Data Processing Agreement (DPA)
Version 1.1 - Last Updated: December 2025
This Data Processing Agreement (“DPA”) forms part of any contract, order form, subscription agreement, master services agreement, or terms governing the provision of services (“Agreement”) between:
Customer (the Data Controller)
and
NetNodes Limited, trading as DoorFlow and PassFlow (“NetNodes”, the Data Processor).
This DPA applies where NetNodes processes Personal Data on behalf of the Customer in delivering the Services.
1. Definitions
“Applicable Data Protection Laws”
Means all laws relating to the processing of Personal Data, including:
- UK GDPR & UK Data Protection Act 2018
- EU GDPR (Regulation (EU) 2016/679)
- Norwegian GDPR implementation (Lov om behandling av personopplysninger)
- CCPA/CPRA (to the extent applicable)
- Any other laws governing privacy, data protection, or security in relevant jurisdictions.
“Customer Data”
Means any Personal Data that the Customer provides, uploads, transmits, or stores within the Services.
“Sub-processor”
Means any third party engaged by NetNodes to process Personal Data on behalf of the Customer.
“Services”
Means the DoorFlow and/or PassFlow software platforms, APIs, infrastructure, and related services.
All other GDPR-defined terms (e.g., “Personal Data”, “Processing”, “Data Subject”, “Controller”, “Processor”) carry their standard meaning.
2. Roles of the Parties
- Customer is the Data Controller.
- NetNodes is the Data Processor.
- For US customers, Customer is the “business” and NetNodes is the “service provider” under the CCPA/CPRA.
NetNodes will process Customer Data strictly on documented instructions.
3. Scope of Processing
3.1 Nature and Purpose of Processing
NetNodes processes Customer Data only as needed to:
- Provide and maintain the Services
- Handle authentication and access control
- Deliver notifications, logs, system events, digital passes, updates, and backups
- Support, troubleshoot, secure, and improve the Services
- Perform analytics within the Customer’s environment or in aggregated/anonymous form
- Comply with applicable law or a lawful request
3.2 Categories of Personal Data
Depending on Customer configuration:
- Name, email, phone, profile photo (optional)
- Digital pass information (PassFlow)
- Access credentials and identifiers
- Access control events (DoorFlow)
- System log data
- User permissions, roles, and groups
- Device identifiers and API usage
3.3 Categories of Data Subjects
- Customer’s employees
- Contractors and third-party staff
- Visitors, members, customers, tenants, or pass holders
- Administrators and authorised users
3.4 Duration
This DPA applies for the duration of the underlying Agreement, and thereafter until all Customer Data is deleted.
4. Customer Instructions
NetNodes will process data only:
- On documented instruction from the Customer
- As required to provide the Services
- As required by law
If NetNodes believes an instruction violates data protection law, NetNodes will notify the Customer.
5. Security Measures
NetNodes will implement and maintain industry-standard technical and organisational safeguards including, at minimum:
- Encryption in transit and at rest
- Network segmentation & firewalling
- Strict access controls and least-privilege enforcement
- Multi-factor authentication for administrative access
- Continuous monitoring and logging
- Regular vulnerability assessments and internal security reviews
- Secure development lifecycle practices
- Backup and disaster recovery policies
- Employee background checks where legally permitted
- Mandatory confidentiality agreements
A high-level security overview is available upon request.
6. Sub-processors
6.1 Authorised Sub-processors
Customer authorises NetNodes to engage Sub-processors necessary to provide the Services, including cloud hosting, email delivery, and support services.
A current list is available at: https://policy.netnodes.net/subprocessors
6.2 Sub-processor Obligations
NetNodes will:
- Notify customers of any changes by email and/or by posting an updated list at the URL provided
- Ensure sub-processors are bound by data protection terms at least as protective as this DPA
- Remain fully liable for its sub-processors
Customer may object to a new sub-processor where reasonable, and NetNodes will work in good faith to resolve the objection.
7. International Data Transfers
Where Customer Data is transferred outside the UK/EEA:
- NetNodes will implement appropriate safeguards (e.g., SCCs, UK IDTA, adequacy decisions)
- Additional organisational and technical measures will be applied where required
- Customer will be notified of material changes to transfer mechanisms
NetNodes will not engage in any transfer that violates Applicable Data Protection Laws.
8. Data Subject Rights
NetNodes will assist the Customer in responding to:
- Access, rectification, erasure requests
- Restriction or objection requests
- Data portability
- Consent withdrawal (where applicable)
NetNodes will not respond to Data Subject requests directly unless legally required.
9. Personal Data Breach Notification
NetNodes will:
- Notify Customer without undue delay after becoming aware of a Personal Data Breach
- Provide available information to help the Customer meet regulatory obligations
- Assist with investigation, mitigation, and notification processes
Customer is responsible for notifying authorities or Data Subjects unless otherwise agreed.
10. Audit Rights
Upon reasonable notice:
- Customer may audit NetNodes’ compliance once per 12 months
- NetNodes may satisfy audits by providing certifications, summaries of internal audits, or third-party assessments
- On-site audits are permitted only where strictly necessary and subject to confidentiality and scheduling constraints
Audits must not interfere with NetNodes’ operations or security posture.
11. Data Deletion and Return
Upon termination of Services:
- NetNodes will delete all Customer Data from active systems within 90 days
- Backups will be securely destroyed on their natural rotation cycle
- Customer may request data export prior to deletion
NetNodes may retain minimal information necessary for legal, audit, or accounting obligations.
12. Confidentiality
NetNodes will ensure that employees and authorised personnel:
- Are subject to confidentiality obligations
- Access Customer Data only when necessary
- Are trained in data protection and security
13. Assistance with DPIAs & Compliance
NetNodes will cooperate as reasonably required with:
- Data Protection Impact Assessments (DPIAs)
- Prior consultations with supervisory authorities
- Security assessments requested by regulators
Reasonable administrative fees may apply for excessive or complex requests.
14. CCPA/CPRA Supplemental Terms (US Customers)
For US customers subject to the California Consumer Privacy Act:
- NetNodes acts as a service provider
- NetNodes will not sell or share Customer Data
- NetNodes will not retain, use, disclose, or combine Customer Data for any purpose outside the Services
- Customer retains all consumer rights under the CCPA/CPRA
15. Liability
Liability is governed by the underlying Agreement.
Nothing in this DPA limits statutory rights under GDPR or CCPA.
16. Termination
This DPA terminates automatically when the underlying Agreement terminates and all Customer Data is deleted.
17. Governing Law
Where the underlying Agreement does not specify:
- For EU/EEA/UK customers: UK law applies
- For US customers: the governing law of the Agreement applies
- For rest-of-world customers: English law applies
18. Order of Precedence
If this DPA conflicts with other terms of the Agreement, this DPA prevails to the extent required by data protection law.
19. Signatures
This DPA may be executed electronically or incorporated by reference into an online agreement.