Data Processing Agreement
Last updated: March 2026
DRAFT — This document requires review by a qualified legal professional before use. This DPA is designed to comply with GDPR Art. 28.
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
- Controller: The entity that has agreed to the NetSenX Terms of Service ("Client", "Controller").
- Processor: TriStiX S.L., a limited liability company registered in Alicante, Spain ("TriStiX", "Processor").
This DPA supplements and forms part of the NetSenX Terms of Service and is effective from the date the Client accepts the Terms of Service.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person as defined in GDPR Art. 4(1).
- "Processing" means any operation performed on Personal Data as defined in GDPR Art. 4(2).
- "Sub-Processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
3. Subject Matter and Duration
Subject matter: Processing of network flow metadata for the purpose of behavioral threat detection, alert generation, compliance reporting, and security monitoring.
Duration: This DPA remains in effect for the duration of the Client's subscription to NetSenX, plus 90 days for data deletion post-termination.
4. Nature and Purpose of Processing
The Processor processes Personal Data solely for the purpose of providing the NetSenX threat detection service, including:
- Collection: Receiving network flow metadata from the Client's NetSenX agent installations.
- Analysis: Processing flow metadata through the NDR behavioral detection engine to identify potential security threats.
- Storage: Storing flow metadata, detection results, SHAP explanations, and Decision Traces in the Controller's isolated database partition.
- Alerting: Generating and delivering security alerts to the Controller via the dashboard, email notifications, and webhook integrations.
- Reporting: Generating compliance reports (NIS2, GDPR) at the Controller's request.
5. Categories of Personal Data
The following categories of Personal Data may be processed:
| Category | Examples | Source |
|---|---|---|
| Network identifiers | IP addresses (source, destination) | Agent |
| Connection metadata | Ports, protocols, byte counts, timestamps | Agent |
| Account data | Email, name, company, role | Registration |
| Billing data | Payment method (via Stripe), invoices | Stripe |
| Usage data | Dashboard interactions, feature usage | Analytics |
Excluded: The NetSenX agent does not capture packet payloads, communication content, email bodies, HTTP request/response bodies, or DNS query results.
6. Categories of Data Subjects
- The Controller's employees and authorized users of the NetSenX dashboard.
- Individuals whose network activity generates flow metadata on the Controller's monitored infrastructure (employees, contractors, visitors using the network).
7. Processor Obligations (GDPR Art. 28)
7.1 Instructions
The Processor shall process Personal Data only on documented instructions from the Controller, including transfers to third countries, unless required by EU or Member State law to which the Processor is subject.
7.2 Confidentiality
The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7.3 Security Measures (GDPR Art. 32)
The Processor implements the following technical and organizational security measures:
- Encryption: TLS 1.3 for data in transit; AES-256 for data at rest.
- Tenant isolation: PostgreSQL row-level security (RLS) ensures complete data isolation between clients.
- Access control: Role-based access control (RBAC) with 5 permission levels. Two-factor authentication available for all users.
- Audit logging: All administrative actions are logged with user, timestamp, and action detail.
- CSRF/XSS protection: Double-submit cookie CSRF tokens, Content Security Policy headers, DOMPurify sanitization.
- Rate limiting: Redis-backed rate limiting on all API endpoints.
- Network security: HSTS, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Permissions-Policy restrictions.
- Automated security scanning: Bandit SAST, ESLint security rules, dependency auditing, pattern enforcement in CI/CD.
7.4 Sub-Processors
The Controller hereby provides general written authorization for the Processor to engage the sub-processors listed in the Privacy Policy. The Processor shall:
- Notify the Controller at least 30 days before adding or replacing a sub-processor.
- Enter into a data processing agreement with each sub-processor imposing equivalent data protection obligations.
- Remain fully liable for the acts and omissions of its sub-processors.
The Controller may object to a new sub-processor within 14 days of notification. If the objection is not resolved, the Controller may terminate the agreement.
7.5 Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any case within 72 hours, after becoming aware of a Data Breach affecting the Controller's Personal Data. The notification shall include:
- Nature of the breach, including categories and number of data subjects affected.
- Contact details of the Processor's DPO.
- Description of likely consequences.
- Description of measures taken or proposed to address the breach.
7.6 Assistance
The Processor shall assist the Controller in:
- Responding to data subject requests (access, rectification, erasure, portability, restriction, objection) via the self-service tools provided in the dashboard and API.
- Conducting data protection impact assessments (DPIA) where required.
- Ensuring compliance with GDPR Art. 32-36 obligations.
7.7 Data Return and Deletion
Upon termination of the agreement, the Processor shall, at the Controller's choice:
- Return all Personal Data in machine-readable format (JSON/CSV) via the data export functionality (GET /tenant/export), or
- Delete all Personal Data within 90 days of termination, except where EU or Member State law requires retention.
Billing records are retained for 7 years pursuant to Spanish tax law.
8. Controller Obligations
The Controller warrants that:
- It has a lawful basis for processing network flow metadata (typically legitimate interest under GDPR Art. 6(1)(f) for network security).
- It has informed data subjects (employees, network users) about the monitoring, where required by applicable law.
- Any instructions given to the Processor comply with applicable data protection law.
9. Audit Rights
The Controller may audit the Processor's compliance with this DPA once per calendar year, subject to:
- 30 days written notice.
- The audit shall be conducted during business hours and shall not unreasonably interfere with the Processor's operations.
- The Controller bears the cost of the audit unless the audit reveals material non-compliance.
- The Processor may satisfy audit requests by providing relevant certifications, audit reports, or compliance documentation.
10. International Transfers
The Processor does not transfer Personal Data outside the European Economic Area (EEA). All infrastructure, sub-processors, and data storage are located within the EU. If international transfers become necessary, the Processor shall implement Standard Contractual Clauses (SCCs) as approved by the European Commission and notify the Controller in advance.
11. Liability
Each party's liability under this DPA is subject to the limitation of liability provisions in the main Terms of Service agreement.
12. Governing Law
This DPA shall be governed by and construed in accordance with the laws of Spain and applicable EU data protection regulations, including the GDPR. Any disputes shall be submitted to the exclusive jurisdiction of the courts of Alicante, Spain.
13. Contact
- Processor DPO: dpo@netsenx.com
- Legal: legal@netsenx.com
- Company: TriStiX S.L., Alicante, Spain