Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) forms part of and supplements the applicable NexNodo Terms of Service, Cloud Service Agreement, Enterprise Agreement, Order Form, or other applicable customer agreement entered into between NexNodo Inc. (“NexNodo”) and the applicable customer (“Customer”).This DPA establishes the Parties’ respective obligations regarding the processing of Personal Data in connection with the NexNodo platform, cloud services, infrastructure services, marketplace services, and related operational activities.

Unless otherwise defined herein, capitalized terms shall have the meanings assigned under the Master Agreement.

1. PURPOSE AND SCOPE

The purpose of this DPA is to define the Parties’ respective obligations regarding:

processing of Personal Data
data protection compliance
cross-border transfers
security obligations
subprocessor management
incident handling
data subject rights support
and operational cooperation relating to Personal Data processed in connection with the Master Agreement.

This DPA applies to Personal Data processed through or in connection with:

the NexNodo platform
cloud infrastructure environments
GPU infrastructure environments
Kubernetes environments
OpenStack environments
Rancher environments
billing systems
marketplace systems
deployment tooling
monitoring systems
operational telemetry
support operations
authentication systems
or substantially equivalent operational environments.

2. DEFINITIONS

For purposes of this DPA:

“Applicable Data Protection Law” means applicable privacy, data protection, cybersecurity, consumer privacy, or Personal Data processing laws applicable to the Parties, including where applicable:

GDPR
UK GDPR
EU Member State privacy laws
CCPA/CPRA
or substantially equivalent legal frameworks.

“Controller” means the entity determining the purposes and means of Personal Data processing.

“Processor” means the entity processing Personal Data on behalf of a Controller.

“Subprocessor” means a Processor engaged by another Processor to process Personal Data.

“Personal Data” means information relating to an identified or identifiable natural person, or equivalent legally protected personal information under Applicable Data Protection Law.

Personal Data processed under this DPA may include, without limitation:

customer account information
user identifiers
email addresses
authentication metadata
IP addresses
billing metadata
usage metadata
deployment metadata
operational logs
support communications
monitoring information
infrastructure telemetry
Kubernetes operational metadata
OpenStack operational metadata
Rancher operational metadata
or substantially equivalent operational data categories.

“Processing” shall have the meaning assigned under Applicable Data Protection Law and includes collection, recording, storage, organization, hosting, use, disclosure, transfer, deletion, analysis, access, or substantially equivalent operations performed on Personal Data.

3. ROLE OF THE PARTIES

The Parties acknowledge that processing roles may vary depending on the applicable operational, technical, contractual, or regulatory context.

Accordingly, depending on the applicable processing activity, NexNodo and Partner may operate in one or more of the following capacities:

Controller
Processor
Subprocessor
Business
Service Provider
Infrastructure Processor
Infrastructure Subprocessor
or substantially equivalent legally recognized processing roles.

3.1 NEXNODO OPERATIONAL ROLE

Without limitation, NexNodo may act as:

Controller
Processor
Business
Service Provider
or substantially equivalent role,

depending upon the applicable operational context.

Examples may include:

customer onboarding
customer lifecycle management
commercial operations
billing operations
marketplace administration
customer support operations
platform telemetry
service administration
or customer-hosted workload processing.

3.2 PARTNER OPERATIONAL ROLE

Without limitation, Partner may act as:

Processor
Infrastructure Processor
Subprocessor
Infrastructure Subprocessor
Hosting Provider
or substantially equivalent operational role.

Examples may include:

infrastructure hosting
storage operations
backup operations
monitoring operations
deployment environments
operational telemetry
operational logging
GPU hosting
Kubernetes hosting
OpenStack hosting
Rancher environments
or associated infrastructure operations.

3.3 PROCESSING CHAIN FLEXIBILITY

The Parties acknowledge that processing relationships may vary based upon service model, deployment architecture, customer relationship model, regulatory requirements, or infrastructure arrangement.

Examples may include:

Customer → Controller → NexNodo → Processor → Partner → Infrastructure Subprocessor.
NexNodo → Controller → Partner → Processor.
NexNodo → Processor → Partner → Infrastructure Subprocessor.
or substantially equivalent processing chains.

Nothing in this DPA shall prohibit lawful role variations reasonably required by applicable operational models.

4. PROCESSING INSTRUCTIONS

To the extent Partner acts as Processor or Subprocessor, Partner shall process Personal Data solely:

on documented instructions from NexNodo
as reasonably necessary to perform obligations under the Master Agreement
to comply with applicable legal obligations
or as otherwise permitted under Applicable Data Protection Law.

Partner shall not:

sell Personal Data
commercialize Personal Data
use Personal Data for unrelated commercial activities
use Personal Data for competitive intelligence activities
profile Personal Data for unrelated purposes
or process Personal Data for purposes inconsistent with the Master Agreement or this DPA.

Where Partner believes an instruction violates Applicable Data Protection Law, Partner shall promptly notify NexNodo unless legally prohibited from doing so.

5. CONFIDENTIALITY OF PROCESSING

Partner shall ensure that personnel authorized to process Personal Data:

are bound by confidentiality obligations
receive appropriate access limitations
maintain commercially reasonable security awareness
and process Personal Data solely to the extent reasonably necessary for authorized purposes.

Confidentiality obligations may arise pursuant to:

employment obligations
contractual obligations
professional obligations
policy obligations
or substantially equivalent confidentiality frameworks.

Partner shall remain responsible for authorized personnel processing Personal Data under its responsibility.

6. SECURITY OF PROCESSING

The Parties shall implement commercially reasonable administrative, technical, operational, organizational, and security measures reasonably appropriate to the nature, sensitivity, volume, and operational context of Personal Data processed under this DPA.

Without limitation, such measures may include:

access controls
authentication controls
least-privilege methodologies
logging controls
monitoring practices
credential management controls
network protections
secure storage methodologies
backup protections
incident handling procedures
or substantially equivalent safeguards.

Additional security measures applicable to this DPA are described in the Security Measures Annex attached hereto.

7. SUBPROCESSORS

NexNodo may engage subprocessors, vendors, cloud providers, payment providers, infrastructure vendors, observability vendors, communications providers, authentication providers, analytics providers, or substantially equivalent third parties in connection with services contemplated under the Master Agreement.

Examples may include:

payment processors
cloud infrastructure providers
identity providers
monitoring providers
logging providers
communications providers
customer enablement tooling
or equivalent operational providers.

Partner authorizes NexNodo’s use of subprocessors provided that NexNodo maintains commercially reasonable measures regarding subprocessor governance.

7.1 SUBPROCESSOR OBLIGATIONS

Where NexNodo engages subprocessors reasonably involved in Personal Data processing, NexNodo shall use commercially reasonable efforts to ensure such subprocessors are bound by data protection obligations reasonably appropriate to the nature of processing involved.

7.2 PARTNER SUBPROCESSORS

To the extent Partner engages subprocessors in connection with processing activities falling within this DPA, Partner shall remain responsible for such subprocessors and shall implement commercially reasonable subprocessor governance measures reasonably aligned with this DPA.

8. INTERNATIONAL AND CROSS-BORDER TRANSFERS

The Parties acknowledge that Personal Data processed under this DPA may be processed, hosted, accessed, stored, transferred, replicated, backed up, or operationally supported across multiple jurisdictions.

Where cross-border transfers occur, the Parties shall use commercially reasonable efforts to implement legally appropriate safeguards reasonably aligned with Applicable Data Protection Law.

Such safeguards may include:

contractual safeguards
organizational safeguards
technical safeguards
transfer mechanisms
SCC-compatible contractual frameworks
or substantially equivalent lawful transfer mechanisms.

Nothing in this DPA requires either Party to implement transfer mechanisms inconsistent with applicable law.

8.1 — EU AND UK TRANSFER SAFEGUARDS

Where processing activities involve Personal Data protected under GDPR, UK GDPR, or substantially equivalent European data protection frameworks, the Parties shall use commercially reasonable efforts to implement legally appropriate transfer safeguards.

Such safeguards may include:

European Commission Standard Contractual Clauses (SCCs)
UK transfer mechanisms
supplementary contractual safeguards
technical safeguards
organizational safeguards
or substantially equivalent lawful transfer frameworks.

Where required under Applicable Data Protection Law, the Parties shall cooperate in good faith regarding implementation of such safeguards.

9. DATA SUBJECT RIGHTS ASSISTANCE

To the extent required under Applicable Data Protection Law and taking into account the nature of processing involved, Partner shall use commercially reasonable efforts to reasonably assist NexNodo regarding:

access requests
deletion requests
rectification requests
restriction requests
portability requests
objection requests
or substantially equivalent legally protected data subject rights.

Unless prohibited by law, Partner shall promptly notify NexNodo regarding material data subject requests reasonably relating to Personal Data processed under this DPA.

10. PERSONAL DATA BREACH NOTIFICATION

Partner shall notify NexNodo regarding Personal Data Breaches affecting Personal Data processed under this DPA.

Notification shall occur:

without undue delay, and where reasonably practicable, within seventy-two (72) hours following awareness of the applicable Personal Data Breach.

Such notification shall include, where reasonably available:

nature of incident
known affected data categories
known operational impact
known remediation status
known mitigation measures
or substantially equivalent operational information.

Partner shall use commercially reasonable efforts to cooperate regarding remediation, mitigation, investigation, and legally required notification activities.

11. DELETION, RETURN, AND RETENTION OF PERSONAL DATA

Upon expiration or termination of the applicable Master Agreement, or upon reasonably documented request where operationally appropriate, Partner shall, subject to applicable legal, regulatory, accounting, archival, backup, security, litigation hold, or compliance requirements:

return Personal Data
delete Personal Data
render Personal Data inaccessible
or implement substantially equivalent commercially reasonable handling measures.

Notwithstanding the foregoing, Partner may retain:

routine backup copies
archival materials
compliance records
security logs
audit materials
legally required retention copies
or substantially equivalent operational retention materials,

provided such retained information remains subject to the confidentiality, security, and data protection obligations contained within this DPA.

Secure deletion practices may include commercially reasonable deletion methodologies, logical deletion procedures, cryptographic destruction, storage lifecycle management practices, or substantially equivalent operational measures.

12. AUDIT RIGHTS AND COMPLIANCE COOPERATION

To the extent reasonably required under Applicable Data Protection Law and taking into account the nature, scope, operational sensitivity, and infrastructure context of applicable processing activities, the Parties shall cooperate in good faith regarding reasonable compliance verification activities.

Compliance cooperation may include:

written questionnaires
security attestations
certification information
reasonable policy summaries
operational documentation summaries
security control descriptions
or substantially equivalent commercially reasonable compliance evidence.

Unless otherwise required under Applicable Data Protection Law or expressly agreed in writing, this DPA does not create:

unlimited onsite audit rights
unrestricted technical inspection rights
continuous monitoring rights
unrestricted penetration testing rights
source code access rights
or invasive operational audit rights.

The Parties shall use commercially reasonable efforts to avoid unnecessary operational disruption, security risk, or disclosure of confidential information during compliance verification activities.

13. LIABILITY ALIGNMENT WITH MASTER AGREEMENT

Except where prohibited by Applicable Data Protection Law, the liability framework, limitation of liability provisions, disclaimer provisions, indemnification provisions, dispute resolution framework, and related commercial protections established under the Master Agreement shall apply to this DPA.

Nothing in this DPA shall be interpreted as expanding liability beyond the framework established under the Master Agreement unless expressly required under non-waivable Applicable Data Protection Law.

14. TERM AND SURVIVAL

This DPA shall become effective upon effectiveness of the applicable Master Agreement.

This DPA shall remain effective for so long as Personal Data processing activities governed by this DPA continue.

Expiration or termination of the Master Agreement shall not automatically terminate obligations which by their nature should survive, including:

confidentiality obligations
security obligations
cross-border transfer obligations
breach notification obligations
deletion and retention obligations
audit cooperation obligations
or substantially equivalent obligations intended to survive.

15. RELATIONSHIP TO MASTER AGREEMENT

This DPA supplements and forms part of the applicable Master Agreement.

To the extent of direct conflict between this DPA and the Master Agreement regarding Personal Data processing matters, this DPA shall govern solely with respect to Personal Data processing obligations.

Except as expressly modified herein, the Master Agreement shall remain in full force and effect.

16. GOVERNING LAW

This DPA shall be governed by and construed in accordance with the laws specified under the applicable Master Agreement.

Disputes arising from this DPA shall be resolved pursuant to the dispute resolution framework established under the Master Agreement unless otherwise required by non-waivable Applicable Data Protection Law.

17. MISCELLANEOUS

This DPA constitutes the complete agreement of the Parties concerning Personal Data processing obligations addressed herein and supersedes prior understandings relating solely to such subject matter.

No amendment, modification, waiver, or supplement to this DPA shall be effective unless made in writing and executed by authorized representatives of the Parties.

If any provision of this DPA is determined to be invalid, illegal, or unenforceable, the remaining provisions shall remain in full force and effect.

Failure to enforce any provision shall not constitute waiver.

ANNEX A — SECURITY MEASURES ANNEX

The Parties shall maintain commercially reasonable administrative, organizational, technical, operational, and security measures reasonably appropriate to the nature of Personal Data processing contemplated under this DPA.

Without limitation, commercially reasonable measures may include the following categories.

A.1 ACCESS CONTROL

Commercially reasonable access control measures may include:

least-privilege methodologies
role-based access controls
named user accounts
authorization controls
session management controls
access approval procedures
and substantially equivalent access governance measures.

A.2 AUTHENTICATION SECURITY

Security controls may include:

multi-factor authentication (MFA)
two-factor authentication (2FA)
credential management controls
commercially reasonable password practices
authentication monitoring
credential lifecycle management
or substantially equivalent authentication safeguards.

A.3 NETWORK AND INFRASTRUCTURE SECURITY

Commercially reasonable safeguards may include:

network segmentation
firewall controls
monitoring controls
secure communications protocols
network visibility measures
traffic protections
endpoint protections
or substantially equivalent network security measures.

A.4 ENCRYPTION

Where commercially reasonable and operationally appropriate, safeguards may include:

encryption in transit
encryption at rest
key management controls
secure communications methodologies
or substantially equivalent cryptographic protections.

A.5 LOGGING AND MONITORING

Operational safeguards may include:

logging controls
security monitoring
audit logging
operational alerting
event monitoring
access monitoring
or substantially equivalent observability controls.

A.6 INCIDENT RESPONSE

Commercially reasonable operational safeguards may include:

incident response procedures
incident escalation processes
containment methodologies
recovery procedures
investigation procedures
or substantially equivalent incident management controls.

A.7 CHANGE MANAGEMENT

Operational governance controls may include:

change approval procedures
deployment governance
configuration controls
release management procedures
rollback procedures
or substantially equivalent operational governance safeguards.

A.8 BACKUP, RECOVERY, AND RESILIENCE

Commercially reasonable resilience controls may include:

backup protections
disaster recovery measures
availability protections
redundancy practices
restoration procedures
or substantially equivalent resilience safeguards.

A.9 SECURE DELETION

Operational controls may include:

secure deletion practices
logical deletion methodologies
storage lifecycle management practices
cryptographic destruction techniques
or substantially equivalent secure disposal measures.

A.10 PERSONNEL SECURITY AND CONFIDENTIALITY

Commercially reasonable personnel safeguards may include:

confidentiality obligations
security awareness activities
access limitation measures
personnel governance practices
or substantially equivalent organizational safeguards.

ANNEX B — PROCESSING DETAILS APPENDIX

Subject Matter of Processing

Personal Data processing relating to services, infrastructure operations, hosting activities, commercial activities, platform operations, marketplace activities, customer enablement activities, operational support activities, and related activities contemplated under the Master Agreement.

Duration of Processing

For the duration of the Master Agreement and any survival period reasonably required by operational, legal, security, backup, archival, or compliance obligations.

Categories of Personal Data

Personal Data categories may include:

customer account data
user identifiers
emails
authentication metadata
billing metadata
IP addresses
usage data
support information
monitoring information
operational logs
deployment metadata
infrastructure telemetry
or substantially equivalent operational data categories.

Categories of Data Subjects

Data Subjects may include:

customers
end users
customer personnel
authorized users
administrators
operators
support personnel
or substantially equivalent individuals.

Nature and Purpose of Processing

Processing activities may include:

hosting
storage
monitoring
authentication
billing support
deployment operations
infrastructure operations
GPU hosting
Kubernetes operations
OpenStack operations
Rancher operations
customer support activities
security monitoring
backup operations
or substantially equivalent operational processing activities.