Last updated: April 8, 2026
NODEFOX DATA PROCESSING ADDENDUM
Version 1.0 | Effective Date: April 8, 2026 | Last Updated: April 8, 2026
Beta Status Notice: NodeFox is currently provided in beta. Features, behavior, documentation, and controls may change without notice. You must independently validate suitability for your use case and maintain your own safeguards.
© 2025–2026 NodeFox LLC. All rights reserved.
DATA PROCESSING ADDENDUM
THIS DATA PROCESSING ADDENDUM ("DPA" OR "ADDENDUM") IS ENTERED INTO BY AND BETWEEN:
NODEFOX LLC, a California limited liability company ("NodeFox," "Company," "Processor," "we," "us," or "our")
AND
THE CUSTOMER identified in the applicable Services Agreement or who otherwise accepts this DPA ("Customer," "Controller," "you," or "your")
(collectively, the "Parties").
IMPORTANT NOTICE
THIS DPA GOVERNS THE PROCESSING OF PERSONAL DATA BY NODEFOX ON BEHALF OF CUSTOMER IN CONNECTION WITH THE SERVICES. THIS DPA IS INCORPORATED INTO AND FORMS PART OF THE NODEFOX TERMS OF SERVICE AT HTTPS://WWW.NODEFOX.AI/LEGAL/TERMS (THE "TERMS OF SERVICE" OR "AGREEMENT").
BY USING THE SERVICES, CUSTOMER AGREES TO THIS DPA. IF CUSTOMER DOES NOT AGREE, CUSTOMER MAY NOT USE THE SERVICES. This DPA applies only when NodeFox Processes Customer Personal Data as Processor; otherwise the Privacy Policy applies.
THIS DPA REFLECTS THE PARTIES' AGREEMENT REGARDING THE PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH APPLICABLE DATA PROTECTION LAW, INCLUDING THE GDPR, UK GDPR, AND CCPA.
THE SERVICES ARE IN BETA. Beta status does not waive NodeFox's statutory Processor obligations under Applicable Data Protection Law; however, the data processing described herein is subject to the limitations and disclaimers in the Terms of Service. Customer should not process high-risk, highly sensitive, or regulated data through the beta Services. Nothing in this DPA expands support, SLA, or service commitments beyond the Terms of Service.
PART I: GENERAL TERMS
SECTION 1. DEFINITIONS
1.1 Capitalized terms not defined herein have the meanings in the Terms of Service.
1.2 Defined Terms.
"Affiliate" — any entity that directly or indirectly controls, is controlled by, or is under common control with a Party (more than 50% voting interest).
"Applicable Data Protection Law" — all laws relating to Processing of Personal Data that apply to Customer Personal Data under this DPA, including the GDPR, UK GDPR, UK DPA 2018, Swiss FADP, CCPA/CPRA, and any other applicable privacy laws.
"CCPA" — the California Consumer Privacy Act of 2018, as amended by CPRA, and implementing regulations.
"Confirmed Personal Data Breach" — a Personal Data Breach that NodeFox has determined, through reasonable investigation, meets the definition in Section 1.2 ("Personal Data Breach"). Preliminary alerts, unsuccessful access attempts, general availability incidents, and security scans that do not result in unauthorized access to Customer Personal Data do not constitute a Confirmed Personal Data Breach.
"Controller" — the entity determining the purposes and means of Processing.
"Customer Data" — all data submitted by Customer to the Services, including Workflow content, configurations, logs, inputs, and outputs.
"Customer Personal Data" — the subset of Customer Data that constitutes Personal Data and that NodeFox Processes on behalf of Customer as Processor.
"Data Subject" — an identified or identifiable natural person.
"Data Subject Request" — a request from a Data Subject to exercise rights under Applicable Data Protection Law.
"EEA" — the European Economic Area.
"GDPR" — Regulation (EU) 2016/679.
"Personal Data" — any information relating to an identified or identifiable natural person.
"Personal Data Breach" — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
"Processing" (and cognates) — any operation performed on Personal Data.
"Processor" — an entity that Processes Personal Data on behalf of the Controller.
"Restricted Transfer" — a transfer of Customer Personal Data from the EEA, UK, or Switzerland to a jurisdiction not subject to an adequacy decision.
"SCCs" — the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914.
"Security Incident" — any unauthorized or unlawful access to, or acquisition, alteration, use, disclosure, or destruction of Customer Personal Data, or any event reasonably likely to have resulted in such access or compromise.
"Sensitive Personal Information" — Special Categories of Personal Data under the GDPR and Sensitive Personal Information under the CCPA.
"Services" — the NodeFox platform, application, APIs, and related services provided under the Terms of Service.
"Services Agreement" — the Terms of Service and any Order Form or subscription agreement.
"Special Categories of Personal Data" — Personal Data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or sex life/sexual orientation data.
"Subprocessor" — any third party engaged by NodeFox to Process Customer Personal Data on behalf of Customer.
"Supervisory Authority" — an independent public authority established under Applicable Data Protection Law.
"Support Data" — logs, metadata, diagnostic information, and other data provided by Customer in connection with support requests.
"UK GDPR" — the GDPR as incorporated into UK law.
"Usage Data" — de-identified and aggregated telemetry, analytics, and operational data relating to Customer's use of the Services that does not include the substantive content of Workflows, prompts, Outputs, or User Secrets. Usage Data is excluded from Customer Personal Data.
"User Secrets" — API keys, OAuth tokens, credentials, private keys, certificates, and other secrets, whether stored in designated secrets features or embedded (intentionally or inadvertently) in Workflows, inputs, logs, configurations, payloads, or exports.
SECTION 2. SCOPE AND APPLICATION
2.1 This DPA applies to NodeFox's Processing of Customer Personal Data as Processor in connection with the Services.
2.2 This DPA applies where and only to the extent that: (a) NodeFox Processes Customer Personal Data as Processor; and (b) Applicable Data Protection Law applies to such Processing.
2.3 This DPA is incorporated into the Services Agreement. In the event of conflict with the Services Agreement regarding Processing of Customer Personal Data, this DPA controls. In the event of conflict between this DPA and the SCCs, the SCCs control.
2.4 Customer enters into this DPA on behalf of itself and its Affiliates. Customer is responsible for Affiliate compliance.
2.5 Third-Party AI Providers. This DPA does not apply to Processing by third-party AI providers that Customer integrates using Customer's own API keys (including through NodeFox's AI Suggest feature, which routes requests through Customer's own API keys to Customer's chosen provider). Such providers are not Subprocessors of NodeFox. They act as independent Controllers or Processors under their own terms. Customer is solely responsible for: (a) the lawful basis for transferring Personal Data to such providers; (b) providing required notices to Data Subjects; (c) compliance with provider terms and opt-out configurations; (d) implementing appropriate transfer mechanisms (SCCs, adequacy decisions, or other safeguards) for cross-border transfers to such providers; and (e) any Processing, retention, or training by such providers. NodeFox bears no liability under this DPA for any Security Incident, breach, or unlawful Processing by third-party AI providers accessed via Customer-provided credentials.
2.6 Managed AI. If NodeFox provides AI or model access using NodeFox's own credentials or infrastructure (rather than Customer-provided keys), such AI providers will be treated as Subprocessors and listed on the Subprocessor list.
2.7 Local Processing. This DPA governs hosted Processing by NodeFox. Processing occurring purely locally on Customer's device is governed by the EULA and Customer's own security posture. NodeFox cannot remotely access or delete Customer Personal Data stored in Customer's local browser storage, IndexedDB, local file system, or desktop Application data.
2.8 Beta. Customer acknowledges that during beta: (a) security controls may evolve; (b) compliance-support features (export, deletion, audit artifacts) may be incomplete or limited; and (c) the Services are not designed for high-risk, regulated, or sensitive datasets absent an Enterprise Agreement.
SECTION 3. RELATIONSHIP OF THE PARTIES
3.1 Roles. With respect to Customer Personal Data: (a) Customer is the Controller (or, where Customer acts on behalf of a third-party Controller, a Processor); (b) NodeFox is the Processor (or Subprocessor); and (c) NodeFox Processes Customer Personal Data in accordance with Customer's documented instructions.
3.2 Instructions Scope. Customer's documented instructions are: (a) this DPA; (b) the Services Agreement; and (c) Customer's in-product configurations. NodeFox is not obligated to implement custom instructions unless agreed in a signed Order Form.
3.3 Customer as Processor. Where Customer acts as Processor on behalf of a third-party Controller, Customer represents that it has obtained all necessary authorizations from the Controller to engage NodeFox as Subprocessor, has entered into a compliant DPA with the Controller, and that its instructions to NodeFox are consistent with the Controller's instructions.
3.4 NodeFox as Controller. NodeFox acts as an independent Controller with respect to: (a) Personal Data of Customer's representatives collected for account management, billing, and relationship purposes; and (b) Usage Data (de-identified/aggregated telemetry for security, abuse prevention, and operational purposes). Such Processing is governed by the Privacy Policy, not this DPA. For clarity, Customer Personal Data is not included in the Controller categories described in this Section. NodeFox does not "sell" or "share" Customer Personal Data and does not use it for cross-context behavioral advertising.
3.5 The Parties are not joint Controllers. NodeFox is not Customer's agent for responding to regulators or Data Subjects; assistance is limited and may be billable per Section 10.
SECTION 4. DETAILS OF PROCESSING
4.1 The subject matter is providing the Services under the Services Agreement.
4.2 Duration: the term of the Services Agreement plus any retention period under Section 15.
4.3 Nature and Purpose. Processing may include: hosting Workflows and configurations; executing Workflows; storing Customer Data; providing authentication and access control; enabling integrations; providing support if and as made available under the Services Agreement; processing execution logs, traces, and metadata generated by Workflows; and other Processing necessary for the Services.
4.4 Categories of Data Subjects. Customer's employees, contractors, agents; Customer's customers and end users; Customer's business contacts; and any other individuals whose Personal Data Customer submits. Customer determines the categories via its Workflow configurations.
4.5 Categories of Personal Data. Contact information; account/authentication data; professional information; technical identifiers (IP addresses, device IDs); usage metadata (timestamps, logs); content data in Workflows, inputs, and configurations; and any other Personal Data Customer submits. Customer is responsible for data minimization and for not placing Personal Data in Workflows, logs, or metadata fields unnecessarily.
4.6 Prohibited Data. Customer shall not submit Special Categories of Personal Data, Sensitive Personal Information (CCPA), children's data (under 18 or as defined by COPPA/UK Age Appropriate Design Code), PHI (HIPAA), GLBA-regulated financial data, or PCI cardholder data to the Services unless: (a) Customer has a lawful basis, all necessary consents, and appropriate safeguards; (b) the data type is expressly permitted under a signed Enterprise Agreement or BAA; and (c) NodeFox has agreed in writing. NodeFox is not a HIPAA Business Associate, does not process PHI absent a signed BAA, does not process GLBA data or PCI cardholder data absent express written agreement, and does not design the Services for such data categories.
4.7 Further details are in Annex I.
PART II: OBLIGATIONS
SECTION 5. CUSTOMER OBLIGATIONS
5.1 Customer shall comply with all Applicable Data Protection Law.
5.2 Customer shall ensure a valid lawful basis for Processing of Customer Personal Data by NodeFox, including any required consents.
5.3 Customer shall ensure Customer Personal Data is accurate and current as necessary.
5.4 Customer provides documented instructions per Section 3.2. Customer shall ensure instructions comply with Applicable Data Protection Law. Customer shall not instruct NodeFox to violate third-party provider terms, deploy unlawful monitoring or surveillance, or process Prohibited Data.
5.5 Customer shall provide all required notices to Data Subjects.
5.6 Customer is responsible for responding to Data Subject Requests (NodeFox assists per Section 10).
5.7 Customer is responsible for conducting required DPIAs or prior consultations.
5.8 Security. Customer shall implement appropriate security for its own systems, including securing account credentials, API keys, OAuth client secrets, refresh tokens, access tokens, webhook signing secrets, private keys, and all User Secrets.
5.9 Secrets Covenant. Customer shall not embed User Secrets in Workflow inputs, prompts, logs, node titles, configuration fields, exports, shared workspaces, or any location outside designated secrets storage features. Customer must rotate credentials immediately upon any exposure. NodeFox is not responsible for compromise arising from Customer embedding secrets outside designated features.
5.10 Misclassified Data. Customer shall not hardcode or embed Customer Personal Data in structural/metadata elements (Workflow titles, node descriptions, plaintext configuration fields). NodeFox has no liability for incidental telemetry logging or inadequate protection of Customer Personal Data that Customer places outside designated encrypted or data-bearing fields.
5.11 Sharing and Export. Customer is solely responsible for: sharing Workspaces, Workflows, logs, and exports; ensuring redaction of Personal Data and User Secrets before sharing; and obtaining consents for disclosures to collaborators or third parties.
5.12 Third-Party AI Providers. Customer is solely responsible for its integration with third-party AI providers (including providers accessed through AI Suggest), transfer of Personal Data to them, compliance with their terms, configuring opt-outs, and any Processing by them.
5.13 Prohibited Data. Customer shall not submit Personal Data obtained unlawfully, scraped without rights, or regulated datasets (HIPAA/GLBA/PCI) absent express written agreement per Section 4.6.
SECTION 6. NODEFOX OBLIGATIONS
6.1 NodeFox shall Process Customer Personal Data only per Customer's documented instructions, unless required by law (in which case NodeFox will inform Customer to the extent legally permitted and reasonably practicable before Processing).
6.2 The Services Agreement and this DPA constitute Customer's complete documented instructions. Additional instructions require separate written agreement. NodeFox may refuse or suspend Processing if instructions create excessive security risk, require material product changes, or are reasonably believed to be unlawful.
6.3 NodeFox shall Process Customer Personal Data only for providing the Services and as otherwise permitted under this DPA or required by law.
6.4 NodeFox shall ensure authorized personnel are bound by confidentiality obligations.
6.5 NodeFox shall implement and maintain appropriate technical and organizational security measures per Section 8.
6.6 NodeFox shall engage Subprocessors only per Section 9.
6.7 NodeFox shall provide reasonable assistance per Sections 10, 12, and 13, subject to availability of resources and information, technical feasibility, and applicable fees.
6.8 Upon termination, NodeFox shall handle Customer Personal Data per Section 15.
6.9 NodeFox shall make available audit information per Section 14.
6.10 No AI Training. NodeFox shall not use Customer Personal Data to train, fine-tune, or improve general-purpose AI/ML models. This applies to Customer Personal Data processed as Processor. Exceptions: (a) limited processing strictly necessary for security, abuse prevention, fraud detection, anomaly detection, and operational integrity; (b) de-identified/aggregated Usage Data (which is not Customer Personal Data); and (c) if NodeFox launches opt-in model improvement features, participation requires Customer's express written consent.
SECTION 7. CONFIDENTIALITY
7.1 NodeFox shall keep Customer Personal Data confidential and not disclose except: (a) to Subprocessors per Section 9; (b) as required by law; (c) as authorized by Customer; (d) as permitted under this DPA; or (e) as necessary for security investigations, abuse prevention, and operational integrity consistent with this DPA and the Privacy Policy.
7.2 NodeFox personnel with access to Customer Personal Data are informed of confidentiality requirements, receive appropriate training, and are bound by confidentiality obligations.
7.3 If compelled to disclose Customer Personal Data by law, NodeFox shall, to the extent legally permitted and reasonably practicable, provide notice to Customer to enable Customer to seek a protective order. NodeFox shall disclose only the minimum required and shall not be liable for delay where notice is prohibited by law.
SECTION 8. SECURITY MEASURES
8.1 NodeFox shall implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data, taking into account the nature, scope, context, and purposes of Processing, the beta status, the risks, the state of the art, and costs of implementation. No system is completely secure. NodeFox does not guarantee that measures will prevent all Security Incidents.
8.2 Security measures may include, as appropriate to the beta nature and scale of the Services: (a) access controls (authentication, role-based access, least privilege, access logging); (b) encryption of data at rest using industry-standard protocols; (c) network security measures; (d) physical security at facilities (as provided by infrastructure providers); (e) availability measures (backup and recovery where available); (f) incident response procedures; (g) secure development practices; and (h) vendor due diligence.
8.3 NodeFox may update security measures. Updates are not intended to materially reduce the overall level of protection, though changes may be required due to beta evolution, vendor changes, or the threat landscape.
8.4 Customer Configuration Risk. Security posture depends in part on Customer's configuration. NodeFox is not responsible for Customer's security posture where Customer configures public webhooks, permissive sharing settings, weak credentials, insecure Workflow design, or embeds secrets outside designated features.
8.5 Customer is responsible for security of its own systems, networks, and devices.
8.6 Further details are in Annex II. Annex II measures are illustrative and risk-based; specific measures may vary.
PART III: SUBPROCESSORS AND DATA SUBJECT RIGHTS
SECTION 9. SUBPROCESSORS
9.1 Customer provides general authorization for NodeFox to engage Subprocessors, subject to this Section.
9.2 The current Subprocessor list is at /legal/subprocessors and in Annex III. The online list controls for updates; Annex III is illustrative as of the Effective Date. Customer acknowledges the listed Subprocessors.
9.3 NodeFox shall enter written agreements with each Subprocessor imposing data protection obligations no less protective than this DPA.
9.4 NodeFox shall notify Customer of intended Subprocessor changes by updating the list. For Customers subscribed to notifications, NodeFox will provide email notification at least thirty (30) days before the new Subprocessor begins Processing, except that NodeFox may add or replace Subprocessors on shorter notice for security incidents, legal requirements, or to avoid service disruption (with notice as soon as practicable). Posting to the list constitutes notice; email is supplementary.
9.5 Objection. If Customer has a reasonable, documented objection to a new Subprocessor based on material, objective data protection risk, Customer shall notify NodeFox in writing within fourteen (14) days of notice. The Parties shall discuss in good faith. If no resolution is reached within thirty (30) days: (a) Customer's sole and exclusive remedy is termination of the affected Services; (b) fees are handled per the Services Agreement (no automatic refund entitlement arises from this DPA); and (c) because the Services operate on a multi-tenant architecture, NodeFox cannot accommodate customized subprocessor environments for individual Customers. If NodeFox cannot reasonably accommodate the objection without altering core platform architecture, NodeFox may terminate the affected Services without penalty or liability.
9.6 NodeFox shall be liable for Subprocessor acts per Section 17.
9.7 Third-party AI providers accessed via Customer's own API keys are not Subprocessors. See Section 2.5.
SECTION 10. DATA SUBJECT RIGHTS
10.1 Customer is responsible for responding to Data Subject Requests. NodeFox shall, taking into account the nature of Processing and to the extent reasonably possible, assist Customer through appropriate technical and organizational measures.
10.2 Self-Service First. The Services provide Customer with the ability to access, correct, delete, and export Customer Personal Data. Customer shall use self-service features first. NodeFox has no obligation to build custom tooling for Data Subject Requests.
10.3 Where self-service is insufficient, Customer may request assistance at privacy@nodefox.ai. Assistance is limited to data within the Services, subject to verification of requester authority, and subject to technical feasibility.
10.4 If NodeFox receives a Data Subject Request directly, NodeFox shall redirect the Data Subject to Customer unless otherwise required by law. If the requestor is a current or former authorized user of Customer (e.g., employee or contractor), NodeFox will only process requests affecting the Customer's shared Workspace upon explicit instruction from an authorized administrator. NodeFox does not mediate internal disputes between Customer and its users.
10.5 NodeFox may charge reasonable fees (at then-current rates, with pre-approval required) for assistance requiring significant manual effort beyond self-service, including exporting logs, reconstructing deletion history, or producing custom reports.
PART IV: DATA TRANSFERS
SECTION 11. DATA TRANSFERS
11.1 Customer Personal Data may be Processed in the United States and other countries where NodeFox or Subprocessors maintain facilities.
11.2 For Customer Personal Data originating from the EEA, UK, or Switzerland transferred to jurisdictions without an adequacy decision, NodeFox shall ensure appropriate safeguards: (a) SCCs; (b) EU-U.S. Data Privacy Framework, UK Extension, or Swiss-U.S. DPF (where applicable and certified); (c) binding corporate rules; or (d) other lawful mechanisms.
11.3 User-Directed Transfers. Customer acknowledges the Services enable dynamic routing. If Customer configures Workflows, webhooks, AI integrations, or API requests that transmit Customer Personal Data to external endpoints in jurisdictions lacking adequate protection, Customer is the Data Exporter and solely responsible for implementing SCCs, derogations, or other safeguards for such user-directed transfers. NodeFox acts as a technical conduit executing Customer's configured instructions.
11.4 SCCs are in Annex IV and Section 24.
11.5 NodeFox may conduct transfer impact assessments and implement supplementary measures as reasonably necessary, subject to feasibility and Customer cooperation. Assessments may be high-level and need not be shared where privileged or confidential.
11.6 See /legal for current Data Privacy Framework certification status.
11.7 NodeFox shall cooperate in good faith to implement alternative transfer mechanisms, subject to technical feasibility and at Customer's cost where custom work is required.
PART V: INCIDENTS AND ASSESSMENTS
SECTION 12. SECURITY INCIDENT NOTIFICATION
12.1 NodeFox shall notify Customer without undue delay after becoming aware of a Confirmed Personal Data Breach affecting Customer Personal Data.
12.2 Notification shall include, to the extent known: (a) nature of the breach (categories and approximate numbers of Data Subjects and records); (b) likely consequences; (c) measures taken or proposed; and (d) contact point. Information may be provided in phases.
12.3 Notification shall be sent to Customer's Account email or designated security contact. Customer must maintain a current security contact; NodeFox is not liable for delivery failures to outdated addresses.
12.4 Customer is responsible for: determining reportability to Supervisory Authorities or Data Subjects; making required notifications; and fulfilling other obligations under Applicable Data Protection Law.
12.5 NodeFox shall provide reasonable cooperation in investigating the breach and supporting Customer's notification obligations, subject to availability of information and resources, and subject to reasonable fees for significant effort (extended questionnaires, regulator-specific reports, bespoke incident documentation).
12.6 NodeFox's notification or response does not constitute an admission of fault or liability.
12.7 Exclusions. This Section 12 does not apply to: (a) incidents caused by Customer or Customer's users; (b) incidents affecting only data for which NodeFox is Controller; (c) incidents caused by Customer's insecure integrations, Workflow configurations, or third-party AI providers; or (d) unsuccessful access attempts, security scans, or availability incidents that do not result in unauthorized access to Customer Personal Data.
SECTION 13. DATA PROTECTION IMPACT ASSESSMENTS
13.1 NodeFox shall provide reasonable assistance to Customer in conducting DPIAs, limited to describing technical measures and the Services' processing characteristics. NodeFox does not provide legal advice. Assistance may be satisfied by providing existing documentation (security overviews, questionnaires, certifications where available). NodeFox has no obligation to complete custom legal assessments, draft bespoke compliance documentation, or analyze Customer's specific Workflow configurations.
13.2 Customer is solely responsible for determining whether a DPIA is required and conducting it.
13.3 NodeFox may charge reasonable fees (with pre-approval and rate disclosure) for material DPIA assistance effort.
SECTION 14. AUDITS
14.1 Upon written request, NodeFox shall make available information reasonably necessary to demonstrate compliance, which may include: (a) summaries of third-party audit reports (SOC 2 or similar, where available), subject to confidentiality; (b) responses to reasonable security questionnaires; and (c) other documentation. During beta, third-party audit reports may not be available; NodeFox may respond via questionnaires.
14.2 NodeFox may satisfy audit requests through third-party reports where available.
14.3 On-Site Audits. On-site audits are permitted only where required by Applicable Data Protection Law or a Supervisory Authority and where no alternative documentation reasonably satisfies the request. On-site audits shall be: (a) remote by default; (b) during business hours; (c) limited to DPA-relevant matters; (d) on at least thirty (30) days' notice; (e) no more than once per year absent legal/regulatory requirement; (f) conducted by Customer or an independent third-party auditor (reputable, not a competitor) bound by confidentiality acceptable to NodeFox; and (g) subject to NodeFox's security and confidentiality requirements. NodeFox may refuse on-site access that threatens other customers' security.
14.4 Customer bears all audit costs, including NodeFox's reasonable personnel time (at then-current rates, prepayment/deposit may be required).
14.5 Audit information is NodeFox Confidential Information.
14.6 Exclusions. Audits shall not: (a) require access to proprietary systems, source code, or trade secrets; (b) compromise Services security or other customers' data; (c) permit access to multi-tenant cloud infrastructure, underlying databases, or shared environments; (d) disrupt operations; (e) require disclosure of raw vulnerability findings, exploit details, or penetration test results; or (f) require disclosure of information prohibited by law or contract. CCPA Section 22 "reasonable steps" obligations are satisfied by the audit/attestation mechanisms in this Section 14.
PART VI: TERM, TERMINATION, AND LIABILITY
SECTION 15. RETURN AND DELETION
15.1 During the term, Customer may access, export, and delete Customer Personal Data via self-service features.
15.2 Upon Termination. Upon termination or expiration, Customer may, within thirty (30) days, elect in writing to: (a) receive Customer Personal Data in NodeFox's standard machine-readable export format (JSON or CSV as generated by native export tools; NodeFox has no obligation to reformat, transform, or map data to third-party schemas); or (b) have Customer Personal Data deleted.
15.3 Following Customer's election, NodeFox will delete or return Customer Personal Data within a commercially reasonable period, taking into account the Services' nature, beta status, technical limitations, and legal retention requirements. If no election is made within thirty (30) days, NodeFox may delete Customer Personal Data in the ordinary course.
15.4 Retention Exceptions. NodeFox may retain Customer Personal Data after termination to the extent: (a) required by law or legal process; (b) necessary to establish, exercise, or defend legal claims; (c) contained in backup systems (subject to eventual deletion per retention schedule); (d) necessary for NodeFox's legitimate Controller purposes (billing records); or (e) residing in Customer's local browser storage, IndexedDB, or local file system (which NodeFox cannot remotely access or delete).
15.5 Upon written request, NodeFox may provide confirmation of compliance with deletion requirements. Confirmation may be satisfied by officer attestation or automated confirmation; fees may apply for bespoke attestations.
15.6 NodeFox shall ensure Subprocessors delete or return data per Subprocessor agreements.
SECTION 16. TERM AND TERMINATION
16.1 This DPA remains effective for the duration of the Services Agreement and terminates automatically upon its expiration or termination.
16.2 Post-termination assistance (custom exports, bespoke deletion attestations) may be billable.
16.3 Survival. The following survive termination or expiration of this DPA: Definitions (Section 1), Confidentiality (Section 7), Security Incident Notification (Section 12, for post-termination discoveries), Audits (Section 14, for Processing during the term), Return and Deletion (Section 15), Liability (Section 17), and any provisions that by their nature should survive.
SECTION 17. LIABILITY
17.1 The limitations of liability in the Terms of Service apply to this DPA and are incorporated by reference. Where SCCs apply, SCC liability terms control to the extent of conflict.
17.2 Total aggregate NodeFox liability under this DPA shall not exceed the liability cap in the Terms of Service.
17.3 These limitations apply to claims under this DPA, including Personal Data Breach claims and data protection law violations, subject to the exceptions in the Terms of Service.
17.4 Regulatory Fines. Administrative fines, regulatory penalties, or statutory damages imposed on Customer by a Supervisory Authority or government body due to Customer's failure to comply with Applicable Data Protection Law are excluded damages under this DPA. NodeFox disclaims liability for such fines to the fullest extent permitted by law.
17.5 Customer is liable for damages arising from Customer's breach of this DPA, including failure to comply with Section 5 obligations, unlawful instructions, or lack of lawful basis.
17.6 NodeFox is liable for Subprocessor acts to the same extent as if performing directly, subject to the liability cap. Notwithstanding the foregoing, NodeFox shall not be liable for data loss, unavailability, or Security Incidents caused by catastrophic failures of foundational infrastructure Subprocessors entirely beyond NodeFox's reasonable control, provided NodeFox complied with its own configuration and security obligations.
17.7 To the fullest extent permitted by Applicable Data Protection Law, neither Party shall be liable for indirect, incidental, special, consequential, or exemplary damages arising under this DPA.
PART VII: GENERAL AND REGIONAL TERMS
SECTION 18. GENERAL PROVISIONS
18.1 This DPA and the Services Agreement constitute the entire agreement regarding Processing of Customer Personal Data.
18.2 Amendments. NodeFox may amend this DPA to reflect changes in law, regulation, or practices. For material changes, NodeFox will require clickwrap re-acceptance where feasible or provide advance notice; Customer may terminate before the effective date if it objects. Continued use after the effective date constitutes acceptance.
18.3 Severability: invalid provisions modified or severed; remainder continues.
18.4 Waiver: failure to enforce does not waive; waivers must be written.
18.5 Assignment. NodeFox may assign freely in connection with mergers, acquisitions, or asset sales. Customer may not assign without NodeFox's written consent. Unauthorized assignment is void.
18.6 Notices under this DPA to NodeFox: legal@nodefox.ai. Email notice effective upon receipt; Customer must maintain current contact information. NodeFox may route or decline to act on misdirected requests.
18.7 Governed by the Terms of Service governing law provisions; interpretation of data protection terms governed by Applicable Data Protection Law.
18.8 Precedence: DPA controls over Services Agreement for Customer Personal Data Processing. SCCs control over DPA where applicable.
18.9 No third-party beneficiaries except as provided in the SCCs.
SECTION 19. GDPR-SPECIFIC TERMS
19.1 Applies where the GDPR applies.
19.2 Customer is Controller; NodeFox is Processor. For Processor processing, Customer warrants lawful basis. For Controller processing under Section 3.4, NodeFox's legal bases are described in the Privacy Policy.
19.3 NodeFox shall Process per Articles 28 and 32–36 of the GDPR.
19.4 NodeFox maintains processing records per Article 30(2).
19.5 Data protection inquiries: dpo@nodefox.ai.
19.6 EU Representative. Pursuant to Article 27, NodeFox has appointed:
Euverify Ltd (Ireland), Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork T23 AT2P, Ireland. Email: gdpr@euverify.com
19.7 Customer may lodge complaints with the relevant Supervisory Authority: https://edpb.europa.eu/about-edpb/about-edpb/members_en
19.8 GDPR Request Portal. https://gdpr.euverify.com/verify/40de1847-966c-42c5-bc95-9ad6c91c3348 — Requests are logged and tracked to support compliance with applicable law.
SECTION 20. UK GDPR-SPECIFIC TERMS
20.1 Applies where UK GDPR applies.
20.2 Customer is Controller; NodeFox is Processor.
20.3 Processing per UK GDPR requirements corresponding to Articles 28 and 32–36.
20.4 UK Representative. Euverify Ltd (UK), 3rd Floor, 86-90 Paul Street, London EC2A 4NE, United Kingdom. Email: gdpr@euverify.com
20.5 UK Addendum to EU SCCs applies for UK transfers.
20.6 Supervisory Authority: UK ICO (https://ico.org.uk).
SECTION 21. SWISS DATA PROTECTION TERMS
21.1 Applies where Swiss FADP applies.
21.2 GDPR references interpreted as Swiss FADP equivalents.
21.3 Restricted Transfers from Switzerland use SCCs with Swiss-required modifications.
21.4 Supervisory Authority: Swiss FDPIC (https://www.edoeb.admin.ch).
SECTION 22. CCPA/CPRA-SPECIFIC TERMS
22.1 Applies where CCPA applies.
22.2 Customer is the "Business"; NodeFox is the "Service Provider."
22.3 NodeFox shall: (a) Process Customer Personal Data only for business purposes specified in the Services Agreement and this DPA, or as otherwise permitted by the CCPA (including for security incidents, fraud prevention, debugging, and account maintenance); (b) not sell or share Customer Personal Data; (c) not retain, use, or disclose Customer Personal Data for purposes other than providing the Services, including for commercial purposes other than providing the Services; (d) not retain, use, or disclose outside the direct business relationship; (e) not combine Customer Personal Data with information received from others or collected from its own consumer interactions, except as permitted by the CCPA; (f) notify Customer if it can no longer meet CCPA obligations; (g) allow Customer to take reasonable steps to ensure compliant use (satisfied by the audit mechanisms in Section 14); and (h) comply with applicable CCPA requirements.
22.4 Subcontractors processing Customer Personal Data agree to equivalent restrictions.
22.5 NodeFox certifies that it understands and will comply with the restrictions in this Section 22 to the extent applicable to Customer Personal Data processed as Service Provider.
22.6 NodeFox assists with verifiable consumer requests per Section 10.
SECTION 23. OTHER REGIONAL TERMS
23.1 Brazil (LGPD). Where LGPD applies, GDPR references include LGPD equivalents.
23.2 Canada (PIPEDA). Where PIPEDA or provincial law applies, NodeFox Processes per applicable requirements.
23.3 Australia. Where Australian Privacy Act/APPs apply, NodeFox Processes per applicable requirements.
23.4 Japan (APPI). Where APPI applies, NodeFox Processes per applicable requirements.
23.5 These regional terms do not create additional security, support, or service obligations beyond this DPA and the Terms of Service.
SECTION 24. STANDARD CONTRACTUAL CLAUSES
24.1 Where SCCs are required for Restricted Transfers, they are incorporated by reference.
24.2 EU SCCs. For EEA transfers: (a) Module 2 (Controller to Processor) where Customer is Controller; (b) Module 3 (Processor to Processor) where Customer is Processor; (c) Clause 7 optional docking clause does not apply; (d) Clause 9 Option 2 (general authorization), notice per Section 9.4; (e) Clause 11 optional language does not apply; (f) Clause 17 Option 1, governed by Irish law; (g) Clause 18, disputes in Irish courts; (h–l) Annexes completed per this DPA's Annexes.
24.3 UK Addendum. UK Addendum to EU SCCs applies for UK transfers, completed per this DPA. Table 4: neither Party may end the UK Addendum per Section 19 thereof.
24.4 Swiss SCCs. EU SCCs with Swiss-required modifications (FADP references, Switzerland included, Swiss FDPIC as supervisory authority).
24.5 SCCs prevail over this DPA to the extent of conflict. Annex I/II of this DPA satisfy SCC Annex I/II requirements.
24.6 The Parties shall execute SCCs and UK Addendum as separate documents upon request, to the extent required for compliance and subject to verification that execution is required.
SECTION 25. CONTACT
| Purpose | Contact |
|---|---|
| Data Protection | privacy@nodefox.ai |
| DPO | dpo@nodefox.ai |
| Legal | legal@nodefox.ai |
| Security | security@nodefox.ai |
| Subprocessor Notifications | legal@nodefox.ai |
Mailing Address: NodeFox LLC, PO Box 1667, Ross, CA 94957, United States
EU Representative: Euverify Ltd (Ireland), Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork T23 AT2P, Ireland. gdpr@euverify.com
UK Representative: Euverify Ltd (UK), 3rd Floor, 86-90 Paul Street, London EC2A 4NE, United Kingdom. gdpr@euverify.com
GDPR Portal: https://gdpr.euverify.com/verify/40de1847-966c-42c5-bc95-9ad6c91c3348
ANNEXES
ANNEX I: DESCRIPTION OF PROCESSING
A. List of Parties
| Field | Data Exporter (Controller) | Data Importer (Processor) |
|---|---|---|
| Name | Customer per Services Agreement | NodeFox LLC |
| Address | Per Services Agreement | PO Box 1667, Ross, CA 94957, US |
| Contact | Customer's designated contact | dpo@nodefox.ai |
| Activities | Use of NodeFox Services | Provision of NodeFox Services |
| Role | Controller (or Processor) | Processor (or Sub-processor) |
B. Description of Transfer
Data Subjects: Customer's employees, contractors, agents; Customer's customers and end users; Customer's business contacts; others whose data Customer submits. Categories determined by Customer via Workflow configurations.
Personal Data: Contact information; account/authentication data; professional information; technical identifiers; usage metadata; execution logs and traces; content data in Workflows/inputs; any other data Customer submits.
Sensitive Data: Customer should not submit Special Categories, Sensitive Personal Information, children's data, PHI, GLBA data, or PCI data absent express written agreement per Section 4.6. If submitted, Customer bears full responsibility.
Frequency: Continuous during the Services.
Nature: Collection, storage, organization, retrieval, use, transmission, combination, restriction, erasure, destruction, and transient processing including backup/log generation.
Purpose: Providing the Services per the Services Agreement.
Duration: Services Agreement term plus retention per Section 15.
C. Competent Supervisory Authority
GDPR: Irish Data Protection Commission (or Customer's establishment authority). UK: ICO. Swiss: FDPIC.
ANNEX II: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
NodeFox implements the following categories of measures. These are illustrative, risk-based, and may vary by environment, beta status, and scale. They do not constitute warranties. Security posture depends in part on Customer's configuration (integrations, permissions, sharing, exported logs).
1. Access Controls. Authentication, role-based access, least privilege, access logging, credential storage.
2. Encryption. Industry-standard encryption at rest.
3. Network Security. Firewalls, intrusion detection, and related measures.
4. Physical Security. As provided by infrastructure providers (access controls, surveillance, environmental controls).
5. Availability. Backup and recovery capabilities where available.
6. Incident Response. Detection, response, documentation procedures.
7. Organizational. Confidentiality obligations, security training, vendor due diligence, security policies.
8. Secure Development. Code review, vulnerability testing, secure deployment where applicable.
9. Shared Responsibility. These measures do not protect against Customer misconfiguration, unsafe Workflows, credential leakage through Customer inputs/logs, or data Customer places outside designated encrypted fields.
ANNEX III: LIST OF SUBPROCESSORS
The current list is at /legal/subprocessors (which controls for updates). The following is illustrative as of the Effective Date:
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services, Inc. | Cloud infrastructure and hosting | United States |
| Vercel Inc. | Web hosting and delivery | United States |
| Supabase, Inc. | Database and authentication | United States |
| Stripe, Inc. | Payment processing | United States |
| Cloudflare, Inc. | Security and delivery | United States |
| Google LLC | Analytics and OAuth | United States |
| Resend, Inc. | Transactional email | United States |
Subscribe to change notifications: legal@nodefox.ai.
ANNEX IV: STANDARD CONTRACTUAL CLAUSES
EU SCCs: Incorporated by reference per Commission Implementing Decision (EU) 2021/914: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
UK Addendum: Incorporated by reference: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/
Annex I/II of this DPA satisfy the corresponding SCC Annex requirements. The Parties shall execute as separate documents upon request where required for compliance.
SIGNATURES
This DPA is effective as of the date Customer accepts the Terms of Service or begins using the Services.
FOR NODEFOX LLC:
By: ________________________________ Title: Authorized Representative Date: ________________________________
FOR CUSTOMER:
By accepting the Terms of Service or using the Services, Customer agrees to this DPA.
END OF DATA PROCESSING ADDENDUM
© 2025–2026 NodeFox LLC. All rights reserved.
NodeFox LLC | PO Box 1667, Ross, CA 94957, United States | https://www.nodefox.ai