Data Processing Agreement
Last updated: 2 July 2026. This document is a launch draft and remains subject to legal review.
Status: lawyer-ready draft. Not legal advice.
This Data Processing Agreement forms part of the Nucleus customer terms between the customer and Nucleus. It applies where Nucleus processes personal data on behalf of the customer.
1. Roles
1. The customer is the controller of customer personal data unless the law says otherwise. 2. Nucleus is the processor of customer personal data. 3. Where a customer uses Nucleus for its own clients, the customer is responsible for having lawful terms with those clients.
2. Subject Matter
Nucleus provides CRM, lead capture, automation, support intake, API, and agent operation tools. Nucleus processes customer personal data only to provide and secure those services.
3. Categories Of Personal Data
The service may process:
- Names.
- Email addresses.
- Phone numbers if the customer imports or enters them.
- Business names and job titles.
- Lead source and campaign information.
- CRM notes, tasks, deals, pipeline data, tags, and custom fields.
- Support requests and feature suggestions.
- Login, API, audit, device, and IP metadata.
- Billing identifiers from Stripe, but not full card numbers.
The customer controls what data is entered into Nucleus.
4. Categories Of Data Subjects
The service may process data about:
- Customer users.
- Customer leads and contacts.
- Customer clients and prospects.
- Reseller users and their client-account users.
- Support requesters.
5. Processing Instructions
Nucleus will process customer personal data only:
- To provide the service.
- To maintain security, availability, and support.
- To comply with lawful written customer instructions.
- To comply with applicable law.
Nucleus will tell the customer if an instruction appears to violate applicable data protection law, unless the law prevents that notice.
6. Security Measures
Nucleus will maintain appropriate technical and organisational measures, including:
- Tenant isolation.
- Scoped API keys.
- Role based access controls.
- Audit logging for sensitive actions.
- Encrypted secret storage outside the codebase.
- HTTPS in production.
- Server-side input validation.
- Rate limits on public and authenticated routes.
- Turnstile on public lead capture and signup routes where configured.
- Watchdog checks and operational alerts.
- Backup and restore procedures.
7. Confidentiality
Nucleus will ensure that people authorised to process customer personal data are bound by confidentiality obligations or an appropriate legal duty of confidentiality.
8. Subprocessors
The customer authorises Nucleus to use subprocessors listed on the Nucleus subprocessor page. Nucleus remains responsible for subprocessor performance of data protection obligations.
Nucleus will provide notice of material subprocessor changes where required by law or the customer agreement.
9. International Transfers
Where personal data is transferred outside the UK, EEA, or other protected region, Nucleus will use an appropriate transfer mechanism, such as the UK International Data Transfer Addendum, EU Standard Contractual Clauses, or another lawful mechanism.
10. Data Subject Requests
Nucleus will provide reasonable assistance for customer responses to data subject access, correction, deletion, restriction, objection, and portability requests where the customer cannot reasonably fulfil the request through the service.
11. Deletion And Return
On termination, Nucleus will delete or return customer personal data according to the customer agreement and backup retention process, unless law requires retention.
Suggested operational target for lawyer review:
- Account data export available during active subscription.
- Deletion or anonymisation within 30 days of confirmed deletion request where no legal hold applies.
- Backup expiry according to the published backup retention schedule.
12. Personal Data Breach
Nucleus will notify the customer without undue delay after becoming aware of a personal data breach affecting customer personal data. Notice will include known facts, likely consequences, and mitigation steps where available.
13. Audit Rights
Nucleus will provide reasonable information needed to demonstrate compliance. Any direct audit must be scoped, reasonable, confidential, and avoid disrupting the service or exposing other tenants.
14. Customer Responsibilities
The customer is responsible for:
- Having a lawful basis for the data it enters or imports.
- Providing privacy notices to its own contacts and users.
- Using permissions correctly.
- Keeping user accounts secure.
- Not uploading prohibited data unless the service terms expressly permit it.
- Honouring opt-outs and deletion requests in its own business processes.
15. Liability And Order Of Precedence
Liability, caps, exclusions, and order of precedence must match the main customer terms. A lawyer must align this section with the final commercial agreement.