GDPR Compliance
Last updated: February 1, 2026
1. Our Commitment
NinjaIT is committed to protecting the privacy and security of personal data in compliance with the EU General Data Protection Regulation (GDPR). This page describes how we comply with GDPR requirements and outlines your rights as a data subject.
Whether you are a customer, prospective customer, or website visitor in the European Economic Area (EEA), we process your data in accordance with GDPR principles.
2. Roles and Responsibilities
2.1 NinjaIT as Data Controller
When we collect and process data about our customers (account information, billing, website usage), NinjaIT acts as the data controller. We determine the purposes and means of processing this data.
2.2 NinjaIT as Data Processor
When our customers use NinjaIT to monitor and manage their clients' devices, NinjaIT acts as a data processor on behalf of the customer (who is the data controller). In this role, we process device telemetry and endpoint data strictly according to our customers' instructions and the terms of our Data Processing Agreement (DPA).
3. Lawful Basis for Processing
We process personal data under the following legal bases:
- Contract performance (Article 6(1)(b)): Processing necessary to provide the Service you signed up for — account management, device monitoring, alerting, and support.
- Legitimate interests (Article 6(1)(f)): Processing for fraud prevention, security, product improvement, and analytics, where our interests do not override your rights.
- Consent (Article 6(1)(a)): Processing based on your explicit consent, such as marketing communications and optional analytics cookies. You may withdraw consent at any time.
- Legal obligation (Article 6(1)(c)): Processing necessary to comply with legal requirements such as tax regulations and law enforcement requests.
4. Your Rights Under GDPR
As a data subject in the EEA, you have the following rights:
Right of Access (Article 15)
Request a copy of the personal data we hold about you, along with information about how it is processed.
Right to Rectification (Article 16)
Request correction of inaccurate personal data, or completion of incomplete data.
Right to Erasure (Article 17)
Request deletion of your personal data when it is no longer necessary for the original purpose, or when you withdraw consent.
Right to Restrict Processing (Article 18)
Request that we limit the processing of your data in certain circumstances, such as while verifying accuracy.
Right to Data Portability (Article 20)
Receive your personal data in a structured, machine-readable format and transmit it to another controller.
Right to Object (Article 21)
Object to processing based on legitimate interests or for direct marketing purposes.
Right Not to Be Subject to Automated Decisions (Article 22)
Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
To exercise any of these rights, email us at privacy@ninjait.app. We will respond within 30 days. In complex cases, we may extend this by an additional 60 days with prior notice.
5. Data Processing Agreement
For customers who process personal data of EU/EEA individuals through NinjaIT, we provide a Data Processing Agreement (DPA) that includes:
- Description of the processing activities and data categories
- Obligations and rights of the data controller and processor
- Technical and organizational security measures
- Sub-processor management and notification procedures
- Data breach notification obligations (within 72 hours)
- Provisions for audits and inspections
- Standard Contractual Clauses (SCCs) for international transfers
To request a DPA, contact us at legal@ninjait.app.
6. International Data Transfers
When personal data is transferred outside the EEA, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs): EU-approved contractual safeguards for data transfers to third countries
- Adequacy decisions: Transferring data to countries deemed adequate by the European Commission
- Supplementary measures: Additional technical safeguards such as encryption and pseudonymization where required
7. Data Breach Notification
In the event of a personal data breach, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where required)
- Notify affected data subjects without undue delay when the breach is likely to result in high risk to their rights
- Notify our customers (as data controllers) without undue delay when we process data on their behalf
- Document all breaches, including facts, effects, and remedial actions taken
8. Sub-Processors
We use the following categories of sub-processors to operate the Service:
- Cloud infrastructure: Hosting and computing services
- Payment processing: Secure payment handling
- Email delivery: Transactional and notification emails
- Analytics: Anonymized usage analytics
- Support: Customer support tools
All sub-processors are bound by data processing agreements that meet GDPR requirements. We maintain an up-to-date list of sub-processors and will notify customers of any changes at least 30 days in advance.
9. Technical and Organizational Measures
We implement comprehensive security measures including:
- AES-256 encryption for data at rest
- TLS 1.3 for data in transit
- Role-based access control (RBAC) with multi-tenant data isolation
- Regular security assessments and penetration testing
- Employee security awareness training
- Incident response procedures and data breach protocols
- Encrypted backups with disaster recovery capabilities
- Audit logging for all data access and modifications
10. Supervisory Authority
If you believe that our processing of your personal data violates GDPR, you have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.
We encourage you to contact us first at privacy@ninjait.app so we can address your concerns directly.
11. Contact Our Data Protection Team
For any GDPR-related inquiries, data subject requests, or DPA requests:
- Privacy: privacy@ninjait.app
- Legal: legal@ninjait.app
- Website: ninjait.app/contact