\u0273Self
HomeMembershipCloudClawChatTaskDocs
GitHubGet Started

Product

  • Docs
  • Membership
  • Cloud
  • Changelog

Apps

  • ɳChat
  • ɳClaw
  • ɳTask

Community

  • GitHub
  • Discord
  • Blog

Legal

  • Privacy
  • Terms
ɳSelf

© 2026 ɳSelf. All rights reserved.

ɳSelfɳSELFCLI
DocsComparePricingChangelogBlogɳCloud
19★
# Data Processing Agreement (DPA)

**Version:** 1.0 (DRAFT) **Effective date:** May 15, 2026 **Last updated:** April 14, 2026

> **DRAFT NOTICE:** This document is a template pending review by outside legal counsel and DPO. Do not treat it as final legal advice. Do not countersign until counsel has approved.

This Data Processing Agreement ("DPA") forms part of the [Terms of Service](/legal/terms) ("Agreement") between nSelf, LLC ("Processor", "we", "us") and the entity or individual accepting the Agreement ("Controller", "you", "Customer").

---

1. Definitions

Terms not defined here have the meanings given in the GDPR (Regulation (EU) 2016/679) or the Agreement.

- **Personal Data** — any information relating to an identified or identifiable natural person - **Processing** — any operation performed on Personal Data - **Data Subject** — the identified or identifiable natural person - **Sub-processor** — a third party engaged by the Processor to process Personal Data - **SCCs** — Standard Contractual Clauses as approved by European Commission Implementing Decision (EU) 2021/914 - **IDTA** — UK International Data Transfer Agreement - **TOMs** — Technical and Organizational Measures

---

2. Scope and Roles

This DPA applies when nSelf processes Personal Data on behalf of the Customer through the hosted services (cloud.nself.org, task.nself.org, claw.nself.org, and related APIs).

- **Customer** is the Controller (determines purposes and means of processing) - **nSelf** is the Processor (processes data on Controller's documented instructions)

This DPA does not apply to self-hosted nSelf instances. If you run nSelf on your own infrastructure, you are the sole Controller and Processor.

---

3. Processing Details

| Element | Description | |---------|-------------| | **Subject matter** | Hosting and operating managed nSelf backend instances and applications | | **Duration** | For the term of the Agreement, plus any data return/deletion period | | **Nature and purpose** | Storage, retrieval, processing, and transmission of data as directed by the Controller through the nSelf API and hosted applications | | **Types of Personal Data** | As determined by the Controller: user profiles, application data, communications, AI conversation data, uploaded files, authentication credentials (hashed), billing metadata | | **Categories of Data Subjects** | End users of the Controller's applications, Controller's employees and contractors | | **Frequency of transfer** | Continuous, for the duration of the service |

---

4. Obligations of the Processor

nSelf shall:

1. **Process on instructions only** — Process Personal Data solely on the Controller's documented instructions, including transfers to third countries, unless required by EU or Member State law (in which case we will inform the Controller before processing, unless prohibited by law) 2. **Confidentiality** — Ensure that all persons authorized to process Personal Data have committed to confidentiality obligations or are under an appropriate statutory obligation of confidentiality 3. **Security** — Implement appropriate technical and organizational measures as described in Annex II (TOMs) 4. **Sub-processors** — Not engage a new sub-processor without providing the Controller 30 days' prior notice and the opportunity to object (see Section 6) 5. **Data subject rights** — Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) by providing technical measures and cooperation within reasonable timeframes 6. **Breach notification** — Notify the Controller of any Personal Data breach without undue delay and in any event within **72 hours** of becoming aware, including: (a) nature of the breach, (b) categories and approximate number of data subjects affected, (c) likely consequences, (d) measures taken or proposed to address the breach 7. **Data protection impact assessments** — Assist the Controller with DPIAs and prior consultations with supervisory authorities where required 8. **Audit rights** — Make available all information necessary to demonstrate compliance with this DPA and allow for audits and inspections by the Controller or a mandated auditor, subject to reasonable notice (at least 30 days), scope limitations, and confidentiality. Audits limited to once per year unless a breach has occurred. 9. **Return or deletion** — Upon termination of the Agreement, at the Controller's choice: return all Personal Data in a standard machine-readable format, or delete all Personal Data and existing copies (unless EU or Member State law requires continued storage). The Controller has 30 days after termination to make this choice. After 30 days, we delete all data per our retention schedule.

---

5. Security Measures (Summary)

Full technical and organizational measures are detailed in Annex II. Summary:

- **Encryption at rest:** AES-256 for all stored data - **Encryption in transit:** TLS 1.3 for all connections - **Access control:** Role-based access, principle of least privilege, MFA for infrastructure access - **Backups:** Automated daily encrypted backups, 35-day retention, tested restoration - **Network security:** Firewalled infrastructure, DDoS protection (Cloudflare), intrusion detection - **Physical security:** Hetzner data centers (ISO 27001 certified, Falkenstein, Germany) - **Monitoring:** Prometheus + Grafana + Loki for infrastructure, automated alerting - **Incident response:** Documented runbook, 72-hour breach notification SLA

---

6. Sub-Processors

### Current sub-processors

See our live [Sub-Processor List](/legal/subprocessors) for the current table of sub-processors, including entity name, processing purpose, data processed, location, and transfer mechanism.

### Notification of changes

We will notify the Controller by email at least **30 days** before adding or replacing a sub-processor. The notification will include the sub-processor's name, location, processing purpose, and transfer mechanism.

### Objection right

The Controller may object to a new sub-processor within 30 days of notification by emailing privacy@nself.org with a reasonable justification. If we cannot accommodate the objection, either party may terminate the affected services with 30 days' notice, and we will pro-rate any prepaid fees.

### Sub-processor obligations

We impose contractual obligations on each sub-processor that are no less protective than this DPA, including equivalent confidentiality, security, and data protection requirements.

---

7. International Data Transfers

### Primary processing location

All primary data processing occurs in the EU (Hetzner, Falkenstein, Germany).

### Transfers outside the EU/EEA

For sub-processors located outside the EU/EEA, we rely on:

- **Standard Contractual Clauses (SCCs)** — Module 2 (Controller to Processor) per Commission Implementing Decision (EU) 2021/914, attached as Annex III - **EU-US Data Privacy Framework (DPF)** certification where the sub-processor participates - **Supplementary measures** as required by the Schrems II decision, documented in our transfer impact assessments

### UK transfers

For transfers from the UK, we rely on the **UK International Data Transfer Agreement (IDTA)** or the **UK Addendum** to the EU SCCs, as published by the UK Information Commissioner's Office. See Annex IV.

### Swiss transfers

For transfers from Switzerland, we rely on the EU SCCs as recognized by the Swiss Federal Data Protection and Information Commissioner, with the modifications specified in Annex V.

---

8. Customer-Specific Regulatory Annex

For customers subject to sector-specific regulations (HIPAA, FERPA, SOX, PCI DSS, etc.), we provide a blank Customer Regulatory Annex. This annex allows the Customer to document their specific regulatory requirements, and we commit to supporting only those requirements that we can reasonably fulfill.

To request a Customer Regulatory Annex, email legal@nself.org with your organization name, applicable regulations, and specific requirements.

**Note:** nSelf is not currently HIPAA-certified. If you require a Business Associate Agreement (BAA), contact us to discuss feasibility before storing PHI on our hosted services.

---

9. Requesting a Signed DPA

To request a countersigned copy of this DPA:

1. Email legal@nself.org with your organization name and cloud.nself.org account email 2. We will send a DocuSign envelope with the DPA pre-signed on our side 3. You countersign and both parties receive a copy 4. Signed copies are retained for 10 years

Enterprise plan customers receive an auto-generated DPA envelope upon plan upgrade.

---

Annex I — Description of Transfer

### I.A — Parties

| Role | Entity | |------|--------| | **Controller (data exporter)** | [Customer name and address — to be completed per customer] | | **Processor (data importer)** | nSelf, LLC, [registered address], Delaware, USA |

**Contact for data protection:** privacy@nself.org

### I.B — Description of Transfer

| Element | Description | |---------|-------------| | **Categories of data subjects** | End users of Customer's applications, Customer's employees and contractors | | **Categories of personal data** | User profiles, application data, communications, authentication credentials (hashed), AI conversation data (if ɳClaw enabled), uploaded files, metadata | | **Sensitive data** | Only if Customer chooses to store it; not collected by default. No special category data is required by the Service | | **Frequency of transfer** | Continuous | | **Nature of processing** | Storage, retrieval, computation, transmission, deletion | | **Purpose** | Providing the hosted nSelf services as described in the Agreement | | **Retention** | Per the Agreement and Privacy Policy retention schedule; Controller may request earlier deletion |

### I.C — Competent Supervisory Authority

The supervisory authority of the EU Member State in which the Controller is established, or if the Controller is not established in the EU, the supervisory authority of the Member State where the Controller's EU representative is appointed.

---

Annex II — Technical and Organizational Measures (TOMs)

[Cross-reference: These measures align with P88 Block G security hardening requirements.]

| Category | Measures | |----------|---------| | **Access control** | Role-based access (Hasura permissions), principle of least privilege, MFA for all infrastructure access, SSH key-only server access, API key rotation | | **Encryption** | AES-256 at rest (full-disk encryption on Hetzner servers), TLS 1.3 in transit for all connections, bcrypt for password hashing | | **Network security** | Cloudflare WAF + DDoS protection, firewall rules (ufw), all services bound to 127.0.0.1 (external access via Nginx only), VPN for administrative access | | **Backup and recovery** | Automated daily encrypted backups, 35-day retention, periodic restoration testing, documented disaster recovery runbook | | **Monitoring and logging** | Prometheus + Grafana for metrics, Loki for logs, Tempo for traces, automated alerting via Alertmanager, 90-day log retention | | **Physical security** | Hetzner data centers: ISO 27001 certified, biometric access control, 24/7 security, redundant power and cooling | | **Employee measures** | Confidentiality agreements, security awareness training, access revocation on offboarding | | **Incident response** | Documented incident response plan, 72-hour breach notification SLA, post-incident review process | | **Vendor management** | Sub-processor due diligence, contractual data protection obligations, periodic review | | **Data minimization** | Collect only what is necessary, anonymize telemetry, hash credentials, no full PAN storage |

---

Annex III — Standard Contractual Clauses (EU SCCs Module 2)

The Standard Contractual Clauses adopted by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 are incorporated by reference, Module 2 (Controller to Processor).

The clauses are available in full at: [EUR-Lex Decision 2021/914](https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj)

For execution purposes, the SCCs are attached as a separate document to the signed DPA envelope.

**Selected options:**

| Clause | Selection | |--------|-----------| | Clause 7 (Docking clause) | Included | | Clause 9(a) (Sub-processor authorization) | Option 2: General written authorization with 30-day objection period | | Clause 11 (Redress) | Optional language NOT included | | Clause 17 (Governing law) | Laws of Ireland | | Clause 18 (Forum) | Courts of Ireland |

---

Annex IV — UK International Data Transfer Agreement / UK Addendum

For transfers of Personal Data from the United Kingdom, the parties agree to the UK Addendum to the EU SCCs as published by the UK Information Commissioner's Office, or alternatively the full UK IDTA.

The UK Addendum / IDTA is attached as a separate document to the signed DPA envelope for UK-based customers.

**Key terms:**

| Element | Value | |---------|-------| | Start date | Effective date of the DPA | | Parties | As per Annex I.A | | UK laws that apply | UK GDPR and Data Protection Act 2018 | | Approved SCCs reference | EU SCCs Module 2 as set out in Annex III |

---

Annex V — Swiss Addendum

For transfers of Personal Data from Switzerland, the EU SCCs apply with the following modifications:

- References to "GDPR" include the Swiss Federal Act on Data Protection (FADP/nDSG) - The competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC) - References to "Member State" include Switzerland - The term "EU" includes Switzerland for purposes of these clauses

---

Sub-Processor Transfer Mechanisms

| Sub-processor | Location | Transfer mechanism | |--------------|----------|-------------------| | Hetzner Online GmbH | Germany | Intra-EEA (no transfer mechanism needed) | | Vercel Inc. | USA + global edge | SCCs Module 2 | | Cloudflare Inc. | USA + global edge | SCCs Module 2 + DPF | | Stripe Inc. | USA | SCCs Module 2 + DPF | | Elastic Email (Emaillabs) | Poland (EU) | Intra-EEA (no transfer mechanism needed) | | OpenAI, LLC | USA | SCCs Module 2 + zero-retention API | | Anthropic PBC | USA | SCCs Module 2 + zero-retention API | | Google Cloud (optional) | USA + EU | SCCs Module 2 + DPF | | Groq Inc. | USA | SCCs Module 2 |

For the current live sub-processor list, see [nself.org/legal/subprocessors](/legal/subprocessors).