Data Processing Agreement
Effective: May 12, 2026 · Version 1.0
This Data Processing Agreement ("DPA") forms part of the Master Services Agreement, Order Form, or Terms of Service (the "Agreement") between nano, LLC ("Nano", "Processor") and the customer identified in the Agreement ("Customer", "Controller") for the provision of the Nano platform (the "Service").
This DPA reflects the parties' agreement on the processing of Personal Data in accordance with the requirements of applicable data protection laws, including the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR and Data Protection Act 2018 ("UK GDPR"), and the California Consumer Privacy Act as amended by the CPRA ("CCPA").
1. Definitions
Capitalized terms not defined in this DPA have the meaning given in the Agreement or in applicable data protection law.
- Personal Data — any information relating to an identified or identifiable natural person processed by Nano on behalf of Customer under the Agreement.
- Processing — any operation performed on Personal Data, whether or not by automated means (collection, storage, use, disclosure, deletion, etc.).
- Controller, Processor, Data Subject, Supervisory Authority — as defined in the GDPR.
- Sub-processor — any third party engaged by Nano to process Personal Data on behalf of Customer.
- Standard Contractual Clauses or SCCs — the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Decision (EU) 2021/914, and the UK International Data Transfer Addendum where applicable.
- Security Incident — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by Nano.
2. Roles and Scope
| Party | Role |
|---|---|
| Customer | Controller (or Processor acting on behalf of its own controller) |
| Nano | Processor |
Customer determines the purposes and means of the Processing. Nano processes Personal Data only on Customer's documented instructions, including with regard to transfers of Personal Data to a third country, unless required to do otherwise by applicable law (in which case Nano will inform Customer of that legal requirement before processing, unless prohibited from doing so).
3. Subject Matter, Nature, and Purpose of Processing
- Subject matter — Nano's provision of the Service to Customer under the Agreement.
- Nature and purpose — collection, storage, analysis, indexing, search, alerting, and retention of security log data to enable Customer to monitor, detect, investigate, and respond to security events.
- Duration — for the term of the Agreement, plus any post-termination retention period set out in Section 11.
4. Categories of Data Subjects and Types of Personal Data
The Personal Data processed by Nano on behalf of Customer is determined and controlled by Customer in its sole discretion. It typically consists of Personal Data contained in security log data, as set out below:
Categories of Data Subjects:
- Customer's employees, contractors, agents, and authorized end users
- Visitors to and users of Customer's systems, networks, and applications
- Other individuals identified in log data transmitted to the Service
Types of Personal Data:
- Identifiers: usernames, email addresses, employee IDs, full names where present
- Online identifiers: IP addresses, device identifiers, MAC addresses, session tokens
- Authentication and access data: login timestamps, source/destination hosts, authentication outcomes
- System and network activity: hostnames, process names, file paths, command lines, URLs accessed
- Account information of Customer's authorized users of the Service (name, email, role)
Customer is responsible for ensuring that Personal Data transmitted to the Service is consistent with the categories above and that it has all rights and lawful bases necessary to do so.
5. Processor Obligations
Nano will:
a. Process Personal Data only on documented instructions from Customer, including those set out in the Agreement and this DPA, and inform Customer if Nano believes an instruction infringes applicable data protection law.
b. Ensure confidentiality by requiring personnel authorized to process Personal Data to commit to confidentiality or be under an appropriate statutory obligation of confidentiality.
c. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 8 and Annex II.
d. Engage Sub-processors only in accordance with Section 7.
e. Assist Customer, taking into account the nature of the Processing, by appropriate technical and organizational measures, in fulfilling Customer's obligations to respond to Data Subject requests under Articles 12–23 GDPR.
f. Assist Customer in ensuring compliance with obligations under Articles 32–36 GDPR (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of Processing and the information available to Nano.
g. Delete or return Personal Data at Customer's choice at the end of the provision of the Service, as set out in Section 11.
h. Make available to Customer the information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits as set out in Section 10.
6. Data Subject Requests
Nano will, to the extent legally permitted, promptly notify Customer if Nano receives a request from a Data Subject relating to Personal Data Processed under the Agreement. Nano will not respond to such a request directly except on Customer's documented instructions or as required by applicable law.
Where the Service provides functionality enabling Customer to retrieve, correct, delete, or restrict Personal Data, Customer will use that functionality to fulfill its obligations under applicable data protection law. Where additional assistance is required, Nano will provide reasonable assistance at Customer's expense, taking into account the nature of the Processing.
7. Sub-processors
7.1 General Authorization
Customer provides general authorization for Nano to engage Sub-processors to process Personal Data, subject to this Section 7.
7.2 Current Sub-processors
The current list of authorized Sub-processors is available at nano.rs/dpa#sub-processors or, where Customer is on a Bring-Your-Own-Cloud deployment, scoped to the Sub-processors actually engaged for that deployment. A representative list includes:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Edge network, DDoS protection, static asset delivery, transactional email delivery | Global |
| Hetzner Online GmbH | Compute and storage infrastructure (selected deployments) | Germany / Finland |
| Civo Ltd. | Managed Kubernetes for tenant clusters (selected tiers) | United States / United Kingdom |
| Amazon Web Services, Inc. | Compute, storage, and managed services (BYOC and selected tiers) | Customer-selected region |
| Google Cloud Platform | Compute, storage, and managed services (BYOC and selected tiers) | Customer-selected region |
| Stripe, Inc. | Subscription billing and payment processing | United States |
| ClickHouse, Inc. | ClickHouse Cloud (Enterprise tier only) | Customer-selected region |
The authoritative, up-to-date list is maintained at the URL above. Customers may subscribe to notifications of changes by emailing .
7.3 Changes to Sub-processors
Nano will give Customer at least 30 days' prior written notice of the appointment of any new Sub-processor or replacement of an existing Sub-processor. Customer may object to such appointment on reasonable grounds relating to data protection within that notice period. If the parties cannot reach a mutually agreeable resolution, Customer may terminate the affected portion of the Service without penalty as its sole and exclusive remedy.
7.4 Sub-processor Obligations
Nano will impose on each Sub-processor data protection obligations no less protective than those in this DPA, and remains liable to Customer for the performance of each Sub-processor's obligations.
8. Security Measures
Nano will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against Security Incidents, as further described in Annex II (Technical and Organizational Measures). These measures include, at a minimum:
- Encryption in transit for all Personal Data transmitted to and from the Service (TLS 1.2+)
- Encryption at rest for stored Personal Data
- Access controls based on the principle of least privilege, with multi-factor authentication for Nano personnel with access to production systems
- Network segregation between tenants, with logical isolation at the application layer and physical or virtualized isolation at the infrastructure layer where applicable
- Audit logging of administrative actions on production systems
- Vulnerability management including regular dependency scanning and security review of changes
- Personnel security including background checks (where lawful) and onboarding/offboarding controls
- Business continuity and disaster recovery procedures appropriate to the Service tier
Nano regularly reviews and updates its security measures to reflect changes in technology and the evolving threat landscape. Customer acknowledges that Nano may update the measures provided that any update does not result in a material reduction in the level of security.
9. Security Incident Notification
Nano will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Security Incident affecting Customer's Personal Data. The notification will, to the extent the information is then known to Nano, include:
- A description of the nature of the Security Incident
- The categories and approximate number of Data Subjects and records affected
- The likely consequences of the Security Incident
- The measures taken or proposed to address the Security Incident and mitigate its possible adverse effects
Nano will provide reasonable cooperation and assistance to enable Customer to fulfill its own notification obligations to Supervisory Authorities and Data Subjects.
10. Audits
Customer may, at its own expense, audit Nano's compliance with this DPA no more than once per twelve-month period, provided that Customer:
- Gives at least 30 days' prior written notice
- Conducts the audit during normal business hours and in a manner that does not unreasonably interfere with Nano's business operations
- Complies with Nano's reasonable security and confidentiality requirements
- Bears its own costs and Nano's reasonable costs of supporting the audit
Customer agrees that Nano's then-current SOC 2 Type II report, ISO 27001 certification, or equivalent third-party audit report (where available) will be deemed to satisfy Customer's audit rights, except where required otherwise by a Supervisory Authority.
11. Deletion and Return of Personal Data
Upon termination or expiry of the Agreement, or earlier on Customer's written request, Nano will, at Customer's choice, delete or return all Personal Data processed on behalf of Customer, and delete existing copies, unless retention is required by applicable law.
The Service provides Customer with functionality to export its data prior to termination. After a post-termination grace period of 30 days, Customer's Personal Data will be deleted from active production systems. Backup copies will be deleted in accordance with Nano's backup retention schedule, not to exceed 90 days from termination.
12. International Data Transfers
Where Nano transfers Personal Data from the European Economic Area, United Kingdom, or Switzerland to a country that has not been recognized as providing an adequate level of protection, the transfer will be subject to:
- For transfers from the EEA: the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) as adopted by the European Commission in Decision (EU) 2021/914, which are deemed incorporated into this DPA by reference and completed by the information in Annex I.
- For transfers from the United Kingdom: the UK International Data Transfer Addendum to the EU SCCs.
- For transfers from Switzerland: the EU SCCs as adapted in accordance with guidance from the Swiss Federal Data Protection and Information Commissioner.
If a Supervisory Authority or court finds that the SCCs are no longer a valid transfer mechanism, the parties will work in good faith to implement an alternative lawful transfer mechanism without undue delay.
13. California Consumer Privacy Act (CCPA)
Where Nano processes Personal Data of California residents on behalf of Customer:
- Nano is a "service provider" as defined in the CCPA
- Nano will not retain, use, or disclose Personal Data for any purpose other than the specific purpose of providing the Service, including for any commercial purpose other than providing the Service to Customer
- Nano will not "sell" or "share" Personal Data as those terms are defined in the CCPA
- Nano will not combine Personal Data received from Customer with Personal Data received from another source, except as permitted by the CCPA
- Nano will provide the same level of privacy protection to Personal Data as is required of Customer under the CCPA
14. Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations of liability set out in the Agreement. Nothing in this DPA limits either party's liability to Data Subjects under applicable law.
15. Order of Precedence
In the event of a conflict between this DPA and the Agreement, this DPA prevails with respect to the subject matter of the Processing of Personal Data. The SCCs prevail over this DPA where they are incorporated.
16. Governing Law and Forum
This DPA is governed by the laws and forum specified in the Agreement, except where mandatory law (including data protection law) requires otherwise.
17. Execution
This DPA is effective when executed by both parties or, in the absence of separate execution, on the effective date of the Agreement provided Customer has indicated its acceptance in writing (including by email or order form referencing this DPA).
For execution, signed counterparts, or to request edits to this DPA, contact .
Annex I — Details of Processing
| Item | Details |
|---|---|
| Data Exporter | Customer, as identified in the Agreement. |
| Data Importer | nano, LLC. |
| Categories of Data Subjects and Personal Data | As described in Section 4. |
| Sensitive Data | The Service is not intended for the processing of special categories of Personal Data under Article 9 GDPR. Customer is responsible for ensuring that any incidental processing of such data is lawful and that appropriate additional safeguards are in place. |
| Frequency of Transfer | Continuous, for the duration of the Agreement. |
| Duration of Processing | For the term of the Agreement, plus the post-termination retention period set out in Section 11. |
| Purpose | Provision of the Service as described in Section 3. |
| Competent Supervisory Authority | For EEA transfers, the supervisory authority of the EU/EEA member state in which the data exporter is established. For UK transfers, the UK Information Commissioner's Office. For Swiss transfers, the Swiss Federal Data Protection and Information Commissioner. |
Annex II — Technical and Organizational Measures
The following measures apply to Nano's Processing of Personal Data under the Agreement. They are reviewed and updated periodically.
| Domain | Measures |
|---|---|
| Encryption in transit | TLS 1.2+ for all customer-facing endpoints; mTLS for internal service-to-service communication where supported |
| Encryption at rest | Disk-level encryption (LUKS or cloud-provider equivalent) for all storage systems holding Personal Data |
| Access controls | Role-based access; least-privilege defaults; MFA required for production access; just-in-time elevation for sensitive operations |
| Tenant isolation | Logical isolation at the application layer; per-tenant database schemas or instances; per-tenant Vector ingestion endpoints with mTLS |
| Network security | Default-deny network policies; egress restricted to known endpoints; tenant ingress over TLS with authentication tokens |
| Logging and monitoring | Audit logs for administrative actions; anomaly detection on access patterns; alerting on policy violations |
| Vulnerability management | Continuous dependency scanning; security review of all changes; regular patching of base images and platform components |
| Personnel security | Background checks where lawful; confidentiality obligations; security training; access reviews on role change and termination |
| Incident response | Documented incident response procedures; on-call rotation; post-incident review |
| Business continuity | Multi-AZ deployments for production-tier services; documented backup and restore procedures; periodic restore testing |
| Sub-processor management | DPA or equivalent with each Sub-processor; review of Sub-processor security posture before onboarding |
| Data deletion | Documented deletion procedures on termination and on Data Subject deletion requests |
Sub-processors
The current list of authorized Sub-processors is provided in Section 7.2. To subscribe to notifications of changes, email .