Template pending legal review. This agreement text has not yet been reviewed by a solicitor and is not yet execution-ready. It is published so you can see exactly what you will be asked to sign; the final version may differ in detail.

How this works

Every Node customer gets a UK GDPR Article 28 data processing agreement as standard: it is listed in what every plan includes and underpins the UK data residency commitment of the Node Platform. Rather than making you email us for a copy, you can complete one here. Fill in your company details below and the agreement is populated in place, ready to print or save as a PDF.

Your details never leave your browser. This page has no backend and sends no form data anywhere: the fields below update the document on this page and nothing else. Reload the page and they are gone. That is deliberate — a document generator for confidentiality paperwork should not itself be collecting your data.

Your company details

The printed document contains only the agreement, not this page.

The agreement

UK GDPR — Article 28

Data Processing Agreement

between [Customer company name] (the “Controller”) and Node Digital Ltd (the “Processor”)

Dated [date]

1. Parties

  1. [Customer company name], a company registered in England and Wales with company number [company number], whose registered office is at [registered address] (the “Controller”); and
  2. Node Digital Ltd, a company registered in England and Wales with company number 14796571, VAT number GB 443 2934 95, ICO registration number ZA3436219, whose registered office is at Stone House, 2d Fulwood Park, Liverpool, L17 5AG, United Kingdom (the “Processor”).

2. Background and definitions

  1. The Processor provides managed hosting of open source business applications and a metered AI/API gateway to the Controller under a service agreement between the parties (the “Agreement”). In providing those services (the “Services”) the Processor processes personal data on the Controller's behalf.
  2. This Data Processing Agreement (“DPA”) is entered into pursuant to Article 28(3) of the UK GDPR and forms part of the Agreement. If this DPA conflicts with the Agreement in relation to the processing of personal data, this DPA prevails.
  3. “UK GDPR” means the retained EU Regulation 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, read together with the Data Protection Act 2018. “Data Protection Legislation” means the UK GDPR, the Data Protection Act 2018 and any other applicable law relating to the processing of personal data. “personal data”, “processing”, “data subject”, “personal data breach” and “supervisory authority” have the meanings given in the UK GDPR.
  4. “Controller Data” means personal data processed by the Processor on behalf of the Controller in connection with the Services, as described in Annex 1.

3. Subject matter, duration, nature and purpose

  1. The subject matter and duration of the processing, the nature and purpose of the processing, the types of personal data and the categories of data subjects are set out in Annex 1.
  2. The Processor shall process Controller Data for the duration of the Agreement and, to the extent described in clause 10 (deletion and return), for the retention period that follows cancellation or termination of a Service.

4. Controller obligations

  1. The Controller warrants that it has, and will maintain, a lawful basis for the processing of Controller Data and that its instructions to the Processor will comply with Data Protection Legislation.
  2. The Controller is responsible for the accuracy, quality and legality of Controller Data, the means by which it was acquired, and for providing any notices to, and obtaining any consents from, data subjects that Data Protection Legislation requires.
  3. The Controller shall configure and use the Services in a manner appropriate to the sensitivity of the Controller Data, including managing its own users, roles and application-level access rights within its tenant.

5. Processor obligations

The Processor shall:

  1. process Controller Data only on the documented instructions of the Controller (the Agreement, this DPA and the Controller's configuration and use of the Services constituting such instructions), including with regard to transfers of personal data outside the United Kingdom, unless required to do otherwise by law to which the Processor is subject, in which case the Processor shall inform the Controller of that legal requirement before processing unless that law prohibits it;
  2. immediately inform the Controller if, in its opinion, an instruction infringes Data Protection Legislation;
  3. ensure that all persons authorised to process Controller Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  4. implement and maintain the technical and organisational measures set out in Annex 3, and such further measures as are required by Article 32 of the UK GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing;
  5. taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests from data subjects exercising their rights under Chapter III of the UK GDPR;
  6. assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 of the UK GDPR (security, breach notification, data protection impact assessments and prior consultation), taking into account the nature of the processing and the information available to the Processor;
  7. make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR, and allow for and contribute to audits as set out in clause 11; and
  8. maintain a record of processing activities carried out on behalf of the Controller in accordance with Article 30(2) of the UK GDPR.

6. Sub-processors

  1. The Controller grants the Processor general written authorisation to engage the sub-processors listed in Annex 2 for the processing activities described there.
  2. The Processor shall inform the Controller of any intended addition or replacement of a sub-processor at least 14 days before the change takes effect, by email to the Controller's registered administrative contact and by updating the published sub-processor list, thereby giving the Controller the opportunity to object. If the Controller reasonably objects on data protection grounds and the parties cannot resolve the objection, the Controller may terminate the affected Service in accordance with the Agreement.
  3. Where the Processor engages a sub-processor, it shall do so under a written contract imposing data protection obligations on the sub-processor that are materially equivalent to those set out in this DPA. The Processor remains fully liable to the Controller for the performance of each sub-processor's obligations.
  4. AI gateway partner routing. Where the Controller elects to use partner-routed models on the Processor's AI gateway, prompt and completion content is processed by the model-hosting sub-processor identified for that model in the published model catalogue (see Annex 2, note A). Models labelled UK-hosted are processed solely on the Processor's own UK infrastructure and involve no third-party sub-processor.

7. International transfers

  1. The Services store Controller Data on infrastructure located in the United Kingdom by default.
  2. The Processor shall not transfer Controller Data outside the United Kingdom except (a) to the sub-processors and for the purposes identified in Annex 2, or (b) on the Controller's documented instructions (including the Controller's election to use partner-routed AI models), and in each case only where the transfer is protected by a transfer mechanism valid under Data Protection Legislation, such as an adequacy regulation, the UK International Data Transfer Agreement or Addendum, or the UK Extension to the EU-US Data Privacy Framework.

8. Security

  1. The Processor shall implement and maintain the technical and organisational measures set out in Annex 3.
  2. The Processor may update those measures from time to time, provided the update does not materially reduce the overall level of protection of Controller Data.

9. Personal data breach

  1. The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting Controller Data.
  2. The notification shall, so far as the information is available to the Processor, describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects. Information may be provided in phases as it becomes available.
  3. The Processor shall cooperate with the Controller and take such reasonable steps as the Controller directs to assist in the investigation, mitigation and remediation of the breach. The Processor shall not notify a supervisory authority or any data subject of a breach affecting Controller Data on the Controller's behalf unless the Controller instructs it to do so or the law requires it.

10. Deletion and return of Controller Data

  1. During the term of the Agreement the Controller can export Controller Data at any time: every application provided under the Services is open source and holds data in open, standard formats.
  2. On cancellation or termination of a Service, the Processor's default behaviour under the Agreement is to stop the application but retain the Controller's stored data as a chargeable retained-storage service, so that the Controller can export it or reinstate the Service. The retention terms and charges are those published in, or agreed under, the Agreement.
  3. At the choice of the Controller, made by written instruction at any time, the Processor shall delete or return all Controller Data and delete existing copies within 30 days of the instruction (or of the end of any agreed retention period), unless and to the extent that the law of England and Wales requires continued storage, in which case the Processor shall protect the retained data in accordance with this DPA and process it for no other purpose. Data in encrypted backups is deleted in the ordinary course of the backup rotation cycle described in Annex 3.
  4. On written request the Processor shall confirm in writing when deletion under this clause has completed.

11. Audit

  1. The Processor shall make available to the Controller, on written request, the information reasonably necessary to demonstrate compliance with Article 28 of the UK GDPR, including summaries of its security controls, policies and framework alignment.
  2. Where that information is not sufficient to demonstrate compliance, the Controller (or an independent auditor mandated by it, who is not a competitor of the Processor and is bound by confidentiality) may audit the Processor's compliance with this DPA no more than once in any 12-month period, on at least 30 days' written notice, during normal business hours, in a manner that does not disrupt the Processor's business or compromise the security or confidentiality of other customers' data. Each party bears its own costs of an audit. Nothing in this clause limits audits or inspections required by a supervisory authority or by law.

12. Liability, term and general

  1. Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
  2. This DPA takes effect on the date at its head and remains in force for as long as the Processor processes Controller Data under the Agreement.
  3. This DPA and any dispute or claim arising out of it are governed by the law of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales.

Annex 1 — Details of processing

Subject matter The provision of managed hosting of open source business applications and a metered AI/API gateway within the Controller's private tenant, as described in the Agreement.
Duration The term of the Agreement, plus any retained-storage period under clause 10.
Nature and purpose Hosting, storage, backup, transmission and display of Controller Data as required to operate the applications the Controller enables; identity and access management (single sign-on) for the Controller's users; processing of prompts and completions through the AI gateway where the Controller uses it; and related support, monitoring and maintenance.
Categories of data subjects The Controller's staff, contractors and other authorised users; and the individuals whose personal data the Controller and its users store or process in the applications, such as the Controller's customers, suppliers, prospects and contacts.
Types of personal data User account data (names, business email addresses, authentication records, activity logs); and the business data the Controller chooses to store or process in the applications, which may include contact details, correspondence, documents, financial and transactional records, and any other personal data the Controller submits. The Controller should not submit special category data unless the parties have agreed measures appropriate to it in writing.

Annex 2 — Authorised sub-processors

Sub-processor Processing activity Location / transfer safeguard
Cloudflare, Inc. Edge network, DNS and security for the Processor's public web properties, and hosting of the marketing website and customer portal front end. Global edge network (US parent). UK Extension to the EU-US Data Privacy Framework and/or UK IDTA/Addendum.
Amazon Web Services (Amazon SES) Transactional email delivery (for example sign-up, billing and service notifications). eu-west-2 (London, United Kingdom).
Stripe Payment processing and billing. Cardholder data is submitted directly to Stripe and is not stored by the Processor. EU/US entities. UK Extension to the EU-US Data Privacy Framework and/or UK IDTA/Addendum.

Note A — AI gateway partner routing. If, and only if, the Controller sends requests to a partner-routed model on the AI gateway, the prompt and completion content of those requests is processed by the model-hosting provider identified for that model in the published catalogue at node.uk/ai/models/, which forms part of this Annex for those requests. Each model's page states its hosting provider and processing location. Models labelled UK-hosted are excluded: they run on GPUs the Processor owns in its UK data centre and no third party processes that content.

Annex 3 — Technical and organisational security measures

  1. Tenant isolation. Each customer's Services run in a dedicated, logically isolated tenant: a private internal network with ring-fenced compute, memory and storage, enforced network policies and resource quotas. No other customer's workloads or users can reach the Controller's tenant.
  2. Encryption in transit. All traffic between users and the Services, and between the Processor's public endpoints, is encrypted with TLS. Certificates are managed and renewed automatically.
  3. Access control and single sign-on. Each tenant has its own identity realm on the Processor's managed identity platform. Access is enforced at the identity layer with role-based access control; multi-factor authentication is available and supported for directory federation. Removing a user revokes access to every application at once.
  4. Administrative access. Administrative access to the platform is restricted to the Processor's named engineers, authenticated through centralised identity, and logged. Generated credentials are stored in an access-controlled password manager, not in code or configuration repositories.
  5. Data residency. Controller Data is stored on hardware the Processor owns and operates in UK data centres, under UK jurisdiction, except as set out in Annex 2.
  6. Backups. Encrypted backups are taken on a scheduled basis and stored on separate storage infrastructure in the UK. Backups are rotated on a defined cycle and restoration is tested.
  7. Logging, monitoring and audit. Logs from the platform flow to central collection and a security information and event management (SIEM) platform. Sign-ins, permission changes and administrative actions are recorded and reviewable.
  8. Vulnerability and patch management. Security patching of the platform and managed applications is part of routine operations. Vulnerability detection and file integrity monitoring run across the estate.
  9. Security framework alignment. The Processor runs its information security programme to the structure of ISO/IEC 27001:2022 and maps its controls to NIST CSF 2.0, maintained as a living internal control register. (This describes framework alignment, not certification.)
  10. Personnel. Persons authorised to process Controller Data are bound by confidentiality obligations and limited to those who need access to operate the Services.

Execution

Signed for and on behalf of the Controller

[Customer company name]

Name: [signatory name]

Title: [signatory title]

Date: [date]

Signed for and on behalf of the Processor

Node Digital Ltd

Name:

Title:

Date:

Node Digital Ltd · Company no. 14796571 · VAT GB 443 2934 95 · ICO registration ZA3436219 · Stone House, 2d Fulwood Park, Liverpool L17 5AG

Template pending legal review — not yet execution-ready.

Questions?

If your DPO or legal team wants to discuss specific clauses, sub-processors or transfer mechanisms, talk to an engineer — the people who operate the platform answer these questions directly. The current sub-processor list is in Annex 2 above, and per-model AI hosting providers are listed in the model catalogue.