This is an old version of the document, which expired on April 1, 2025. The current version is available at: https://docs.tokenfactory.nebius.com/legal/dpa.

By Nebius B.V. (“Nebius” or “the Processor”), having its legal seat in The Netherlands, at Gustav Mahlerlaan 300, 1082 MA, in Amsterdam, and the Controller, (“Controller”), in connection with Processor’s provision of services to the Controller, pursuant to the applicable service agreement between the parties. Both parties shall be referred to as the “Parties” and each, a “Party”.

In consideration of the mutual obligations set out herein, the Parties hereby agree that conditions set out below shall be added as an Addendum integral to the agreement established between the Parties and set out on https://docs.nebius.com/legal/studio/terms-of-use/ and accepted by Controller. In the event of any conflict between certain provisions of this DPA and the provisions of the Terms of Services the provisions of this DPA shall prevail solely with respect to the Processing of Personal Data.

1. Definitions

1.1. The Terms used in this Addendum have the same meaning as those used in the Terms of Services, unless explicitly provided otherwise in this Addendum. If there are any conflicts or inconsistencies between this Addendum and the Terms of Services, the provisions of this Addendum prevail. Capitalized terms not defined herein shall have the meaning assigned to such terms in the Terms of Services.

1.2. The terms, “Controller”, “Member State”, “Processor”, “Processing” and “Supervisory Authority”, “Data Subject”, “Personal Data”, “Personal Information”, “Sub-Processor”, “Personal Data Breach”, “Supervisory Authority”, shall have the same meaning as in the GDPR. The terms “Business”, “Business Purpose”, “Consumer” shall have the same meaning as in the CCPA.

1.3. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

1.4. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq., as may be amended from time to time, including the California Privacy Rights Act.

1.5. “UK GDPR” means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).

1.6. “FADP” means the Swiss Federal Act on Data Protection of 19 June 1992, and as revised as of 25 September 2020, the “Revised FADP”.

1.7. “Services” means the services provided to the Controller by Nebius in accordance with the Terms of Services.

1.8. “Security Documentation” means the Security Documentation applicable to the Services purchased by the Controller as made available by Nebius.

1.9. “Standard Contractual Clauses” shall mean the standard contractual clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

2. Controller’s Obligations

2.1. Compliance with Laws. Controller is responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Personal Data and the Instructions issued to Nebius. Controller will moreover inform Nebius without undue delay if it is not able to comply with its responsibilities under applicable Data Protection Laws.

2.2. Security. Controller is responsible for a secure use of the Services offered by Nebius and it is responsible for independently determining whether the data security provided for adequately meets the obligations under applicable Data Protection Laws.

3. Nebius’s Obligations

3.1. Compliance with Instructions. Nebius only processes Personal Data for the purposes described in this DPA in the framework of the applicable Terms of Services or as otherwise agreed within the scope of the lawful Instructions received from Controller, except where and limited to the extent otherwise required by applicable law.

3.2. Conflict of Laws. Nebius will notify the Controller after it becomes aware of the impossibility to process Personal Data in accordance with the instructions received by the Controller due to a legal requirement under any applicable law. If such a situation occurs, Nebius will not be liable to Controller for any non-compliance until Controller issues new lawful Instructions.

3.3. Security. Nebius implements and duly maintains appropriate technical and organizational measures to protect Personal Data. An overview of the applicable security measures can be requested.

3.4. Confidentiality. Nebius ensures that all employees authorized to process Personal Data on our behalf are subject to appropriate confidentiality obligations with respect to that Personal Data.

3.5. (Personal) Data Breaches and cooperation with Controller. Nebius will notify the Controller without undue delay after it becomes aware of any Personal Data Breach and will provide the necessary information and necessary support to the Controller.

3.6. Deletion or Return of Personal Data. Nebius will delete or return, at the choice of the Controller, the Personal Data processed on behalf of the Controller, on termination or expiration of the Services. As a sole exception Nebius will retain (part of) the Personal Data in case and within the limit such is required by applicable law.

3.7. Data Subject Requests. When a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is received directly by Nebius, it will promptly redirect the request to the Controller. The Controller will be solely responsible for addressing and responding to any such Data Subject Requests.

3.8. Controls and reports. Upon the Controller’s request, Nebius shall assist Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR. Also, upon written request made by Controller and limited to once a year, Nebius will provide Controller with a report demonstrating Nebius’s compliance with its obligations under this DPA and Applicable Law.

3.9. Audits. Nebius will allow an independent and suitably qualified auditor appointed by the Controller to conduct inspections to verify Nebius’s compliance with its obligations under this Addendum, provided a minimum of 30 days’ notice and not more than once per calendar year.

3.10. Costs. All additional cost and expenses incurred by Nebius in the performance of the obligations stated under 3.8 and 3.9 may be charged to the Controller.

4. Sub-Processors

4.1. Engaging. When engaging Sub-Processors, Nebius will impose terms on these Sub-Processors providing at least the equivalent level of protection for Personal Data as those in this document, to the extent applicable to the nature of the services provided by such Sub-Processors.

4.2. List. Controller hereby agrees Nebius may engage Sub-Processors to Process Personal Data on its behalf. A list of the current Sub-Processors is to be found in ANNEX 1.

4.3. Changes. Any change of Sub-Processors will be notified to the Controller at least 15 days prior to any such change. Controller will be given the opportunity to object to the engagement of new Sub-Processors on reasonable grounds relating to the protection of Personal Data. If, within this period, Controller notifies Provider in writing that Controller objects to Provider’s appointment of such new Sub-Processor based on reasonable data protection concerns, the parties will discuss such concerns in good faith. If no such solution can be reached, Controller will be allowed to terminate the Service without prejudice to any fees incurred by Controller prior to suspension or termination, but without liability to either party.

5. Cross-border data transfers and processing location

5.1. Nebius processes Controllers’ personal data within the region according to the choice of the Customer.

5.2. Transfers from the EEA, the United Kingdom and Switzerland to countries that offer an adequate level of data protection. Personal Data may be transferred from EU and EEA Member States, the United Kingdom (“UK”) and Switzerland to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, the UK, and/or Switzerland (“Adequacy Decisions”), as applicable, without any further safeguard being necessary.

Standard Contractual Clauses. The Standard Contractual Clauses are incorporated by reference and form part of this Agreement and added as Annex 2.

6. General Provisions

6.1 Severability. If any individual provision of this DPA is invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.

6.2 Limitation of Liability. Each party and each of their Affiliates’ liability, arising out of or related to this DPA will be subject to the limitations and exclusions of liability set out in the Terms of Services.

6.4 Governing Law. This DPA will be governed by and construed in accordance with Dutch Law.

ANNEX 1 - Details of the Processing

Nature and Purpose of Processing
  1. Providing the Services to Controller;
  2. Performing the Services under the Terms of Services, and this DPA;
  3. Acting upon Controller’s written instructions in accordance with the Terms of Services;
  4. Complying with applicable laws and regulations.

Duration of Processing

Processor will Process Personal Data pursuant to the DPA and Terms of Services for the duration of the Service, and will keep it 30 days after, unless otherwise agreed upon in writing.

Type of Personal Data processed

Names and contact details, work position, company and technical identifiers.

Categories of Data Subjects

Controller’s employees/contractors or any other data subject whose data is processed by Controller at the Controller’s discretion during the service provisioning.

Sub-Processors

Processor may engage with the following Sub-Processors to provide the Services.

| Name of Sub-Processor | Services Performed | Sub-Processor Location | DPA/SCC in place with Sub-Processor (yes or no) |
| --- | --- | --- | --- |
| Global DC Oy | Data Centre | Moreenikatu 6, 04600 Mantsala, Finland | Yes |
| ADC Tech Netherlands B.V. | Technical support and development | Schiphol Boulevard 165, 1118 BG Schiphol, the Netherlands | Yes |
| Okta, Inc. | Auth0 Identity provider service | 100 1st Street, Suite 600 San Francisco, California 94105 United States | Yes |

ANNEX 2 Standard Contractual Clauses

EEA Cross Border Transfers
  1. The Parties hereby agree to the Standard Contractual Clauses as outlined in the Annex of the European Commission Implementing Decision (EU) 2021/914 of June 4, 2021 (“SCC”).
  2. Module Four (processor to controller) of the SCC shall apply where Nebius is a processor of the Personal Data and Customer is a controller of the personal data.
  3. Module Three (processor to processor) of the SCC shall apply where Customer is a processor of the personal data and Nebius acts as a Sub-Processor.
  4. Clause 7 of the SCC (Docking Clause) shall not apply.
  5. For the purposes of Clause 9 of the SCC (concerning Module Three transfers), the Parties agree that Option 2 “General Written Authorisation” in Clause 9 of the SCC shall apply, and specify that the processor shall inform the controller in writing of any intended changes of that list through the addition or replacement of sub-processors at least thirty (30) days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The Parties also agree that the relevant agreed list of sub-processors is provided in Annex 1 to this DPA and may be amended from time to time as agreed in this clause.
  6. For the purposes of Clause 11 of the SCC, the optional language will not apply.
  7. For the purpose of Clause 17 of the SCC, option 1 shall apply, and the Parties agree that the SCC shall be governed by the laws of the Netherlands.
  8. For the purpose of Clause 18(b), disputes shall be resolved before the courts of the Netherlands.
  9. Annex I.A of the SCC shall be completed as indicated in Annex 1.
  10. Annex I.B of the Standard Contractual Clauses shall be completed as described in Annex I of this DPA.
  11. The period for which the personal data will be retained is for the duration of [the Agreement], unless agreed otherwise in [the Agreement] and/or the DPA.
  12. In relation to transfers to Sub-processors, the subject matter, nature, and duration of the processing is set forth in Annex 1 of this DPA.
  13. Annex I.C of the SCC shall be completed as follows: The competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 7 above.
  14. Annex 3 of this DPA serves as Annex II of the SCC.
  15. The Parties agree that other clauses and additional safeguards added by this DPA to the SCC do not directly or indirectly contradict the SCC or detract from the fundamental rights or freedoms of data subjects.
  16. To the extent there is any conflict between the Standard Contractual Clauses and any other terms in this DPA or the [Agreement], the provisions of the Standard Contractual Clauses will prevail.
  17. In the event of EEA Transfer or UK Transfer the Parties agree to supplement international data transfer(s) with the appropriate safeguards and representations.

ANNEX 3 Security and Organizational Measures

Description of the technical and organizational security measures (“TOMs”), implemented by the processor(s) (including any relevant certifications) to ensure an appropriate level of security, considering the nature, scope, context, and purpose of processing, as well as the risks to the rights and freedoms of individuals: The Processor and its authorized partners will maintain administrative, physical, and technical safeguards to protect the security, confidentiality, and integrity of personal data processed on behalf of the Controller as part of the provided services.
  1. Specifically, the Processor implements (among others but not exclusively) the following measures:
  2. General: Maintaining comprehensive information security programs, including the adoption and enforcement of internal policies and procedures such as asset management, access control, vulnerability and incident management, change management, and more, as further described below.
  3. Periodic reviews: Conducting periodic reviews of network security and the effectiveness of the information security program.
  4. Risk assessment and management: assessing risks related to the processing of personal data and creating the appropriate plans to mitigate such risks.
  5. Inventory: maintaining an inventory of personal data reflecting the instructions set out in the DPA.
  6. Awareness and training: Nebius employees complete annual security and privacy training.
  7. Physical security: Nebius implements the necessary and adequate physical security of its facilities, including data centers, and takes the appropriate precautions against both environmental threats and power disruptions. All access to data centers and sensitive areas is limited by job role and subject to authorization.
  8. Network security: Nebius adheres to the practice of protecting its computer networks from unauthorized access, misuse, or attacks. It involves implementing policies, software, and hardware solutions to ensure the confidentiality, integrity, and availability of data transmitted over the network.
  9. Privacy by design: Nebius incorporates Privacy by Design principles for all systems since the earliest stages of development.

Web address: https://docs.nebius.com/legal/studio/dpa

Publication date: December 20, 2024

Effective date: December 20, 2024