Data Processing Agreement

GDPR-compliant data processing terms for NuLink unified communication platform

Last Updated: November 3, 2025 | Effective Date: January 1, 2025

This Data Processing Agreement ("DPA") is entered into between the Customer ("Data Controller") and NuLink LLC ("Data Processor"), a Wyoming limited liability company located at 1309 Coffeen Avenue, Suite 1200, Sheridan, WY 82801.

WHEREAS, Customer uses NuLink's unified communication platform for business communications, and NuLink processes personal data on behalf of Customer in accordance with applicable data protection laws.

1. Definitions

"Personal Data"
Has the meaning given in GDPR Article 4(1): any information relating to an identified or identifiable natural person.
"Processing"
Has the meaning given in GDPR Article 4(2): any operation performed on personal data, including collection, storage, transmission, or deletion.
"Controller"
The Customer, who determines the purposes and means of processing personal data.
"Processor"
NuLink LLC, who processes personal data on behalf of the Controller.
"GDPR"
General Data Protection Regulation (EU) 2016/679.

2. Processing Terms

Purpose of Processing

Provision of unified communication services including messaging, voice, video, and collaboration features as described in the Master Service Agreement.

Duration

Processing continues for the duration of the Master Service Agreement and for 90 days following termination to allow for data retrieval.

Nature of Processing

Storage, transmission, and processing of business communications including messages, call records, contact information, and associated metadata.

Categories of Data

Business contact data, communication content, usage logs, billing information, and system metadata as necessary for service provision.

3. Processor Obligations

NuLink LLC, as Data Processor, shall:

✓ Process personal data only on documented instructions from the Controller

✓ Ensure that persons authorized to process personal data have committed to confidentiality

✓ Implement appropriate technical and organizational security measures per GDPR Article 32

✓ Assist the Controller in responding to data subject requests (access, rectification, erasure, etc.)

✓ Notify Controller without undue delay of any personal data breach

✓ Delete or return all personal data upon termination of services (unless legally required to retain)

✓ Make available all information necessary to demonstrate compliance with obligations

4. Sub-processors

The Controller authorizes the use of the following pre-approved sub-processors for specific service components:

Sub-processor | Service | Location
--- | --- | ---
Amazon Web Services (AWS) | Cloud Infrastructure | United States
Stripe Inc. | Payment Processing | United States
Telnyx LLC | Telephony Services | United States
Twilio Inc. | Backup Messaging | United States
Render Services, Inc. | Application Hosting | United States
Vercel Inc. | Frontend Hosting | United States

Note: NuLink will provide 30 days' notice before engaging new sub-processors, allowing Controller to object on reasonable grounds.

5. Security Measures

NuLink implements technical and organizational measures in accordance with GDPR Article 32:

Technical Measures

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Multi-factor authentication
  • Role-based access control
  • Regular security assessments
  • Automated threat detection

Organizational Measures

  • Security awareness training
  • Background checks for personnel
  • Incident response procedures
  • Data minimization practices
  • Regular audits and reviews
  • Vendor security assessments

6. International Data Transfers

Personal data may be transferred to and processed in the United States and other countries where NuLink or its sub-processors maintain facilities.

For transfers from the European Economic Area (EEA), NuLink ensures appropriate safeguards:

  • ✓ Standard Contractual Clauses (SCCs) approved by the European Commission
  • ✓ EU-US Data Privacy Framework certification (where applicable)
  • ✓ Supplementary measures per Schrems II guidance
  • ✓ Data localization options for Enterprise customers

7. Audit Rights

The Controller has the right to audit NuLink's compliance with this DPA:

  • Annual Audit Reports: NuLink provides SOC 2 Type II reports or equivalent audit documentation upon reasonable request
  • On-Site Audits: Available with 30 days' advance notice during business hours, not more than once per year
  • Costs: Controller bears reasonable costs associated with on-site audits unless a material breach is discovered
  • Documentation: All audit findings treated as confidential information under the Master Service Agreement

8. Liability and Indemnification

Liability under this DPA is subject to the limitations set forth in the Master Service Agreement between the parties. The aggregate liability caps and exclusions apply to claims arising from this DPA.

Each party shall defend, indemnify, and hold harmless the other from claims arising from its breach of applicable data protection laws or this DPA.

9. Governing Law

This DPA shall be governed by the laws of the State of Wyoming, United States, except where EU data protection law requires application of EU Member State law.

Questions About Data Processing?

NuLink LLC

1309 Coffeen Avenue, Suite 1200

Sheridan, WY 82801

+1 833 214 3272

DPA Inquiries: dpa@nulink.app

Legal Department: legal@nulink.app

Privacy Office: privacy@nulink.app