Compliance & legal
niil's data-protection posture is backed by a legal pack your organization can review and sign. The default, EU-first versions are published here; your niil operator provides the binding versions with deployment-specific details reviewed by counsel.
The documents
- Data Processing Agreement (DPA) — the Art. 28 GDPR contract governing how niil processes personal data on your behalf.
- Technical & Organisational Measures (TOM) — the Art. 32 measures (encryption, access control, DLP, audit, isolation, backups) mapped to how niil implements them.
- Privacy policy — how personal data is handled (Datenschutzerklärung).
- Sub-processor list — the third parties involved in delivering the service, each with role and region (EU IaaS hosting, EU-pinned AI providers, EU-hosted Stripe if billing is enabled, and the email provider).
How the measures map to the product
| Requirement | Where it lives |
|---|---|
| Encryption at rest & in transit | Encryption |
| EU data residency | EU sovereignty & residency |
| Right to access / erasure | Data protection & GDPR |
| Access control & MFA | Authentication & MFA |
| Auditability | Immutable audit trail (Data protection) |
| Minimising third parties | No external vendors |
Binding versions
The documents above are niil's default reference versions. The authoritative, signed DPA, TOM, privacy policy and sub-processor list — with your operator's legal entity, contact details, and any deployment-specific values — come from your niil operator (or account contact).