1. Parties and nature of the agreement
This data processing agreement (the “Agreement”) is concluded between a customer of the Nextriv service — the data controller within the meaning of Art. 4(7) GDPR (the “Controller”) — and Thermonext Michał Sendrowski with its registered office at ul. Olszowa 8B, 18-400 Konarzyce, Poland, tax ID (NIP) 7182165488, acting as a processor within the meaning of Art. 4(8) GDPR (the “Processor”).
The Agreement constitutes a processing agreement under Art. 28(3) GDPR and is concluded as part of the agreement for the provision of the Nextriv service (the “Main Agreement”). In case of conflict regarding personal data protection, this Agreement prevails.
2. Subject matter and duration of processing
The Controller entrusts the Processor with the processing of personal data to the extent necessary to provide the Nextriv service — a cloud-based environmental monitoring system (collection of measurement data, alerts and notifications, reports, management of user accounts within the Controller's organisation).
The processing lasts for the term of the Main Agreement. Termination of the Main Agreement ends the processing, subject to the obligations described in section 6 (deletion or return of data).
3. Nature and purpose of processing
Nature of processing: automated operations performed within the service infrastructure, in particular collection, recording, storage, organisation, consultation, use for generating notifications and reports, disclosure to users authorised by the Controller, and erasure.
Purpose of processing: provision of the Nextriv service in accordance with the Main Agreement and the Controller's documented instructions. The Processor does not process the entrusted data for its own purposes.
4. Categories of data and data subjects
The processing covers the following categories of ordinary data:
- identification and contact data of account users within the Controller's organisation: name, business e-mail address, optionally phone number (SMS notifications), system role;
- data of external contacts designated by the Controller as notification recipients: name, e-mail address, phone number;
- user activity data within the service: event logs, audit trail entries, session metadata (e.g. IP address);
- content entered by users (e.g. location names, notes, alarm comments) — to the extent it contains personal data.
5. Data subjects and prohibition of special categories
Data subjects include in particular: the Controller's employees and contractors using the service, and persons designated by the Controller as notification recipients.
The service is not intended for processing special categories of data (Art. 9 GDPR) or data relating to criminal convictions (Art. 10 GDPR). The Controller undertakes not to enter such data into the service.
6. Obligations of the Processor
The Processor undertakes to:
- process data only on the Controller's documented instructions (deemed to include the Main Agreement and the service configuration made by the Controller), unless processing is required by Union or Member State law;
- ensure that persons authorised to process the data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- implement the technical and organisational measures required by Art. 32 GDPR — including encrypted transmission (TLS), data isolation between organisations (Row-Level Security), role-based access control, two-factor authentication and security event logging;
- assist the Controller, insofar as possible and taking into account the nature of processing, in responding to data subject requests (Art. 12–22 GDPR) and in complying with the obligations under Art. 32–36 GDPR;
- notify the Controller without undue delay after becoming aware of a personal data breach concerning the entrusted data, providing the information necessary to assess the breach and to notify the supervisory authority where required;
- after the end of the provision of services — at the Controller's choice — delete the entrusted data or enable their return (export in open formats), and then delete existing copies, unless Union or Member State law requires their storage;
- make available to the Controller the information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR.
7. Sub-processing (sub-processors)
The Controller gives general authorisation for the Processor to engage further processors (sub-processors) to the extent necessary to provide the service — in particular cloud infrastructure and hosting providers, e-mail delivery services (Resend), an SMS gateway (SMSAPI), network and security services (Cloudflare), and Google and Microsoft tools.
The current list of sub-processors is made available to the Controller [LOCATION OF THE SUB-PROCESSOR LIST — to be completed]. The Processor informs the Controller of intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object within 14 days of notification.
The Processor imposes on each sub-processor — by way of a contract — the same data protection obligations as set out in this Agreement, and remains liable to the Controller for the performance of the sub-processors' obligations.
Where sub-processors process data outside the European Economic Area, the transfer relies on the mechanisms of Chapter V GDPR (adequacy decisions, Standard Contractual Clauses).
8. Right of audit
The Controller has the right to carry out audits or inspections of compliance with this Agreement — directly or through an authorised auditor that is not a competitor of the Processor.
An audit is announced at least 14 days in advance, conducted during business hours in a manner that does not unreasonably disrupt the Processor's operations, and no more than once a year — unless the audit follows an identified breach or a supervisory authority's request.
The Processor satisfies the right of audit primarily by providing documentation, descriptions of security measures and the results of internal audits. The parties may agree that the costs of an audit going beyond this scope are borne by the Controller.
9. Liability
Each party is liable for damage caused by its processing that infringes the GDPR or this Agreement, in accordance with Art. 82 GDPR.
The limitations of liability provided in the Main Agreement apply to this Agreement to the extent permitted by mandatory provisions of law. [FOR LEGAL REVIEW: scope and caps of liability.]
10. Final provisions
The Agreement remains in force for the term of the Main Agreement and expires with it, subject to obligations that by their nature survive its termination (confidentiality, deletion/return of data).
The Agreement is governed by Polish law. Matters not regulated herein are subject to the GDPR and national data protection provisions.
This document is a template provided for information and does not constitute an offer. The binding content of the processing agreement is established when concluding the Main Agreement; at the customer's request, the Agreement may be concluded in written or electronic form.
