Data Processing Addendum (DPA)

1) Availability

A signed DPA is available for B2B and enterprise customers, or for customers who need one for procurement or compliance review. To request one, email legal@nimriz.com.

2) Processing scope (high level)

• Account and workspace data (e.g. user identity, membership, settings).
• Domain and link configuration data required to operate redirects.
• Privacy-aware click analytics dimensions used for reporting and abuse prevention.
• Consent-gated product analytics data, including event data, user properties, account-level properties, and related identifiers used in Amplitude.

Nimriz does not store raw IP addresses or full User-Agent strings in analytics events. When privacy mode is disabled, Nimriz may store only daily-salted hashes to support short-lived deduplication and abuse detection.

For more on privacy controls and analytics handling, see Privacy Policy and Trust.

3) Subprocessors

Nimriz relies on service providers to host and operate the service. Subprocessors may include:

• Cloudflare (edge redirects, Analytics Engine, and privacy-safe archives or exports where applicable).
• Supabase (Postgres database for configuration and aggregated analytics).
• Amplitude (product analytics and related analytics features in the EU residency environment).
• Google (Tag Manager for other consent-gated tags, where configured).

4) Security measures

We implement safety controls on link creation and redirect behavior and maintain privacy-aware defaults for analytics. For an overview of controls, encryption, and incident handling, see Security.

5) Related terms

For the standard service terms that apply outside a negotiated DPA, see our Terms of Service, Privacy Policy, and Refund Policy.