Data Processing Agreement (DPA)
When a business customer uses OWL to process personal data, NDEVR acts as a processor on that customer's behalf. This page is a transparency template of the GDPR Article 28 terms that govern that relationship — what we process, the security we apply, the sub-processors involved, and how international transfers are handled.
1. Roles & subject matter
For personal data that a customer puts into OWL, the customer is the controller and NDEVR is the processor (or, where the customer is itself a processor, NDEVR is a sub-processor). NDEVR processes that data only to provide the OWL service — encrypted file storage and sync, sharing, messaging, and the associated account, licensing and billing features.
- Duration: for the term of the customer's use of OWL, plus the limited retention described in our privacy policy.
- Nature & purpose: storage, transmission, sharing, and processing of customer content and the associated metadata strictly to deliver the service the customer has configured.
- Types of data: account identifiers (e.g. usernames, email addresses), file and folder metadata (names, sizes, types, timestamps, sharing relationships), message metadata, billing/licensing metadata, and server logs (including IP addresses). The contents of files and messages are end-to-end encrypted (see below).
- Categories of data subjects: the customer's authorized users and any individuals whose personal data the customer chooses to store in OWL.
2. Processor obligations
Under this template, NDEVR commits to the Article 28(3) obligations:
| Obligation | How OWL meets it |
|---|---|
| Process only on documented instructions | We process customer personal data only to provide the service as configured by the customer, and as required by applicable law (we will notify the customer of such a legal requirement unless prohibited). |
| Confidentiality | Personnel authorized to process customer data are bound by confidentiality. |
| Security (Art. 32) | End-to-end AES-256 content encryption, authenticated AES-256-GCM key wrapping, P-256 ECIES, bcrypt-hashed credentials, pinned-root TLS, rate limiting and lockout, audit logging, and HTTP security headers. See cryptography and security overview. |
| Sub-processors | We use a defined list of sub-processors under written terms, with the customer's authorization and advance notice of changes. See sub-processors. |
| Assist with data-subject requests | We help the customer respond to access, deletion, correction, and portability requests, taking the zero-knowledge architecture into account. |
| Assist with security, breach & DPIA duties | We assist with the controller's obligations under Articles 32–36, including breach notification. |
| Breach notification | We notify the customer without undue delay after becoming aware of a personal-data breach affecting their data. |
| Deletion or return on termination | On termination, at the customer's choice, we delete or return customer personal data, subject to the retention described in the privacy policy. |
| Audit & information | We make available the information needed to demonstrate compliance and contribute to audits, as agreed in the executed DPA. |
3. Sub-processors
NDEVR engages the third-party providers listed on the sub-processor page — hosting (AWS Lightsail, US), payments (Stripe / PayPal, on their hosted pages), an optional AI provider, and user-initiated cloud import (Dropbox / OneDrive / Google Drive). Because OWL is end-to-end encrypted, sub-processors never receive readable file or message content. We give customers advance notice of new sub-processors so they can object.
4. International data transfers
OWL's servers are operated in the United States (see privacy policy §15). For personal data transferred from the EU/EEA, UK, or Switzerland, the intended transfer mechanism is the EU Standard Contractual Clauses (SCCs) (plus the UK Addendum / Swiss adaptations as applicable), supplemented by OWL's end-to-end encryption as a technical safeguard that keeps content unreadable in transit and at rest on our infrastructure.
5. How to request a signed DPA
If you need a signed Data Processing Agreement to evaluate or deploy OWL, contact privacy@ndevr.org. We will provide the current DPA for your counsel's review and execution.