Data Processing Agreement

"Personal Data" means any information relating to an identified or identifiable natural person that is Processed by the Processor on behalf of the Controller in connection with the Services.

"Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

"Sub-processor" means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.

"Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR, CCPA, and any national implementing legislation.

"Standard Contractual Clauses" (SCCs) means the contractual clauses approved by the European Commission for international data transfers.

The Processor shall Process Personal Data only to the extent necessary to provide the NebulaProof Services as described in the Agreement, including:

• Secure file storage and retrieval using zero-knowledge encryption
• Generation of cryptographic proofs for data integrity verification
• User authentication and access management
• Billing and subscription management
• Customer support and communication
• Service analytics and improvement (anonymized data only)

The following categories of Personal Data may be Processed:

This architecture means:

• We cannot read, access, or decrypt your stored files
• We cannot comply with requests to produce plaintext Customer Content
• You retain complete control over your encryption keys
• Loss of encryption keys results in permanent data loss

The Controller agrees to:

• Ensure that there is a lawful basis for the Processing of Personal Data
• Provide Data Subjects with required privacy notices
• Ensure accuracy and quality of Personal Data provided to the Processor
• Respond to Data Subject requests with Processor assistance as needed
• Maintain appropriate security measures for encryption keys
• Notify the Processor of any changes affecting Processing activities

The Processor agrees to:

• Process Personal Data only on documented instructions from the Controller
• Ensure personnel authorized to Process Personal Data are bound by confidentiality
• Implement appropriate technical and organizational security measures
• Engage Sub-processors only with prior authorization and equivalent obligations
• Assist the Controller in responding to Data Subject requests
• Delete or return Personal Data upon termination of Services
• Make available all information necessary to demonstrate compliance
• Allow for and contribute to audits conducted by the Controller

The Processor implements and maintains the following technical and organizational security measures:

The Controller authorizes the use of the following Sub-processors:

The Processor will notify the Controller at least 30 days before adding or replacing Sub-processors, allowing the Controller to object to such changes.

For transfers of Personal Data from the European Economic Area, United Kingdom, or Switzerland to countries not deemed adequate by relevant authorities, the parties agree to rely on:

• Standard Contractual Clauses (Module 2: Controller to Processor)
• Binding Corporate Rules where applicable
• Additional safeguards as required by Schrems II decision

Upon request, the Processor will execute the Standard Contractual Clauses with the Controller.

The Processor will assist the Controller in fulfilling its obligations to respond to Data Subject requests, including:

• Right of Access - Confirmation and copy of Personal Data
• Right to Rectification - Correction of inaccurate data
• Right to Erasure - Deletion of Personal Data
• Right to Restriction - Limiting Processing activities
• Right to Data Portability - Export in machine-readable format
• Right to Object - Objection to certain Processing

Note: Due to our zero-knowledge architecture, certain requests regarding encrypted Customer Content can only be fulfilled by the Controller using their encryption keys.

In the event of a Personal Data breach, the Processor will:

• Notify the Controller without undue delay, and in any event within 24 hours of becoming aware of the breach
• Provide detailed information about the nature of the breach
• Describe the likely consequences of the breach
• Describe measures taken or proposed to address the breach
• Cooperate with the Controller in investigating and mitigating the breach
• Assist in notifying relevant supervisory authorities and Data Subjects

The Controller has the right to audit the Processor's compliance with this DPA:

• Documentation Audit - Request and review compliance documentation, certifications, and policies
• Third-Party Audit - Review SOC 2 Type II reports and other independent audit reports
• On-site Audit - Conduct on-site audits with reasonable notice (Enterprise tier only)

The Processor will make available the following upon request:

• SOC 2 Type II report
• Penetration test summaries
• Security policies and procedures
• Sub-processor agreements (redacted)

Upon termination of the Services:

• The Controller may export Customer Content for 30 days following termination
• After the export period, all Customer Content will be permanently deleted within 30 days
• Backup copies will be deleted within 90 daysof primary deletion
• Upon request, the Processor will provide written certification of deletion

Note: Certain data may be retained as required by law or for legitimate business purposes (e.g., billing records, audit logs). Such retention will be disclosed upon request.

For Processing of Personal Information of California residents:

• The Processor is a "Service Provider" as defined by CCPA
• Personal Information is processed only for the business purposes specified in this DPA
• The Processor will not sell Personal Information
• The Processor will not retain, use, or disclose Personal Information outside the direct business relationship
• The Processor certifies understanding of CCPA restrictions and will comply

For customers subject to the Health Insurance Portability and Accountability Act (HIPAA):

• A separate Business Associate Agreement (BAA) is required
• NebulaProof supports HIPAA-compliant deployments on Enterprise tier
• Zero-knowledge encryption provides additional PHI protection
• Contact compliance@nebulaproof.com to execute a BAA

Each party's liability arising out of or related to this DPA is subject to the limitations set forth in the Agreement, except that:

• No limitation shall apply to breaches of confidentiality obligations
• No limitation shall apply to willful misconduct or gross negligence
• Each party shall be liable for fines and penalties imposed by Data Protection Authorities to the extent caused by that party's breach of Data Protection Laws

This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon termination of the Agreement, subject to:

• Provisions regarding data return and deletion survive termination
• Audit rights survive for 2 years following termination
• Confidentiality obligations survive indefinitely

The Processor may update this DPA to reflect changes in:

• Data Protection Laws and regulatory guidance
• Sub-processor arrangements
• Security measures and certifications
• Service features affecting data processing

Material changes will be notified to the Controller at least 30 days in advance. Continued use of the Services after the effective date constitutes acceptance of the updated DPA.