GDPR Compliance
1. Our Commitment to GDPR
Nimaxiom Service Private Limited, operating as NimeDocs ("the Company," "we," "us," or "our"), is committed to protecting the privacy and fundamental rights of individuals in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK General Data Protection Regulation as retained by the European Union (Withdrawal) Act 2018.
We recognise that data protection is not merely a regulatory obligation but a cornerstone of trust between the Company, its customers, and the individuals whose personal data may be processed. This page describes how we comply with GDPR across our operations and, critically, how the architecture of NimeDocs itself provides the strongest possible data protection by design.
2. How NimeDocs Processes Data
NimeDocs is a 100% Salesforce-native managed package listed on the Salesforce AppExchange. This architectural decision has profound data protection implications:
- Customer data never leaves the customer's Salesforce org. All document generation, template merging, and data processing occurs entirely within the customer's own Salesforce instance. There are no external servers, no middleware, and no third-party data processing infrastructure.
- We do not have access to customer CRM data. Because NimeDocs executes within the customer's Salesforce security boundary, the Company does not have the ability to access, view, extract, or store any customer records, contacts, opportunities, or other CRM data.
- Data residency is determined by the customer. Each customer chooses their Salesforce data centre location. NimeDocs inherits this choice — if a customer's Salesforce org is hosted in the EU (e.g., Frankfurt, Paris), all NimeDocs processing occurs within the EU.
- No telemetry or analytics data is transmitted from the customer's org to any external system operated by Nimaxiom.
This architecture represents the strongest possible data protection model for a SaaS document automation product: the vendor (Nimaxiom) never processes, stores, or has access to the customer's personal data.
3. Data Controller vs. Data Processor
Under GDPR, the roles of "data controller" and "data processor" determine obligations and responsibilities. The following table clarifies these roles in the context of NimeDocs:
| Processing Activity | Data Controller | Data Processor | Explanation |
|---|---|---|---|
| Customer CRM data processed by NimeDocs within Salesforce | Customer | Not applicable* | NimeDocs code executes within the customer's org. Nimaxiom does not process this data and is not a data processor for it. (*Salesforce is the infrastructure sub-processor under the customer's agreement with Salesforce.) |
| Website visitor data (nimedocs.com) | Nimaxiom | Analytics/hosting providers | We collect browsing data, cookies, and form submissions via our website. We are the controller for this data. |
| Marketing communications | Nimaxiom | Email service provider | We are the controller for contact information provided for marketing purposes. |
| Customer support interactions | Customer (of their end-user data); Nimaxiom (of contact/ticket data) | Nimaxiom (if customer shares personal data during support) | If a customer shares screenshots or data containing personal data during a support interaction, we act as a processor for that specific data. |
| Billing and payment processing | Nimaxiom | Stripe, Inc. | We are the controller for billing contact details. Payment card data is handled by Stripe, our PCI-compliant payment processor. |
4. Lawful Basis for Processing
Pursuant to Article 6(1) of the GDPR, we rely on the following lawful bases for processing personal data that we control:
| Lawful Basis | Processing Activities |
|---|---|
| Consent — Art. 6(1)(a) | Marketing emails, newsletter subscriptions, non-essential cookies and analytics tracking (see our Cookie Policy for details). Consent is freely given, specific, informed, and unambiguous. Consent may be withdrawn at any time without affecting the lawfulness of prior processing. |
| Performance of a contract — Art. 6(1)(b) | Providing the NimeDocs service, managing subscriptions, processing payments, account administration, and delivering customer support. |
| Legitimate interests — Art. 6(1)(f) | Security monitoring and fraud prevention, product improvement based on aggregated usage analytics, enforcing our terms of service, and responding to legal claims. We conduct balancing tests to ensure our interests do not override data subjects' fundamental rights and freedoms. |
| Legal obligation — Art. 6(1)(c) | Tax reporting, financial record-keeping, responding to lawful requests from regulatory authorities. |
5. Data Subject Rights
Under GDPR, data subjects have the following rights with respect to their personal data. To exercise any of these rights, please contact us at privacy@nimaxiom.com. We will respond without undue delay and in any event within one month of receipt of your request, as required by Article 12(3). This period may be extended by two further months where necessary, taking into account the complexity and number of requests.
| Right | GDPR Article | Description | How to Exercise |
|---|---|---|---|
| Right of access | Art. 15 | Obtain confirmation of whether your personal data is being processed, and if so, access to that data and supplementary information. | Email privacy@nimaxiom.com with "Data Access Request" in the subject line. |
| Right to rectification | Art. 16 | Have inaccurate personal data corrected and incomplete data completed. | Email privacy@nimaxiom.com specifying the data to be corrected. |
| Right to erasure ("right to be forgotten") | Art. 17 | Request deletion of your personal data where there is no compelling reason for its continued processing. | Email privacy@nimaxiom.com with "Erasure Request" in the subject line. |
| Right to restriction of processing | Art. 18 | Request that processing of your personal data be restricted in certain circumstances (e.g., while accuracy is contested). | Email privacy@nimaxiom.com with details of the restriction requested. |
| Right to data portability | Art. 20 | Receive your personal data in a structured, commonly used, and machine-readable format, and transmit it to another controller. | Email privacy@nimaxiom.com with "Data Portability Request" in the subject line. |
| Right to object | Art. 21 | Object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds. | Email privacy@nimaxiom.com or use the unsubscribe link in any marketing email. |
| Right not to be subject to automated decision-making | Art. 22 | Not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects. | Email privacy@nimaxiom.com. Note: NimeDocs does not engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals. |
Important note for NimeDocs customers: If you are an end user of a company that uses NimeDocs within their Salesforce org, your personal data is controlled by that company, not by Nimaxiom. Please direct any data subject requests to your employer or the company that holds your data in their Salesforce org.
6. Data Protection Contact
Nimaxiom has designated a data protection point of contact (note: this is not a formally appointed Data Protection Officer under Articles 37–39 GDPR, as our processing activities do not require mandatory DPO appointment). For all data protection inquiries, requests, or concerns, you may contact:
- Email: privacy@nimaxiom.com
- Postal address: Data Protection, Nimaxiom Service Private Limited, A47, Gurjar ki Thadi, Gopal Pura Bypass, Jaipur, Rajasthan 302015, India
You also have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement, pursuant to Article 77 GDPR. A list of EU supervisory authorities is available at edpb.europa.eu. For individuals in the United Kingdom, the relevant supervisory authority is the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom (https://ico.org.uk).
7. International Data Transfers
Where personal data is transferred outside the European Economic Area (EEA) or the United Kingdom, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR:
- Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for transfers of personal data to countries that have not received an adequacy decision.
- Adequacy decisions: Where the European Commission has determined that a third country ensures an adequate level of data protection (Article 45 GDPR), transfers may be made on that basis.
- Supplementary measures: Where required by the circumstances of the transfer (consistent with the CJEU's Schrems II judgment, Case C-311/18), we implement additional technical and organisational safeguards, including encryption in transit and at rest, access controls, and data minimisation.
NimeDocs customer data: As noted above, NimeDocs processes customer CRM data exclusively within the customer's Salesforce org. The data centre location is determined by the customer's Salesforce contract. Customers who select EU-based Salesforce instances (e.g., EU Central, EU West) ensure that their data remains within the EU. Nimaxiom does not independently transfer customer CRM data across borders.
8. Data Breach Notification
In the event of a personal data breach as defined in Article 4(12) GDPR, we will:
- Notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR. If notification is not made within 72 hours, we will provide a reasoned justification for the delay.
- Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with Article 34 GDPR. Notification will describe the nature of the breach, the likely consequences, the measures taken or proposed to address it, and the contact details of our data protection point of contact.
- Document all breaches, including the facts relating to the breach, its effects, and the remedial action taken, in our internal breach register in accordance with Article 33(5) GDPR.
- Notify affected customers where a breach may affect data they have entrusted to us during support interactions or account management, enabling them to fulfil their own notification obligations.
NimeDocs customer data: Since NimeDocs does not have access to customer CRM data within Salesforce, a breach of Nimaxiom's systems would not expose customer CRM data. Any security incident affecting data within a customer's Salesforce org would be governed by the customer's agreement with Salesforce and Salesforce's breach notification procedures.
9. Data Processing Agreement
Where Nimaxiom acts as a data processor on behalf of a customer (for example, when personal data is shared during support interactions), we will enter into a Data Processing Agreement ("DPA") in accordance with Article 28 GDPR. Our DPA includes:
- The subject matter, duration, nature, and purpose of the processing;
- The types of personal data processed and categories of data subjects;
- The obligations and rights of the controller;
- Instructions for processing, including restrictions on sub-processing;
- Technical and organisational security measures (Article 32 GDPR);
- Obligations regarding data breach notification;
- Return or deletion of personal data upon termination;
- Audit and inspection rights.
To request a copy of our Data Processing Agreement, please email legal@nimaxiom.com.
10. Sub-Processors
In accordance with Article 28(2) GDPR, we maintain a list of sub-processors that may process personal data on our behalf. We conduct due diligence on all sub-processors and require contractual commitments that provide at least the same level of data protection as our DPA.
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Salesforce, Inc. | Platform infrastructure for NimeDocs managed package | NimeDocs application metadata; customer CRM data is governed by the customer's own agreement with Salesforce | Customer-selected data centre region (US, EU, APAC, etc.) |
| Stripe, Inc. | Subscription billing and payment processing | Billing contact details, transaction records; payment card data handled directly by Stripe (PCI DSS Level 1 compliant) | United States (with EU data processing available); see Stripe Privacy Policy |
We will notify customers of any intended changes to the list of sub-processors, providing them with an opportunity to object in accordance with the terms of our DPA.
11. Privacy by Design & Default
In accordance with Article 25 GDPR, the Company implements data protection by design and by default across all processing activities. The NimeDocs architecture exemplifies this principle:
- Minimal data footprint: NimeDocs is 100% Salesforce-native. No customer CRM data is transmitted to, stored on, or processed by any external server operated by Nimaxiom. This eliminates entire categories of data protection risk.
- No data duplication: Documents are generated in real time within the customer's org and stored as Salesforce ContentVersion records. No copies are created outside the org.
- Inherited security controls: NimeDocs inherits the customer's Salesforce security configuration, including sharing rules, field-level security, profiles, permission sets, and encryption (Salesforce Shield, where enabled).
- Data minimisation: We collect only the personal data strictly necessary for each processing purpose. Website analytics are anonymised where possible.
- Pseudonymisation and encryption: Personal data we control (website, marketing, billing) is protected using encryption in transit (TLS 1.2+) and at rest, with access restricted on a need-to-know basis.
- Regular review: Our data protection practices are reviewed periodically and updated to reflect changes in technology, regulation, and business operations.
12. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Specific retention periods include:
- Account and billing data: Retained for the duration of the customer relationship and for a period of seven (7) years thereafter to comply with tax and financial record-keeping obligations.
- Marketing consent records: Retained for as long as the individual remains subscribed, plus three (3) years after unsubscription (as evidence of consent).
- Support interaction data: Retained for two (2) years from the date of resolution to support ongoing service quality and dispute resolution.
- Website analytics data: Aggregated analytics data retained indefinitely; identifiable data deleted or anonymised within twenty-four (24) months.
NimeDocs customer data: Data within the customer's Salesforce org is retained and deleted in accordance with the customer's own data retention policies. Nimaxiom does not control the retention or deletion of data within customer orgs.
Contact
For any questions regarding this GDPR compliance page, or to exercise your data subject rights, please contact:
Data Protection Contact
Nimaxiom Service Private Limited
A47, Gurjar ki Thadi, Gopal Pura Bypass
Jaipur, Rajasthan 302015, India
Email: privacy@nimaxiom.com
Website: https://nimedocs.com