Data Processing Addendum


This Data Processing Addendum (“DPA”) forms part of the Agreement between:

Client (“Customer,” “you,” “Data Controller”), and

Netraon Ltd, a Mauritian company (“Netraon,” “Processor,” “we,” or “us”).

1. Definitions

Capitalized terms not defined herein shall have the meanings assigned to them in:

• the Agreement,

• Applicable Data Protection Laws, or

• the EU Standard Contractual Clauses (if applicable).

“Applicable Data Protection Laws” means all data protection and privacy laws and regulations applicable to the parties’ processing of Personal Data, including the GDPR, UK GDPR, CCPA, and any local equivalents.

“Personal Data” means any data relating to an identified or identifiable natural person.

“Processing”, “Controller”, “Processor”, “Data Subject”, “Sub-Processor”, and “Personal Data Breach” have the meanings defined in the GDPR.

“Shared Personal Data” means Personal Data exchanged under a controller-to-controller model, where each party processes data independently in accordance with their respective privacy obligations.

2. Roles and Scope

2.1. Data Controller/Processor Model

Where Netraon acts on your behalf to provide access to our Services or process data under your instruction, Netraon is your Processor and you are the Controller.

2.2. Controller-Controller Model

Where the exchange of data is part of a collaborative commercial relationship (e.g. co-branded research, user feedback, client business contacts), both parties may act as independent Controllers, not joint Controllers.

3. Legal Compliance

Each party agrees to:

• Comply with all applicable privacy laws and regulations.

• Have a valid legal basis for any Personal Data it processes or shares.

• Maintain accurate records of processing activities as required.

• Notify the other party of any material non-compliance with data laws.

4. Processor Obligations (Where Netraon Acts as Processor)

Netraon will:

4.1. Process Personal Data only in accordance with Customer’s written instructions, except where required by law. Instructions may be provided via written agreement, customer support ticket, email, or the customer account dashboard unless otherwise agreed.

4.2. Implement appropriate technical and organizational security measures to protect Personal Data.

4.3. Ensure personnel authorized to process data are under confidentiality obligations.

4.4. Assist the Customer with:

• Data Subject rights requests,

• Personal Data Breach notifications,

• Data Protection Impact Assessments (DPIAs),

• Consultations with regulators.

4.5. Notify Customer without undue delay (and no later than 72 hours) after becoming aware of a Personal Data Breach.

4.6. Delete or return all Personal Data at the end of service provision unless retention is legally required.

4.7. Provide information necessary to demonstrate compliance and allow for audits (subject to confidentiality and reasonable scheduling).

5. Sub-Processors

Netraon may engage Sub-Processors for data processing. We will:

• Maintain an updated list (provided upon request),

• Impose data protection obligations equivalent to this DPA,

• Remain liable for all Sub-Processor acts and omissions.

Customers may object to a new Sub-Processor on reasonable data protection grounds.

6. Security Measures

Each party will:

• Maintain appropriate technical and organizational measures, including encryption, access controls, monitoring, and incident response capabilities.

• Make information on its security practices available upon request.

• Cooperate on breach notifications regardless of liability.

See Appendix 2: Security Statement for full detail.

7. Cross-Border Data Transfers

Netraon may transfer Personal Data outside your jurisdiction. When doing so, we ensure lawful safeguards, including:

• Adequacy decisions by the EU/UK,

• Standard Contractual Clauses (SCCs) as applicable,

• Additional technical protections (e.g. encryption at rest, pseudonymization),

• Execution of appropriate SCC modules or use of relevant annexes.

See Appendix 1: SCC Transfer Clauses for more.

8. Confidentiality

Each party shall ensure personnel or agents processing Shared or Processed Personal Data are under enforceable confidentiality obligations.

9. Data Subject Rights

Each party agrees to:

• Respect the rights of Data Subjects, including rights of access, rectification, deletion, objection, restriction, and data portability.

• Cooperate with the other party in responding to such requests in a timely and lawful manner.

10. Termination and Data Deletion

Upon termination of the Agreement:

• Netraon will delete or return Personal Data unless otherwise required by law,

• All copies (including backups) will be securely removed within a reasonable time.

11. Liability and Indemnity

Each party agrees to:

• Be liable for its own breaches of Applicable Data Protection Laws,

• Indemnify the other party against losses arising from such breaches, including reasonable legal fees, regulatory penalties, and associated costs,

• Provide timely notice and cooperation in the event of third-party claims.

12. General Provisions

• In case of conflict between this DPA and the Agreement, this DPA prevails.

• This DPA will survive the termination of the Agreement as long as data remains in either party’s possession.

• Parties agree to cooperate in good faith if applicable laws or transfer mechanisms change.

Appendix 1: Standard Contractual Clauses (International Transfers)

If data is transferred outside the EEA/UK to jurisdictions lacking adequacy decisions, the parties agree that:

• The applicable Standard Contractual Clauses (SCCs) shall apply,

• SCCs will be executed or referenced as legally binding,

• Netraon and Customer will adopt “MODULE ONE” (Controller-to-Controller) and/or “MODULE TWO” (Controller-to-Processor) as relevant,

• No modifications may be made to the official SCC text.

The Customer authorizes Netraon to execute these clauses with Sub-Processors under appropriate conditions and safeguard requirements.

Appendix 2: Security Statement

Netraon’s security program includes:

• Data encryption (in transit and at rest)

• Logical access control and authentication

• 24/7 monitoring, anomaly detection, and rate limiting

• Endpoint security, internal audits, and logging

• Business continuity and disaster recovery plans

• Staff training in privacy and data protection

More information is available upon request.

Appendix 3: Processing Details

Category | Description
Data Subjects | Client personnel, authorized users, subscribers, respondents
Types of Data | Name, email, job title, login, preferences, IP, device/browser, analytics, feedback
Purpose of Processing | Deliver insights, support users, improve Services, detect abuse
Duration | Term of Agreement + required retention period
Location of Processing | Mauritius, EU, US (with safeguards)
Sub-Processors | AWS, Stripe/Paddle, Google, Mailchimp, Brevo, Notion, HubSpot, etc.

If you have any questions or concerns regarding this DPA, please contact us at: dataprotection@netraon.com

Last updated July 2025.