Data Processing Addendum
Effective date: June 4, 2026
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Mule Digital LLC, operator of the Nest platform (“Nest,” “we,” “us”), and the customer (“Customer,” “you”). It applies where we process, on your behalf, the personal information of your clients, leads, and contacts (“Client Personal Information”) that you submit to the Service. For your own account information, our Privacy Policy governs.
1. Roles of the parties
For Client Personal Information, you are the controller (and, under California law, the “business”) and we are your processor (and “service provider”). You determine the purposes and means of processing; we process only as described here and on your documented instructions. You are responsible for the lawfulness of the Client Personal Information you provide and for having all necessary consents, notices, and lawful bases to provide it and have us process it.
2. Scope and instructions
We will process Client Personal Information only: (a) to provide and support the Service; (b) as documented in the Terms, this DPA, and the product’s configuration and features as you use them; and (c) as otherwise instructed by you in writing, unless legally required to do otherwise (in which case we will inform you unless prohibited by law). We will tell you if we believe an instruction violates applicable data-protection law.
3. Nature and details of processing
- Subject matter and duration: processing for the term of the Terms and any wind-down period.
- Nature and purpose: hosting, storage, organization, retrieval, transmission, display, AI-assisted drafting, and deletion of Client Personal Information to provide the CRM, document vault, communications, illustration, and related features.
- Categories of data subjects: your clients, prospects, leads, and contacts.
- Categories of data: identifiers and contact details; policy, product, and insurance information; financial and commission-related information; documents you upload; notes and communications. You control what you submit; the Service is not designed for, and you should not submit, unnecessary sensitive data.
4. Confidentiality
We ensure that personnel authorized to process Client Personal Information are bound by appropriate confidentiality obligations and access it only as needed to provide the Service.
5. Security
We maintain appropriate technical and organizational measures designed to protect Client Personal Information, including encryption in transit (TLS 1.2+) and at rest (AES-256), application-layer encryption of integration credentials, role- and organization-scoped access controls, audit logging on document-vault reads and writes, and segregation that prevents cross-organization access by design. These measures are described further in the Privacy Policy.
6. Sub-processors
You authorize us to engage the sub-processors needed to operate the Service. Each is bound by data-protection obligations no less protective than this DPA. Our current sub-processors include:
- Clerk — identity and authentication
- Neon — database hosting
- Vercel — application hosting, Blob storage, analytics, and AI Gateway
- Stripe — payment processing
- Resend — transactional email
- OpenAI — voice transcription (zero-retention API)
- Google — AI text generation (via the Vercel AI Gateway)
We will give notice before adding or replacing a sub-processor (for example, by updating this page or notifying you). If you reasonably object on data-protection grounds, you may notify us promptly and, if we cannot reasonably accommodate the objection, you may terminate the affected Service as your exclusive remedy.
7. Assistance with data-subject requests
Taking into account the nature of the processing, we will provide reasonable assistance — including the Service’s self-service access, export, correction, and deletion tools — to help you respond to requests from data subjects to exercise their rights. If we receive such a request directly, we will, unless legally required to act, refer the requester to you.
8. Personal data breaches
We will notify you without undue delay after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to Client Personal Information, and will provide information reasonably available to help you meet your own notification obligations.
9. Deletion and return
On termination, you may export Client Personal Information through the Service for a limited period. After that, we will delete or return Client Personal Information except where retention is required by law or for limited backup cycles, after which it is deleted.
10. Audits and information
On reasonable written request, and no more than once per year unless required by a regulator or following a breach, we will make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality and to protecting the security of the Service and other customers.
11. California service-provider terms
With respect to personal information subject to the CCPA/CPRA, we act as a “service provider.” We will not: (a) sell or share such personal information; (b) retain, use, or disclose it for any purpose other than the business purposes specified in the Terms and this DPA, or as otherwise permitted by the CCPA; (c) retain, use, or disclose it outside the direct business relationship; or (d) combine it with personal information from other sources except as permitted by the CCPA. We certify that we understand and will comply with these restrictions.
12. International transfers
The Service is operated for United States customers and their U.S.-based data subjects. If processing of personal data subject to non-U.S. law becomes in scope, the parties will put in place an appropriate transfer mechanism (such as the Standard Contractual Clauses) before such processing.
13. Liability and precedence
Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Terms of Service. If there is a conflict between this DPA and the Terms regarding the processing of Client Personal Information, this DPA controls.
14. Contact
Mule Digital LLC — Nest
[PRINCIPAL ADDRESS]
hello@nestannuity.com