1. Definitions
1.1. Terms in this DPA have the same meaning as those in the Terms of Service, unless expressly defined otherwise in this DPA. Capitalized terms not defined herein shall have the meaning assigned to them in the Terms of Service.
1.2. The terms “Controller”, “Processor”, “Processing”, “Data Subject”, “Personal Data”, “Sub-Processor”, “Personal Data Breach”, and “Supervisory Authority” shall have the meaning given to them in the GDPR. The terms “Business”, “Business Purpose”, and “Consumer” shall have the meaning given to them in the CCPA.
1.3. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.4. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq., as amended from time to time, including the California Privacy Rights Act.
1.5. “UK GDPR” means the Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
1.6. “FADP” means the Swiss Federal Act on Data Protection of 19 June 1992, as revised on 25 September 2020 (the “Revised FADP”).
1.7. “Services” means the services provided by Nebius to the Controller pursuant to the Terms of Service.
1.8. “Standard Contractual Clauses” means the standard contractual clauses set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
1.9. “Applicable Data Protection Law” means all data protection laws and regulations applicable to the Processing of Personal Data under this DPA, including, where applicable, the GDPR, CCPA, UK GDPR and FADP.
2. Roles
When Processing Personal Data in accordance with the Customer’s instructions, the Parties acknowledge and agree that the Customer acts as the Controller and Nebius as the Processor under the Terms of Service.
3. Controller’s Obligations
3.1. Compliance with Laws. The Controller shall: (a) comply with all Applicable Data Protection Law(s) in respect of its Processing of Personal Data and the Instructions it issues to Nebius. In particular, but not exclusively, the Controller acknowledges and agrees that it is solely responsible for: (i) the accuracy, quality, and legality of the data provided to the Processor; (ii) complying with all necessary requirements (e.g., transparency and lawfulness) under Applicable Data Protection Law(s) for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations; (iii) ensuring that it may legally transfer the Personal Data that the Processor will process in accordance with the Terms of Service (including this DPA); and (b) notify Nebius without undue delay if the Controller becomes unable to comply with any of its obligations under Applicable Data Protection Law(s).
3.2. Security. The Controller is responsible for: (a) using the Services in a secure manner; and (b) assessing and determining whether the security measures provided by Nebius meet the Controller’s own obligations under Applicable Data Protection Law(s).
4. Processor’s Obligations
4.1. Compliance with Instructions. Nebius shall process Personal Data only in accordance with the Controller’s documented Instructions, for the purposes set out in this DPA and the Terms of Service, except to the extent required by Applicable Data Protection Law(s).
4.2. Conflict of Laws. Nebius shall notify the Controller without undue delay if it becomes aware that applicable law prevents it from processing Personal Data in accordance with the Controller’s Instructions. In such event, Nebius shall be relieved of those Instructions until the Controller issues new lawful Instructions.
4.3. Security. Nebius implements and maintains appropriate technical and organizational measures to protect Personal Data. A summary of these measures is provided in Annex 3.
4.4. Confidentiality. Nebius ensures that all employees authorized to process Personal Data on its behalf are subject to appropriate confidentiality obligations with respect to that Personal Data.
4.5. Personal Data Breaches and Cooperation. Nebius shall notify the Controller without undue delay upon becoming aware of any Personal Data Breach and shall provide information and assistance reasonably requested by the Controller.
4.6. Deletion or Return of Personal Data. Upon termination or expiration of the Services, Nebius shall, at the Controller’s choice, delete or return all Personal Data processed on behalf of the Controller. Notwithstanding the foregoing, Nebius may retain Personal Data to the extent required by applicable law, provided that it continues to comply with this DPA in respect of such retained data.
4.7. Data Subject Requests. When Nebius receives a Data Subject Request or other inquiry related to the Processing of Personal Data under this DPA, it shall promptly redirect the request to the Controller. The Controller shall be responsible for addressing and responding to any such requests.
4.8. Controls and Reports. Upon the Controller’s request, Nebius shall provide reasonable assistance to support the Controller’s compliance with its data protection obligations (e.g., those specified in Articles 32-36 of the GDPR). Additionally, upon written request and no more than once per calendar year, Nebius shall furnish the Controller with a report summarizing its measures and activities demonstrating compliance with this DPA and applicable legal requirements.
4.9. Audits. Nebius shall, upon at least 30 days’ prior written notice, permit the Controller or its independent, qualified auditor to conduct audits once per calendar year to verify Nebius’s compliance with this DPA. Alternatively, and limited to once per calendar year, Nebius may provide the Controller with relevant compliance reports and certifications (e.g., ISO 27001) in lieu of an audit.
4.10. Costs. The Controller shall reimburse Nebius for any reasonable additional costs and expenses incurred by Nebius in performing its obligations under Sections 4.8 and 4.9 hereof.
5. Sub-Processors
5.1. Engagement. Nebius shall require each Sub-Processor to agree to contractual obligations that provide at least the same level of protection for Personal Data as set out in this DPA, insofar as relevant to the services they perform.
5.2. Approved List of Sub-Processors. The Controller acknowledges and agrees that Nebius may engage Sub-Processors to process Personal Data on its behalf. A current list of Sub-Processors is maintained here.
5.3. Changes and Objections. Nebius shall notify the Controller no later than 15 (fifteen) days before engaging any new Sub-Processor. The Controller may object in writing on reasonable data-protection grounds within that period. If the Parties cannot resolve the objection in good faith, the Controller may terminate the relevant Services without penalty but remains liable for fees accrued up to the effective date of termination.
6. Cross-border Data Transfers and Processing Location
6.1. Transfers under Adequacy Decisions. Personal Data may be transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to any jurisdiction that has been recognized as providing an adequate level of data protection by the European Commission, the UK Information Commissioner’s Office, or the Swiss Federal Data Protection and Information Commissioner (together “Adequacy Decisions”) without requiring additional safeguards.
6.2. Standard Contractual Clauses. The EU Standard Contractual Clauses are incorporated into and form part of this DPA by reference. A copy of those clauses is annexed hereto as Annex 2. The Standard Contractual Clauses are incorporated by reference and form part of this Agreement and are added as Annex 2.
7. General Provisions
7.1. Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
7.2. Limitation of Liability. Each Party’s and its Affiliates’ liability arising out of or related to this DPA shall be subject to the limitations and exclusions set forth in the Terms of Service.
7.3. Governing Law. This DPA shall be governed by and construed in accordance with the laws of the Netherlands.
ANNEX 1. Details of the Processing
1. Nature and Purpose of Processing
- Providing the Services requested by the Controller
- Registering and managing federated accounts to enable the Controller to add employees and representatives to the Services
- Performing obligations under the Terms of Service and this DPA
- Acting on the Controller’s documented instructions
- Complying with all applicable laws and regulations
- Processor shall process Personal Data for the duration of the Services and/or the term of the Terms of Service and retain it for up to thirty (30) days thereafter, unless otherwise agreed in writing.
- Any personal data included in the Controller’s datasets (Inputs and Outputs)
- Voice recordings (for Services related to speech-to-text)
- Personal data necessary for registration, authentication and use of the Services, including:
- Names and contact details (e.g. email address, telephone number)
- Job position and company affiliation
- Technical identifiers (e.g. IP addresses, device IDs, user IDs)
ANNEX 2. Standard Contractual Clauses
EEA Cross Border Transfers
- The Parties hereby agree to the Standard Contractual Clauses as outlined in the Annex of the European Commission Implementing Decision (EU) 2021/914 of June 4, 2021 (“SCC”).
- Module Four (processor to controller) of the SCC shall apply where Nebius is a processor of the Personal Data and Customer is a controller of the personal data.
- Module Three (processor to processor) of the SCC shall apply where Customer is a processor of the personal data and Nebius acts as a Sub-Processor.
- Clause 7 of the SCC (Docking Clause) shall not apply.
- For the purposes of Clause 9 of the SCC (concerning Module Three transfers), the Parties choose that Option 2 “General Written Authorisation” in Clause 9 of the SCC shall apply, and specify that the processor shall inform the controller in writing of any intended changes to that list through the addition or replacement of sub-processors at least thirty (30) days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The Parties also agree that the relevant agreed list of sub-processors is provided in Annex 1 to this DPA and may be amended from time to time as agreed in this clause.
- For the purposes of Clause 11 of the SCC, the optional language will not apply.
- For the purpose of Clause 17 of the SCC, option 1 shall apply, and the Parties agree that the SCC shall be governed by the laws of the Netherlands.
- For the purpose of Clause 18(b), disputes shall be resolved before the courts of the Netherlands.
- Annex I.A of the SCC shall be completed as indicated in Annex 1.
- Annex I.B of the Standard Contractual Clauses shall be completed as described in Annex 1 of this DPA.
- The period for which the personal data will be retained is the duration of the Terms of Service, unless agreed otherwise in the Terms of Service and/or the DPA.
- In relation to transfers to Sub-processors, the subject matter, nature, and duration of the processing is set forth in Annex 1 of this DPA.
- Annex I.C of the SCC shall be completed as follows: The competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 7 above.
- Annex 3 of this DPA serves as Annex II of the SCC.
- The Parties agree that other clauses and additional safeguards added by this DPA to the SCC do not directly or indirectly contradict the SCC or detract from the fundamental rights or freedoms of data subjects.
- To the extent there is any conflict between the Standard Contractual Clauses and any other terms in this DPA or the Terms of Service, the provisions of the Standard Contractual Clauses will prevail.
- In the event of EEA Transfer or UK Transfer the Parties agree to supplement international data transfer(s) with the appropriate safeguards and representations.
ANNEX 3. Security and Organizational Measures
A. The below provides a description of the technical and organizational measures which shall be implemented by the Processor (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. The Processor shall guarantee to have/be:
- the ability and technical capacity to ensure the ongoing security, confidentiality, integrity, availability and resilience of processing systems, networks and services. The Processor shall maintain network and physical security policies, procedures, and systems and shall perform network security activities consistent with best practices in the Processor’s industry that, at a minimum, include but are not limited to: network firewall provisioning, intrusion detection, and regular (but in no event less frequently than annually) vulnerability assessments. In no event shall the foregoing as applied to the personal data of the Controller be any less stringent and protective than those applied by the Processor to the protection of its own data and systems of a like or similar nature;
- the ability and technical capacity to restore the availability and access to the personal data in a timely manner in the event of a physical or technical incident;
- an adequate process for regularly monitoring, testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing;
- adequate and current controls and preventive measures in place against access of unauthorized persons to data processing systems (physical access control); concretely, the following measures are implemented with respect to Access Management: (i) need-to-know basis, least privilege, segregation of duties (SoD); (ii) approval for each access request must be obtained through a verifiable process to confirm its necessity. Information systems must leverage a robust framework consisting of these processes: identification, authentication, authorization, and accounting (logging);
- proper and accurate controls in place for keeping personal data logically separate from data processed on behalf of any third party and / or for other purposes as well as proper controls regarding sharing of personal data within your organization and with third parties;
- applying a level of encryption (at rest and in transit) and pseudonymisation of the personal data, appropriate to the risks and personal data processed;
- ensuring that in the course of processing activities and after storage, personal data cannot be read, copied, modified or deleted without authorization (data access control);
- envisaging and applying the necessary measures to ensure that the personal data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the target entities for any transfer of the personal data by means of data transmission facilities can be established and verified (data transfer control);
- ensuring the establishment of logging and the deployment of an audit trail to document whether and by whom the personal data have been entered into, modified in, or removed from data processing systems (entry control);
- maintaining and enforcing an information security policy and security incident management and continuity plans, consisting of, among others, the analysis performed in this respect and the risk management of personal data, a description of the various responsibilities and organizational rules, a description of how security incidents are managed, and the measures that were introduced to keep the security system up-to-date after installation;
- ensuring that information security is led by trained experts with the necessary competences. Moreover, ensuring that the staff is trained and obliged to confidentiality and aware and trained in data protection;
- ensuring physical environment security, for instance by means of security and surveillance regarding building, premises, and installations where carriers of personal data and computer systems processing the data are positioned, as well as prevention, detection, and operating procedure in the case of fire, intrusion, and water damage;
- ensuring that asset management process, policy, and procedures are in place (asset inventory is in place with annual reviews);
- ensuring that human resources processes, policies, and procedures are in place (employee background checks prior to hiring where applicable, account disabling upon termination, annual security awareness trainings, etc.);
- ensuring that Workload Protection is in place (as additional operational controls);
- ensuring that an effective change management process, policy, and procedures are in place (changes are reviewed, tested and approved before being deployed to production);
- maintaining complete and up-to-date documentation proportionate to the risk profile of the processing operations, including, but not limited to, technical documentation of implemented security measures and other information necessary to demonstrate compliance with the requirements of this Annex; and
- ensuring that the personal data is processed solely in accordance with the relevant controller’s instructions (control of instructions).
- the ability to effectively and promptly notify the Controller that it has received a request from a data subject to exercise its rights under Regulation (EU) 2016/679 concerning the personal data of the Controller;
- the ability, at its own cost and expense, to co-operate with the Controller as requested to enable the Controller to comply with exercise of rights by a data subject under Regulation (EU) 2016/679 concerning the personal data of the Controller, and to comply with any assessment, inquiry, notice or investigation under Regulation (EU) 2016/679 concerning the personal data of the Controller, which includes:
- providing all data requested by the Controller within a reasonable timescale, which shall always be set by the Controller, but in any case not longer than 3 days, including full details and copies of the complaint, communication or request and any personal data of the Controller it holds in relation to a data subject;
- where applicable, providing such assistance as is reasonably requested by the Controller to comply with the relevant request within the timescales prescribed by Regulation (EU) 2016/679; and
- implementing any additional technical and organisational measures as may be reasonably required by the Controller to allow the Controller to respond effectively to relevant complaints, communications or requests.
- the ability to assist the Controller in fulfilling the Controller’s obligation to respond to a request to exercise the rights of the data subject as set out in Chapter III of Regulation (EU) 2016/679. In particular, the Processor undertakes to respond to requests for access to data, requests for rectification and erasure of data, requests for restriction of processing and requests to exercise the right to data portability.
Web address: https://docs.studio.nebius.com/legal/dpa
Effective date: As stated above in the Terms of Service
Last updated: August 12, 2025
Previous version of the document: https://docs.nebius.com/legal/studio/archive/dpa-20250401
Previous version of the document: https://docs.nebius.com/legal/studio/archive/dpa-20241220