Last updated: 1 March 2026

This Data Processing Agreement ("DPA") forms part of the agreement between NFC Tagify ("Processor") and you, the customer ("Controller"), and governs the processing of personal data in connection with the Service.

This DPA is required under Article 28 of the UK GDPR and EU GDPR.

---

1. Definitions

  • "Controller" means you, the customer, who determines the purposes and means of processing personal data
  • "Processor" means NFC Tagify, which processes personal data on behalf of the Controller
  • "Personal Data" has the meaning given in applicable Data Protection Legislation
  • "Data Protection Legislation" means the UK GDPR, EU GDPR, and any applicable national implementing legislation
  • "Sub-processor" means any third party appointed by NFC Tagify to process personal data

---

2. Scope of Processing

NFC Tagify processes personal data on your behalf in connection with providing the Service, including:

Categories of data subjects: Your employees, contractors, and contacts whose profiles are managed on the platform

Categories of personal data: Names, job titles, email addresses, phone numbers, profile images, and other profile fields you choose to populate

Nature of processing: Storage, display, transmission, analytics, and backup

Purpose of processing: Providing the digital business card and profile management Service as described in the Terms of Service

Duration: For the term of your subscription plus 90 days following termination

---

3. Processor Obligations

NFC Tagify shall:

  • Process personal data only on documented instructions from you (i.e., your use of the Service)
  • Ensure that persons authorised to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures (see Section 6)
  • Assist you in responding to data subject requests (see Section 7)
  • Delete or return all personal data at the end of the service relationship, at your choice
  • Make available all information necessary to demonstrate compliance with this DPA
  • Notify you without undue delay (within 72 hours) upon becoming aware of a personal data breach

---

4. Controller Obligations

You shall:

  • Ensure you have a lawful basis for providing personal data to NFC Tagify
  • Ensure data subjects have been informed about processing as required by applicable law
  • Be responsible for the accuracy and legitimacy of personal data you provide
  • Not instruct NFC Tagify to process personal data in violation of applicable law

---

5. Sub-processors

NFC Tagify currently uses the following sub-processors:

| Sub-processor | Purpose | Location | Data Protection Mechanism |
|---|---|---|---|
| Supabase | Database hosting | EU/US | SCCs |
| DigitalOcean | Server infrastructure | EU/US | SCCs |
| Cloudflare | CDN and DDoS protection | Global | SCCs |
| Resend | Transactional email | US | SCCs |
| Stripe | Payment processing | US | SCCs |

NFC Tagify will notify you of any intended additions or replacements to sub-processors with at least 14 days' notice, giving you the opportunity to object. The procedure for objection is set out at the end of this DPA.

---

6. Security Measures

NFC Tagify implements the following technical and organisational security measures:

  • Encryption of all data in transit (TLS 1.2+) and at rest (AES-256)
  • Row-level security policies on all database tables
  • Multi-factor authentication required for administrative access
  • Regular automated backups with tested restore procedures
  • Access controls based on the principle of least privilege
  • Logging and monitoring of access to personal data
  • Annual security review process

---

7. Data Subject Rights

NFC Tagify will assist you in fulfilling data subject rights requests. To request assistance, email privacy@nfctagify.com with the subject "DSR Assistance".

We will respond within 5 business days with the information needed for you to fulfil the request.

---

8. Data Transfers

Where personal data is transferred outside the UK or EEA, NFC Tagify ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent mechanisms with each sub-processor.

---

9. Audit Rights

You have the right to conduct audits of NFC Tagify's data processing activities, subject to:

  • 30 days' prior written notice
  • Execution of a confidentiality agreement
  • Audit conducted during business hours at your expense
  • Maximum one audit per 12-month period (unless a personal data breach has occurred)

NFC Tagify may satisfy audit requests by providing relevant third-party audit reports (e.g., SOC 2) in lieu of on-site audits.

---

10. Term and Termination

This DPA remains in effect for the duration of your use of the Service. Upon termination, NFC Tagify will securely delete or return all personal data within 90 days, unless retention is required by applicable law.

---

11. Contact

For DPA-related enquiries or to exercise your rights under this DPA:

NFC Tagify — Data Protection

Email: privacy@nfctagify.com

To object to a new sub-processor appointment, email privacy@nfctagify.com with subject "Sub-processor Objection — [Sub-processor Name]" within 14 days of notification.