Data Processing Agreement

When Netta Tech processes personal data on behalf of a client — for example, when you use one of our SaaS products or when we operate a system we built for you — we act as a processor under Article 28 of the GDPR, and you act as the controller.

We sign a Data Processing Agreement (DPA) with every client before any production data is handled. This page summarises the terms; the signed document is the authoritative version.

Scope and roles

The DPA governs any personal data that the client, or its end users, provides to Netta Tech in connection with a service order. The client determines the purposes and means of processing; Netta Tech processes on documented instructions only.

Core commitments

• Process personal data only on the client's documented instructions, including as set out in the service order.
• Ensure that personnel authorised to process the data are under a duty of confidentiality.
• Implement appropriate technical and organisational measures (Art. 32 GDPR): encryption in transit and at rest, least-privilege access, audit logs, hardened hosting, regular backups, incident response.
• Assist the client in responding to data-subject requests and in meeting its obligations under Articles 32–36 GDPR.
• Notify the client of any personal-data breach without undue delay, and in any event within 72 hours of becoming aware of it.
• At the end of the engagement, delete or return all personal data, unless EU or Member State law requires retention.
• Make available all information necessary to demonstrate compliance, and allow for and contribute to audits.

Sub-processors

Netta Tech relies on a short, stable list of sub-processors to deliver its services. The default stack is:

• Hetzner Online GmbH (Germany, EU) — infrastructure hosting.
• Cloudflare, Inc. (USA) — DNS, edge security, TLS termination.
• Resend (Second Rodeo, Inc.) — transactional email delivery for contact-form notifications.
• Managed LLM providers — large-language-model inference, where the service requires it, under contractual terms prohibiting use of client data for model training.

The full list for a given engagement is annexed to the signed DPA. We give the client prior notice of any intended change and a right to object on reasonable grounds.

International transfers

Our default is to keep client data in the European Union. Where a transfer outside the EEA is necessary — for example, to a sub-processor in the United States — we rely on the EU–US Data Privacy Framework where available and otherwise on the European Commission's Standard Contractual Clauses, supplemented by the safeguards required under the Schrems II ruling.

Requesting the DPA

To receive the current DPA template for review by your legal or compliance team, or to discuss a bespoke arrangement, write to [email protected]. We will respond within two working days.