This Data Processing Agreement (“DPA”) is entered into by and between Nebius Israel Ltd. (“Nebius” or the “Processor”), and the customer identified under the applicable service agreement (“Customer”). Nebius and Customer are collectively referred to as the “Parties” and individually as a “Party.” In consideration of the mutual obligations set forth herein, the Parties agree that the terms and conditions described below shall be incorporated into, and form an integral part of, the agreements previously entered into by the Parties, including the Nebius Services Agreement and the Nebius Terms of Use (together, the “Terms of Service”), as accepted by Customer. In the event of any conflict between the provisions of this DPA and those of the Terms of Service, the provisions of this DPA shall govern with respect to the processing of personal data.

1. Definitions

Terms in this DPA have the same meaning as those in the Terms of Service, unless expressly defined otherwise in this DPA. Capitalized terms not defined herein shall have the meaning assigned to them in the Terms of Service.

1.1. “Adequacy Decision” means a decision adopted by the European Commission pursuant to Article 45 of the General Data Protection Regulation, determining that a third country, a territory or one or more specified sectors within that country ensure an adequate level of protection for personal data, allowing transfers of personal data from the European Economic Area (“EEA”) to such country without the need for additional safeguards.

1.2. “Applicable Data Protection Laws” means all data protection and privacy laws and regulations applicable to the respective Party in its role in the processing of personal data under the Terms of Service, which may include, to the extent applicable, Israeli Data Protection Laws and European Data Protection Laws.

1.3. “Customer Content” means, if not defined within the Terms of Service, all data processed by Nebius on your behalf in the course of providing the Services.

1.4. “Customer Personal Data” means any ‘personal data’ or ‘personal information’ contained within Customer Content.

1.5. “Database Owner” / “Database Holder” mean respectively the terms “Database Controller” (Ba’al Shlita b’Ma’agar) and “Holder” (Machzik), as such terms are defined in the Israeli Protection of Privacy Law, 5741-1981, and shall be interpreted accordingly under this DPA.

1.6. “European Data Protection Laws” means (a) Regulation 2016/679 (General Data Protection Regulation) (“EU GDPR”); (b) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (c) the Swiss Federal Data Protection Act and its implementing regulations (“Swiss Data Protection Act”); in each case as may be amended, superseded or replaced from time to time.

1.7. “Israeli Data Protection Laws” means Protection of Privacy Law, 5741-1981 (the “PPL”), the Protection of Privacy Regulations (Data Security), 5777-2017 (the “Data Security Regulations”), the Protection of Privacy Regulations (Transfer of Data to Databases Abroad), 5761-2001 (the “Transfer Regulations”), and any binding guidance/directives of the Israeli Privacy Protection Authority to the extent applicable.

1.8. “Security Breach” means a breach of security leading to an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data, including a ‘Severe Security Breach’ as defined in the Security Regulations.

1.9. “Services” means the services provided to the Customer by Nebius in accordance with the Terms of Services.

1.10. “Sub-processor” means any other processor engaged by Nebius to process Customer Personal Data.

1.11. “UK Addendum” means the International Data Transfer Addendum issued by the Information Commissioner’s Office under S.119 (a) of the UK Data Protection Act 2018, as updated or amended from time to time.

1.12. The terms “controller”, “data subject”, “supervisory authority”, “processor”, “process”, “processing”, “personal data,” and “personal information” shall have the meanings given to them in Applicable Data Protection Laws.

2. Processing of Personal Data

2.1. Scope and Roles of the Parties. This DPA applies when Customer Personal Data is processed by Nebius as a processor (“holder”) in its provision of the Services to Customer, who will act as either a controller or processor, as applicable, of Customer Personal Data.

2.2. Processing by Nebius. When processing personal data on behalf of Customer, Nebius will (i) comply with Applicable Data Protection Laws; (ii) process personal data only as necessary to perform its obligations under the Agreement and strictly in accordance with Customer’s documented instructions (as set out in the Agreement and this DPA, or as directed by Customer or its Authorized Users through the Services) (“Instructions”); and (iii) process personal data only for the purposes authorized by Customer. If Nebius is required to process personal data to comply with applicable law to which it is subject, Nebius will inform Customer of that legal requirement before such processing, unless such law prohibits notice.

2.3. Processing by Customer. Customer (i) will comply with Applicable Data Protection Laws in its processing of personal data and in any Instructions it issues to Nebius; (ii) is responsible for using the Services in a secure manner and for independently determining whether the security measures available through the Services satisfy Customer’s legal and contractual obligations; (iii) represents that it has provided all required notices and obtained (and will obtain and maintain) all necessary consents / authorizations and rights to process personal data through the Services and to provide Nebius with Instructions; and (iv) will inform Nebius without undue delay if Customer is unable to comply with its responsibilities under Applicable Data Protection Laws or its Instructions would cause non-compliance.

2.4. Details of Processing. The subject matter of Nebius’s processing of personal data is the provision of the Services under the Terms of Services. The duration, nature and purpose of the processing, and the types of personal data and categories of data subjects are set out in Annex 1 to this DPA.

2.5. Confidentiality. Nebius will ensure that the only persons who will have access to the Personal Data are those whose role requires access to the same and who are legally bound to protect the confidentiality of the Personal Data and to comply with the terms of this DPA. Personnel confidentiality requirements. Nebius shall take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who may have access to Personal Data and shall ensure that each such individual (i) is informed of the confidential nature of Personal Data; (ii) has received appropriate training on his/her responsibilities; and (iii) is subject to confidentiality undertakings or appropriate statutory obligations of confidentiality.

3. Assistance Obligations

3.1. Data Subject Requests. Customer is responsible for responding to and complying with data subject requests (“DSR”). If Nebius receives a DSR directly and the request identifies Customer or enables Nebius to identify Customer, Nebius will promptly forward the DSR to Customer. Unless legally required to respond, Nebius will not respond to the data subject except to acknowledge receipt and refer the individual to Customer for a response.

3.2. Legal Requests. If Nebius receives a subpoena, court order, warrant, or other legal demand from law enforcement or any public or judicial authority seeking disclosure of Customer Personal Data, Nebius will first attempt to redirect the requesting authority to seek the information directly from Customer and may provide the authority with Customer’s basic contact information for that purpose. If Nebius is compelled to disclose Customer Personal Data, Nebius will provide Customer with reasonable prior notice of the demand so Customer may seek a protective order or other appropriate remedy, unless Nebius is legally prohibited from giving such notice. In responding to any legally binding demand, Nebius will disclose only the minimum amount of Customer Personal Data necessary to comply with the demand and will challenge requests that Nebius reasonably believes are overbroad, unlawful, or otherwise invalid.

4. Sub-processors

4.1. Authorization. Customer provides a general written authorization for Nebius to engage Sub-processors to process Customer Personal Data in accordance with this Section. Nebius has entered into a written agreement with each Sub-processor that imposes data protection obligations no less protective than those set forth in this Agreement, including with respect to the protection of Personal Data, to the extent applicable to the nature and scope of the Services the Sub-processor provides.

4.2. Current List of Sub-processors. Nebius maintains a current list of Sub-processors engaged to process personal data, including a description of their processing activities and country of location - available at the following link: https://docs.nebius.com/legal/sub-processors (the “Sub-processor List”). Customer hereby consents to these Sub-processors, their locations and processing activities as it pertains to their personal data.

4.3. Changes to Sub-processors. Nebius will provide Customer at least fifteen (15) days’ prior notice of any addition or replacement of a Sub-processor. Customer may object on reasonable data-protection grounds to the engagement of a new Sub-processor by providing written notice within that period. The Parties will discuss the objection in good faith. If no mutually acceptable solution is reached, Customer may terminate the affected Services and receive a pro-rata refund of any prepaid, unused fees, without liability to either Party, without prejudice to fees accrued before suspension or termination.

5. Security and Compliance

5.1. Security Measures. Nebius implements and maintains appropriate technical and organizational measures to safeguard Personal Data in accordance with the Security Regulations. A summary of these security measures is provided in Annex 3 to this DPA. The Customer is responsible for assessing whether the above-mentioned security measures are sufficient for the intended processing of Personal Data, and for ensuring it has a valid legal basis and complies with any additional requirements under Applicable Data Protection Laws.

5.2. Security Breaches and Cooperation with Customer. Nebius will notify the Customer without undue delay after becoming aware of any Security Breach and will provide all necessary information and reasonable assistance to the Customer.

5.3. Data Protection Impact Assessments. Upon reasonable request, Nebius will provide the Customer with information about the Nebius Services necessary for the Customer to conduct data protection impact assessments and any related consultations with supervisory authorities, as required by Applicable Data Protection Laws, provided that the Customer does not otherwise have access to the relevant information.

5.4. Audit Program. Upon written request and at no additional cost to the Customer, Nebius will provide the Customer and/or its appropriately qualified third-party representative with access to documentation reasonably necessary to demonstrate Nebius’s compliance with its obligations under this DPA and Applicable Data Protection Laws.

5.5. Audits. Nebius will allow an independent, suitably qualified auditor appointed by the Customer to conduct inspections to verify Nebius’s compliance with its obligations under this DPA, provided that the Customer gives at least 30 days’ prior notice and does not request such inspections more than once per calendar year. All additional costs and expenses incurred by Nebius in connection with such audits may be charged to the Customer.

6. Transfer of Personal Data

6.1. Data Processing Location. Nebius processes the Customer’s Personal Data within the region selected by the Customer.

6.2. Cross-Border Transfers. Where Customer is subject to Israeli Data Protection Laws and instructs Nebius to process or store Customer Personal Data outside Israel (including in the EEA), the Parties agree that: (a) such transfer shall be made in compliance with the Transfer Regulations; and (b) Nebius shall ensure that any recipient outside Israel (including Sub-processors) is bound by written obligations to protect data subjects at a level not less than required under Israeli law, including limitations on onward transfers and use of the data solely for the purposes of providing the Services.

7. Return and Deletion of Customer Personal Data

Upon termination or expiration of the Services, Nebius will, at the Customer’s choice, delete or return any Customer Personal Data processed on the Customer’s behalf. The sole exception is that Nebius may retain Customer Personal Data, in whole or in part, to the extent required by applicable law.

8. General

8.1. Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions will remain in full force and effect.

8.2. Limitation of Liability. The liability of each party and their respective Affiliates arising out of or in connection with this DPA will be subject to the limitations and exclusions set forth in the Terms of Service.

8.3. Governing Law and Jurisdiction. This DPA will be governed by, and construed in accordance with, the laws as specified in the Terms of Service.

8.4. Order of Precedence. In the event of any conflict between this DPA and any data protection provisions in other agreements between the Parties relating to the Services, the terms of this DPA will prevail.

ANNEX 1 - Details of the Processing

Annex I(A) - LIST OF PARTIES

Data Exporter
Name of the data exporter: The entity identified as the “Customer” in the Terms of Service and this DPA
Contact person’s name, position and contact details: The address and contact details associated with Customer’s Account, or as otherwise specified in this DPA or the Terms of Service
Activities relevant to the data transferred: The activities specified in Annex 1(B) below
Signature and date: as set out in the Customer’s Account
Role (Controller/Processor): Controller or Processor

Data Importer
Name of the data importer: Nebius Israel Ltd.
Contact person’s name, position and contact details: Marina Benassi, Global Data Protection Officer, privacy@nebius.com
Activities relevant to the data transferred: The activities specified in Annex 1.B below
Signature and date: as set out in the main agreement
Role (Controller/Processor): Processor

ANNEX I(B): DESCRIPTION OF THE PROCESSING / TRANSFER

Categories of data subjects whose personal data is transferred: Customer’s employees, contractors, and any other individuals whose Personal Data is processed by the Customer at its sole discretion in connection with the Services, including individuals added by the Controller to the federated account; as well as other individuals whose Personal Data is contained in Customer Content.
Categories of personal data transferred:
  • Personal Data processed in the course of the Services as Customer Content
  • Personal data necessary for registration, authentication and use of the Services, including:
    • Names and contact details (e.g. email address, telephone number)
    • Job position and company affiliation
    • Technical identifiers (e.g. IP addresses, device IDs, user IDs)
Sensitive data transferred (if appropriate): Subject to any applicable restrictions and/or conditions in the Terms of Services and this DPA, Customer may include Sensitive personal data or similarly personal data (as described or defined in Applicable Data Protection Laws, i.e. special categories of personal data) in Customer Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Customer Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed for the purposes of uniquely identifying a natural person, data concerning health and/or data concerning a natural person’s sex life or sexual orientation.
Frequency of the transfer: Continuous basis depending on the use of the Services by Customer.
Nature, subject matter and duration of the processing:
Nature: Nebius provides cloud- and related services, as further described in the Terms of Service.
Subject Matter: Customer Personal Data.
Duration: The duration of the processing will be for the term of the Terms of Service.
Purpose(s) of the data transfer and further processing:
  • Performing the Services in accordance with the Terms of Service and this DPA, including processing Customer requests and providing customer support;
  • Engaging in service-related communications, such as notifications, updates, and responses to inquiries necessary for the delivery and maintenance of the Services;
  • Acting on the Customer’s written instructions in line with the Terms of Service;
  • Complying with applicable laws, regulations, and the provisions of this DPA.
Sub-processor transfers: In relation to transfers to Sub-processors, the subject matter and nature of the processing are specified in the list of Sub-processors (accessible at the link - https://docs.nebius.com/legal/sub-processors). The duration of the processing by Sub-processors will be the same as the duration of the Terms of Service, unless otherwise specified in the Terms of Service or this DPA.

ANNEX 1(C): COMPETENT SUPERVISORY AUTHORITY

To the extent applicable under the European Data Protection Laws, the Parties agree that the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) shall be the relevant supervisory authority.

ANNEX 2 - Security and Organizational Measures

A. TECHNICAL AND ORGANISATIONAL MEASURES

The below provide a description of the technical and organizational measures, which shall be implemented by Nebius (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. Nebius shall guarantee to have/be:
  • the ability and technical capacity to ensure the ongoing security, confidentiality, integrity, availability and resilience of processing systems, networks and services. Data processor shall maintain network and physical security policies, procedures, and systems and shall perform network security and activities consistent with best practices in data processor’s industry but that, at a minimum, include but are not limited to: network firewall provisioning, intrusion detection, and regular (but in no event less frequently than annually) vulnerability assessments. In no event shall the foregoing as applied to the personal data of the data controller be any less stringent and protective than those applied by data processor to the protection of its own data and systems of a like or similar nature;
  • the ability and technical capacity to restore the availability and access to the personal data in a timely manner in the event of a physical or technical incident;
  • an adequate process for regularly monitoring, testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing;
  • adequate and current controls and preventive measures in place against access of unauthorized persons to data processing systems (physical access control), concretely the following measures are implemented with respect to Access Management: i) Need-to-Know basis, Least Privilege, Segregation of Duties (SoD). ii) Approval for each access request must be obtained through a verifiable process to confirm the necessity. Information systems must leverage a robust framework consisting of these processes: Identification, Authentication, Authorization, Accounting (logging);
  • proper and accurate controls in place for keeping personal data logically separate from data processed on behalf of any third party and / or for other purposes as well as proper controls regarding sharing of personal data within your organization and with third parties;
  • applying a level of encryption (at rest and in transit) and pseudonymisation of the personal data, appropriate to the risks and personal data processed;
  • ensuring that in the course of processing activities and after storage, personal data cannot be read, copied, modified or deleted without authorization (data access control);
  • envisaging and applying the necessary measures to ensure that the personal data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the target entities for any transfer of the personal data by means of data transmission facilities can be established and verified (data transfer control);
  • ensuring the establishment of logging and the deployment of an audit trail to document whether and by whom the personal data have been entered into, modified in, or removed from data processing systems (entry control);
  • maintaining and enforcing an information security policy and security incident management and continuity plans, consisting of, among others, the analysis performed in this respect and the risk management of personal data, a description of various responsibilities and organizational rules, description of how security incidents are managed, the measures that were introduced to keep the security system up-to-date after installation;
  • ensuring that information security is led by trained experts with the necessary competences. Moreover, ensuring that the staff is trained and obliged to confidentiality and aware and trained in data protection;
  • ensuring physical environment security, for instance by means of security and surveillance regarding building, premises, and installations where carriers of personal data and computer systems processing the data are positioned, as well as prevention, detection, and operating procedure in the case of fire, intrusion, and water damage;
  • ensuring that asset management process, policy, and procedures are in place (asset inventory is in place with annual reviews);
  • ensuring that human resources processes, policies, and procedures are in place (employee background checks prior to hiring where applicable, account disabling upon termination, annual security awareness trainings, etc.);
  • ensuring that antivirus protection/EDR is in place (as additional operational controls);
  • ensuring effective change management process, policy, and procedures are in place (changes are reviewed, tested and approved before deployed to production);
  • maintaining complete and up-to-date documentation proportionate to the risk profile of the processing operations, including, but not limited to, technical documentation of implemented security measures and other information necessary to demonstrate compliance with the requirements of this Annex; and
  • ensuring that the personal data is processed solely in accordance with the relevant controller’s instructions (control of instructions).
Security Breach Notification - In the event of a personal data breach or breach of any of data processor’s security obligations, data processor shall notify data controller of such an event without undue delay of discovery by telephone and e-mail at the following phone number and email address: privacy@nebius.com.

B. Assistance with Data Subject Requests

The below provide a description of the technical and organisational measures, which shall be implemented by Nebius in order to assist the data controller in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under the Applicable, and the scope and the extent of the assistance required. Nebius shall ensure to have/be:
  • the ability to effectively and promptly notify the data controller that it has received a request from a data subject to exercise its rights under the Applicable Data Protection Laws concerning the personal data of the data controller;
  • the ability, at its own cost and expense, to co-operate with the data controller as requested to enable the data controller to comply with exercise of rights by a data subject under the Applicable Data Protection Laws concerning the personal data of the data controller, and to comply with any assessment, inquiry, notice or investigation concerning the personal data of the data controller, which includes:
    • providing all data requested by the data controller within a reasonable timescale, which shall always be set by the data controller, but in any case not longer than 3 days, including full details and copies of the complaint, communication or request and any of the personal data of the data controller it holds in relation to a data subject;
    • where applicable, providing such assistance as is reasonably requested by the data controller to comply with the relevant request within the timescales prescribed by the Applicable Data Protection Laws; and
    • implementing any additional technical and organisational measures as may be reasonably required by the data controller to allow the data controller to respond effectively to relevant complaints, communications or requests.
  • the ability to assist the data controller in fulfilling the data controller’s obligation to respond to a request to exercise the rights of the data subject. In particular, Nebius undertakes to respond to requests for access to data, requests for rectification and erasure of data, requests for restriction of processing and requests to exercise the right to data portability.

Publication date: March 11, 2026
Effective date: March 11, 2026
Web address: https://docs.nebius.com/legal/dpa-il