Data Processing Agreement

GDPR-compliant data processing terms

Last updated: January 2026

GDPR Compliant

Fully compliant with EU data protection regulations

EU Data Processing

Primary data processing within EU/EEA region

AES-256 Encryption

Enterprise-grade encryption at rest and in transit

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

- **Data Controller**: Your organization ("Customer")
- **Data Processor**: NIS2 Platform operated by Kyberbezpecnost.cloud s.r.o. ("Processor")

This DPA supplements the Terms of Service and governs the processing of personal data.

2. Definitions

- **Personal Data**: Any information relating to an identified or identifiable natural person.
- **Processing**: Any operation performed on personal data.
- **Sub-processor**: A third party engaged by the Processor to process personal data.
- **Data Subject**: An individual whose personal data is processed.

3. Scope of Processing

The Processor processes personal data on behalf of the Controller for the purpose of providing the NIS2 compliance platform services, including:

- User account management
- Compliance assessment and tracking
- Document generation
- AI-powered analysis (with consent)
- Integration with third-party systems

4. Processor Obligations

The Processor shall:

- Process data only on documented instructions from the Controller
- Ensure personnel are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Assist the Controller with data subject requests
- Delete or return all personal data upon termination
- Make available information necessary to demonstrate compliance

5. Sub-processors

The Controller authorizes the Processor to engage sub-processors listed on our Sub-processors page. The Processor will notify the Controller of any intended changes to sub-processors, allowing time to object.

6. Security Measures

The Processor implements:

- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Access controls and authentication
- Regular security assessments
- Incident response procedures
- Business continuity measures

7. Data Breach Notification

The Processor will notify the Controller without undue delay (within 72 hours) after becoming aware of a personal data breach, providing:

- Nature of the breach
- Categories and approximate number of data subjects affected
- Likely consequences
- Measures taken to address the breach

8. International Transfers

Personal data is primarily processed within the EU/EEA. For any transfers outside the EU/EEA, appropriate safeguards are implemented (Standard Contractual Clauses, adequacy decisions).

9. Duration and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination, the Processor will delete all personal data within 30 days, unless retention is required by law.

10. Contact

For questions regarding this DPA or to exercise data protection rights:

Data Protection Officer
Email: dpo@kyberbezpecnost.cloud
Address: Prazakova 1008/69, 639 00 Brno, Czech Republic