Data Processing Agreement
Last updated: March 2026 · Version: 1.0 · Processor: TriStiX S.L.
1. Definitions
| Term | Definition |
|---|---|
| “Controller” | The organization or individual that subscribes to NetSenX and determines the purposes and means of processing personal data (the Customer). |
| “Processor” | TriStiX S.L., Alicante, Spain — the entity that processes personal data on behalf of the Controller under this DPA. |
| “Personal Data” | Any information relating to an identified or identifiable natural person processed through the NetSenX platform, including network flow metadata containing IP addresses. |
| “Processing” | Any operation performed on Personal Data, including collection, storage, analysis, and deletion, as defined in GDPR Art. 4(2). |
| “Sub-processor” | Any third party engaged by the Processor to process Personal Data on behalf of the Controller. |
| “Services” | The NetSenX network threat-detection platform, including the agent software, backend API, and web dashboard. |
2. Subject Matter and Duration
This DPA governs the processing of Personal Data by the Processor in connection with the provision of the Services.
Nature and purpose of processing
- Analysis of network traffic metadata to detect cybersecurity threats
- Generation of compliance reports (NIS2 Art. 23, GDPR Art. 33)
- Storage of alert data and audit logs for the duration of the subscription
- Transmission of threat-intelligence data to the detection engine
Duration
Processing begins upon activation of the NetSenX subscription and continues until termination. Upon termination, Personal Data is retained for a maximum of 90 days, after which it is permanently deleted, unless legal obligations require longer retention.
3. Categories of Personal Data and Data Subjects
Categories of data subjects: employees, contractors, and other authorised users of the Controller’s networks; the Controller’s administrative users of the NetSenX dashboard.
| Category | Examples | Legal basis (GDPR) |
|---|---|---|
| Network identifiers | Source/destination IP addresses, MAC addresses (on-premises only), hostname | Art. 6(1)(b) — contract performance |
| Traffic metadata | Ports, protocols, byte counts, packet counts, connection timestamps | Art. 6(1)(b) — contract performance |
| User account data | Email, name, role, login timestamps, login IP | Art. 6(1)(b) — contract performance |
| Audit events | Actions taken within the platform (who, what, when, source IP) | Art. 6(1)(f) — legitimate interest (security) |
Zero Payload Policy: The NetSenX agent never captures, buffers, stores, or transmits packet payloads. Only flow-level metadata is processed — equivalent to telephone billing records (call duration, numbers) rather than call recordings.
4. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by EU or member-state law.
- Ensure that persons authorised to process Personal Data have committed to confidentiality.
- Implement appropriate technical and organisational measures (TOMs) per GDPR Art. 32 (see Section 7).
- Not engage Sub-processors without prior authorisation from the Controller (general authorisation granted per Section 6).
- Assist the Controller in responding to data-subject requests (Art. 15–22) within 72 hours of notification.
- Notify the Controller of any Personal Data breach within 24 hours of becoming aware of it, in line with Section 9.
- Delete or return all Personal Data on termination of services at the Controller’s choice (Section 13).
- Make available all information necessary to demonstrate compliance with GDPR Art. 28.
- Not transfer Personal Data outside the European Economic Area without adequate safeguards.
5. Obligations of the Controller
The Controller shall:
- Ensure a valid legal basis exists for processing Personal Data through the Services.
- Provide necessary privacy notices to data subjects whose data is processed via NetSenX.
- Ensure that processing complies with applicable data-protection laws in the Controller’s jurisdiction.
- Not instruct the Processor to process Personal Data in a manner that would violate applicable law.
- Promptly notify the Processor of any changes to applicable data-protection requirements that affect the Services.
- Be responsible for the security of credentials (API keys, user passwords) used to access the Services.
6. Sub-processors
The Controller grants general authorisation for the Processor to engage the following Sub-processors. The Processor will notify the Controller at least 14 days in advance of any changes to this list, giving the Controller the opportunity to object.
| Sub-processor | Role | Data processed | Location | Safeguard |
|---|---|---|---|---|
| Amazon Web Services EMEA SARL | Underlying cloud infrastructure (EU regions only) | Encrypted storage and compute underlying the other EU-hosted Sub-processors | Frankfurt / Dublin, EU | EU Data Boundary + SOC 2 Type II + ISO 27001 |
| Supabase Inc. | Database and authentication | All Personal Data (encrypted at rest) | Frankfurt, EU (eu-central-1) | Standard Contractual Clauses + SOC 2 Type II |
| Fly.io Inc. | API hosting and compute | In-transit request data, logs | Madrid, EU (mad region) | Standard Contractual Clauses + SOC 2 Type II |
| Vercel Inc. | Dashboard frontend hosting | Session tokens, browser metadata | EU Edge Network | Standard Contractual Clauses + ISO 27001 |
| Cloudflare Inc. | DNS, WAF, DDoS protection, CDN, Pages hosting | IP addresses, request metadata (anonymised) | EU PoPs (data processed in EU) | Standard Contractual Clauses + ISO 27001 |
| Resend Inc. | Transactional email delivery | Email addresses, notification content | EU infrastructure | Standard Contractual Clauses + SOC 2 Type II |
| Functional Software, Inc. (Sentry) | Error and performance telemetry | Stack traces, anonymised user identifiers | Frankfurt, EU | EU data residency + Standard Contractual Clauses |
| PostHog Inc. | Product analytics (opt-in only) | Anonymised usage events | eu.posthog.com (Frankfurt, EU) | EU host + Standard Contractual Clauses |
| Intigriti BV | Bug-bounty / vulnerability disclosure platform | Researcher contact details and submitted vulnerability reports | Antwerp, EU | EU-headquartered + ISO 27001 |
7. Technical and Organisational Measures (GDPR Art. 32)
| Measure | Implementation |
|---|---|
| Encryption at rest | AES-256 for all stored data (managed by EU database provider) |
| Encryption in transit | TLS 1.3 minimum; older protocol versions (including TLS 1.0 and 1.1) rejected at the load-balancer level |
| Access control | Role-based access (Admin / Analyst / Viewer / Auditor); MFA mandatory for Admin |
| Data isolation | PostgreSQL Row-Level Security enforces per-tenant isolation at database level |
| Audit logging | Tamper-evident audit log (SHA-256 hash chain) for all user and system actions |
| Vulnerability management | Automated dependency scanning + SAST; security patches within 72h of disclosure |
| Backup | Automated daily backup, 30-day retention, EU region, encrypted at rest |
| Incident response | Documented procedure; Controller notified within 24h of confirmed breach |
| Zero payload policy | Network agent captures only flow metadata; packet payloads never stored or transmitted |
| Penetration testing | Annual security assessment using OWASP methodology |
| BYOK / HSM | Enterprise tier: customer-managed keys backed by FIPS 140-2 Level 3 hardware security modules |
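The audit-logging measure above relies on a SHA-256 hash chain to make the log tamper-evident. The following is an added illustration of how such a chain detects modification or deletion of past records; it is example code written for this page, not NetSenX’s implementation, and the event fields (`actor`, `action`, `source_ip`, `ts`) and the genesis value are constructed assumptions.

```python
import copy
import hashlib
import json

# Constructed genesis value: the "previous hash" of the very first record.
GENESIS = "0" * 64

# Constructed sample audit events, not real platform data.
SAMPLE_EVENTS = [
    {"ts": "2026-03-01T09:00:00Z", "actor": "alice", "action": "login", "source_ip": "203.0.113.10"},
    {"ts": "2026-03-01T09:05:00Z", "actor": "alice", "action": "view_alert", "source_ip": "203.0.113.10"},
    {"ts": "2026-03-01T09:07:00Z", "actor": "bob", "action": "change_role", "source_ip": "198.51.100.7"},
]


def entry_hash(prev_hash, entry):
    """Hash of one record: previous record's hash + canonical JSON of this entry.

    Canonical serialisation (sorted keys, no whitespace) ensures the same event
    always hashes to the same value regardless of dict ordering.
    """
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + payload).encode("utf-8")).hexdigest()


def append(log, entry):
    """Append an event, linking it to the hash of the current last record."""
    prev = log[-1]["hash"] if log else GENESIS
    record = {"entry": entry, "prev_hash": prev, "hash": entry_hash(prev, entry)}
    log.append(record)
    return record


def verify(log):
    """Walk the chain from genesis. Returns (True, None) if intact,
    otherwise (False, index) of the first record that fails to link."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev_hash"] != prev or rec["hash"] != entry_hash(prev, rec["entry"]):
            return False, i
        prev = rec["hash"]
    return True, None


def demo():
    """Build a chain, then apply three tampering attempts and verify each copy."""
    log = []
    for event in SAMPLE_EVENTS:
        append(log, event)

    # 1. Silent edit of a field: the stored hash no longer matches the content.
    edited = copy.deepcopy(log)
    edited[1]["entry"]["action"] = "export_data"

    # 2. Edit plus recomputed hash on the same record: the NEXT record's
    #    prev_hash now points at a value that no longer exists in the chain.
    recomputed = copy.deepcopy(log)
    recomputed[1]["entry"]["action"] = "export_data"
    recomputed[1]["hash"] = entry_hash(recomputed[1]["prev_hash"], recomputed[1]["entry"])

    # 3. Deletion of an interior record: its successor links to a missing hash.
    deleted = copy.deepcopy(log)
    del deleted[1]

    return {
        "intact": verify(log),            # (True, None)
        "edited": verify(edited),         # (False, 1)
        "recomputed": verify(recomputed), # (False, 2)
        "deleted": verify(deleted),       # (False, 1)
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result}")
```

Two caveats a practitioner would want when auditing a measure described this way: a hash chain on its own does not detect truncation of the tail (dropping the most recent records and nothing else leaves a valid chain), and an attacker with write access to the whole log can re-hash every record after the change. Both are addressed by periodically anchoring the latest hash outside the writer’s control (for example, a signed checkpoint stored with a separate party), and verification should compare against that anchor as well as walking the chain.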
8. Assistance with Data-Subject Rights
The Processor provides the following tools to assist the Controller in fulfilling data-subject rights:
| Right | GDPR Art. | Mechanism |
|---|---|---|
| Access (copy of data) | Art. 15 | Dashboard: Settings → Export Data (JSON / ZIP) |
| Erasure (“right to be forgotten”) | Art. 17 | Dashboard: Settings → Delete Account / API endpoint |
| Data portability | Art. 20 | Structured JSON export on demand |
| Restriction of processing | Art. 18 | Request via dpo@netsenx.com; actioned within 72h |
The Processor will respond to Controller requests within 72 hours and provide the requested data or action within 30 days.
9. Personal Data Breach Notification
In the event of a Personal Data breach, the Processor shall:
- Notify the Controller without undue delay and in any event within 24 hours of becoming aware of the breach.
- Provide, at minimum: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
- Provide a dedicated incident report (GDPR Art. 33 format) within 72 hours of the initial notification.
- Cooperate fully with the Controller’s notifications to supervisory authorities.
The Controller remains solely responsible for notifying the competent supervisory authority within 72 hours of becoming aware of a breach (GDPR Art. 33). NetSenX provides the technical documentation and report templates to facilitate this obligation.
10. International Data Transfers
All Personal Data processed under this DPA remains within the European Economic Area (EEA). Where a Sub-processor is headquartered outside the EEA (e.g., US-incorporated entities), processing is governed by Standard Contractual Clauses pursuant to GDPR Art. 46(2)(c) and, where applicable, supplementary measures per EDPB Recommendations 01/2020.
11. Audits and Inspections
The Controller has the right to conduct audits and inspections of the Processor’s data-processing activities, subject to the following conditions:
- Minimum 14 days’ written notice before any audit
- Conducted during business hours, minimising disruption
- Maximum one audit per 12-month period, unless there is reasonable cause for additional audits
- Audit costs borne by the Controller unless deficiencies are found attributable to the Processor
- Third-party audit reports (e.g., SOC 2 Type II) may be provided in lieu of direct audit access, at the Processor’s discretion
12. Liability
The Processor’s liability under this DPA is limited as set out in the NetSenX Terms of Service. Each party is liable for damages caused by processing that infringes this DPA or applicable data-protection law, in accordance with GDPR Art. 82.
13. Termination and Data Return
On termination of the Services agreement, the Processor shall, at the Controller’s choice:
- Return: provide a complete export of all Personal Data in JSON format within 30 days, or
- Delete: permanently delete all Personal Data within 90 days of termination.
Deletion is confirmed in writing. Backup copies expire under the 30-day backup retention in Section 7 and are therefore purged no later than 30 days after the deletion date.
14. Contact and Governing Law
| Data-protection contact | dpo@netsenx.com |
|---|---|
| Processor | TriStiX S.L., Alicante, Spain |
| Governing law | Laws of Spain and applicable EU law, including GDPR (EU) 2016/679 |
| Dispute resolution | Courts of Alicante, Spain |
| Supervisory authority | AEPD — Agencia Española de Protección de Datos — www.aepd.es |
Enterprise customers requiring a signed DPA may request execution by emailing dpo@netsenx.com.