include:
- Hosting and database infrastructure providers;
- Email delivery and notification services;
- Payment processing services;
- Analytics, security monitoring, and operational infrastructure providers, where used.
8. International Transfers
Where personal data is transferred outside the European Economic Area (EEA), the Processor shall ensure that appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission or another lawful transfer mechanism recognized under applicable data protection law.
9. Security Measures
The Processor implements the following technical and organisational measures to protect personal data processed through NudgePort:
- Tenant isolation using database-level Row Level Security (RLS) policies to ensure customers can access only their own data;
- Role-based access controls distinguishing between agency users, team members, and client portal visitors;
- Hashed magic-link tokens for passwordless portal access, with only a strong hash of each token stored rather than the token itself;
- Service-role isolation — service role keys are never exposed to clients and are used only for trusted server-side operations;
- TLS encryption in transit for all data transmitted between users and the NudgePort service;
- Database access controls restricting direct database access to authorized server functions and infrastructure;
- Audit and activity logs recording key actions (approvals, rejections, comments, version changes) for accountability;
- Immutable approval records — once recorded, approval decisions are not altered to preserve workflow integrity;
- Locked approved versions — approved versions are protected from further modification to maintain record consistency;
- Portal action rate limiting to mitigate abuse of client-facing endpoints;
- Least-privilege access for internal and infrastructure access to service components;
- Provider backup and infrastructure controls as offered by the underlying hosting and database providers, including redundancy, failover, and automated backup procedures where applicable.
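The following is an added illustration, not part of this DPA and not NudgePort's or Nikali Ltd.'s own code. It shows in Python what two of the measures listed above look like when implemented: magic-link tokens that are stored only as a hash, bound to one tenant, time-limited and single-use, and a sliding-window rate limit on portal actions. The in-memory store, the tenant and contact identifiers, the token lifetime and the rate-limit values are all constructed for the example.

```python
import hashlib
import secrets
import time
from collections import defaultdict, deque
from typing import Optional

# Illustrative values (assumptions for this example, not figures from the DPA).
TOKEN_TTL_SECONDS = 15 * 60       # how long an emailed magic link stays valid
RATE_LIMIT_MAX = 5                # portal actions allowed per window
RATE_LIMIT_WINDOW_SECONDS = 60    # length of the sliding window


def hash_token(raw_token: str) -> str:
    """Hex SHA-256 of a high-entropy token.

    The token carries 256 bits of randomness, so an unsalted fast hash is
    enough: a leaked table of hashes cannot be reversed or brute-forced, and
    the database never holds anything that grants portal access by itself.
    """
    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()


class MagicLinkStore:
    """In-memory stand-in for the portal's token table (constructed example)."""

    def __init__(self) -> None:
        # token_hash -> record. The raw token is never written here.
        self._records: dict = {}

    def issue(self, tenant_id: str, contact_email: str,
              now: Optional[float] = None) -> str:
        """Create a token for one client contact of one tenant; return the raw token.

        The raw value goes into the emailed link only; the store keeps its hash.
        """
        now = time.time() if now is None else now
        raw_token = secrets.token_urlsafe(32)
        self._records[hash_token(raw_token)] = {
            "tenant_id": tenant_id,
            "email": contact_email,
            "expires_at": now + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return raw_token

    def redeem(self, raw_token: str, tenant_id: str,
               now: Optional[float] = None) -> Optional[str]:
        """Validate a presented token; return the bound contact email or None.

        Checks, in order: the hash is known, it belongs to the requesting
        tenant (tenant isolation), it has not expired, and it has not been
        used already (single use). A failed tenant check does not consume the
        token, so a cross-tenant probe cannot invalidate a legitimate link.
        Looking the record up by hash is safe here because the lookup key is
        derived from a secret the caller cannot predict.
        """
        now = time.time() if now is None else now
        record = self._records.get(hash_token(raw_token))
        if record is None:
            return None
        if record["tenant_id"] != tenant_id:
            return None
        if now > record["expires_at"]:
            return None
        if record["used"]:
            return None
        record["used"] = True
        return record["email"]


class PortalRateLimiter:
    """Sliding-window limiter keyed by client identity (constructed example)."""

    def __init__(self, max_actions: int = RATE_LIMIT_MAX,
                 window: float = RATE_LIMIT_WINDOW_SECONDS) -> None:
        self.max_actions = max_actions
        self.window = window
        self._hits: dict = defaultdict(deque)   # key -> timestamps in window

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        """Record one portal action for `key`; False if the window is full."""
        now = time.time() if now is None else now
        hits = self._hits[key]
        while hits and hits[0] <= now - self.window:   # drop expired entries
            hits.popleft()
        if len(hits) >= self.max_actions:
            return False
        hits.append(now)
        return True


if __name__ == "__main__":
    store = MagicLinkStore()
    link = store.issue("agency-a", "client@example.com")
    print("wrong tenant:", store.redeem(link, "agency-b"))
    print("first use:", store.redeem(link, "agency-a"))
    print("second use:", store.redeem(link, "agency-a"))
```

In a real deployment the token record would live in the tenant-scoped database table and the rate-limit key would typically combine the portal identifier with the caller's address, so that one noisy client cannot exhaust another tenant's allowance.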
10. Audit and Information
The Controller has the right to audit the Processor’s compliance with this DPA. Audits shall be subject to the following conditions:
- Audits shall be conducted no more than once per year, unless required by a regulatory authority or following a confirmed personal data breach;
- The Controller must provide reasonable prior written notice of any audit request;
- Audits must be conducted in a manner that does not compromise the security, confidentiality, or availability of the service for other customers;
- The Processor may satisfy audit requests by providing relevant documentation, security summaries, third-party audit reports, or provider security information, where this provides the Controller with sufficient assurance of compliance.
11. Term and Deletion
This DPA applies for the duration of the service agreement between the Controller and the Processor (including any free trial or evaluation period).
Upon termination of the service agreement, the Processor will delete or return the Controller’s personal data within a reasonable period, unless retention is required by applicable law, billing or contractual obligations, security incident investigation, backups, or legitimate dispute or audit purposes.
Where personal data is retained in backups, deletion shall follow the normal backup lifecycle, and the Processor shall ensure that restored data is deleted when no longer required.
12. Contact
For questions or requests related to this Data Processing Agreement, please contact:
Email: support@nudgeport.com
Postal address: Nikali Ltd., Belite Borove 8, Sofia, Bulgaria
