Data Processing Agreement
Version 1.0 | Last updated: 10 January 2025
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between NICE-AV LTD ("Processor", "we", "us") and the Customer ("Controller", "you") for the Magpie remote monitoring service.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data, including collection, storage, use, and deletion.
- Data Subject: An individual whose personal data is processed.
- GDPR: The UK General Data Protection Regulation and Data Protection Act 2018.
3. Categories of Data Processed
The following categories of personal data may be processed through the Magpie service:
- Device identifiers and network information
- User account information (name, email, password hashes)
- Screenshot images from monitored devices
- System logs and diagnostic data
- IP addresses and geolocation data
- Usage and analytics data
4. Purpose of Processing
Personal data is processed solely for the following purposes:
- Providing the remote monitoring service
- Device health monitoring and alerting
- User authentication and access control
- Service improvement and troubleshooting
- Compliance with legal obligations
5. Sub-processors
We may engage the following categories of sub-processors:
- Cloud Infrastructure: Hosting and compute services
- Database Services: Data storage and backup
- Email Services: Transactional email delivery
- Security Services: DDoS protection and security monitoring
For more details, see our Subprocessors page. Sub-processors may change from time to time. For any questions, contact privacy@nice-av.co.uk.
6. Data Subject Rights
We will assist you in responding to requests from data subjects exercising their rights under GDPR, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to data portability
- Right to object
7. Security Measures
We implement appropriate technical and organisational measures including:
- Encryption in transit (TLS 1.2+) and at rest
- Access controls and authentication
- Regular security assessments
- Staff training on data protection
- Incident response procedures
8. Data Retention
Personal data is retained only as long as necessary for the purposes for which it was collected, or as required by law. Configurable retention periods are available for:
- Screenshots: Default 7 days, configurable 1-90 days
- Device logs: Default 30 days, configurable 7-365 days
- Audit logs: Minimum 1 year, as required for compliance
9. International Transfers
Where personal data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.
10. Data Deletion and Return
Upon termination of the service agreement:
- Customers may request an export of their operational data prior to termination. Export functionality is available within the platform or upon request.
- Unless an export is requested, operational data (including device data, screenshots, and logs) will be deleted within a reasonable timeframe following termination.
- We may retain billing records, account information, and audit logs as required for legal, regulatory, or accounting purposes.
- Deletion of data does not affect any backups that may be retained for a limited period in accordance with standard backup retention practices.
For additional information on data retention and deletion, please refer to our Privacy Policy.
11. Audit Rights
Upon reasonable written request, we will provide customers with information regarding our data processing practices, security measures, and compliance with this DPA.
On-site audits are not included by default and would require a separate written agreement, including reasonable notice and mutually agreed terms. Any costs associated with such audits would be borne by the requesting party.
We maintain internal documentation of our security practices and may provide summaries or certifications upon request.
12. Breach Notification
In the event of a personal data breach affecting customer data, we will notify the affected customer without undue delay after becoming aware of the breach.
Notification will include, to the extent known:
- A description of the nature of the breach
- Categories and approximate number of data subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
We will cooperate with customers in their obligations under applicable data protection law, including UK GDPR requirements for notifying supervisory authorities where required.
13. Contact Information
For data protection enquiries:
NICE-AV LTD
Company No. 16174933
Email: privacy@nice-av.co.uk