Data Processing Agreement

Last Update: October 9, 2023.

This Data Processing Agreement (“DPA“) is the basis of the relationship between you, the Client, as the data controller and Nelio, the Service provider, as the data processor under data protection legislation, more specifically, the General Data Protection Regulation (“GDPR”).

This is an important agreement that forms the contractual basis for us to process data on your behalf. It explains how your data may be processed and its purpose. We process your personal data only as required and according to your instructions, as described in this agreement.

To ensure that accepting the new T&C, in compliance with the GDPR, takes as little time as possible, your company details are automatically populated in your account when you accept the Terms and Conditions and Privacy Policy, including this DPA.

This DPA assures you that we, as your data processors, comply with the requirements stipulated in the GDPR. In addition, you can be assured that we maintain the necessary agreements with third parties. Your data will always represent the most up-to-date information you have provided to us. The DPA is detailed below for your information.


Customer Name (the “Client“) [This information will be automatically populated once you have completed contracted a Nelio Service] effective as of the date of contracting. This DPA is incorporated into and forms part of the T&C.


Nelio Software, S.L, a company with Tax ID ESB66034794 and registered office at Pomaret 83, 08017 Barcelona, Spain, incorporated under the laws of Barcelona, Spain (“Nelio“).

Each of them is a “part” and together they are the “parts“.

HAVE AGREED to the terms of this DPA on personal data protection with respect to the processing of personal data. Nelio acts as Processor and will provide certain Services (detailed in the T&C) to the Client acting as Data Controller. The parties have agreed that, in order for Nelio to provide such Services, it will be necessary for Nelio to process certain Personal Data of the Client on behalf of the Client in accordance with the T&Cs. Each party agrees and shall ensure that the terms of this agreement shall also be fully applicable to its affiliates, which may be involved in Personal Data processing operations. Specifically, Nelio will ensure that all Subcontractors operate within the same terms as this DPA when processing the Client’s personal data. Both parties confirm their authority to sign the DPA by doing so.

1. Definitions

GDPR” means Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

Services” refers to WordPress products, including the Nelio A/B Testing, Nelio Content and Nelio Unlocker Importer plugins, the Nelio Unlocker platform and any related information or support we provide to bloggers and businesses to improve their website and better promote their content.

Premium Services” refers to Services that are offered for a fee.

The definitions of the terms “Personal Data“, “Controller” and “Processor“, “Security Breach” are determined by the relevant data protection laws, including the EU General Data Protection Regulation 2016/679 of 27 April 2016 (hereinafter “GDPR”).

Subcontractors” means any external service provider engaged by Nelio to assist in fulfilling its obligations with respect to the provision of the Service in accordance with the T&Cs or this DPA. A list of Nelio’s external service providers can be found at Nelio’s Third Party Service Providers.

Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.

EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.

Data Transfer” means:

  • a transfer of Client Personal Data from the Client to a Contracted Processor;
  • an onward transfer of Client Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws).

2. Responsibilities of the Data Processor

The Client instructs the Processor, Nelio, to process his Personal Data in the following manner:

  1. in accordance with all national and European laws;
  2. comply with its obligations under the terms of service application;
  3. as instructed by the data controller;
  4. as described in this DPA.

As a party providing the Service, Nelio is required to always provide the Client with the right solutions to accompany the continuous development of its business through the use of the Service. Nelio may track how the Client uses the Service in order to make the best suggestions, provide relevant services at all times, and commit to sending the most accurate communications in order to achieve ease of use and customer satisfaction. To the extent that the processing of personal data from the application is part of this, it is processed only in accordance with this DPA and applicable law and shared only as necessary to provide a better customer experience.

Taking into account the technology available and the cost of implementation, as well as the scope, context and purpose of the processing, Nelio is required to take all reasonable steps, including technical and organizational measures, to ensure a sufficient level of security in relation to the risk and the category of personal data to be protected. Nelio shall assist the Client with appropriate technical and organizational measures as necessary and taking into account the nature of the processing and the category of information available to Nelio to ensure compliance with the Controller’s obligations under the applicable Data Protection Laws.

Nelio shall notify the Client without undue delay if it becomes aware of a Security Breach. In addition, Nelio shall, to the extent possible and lawful, inform the Client if a request for data (data access request) is raised by the agencies required to provide it. Nelio will respond to such requests once the Client authorizes it to do so. Nelio will also not disclose information about this DPA unless Nelio is required by law to do so, such as by court order.

3. Responsibilities of the Data Controller

The Data Controller, the Client, confirms by signing this DPA, that, by contracting the Premium Services, Nelio may freely process his data in accordance with all legal data protection requirements, including the GDPR. The Customer explicitly consents to the processing of his/her personal data at all times when using a particular Service.

The Client may revoke this consent at any time, but doing so terminates the DPA in force and the Nelio will no longer be able to provide the Service.

The Client has a lawful basis for processing Personal Data with Nelio (including Subcontractors) with the use of the Services.

The Client is at all times responsible for the accuracy, completeness, content and reliability of the Personal Data processed by Nelio. Both have complied with all mandatory requirements in relation to notifying or obtaining permission from the relevant public authorities with respect to the processing of Personal Data. In addition, both have complied with their disclosure obligations with the relevant authorities with respect to the processing of Personal Data in accordance with EU Data Protection Laws.

4. Agreement for Data Transfer and Use of Subcontractors

To provide the Service to the Customer, Nelio uses Subcontractors. These Subcontractors may be external suppliers both within and outside the EU/EEA. Nelio ensures that all Subcontractors comply with the obligations and requirements of this DPA and has signed a Data Processing Agreement with each of them that complies with the requirements of the current legal framework of the EU Data Protection Laws.

Nelio may modify its external suppliers but undertakes to keep the list of external suppliers updated on Nelio’s website and to only enter into agreements with suppliers that comply with the obligations and requirements of this DPA.

If the Client objects to the use of the Subcontractor, it can terminate its subscription to the service, without the usual required notice period, and then ensure that the unwanted Subcontractor does not process its Personal Data.

5. Duration and Termination of the DPA

The DPA remains valid as long as Nelio processes Personal Data with the Client’s use of the Services and unless superseded by another signed DPA that communicates its primacy over this Agreement.
The DPA remains valid as long as Nelio processes personal data with the Customer’s use of the Services and unless superseded by another signed DPA that communicates its primacy over this DPA.

Upon termination of any Service, when the DPA terminates, Nelio will delete all Personal Data, except for that which it is required to retain under applicable legal requirements and in which case it will be stored in accordance with technical and organizational safeguards within Nelio.

When the Agreement terminates, Nelio will delete all Personal Data, except for that which it is required to retain under applicable legal requirements and in which case it will be stored in accordance with technical and organizational safeguards within Nelio.

The Client has full ability to retrieve all of its Personal Data from the use of a given Service. If the Client requests assistance for data recovery, the associated costs will be determined by mutual agreement between the parties and will be based on the complexity of the requested process and the time to fulfill it in the chosen format.

6. Changes in the DPA

Changes to the DPA should be attached as a separate annex to the DPA. If any of the provisions of the DPA are deemed invalid, this does not affect the remaining provisions. The parties shall replace the invalid provisions with a legal provision that reflects the intent of the invalid provision.

7. Audit Rights

Subject to this section 5, the Processor shall make available to the Client on request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by the Client or an auditor mandated by the Client in relation to the Processing of the Client Personal Data by the Subcontractors.

Information and audit rights of the Client only arise under section 7 to the extent that the DPA does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.

8. General Terms

Each Party must keep this DPA and information it receives about the other Party and its business in connection with this DPA (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:

  • (a) disclosure is required by law
  • (b) the relevant information is already in the public domain.

All notices and communications given under this DPA must be in writing and will be sent by email. The Client shall be notified by email sent to the address related to its use of the Service under the T&C. Nelio shall be notified by email sent to the address:

9. Governing Law and Jurisdiction

This DPA is governed by Spanish Law.

Any dispute between Nelio and the Client arising from the interpretation or performance of this DPA will be subject to the jurisdiction of the Courts and Tribunals of the City of Barcelona (Spain).

If your company requires this DPA signed by Nelio or have any questions, please email us.