1. Scope & Definitions
This Data Processing Agreement ("DPA") forms part of the NodeBreach Terms of Service between NodeBreach LLC ("NodeBreach", "Processor") and the customer organisation ("Customer", "Controller"). It governs the processing of personal data by NodeBreach on behalf of the Customer.
2. Roles of the Parties
Customer (Controller): Determines the purposes and means of processing personal data of its employees or end users (e.g. deciding to enrol staff in NodeBreach training, determining which user data is provided).
NodeBreach (Processor): Processes personal data only on the Customer's documented instructions for the purpose of providing the platform service. NodeBreach does not process the Customer's team member data for its own purposes.
Where NodeBreach processes data about the Customer's account administrators or billing contacts for its own service delivery purposes (e.g. sending invoices), it acts as an independent Controller. Refer to the Privacy Policy for those activities.
3. Processor Obligations
NodeBreach agrees to:
- Process personal data only on the Customer's documented instructions (as provided by use of the platform features), unless required to do so by UK/EU law
- Ensure that all NodeBreach personnel with access to Customer data are subject to appropriate confidentiality obligations
- Implement and maintain the technical and organisational security measures described in Section 5
- Not engage new sub-processors without prior notification to the Customer (30 days' notice via platform email or notification)
- Assist the Customer, at their reasonable request and cost, to comply with data subject access rights, breach notifications, and data protection impact assessments
- Delete or return Customer personal data at the end of the service relationship as described in Section 9
- Make available to the Customer all information necessary to demonstrate compliance with this DPA
4. Approved Sub-processors
NodeBreach currently uses the following sub-processors who may access Customer personal data. All sub-processors are bound by data processing agreements incorporating appropriate safeguards.
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Stripe Inc. | Payment processing | USA | SCCs (IDTA for UK) |
| Amazon Web Services / cloud provider | Infrastructure hosting | EU/EEA (primary) | Intra-EU / SCCs where applicable |
| Sentry | Error monitoring | USA | SCCs |
| Laravel Reverb / Pusher (if applicable) | Real-time WebSocket (battle events) | EU | SCCs / Adequacy |
NodeBreach will provide 30 days' advance notice of any changes to this sub-processor list via email to the Customer's account administrator. The Customer may object to a new sub-processor within 14 days; if NodeBreach cannot accommodate the objection, the Customer may terminate the agreement with a pro-rata refund for the unused subscription period.
5. Technical & Organisational Security Measures
NodeBreach implements the following measures to protect Customer personal data (Article 32 GDPR):
- All data in transit encrypted via TLS 1.2+. Database encryption at rest where available.
- Role-based access controls. Least-privilege principle applied to internal access.
- All user workloads run in isolated Docker containers with no cross-tenant network access.
- Bcrypt password hashing, 2FA support, session invalidation on logout.
- Privileged operations and data access events are logged.
- Dependencies and base images regularly reviewed and patched.
- Personnel with data access receive data protection training.
- Encrypted database backups with defined recovery objectives.
6. Personal Data Breach
In the event of a personal data breach affecting Customer data, NodeBreach will:
- Notify the Customer without undue delay and within 72 hours of becoming aware of the breach
- Provide a description of the nature of the breach, categories and approximate numbers of data subjects affected, likely consequences, and measures taken or proposed
- Take reasonable steps to mitigate and remedy the breach
- Cooperate with the Customer in complying with any ICO or supervisory authority notification obligations
Report a security concern immediately to security@nodebreach.com.
7. Data Subject Rights
Where NodeBreach receives a direct request from one of the Customer's end users exercising a data subject right (access, erasure, rectification, etc.), NodeBreach will promptly forward the request to the Customer, who is responsible for responding as Controller.
NodeBreach will assist the Customer, upon reasonable written request and at the Customer's cost, to comply with data subject rights requests and Data Protection Impact Assessments (DPIAs) where NodeBreach's involvement is required.
8. International Transfers
NodeBreach LLC is established in the United States. Where Customer personal data originating in the EEA, UK, or Switzerland is transferred to NodeBreach or its sub-processors, the parties rely on the following transfer mechanisms:
- EU Standard Contractual Clauses, Module Two (Controller-to-Processor) as approved by EU Commission Decision 2021/914, incorporated by reference into this DPA for transfers from Customer (EEA Controller) to NodeBreach (US Processor).
- UK International Data Transfer Addendum (IDTA) issued by the UK ICO, incorporated for UK transfers.
- Swiss Addendum where Swiss FADP applies.
- EU-US / UK-US / Swiss-US Data Privacy Framework (DPF) may be relied on where NodeBreach or a sub-processor is self-certified. Certification status is confirmed in writing on request.
A Transfer Impact Assessment (TIA) has been conducted by NodeBreach covering the above transfers. The parties agree to supplement the SCCs with appropriate technical measures including encryption in transit and at rest, access controls, and published transparency on government access requests. Signed copies of the applicable SCCs / IDTA are available on request from legal@nodebreach.com.
9. Deletion & Return of Data
Upon termination or expiry of the service agreement, NodeBreach will, at the Customer's election:
- Return: Provide a machine-readable export of Customer team data within 30 days of written request
- Delete: Securely delete all Customer personal data from active systems within 90 days of account termination
Backup copies may be retained for up to 90 days following deletion, after which they will be overwritten. Aggregated, anonymised analytics data that cannot be attributed to any individual may be retained indefinitely.
10. Audit Rights
NodeBreach will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA. Audit requests should be submitted in writing to legal@nodebreach.com with at least 30 days' notice. Audits are carried out at the Customer's expense and must not disrupt platform operations.
In lieu of on-site audits, NodeBreach will provide relevant security documentation, penetration test summaries, and ISO/SOC compliance documentation where available.
11. Duration
This DPA is effective from the date you first access the platform as a business or enterprise customer and remains in force for the duration of the service agreement. The obligations in Sections 5 and 9 survive termination for 90 days (the backup retention period).
12. How to Execute a Signed DPA
Enterprise customers requiring a countersigned physical or digital DPA for compliance purposes (e.g. for ISO 27001 audits or third-party vendor questionnaires) can request one:
By using the NodeBreach platform as a business or enterprise customer, you acknowledge and agree to the terms of this DPA as incorporated into the NodeBreach Terms of Service.