Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between you, the Customer ("Data Controller"), and NetViper, a sole proprietorship organised under the laws of Greece ("Data Processor"), in relation to your use of the Keryx platform and related services (the "Services").

This DPA applies to the extent that NetViper processes Personal Data on behalf of the Customer in the course of providing the Services.

1. Definitions

Capitalised terms not defined herein have the meanings given in Regulation (EU) 2016/679 (GDPR). "Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Personal Data Breach" shall have the meanings set forth in Article 4 GDPR.

2. Roles of the Parties

• The Customer acts as the Data Controller, determining the purposes of processing
• NetViper acts solely as the Data Processor
• NetViper determines the technical means of processing (including implementation methods, architecture, and security controls) but not the business purposes or scope of processing

3. Subject Matter and Duration

• Subject matter: Secure file transfer services, relay infrastructure, license management, bandwidth tracking, and related platform operations
• Duration: For the duration of the Customer's active subscription to the Services
• Nature and purpose: Processing strictly necessary to provide the Services
• Categories of Personal Data: User identifiers, contact details, authentication data, IP addresses, transfer metadata, bandwidth usage data, and technical logs
• Categories of Data Subjects: End users, organisation administrators, and other individuals whose Personal Data is processed through the Services

4. Processor Obligations

4.1 NetViper shall process Personal Data only on documented instructions from the Customer regarding the purposes and scope of processing.

4.2 NetViper shall ensure that persons authorised to process Personal Data are bound by confidentiality obligations.

4.3 NetViper shall implement appropriate technical and organisational security measures proportionate to the risk, including:

• End-to-end encryption of file transfer content
• Encryption of Personal Data in transit (TLS) and at rest
• Measures to ensure ongoing confidentiality, integrity, availability, and resilience of systems
• Regular testing and evaluation of security effectiveness
• Procedures for timely detection, response, and remediation of security incidents

4.4 NetViper shall not disclose Personal Data to third parties except as permitted under this DPA or required by applicable law.

4.5 If NetViper believes a Customer instruction violates GDPR or other applicable data protection law, NetViper shall promptly inform the Customer and may refuse to execute such instruction until the matter is resolved.

4.6 NetViper shall maintain records of processing activities as required by Article 30 GDPR.

5. Sub-Processors

5.1 NetViper may engage sub-processors solely as necessary to provide the Services.

5.2 Sub-processors shall be bound by written obligations no less protective than this DPA.

5.3 NetViper remains responsible for sub-processor compliance.

5.4 The Customer grants general authorisation for NetViper to engage sub-processors. NetViper shall inform the Customer of any intended addition or replacement of sub-processors, providing ten (10) business days to object in writing. If the Customer objects, NetViper may either:

• Not engage the sub-processor; or
• If the sub-processor is essential to the Services, terminate the Customer's subscription without liability

6. International Transfers

Personal Data shall be processed exclusively within the European Economic Area (EEA) unless the Customer provides prior written consent to specific transfers outside the EEA. Any such transfers shall be subject to appropriate safeguards under Chapter V GDPR, including Standard Contractual Clauses, adequacy decisions, or other approved mechanisms.

7. Data Subject Rights

NetViper shall reasonably assist the Customer in responding to Data Subject requests to the extent technically feasible and within NetViper's role as Processor.

8. Data Protection Impact Assessments

NetViper shall provide reasonable assistance to the Customer in conducting Data Protection Impact Assessments where required under GDPR, to the extent such assistance relates to processing performed by NetViper.

9. Personal Data Breach

9.1 NetViper shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.

9.2 The notification shall include, to the extent reasonably available:

• A description of the nature of the breach
• Categories and approximate number of Data Subjects affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach and mitigate harm

10. Deletion or Return of Personal Data

10.1 Upon termination of the Customer's subscription, NetViper shall delete Personal Data within a reasonable period unless retention is required by law.

10.2 The Customer may request data export prior to account termination.

10.3 NetViper may retain Personal Data where required by law or for legitimate purposes such as legal defence or compliance.

11. Audits

11.1 The Customer may request reasonable written information to demonstrate compliance with this DPA.

11.2 Audits shall be limited to data protection obligations, conducted remotely where possible, subject to reasonable advance notice, and performed at the Customer's expense.

11.3 Audits shall not require access to NetViper's source code, repositories, or internal systems unrelated to the Services.

12. Liability

Liability arising under this DPA is subject to the limitations and caps set forth in the Terms of Service.

13. Governing Law

This DPA shall be governed by and construed in accordance with the laws of Greece, consistent with the governing law of the Terms of Service.

14. Data Processor Details

NetViper
Legal Form: Sole Proprietorship (Greece)
Owner: David Riding
Location: Athens, Attica, Greece
Email: support@netviper.gr