• Home
  • Cookies Policy

Data Processing Addendum (DPA)

Effective Date: August 10, 2025
(for Nassau Technologies, LLC – Devsey)


1. Introduction

This Data Processing Addendum (“Addendum” or “DPA”) forms part of the Terms of Service (“Agreement”) between Nassau Technologies, LLC (“Company,” “we,” “our,” or “us”) and the customer (“Customer,” “you,” or “your”). This Addendum governs the processing of Customer Data through the Devsey platform (“Service”) and applies when the Company processes personal information on behalf of Customer.


2. Definitions

  • “Customer Data” means all personal data, content, or information submitted by Customer or generated through Customer’s use of the Service, including test artifacts (screenshots, HAR files, console logs, DOM snapshots).
  • “Processing” has the meaning set forth in applicable data protection law and includes any operation performed on personal data.
  • “Controller” means the entity that determines the purposes and means of Processing.
  • “Processor/Service Provider” means the entity that Processes personal data on behalf of the Controller.
  • “Subprocessor” means any third party engaged by the Company to Process Customer Data in connection with the Service.

3. Roles of the Parties

  • Customer acts as the Controller.
  • The Company acts as the Processor/Service Provider.
  • Each party shall comply with its respective obligations under applicable data protection laws.

4. Scope and Purpose of Processing

The Company shall Process Customer Data solely:

  • To provide, operate, and improve the Service;
  • To execute browser tests and generate artifacts as directed by Customer;
  • To provide customer support and address technical issues;
  • To comply with applicable law or valid legal process.

The Company shall not:

  • Sell, lease, or disclose Customer Data for marketing purposes;
  • Retain, use, or disclose Customer Data for any purpose other than providing the Service.

5. Customer Responsibilities

  • Ensuring that Customer Data does not include personal information without proper legal basis, authorization, and consent;
  • Configuring tests to avoid capturing unnecessary sensitive information;
  • Complying with all applicable laws, including the New York SHIELD Act and U.S. federal data protection laws.

6. Security Measures

The Company shall implement administrative, technical, and physical safeguards appropriate to the nature of the Customer Data, including but not limited to:

  • Encryption of data in transit and at rest;
  • Secure storage of test artifacts;
  • Hashed password storage;
  • Access controls, multi-factor authentication, and role-based permissions;
  • Secure software development practices aligned with OWASP Top 10;
  • Vulnerability scanning and regular patch management.

7. Subprocessors

Customer acknowledges and authorizes the Company to engage Subprocessors to support the delivery of the Service. Current Subprocessors include:

  • Stripe, Inc. – for payment processing;
  • U.S.-based hosting providers – for infrastructure and storage services.

The Company shall provide Customer with notice of any new Subprocessors and permit Customer to object on reasonable grounds.


8. Data Retention and Deletion

  • Retention: Customer Data, including test artifacts, is retained for up to 90 days after creation, unless deleted earlier by Customer.
  • Deletion: Upon account termination or Customer’s request, the Company shall delete or anonymize Customer Data within 90 days, except where retention is required by law.
  • Backups: Encrypted backups containing Customer Data shall be subject to the same retention and deletion standards.

9. Breach Notification

In the event of a confirmed security breach affecting Customer Data, the Company shall notify Customer without undue delay and in no case later than seven (7) days after discovery. The notification shall describe:

  • The nature of the breach;
  • Categories of Customer Data affected;
  • Remedial actions taken;
  • Steps Customers may take to mitigate potential harm.

10. Law Enforcement and Government Requests

The Company will not disclose Customer Data to law enforcement or governmental authorities except as required by law. Where legally permitted, the Company shall promptly notify Customer of any such request.


11. Force Majeure

The Company shall not be liable for any failure or delay in Processing caused by events beyond its reasonable control, including acts of God, natural disasters, war, terrorism, power outages, Internet failures, or governmental actions.


12. Governing Law and Jurisdiction

This Addendum shall be governed by and construed in accordance with the laws of the State of New York, without regard to conflict-of-law principles. Any disputes shall be subject to arbitration and venue provisions set forth in the Terms of Service.


13. Entire Agreement

This Addendum, together with the Agreement and incorporated policies, constitutes the entire agreement between the parties with respect to data processing. It supersedes all prior discussions, negotiations, or representations, whether oral or written, concerning its subject matter.


14. Contact Information

For questions regarding this DPA, contact:
Nassau Technologies, LLC
Email: support@devsey.com