Data Processing Agreement
Last updated: 2026-05-07
This agreement is publicly viewable for transparency. A signed, executed DPA is available on request for Enterprise plan customers — contact privacy@nescoder.com.
1. Scope
This Data Processing Agreement ("DPA") supplements the Terms of Service and applies when NESCODER LTD ("Processor") processes personal data on behalf of the Customer ("Controller") as part of providing the Tilly service.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person stored in the Service.
- Processing: Any operation performed on Personal Data (collection, storage, use, disclosure, or deletion).
- Sub-processor: A third party engaged by NESCODER LTD to process Personal Data on behalf of the Controller.
3. Data Processing Details
Subject Matter: Provision of cloud-based POS and business management services.
Duration: For the term of the Customer's subscription plus 30 days for data retention.
Categories of Data Subjects: Customer's employees, end customers, and vendors.
Types of Personal Data: Names, phone numbers, email addresses, business transaction records, payment amounts.
4. Obligations of the Processor
- Process Personal Data only on documented instructions from the Controller
- Ensure persons authorized to process data are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Engage sub-processors only with prior consent and equivalent data protection obligations
- Assist the Controller in responding to data subject rights requests
- Delete or return all Personal Data upon termination of the service
- Make available all information necessary to demonstrate compliance
5. Security Measures
NESCODER LTD implements the following technical and organizational measures:
- Encryption in transit (TLS 1.2+) and at rest
- Bcrypt password hashing with automatic upgrade path
- Role-based access control (RBAC) with granular permissions
- Multi-tenant data isolation at the database query level
- Automated daily backups with configurable retention
- Comprehensive audit logging of all data modifications
- Rate limiting and brute-force protection
6. Sub-processors
The following sub-processors are currently engaged:
| Sub-processor | Purpose | Location |
|---|---|---|
| Paddle | Payment processing | UK/EU |
| GoDaddy | Cloud hosting & infrastructure | US |
| EmailJS | Contact form email delivery | US |
7. Data Breach Notification
In the event of a personal data breach, NESCODER LTD will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of the breach, providing all relevant details.
8. Data Transfers
Where Personal Data is transferred outside the EEA, NESCODER LTD ensures adequate protection through Standard Contractual Clauses (SCCs) or other approved transfer mechanisms as required by EU GDPR.
For transfers from the United Kingdom, NESCODER LTD relies on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as approved by the Information Commissioner's Office (ICO).
9. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA. Audits may be conducted upon reasonable written notice (no less than 30 days), during normal business hours, and no more than once per calendar year unless required by a supervisory authority or following a data breach.
NESCODER LTD will provide reasonable assistance and access to relevant documentation, systems, and personnel as needed for the audit.
10. Contact
To request a signed copy of this DPA or for data protection inquiries, contact:
Data Protection Officer: privacy@nescoder.com
NESCODER LTD, 128 City Road, London, EC1V 2NX, United Kingdom.