Data Protection Framework

This Data Protection Framework ("Framework") sets out Nesvra Inc.'s binding approach to the governance, processing, and security of personal data across all its services, products, infrastructure, and supply chain. It applies to:

• All Nesvra employees, contractors, and consultants who handle personal data.
• All client engagements where Nesvra processes personal data on behalf of clients (as a Data Processor).
• All operational systems, third-party integrations, and cloud infrastructure used by Nesvra.

This Framework is informed by and complies with the General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA), Nigeria Data Protection Act (NDPA 2023), and other applicable data protection laws. It is reviewed and updated no less than annually, or following significant changes in legislation or business operations.

Data Controller vs. Data Processor

Nesvra operates in two distinct capacities depending on the processing activity:

• As Data Controller: When collecting and using personal data for our own business purposes (e.g., prospecting, account management, marketing, HR). Nesvra determines the purposes and means of processing and bears full controller responsibility.
• As Data Processor: When processing personal data strictly on behalf of our clients within the scope of a tech subscription or platform deployment engagement. Nesvra processes only according to the client's documented instructions and the applicable Data Processing Agreement (DPA).

Key Roles

• Data Protection Officer (DPO): Responsible for overseeing compliance, conducting assessments, training, and serving as the regulatory contact point. Contact: dpo@nesvra.com.
• Chief Security Officer (CSO): Owns technical security controls, incident response, and infrastructure security policy.
• Engineering Leads: Responsible for privacy-by-design implementation and secure development practices within their product teams.

Every data processing activity at Nesvra is mapped to a valid legal basis under GDPR Article 6. We maintain an internal Record of Processing Activities (RoPA) documenting all processing operations. The lawful bases we rely on are:

• Contract (Art. 6(1)(b)): Processing necessary to deliver subscription services, process payments, and fulfill our contractual obligations to clients.
• Legitimate Interests (Art. 6(1)(f)): Improving services, preventing fraud, sending service-related communications, and conducting business development — balanced against individuals' rights through a documented Legitimate Interests Assessment (LIA).
• Consent (Art. 6(1)(a)): Marketing emails, newsletters, non-essential cookies, and any special category data. Consent is freely given, specific, informed, and unambiguous. It can be withdrawn at any time.
• Legal Obligation (Art. 6(1)(c)): Compliance with tax law, regulatory reporting, and law enforcement requests.

Nesvra processes the following categories of personal data, strictly limited to what is necessary:

We do not process special categories of data (e.g., health, racial, political, biometric) unless explicitly required by a client engagement and subject to additional safeguards, explicit consent, and a Data Protection Impact Assessment (DPIA).

Nesvra maintains a multi-layered security posture aligned with ISO/IEC 27001 and NIST CSF. Key controls include:

Encryption

• Data in transit: TLS 1.3 enforced across all endpoints.
• Data at rest: AES-256 encryption for databases, storage volumes, and backups.
• Key management: Hardware Security Modules (HSMs) and automated key rotation.

Access Controls

• Zero-Trust Architecture: no implicit trust — all access requires authentication and authorization.
• Multi-Factor Authentication (MFA) mandatory for all internal systems and client portals.
• Role-Based Access Control (RBAC) with principle of least privilege enforced company-wide.
• Privileged access reviewed quarterly and revoked within 24 hours of employee departure.

Infrastructure & Network Security

• Production environments hosted on AWS/GCP with VPC isolation, security groups, and Web Application Firewalls (WAF).
• DDoS protection via Cloudflare Enterprise.
• Automated vulnerability scanning (daily) and manual penetration testing (bi-annual).

Application Security

• Secure Software Development Lifecycle (SSDLC) with mandatory security code reviews.
• OWASP Top 10 mitigations applied to all web and API surfaces.
• Dependency vulnerability scanning (Snyk, Dependabot) integrated into CI/CD pipelines.

Nesvra operates with team members and infrastructure across the United States, United Kingdom, European Union, and Nigeria. When personal data is transferred to countries outside the EEA that do not benefit from an EU adequacy decision, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs): EU Commission-approved 2021 SCCs are incorporated into all relevant sub-processor and client agreements where cross-border transfer occurs.
• Transfer Impact Assessments (TIAs): Conducted for all transfers to assess the legal framework of the destination country and any supplementary technical measures needed.
• Binding Corporate Rules (BCRs): Under review for future adoption as Nesvra's global footprint expands.

Clients who require data residency within a specific jurisdiction (e.g., EU-only hosting) may request this as part of a custom Enterprise agreement.

Nesvra uses a limited set of vetted, GDPR-compliant sub-processors to support our services. All sub-processors are bound by written Data Processing Agreements incorporating SCCs where applicable. We conduct due diligence before onboarding any new sub-processor and conduct annual reviews.

Clients will be notified of any new sub-processor additions at least 14 days in advance, and may object in writing within that period. The full sub-processor list is available upon request via legal@nesvra.com.

Nesvra maintains a formal procedure for handling Data Subject Access Requests (DSARs) and all data subject rights under GDPR. All requests are logged, tracked, and responded to within 30 days (extendable to 90 days for complex requests with notice).

Supported Rights

• Access & Portability: Provide a copy of personal data in structured, machine-readable format within 30 days.
• Rectification: Correct inaccurate data within 10 business days of verification.
• Erasure: Delete data unless overriding legal obligations apply (e.g., financial records retention law).
• Restriction & Objection: Halt processing while a complaint or dispute is under review.
• Withdraw Consent: Honour within 48 hours for marketing; immediately for any system-based processing.

Requests may be submitted to dpo@nesvra.com. Identity verification is required before disclosure of personal data. Nesvra does not charge fees for routine DSARs but may apply a reasonable charge for manifestly unfounded or excessive requests.

Nesvra maintains a documented Incident Response Plan (IRP). Upon detection of a suspected data breach:

• Containment (0–4 hours): Isolate affected systems, preserve forensic evidence, and convene the Incident Response Team (IRT).
• Assessment (4–24 hours): Determine the nature, scope, and likely impact of the breach. Assess risk to individuals' rights and freedoms.
• Notification — Supervisory Authority (24–72 hours): If the breach poses a risk to individuals, notify the relevant Data Protection Authority (e.g., ICO, CNIL) within 72 hours as required by GDPR Art. 33.
• Notification — Affected Individuals: If the breach is likely to result in high risk, affected data subjects are notified without undue delay (typically within 72 hours of the authority notification).
• Client Notification: Clients whose data is affected are notified within 24 hours of breach confirmation, regardless of regulatory obligations.
• Post-Incident Review: Root cause analysis, corrective actions, and Framework update within 30 days.

Nesvra conducts a Data Protection Impact Assessment (DPIA) for any new processing activity that is "likely to result in high risk" to individuals' rights and freedoms (GDPR Art. 35). This includes:

• Systematic profiling or automated decision-making with significant effect.
• Large-scale processing of sensitive/special category data.
• Systematic monitoring of publicly accessible areas (e.g., CCTV, web scraping).
• New technology deployments where the risk has not been previously assessed.

DPIAs are also completed for significant changes to existing processing activities. Results are documented, reviewed by the DPO, and — where residual risk remains high — submitted to the relevant supervisory authority for prior consultation.

For client-instructed processing, Nesvra will support clients in completing DPIAs where required, providing technical information, architecture diagrams, and security measures as inputs.

Nesvra applies defined retention schedules based on the type of data and applicable legal requirements. Data is not kept longer than necessary.

Upon expiry of the retention period, data is securely deleted using NIST SP 800-88 compliant methods (cryptographic erasure for cloud storage, secure shredding for any physical media). Backup data is purged within 90 days of the primary deletion cycle.

Nesvra maintains a culture of continuous accountability in data protection:

• Annual Framework Review: This Framework is reviewed and updated every 12 months or following material changes in law, operations, or threat landscape.
• Internal Audits: Quarterly data protection audits covering RoPA accuracy, consent records, DSAR log review, and sub-processor compliance.
• Employee Training: All staff complete mandatory data protection and security awareness training upon onboarding and annually thereafter. Role-specific training for engineers, legal, and support teams is provided.
• Supplier Audits: Critical sub-processors are reviewed annually including review of their security certifications and breach history.
• Board Reporting: The DPO provides quarterly data protection status reports to Nesvra's board, including incident summaries, DSAR metrics, and open risks.

Enterprise clients may request an annual summary of Nesvra's data protection audit findings and applicable certifications under NDA.

For all data protection matters including DPAs, DPIAs, DSARs, complaints, or regulatory inquiries, please contact our Data Protection Officer:

If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk. In the EU, contact the supervisory authority in your Member State.