Data Processing Agreement (DPA)

Last Update: May 14, 2024.


This Data Processing Agreement (“DPA”) is entered between Nelio Software S.L. (“Nelio”) and Customer, together referred to as the “Parties”.

The Parties agree that this Nelio Services Data Processing Agreement (“DPA”) sets forth their obligations with respect to the processing and security of Customer Data, and Personal Data subject to Applicable Data Protection Laws in connection with the Services. The DPA is incorporated by reference into the Agreement. 

All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

1. Definitions

Nelio” means the Nelio Software S.L company.

Applicable Data Protection Laws” means, to the extent applicable:

(i) the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”), Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (“e-Privacy Directive”), the UK Data Protection Act 2018 (“UK GDPR”), as well as any other laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom; and (ii) all privacy and data protection laws and regulations, worldwide (whether, national, state, provincial, local or otherwise), applicable to the Processing of Personal Data under the Agreement, as may be amended, extended, re-enacted, or interpreted from time-to-time; and including without limitation, any applicable jurisdiction-specific terms specified in Annex V.

Agreement” means the Nelio’s Terms of Service, Privacy Policy and other relevant documents announced on our website, which govern the provision of the Services to Customer, and which may be updated from time to time.

Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

Data Subject” means the identified or identifiable person to whom Personal Data relates.

Personal Data” means “any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”, as defined under the General Data Protection Regulation 2016/679 and includes any equivalent definition in the Applicable Data Protection Laws;

Process, Processing or Processed” means “any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”, as defined under the General Data Protection Regulation 2016/679 and includes any equivalent definition in the Applicable Data Protection Laws;

Processor” means the entity which Processes Personal Data on behalf of the Controller.

Sensitive Information” means any Personal Data that is defined as sensitive information or sensitive data under Applicable Data Protection Laws and that requires additional protections, safeguards or security measures under such applicable laws. Sensitive Information includes, but is not limited to, Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offenses.

Standard Contractual Clauses” or“SCCs” means the “Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council” as adopted by the European Commission on 4 June 2021 (Commission Implementing Decision (EU) 2021/914) – and where relevant the Data Protection Law are the laws of the United Kingdom, Standard Contractual Clauses and SCCs shall be interpreted to include any standard data protection clauses adopted under UK GDPR, Art.46. as set out in Annex IV,

Sub-processor” means any Processor engaged by Nelio to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this DPA. Sub-processors may include third parties but shall exclude Nelio employees, contractors, or consultants.

Supervisory Authority” means an independent statutory regulatory authority with respect to Personal Data privacy under Applicable Data Protection Laws.

Third Country” means any country, organization or territory not acknowledged under Applicable Data Protection Laws as a safe country with an adequate level of data protection.

TOMs” means Nelio’s technical and organizational security measures as outlined in Section 3.2.

UK Addendum to the SCCs” means the United Kingdom Addendum B.1.0 to the Standard Contractual Clauses issued by the United Kingdom Commissioner’s Office.

2. Processing of Personal Data

2.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Customer Data, Nelio is the Processor acting on behalf of Customer (whether itself a Crocessor or a Processor). Nelio may engage third-party Sub-processors set out in Annex III of this DPA (also accessible via

2.2 Compliance. The Parties have agreed that it may be necessary for the Processor to Process certain Personal Data on behalf of the Controller; in light of this Processing, the Parties have agreed to enter into this DPA to address the compliance obligations imposed upon the Controller pursuant to the Applicable Data Protection Laws.

2.3 Nelio’s Processing. Nelio shall only process Personal Data in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement; (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (including but not limited to email) where such instructions are consistent with the terms of the Agreement. Nelio shall be entitled to process Personal Data in countries acknowledged by the European Union based on Article 45 of GDPR as a safe country with an adequate level of data protection, including the United Kingdom and the United States, as well as Third Countries outside the EU/EEA.

2.4 Customer’s Processing of Personal Data. Customer shall, in its Services Use, Process Personal Data in accordance with the requirements of Applicable Data Protection Laws. Customer’s instructions for the Processing of Personal Data must comply with Data Protection Laws. Customer shall have sole responsibility for –

2.4.1 the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data, including but not limited to the proper notice and consent required for such Personal Data;

2.4.2 ensuring that any transfers of Personal Data to third parties (other than Nelio and Sub-processors) which either (i) are enabled through accounts or connections set up and deployed by Customer when using the Services, or (ii) enabled by accounts or connections set up by Nelio pursuant to Customer’s instructions, comply with Data Protection Laws;

2.4.3 determining the Personal Data it transfers or instructs Nelio to transfer; assessing which Applicable Data Protection Laws apply to such transfer; and the selection and the terms of engagement of third-party transferees (including any assessment of the requirement for, and the sufficiency of, supplementary safeguard measures to ensure the protection of the Personal Data transferred in the country to which it is to be imported).

2.5 Customer acknowledges that Nelio (as Processor) has no contractual (or other) relationship with those third parties or any rights of oversight or control over them or their Processing operations which may change from time to time and that it is, therefore, reasonable that Customer should have sole responsibility for such compliance.

2.6 Customer shall ensure on an ongoing basis that the Processing of such Personal Data by such third parties shall comply with Applicable Data Protection Laws and shall inform Nelio immediately should it become aware that any transfer of such Personal Data by Nelio no longer complies with Applicable Data Protection Laws, in which case Nelio shall be entitled to discontinue such transfers and Customer shall promptly take such measures as are required to remedy such non-compliance.

2.7 Details of the Processing. The subject-matter of Processing of Personal Data by Nelio is with respect to its delivery of the Services to Customer. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects processed under this DPA are further specified in Annex I.

3. Obligations of Processor

3.1 Nelio Resources, Personnel, and Employees

3.1.1 Confidentiality. Nelio shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Nelio shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

3.1.2 Reliability. Nelio shall take commercially reasonable steps to ensure the reliability of any Nelio personnel engaged in the Processing of Personal Data.

3.1.3 Assistance. Nelio shall provide reasonable assistance and co-operation in response to any request in writing by Customer to assist Customer to comply with its obligation to ensure that such transfers can be made in accordance with Applicable Data Protection Laws.

3.1.4 Limitation of Access. Nelio shall ensure that Nelio’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.

3.2 Security Controls

3.2.1 Technical and Organizational Measures (“TOMs”). Nelio shall maintain appropriate technical and organizational measures for protection of the security, confidentiality and integrity of the Customer Data. Nelio’s TOMs are published (and may be updated from time to time in Annex II of the DPA (also accessible via

3.2.2 Maintenance procedure. Nelio regularly monitors the effectiveness and compliance with the TOMs and responds to emerging risks, changes in applicable legal requirements, technical and organizational change.

3.2.3 Updates. The TOMs are subject to update from time to time for purposes of continuous improvement. Comparable or better levels of security will be maintained. Individual measures may be replaced by new measures that serve the same purpose without diminishing the security level protecting Personal Data.

3.2.4 Controls and Auditing. Nelio routinely controls its TOMs to assure effectiveness and evidence of continual use. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Nelio shall make available to Customer (or Customer’s independent, third-party auditor) documentation and other evidence of the effectiveness of the controls, as applicable, subject to the safeguarding of Nelio’s legitimate interests and to the extent commercially feasible. Nelio may decline to provide internal documentation to its competitors (whether this includes Customer or an auditor).

3.3 Customer Data Incident Management and Notification

3.3.1 Notice. Nelio shall notify Customer, without undue delay, and in no case more than seventy-two (72) hours after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored, or otherwise processed by Nelio or its Sub-processors of which Nelio becomes aware (“Customer Data Incident”).

3.3.2 Identify, Remediate and Inform. Upon becoming aware of a Customer Data Incident, Nelio shall promptly: (i) make all reasonable efforts to identify the cause of such Customer Data Incident, (ii) take those steps as Nelio deems necessary and reasonable in order to remediate the cause of such a Customer Data Incident to the extent the remediation is within Nelio’s reasonable control, (iii) provide Customer with all such information as Customer reasonably requests in connection with such incident, (iv) take such steps as Customer reasonably requires it to take to mitigate the detrimental effects of any such incident on any Data Subjects in relation to such Personal Data and/or on Customer, and (v) otherwise cooperate with Customer in investigating and dealing with such incident and its consequences. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s Users.

3.4 Deletion and/or Return of Customer Data

3.4.1. Nelio shall not acquire any rights in such Personal Data and, on Customer’s request or sixty (60) days after the termination or expiration of the Agreement, will to the extent allowed by applicable law, permanently destroy all copies of any such Personal Data in its possession (in any form or format whatsoever) using industry standard destruction methods. On the Customer’s request, data shall be returned to the Customer in a readable format. Cost to reformat returned data to Customer specifications is borne by the Customer.

4. Obligations of Controller

4.1 Data Protection Laws. Customer shall comply with its obligations as Controller in relation to its Processing of the Personal Data under Applicable Data Protection Laws.

4.2 Updating Nelio. Customer shall inform Nelio without undue delay and comprehensively about any errors or irregularities related to the Processing of Personal Data detected or if it identifies any Personal Data being processed in its use of the Services that contravenes Section 5 below and, where required by Nelio to do so, shall promptly take such steps as Nelio may require to bring its use of the Services into conformance with Section 5.

4.3 Implementation. Nelio provides the Service Plugins, which the Customer is then responsible for implementing (which may include, but is not limited to, customizing, and configuring the Services Plugins) (“Implementation”). Nelio will not have any responsibility or liability that may result from Customer’s Implementation.

5. Restrictions

5.1 Services Restrictions. Notwithstanding any use restriction contained elsewhere in this DPA, Nelio shall process Customer Data to perform the Services, for the purposes described in this DPA and/or in accordance with Customer’s documented lawful instructions, or as otherwise permitted or required by applicable law.

5.2 Sensitive Information. Nelio’s Services are not intended to process Sensitive Information. Customer is solely responsible for determining whether using the Service to process Sensitive Information complies with Applicable Data Protection Laws. If Customer processes Sensitive Information in its Use of the Software Service, Customer is acknowledging that Nelio’s TOMs are sufficient and satisfactory for its purposes in relation to its Processing of its Sensitive Information.

6. Data Subject Rights

6.1 Data Subject Request. As between the Parties, Customer has sole discretion and responsibility in responding to the rights asserted by any individual in relation to Personal Data (“Data Subject Request” or “DSR”). Nelio will promptly forward to Customer any Data Subject Request received by Nelio or its Sub-processors from an individual in relation to Personal Data. Nelio may advise the individual to contact Customer directly in relation to the Data Subject Request.

6.2 DSR Assistance.Taking into account the nature of Nelio’s Processing of Personal Data, Nelio will provide Customer with self-service functionality through the Services Plugins or other reasonable assistance as necessary for Customer to meet its obligations under Applicable Data Protection Laws to respond to Data Subject Requests.

6.3 Incomplete and Duplicate DSRs. Customer must ensure that it does not send to Nelio incomplete or duplicative assistance requests in relation to Data Subject Requests.

6.4 Service Only. Nelioy shall only be obliged to provide assistance in relation to Data Subject Requests where the Personal Data is processed by Nelio, and any such obligation does not extend to any Personal Data processed outside of the Service.

7. DPA Audits

7.1 Audit rights. Customer may, subject to the confidentiality obligations under the Agreement, exercise the audit rights set out in this Section 7 in order to review the TOMs maintained by Nelio as it relates to Processing within Customer’s Service. Customer may appoint an independent third-party auditor (that is not a competitor of Nelio) (“Auditor”) to conduct its audit rights under this Section 7. Customer will document the resulting audit findings and provide Nelio an opportunity to document any inconsistencies. Customers may submit their requests by contacting ato

7.2 Examination of Nelio Information. Nelio shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. This information includes the most recent reports and/or extracts (“Information”) prepared by Nelio. Information also includes information pertaining to Nelio’s evaluation of Sub-processors. The Parties acknowledge that Customer’s review of Information provided by Nelio will be used as input to the Customer’s audit requirements and reduce the need or scope of a more detailed Audit under Section 7.3 below.

7.3 Audit. If the Examination of Nelio Information set out in Section 7.2 above does not provide, in Customer’s reasonable judgment, sufficient evidence to confirm Nelio’s compliance with the terms of this DPA, then Customer may conduct a more detailed audit (“Audit”). This Audit is subject to the following conditions:

7.3.1 The Audit will be subject to the requirements set out above in Section 7.1;

7.3.2 Customer may not Audit Nelio more than once annually (unless otherwise required by government regulator or Supervisory Authority or triggered by a security breach) and the scheduling of the Audit will be mutually agreed at least sixty (60) days in advance of an Audit start date;

7.3.3 Customer will submit a detailed audit plan (“Audit Plan”) at least 10 business days in advance and be mutually agreed by the Parties at least 5 business days in advance of the scheduled Audit date – any delay may require a re-scheduling of the Audit;

7.3.4 the Audit will be conducted during regular business hours and without interrupting Nelio’s business operations; Customer’s Audit expenses will be at Customer’s sole cost; and

7.3.5 if Customer’s current total yearly spend with Nelio is less than €30,000 euros per year, the Audit will be subject to prior agreement between the parties to cover Nelio’s costs for preparation and participation in the Audit on a professional services basis.

7.4 None of the conditions for the Audit in Section 7.3 limit any audit rights set out in Article 28 of GDPR.

8. Sub-processing

8.1 Authorized Sub-processors and Notification of New Sub-processor. Customer agrees that Nelio may engage third-party Sub-processors in connection with the provision of the Services. Nelio shall notify Customer if it adds or removes Sub-processors at least 10 days prior to any such changes if Customer opts in to receive such notifications by requesting them at

8.2 Sub-processor obligations. Nelio shall: (i) enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Customer Data as those in this DPA, to the extent applicable to the nature of the service provided by such Sub-processor; and (ii) remain responsible for such Sub-processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-processor that cause Nelio to breach any of its obligations under this DPA. Customer acknowledges and agrees that, where applicable, Nelio fulfills its obligations under Clause 9 of the 2021 Controller-to-Processor Clauses and 2021 Processor-to-Processor Clauses (as applicable) by complying with this Section 9 and that Nelio may be prevented from disclosing Sub-processor agreements to Customer due to confidentiality restrictions but Nelio shall, upon request, use reasonable efforts to provide Customer with all relevant information it reasonably can in connection with Subprocessor agreements.

8.3 List of Current Sub-processors. The Sub-processors currently engaged by Nelio are published (and us update from time to time) in Annex III of the DPA (also accessible via

8.4. Objection Right for New Sub-processors. Customer may object in writing to Nelio’s appointment of a new Sub-processor within five (5) calendar days of receiving notice in accordance with Section 8.1 of the DPA, provided that such objection is based on reasonable grounds relating to data protection. In such an event, the parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Nelio will, at its sole discretion, either not appoint such Sub-processor, or permit Customer to suspend or terminate the affected Service in accordance with the termination provisions in the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).

9. International Transfers

9.1 SCCs. The Parties agree that the terms of the SCCs, as set out in Annex IV of this DPA, are hereby incorporated and apply to any transfers of Personal Data to a Third Country, either directly or via onward transfer, not otherwise covered by a suitable framework recognized under Applicable Data Protection Law as providing an adequate level of protection for Personal Data, including binding corporate rules for Processors.

10. Duties to Inform, Mandatory Written Form, Choice of Law, Additional terms

10.1 Search. Where Customer’s Personal Data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while being processed, Nelio shall inform Customer without undue delay unless legally prohibited. Nelio shall, without undue delay, notify to all pertinent parties in such action, that any Personal Data affected thereby is in Customer’s sole property and area of responsibility, that Personal Data is at Controller’s sole disposition, and that Controller is the responsible body in the sense of Applicable Data Protection Laws.

10.2 DPA Updates. When Customer renews or purchases a new subscription to a Service, the then-current DPA will apply. Where updates to this DPA (including the TOMs) are required or are appropriate as a result of any changes to the requirements of Applicable Data Protection Laws, Nelio shall be entitled to amend this DPA upon giving Customer at least ninety (90) days’ prior written notice. Such amendments may include, for example, the introduction of replacement or additional SCCs in the form of any standard data protection clauses adopted under GDPR Art 46 from time to time.

Notwithstanding the foregoing limits on updates, when Nelio introduces features, addons or related software that are new (i.e., that were not previously included with the Services), Nelio may provide terms or make updates to the DPA that apply to Customer’s use of those new features, or addons or related software. If Customer does not install or use the new features, offerings, supplements, or related software, the corresponding new terms will not apply.

10.3 Invalidities. Where individual regulations of this DPA are invalid or unenforceable, the validity and enforceability of the other regulations of this DPA shall not be affected.

10.4 Additional GDPR Specific Provisions:

10.4.1 GDPR. Nelio will process Personal Data in accordance with the GDPR requirements directly applicable to Nelio’s provision of its Service.

10.4.2 Data Protection Transfer Impact Assessment. Upon Customer’s reasonable request, Nelio shall provide Customer with commercially reasonable assistance to assist Customer in its obligation under Applicable Data Protection Laws to carry out a data protection transfer impact assessment related to Customer’s use of the Service – (“DPTIA”). Nelio’s obligation to assist is subject to Customer not otherwise having access to the relevant information, and to the extent such information is available to Nelio. Nelio shall also provide commercially reasonable assistance to Customer in its cooperation or any consultation with the applicable Supervisory Authority in respect to its assistance to Customer in its DPTIA to the extent required under Applicable Data Protection Laws.

ANNEX follow:

If your company requires this DPA signed by Nelio or have any questions, please email us.

Pages: 1 2 3 4 5 6