Data Processing Agreement (Auftragsverarbeitungsvertrag)
1. Scope and Purpose
This DPA applies to the processing of personal data by NETCUBE Inc. (hereinafter "Processor") on behalf of our customers (hereinafter "Controller") through the npass.io service. This DPA is concluded pursuant to GDPR Article 28 and complements our Terms of Service.
By using npass.io and accepting our Terms of Service, you agree to the processing of personal data as described in this DPA.
2. Subject Matter and Duration
Subject Matter: Processing of personal data including user identities, device information, authentication logs, network access requests, and audit trail data.
Duration: This DPA is effective as of the date you accept the Terms of Service and continues for the duration of the contract. Upon termination, personal data is returned or deleted according to Section 9 of this DPA.
3. Type of Personal Data and Data Subjects
Categories of Personal Data:
- Identification data (name, email, username)
- Device information (device ID, MAC address, device name, OS type)
- Network data (IP addresses, network access logs)
- Authentication data (login timestamps, session information)
- Usage data (API calls, feature usage, configuration changes)
- Audit trail data (security events, policy violations)
- Optional: Company information, phone numbers, billing addresses
Categories of Data Subjects:
- End-users of the Controller's organization
- Device users and administrators
- Employees and contractors of the Controller
- Network administrators and IT personnel
4. Obligations of the Processor
4.1 Processing Instructions
NETCUBE Inc. processes personal data only on documented instructions from the Controller. The Controller authorizes processing for the purposes of providing the npass.io service as described in the Terms of Service.
4.2 Confidentiality
All persons authorized to process personal data (employees, contractors, sub-processors) are committed to confidentiality, whether this commitment is contractual or statutory.
4.3 Security Measures
NETCUBE Inc. implements appropriate technical and organizational measures (TOM) to ensure security and protection against unauthorized processing. See Section 6 for details.
4.4 Sub-processors
The Processor engages sub-processors for the processing of personal data; they are listed in Section 5. The Controller is notified of changes to sub-processors 30 days in advance and may object to new sub-processors.
5. Sub-processors and Locations
NETCUBE Inc. engages the following sub-processors to assist in data processing:
| Sub-processor | Purpose | Location | DPA Status |
|---|---|---|---|
| Amazon Web Services (AWS) | Infrastructure hosting, data storage, and compute services | Frankfurt, Germany (eu-central-1) | Data Processing Addendum in place |
| Paddle | Payment processing and billing (not personal data processing) | London, UK / Amsterdam, NL | Standard Contractual Clauses |
| Google Cloud (optional) | Identity Provider federation relay (if SSO enabled) | European Union | Standard Contractual Clauses |
5.1 Sub-processor Changes
NETCUBE Inc. will notify the Controller of any changes to sub-processors (additions, replacements, or removals) at least 30 days in advance. If the Controller objects to a new sub-processor on grounds of data protection, NETCUBE Inc. will work with the Controller to resolve the matter or suspend the new sub-processor.
6. Technical and Organizational Measures (TOM)
NETCUBE Inc. implements the following technical and organizational measures to protect personal data:
Technical Measures:
- Encryption at Rest: AES-256 encryption for stored data
- Encryption in Transit: TLS 1.3 for all data transmissions
- Network Security: Firewalls, DDoS protection, intrusion detection
- Access Control: Role-based access control (RBAC) and multi-factor authentication (MFA)
- Data Isolation: Per-tenant data isolation at the application and database level
- Backup and Recovery: Automated daily backups with geographic redundancy
- Logging: Comprehensive audit logging of all data access and modifications
Organizational Measures:
- Employee data protection training and NDAs
- Access control policies and least-privilege principles
- Background checks for employees with data access
- Incident response and business continuity plans
- Regular security assessments and penetration testing
- Compliance monitoring and audit procedures
7. Data Subject Rights
NETCUBE Inc. will support the Controller in fulfilling data subject requests for:
- Right of access (Article 15 GDPR)
- Right to rectification (Article 16 GDPR)
- Right to erasure (Article 17 GDPR)
- Right to restrict processing (Article 18 GDPR)
- Right to data portability (Article 20 GDPR)
- Right to object (Article 21 GDPR)
Data subject requests should be submitted to the Controller. The Controller will forward requests to NETCUBE Inc. as needed. NETCUBE Inc. will respond within 30 days of receipt.
8. Data Breach Notification
In the event of a personal data breach, NETCUBE Inc. will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include:
- Nature of the personal data breach
- Categories and approximate number of data subjects affected
- Likely consequences of the breach
- Measures taken or proposed to remedy the breach
- Contact point for further information
NETCUBE Inc. will provide reasonable assistance to the Controller in preparing breach notifications to supervisory authorities and affected data subjects.
9. Return or Deletion of Data
Upon termination of the contract, NETCUBE Inc. will, at the Controller's choice, return or securely delete all personal data processed under this DPA, unless applicable law requires storage. The deletion will be certified in writing.
The Controller may request deletion within 30 days of termination. Data not claimed will be securely deleted after 90 days.
10. Audit Rights
The Controller has the right to audit NETCUBE Inc.'s processing of personal data, including:
- Reviewing technical and organizational measures
- Inspecting processing records and documentation
- Conducting audits with reasonable notice (30 days)
- Engaging independent auditors (under confidentiality agreements)
NETCUBE Inc. will cooperate with audits and provide evidence of compliance. Audits must not unreasonably disrupt service operations.
11. International Transfers
All data is processed within the European Economic Area (EEA), primarily in Frankfurt, Germany. NETCUBE Inc. does not transfer personal data outside the EEA unless:
- The Controller provides explicit written consent
- Appropriate safeguards are in place (Standard Contractual Clauses, Binding Corporate Rules)
- The transfer is otherwise permitted under GDPR
12. Full DPA
This page provides a summary of key DPA provisions. A comprehensive Data Processing Agreement with additional clauses, schedules, and appendices is available upon request. To request the full DPA, please contact:
Email: datenschutz@netcube.com
Phone: +49 30 408174005
13. Changes to This DPA
NETCUBE Inc. may update this DPA to reflect changes in data processing, security measures, or legal requirements. Material changes will be communicated to the Controller 30 days in advance. Continued use of npass.io constitutes acceptance of updated DPA terms.
14. Governing Law
This DPA is governed by the laws of Germany and the EU General Data Protection Regulation (GDPR). Any disputes will be subject to the jurisdiction of German courts.