Data Processing Agreement
GDPR-compliant terms for processing personal data on your behalf.
01 Parties & roles
This Data Processing Agreement (the "DPA") is entered into between the Customer (controller) and WEB rješenja d.o.o., OIB 97669668809, Zagreb, Croatia, operating the Nebion platform (the "Operator", processor).
It forms part of and is incorporated into the Terms of Service. It governs the processing of personal data carried out by the Operator on behalf of the Customer in connection with the Service.
02 Subject matter & duration
Subject matter: processing of Customer Personal Data necessary to deliver the Nebion hosting Service (compute, edge, shield, storage, stream, related dashboards and APIs).
Duration: for as long as the Operator processes Customer Personal Data under the Agreement, plus any limited retention period required by law or to support deletion procedures.
Nature and purpose: hosting, transmission, caching, storage, backup, and operational monitoring of Customer Data, as instructed by the Customer through use of the Service.
Categories of data subjects: end users of Customer's hosted Projects, Customer's employees and contractors, and any other individuals whose personal data the Customer chooses to process via the Service.
Categories of personal data: as determined by the Customer; typically identifiers, contact data, account data, content, and metadata associated with end-user interactions with Customer Projects.
03 Customer instructions
The Operator processes Customer Personal Data only on documented instructions from the Customer, including with regard to international transfers, unless required to do so by EU or Member State law to which the Operator is subject. In that case, the Operator informs the Customer of that legal requirement before processing, unless the law prohibits such information.
The Customer's documented instructions are: (a) the Agreement and this DPA; (b) configuration choices made via the dashboard, API, or CLI; (c) written instructions sent to hello@ws.agency.
If the Operator considers an instruction to violate the GDPR or other applicable data protection law, it informs the Customer immediately.
04 Confidentiality of personnel
The Operator ensures that personnel authorised to process Customer Personal Data are bound by confidentiality obligations and trained on data protection responsibilities. Access is granted on a least-privilege, need-to-know basis.
05 Security measures (TOMs)
The Operator implements appropriate technical and organisational measures, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256) for production storage.
- Network isolation between tenants; per-Project credentials; principle of least privilege.
- Mandatory two-factor authentication for personnel with production access.
- Centralised, tamper-resistant audit logging of administrative actions.
- Regular vulnerability scanning, dependency monitoring, and at least annual independent penetration testing.
- Incident detection and response procedures with on-call coverage.
- Secure software development lifecycle, including code review and CI security checks.
- Documented backup and disaster-recovery procedures.
The full Technical and Organisational Measures (TOMs) document is provided on request to hello@ws.agency.
06 Sub-processors
The Customer authorises the Operator to engage sub-processors for parts of the processing. The current list of sub-processors, including each sub-processor's name, location, and processing purpose, is maintained at a URL provided on request.
| Category | Examples | Region |
|---|---|---|
| Compute / network providers | Datacentre operators | EU / US (opt-in) |
| Storage backbone | Object-storage providers | EU |
| Edge / CDN | Anycast networks | Global |
| Email delivery | Transactional email provider | EU |
| Customer support tooling | Helpdesk software | EU |
| Payments | Payment processor | EU |
The Operator notifies the Customer at least 30 days before adding or replacing a sub-processor. The Customer may object on reasonable data-protection grounds. If the parties cannot agree on a remediation, the Customer may terminate the affected Service with prorated refund of prepaid unused fees.
07 International transfers
Where personal data is transferred outside the EEA, the Operator relies on the European Commission's Standard Contractual Clauses (Module 2 or 3 as applicable) and applies supplementary measures where appropriate, including encryption in transit and at rest.
The Customer can configure regional deployments to keep production data within the EU only.
08 Data subject requests
The Operator provides the tools necessary for the Customer to respond to data subject requests (access, rectification, erasure, portability, restriction, objection) directly via the dashboard, API, and CLI.
Where a data subject contacts the Operator directly with a request relating to Customer Personal Data, the Operator forwards the request to the Customer without undue delay and does not respond on the merits without instruction.
09 Personal data breach notification
The Operator notifies the Customer without undue delay and in any case within 48 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data, providing:
- The nature of the breach, categories and approximate number of data subjects and records concerned.
- Likely consequences and measures taken or proposed to address the breach and mitigate effects.
- Contact point for further information.
The Operator assists the Customer with notifications to supervisory authorities and data subjects where required.
10 Audits
The Operator makes available to the Customer all information necessary to demonstrate compliance with this DPA. Once per year, or after a documented incident, the Customer may request an audit conducted under reasonable conditions: with at least 30 days' notice, during business hours, by a qualified independent auditor bound by confidentiality, in a manner that does not disrupt the Service or compromise other tenants.
The Operator may satisfy audit obligations by providing recent third-party reports (e.g. SOC 2 Type II, ISO 27001 attestations) where available.
11 Return & deletion
On termination, and at the Customer's choice, the Operator deletes or returns all Customer Personal Data, and deletes existing copies, unless EU or Member State law requires storage. The Customer may export data via standard tools during a 14-day grace period after termination.
Backups containing Customer Personal Data are deleted within 90 days of termination, in accordance with backup rotation cycles.
12 General
Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service.
Conflict
If there is a conflict between this DPA and the Terms of Service in respect of personal data, this DPA prevails.
Governing law
This DPA is governed by the laws of the European Union and the Operator's place of establishment.
Contact
Privacy contact: hello@ws.agency.