Data Processing Agreement (DPA)
Processor Agreement (Art. 28 GDPR)
Parties and definitions
Data Controller: the Nodalix client acting as controller of personal data. Data Processor: Nodalix Consulting S.L., which processes data on behalf of the Controller.
Object and scope
The Processor shall process personal data exclusively for: providing the private AI portal service, maintaining technical infrastructure, performing security backups, and handling requests from end users of the Controller.
Processor obligations
(a) Process data only according to documented instructions from the Controller; (b) Ensure that authorized personnel are bound by confidentiality obligations; (c) Implement the security measures set out in Annex II; (d) Obtain prior authorization for subprocessors; (e) Assist the Controller in handling the exercise of data subject rights; (f) Report security breaches without undue delay; (g) Return or destroy data upon termination; (h) Maintain records of processing activities.
Authorized subprocessors
Hetzner Online GmbH (hosting), Resend Inc. (email service), Anthropic PBC (AI processing, under a DPA with Standard Contractual Clauses), OpenAI LLC (AI processing, under a DPA with Standard Contractual Clauses). The Processor will give 30 days' advance notice of any changes.
Technical and organizational measures
AES-256-GCM encryption at rest and TLS 1.3 in transit. Per-client isolation via Docker. Mandatory multi-factor authentication. Audit logging with 24-month retention. Backups encrypted at rest. Quarterly credential rotation.
Audit and inspection
The Controller has the right to audit compliance with the DPA annually or following a security incident. Audits shall be conducted during business hours with 15 days' notice, via questionnaire or remote inspection.
Duration and termination
The DPA is formalized together with the service contract. Upon termination, the Processor shall return the data in a standard format (GDPR Art. 20 export) and destroy all copies, except where retention is legally required.
Need a signed DPA?
Nodalix clients receive an individualized DPA as part of the onboarding process. Contact us to start.