Data Processing Addendum

Last updated: May 18, 2026

How nomadall processes customer personal data on your behalf.

This Data Processing Addendum ("DPA") forms part of the agreement between nomadall ("Processor") and the customer ("Controller") for the processing of personal data in connection with the nomadall service. It is designed to support compliance with the EU GDPR, UK GDPR, and equivalent regimes such as the CCPA.

1. Roles and scope

The Controller determines the purposes and means of processing. nomadall acts as a Processor and processes personal data only on the Controller's documented instructions, which include the use of the service as configured in the account.

2. Subject matter and duration

Subject matter: provision of the nomadall platform. Duration: the term of the underlying agreement, plus any post-termination period required to return or delete data.

3. Nature and purpose

Processing supports tenant operations including dispatch, billing, leases, residents, vendors, hiring, and reporting, plus operational logging, support, abuse prevention, and service improvement.

4. Categories of data

Identification data, contact data, employment and tenancy data, financial and payment data, communications, device and usage telemetry, and any additional data the Controller chooses to upload.

5. Categories of data subjects

Controller's staff, customers, residents, applicants, vendors, and other individuals whose data the Controller submits to the service.

6. Sub-processors

The Controller authorizes nomadall to engage sub-processors for hosting, email delivery, payments, and analytics. A current list is available on request to privacy@nomadall.com; nomadall will give reasonable notice of new sub-processors and remains liable for their acts and omissions.

7. Security

nomadall implements appropriate technical and organizational measures including encryption in transit, encryption at rest, tenant isolation via row-level security, role-based access, audit logging, and least-privilege production access. See the Security page for current detail.

8. International transfers

Where personal data is transferred outside the EEA, UK, or Switzerland, nomadall relies on Standard Contractual Clauses or equivalent transfer mechanisms together with supplementary measures.

9. Data subject requests

nomadall provides self-service tooling for access, correction, export, and deletion of personal data, and will reasonably assist the Controller in responding to data subject requests it cannot fulfill directly.

10. Personal data breach

nomadall will notify the Controller without undue delay (and in any event within 72 hours of confirmation) of any personal data breach affecting Controller data, with sufficient information to meet the Controller's notification obligations.

11. Audits

Upon reasonable written request, nomadall will make available information necessary to demonstrate compliance with this DPA, and will contribute to audits conducted by the Controller or a mutually agreed independent auditor under appropriate confidentiality.

12. Return or deletion

On termination, nomadall will, at the Controller's choice, return or delete personal data within a reasonable period unless retention is required by law.

13. Contact

Questions about this DPA: privacy@nomadall.com.