DATA PROTECTION ADDENDUM

NYGMA.AI

Last Updated: March 18, 2025

This Data Protection Addendum (“Addendum”) supplements the Privacy Policy and Terms of Service of the Nygma.ai service (“Service”) operated by Genie9 LTD (“Genie9”, “we”, “us”, or “our”), a company registered in England and Wales with company registration number 08669198 and VAT number GB233163438.

This Addendum specifically addresses data protection requirements under the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, and other applicable data protection laws. It outlines the data processing activities, safeguards, and responsibilities related to personal data processed through the Service.

1. DEFINITIONS

1.1 “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” (and “Process”), “Personal Data Breach”, and “Supervisory Authority” shall have the meanings given to them in the GDPR or UK GDPR, as applicable.

1.2 “User Personal Data” means Personal Data that you provide to us or generate through your use of the Service, such as account information, payment details, and usage data, but excludes Encrypted Content.

1.3 “Encrypted Content” means files, filenames, metadata, and other content that you upload to the Service in encrypted form using our zero-knowledge encryption system.

1.4 “Technical Impossibility Disclosure” refers to the fact that our zero-knowledge architecture technically prevents us from accessing your Encrypted Content, creating a technical impossibility that supersedes any contractual or legal obligation to produce such data in decrypted form.

2. DATA PROCESSING ROLES

2.1 Dual Roles. Depending on the context:

  • For User Personal Data: Genie9 acts as a Controller
  • For Encrypted Content: The user is the Controller and Genie9 is a Processor
  • For Technical Metadata: Genie9 acts as a Controller

2.2 Controller Activities. When acting as a Controller, Genie9:

  • Determines the purposes and means of processing User Personal Data
  • Handles account management, authentication, and billing
  • Manages service improvement and optimization
  • Ensures security and fraud prevention

2.3 Processor Activities. When acting as a Processor, Genie9:

  • Stores Encrypted Content according to your instructions
  • Processes Encrypted Content solely to provide the Service
  • Does not determine the purposes for which Encrypted Content is processed
  • Cannot access the contents of Encrypted Content due to zero-knowledge encryption

3. DATA PROCESSING DETAILS

3.1 Subject Matter and Duration

  • Subject Matter: Provision of the zero-knowledge encrypted cloud storage Service
  • Duration: Processing continues for the duration of your use of the Service

3.2 Nature and Purpose of Processing

  • Storage of Encrypted Content
  • Authentication and account management
  • Service delivery and maintenance
  • Technical support (limited to User Personal Data)
  • Security and fraud prevention

3.3 Categories of Personal Data

  • User Personal Data: Name, email address, payment information, IP address, device information, usage statistics
  • Encrypted Content: Any personal data contained within the encrypted files you upload, which we cannot access

3.4 Categories of Data Subjects

  • Service users
  • Individuals whose personal data may be contained in Encrypted Content
  • Recipients of shared content

4. PROCESSING LIMITATIONS AND ZERO-KNOWLEDGE ARCHITECTURE

4.1 Technical Impossibility. Our zero-knowledge architecture ensures that:

  • Encryption and decryption occur exclusively on your device
  • We do not have access to your encryption keys
  • We cannot access, view, or process the contents of your Encrypted Content
  • This creates a technical impossibility regarding data access that supersedes any contractual or legal obligation to produce such data in decrypted form

4.2 Limited Processing. We will only process User Personal Data and Encrypted Content:

  • In accordance with your instructions as outlined in this Addendum, the Terms of Service, and through your use of the Service
  • As necessary to provide, maintain, and improve the Service
  • As required by applicable law

4.3 Compliance with Instructions. We will comply with your instructions regarding the processing of Encrypted Content, subject to:

  • Technical limitations of our zero-knowledge architecture
  • Requirements of applicable law
  • Terms of Service and this Addendum

5. DATA SUBJECT RIGHTS

5.1 Facilitating Data Subject Rights. We will assist you in fulfilling your obligations to respond to data subject requests to exercise their rights under applicable data protection laws, taking into account the nature of the processing and the information available to us.

5.2 Direct Requests. If we receive a request from a data subject concerning their personal data contained within Encrypted Content, we will:

  • Promptly notify you of the request
  • Not respond directly to the request except as instructed by you or required by law
  • Direct the data subject to submit the request directly to you

5.3 Technical Limitations. Due to our zero-knowledge architecture:

  • We cannot access, retrieve, modify, or delete specific personal data within your Encrypted Content
  • Implementation of certain data subject rights must be handled by you as the Controller
  • We will assist to the extent technically possible

5.4 User Personal Data. For data subject rights requests concerning User Personal Data for which we are the Controller, we will respond directly in accordance with applicable data protection laws.

6. DATA SECURITY

6.1 Security Measures. We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Zero-knowledge encryption architecture
  • TLS encryption for data in transit
  • Encrypted storage for data at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and testing
  • Staff training on data protection
  • Incident response procedures

6.2 Security Documentation. We maintain documentation of our security measures as required by applicable law and make appropriate information available to you upon request.

6.3 Personnel. We ensure that our personnel authorized to process personal data:

  • Are bound by confidentiality obligations
  • Receive appropriate data protection training
  • Process personal data in accordance with this Addendum

6.4 Zero-Knowledge Security. Our zero-knowledge architecture provides enhanced security by:

  • Preventing unauthorized access to your Encrypted Content, even by Genie9 personnel
  • Ensuring data confidentiality through client-side encryption
  • Limiting the impact of potential data breaches

7. SUB-PROCESSORS

7.1 Authorization. You provide general authorization for Genie9 to engage sub-processors for the provision of the Service, subject to the conditions set out in this section.

7.2 Current Sub-processors. Our current sub-processors include:

  • Amazon Web Services (AWS) for hosting and storage
  • Stripe for payment processing

7.3 Sub-processor Requirements. When engaging sub-processors, we will:

  • Conduct appropriate due diligence
  • Impose data protection terms no less protective than those in this Addendum
  • Remain liable for the performance of the sub-processor’s obligations

7.4 Changes to Sub-processors. If we intend to add or replace a sub-processor, we will:

  • Provide advance notice through our website or direct communication
  • Allow you to object to such changes within a reasonable period
  • If you object to a new sub-processor, you may terminate your subscription and receive a pro-rated refund for any prepaid, unused fees

8. INTERNATIONAL DATA TRANSFERS

8.1 Data Storage Location. Your Encrypted Content is stored on servers located in the United States through Amazon Web Services.

8.2 Transfer Mechanisms. For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries not deemed to provide adequate protection, we rely on:

  • Standard Contractual Clauses approved by the European Commission
  • UK International Data Transfer Addendum or UK Standard Contractual Clauses, as applicable
  • Other valid transfer mechanisms as they become available

8.3 Transfer Impact Assessment. We have conducted a transfer impact assessment and implemented additional safeguards where necessary, taking into account:

  • The zero-knowledge encryption architecture
  • The nature of the personal data being transferred
  • The laws and practices in the destination country

8.4 Additional Safeguards. The zero-knowledge encryption architecture serves as an additional safeguard for international transfers, as the Encrypted Content cannot be accessed by us or government authorities in any country.

9. PERSONAL DATA BREACH

9.1 Breach Notification. In the event of a Personal Data Breach affecting your data, we will:

  • Notify you without undue delay upon becoming aware of the breach
  • Provide information to help you fulfill any notification obligations
  • Take reasonable steps to mitigate the effects and minimize the damage

9.2 Breach Information. Our notification will include, to the extent possible:

  • A description of the nature of the breach
  • The categories and approximate number of data subjects concerned
  • The categories and approximate number of personal data records concerned
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach
  • Contact details for more information

9.3 Zero-Knowledge Context. Due to our zero-knowledge architecture:

  • A breach affecting Encrypted Content would not expose the contents of your files
  • Encrypted data remains protected by your encryption keys
  • The risk to the rights and freedoms of data subjects is significantly reduced

9.4 Documentation. We will document all Personal Data Breaches, including facts, effects, and remedial actions taken, as required by applicable data protection laws.

10. DATA PROTECTION IMPACT ASSESSMENT

10.1 Assistance. Taking into account the nature of processing and information available to us, we will provide reasonable assistance with any data protection impact assessments and prior consultations with Supervisory Authorities that you are required to carry out under applicable data protection laws.

10.2 Assessment Considerations. When conducting your own data protection impact assessment, consider:

  • The zero-knowledge encryption architecture significantly reduces risks to data subjects
  • We cannot access the contents of Encrypted Content
  • Technical and organizational measures are in place to protect User Personal Data

11. DELETION AND RETURN

11.1 Deletion of Encrypted Content. We will delete your Encrypted Content:

  • Upon your deletion of such content through the Service
  • Upon termination of your account
  • As otherwise instructed by you through the Service

11.2 Retention Period. Following deletion:

  • Encrypted Content is immediately deleted from active systems
  • Backups containing deleted content are cycled out within 30 days
  • Due to the zero-knowledge nature of our Service, once deleted, data cannot be recovered

11.3 User Personal Data. We will retain User Personal Data as outlined in our Privacy Policy, subject to our legitimate business interests and legal requirements.

12. AUDIT AND COMPLIANCE

12.1 Documentation. We will make available to you information necessary to demonstrate compliance with the obligations set out in this Addendum and applicable data protection laws.

12.2 Audit Rights. You may audit our compliance with this Addendum by:

  • Reviewing documentation and certifications we make available
  • Submitting reasonable audit questions in writing
  • Requesting additional information specific to our data protection practices

12.3 Third-Party Audits. We may make available the results of third-party audits or certifications to satisfy audit requirements, at our discretion.

12.4 Confidentiality. Any information provided or made available by Genie9 under this section is confidential and may be subject to appropriate confidentiality agreements.

13. LIABILITY AND INDEMNIFICATION

13.1 Liability Limitation. IN NO EVENT SHALL GENIE9’S TOTAL LIABILITY TO YOU FOR ALL CLAIMS ARISING FROM OR RELATING TO THIS ADDENDUM EXCEED ONE HUNDRED U.S. DOLLARS ($100.00), REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT, OR OTHERWISE.

13.2 Technical Impossibility Clause. You acknowledge that due to the zero-knowledge architecture, Genie9 is technically unable to:

  • Access, modify, or delete specific data within your Encrypted Content
  • Comply with certain aspects of data subject requests regarding Encrypted Content
  • Provide decrypted Encrypted Content to authorities or other third parties

13.3 Indemnification. You agree to indemnify and hold harmless Genie9 against any claims, damages, or losses arising from:

  • Your instructions regarding the processing of personal data
  • Your failure to comply with your obligations under applicable data protection laws
  • Requests or demands to access Encrypted Content that Genie9 cannot provide due to the zero-knowledge architecture

14. GENERAL PROVISIONS

14.1 Precedence. In the event of any conflict or inconsistency between the provisions of this Addendum and the Terms of Service or Privacy Policy, this Addendum shall prevail to the extent of such conflict or inconsistency.

14.2 Severability. If any provision of this Addendum is invalid or unenforceable, the remaining provisions will continue in full force and effect.

14.3 Changes. We may update this Addendum from time to time to reflect changes in our practices or applicable laws. Material changes will be communicated to you.

14.4 Governing Law. This Addendum shall be governed by the laws specified in the Terms of Service, subject to any mandatory requirements of applicable data protection laws.

15. CONTACT INFORMATION

For questions about this Data Protection Addendum, please contact:

Genie9 LTD
3 Shortlands
W68DA, London
United Kingdom
Email: legal@genie9.com

END OF DATA PROTECTION ADDENDUM