DRAFT — NOT LEGAL ADVICE, pending review. This page contains placeholder text only. It has not been reviewed by legal counsel and does not constitute a legally binding data processing agreement.

Data Processing Agreement

Last updated: Not yet published

This Data Processing Agreement (“DPA”) forms part of the agreement between Nodes-IP (“Processor”) and the customer (“Controller”) for the provision of our platform. It sets out the terms on which Nodes-IP processes personal data on behalf of customers in compliance with GDPR and applicable data protection law.

1. Definitions

[TODO: Define key terms used in this DPA — e.g., "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Sub-processor" — as used in GDPR Art. 4.]

2. Scope

[TODO: Describe the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data involved, and the categories of data subjects. Reference the main service agreement between Nodes-IP and the customer.]

3. Processor obligations

[TODO: Set out the obligations of Nodes-IP as data processor — e.g., process personal data only on documented instructions of the controller; ensure confidentiality obligations on authorised personnel; implement appropriate technical and organisational security measures; assist the controller with data subject requests; delete or return data at end of service; make available all information necessary to demonstrate compliance.]

4. Sub-processors

[TODO: Describe the process for engaging sub-processors, including the requirement for written authorisation or advance notice to the controller, and the obligation to flow down equivalent data protection obligations.] Our current list of sub-processors is available at /legal/sub-processors.

5. International transfers

[TODO: Address cross-border data transfers. Reference the EU Standard Contractual Clauses (Commission Decision 2021/914) as the transfer mechanism for transfers from the EEA to third countries. Confirm which module applies (Controller-to-Processor or Processor-to-Processor). Reference applicable UK IDTA or addendum as required.]

6. Security measures

[TODO: Describe the technical and organisational measures implemented to ensure appropriate security of personal data — e.g., encryption at rest and in transit, access controls, penetration testing, incident response procedures. This section should reference or annex a detailed security schedule.]

7. Data subject requests

[TODO: Describe the process by which the processor will assist the controller in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) within applicable timeframes.]

8. Breach notification

[TODO: Set out the processor's obligation to notify the controller of personal data breaches without undue delay (and in any event within the timeframe agreed or required by applicable law), and the information to be included in such notification.]

9. Audit

[TODO: Describe the controller's right to audit the processor's compliance with this DPA, including through the use of third-party auditors, and any conditions or limitations on such audit rights.]

10. Return and deletion of data

[TODO: Specify the obligations on the processor to return or delete personal data at the end of the service term, including the timeframe and any data export formats available to the controller.]