At NIZU, protecting personal data is a priority. Our ERP/CRM platform has been designed with GDPR (General Data Protection Regulation) at its core, ensuring compliance at every level: technical, organisational, and procedural. Below are the most common questions we receive from customers regarding GDPR compliance.

1. How does NIZU ensure data protection by design and by default?

NIZU was built with privacy by design principles. This means that all features involving personal data are developed with security and minimisation in mind. For example:

• Only the minimum necessary personal data is collected and stored.

• Access to data is role-based, ensuring that users only see what is relevant to their function.

• Strong encryption is applied to both data at rest and in transit.

2. Where is the data stored?

All customer data is stored on secure servers within the European Union, ensuring it remains under GDPR jurisdiction. We work exclusively with hosting providers who are themselves fully GDPR-compliant.

3. Can I exercise my data subject rights within NIZU?

Yes. NIZU makes it simple to handle GDPR rights such as:

• Right of access – Customers can request and export their data at any time.

• Right to rectification – Data can be updated directly through the platform.

• Right to erasure – Data can be permanently deleted when legally permissible.

• Right to portability – Exports are available in common, machine-readable formats.

4. How does NIZU handle data breaches?

We have a documented Incident Response Policy. If a breach occurs:

• Customers are notified without undue delay.

• Authorities are informed within 72 hours, as required by GDPR.

• The root cause is investigated, and corrective measures are implemented immediately.

5. Who has access to customer data?

Access is strictly limited to authorized users:

• Each organization controls who has access to its own ERP/CRM instance.

• Within NIZU, only specific support engineers (under NDA and bound by strict security protocols) may access data, and only when explicitly authorized by the customer.

6. Does NIZU use third-party services?

Yes, but only GDPR-compliant third-party providers are integrated into NIZU. All processors are carefully vetted, and Data Processing Agreements (DPAs) are in place with each one.

7. How long is data retained?

Data retention policies can be configured according to each organization’s requirements. By default, NIZU retains data only as long as it is necessary for providing services and legal compliance.

8. Does NIZU support Data Protection Impact Assessments (DPIAs)?

Yes. NIZU provides documentation and assistance to support customers conducting DPIAs when required.

9. What certifications and standards does NIZU follow?

Our infrastructure partners follow internationally recognized standards such as ISO 27001 for information security and ISO 27701 for privacy management.

10. Who can I contact about GDPR compliance?

We maintain a dedicated Data Protection Officer (DPO) who can be contacted at: privacy@nizu.io.

In summary

NIZU ensures GDPR compliance through:

• Privacy by design & default

• Secure EU-based data storage

• Full support for GDPR data subject rights

• Incident response and breach notification procedures

• Strict access control and vetted third-party providers

• Configurable data retention policies

Your trust is our highest priority, and GDPR compliance is a core part of how NIZU operates at all levels.