Privacy and data protection

Where Naneware processes personal data on behalf of a customer across the Core Platform, Finance, Commerce, or Climate ledgers, the customer acts as the controller or equivalent decision-maker and Nane Labs acts as a processor or service provider, except where Nane Labs independently determines the purpose of limited operational data such as billing, security, or compliance records.

Naneware will process customer personal data only on documented instructions from the customer unless otherwise required by applicable law.

Naneware maintains technical and organizational measures appropriate to the nature of the platform and the risks presented by customer personal data.

• Access controls and role-based permissions.
• Transport security and encryption where appropriate.
• System monitoring, logging, and evidence retention.
• Change management, backup, and recovery controls.

Naneware may use vetted subprocessors for hosting, communications, support tooling, and infrastructure operations. Customers may request current subprocessor information relevant to their deployment.

Where personal data is transferred across borders, Naneware will use appropriate transfer mechanisms and safeguards required by applicable law.

Taking into account the nature of the processing, Naneware will provide commercially reasonable assistance to help customers respond to valid requests from data subjects or regulators, provided the customer remains responsible for evaluating and fulfilling those requests.

Naneware maintains procedures for identifying, triaging, containing, and remediating security incidents. Where required by law or contract, customers will be notified without undue delay after confirmation of a personal-data breach affecting customer environments.

At the end of the applicable services, Naneware will return or delete customer personal data in line with the governing agreement, unless retention is required by law, needed for legitimate security and audit purposes, or technically necessary for backup-cycle completion.

Subject to confidentiality, security, and proportionality requirements, Naneware will make available information reasonably necessary to demonstrate compliance with its data-protection commitments and will cooperate with appropriately scoped reviews or assessments required by the governing agreement.