Skip to content

Compliance & legal

niil's data-protection posture is backed by a legal pack your organization can review and sign. The default, EU-first versions are published here; your niil operator provides the binding versions with deployment-specific details reviewed by counsel.

The documents

  • Data Processing Agreement (DPA) — the Art. 28 GDPR contract governing how niil processes personal data on your behalf.
  • Technical & Organisational Measures (TOM) — the Art. 32 measures (encryption, access control, DLP, audit, isolation, backups) mapped to how niil implements them.
  • Privacy policy — how personal data is handled (Datenschutzerklärung).
  • Sub-processor list — the third parties involved in delivering the service, each with role and region (EU IaaS hosting, EU-pinned AI providers, EU-hosted Stripe if billing is enabled, and the email provider).

How the measures map to the product

RequirementWhere it lives
Encryption at rest & in transitEncryption
EU data residencyEU sovereignty & residency
Right to access / erasureData protection & GDPR
Access control & MFAAuthentication & MFA
AuditabilityImmutable audit trail (Data protection)
Minimising third partiesNo external vendors

Binding versions

The documents above are niil's default reference versions. The authoritative, signed DPA, TOM, privacy policy and sub-processor list — with your operator's legal entity, contact details, and any deployment-specific values — come from your niil operator (or account contact).