Who signs what
| Role | Entity | Typical controller/processor status |
|---|---|---|
| Customer | Your organization | Controller of buyers’ data you submit |
| Novatrade24 | Novatrade24 GmbH | Processor for customer-submitted data; controller for platform-internal data (logs, billing, infra) |
| Joint controllers | Both | For specific categories documented per-case (e.g. KYC review workflows where NT24 makes substantive decisions) |
Standard DPA content
The current template covers:
- Subject matter and duration. Scoped to the Integration API’s lifetime at your organization.
- Nature and purpose of processing. EU VAT compliance, cross-border transaction validation.
- Categories of personal data. See GDPR data categories.
- Categories of data subjects. Buyer contact persons, identity subjects of uploaded ID documents, transport drivers.
- Controller obligations. Your obligations as customer (lawful basis, providing accurate data, handling subject requests you receive).
- Processor obligations. NT24’s obligations (security measures, confidentiality, sub-processor management, breach notification, audit cooperation, data return/deletion at end of engagement).
- Sub-processors. Initial list (Hetzner, Stripe, iDenfy), approval mechanism for additions, objection rights.
- Security measures. Referenced to the technical documentation (see Security overview).
- Data transfers. EU-only; SCCs for any ancillary third-country flows.
- Audit rights. Customer’s right to audit and how it’s exercised (e.g. annual SOC 2 report sharing in lieu of on-site audit).
- Liability and indemnification. Per the master agreement.
- Term and termination. Aligned with the master agreement.
Technical enforcement
The signed DPA version is stored on your IntegrationOrganization:
- No DPA → 403. API requests are rejected with type: dpa-not-accepted if dpaAcceptedAt is null.
- Outdated DPA → 403 (after grace period). When we publish a new DPA version, we notify organization admins and set a grace window (typically 90 days) before enforcement. After the grace window, API calls against the old version return 403.
Inspect your DPA status
Signing process
- Reach out via our contact page to request the current DPA version.
- Legal review on your side.
- Both parties sign (typically DocuSign).
- NT24 records the signed version on your organization. GET /v1/me reflects acceptance immediately.
- API access unblocks.
Updating the DPA
New DPA versions are published when:
- Regulatory change requires updated language (e.g. EU-US adequacy decision changes).
- Sub-processor list changes materially.
- Platform scope changes (new data categories).
- Notice to organization admins on record (90+ days advance).
- Grace window during which old version remains enforced.
- Cutover: sign new version OR API calls start returning 403.
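The two gate rules from "Technical enforcement" and the notice, grace window and cutover sequence above, written out as one decision function. This is an added sketch, not Novatrade24's code: dpa_version, Release, Decision and the placeholder type for the outdated case are assumptions; only dpaAcceptedAt, dpa-not-accepted and the 90-day figure come from this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

GRACE = timedelta(days=90)  # "typically 90 days" per the page
OUTDATED_TYPE = "PLACEHOLDER-outdated-dpa"  # the page does not name this type

@dataclass(frozen=True)
class Org:
    dpaAcceptedAt: Optional[datetime]  # field named on the page
    dpa_version: Optional[str]         # assumed field name

@dataclass(frozen=True)
class Release:                         # assumed shape of a published DPA version
    version: str
    published_at: datetime

@dataclass(frozen=True)
class Decision:
    status: int
    type: Optional[str] = None
    grace_left: Optional[timedelta] = None  # set only while an old version is tolerated

def dpa_gate(org: Org, current: Release, now: datetime,
             grace: timedelta = GRACE) -> Decision:
    if now.tzinfo is None or current.published_at.tzinfo is None:
        raise ValueError("use timezone-aware timestamps")
    # Rule 1: no accepted DPA -> reject (fail closed on a null timestamp).
    if org.dpaAcceptedAt is None:
        return Decision(403, "dpa-not-accepted")
    if org.dpa_version == current.version:
        return Decision(200)
    # Rule 2: an older (or unrecorded) version passes only inside the grace window.
    deadline = current.published_at + grace
    if now < deadline:
        return Decision(200, grace_left=deadline - now)
    return Decision(403, OUTDATED_TYPE)

if __name__ == "__main__":
    pub = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed sample data
    cur = Release("2025-01", pub)
    old = Org(datetime(2024, 3, 1, tzinfo=timezone.utc), "2024-03")
    for day in (0, 89, 90):
        print(day, dpa_gate(old, cur, pub + timedelta(days=day)))
    print(dpa_gate(Org(None, None), cur, pub))
```

The grace_left value is what an integration would surface to organization admins so the cutover does not arrive as an unexplained 403.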
Sub-processor changes
Current sub-processors are listed in the DPA. Customer is notified before new sub-processors are added — typically a 30-day objection window. Unresolved objections may be grounds for termination per the master agreement.
Data return and deletion at termination
At end of engagement:
- Customer may request data export in a machine-readable format (JSON / CSV) for all data they submitted.
- After export confirmation, NT24 deletes customer-provided data subject to legal retention overrides (VAT records remain for the mandatory retention period, with access limited to compliance staff).
- Customer-provided data in backups expires per backup retention schedule (typically 90 days).
- A termination certificate is issued on completion.
Questions
- DPA text / negotiation: [email protected]
- Technical enforcement / API gate behavior: contact page
- Privacy / data-subject issues: [email protected]