---
title: "Neeto Data Processing Agreement (DPA)"
description: "Read Neeto Data Processing Agreement (DPA)."
canonical_url: "https://www.neeto.com/legal/data-processing-agreement"
markdown_url: "https://www.neeto.com/legal/data-processing-agreement.md"
---

# Neeto Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") is incorporated into, and is
subject to the terms and conditions of, the Agreement between Neeto LLC and the
customer entity that is a party to the Agreement. Capitalized terms used below
that are not otherwise defined have the meanings given to them in the
[Agreement](/legal/terms-of-service).

The parties have entered into an Agreement under which Neeto will process
certain Personal Data provided or made available by the Customer in the course
of providing Services to the Customer. The parties intend this DPA to be an
extension of the Agreement that will outline certain requirements for the
processing of such Personal Data. This DPA applies exclusively to Personal Data
provided or made available by the Customer to Neeto.

## 1. Scope

The parties agree that Customer is a data controller and that Neeto is a data
processor in relation to Personal Data that Neeto processes on behalf of
Customer in the course of providing the Services under the Agreement. The
subject matter of the data processing, the types of Personal Data processed, and
the categories of data subjects will be defined by, and/or limited to that
necessary to carry out the Services described in, the Agreement. The processing
will be carried out until the date Neeto ceases to provide the Services to
Customer. The subject matter, duration, nature, and purpose of the processing of
the Personal Data as well as the type of Personal Data and categories of data
subjects are:

- The subject matter of the data processing under this DPA is the Customer Data.

- The duration of the processing equals the term of the Agreement plus any
  limited post-termination period needed to return, delete, or retain Customer
  Personal Data as described in Section 2.6, unless otherwise requested by
  Customer in writing and agreed by Neeto.

- The nature and purposes of the processing under this DPA are the provision of
  the Services to the Customer and the performance of Neeto's obligations under
  the Agreement, including production monitoring and error reporting of
  Customer's platform and related services.

- The categories of the data subjects include (a) any employee or personnel of
  Customer accessing and/or using the Services through the Customer's account(s)
  ("Customer Users") and (b) any individual whose information is stored on or
  collected via the Services at Customer's direction ("Customer's Customers").

The categories of Personal Data include the following:

Customers: identification and contact data (name, email, address, contact
details); financial information (credit card details, account details, payment
information);

Customer's Customers: identification and contact data (name, email, contact
details), personal interests or preferences (including purchase history,
marketing preferences and publicly available social media profile information);
IT information (IP addresses, usage data, cookies data, online navigation data,
location data, browser data); financial information (credit card details,
account details, payment information); any other personal information as
configured by Customer.

## 2. Data Protection

In respect of Personal Data processed in the course of providing the Services,
Neeto shall adhere to the following requirements:

**2.1** Neeto will process the Personal Data only in accordance with the written
instructions from Customer (the Agreement and this DPA are hereby deemed to be
Customer's sole written instructions) and only in compliance with Data
Protection Legislation. The nature and purposes of the processing shall be
limited to that which is necessary to carry out such instructions, and not for
Neeto's own purposes, or for any other purposes except as required by law. If
Neeto is required by law to process the Personal Data for any other purpose,
Neeto will inform Customer of such requirement prior to the processing unless
prohibited by law from doing so.

**2.2** Neeto will process the Personal Data only to the extent, and in such
manner, as is necessary for the provision of the Services. Neeto may only
correct, delete or block the Personal Data processed on behalf of Customer as
and when instructed to do so by Customer.

**2.3** Neeto will implement and maintain appropriate technical and
organizational measures designed to protect the Personal Data against
unauthorized or unlawful processing and against accidental loss, destruction,
damage, theft, alteration or disclosure. These measures shall take into account
the state of the art, the costs of implementation, and the nature, scope,
context, and purposes of processing as well as the risk of varying likelihood
and severity for the rights and freedoms of natural persons. The measures shall
be appropriate to the harm which might result from any unauthorized or unlawful
processing, accidental loss, destruction, damage or theft of the Personal Data
and having regard to the nature of the Personal Data which is to be protected
and as a minimum shall be in accordance with the Data Protection Legislation and
Good Industry Practice. Customer can read Our
[Security Policy](/legal/security-policy) to learn more about the security
measures taken to protect the data.

**2.4** Neeto will take reasonable steps to ensure the reliability and
competence of any Neeto personnel who have access to the Personal Data, ensuring
in each case that access is strictly limited to those individuals who need to
access the relevant Personal Data, as strictly necessary. Neeto will ensure that
all Neeto personnel required to access the Personal Data are informed of the
confidential nature of the Personal Data and comply with the obligations set out
in this DPA. Neeto further ensures that all such individuals shall be under an
appropriate obligation of confidentiality.

**2.5** Neeto will take all reasonable steps to assist Customer in meeting
Customer's obligations under applicable Data Protection Legislation, including
Customer's obligations to respond to requests by data subjects to exercise their
rights with respect to Personal Data, adhere to data security obligations,
respond to data breaches and other incidents involving Personal Data, conduct
data protection impact assessments, and consult with supervisory authorities.
Neeto will promptly inform Customer in writing if it receives: (i) a request
from a data subject concerning any Personal Data; or (ii) a complaint,
communication, or request relating to Customer's obligations under Data
Protection Legislation.

**2.6** Neeto will not retain Personal Data for longer than is necessary to
provide the Services or comply with legal obligations. At the end of the
Services, or upon Customer's written request, Neeto will securely delete or
return (at Customer's election, where technically feasible) Personal Data unless
continued storage is required by law, permitted by the Agreement, or necessary
for security, fraud prevention, dispute resolution, financial records, or backup
retention. Unless a shorter period is required by law, agreed in writing, or
technically available through the Services, Neeto will delete Customer Personal
Data within 180 days after termination or deletion request.

**2.7** Neeto will allow Customer and its respective auditors or authorized
agents to conduct audits and inspections during the term of the Services
Agreement and for 12 months thereafter, which shall solely include, unless
otherwise expressly required by applicable law, providing access to summaries of
Neeto's data protection and data security measures and access to personnel used
by Neeto in connection with the provision of the Services for purposes of asking
questions regarding Neeto's data protection and data security measures. The
purposes of an audit pursuant to this paragraph include verifying that Neeto is
processing Personal Data in accordance with its obligations under this DPA, the
Services Agreement, and applicable Data Protection Legislation.

**2.8** If Neeto becomes aware of any accidental, unauthorized or unlawful
destruction, loss, alteration, or disclosure of, or access to the Personal Data
that is processed by Neeto in the course of providing the Services under the
Agreement,

a) it shall promptly and without undue delay, and where feasible within 72
hours of becoming aware, provide Customer with: a detailed description of the
Security Breach; the type of data
that was the subject of the Security Breach; the identity of each affected
person, and the steps Neeto takes in order to mitigate and remediate such
Security Breach, in each case as promptly as such information can be collected
or otherwise becomes available (as well as periodic updates to this information
and any other information Customer may reasonably request relating to the
Security Breach); and

b) take action promptly, at its own expense, to investigate the Security Breach
and to identify, prevent and mitigate the effects of the Security Breach and to
carry out appropriate recovery actions to remedy the Security Breach.

Neeto shall comply at all times with, and assist Customer in complying with its
applicable obligations under, Data Protection Legislation. Neeto shall provide
reasonable information requested by Customer to demonstrate compliance with the
obligations set out in this DPA.

Neeto will notify Customer immediately if, in Neeto's opinion, an instruction
for the processing of Personal Data given by Customer infringes applicable Data
Protection Legislation.

## 3. Sub-processing

Customer gives Neeto general written authorization to engage subprocessors in
connection with providing the Services. Neeto will not give access to or
transfer Customer Personal Data to any subprocessor except as described in this
DPA, the Agreement, and the [Subprocessors](/legal/subprocessors) page.
Customer hereby consents to Neeto's use of the listed subprocessors for purposes
of providing the Services.

Neeto has or shall enter into a written agreement with each subprocessor
containing data protection obligations not less protective than those in the
Agreement and/or this DPA with respect to protection of Customer Personal Data
to the extent applicable to the nature of the Services provided by such
subprocessor.

Neeto shall ensure that any subprocessor processing Customer Personal Data
outside the EEA, United Kingdom, or Switzerland is bound by an appropriate
transfer mechanism, such as the Standard Contractual Clauses, the UK
International Data Transfer Addendum or equivalent UK-approved mechanism where
applicable, or an adequacy decision from the relevant authority. Neeto shall
maintain an updated list of subprocessors, including their locations, and notify
Customer of intended additions or replacements by email, in-app notice, or
another reasonable proactive notice method before the change takes effect where
required by applicable Data Protection Legislation. Customers may object to a
new subprocessor within 30 days of notification on reasonable data protection
grounds.

Upon Customer's reasonable request, Neeto shall provide information sufficient
to demonstrate that subprocessors are bound by data protection obligations
substantially similar to those in this DPA. Customer acknowledges that
subprocessor agreements may contain confidential information or disclosure
restrictions. Where direct copies cannot be provided, Neeto may provide
summaries, redacted copies, or other reasonable evidence of compliance.

## 4. List of subprocessors

The Processor currently commissions these
[Subprocessors](https://neeto.com/legal/subprocessors).

## 5. International Data Transfer

Where Neeto transfers Customer Personal Data outside the European Economic Area
(EEA) to a country not recognized by the European Commission as providing an
adequate level of protection, Neeto shall ensure such transfers comply with GDPR
Article 46 by implementing the Standard Contractual Clauses (SCCs) as set forth
in Commission Implementing Decision (EU) 2021/914. Unless the parties agree
otherwise in writing, Module Two (controller-to-processor) applies to transfers
from Customer to Neeto, and Module Three (processor-to-processor) applies to
onward transfers from Neeto to subprocessors. The SCCs are incorporated into
this DPA by reference and apply to all transfers of Customer Personal Data to
Neeto or its subprocessors in third countries. Neeto shall provide a copy of the
applicable SCCs to Customer upon request.

Neeto shall conduct a Transfer Impact Assessment (TIA) for any transfer of
Customer Personal Data to a third country, in accordance with GDPR and EDPB
guidance. The TIA will evaluate the laws and practices of the third country and
implement supplementary measures, if necessary, to ensure an adequate level of
protection equivalent to that in the EEA. Neeto shall document TIAs and make
summaries available to the Customer upon request.

Upon termination of the Agreement or at Customer's written request, Neeto shall
delete or return Customer Personal Data, including data transferred to third
countries, in accordance with Section 2.6. Neeto shall ensure that subprocessors
comply with substantially similar deletion or return obligations.

## 6. Rights and Obligations of Customer with respect to Processing of Personal Data

Customer shall, in its use of the Services, at all times process Personal Data,
and provide instructions for the processing of Personal Data, in compliance with
the General Data Protection Regulation (Regulation (EU) 2016/679). Customer
shall ensure that its instructions comply with all laws, rules and regulations
applicable in relation to the Personal Data, and that the processing of Personal
Data in accordance with Customer's instructions will not cause Neeto to be in
breach of the GDPR. Customer is solely responsible for the accuracy, quality,
and legality of (i) the Personal Data provided to Neeto by or on behalf of
Customer, (ii) the means by which Customer acquired any such Personal Data, and
(iii) the instructions it provides to Neeto regarding the processing of such
Personal Data. Customer shall not provide or make available to Neeto any
Personal Data in violation of the Agreement or otherwise inappropriate for the
nature of the Services.

The Customer may audit Neeto's compliance with this DPA, including international
data transfer obligations, as described in Section 2.7.

## 7. Definitions

"**Data Protection Legislation**" means all applicable laws relating to privacy
and the processing of Personal Data that may exist in any relevant jurisdiction,
including, where applicable, the guidance and codes of practice issued by the
supervisory authorities. Data Protection Legislation includes, as applicable,
the General Data Protection Regulation (Regulation (EU) 2016/679), the UK GDPR,
the UK Data Protection Act 2018, the Swiss Federal Act on Data Protection, the
ePrivacy Directive 2002/58/EC and local implementing laws, the California
Consumer Privacy Act as amended by the California Privacy Rights Act, the
Brazilian Lei Geral de Proteção de Dados, and any legislation or regulation
that amends, replaces, re-enacts, or consolidates them.

"**Good Industry Practice**" means, in relation to any activity and under any
circumstance, exercising the same skill, expertise and judgement and using
facilities and resources of a similar quality as would be expected from a person
who: (a) is skilled and experienced in providing the services in question,
seeking in good faith to comply with his contractual obligations and seeking to
avoid liability arising under any duty of care that might reasonably apply; (b)
takes all proper and reasonable care and is diligent in performing his
obligations; and (c) complies with the Data Protection Legislation.

"**data controller**", "**data processor**", "**subprocessor**", "**data
subject**", "**processing**", and "**appropriate technical and organizational
measures**" shall be interpreted in accordance with applicable Data Protection
Legislation in the relevant jurisdiction.

