NIZU

Data Processing Agreement

This Data Processing Agreement (hereinafter: "DPA") defines the data protection obligations of the contractual parties, and the data processing that takes place as a result of the Client's main contract with NIZU OÜ. The DPA applies to all activities relevant to the main contract in which employees of NIZU or third parties commissioned by NIZU process personal data on behalf of the Client.

This DPA is structured in parallel with, and is dependent upon, the Data Processing Agreement between NIZU OÜ and Hetzner Online GmbH — NIZU's primary infrastructure provider. Where this DPA refers to Technical and Organisational Measures (TOMs) or sub-processor arrangements, these are bound by and do not exceed the measures and guarantees provided by Hetzner Online GmbH under their own DPA and TOMs.


Document Reference: NIZU-DPA-001  ·  Version: 1.0  ·  Governing Law: Republic of Estonia · European Union

§ 1. Subject Matter & Duration

This DPA governs the processing of personal data by NIZU OÜ (the "Supplier" / Data Processor) on behalf of the Client (the "Controller"), as a result of the main contract constituted by the NIZU WorkSpace product description and Terms of Service (NIZU-TOS-001). The Client is considered the Controller within the scope of Art. 4 No. 7 GDPR and is solely responsible for compliance with data protection regulations, including the lawfulness of all data transfers to NIZU.

This DPA is dependent on the existence of the main contractual relationship. Cancellation or termination of the main contract simultaneously terminates this DPA.

NIZU has no legal relationship with the Client's end-users. NIZU has no legal relationship, obligation, or liability of any kind towards the Client's own customers, users, employees, or third parties. The Client is solely and exclusively responsible for all GDPR obligations owed to its own end-users. NIZU shall not respond to data subject requests from the Client's end-users directly.

§ 2. Object, Nature & Purpose of Processing

The object, nature, and purpose of any possible collection, processing, or use of personal data, the nature of the data, and the Data Subjects are described in Appendix 1 of this DPA, as completed by the Client. Processing is carried out exclusively to enable the delivery, operation, security, and maintenance of the NIZU WorkSpace Service.

§ 3. Third Country Data Transfer

Data processing will occur exclusively within a member state of the European Union or EEA, to the extent technically possible given the Hetzner GmbH infrastructure. Any transfer to a third country requires the prior consent of the Client and may only occur where the conditions in Articles 44 et seq. GDPR are fulfilled, including by one of the following mechanisms:

  • Adequacy decision of the European Commission (Art. 45 GDPR);
  • Standard Contractual Clauses (SCCs) — Art. 46(2)(c) GDPR;
  • Binding Corporate Rules — Art. 47 GDPR;
  • Approved codes of conduct or certification mechanisms — Art. 46(2)(e)/(f) GDPR.

Note on EU-only data residency: If the Client selects a server location within the EU, data will be processed exclusively within the EU. Clients requiring EU-only data residency must select an EU server location when configuring their Workspace. Hetzner's approved sub-processors in the USA and Singapore are listed in Appendix 3.

§ 4. Technical & Organisational Measures (TOMs)

NIZU will implement TOMs ensuring adequate protection of the Client's data in compliance with Art. 32 GDPR, including assessment of risks to Data Subjects' rights and freedoms, and ensuring confidentiality, integrity, availability, and resilience of systems. TOMs are subject to technical progress; substantial changes will be documented.

NIZU OÜ's TOMs are based upon and aligned with those of Hetzner Online GmbH. Full TOM details are set out in Appendix 2 of this DPA. The current Hetzner TOMs — which form the technical foundation of NIZU's security posture — are published at hetzner.com/AV/TOM_en.pdf.

§ 5. Quality Assurance & Supplier Duties

The Supplier guarantees compliance with the following requirements:

  • Appointed DPO: NIZU has a designated Data Protection Officer, contactable at legal@nizu.io;
  • Confidentiality: Only employees bound by confidentiality obligations process the Client's data; this obligation continues after contract end;
  • TOM implementation: All necessary TOMs are implemented and followed as per § 4;
  • Supervisory authority cooperation: NIZU will cooperate with any supervisory authority upon request and immediately inform the Client of any inspections relating to this DPA;
  • Regulatory support: NIZU will support the Client in regulatory proceedings, inspections, or claims arising from processing under this Agreement;
  • Regular TOM review: NIZU regularly monitors internal processes and TOM effectiveness to ensure compliance;
  • Data subject request support: If a Data Subject contacts NIZU directly, NIZU will promptly refer them to the Client and forward the request immediately. This obligation applies only to Data Subjects with whom NIZU has a direct platform-level relationship — not to the Client's own end-users;
  • Breach reporting: NIZU will inform the Client immediately upon becoming aware of any personal data breach, including: the nature of the breach, categories and approximate number of affected Data Subjects and records, contact details of the DPO, likely consequences, and remedial measures taken or planned.

§ 6. The Client's Responsibilities

The Client must inform NIZU immediately and in full if they discover any errors or irregularities in processed data. The Client is solely and exclusively responsible for:

  • The lawfulness of all data processing within the Client's Workspace;
  • Appropriate legal bases under Art. 6 GDPR (and Art. 9 GDPR where applicable);
  • Required privacy notices and obtaining necessary consents from the Client's own end-users;
  • Fulfilling data subject rights requests directed at the Client;
  • Notifying the competent supervisory authority and/or data subjects of any breach within GDPR timeframes;
  • Maintaining independent backups of any data stored within the NIZU WorkSpace platform.

§ 7. Sub-contractual Relationships

The Client grants NIZU general authorisation to engage sub-processors for Service delivery. NIZU's primary infrastructure sub-processor is Hetzner Online GmbH. NIZU will inform the Client in good time before engaging or replacing a sub-processor. The Client has 14 days from notification to exercise data protection objection rights. Failure to object within this period constitutes acceptance. The Client agrees to the sub-processors listed in Appendix 3.

§ 8. Client's Inspection Rights

NIZU will provide the Client with all relevant information to verify compliance with this DPA upon request. Proof of compliance may be provided via codes of conduct, certifications, third-party auditor reports, or IT security audits. Hetzner audit results are published at accounts.hetzner.com/account/dpa and are made available to the Client without charge.

The Client may perform additional checks under Art. 28(3)(h) GDPR subject to: written notice of at least 30 calendar days; no more than once per calendar year; during normal business hours; at the Client's cost; without interrupting NIZU's operations. NIZU may object if the Client commissions a direct competitor to conduct the audit.

§ 9. Further Support Obligations (Arts. 32–36 GDPR)

NIZU will support the Client in complying with its obligations under Arts. 32–36 GDPR, including:

  • Implementing appropriate TOMs to ensure adequate protection and immediate detection of breaches;
  • Notifying the Client of personal data breaches without delay;
  • Supporting the Client with its duty to inform Data Subjects;
  • Supporting the Client with data protection impact assessments;
  • Supporting the Client in prior consultations with supervisory authorities.

NIZU may charge a fee for support services that go beyond its statutory responsibilities or that are not considered misconduct on NIZU's part.

§ 10. Client's Authority to Issue Instructions

NIZU and its personnel may process data under this DPA exclusively within the scope of the Client's main contract and in accordance with the Client's documented instructions, unless legally required otherwise. Instructions may be amended in writing or text form (including by email). NIZU will immediately inform the Client if it believes an instruction infringes the GDPR (duty to remonstrate) and may suspend implementation until the Client affirms or amends it.

§ 11. Deletion & Return of Personal Data

No copies or duplicates of data will be created without the Client's knowledge, except for backup copies necessary for proper processing and data required by statutory storage obligations. Upon the Client's written request following contract conclusion, data, data storage devices, and documents must be returned or deleted. If compliant deletion is not possible, NIZU will ensure data storage devices are destroyed in compliance with data protection regulations.

Retention limitation: NIZU's ability to retrieve or return data following termination is limited by the capabilities of the underlying Hetzner GmbH infrastructure. NIZU accepts no liability for data that cannot be recovered following the expiry of the applicable retention period. The Client is solely responsible for exporting all required data prior to termination.

§ 12. Reimbursement

Fees for support services under §§ 8, 9, and 11 that go beyond NIZU's statutory obligations will be agreed in advance, based on an hourly rate for the NIZU employee performing the relevant service. NIZU is not entitled to remuneration for services necessitated by NIZU's own data protection violations.

§ 13. Other Agreements

Choice of Law: This DPA is governed exclusively by the laws of the Republic of Estonia and applicable European Union law. The exclusive place of jurisdiction for all disputes is the competent courts of the Republic of Estonia, seated in Tallinn. No foreign court, arbitral body, or regulatory authority outside Estonia and the EU has jurisdiction.

Liability: The liability clause in the main contract (NIZU-TOS-001, § 4) also applies to data processing under this DPA.

Safekeeping: If Client data stored with NIZU is jeopardised by seizure, insolvency, or third-party action, NIZU will immediately inform the Client and notify all responsible parties that ownership of the data lies exclusively with the Client/Controller, unless prohibited by law or court order.

Amendments: Any amendments to this DPA require written agreement (which may be in electronic form), clearly stating that it is an amendment to this DPA.

Precedence: In the event of contradictions, the provisions of this DPA on data protection take precedence over the main contract.

Severability: If any part of this DPA becomes invalid, the validity of the remaining provisions is unaffected.

§ 14. External Storage Services — DPA Void

This DPA governs exclusively the processing of personal data that occurs within the NIZU WorkSpace platform infrastructure, hosted on servers operated by NIZU OÜ via Hetzner Online GmbH. The protections, obligations, and guarantees set out in this DPA apply solely to data that remains within this defined infrastructure boundary.

If the Client Administrator configures the Client Workspace to connect to, store data in, or transmit personal data to any external file storage, object storage, or cloud storage service not operated by NIZU OÜ or Hetzner Online GmbH, this DPA is automatically void and of no effect in relation to any personal data processed through or stored within such external service.

This includes, without limitation:

  • Amazon Web Services (AWS) — including Amazon S3, EFS, Glacier, and any other AWS storage product;
  • Google — including Google Drive, Google Cloud Storage, and any other Google storage product;
  • Backblaze — including Backblaze B2 Cloud Storage;
  • Cloudflare — including Cloudflare R2 Storage and any Cloudflare data services;
  • Microsoft — including Azure Blob Storage, OneDrive, and SharePoint;
  • Dropbox, Box, Wasabi, DigitalOcean Spaces, Vultr Object Storage, or any other third-party storage provider;
  • Any other external storage, backup, or file hosting service not expressly listed in Appendix 3 of this DPA.

Where the Client Administrator routes personal data to any external storage service: NIZU has no visibility, control, or oversight over the personal data once it leaves the NIZU WorkSpace infrastructure boundary. NIZU cannot and does not make any representation, warranty, or guarantee regarding the security, availability, integrity, or GDPR compliance of any external storage provider. NIZU OÜ accepts zero liability of any kind — whether contractual, tortious, regulatory, or otherwise — for any data protection failure, security incident, data breach, regulatory sanction, or harm to Data Subjects arising from the Client's use of any external storage service.

The Client becomes the sole Data Controller responsible for: a valid Data Processing Agreement directly with the external storage provider; cross-border transfer safeguards where the provider processes data outside the EEA; and the privacy rights of all Data Subjects whose data is transferred. The Client Administrator is responsible for notifying NIZU at legal@nizu.io if external storage services are integrated into the Client Workspace.

This DPA resumes full effect in respect of personal data that is returned to and stored exclusively within the NIZU WorkSpace infrastructure, provided the Client can demonstrate to NIZU's reasonable satisfaction that the data has not been further processed or exposed through any external storage service during the period of external storage.

§ 15. Contact

NIZU OÜ (Supplier / Data Processor)  ·  VAT: EE102264113
Harju maakond, Tallinn, Lasnamäe linnaosa, Lõõtsa tn 5, 11415, Estonia
legal@nizu.io
Infrastructure Sub-Processor: Hetzner Online GmbH, Industriestraße 25, 91710 Gunzenhausen, Germany

Appendix 1 — Scope, Type & Purpose of Data Processing

Processing is carried out exclusively to enable the delivery, operation, security, and maintenance of the NIZU WorkSpace Service, as described in the main contract (NIZU-TOS-001).

Types of data that may be processed (as determined by the Client):

  • Personal master data (name, email address, username);
  • Communication data;
  • Contract and master data;
  • Log data (access logs, authentication events, session metadata);
  • Contract invoicing and payment reference data;
  • Any other data categories as specified by the Client in its use of the Service.

Data Subjects:

  • Customers and prospective customers of the Client;
  • Associates, employees, and contractors of the Client;
  • Any other natural persons whose data the Client introduces into the Workspace.

The categories above are defined by the Client as Data Controller. NIZU processes only such categories as the Client instructs. The Client is solely responsible for ensuring that its processing of any of the above categories has a lawful basis under the GDPR.

Appendix 2 — Technical & Organisational Measures (TOMs)

NIZU OÜ's TOMs are based upon and aligned with those implemented by Hetzner Online GmbH (published at hetzner.com/AV/TOM_en.pdf). Where a TOM category is the "Client's responsibility" in Hetzner's framework, it remains the Client's responsibility within the NIZU WorkSpace environment.

  • Physical access control: Electronic access control with logging, video monitoring, security fencing, visitor policy — managed by Hetzner at data centre facilities;
  • Electronic access control: Individual customer accounts, traceable access and change logs, password requirements with defined minimums, 2FA option, MFA for NIZU administrative access;
  • Internal access control: Role-based access controls for NIZU platform administration; maintaining/securing/updating data within Workspace is the Client's responsibility;
  • Transfer control: Defined data deletion process post-contract, physical destruction of drives where erasure is not possible, TLS 1.2+ encryption for data in transit;
  • Isolation control: Logical separation of data per Client Workspace; additional measures within the Workspace are the Client's responsibility;
  • Pseudonymisation: Platform-level usage metadata pseudonymised after 24 months; pseudonymisation within the Workspace is the Client's responsibility;
  • Confidentiality: NIZU employees bound by confidentiality agreements; regular data protection training; TLS 1.2+ for data in transit; encryption at rest within Workspace is the Client's responsibility;
  • Integrity: Audit-proof logging and virus/security scanning at Hetzner infrastructure level; data integrity within Workspace is the Client's responsibility;
  • Availability & resilience: 24/7 Hetzner data centre operations, UPS and emergency power, redundant cooling, fire protection, 99.9% network availability per Hetzner GTC, continuous DDoS recognition, Hetzner-managed firewall where applicable;
  • Regular testing & evaluation: Data protection and ISMS in place; designated DPO integrated into operations; privacy by default/design; incident response management; Hetzner ISO 27001, BSI C5 Type 2 certifications; annual TOM review by external provider.

Appendix 3 — Approved Sub-Processors

By entering into this DPA, the Client approves the following sub-processors. NIZU will notify the Client of any changes per § 7.

NIZU OÜ direct sub-processor:

  • Hetzner Online GmbH — Industriestraße 25, 91710 Gunzenhausen, Germany — cloud infrastructure, server hosting, data storage, network.

Hetzner Online GmbH sub-processors (infrastructure chain):

  • Hetzner Finland Oy — Huurrekuja 10, 04360 Tuusula, Finland — building rental, technical support (Finland);
  • Hetzner US LLC — 1500 Broadway, 19th Fl, New York, NY 10036, USA — server rental (USA);
  • NTT Global Data Centers Americas, Inc. — 1625 National Drive, Sacramento, CA 95834, USA — colocation (USA);
  • QTS Investment Properties Hillsboro, LLC — 12851 Foster Street, Overland Park, KS 66213, USA — colocation (USA);
  • Hetzner Singapore Pte. Ltd. — 1 Scotts Road, #21-10 Shaw Centre, Singapore 228208 — server rental (Singapore);
  • NTT Global Data Centers SG1 Pte Ltd — 8 Kallang Avenue #15-01/09, Aperia, 339509 Singapore — colocation (Singapore).

Please note: If the Client has chosen a server location within the EU, data will only be processed within the EU. Technical and customer support services for all server locations are provided within the EU. NIZU strongly recommends that Clients requiring EU-only data residency select an EU server location within their Workspace configuration.
