This is an old version of the document, which expired on October 31, 2025. The current version is available at: https://docs.nebius.com/legal/dpa.

This Data Processing Agreement (this “DPA” or “Addendum”) is entered into by and between Nebius B.V. (“Nebius” or “the Processor”), having its legal seat in the Netherlands, at Schiphol Boulevard 165, 1118 BG Schiphol, and the Customer (“Customer”), and is in connection with Nebius’ provision of services to Customer, pursuant to the applicable service agreement between the parties. Both parties shall be referred to as the “Parties” and each, a “Party”.

In consideration of the mutual obligations set out herein, the Parties hereby agree that the conditions set out below shall be added as an Addendum integral to the agreements established between the Parties and set out on https://docs.nebius.com/legal/agreement (“Nebius Services Agreement”) and https://docs.nebius.com/legal/terms-of-use (“Nebius Terms of Use”) and accepted by Customer (both referred to as the “Terms of Services”). In the event of any conflict between certain provisions of this DPA and the provisions of the Terms of Services, the provisions of this DPA shall prevail with respect to the Processing of Personal Data.

1. Definitions

1.1. The Terms used in this Addendum have the same meaning as those used in the Terms of Services, unless explicitly provided otherwise in this Addendum. Capitalized terms not defined herein shall have the meaning assigned to such terms in the Terms of Services.

1.2. “Applicable Data Protection Law” means all data protection and privacy laws and regulations applicable to the Processing of Personal Data under this Addendum, including, where applicable: (a) GDPR; (b) UK GDPR; (c) FADP; (d) CCPA; and (e) any other laws, regulations, or legally binding rules (including sector-specific or state-specific legislation) in any jurisdiction that apply to the collection, use, disclosure, retention, or other processing of Personal Data.

1.3. The terms, “Controller”, “Member State”, “Processor”, “Processing” and “Supervisory Authority”, “Data Subject”, “Personal Data”, “Personal Information”, “Sub-Processor”, “Personal Data Breach”, “Supervisory Authority”, shall have the same meaning as in the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, “GDPR”). The terms “Business”, “Business Purpose”, “Consumer” shall have the same meaning as in the CCPA.

1.4. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq., as may be amended from time to time, including the California Privacy Rights Act.

1.5. “UK GDPR” means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).

1.6. “FADP” means the Swiss Federal Act on Data Protection of 19 June 1992, and as revised as of 25 September 2020, the “Revised FADP”.

1.7. “Services” means the services provided to the Customer by Nebius in accordance with the Terms of Services.

1.8. “Security Documentation” means the Security Documentation applicable to the Services purchased by the Customer as made available by Nebius.

1.9. “Standard Contractual Clauses” shall mean the standard contractual clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

2. Roles

2.1. When processing Personal Data, under Applicable Data Protection Law, the parties agree that with regard to the Processing of Personal Data, Nebius acts as Processor on behalf of the Customer, which may act either as a Controller or a Processor, and that Nebius or members of the Nebius Group will engage Sub-processors pursuant to the requirements of this DPA. Under the terms of the CCPA Nebius will take the role of the “Service Provider” and Customer will take the role of the “Business”.

3. Nebius obligations and compliance with Law

3.1. When processing Personal Data, Nebius (i) complies with the provisions of Applicable Data Protection Law, (ii) acts only on the documented instructions from Customer, and (iii) acts only for the purposes authorized by the Customer. If Nebius is required to process Personal Data in compliance with the law of the European Union or a Member State to which Nebius is subject, it will inform the Customer of such legal requirement prior to such processing, unless a law of the European Union or a Member State to which Nebius is subject prohibits it from doing so.

3.2. Security Measures. Nebius implements and duly maintains appropriate technical and organizational security measures to protect Personal Data. An overview of the applicable security measures is enclosed as Annex 3 to this Addendum.

3.3. Confidentiality. Nebius ensures that all employees authorized to process Personal Data on our behalf are subject to appropriate confidentiality obligations with respect to that Personal Data.

3.4. (Personal) Data Breaches and cooperation with Customer. Nebius will notify the Customer without undue delay after it becomes aware of any Personal Data Breach and will provide the necessary information and necessary support to the Customer.

3.5. Deletion or Return of Personal Data. Nebius will delete or return, at the choice of the Customer, the Personal Data processed on behalf of the Customer, on termination or expiration of the Services. As a sole exception Nebius will retain (part of) the Personal Data in case and within the limit such is required by applicable law.

3.6. Data Subject Requests. When a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is received directly by Nebius, it will promptly redirect the request to the Customer. The Customer will be solely responsible for addressing and responding to any such Data Subject Requests.

3.7. Use of sub-processors. When engaging Sub-Processors, Nebius will impose terms providing at least the equivalent level of protection for Personal Data as those contained in this document. Customer hereby agrees Nebius may engage Sub-Processors to Process Personal Data on its behalf; a list of the current Sub-Processors is to be found in ANNEX 1.

3.8. Changes. Any change of Sub-Processors will be notified to the Customer at least 15 days prior to any such change; Customer will be given the opportunity to object to the engagement of new Sub-Processors on reasonable grounds related to the protection of Personal Data. If, within this period, Customer notifies Provider in writing of an objection to Provider’s appointment of such new Sub-Processor based on reasonable data protection concerns, the parties will discuss such concerns in good faith. If no such solution can be reached, Customer will be allowed to terminate the Service without prejudice to any fees incurred by Customer prior to suspension or termination, but without liability to either party.

3.9. (Personal) Data Breaches and cooperation with Customer. Nebius will notify the Customer without undue delay after it becomes aware of any Personal Data Breach and will provide the necessary information and necessary support to the Customer.

3.10. Deletion or Return of Personal Data. Nebius will delete or return, at the choice of the Customer, the Personal Data processed on behalf of the Customer, on termination or expiration of the Services. As a sole exception Nebius will retain (part of) the Personal Data in case and within the limit such is required by applicable law.

4. Customer’s obligations

4.1. Compliance with Laws. Customer is responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Personal Data and the Instructions issued to Nebius. Customer will moreover inform Nebius without undue delay if it is not able to comply with its responsibilities under applicable Data Protection Laws.

4.2. Security. Customer is responsible for a secure use of the Services offered by Nebius and it is responsible for independently determining whether the data security provided for adequately meets the obligations under applicable Data Protection Laws.

5. Controls, audits and reports

5.1. Upon the Customer’s request, Nebius shall assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR. Also, upon written request made by Customer and limited to once a year, Nebius will provide Customer with a self-assessment report demonstrating Nebius’s compliance with its obligations under this DPA and Applicable Law. This self-assessment will cover all processing activities performed by Nebius in the previous calendar year.

5.2. Audits. Nebius will allow an independent and suitably qualified auditor appointed by the Customer to conduct inspections to verify Nebius’s compliance with its obligations under this Addendum, provided a minimum of 30 days’ notice and not more than once per calendar year.

5.3. Costs. All additional costs and expenses incurred by Nebius in the performance of the activities listed in this paragraph 5 may be charged to the Customer.

6. Cross-border data transfers and processing location

6.1. Nebius processes Customers’ personal data within the region according to the choice of the Customer.

6.2. Transfers from the EEA, the United Kingdom and Switzerland to countries that offer an adequate level of data protection. Personal Data may be transferred from EU and EEA Member States, the United Kingdom (“UK”) and Switzerland to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, the UK, and/or Switzerland (“Adequacy Decisions”), as applicable, without any further safeguard being necessary.

Standard Contractual Clauses. The Standard Contractual Clauses are incorporated by reference and form part of this Agreement and added as Annex 2.

7. General Provisions

7.1. Severability. If any individual provision of this DPA is invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.

7.2. Limitation of Liability. Each party and each of their Affiliates’ liability, arising out of or related to this DPA will be subject to the limitations and exclusions of liability set out in the Terms of Services.

7.3. Governing Law and Jurisdiction. This Addendum is governed by and construed in accordance with the Laws of the Netherlands and subject to the exclusive jurisdiction of the Dutch Courts.

ANNEX 1 - Details of the Processing

Nature and Purpose of Processing
  1. Providing the Services to the Customer;
  2. Performing the Services under the Terms of Services, and this DPA and processing possible requests of the Customer;
  3. Acting upon Customer’s written instructions in accordance with the Terms of Services;
  4. Complying with applicable laws and regulations and with the provisions of this Addendum.

Duration of Processing
Processor will Process Personal Data pursuant to the Addendum and Terms of Services for the duration of the Service, and will keep it 30 days after, unless otherwise agreed upon in writing.

Type of Personal Data processed (in the role of Processor)
Customer data provided to Nebius via the Services, by Customer or by its End Users.

Categories of Data Subjects
Customer’s employees/contractors or any other data subject whose data is processed by Customer, exclusively at the Customer’s discretion during the service provisioning.

Sub-Processors
Processor may engage with the following Sub-Processors to provide the Services: https://docs.nebius.com/legal/sub-processors

ANNEX 2 Standard Contractual Clauses

EEA Cross Border Transfers
  1. The Parties hereby agree to the Standard Contractual Clauses as outlined in the Annex of the European Commission Implementing Decision (EU) 2021/914 of June 4, 2021 (“SCC”).
  2. Module Four (processor to controller) of the SCC shall apply where Nebius is a processor of the Personal Data and Customer is a controller of the personal data.
  3. Module Three (processor to processor) of the SCC shall apply where Customer is a processor of the personal data and Nebius acts as a Sub-Processor.
  4. Clause 7 of the SCC (Docking Clause) shall not apply.
  5. For the purposes of Clause 9 of the SCC (concerning Module Three transfers), the Parties agree that option 2 “General Written Authorisation” in Clause 9 of the SCC shall apply, and specify that the processor shall inform the controller in writing of any intended changes of that list through the addition or replacement of sub-processors at least thirty (30) days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The Parties also agree that the relevant agreed list of sub-processors is provided in Annex 1 to this DPA and may be amended from time to time as agreed in this clause.
  6. For the purposes of Clause 11 of the SCC, the optional language will not apply.
  7. For the purpose of Clause 17 of the SCC, option 1 shall apply, and the Parties agree that the SCC shall be governed by the laws of the Netherlands.
  8. For the purpose of Clause 18(b), disputes shall be resolved before the courts of the Netherlands.
  9. Annex I.A of the SCC shall be completed as indicated in Annex 1.
  10. Annex I.B of the Standard Contractual Clauses shall be completed as described in Annex I of this DPA.
  11. The period for which the personal data will be retained is for the duration of the Agreement, unless agreed otherwise in the Agreement and/or the DPA.
  12. In relation to transfers to Sub-processors, the subject matter, nature, and duration of the processing is set forth in Annex 1 of this DPA.
  13. Annex I.C of the SCC shall be completed as follows: The competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 7 above.
  14. Annex 3 of this DPA serves as Annex II of the SCC.
  15. The Parties agree that other clauses and additional safeguards added by this DPA to the SCC do not directly or indirectly contradict the SCC or detract from the fundamental rights or freedoms of data subjects.
  16. To the extent there is any conflict between the Standard Contractual Clauses and any other terms in this DPA or the Terms of Services, the provisions of the Standard Contractual Clauses will prevail.
  17. In the event of EEA Transfer or UK Transfer the Parties agree to supplement international data transfer(s) with the appropriate safeguards and representations.

ANNEX 3 Security and Organizational Measures

TECHNICAL AND ORGANISATIONAL MEASURES

A.

The following provides a description of the technical and organizational measures, which shall be implemented by the data processor (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. The data processor shall guarantee to have/be:
  1. the ability and technical capacity to ensure the ongoing security, confidentiality, integrity, availability and resilience of processing systems, networks and services. Data processor shall maintain network and physical security policies, procedures, and systems and shall perform network security and activities consistent with best practices in data processor’s industry but that, at a minimum, include but are not limited to: network firewall provisioning, intrusion detection, and regular (but in no event less frequently than annually) vulnerability assessments. In no event shall the foregoing as applied to the personal data of the data controller be any less stringent and protective than those applied by data processor to the protection of its own data and systems of a like or similar nature;
  2. the ability and technical capacity to restore the availability and access to the personal data in a timely manner in the event of a physical or technical incident;
  3. an adequate process for regularly monitoring, testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing;
  4. adequate and current controls and preventive measures in place against access of unauthorized persons to data processing systems (physical access control), concretely the following measures are implemented with respect to Access Management: i) Need-to-Know basis, Least Privilege, Segregation of Duties (SoD). ii) Approval for each access request must be obtained through a verifiable process to confirm the necessity. Information systems must leverage a robust framework consisting of these processes: Identification, Authentication, Authorization, Accounting (logging);
  5. proper and accurate controls in place for keeping personal data logically separate from data processed on behalf of any third party and / or for other purposes as well as proper controls regarding sharing of personal data within your organization and with third parties;
  6. applying a level of encryption (at rest and in transit) and pseudonymisation of the personal data, appropriate to the risks and personal data processed;
  7. ensuring that in the course of processing activities and after storage, personal data cannot be read, copied, modified or deleted without authorization (data access control);
  8. envisaging and applying the necessary measures to ensure that the personal data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the target entities for any transfer of the personal data by means of data transmission facilities can be established and verified (data transfer control);
  9. ensuring the establishment of logging and the deployment of an audit trail to document whether and by whom the personal data have been entered into, modified in, or removed from data processing systems (entry control);
  10. maintaining and enforcing an information security policy and security incident management and continuity plans, consisting of, among others, the analysis performed in this respect and the risk management of personal data, a description of various responsibilities and organizational rules, a description of how security incidents are managed, and the measures that were introduced to keep the security system up-to-date after installation;
  11. ensuring that information security is led by trained experts with the necessary competences. Moreover, ensuring that the staff is trained and obliged to confidentiality and aware and trained in data protection.
  12. ensuring physical environment security, for instance by means of security and surveillance regarding building, premises, and installations where carriers of personal data and computer systems processing the data are positioned, as well as prevention, detection, and operating procedure in the case of fire, intrusion, and water damage;
  13. ensuring that asset management process, policy, and procedures are in place (asset inventory is in place with annual reviews);
  14. ensuring that human resources processes, policies, and procedures are in place (employee background checks prior to hiring where applicable, account disabling upon termination, annual security awareness trainings, etc.);
  15. ensuring that antivirus protection/EDR is in place (as additional operational controls);
  16. ensuring effective change management process, policy, and procedures are in place (changes are reviewed, tested and approved before deployed to production);
  17. maintaining complete and up-to-date documentation proportionate to the risk profile of the processing operations, including, but not limited to, technical documentation of implemented security measures and other information necessary to demonstrate compliance with the requirements of this Annex; and
  18. ensuring that the personal data is processed solely in accordance with the relevant controller’s instructions (control of instructions).
Security Breach Notification - In the event of a personal data breach or breach of any of data processor’s security obligations, data processor shall notify data controller of such an event without undue delay of discovery by telephone and e-mail at the following phone number and email address: E-mail: privacy@nebius.com

B.

The following provides a description of the technical and organisational measures, which shall be implemented by the data processor in order to assist the data controller in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679, and the scope and the extent of the assistance required. The data processor shall ensure to have/be:
  1. the ability to effectively and promptly notify the data controller that it has received a request from a data subject to exercise its rights under Regulation (EU) 2016/679 concerning the personal data of the data controller;
  2. the ability, at its own cost and expense, to co-operate with the data controller as requested to enable the data controller to comply with exercise of rights by a data subject under Regulation (EU) 2016/679 concerning the personal data of the data controller, and to comply with any assessment, inquiry, notice or investigation under Regulation (EU) 2016/679 concerning the personal data of the data controller, which includes:
  • providing all data requested by the data controller within a reasonable timescale, which shall always be set by the data controller, but in any case not longer than 3 days, including full details and copies of the complaint, communication or request and any of the personal data of the data controller it holds in relation to a data subject;
  • where applicable, providing such assistance as is reasonably requested by the data controller to comply with the relevant request within the timescales prescribed by Regulation (EU) 2016/679; and
  • implementing any additional technical and organisational measures as may be reasonably required by the data controller to allow the data controller to respond effectively to relevant complaints, communications or requests.
  3. the ability to assist the data controller in fulfilling the data controller’s obligation to respond to a request to exercise the rights of the data subject as set out in Chapter III of Regulation (EU) 2016/679. In particular, the data processor undertakes to respond to requests for access to data, requests for rectification and erasure of data, requests for restriction of processing and requests to exercise the right to data portability.

Web address: https://docs.nebius.com/legal/dpa
Publication date: March 31, 2025