Data Processing Addendum
Last Updated: December 28, 2024
This Data Processing Addendum ("DPA") is incorporated into the Master Services Agreement. It reflects the parties’ agreement with respect to the processing of Personal Data in connection with the Data Protection Laws of Switzerland (Swiss FADP) and the European Economic Area (GDPR).
1. Definitions and Interpretation
Terms such as "Controller", "Processor", "Data Subject", and "Personal Data" shall have the meanings ascribed to them in the GDPR/FADP. For the purposes of this DPA, Customer is the Controller and Nevskiy is the Processor.
2. Security of Processing
2.1 Technical Measures: Nevskiy shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption at Rest: All persistent storage volumes (NVMe/SSD) are encrypted using AES-256-XTS standards.
- Encryption in Transit: All control plane traffic is encapsulated in TLS 1.3 tunnels.
- Physical Security: Data centers utilize biometric access controls, 24/7 manned security, and mantrap entry points.
3. Sub-processors
3.1 Authorization: Customer grants general authorization for Nevskiy to engage third-party sub-processors to support the delivery of Services.
3.2 List of Sub-processors:
| Entity | Service | Location |
|---|---|---|
| Stripe, Inc. | Payment Processing | USA / Global |
| Equinix | Colocation Facilities | CH, IS, SG |
| Cloudflare | DDoS Protection | Global Anycast |
4. Data Breach Notification
In the event of a Personal Data Breach affecting Customer Data, Nevskiy shall notify Customer without undue delay (and in any event within 48 hours) after becoming aware of the breach. Notification shall describe the nature of the breach, likely consequences, and measures taken to mitigate it.