Data Processing Agreement

Version: 1.0
Last updated: 21 May 2026

This Data Processing Agreement ("DPA") is entered into between:

  • Data Controller: The Customer entity identified in the applicable Order Form ("Controller")
  • Data Processor: TriStiX S.L., NIF B-26925016, registered in the Registro Mercantil de La Rioja, Spain ("Processor")

This DPA supplements the Terms of Service and governs the Processor's processing of personal data on behalf of the Controller pursuant to GDPR Art. 28.

1. Definitions

Terms not defined herein have the meanings given in the GDPR (Regulation (EU) 2016/679) or the Terms of Service.

  • "Personal Data" — Any information relating to an identified or identifiable natural person processed through the Service.
  • "Processing" — Any operation performed on Personal Data, as defined in GDPR Art. 4(2).
  • "Sub-processor" — A third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. Scope and Purpose of Processing

2.1. The Processor processes Personal Data solely for the purpose of providing the NetSenX NDR platform and related services as described in the Terms of Service.

2.2. Categories of Data Subjects: Customer employees, contractors, and network users whose data traverses the monitored network.

2.3. Types of Personal Data: Network flow metadata, IP addresses, device identifiers, authentication logs, and account information.

2.4. Duration: Processing continues for the duration of the Subscription Term plus the data export period defined in the Terms of Service.

3. Obligations of the Processor (Art. 28(3))

The Processor shall:

(a) Process Personal Data only on documented instructions from the Controller, unless required to do so by EU or Member State law.

(b) Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c) Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Pseudonymization of network identifiers where feasible
  • Regular security testing and vulnerability assessments
  • Incident response procedures with defined SLAs
  • Access controls with role-based permissions and audit logging

(d) Respect the conditions for engaging sub-processors (see Section 5).

(e) Assist the Controller in fulfilling data subject rights requests (GDPR Art. 15-22) through appropriate technical and organizational measures.

(f) Assist the Controller in ensuring compliance with GDPR Art. 32-36 (security, breach notification, DPIA, prior consultation).

(g) At the Controller's choice, delete or return all Personal Data upon termination of the Service, and delete existing copies unless storage is required by EU or Member State law.

(h) Make available to the Controller all information necessary to demonstrate compliance with Art. 28, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

4. Obligations of the Controller

The Controller shall:

4.1. Provide documented processing instructions to the Processor.

4.2. Ensure it has a valid legal basis for the processing under GDPR Art. 6.

4.3. Fulfill data subject rights requests and transparency obligations.

4.4. Notify the Processor of any changes to processing instructions.

5. Sub-processors

5.1. The Controller provides general written authorization for the Processor to engage sub-processors, subject to the conditions in this Section.

5.2. Current Sub-processors:

  Sub-processor         Purpose                  Location
  Hetzner Online GmbH   Infrastructure hosting   Germany
  Cloudflare, Inc.      CDN, security, DNS       EU (with global edge)
  Stripe, Inc.          Payment processing       USA (EU SCCs)
  Resend, Inc.          Transactional email      USA (EU SCCs)
  PostHog, Inc.         Product analytics        EU (Frankfurt)

5.3. The Processor shall inform the Controller of any intended changes to sub-processors at least 30 days in advance, providing the Controller an opportunity to object.

5.4. If the Controller objects on reasonable data protection grounds, the parties shall work together in good faith to resolve the objection. If no resolution is reached, the Controller may terminate the affected Service component.

5.5. The Processor shall impose data protection obligations on each sub-processor that are no less protective than those in this DPA.

6. International Transfers

6.1. Personal Data shall be processed within the European Economic Area (EEA) unless otherwise agreed.

6.2. Transfers to third countries are only made pursuant to GDPR Art. 46(2)(c) (Standard Contractual Clauses) or Art. 45 (adequacy decisions).

6.3. The Processor shall execute SCCs with any sub-processor located outside the EEA.

7. Data Breach Notification

7.1. The Processor shall notify the Controller without undue delay, and in any case within 24 hours, after becoming aware of a Personal Data breach.

7.2. The notification shall include:

  • Description of the nature of the breach
  • Categories and approximate number of data subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to mitigate the breach

7.3. The Processor shall cooperate with the Controller to fulfill the Controller's notification obligations under GDPR Art. 33 (72-hour authority notification) and Art. 34 (data subject notification).

8. Audits

8.1. The Processor shall make available SOC 2 audit reports, ISO 27001 certification documentation, and penetration test summaries upon request.

8.2. The Controller may conduct or commission an on-site audit with 30 days written notice, during business hours, and no more than once per calendar year (unless required by a supervisory authority or following a data breach).

8.3. The Controller shall bear the costs of any audit initiated by the Controller.

9. Term and Termination

9.1. This DPA enters into force on the effective date of the Terms of Service and remains in effect for the duration of the processing.

9.2. Upon termination, the Processor shall, at the Controller's election:

  • Return all Personal Data in a structured, machine-readable format; or
  • Securely delete all Personal Data and certify deletion in writing.

9.3. The Processor may retain Personal Data to the extent required by applicable law, subject to continued confidentiality and security obligations.

10. Liability

The liability of each party under this DPA is subject to the limitations of liability set out in the Terms of Service.

11. Governing Law

This DPA is governed by the same law as the Terms of Service (Spanish law for EU customers, English law for non-EU customers).


TriStiX S.L. — NIF B-26925016 Registered in the Registro Mercantil de La Rioja, Spain

This DPA is a template. For executed copies, contact legal@netsenx.com.