GDPR at NeoKivo

The GDPR is the European Union's data-protection law. NeoKivo is built by an operator based in Japan, but because we serve customers in the EU, the GDPR applies to us — so this page lays out, plainly, how we handle personal data and where every commitment is written down.

The starting point is roles. For your account and billing data we are the controller; for the CRM content inside your workspace you are the controller and NeoKivo is your processor, acting on your instructions. That split runs through everything below.

One thing we will not do is imply an endorsement we do not have. NeoKivo holds no formal data-protection certification and no third-party audit seal; instead of pointing at a badge, we state our practices directly and link each one to where you can verify it — in the Privacy Policy, in the product, or in the Data Processing Addendum on this page.

What we do, and where to check it

  • You can exercise your rights, and export everything

    Access, rectification, erasure, portability, restriction and objection are all honored, for every user regardless of location. Export is a first-class feature: CRM records as CSV, documents by download, at any time.

    Privacy Policy, section 12

  • Essential-only cookies, and no consent banner

    We use one kind of cookie: a session cookie that keeps you signed in after you log in. There are no advertising or cross-site tracking cookies, no analytics pixels, and no session-replay tools — so there is nothing that requires a consent banner, and we do not show one.

    Privacy Policy, sections 4 and 14

  • Encryption at rest and access control

    Documents are encrypted at rest with AES-256 envelope encryption, keyed per workspace. Passwords are stored only as hashes and API keys only as a SHA-256 hash. Access is governed by role-based permissions, per-deal visibility, and an audit log. Traffic runs over TLS.

    Privacy Policy, section 7

  • A short, named list of sub-processors

    We rely on a small set of providers — Stripe, Cloudflare, Resend, OpenAI and Google — each processing only what its function needs. The list is kept current, and material changes are reflected there with a revised date.

    Privacy Policy, section 9

  • International transfers on recognized safeguards

    Our providers operate globally. Where data leaves the European Economic Area, the transfer relies on the safeguards those providers offer, such as the Standard Contractual Clauses.

    Privacy Policy, section 9

  • We tell you promptly if there is a breach

    If we become aware of a personal-data breach affecting your workspace, we notify you without undue delay, and notify a supervisory authority within 72 hours where the GDPR requires it. We do not promise to detect every incident, but we commit to acting on the ones we find.

    Privacy Policy, section 8

  • Retention you control, and a 90-day safety net

    A lapsed or cancelled workspace becomes read-only rather than deleted, and stays retained, viewable and exportable for at least 90 days with prior notice before any permanent deletion — so an accidental lapse does not destroy your data.

    Privacy Policy, section 11

  • A real Data Processing Addendum, already in force

    For business customers, an Article 28 DPA is incorporated automatically — no signature needed. It covers roles, instructions, security, sub-processors, breach assistance, deletion, audit rights and transfers.

    Read the DPA below

Data Processing Addendum

Last updated: July 7, 2026

This Article 28 addendum applies to every workspace used for business purposes and is incorporated into your agreement automatically. No signature is required; a countersigned copy is available on request at hello@neokivo.com.

1. Parties and roles

This Data Processing Addendum ("DPA") forms part of the agreement between the customer ("you") and Julien Tielemans, operator of NeoKivo ("NeoKivo", "we", "us"), and governs the processing of personal data carried out on your behalf.

For the CRM content inside your workspace — contacts, companies, deals, notes, captured emails, documents and everything else you or your team put in — you are the controller and NeoKivo is the processor, as set out in section 2 of our Privacy Policy. This DPA governs that processing. Where NeoKivo acts as controller for your account and billing data, the Privacy Policy applies rather than this DPA.

2. Subject matter, duration, nature and purpose

The subject matter of the processing is the personal data contained in your workspace content. The nature and purpose is to provide the NeoKivo CRM service to you: to store, organize, display, search, export and otherwise process that content so you can run your business, together with the optional features you choose to enable.

The processing lasts for as long as your account exists, and then through the retention and deletion windows described in section 9 of this DPA and section 11 of the Privacy Policy.

3. Categories of data and data subjects

The personal data processed, and the categories of data subject, are determined by you, because you decide what to put into your workspace. Typically they include:

  • Data subjects — your contacts, leads, customers, and the members of your own team who use the workspace.
  • Categories of data — names, email addresses, phone numbers, company and role information, the content of notes and captured emails, uploaded documents, and any other personal data you choose to record in CRM fields.
  • You are responsible for not placing special categories of data (such as health or biometric data) into the workspace unless you have a lawful basis to do so; NeoKivo is not designed to process special-category data.

4. Processing on documented instructions

We process your workspace content only on your documented instructions, including as to international transfers, unless required to do otherwise by law that applies to us — in which case we will tell you first, unless the law forbids it. Your instructions are given through your use of the product and its settings, and through this DPA and the Privacy Policy. We will tell you if we believe an instruction infringes data-protection law.

5. Confidentiality

Access to your workspace content is restricted to the operator and, where applicable, to sub-processors bound by their own confidentiality and data-protection obligations. Any person authorized to process the data is committed to confidentiality. Because NeoKivo is run by its founder rather than a support organization, there is no wide pool of staff with access to your data.

6. Security measures

We implement appropriate technical and organizational measures to protect your workspace content, consistent with section 7 of the Privacy Policy. These include:

  • Documents encrypted at rest using AES-256 envelope encryption, with a distinct key derived per workspace.
  • Passwords stored only as hashes, never in plain text; API keys stored only as a SHA-256 hash.
  • Access governed by role-based permissions and per-deal visibility rules.
  • An audit log of security-relevant actions in a workspace.
  • Traffic to the service carried over TLS (HTTPS), terminated at our Cloudflare edge.

7. Sub-processors

You give general authorization for NeoKivo to engage sub-processors to help provide the service. Our current sub-processors are the ones listed in section 8 of the Privacy Policy: Stripe (billing), Cloudflare (delivery, document storage, email routing), Resend (some transactional email), OpenAI (AI assistant, only when you use it), and Google (Gmail sending and sign-in, only if you use those). Each is bound to protect the data it handles and processes only what its function needs.

We keep that list current on the Privacy Policy page. When we add or replace a sub-processor, we update the list there with a revised date, which serves as notice of the change and gives you the opportunity to object.

8. Assistance with your obligations

Taking into account the nature of the processing, we will assist you in meeting your own obligations under the GDPR:

  • Data-subject rights — the product lets you access, correct, export and delete records yourself; where a request cannot be handled through the product, we will help you respond. If one of your own contacts approaches us directly, we refer them to you as the controller (Privacy Policy section 13).
  • Breach notification — we will notify you without undue delay after becoming aware of a personal-data breach affecting your workspace, following the process in section 8 of the Privacy Policy, so you can meet your own notification duties.
  • Data-protection impact assessments — we will provide the information reasonably available to us to support an assessment or a prior consultation with a supervisory authority.

9. Deletion or return on termination

You can export your workspace content at any time — CRM records as CSV and documents by download — so return of the data is always in your hands. On termination, and consistent with section 11 of the Privacy Policy, we retain a cancelled or lapsed workspace in read-only form for at least 90 days, with prior notice, before permanent deletion, so an accidental lapse does not destroy your data. After that window, and on your request to delete, we delete the workspace content, except where the law requires us to keep certain records (such as billing and tax records) for longer.

10. Audit and information rights

We will make available to you the information reasonably necessary to demonstrate compliance with this DPA, and will answer your questions and provide documentation about our processing and security measures. Given that NeoKivo is a single-operator service, this takes the form of answering vendor-review questions and sharing documentation rather than hosting on-site audits or granting infrastructure access.

11. International transfers

Our sub-processors operate globally, so your data may be processed outside the European Economic Area. Where that happens, the transfer relies on the safeguards those providers offer, such as the Standard Contractual Clauses, consistent with section 8 of the Privacy Policy. We do not make onward transfers outside those safeguards.

12. Incorporation and precedence

This DPA applies to every NeoKivo workspace used for business purposes and is incorporated into the agreement automatically — these terms apply to every workspace, no signature is required, and a countersigned copy is available on request at hello@neokivo.com. If there is a conflict between this DPA and the rest of the agreement on the processing of workspace content, this DPA governs. It does not otherwise change the Terms of Service or the Privacy Policy.