This Data Processing Agreement ("DPA" or "AVV") is entered into between:
Nodest (the data processor), operated by Janine Große-Beck, Grünewalder Straße 29-31, 42657 Solingen, Germany — hereinafter "Processor"
and
the Customer who has accepted Nodest's Terms of Service — hereinafter "Controller"
together referred to as the "Parties."
This DPA forms part of, and is incorporated into, the Terms of Service between the Parties. In the event of conflict between this DPA and the Terms of Service regarding data protection matters, this DPA takes precedence.
1. Definitions
For the purposes of this DPA, the following definitions apply. Terms not defined here have the meanings given in the Terms of Service or in the GDPR.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.
"BDSG" means the German Federal Data Protection Act (Bundesdatenschutzgesetz) in its current version, as applicable alongside the GDPR.
"Personal Data" has the meaning given in Art. 4(1) GDPR — any information relating to an identified or identifiable natural person.
"Processing" has the meaning given in Art. 4(2) GDPR — any operation or set of operations performed on personal data, whether or not by automated means.
"Controller" means the natural or legal person who determines the purposes and means of processing Personal Data — in the context of this DPA, the Nodest Customer.
"Processor" means Nodest, which processes Personal Data on behalf of the Controller in accordance with this DPA.
"Sub-Processor" means any third party engaged by the Processor to carry out processing activities on behalf of the Controller.
"Automation" has the meaning given in the Terms of Service — a user-configured workflow within the Service that connects triggers, conditions, and actions via nodes to process, transform, or transmit data automatically.
"Automation Execution Data" means Personal Data that flows through an Automation when it runs, including trigger payloads, node inputs and outputs, API responses, webhook bodies, and any data stored in Execution Logs.
"Execution Log" means the stored record of an Automation run, including node-level input and output data, status, timestamps, and error messages.
"Instructions" means the documented instructions given by the Controller to the Processor regarding the processing of Personal Data, as set out in this DPA and as may be supplemented in writing from time to time.
"Personal Data Breach" has the meaning given in Art. 4(12) GDPR — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
"Security Measures" means the technical and organisational measures described in Annex II to this DPA.
"Supervisory Authority" means the competent data protection supervisory authority, primarily the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) for Nodest, and the relevant authority in the Controller's jurisdiction.
2. Subject Matter & Purpose
2.1 This DPA governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the Processor's provision of the Nodest platform and related services (the "Service") as described in the Terms of Service.
2.2 The subject matter of the processing is the operation of Automations configured by the Controller, which may involve the processing of Personal Data as Automation Execution Data.
2.3 This DPA applies only to processing carried out by the Processor on behalf of the Controller as data processor within the meaning of Art. 28 GDPR. It does not apply to processing for which the Processor acts as an independent data controller (e.g. account registration data, billing records, and website analytics), which is governed by the Nodest Privacy Policy.
2.4 The Controller acknowledges that the nature of the Service means the Processor has no advance knowledge of the categories or content of Personal Data the Controller chooses to process through Automations, and that the Processor's processing is determined entirely by the Controller's configuration.
3. Duration
3.1 This DPA is effective from the date the Controller accepts the Nodest Terms of Service and continues for the duration of the contractual relationship between the Parties.
3.2 Obligations that by their nature survive termination — including those relating to confidentiality, deletion of data, and audit — continue after termination of this DPA.
4. Nature & Purpose of Processing
The Processor carries out the following processing activities on behalf of the Controller:
4.1 Automation execution. When an Automation is triggered — by a WordPress event, incoming webhook, scheduled cron, or manual trigger — the Processor's execution engine reads the trigger payload, processes it through the configured nodes in sequence according to the Controller's configuration, and routes outputs to subsequent nodes or Integrations. This processing is transient: data is held in memory for the duration of the execution and then persisted only in the Execution Log.
4.2 Execution Log storage. The Processor stores the input and output of each node for each Automation run in an Execution Log. Execution Logs are stored on the Processor's infrastructure (Hetzner, Germany) for the retention period applicable to the Controller's subscription plan. After the retention period, Execution Logs are permanently deleted.
4.3 Integration relay. Where an Automation is configured to send data to a third-party Integration (e.g. an external REST API, a webhook endpoint, or a connected service), the Processor transmits the configured data payload to that Integration on behalf of the Controller. The Processor does not control third-party Integrations and is not responsible for their processing of data once transmitted.
4.4 WordPress plugin communication. Where the Controller uses the Nodest WordPress plugin, the Processor receives event data from the Controller's WordPress environment over HTTPS and, where configured, transmits action data back to it.
4.5 No further use. The Processor does not process Automation Execution Data for any purpose other than those set out in this Section 4. In particular, the Processor does not: use Automation Execution Data for its own marketing or analytics purposes; combine Automation Execution Data with data from other Customers; or use Automation Execution Data to train or improve machine learning or AI models.
5. Types of Personal Data
The types of Personal Data processed under this DPA are determined entirely by the Controller through their Automation configurations. Based on the typical use cases for the Service, this may include:
- Contact and identity data — names, email addresses, phone numbers, usernames, and other identifying information of WordPress users, WooCommerce customers, or contacts submitted via forms.
- Transaction and order data — WooCommerce order details including customer name, billing and shipping address, order contents, order value, payment status, and order identifiers.
- Form submission data — data submitted via WordPress contact forms, registration forms, or other web forms configured to trigger Automations, which may include names, email addresses, messages, and any other fields included in the form.
- Webhook and API payload data — arbitrary data received from third-party APIs or webhook sources configured by the Controller, the content of which is determined by the Controller and the connected service.
- Technical identifiers — IP addresses, user agent strings, session identifiers, or other technical data included in WordPress events or API payloads.
The Controller is solely responsible for determining what Personal Data is included in Automation configurations and ensuring that such data is processed lawfully. The Processor processes whatever data the Controller's Automation configuration causes to flow through the Service.
Special category data. The Processor's infrastructure does not distinguish or filter for special category data within the meaning of Art. 9 GDPR (e.g. health data, biometric data, data revealing racial or ethnic origin, political opinions, religious beliefs, or sexual orientation). The Controller must not configure Automations to process special category data unless the Controller has ensured that all requirements of Art. 9(2) GDPR are met, including obtaining explicit consent from data subjects where required, and has implemented appropriate additional safeguards.
6. Categories of Data Subjects
The categories of data subjects whose Personal Data may be processed under this DPA are determined by the Controller and may include:
- Customers or clients of the Controller's business
- Visitors to the Controller's WordPress website(s)
- Users registered on the Controller's WordPress installation
- Individuals who have submitted contact forms, registration forms, or other web forms on the Controller's site
- Individuals whose data is contained in third-party API responses or webhook payloads configured by the Controller
- Employees or contractors of the Controller, where included in Automation configurations
- End clients of agencies using the Service to manage multiple WordPress environments
7. Controller's Instructions & Obligations
7.1 Instructions. The Controller instructs the Processor to process Personal Data solely for the purposes described in Section 4 and in accordance with this DPA. The Controller's Automation configurations within the Service constitute binding documented instructions within the meaning of Art. 28(3)(a) GDPR.
7.2 Lawful basis. The Controller represents and warrants that it has a valid lawful basis under Art. 6 GDPR (and Art. 9 GDPR for special category data, if applicable) for each category of Personal Data processed through Automations. The Controller is solely responsible for compliance with applicable data protection law in respect of the processing it instructs.
7.3 Data subjects. The Controller is responsible for ensuring that data subjects whose Personal Data is processed through the Service have been informed about such processing in the Controller's own privacy notices, to the extent required by applicable law.
7.4 Accuracy and minimisation. The Controller is responsible for the accuracy, completeness, and lawfulness of the Personal Data submitted to the Service. The Controller should implement data minimisation practices and avoid including Personal Data in Automations beyond what is necessary for the intended purpose.
7.5 Instruction changes. Additional or amended instructions must be provided in writing to privacy@nodest.com. The Processor will assess whether it can comply with such instructions and may charge for additional work required. If the Processor reasonably considers that an instruction would violate applicable data protection law, the Processor will inform the Controller and may decline to follow that instruction.
7.6 Controller's independent obligations. Nothing in this DPA relieves the Controller of its own obligations as data controller under GDPR, including maintaining records of processing activities under Art. 30 GDPR and conducting data protection impact assessments where required.
8. Processor's Obligations
The Processor agrees to the following obligations in accordance with Art. 28(3) GDPR:
8.1 Process only on instructions. The Processor will process Personal Data only on documented instructions from the Controller, as set out in this DPA, unless required to do so by EU or German law. If the Processor is required by law to process Personal Data beyond the scope of the Controller's instructions, it will inform the Controller to the extent permitted by law before or promptly after such processing.
8.2 No unauthorised use. The Processor will not process Personal Data for any purpose other than providing the Service as described in this DPA. In particular, the Processor will not sell, rent, or otherwise commercially exploit Automation Execution Data.
8.3 Confidentiality. The Processor will ensure that all personnel authorised to process Personal Data are bound by appropriate confidentiality obligations. See Section 9.
8.4 Security. The Processor will implement and maintain the technical and organisational security measures described in Annex II. See Section 10.
8.5 Sub-Processors. The Processor will engage Sub-Processors only in accordance with Section 11.
8.6 Data subject rights. The Processor will assist the Controller in responding to data subject rights requests as described in Section 12.
8.7 Assistance. The Processor will assist the Controller with security obligations, breach notifications, DPIAs, and prior consultations as described in Sections 13, 14, and 15.
8.8 Deletion or return. Upon termination of this DPA, the Processor will delete or return Personal Data as described in Section 16.
8.9 Audit. The Processor will make available to the Controller information necessary to demonstrate compliance with this DPA and will allow for audits as described in Section 17.
9. Confidentiality
9.1 The Processor will ensure that any personnel who process Personal Data under this DPA are subject to binding obligations of confidentiality, whether by employment contract, contractor agreement, or equivalent undertaking.
9.2 Access to Personal Data within the Processor's systems is restricted to personnel who require such access for the purpose of providing the Service. The Processor maintains access controls and reviews access permissions on a regular basis.
9.3 The Processor will not disclose Personal Data to any third party except: (a) to authorised Sub-Processors as permitted under Section 11; (b) as required by applicable law; or (c) with the Controller's prior written consent.
9.4 Confidentiality obligations survive the termination of this DPA.
10. Security of Processing
10.1 The Processor will implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, in accordance with Art. 32 GDPR and taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.
10.2 The security measures currently implemented by the Processor are described in Annex II to this DPA. The Processor may update these measures over time, provided that the level of protection is not materially reduced.
10.3 The Controller acknowledges that the Processor cannot control the content of data sent through Automations and that the appropriate level of security applied by the Processor is based on the risk profile of a general-purpose automation platform, not on the specific sensitivity of any particular dataset.
10.4 The Controller is responsible for the security of its own account credentials, API keys, and WordPress environment. Loss of Personal Data caused by compromise of the Controller's credentials or environment is not the responsibility of the Processor.
11. Sub-Processors
11.1 General authorisation. The Controller provides general authorisation to the Processor to engage Sub-Processors for the processing of Personal Data under this DPA, subject to the conditions in this Section 11.
11.2 Current Sub-Processors. The Processor's current Sub-Processors involved in the processing of Personal Data under this DPA are listed at nodest.com/sub-processors. As of the effective date of this DPA, the relevant Sub-Processors are:
| Sub-processor | Purpose | Country | Safeguard |
|---|---|---|---|
| Hetzner Online GmbH | Cloud hosting and infrastructure | Germany (EU) | DPA under Art. 28 GDPR |
| Stripe, Inc. | Payment processing | USA | Standard Contractual Clauses |
| Brevo (Sendinblue SAS) | Transactional email delivery and newsletter sending | France (EU) | DPA under Art. 28 GDPR |
11.3 Notification of planned changes. The Processor will notify the Controller of any intended addition or replacement of a Sub-Processor by updating the sub-processors list at nodest.com/sub-processors with a clearly visible "last updated" date. Controllers are responsible for monitoring this page. The Processor will update the page at least 10 days before any planned Sub-Processor change takes effect.
11.4 Right to object. The Controller may object to a new or replacement Sub-Processor by notifying the Processor in writing at privacy@nodest.com within 10 days of the sub-processors page being updated, stating the specific data protection grounds for the objection. If the Processor cannot reasonably accommodate the objection, either Party may terminate the affected subscription on 30 days' written notice without penalty. The Controller's continued use of the Service after the 10-day objection period without raising an objection constitutes acceptance.
11.5 Emergency Sub-Processor changes. Where a Sub-Processor becomes unexpectedly unavailable, ceases operations, terminates its services without notice, or where the Processor is required to replace a Sub-Processor immediately for legal, regulatory, or security reasons, the Processor may engage a replacement Sub-Processor without prior notice. In such cases, the Processor will update the sub-processors page and notify the Controller by email as soon as reasonably practicable and no later than 5 days after the change. The Controller retains the right to object under clause 11.4, with the objection period running from the date of notification. The Processor will make reasonable efforts to ensure any emergency replacement Sub-Processor offers an equivalent level of data protection.
11.6 Processor's obligations towards Sub-Processors. Where the Processor engages Sub-Processors, it will impose data protection obligations on them by contract that are no less protective than those set out in this DPA. The Processor remains fully liable to the Controller for the acts and omissions of its Sub-Processors in relation to their processing obligations under this DPA.
12. Data Subject Rights
12.1 The Processor will promptly notify the Controller — and in any event within 5 business days — if the Processor receives a request directly from a data subject in relation to Personal Data processed under this DPA. The Processor will not respond to such requests on its own initiative but will refer the data subject to the Controller and wait for the Controller's instructions.
12.2 The Processor will provide reasonable technical assistance to the Controller in responding to data subject rights requests to the extent the requested data is within the Processor's systems (e.g. exporting Execution Log data or confirming what data is stored for a specific Automation run).
12.3 The Processor will implement technical features that allow the Controller to access, export, and delete Automation Execution Data directly from within the Service where technically feasible, thereby enabling the Controller to fulfil data subject requests without requiring Processor involvement.
13. Assistance to Controller
13.1 Taking into account the nature of the processing and the information available to the Processor, the Processor will assist the Controller, upon written request, in meeting its obligations under the following GDPR provisions:
- Art. 32 GDPR — security of processing
- Art. 33–34 GDPR — notification of Personal Data Breaches
- Art. 35–36 GDPR — data protection impact assessments and prior consultation
- Art. 30 GDPR — records of processing activities, to the extent the Processor holds information necessary for the Controller's records
13.2 Such assistance will be provided to the extent that the information is within the Processor's reasonable knowledge and control, and is limited to information relating to the Processor's own processing activities. The Processor may charge a reasonable fee for assistance that goes beyond routine obligations under this DPA.
14. Notification of Personal Data Breaches
14.1 The Processor will notify the Controller without undue delay — and in any event within 72 hours of becoming aware — of a confirmed Personal Data Breach affecting Personal Data processed under this DPA. Where notification within 72 hours is not possible, the Processor will provide an initial notification followed by further information as it becomes available.
14.2 Notification will be made by email to the Controller's registered account email address and will include, to the extent known at the time:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records affected
- The name and contact details of the Processor's contact point for further information
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach and mitigate its effects
14.3 The Processor will cooperate with the Controller and provide all reasonable assistance required for the Controller to comply with its own breach notification obligations under Art. 33 and Art. 34 GDPR.
14.4 Notification by the Processor of a Personal Data Breach under this Section does not constitute an acknowledgement of fault or liability.
15. Data Protection Impact Assessments
15.1 Where the Controller is required to carry out a data protection impact assessment (DPIA) under Art. 35 GDPR in relation to processing activities involving the Service, the Processor will, upon written request, provide the Controller with reasonable assistance, including:
- A description of the processing activities carried out by the Processor on behalf of the Controller
- Information about the technical and organisational security measures in place
- Identification of Sub-Processors and their processing activities
15.2 The Processor may charge a reasonable fee for DPIA assistance that goes beyond the information already publicly available in this DPA and the Privacy Policy.
15.3 The Controller is solely responsible for determining whether a DPIA is required for its use of the Service and for conducting and documenting any required DPIA.
16. Return & Deletion of Data
16.1 Upon termination. Upon termination or expiry of the Terms of Service, or upon written request from the Controller, the Processor will, at the Controller's election:
- Delete all Automation Execution Data and Execution Logs within the Processor's systems relating to the Controller's account; or
- Where technically feasible, export Automation Execution Data in a machine-readable format prior to deletion.
16.2 Timeline. Deletion will be completed within 60 days of the termination date or written request. The Processor will confirm in writing once deletion is complete.
16.3 Residual copies. The Processor may retain backups of deleted data for up to an additional 30 days as part of its standard backup rotation, after which backups are also purged. During this period, backup data is not accessible for normal operational purposes.
16.4 Legal retention obligations. The Processor may retain Personal Data to the extent and for the duration required by applicable EU or German law (e.g. billing records under § 147 AO), provided that such data is processed only for compliance purposes and isolated from operational processing.
16.5 Export during active subscription. During the term of this DPA, the Controller may export Execution Log data directly from within the Service at any time. The Processor will maintain export functionality for the duration of the Controller's active subscription.
17. Audit Rights
17.1 The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR, including this DPA.
17.2 The Controller may conduct audits or inspections of the Processor's data processing activities related to this DPA. Prior to conducting an audit, the Controller must:
- Provide the Processor with at least 30 days' written notice, specifying the scope of the audit
- Confirm that the audit will be conducted during normal business hours and in a manner designed to minimise disruption to the Processor's operations
- Ensure that the auditor is bound by confidentiality obligations at least as protective as those in Section 9
17.3 Third-party audit reports. As an alternative to a direct audit, the Processor may provide the Controller with the Processor's most recent third-party security audit or penetration test report (if any) under confidentiality terms, which the Controller agrees to accept as sufficient evidence of compliance for the purposes of Art. 28(3)(h) GDPR unless the Controller has specific reasonable grounds to require a direct audit.
17.4 Audits may be conducted no more than once per calendar year unless the Controller has reasonable grounds to believe a material breach of this DPA has occurred, in which case an additional audit may be requested.
17.5 The costs of any audit shall be borne by the Controller unless the audit reveals a material breach of this DPA by the Processor, in which case the Processor shall bear reasonable audit costs.
18. International Data Transfers
18.1 The Processor will not transfer Personal Data processed under this DPA to a country outside the European Economic Area (EEA) unless:
- The European Commission has issued an adequacy decision for that country under Art. 45 GDPR; or
- Appropriate safeguards are in place under Art. 46 GDPR, such as Standard Contractual Clauses (SCCs); or
- A derogation under Art. 49 GDPR applies.
18.2 As of the effective date of this DPA, Personal Data processed under this DPA is stored on Hetzner infrastructure in Germany. Transfers to Sub-Processors outside the EEA — specifically Stripe (USA) for billing data — are governed by the Standard Contractual Clauses adopted by the European Commission under Commission Implementing Decision (EU) 2021/914.
18.3 The Controller authorises the Processor to transfer Personal Data to Sub-Processors located outside the EEA as listed at nodest.com/sub-processors, provided that the Processor has ensured appropriate safeguards are in place in accordance with this Section 18.
18.4 The Processor will promptly inform the Controller if it becomes aware that the safeguards applicable to any international transfer are no longer sufficient to comply with GDPR, and will cooperate with the Controller to identify an appropriate solution.
19. Liability
19.1 The liability of each Party under this DPA is subject to the limitations and exclusions set out in the Terms of Service.
19.2 Where the Controller or the Processor is held liable for damages caused by processing that infringes the GDPR, each Party is responsible for its own portion of the damage. The Processor may be partially or fully exonerated from liability if it proves that it was not at fault for the event giving rise to the damage, in accordance with Art. 82(3) GDPR.
19.3 The Processor is not liable for any damages arising from the Controller's failure to comply with its own obligations as data controller, including configuring Automations to process Personal Data without a lawful basis, processing special category data without appropriate safeguards, or failing to respond to data subject rights requests.
20. Governing Law & Jurisdiction
This DPA is governed by the laws of the Federal Republic of Germany. For any disputes between the Parties arising out of or in connection with this DPA, the provisions of the governing law and jurisdiction clause in the Terms of Service apply.
21. Amendments
The Processor may amend this DPA from time to time to reflect changes in applicable law or changes to the processing activities. Material amendments will be communicated to the Controller with at least 30 days' notice by email. The Controller's continued use of the Service after the effective date of any amendment constitutes acceptance. If the Controller does not accept a material amendment, the Controller may terminate the affected subscription before the amendment takes effect.
22. Precedence & Entire Agreement
22.1 This DPA, together with its Annexes, constitutes the complete agreement between the Parties regarding the processing of Personal Data under the Terms of Service and supersedes all prior understandings on that subject.
22.2 In the event of conflict between this DPA and the Terms of Service on matters relating to data protection and processing of Personal Data, this DPA takes precedence.
22.3 If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions continue in full force and effect.
Annex I — Description of Processing
A. Subject matter and nature of processing
The Processor provides an automation platform (the "Service") that allows the Controller to configure and execute automated workflows ("Automations") connecting WordPress events, webhooks, and third-party API integrations. When Automations run, Personal Data flows through the Processor's execution infrastructure and is stored in Execution Logs for a plan-dependent retention period.
B. Purpose of processing
The sole purpose of the Processor's processing of Personal Data under this DPA is to operate and provide the Service as described in the Terms of Service — specifically, to execute the Controller's Automations and store Execution Logs for the Controller's review.
C. Duration of processing
For the duration of the Terms of Service between the Parties, and thereafter as required by Section 16 of this DPA.
D. Types of personal data
As described in Section 5 of this DPA — including but not limited to: contact and identity data, WooCommerce transaction and order data, contact form submission data, WordPress user data, and arbitrary webhook or API payload data as configured by the Controller.
E. Categories of data subjects
As described in Section 6 of this DPA — including: customers and clients of the Controller, WordPress site visitors, registered WordPress users, form submitters, and any individuals whose data is contained in API or webhook payloads configured by the Controller.
F. Special category data
The Processor's infrastructure does not specifically distinguish or filter for special category data. The Controller must not configure Automations to process special category data without ensuring compliance with Art. 9(2) GDPR.
G. Competent supervisory authority
Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI), Husarenstraße 30, 53117 Bonn, Germany.
Annex II — Technical & Organisational Security Measures
The following technical and organisational measures are implemented by the Processor in accordance with Art. 32 GDPR:
Encryption
- All data in transit between clients, the WordPress plugin, and Nodest's servers is encrypted using TLS 1.2 or higher (HTTPS)
- Sensitive configuration data including API keys, tokens, and credentials are encrypted at rest using AES-256 encryption
- Passwords are stored as one-way bcrypt hashes and never in plain text
Access Controls
- Access to production systems is restricted to authorised personnel on a need-to-know basis
- Multi-factor authentication is required for administrative access to production infrastructure
- Role-based access control is enforced within the application
- Customer data is logically isolated — no Customer can access another Customer's Automation data or Execution Logs
Infrastructure Security
- The Service is hosted on Hetzner infrastructure in Germany, within the EU
- Network-level security measures including firewalls, intrusion detection, and DDoS mitigation are implemented at the infrastructure level
- Regular security patching and updates are applied to server operating systems and dependencies
Data Isolation
- Each Customer's Execution Logs and Automation configurations are logically isolated within the Processor's database
- Database access from application components is restricted to least-privilege service accounts
Backup & Recovery
- Regular automated backups of the database are performed
- Backups are stored in encrypted form on Hetzner infrastructure within the EU
- Recovery procedures are tested periodically
Incident Response
- The Processor maintains an internal incident response procedure for detecting, classifying, and responding to Personal Data Breaches
- Security events are logged and monitored
- The Processor will notify the Controller of confirmed Personal Data Breaches within 72 hours as described in Section 14
Personnel
- Personnel with access to Personal Data are bound by confidentiality obligations as described in Section 9
- Personnel receive appropriate awareness training on data protection obligations
Vendor Management
- Sub-Processors are required to implement security measures at least equivalent to those described in this Annex
- Sub-Processor agreements include data processing terms in accordance with Art. 28 GDPR
Annex III — Standard Contractual Clauses (International Transfers)
Where Personal Data is transferred to Sub-Processors located outside the EEA (currently Stripe, Inc. in the USA), such transfers are subject to the Standard Contractual Clauses (Module 3: Processor-to-Processor) adopted by the European Commission under Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
The Controller, by accepting this DPA, authorises the Processor to conclude such Standard Contractual Clauses with relevant Sub-Processors on the Controller's behalf where required by applicable data protection law.
A copy of the applicable Standard Contractual Clauses is available upon request at privacy@nodest.com.
This Data Processing Agreement is entered into by the Processor on behalf of Nodest and is binding on all Customers who process Personal Data through the Service.
Nodest
Janine Große-Beck
Grünewalder Straße 29-31
42657 Solingen, Germany
