Data Processing Agreement

A template DPA between the Customer (controller) and N.T.J Technologies Limited (processor). Written in plain English, aligned with GDPR Art. 28. Business customers can sign this as-is or ask us to adapt it.

1. Parties

Each a "party" and together the "parties." This DPA supplements the main services agreement or Terms between the parties (the "Principal Agreement"). If there is a conflict on data protection matters, this DPA controls.

2. Scope and subject matter

This DPA governs N.T.J's processing of personal data on the Customer's behalf while providing the software and support services described in the Principal Agreement (the "Services"). The Customer is the controller of that personal data. N.T.J acts as the processor.

Each party will comply with the data protection laws that apply to it, including the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and the UK GDPR where applicable.

3. Duration

This DPA takes effect on the earlier of (a) the effective date signed below and (b) the date N.T.J first processes personal data under the Principal Agreement. It continues until N.T.J has returned or deleted the personal data as described in Section 11.

4. Nature and purpose of processing

N.T.J processes personal data only to deliver the Services — that is, to install, run, host, support, secure, back up, and maintain the software the Customer has purchased, and to comply with the Customer's documented instructions (including instructions given through the Services' normal use). N.T.J will not process the personal data for any other purpose, and will not sell it, share it with advertisers, or use it to train third-party models.

If N.T.J believes a Customer instruction breaches applicable data protection law, it will tell the Customer promptly.

5. Categories of data subjects and personal data

Data subjects — the Customer's employees, contractors, end users, and other individuals whose personal data the Customer chooses to process through the Services.

Categories of personal data — typically:

The Services are not intended for special categories of personal data (Art. 9 GDPR) unless separately agreed in writing.

6. Sub-processors

The Customer authorises N.T.J to use the sub-processors listed on our public sub-processor page in the Privacy notice. N.T.J will:

7. Confidentiality

N.T.J will ensure that personnel authorised to process the Customer's personal data are bound by a written confidentiality obligation or a statutory duty of confidentiality, and are only granted access on a need-to-know basis for the Services.

8. Security measures

N.T.J will maintain appropriate technical and organisational measures to protect personal data, taking into account the state of the art, cost of implementation, and the nature and risk of the processing (Art. 32 GDPR). At a minimum this includes:

N.T.J does not currently hold SOC 2 or ISO/IEC 27001 certification and does not claim to. Our measures are described honestly on our security page.

9. Data subject rights assistance

Taking into account the nature of the processing, N.T.J will assist the Customer with appropriate technical and organisational measures — insofar as possible — to respond to data subject requests to exercise their rights under GDPR (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making).

If N.T.J receives a request directly from a data subject that relates to the Customer's personal data, it will forward the request to the Customer without responding to the substance (unless legally required to do so).

10. Data breach notification

N.T.J will notify the Customer without undue delay, and in any event within 72 hours of confirming a personal data breach affecting the Customer's personal data. The notice will describe (as far as known at the time):

N.T.J will update the Customer as more information becomes available, and cooperate reasonably with the Customer's own notification obligations to supervisory authorities and data subjects.

11. Return or deletion on termination

On termination of the Principal Agreement, N.T.J will, at the Customer's choice, return or delete all personal data it processes for the Customer within 30 days, and delete existing copies — unless applicable law requires further storage, in which case N.T.J will describe what is retained, why, and for how long. Backups containing personal data will be overwritten or expired in the normal encrypted backup rotation, which may take up to 90 additional days after the 30-day return-or-deletion window. This retention window is mirrored in our Privacy Policy.

12. Audits

N.T.J will make available to the Customer the information reasonably necessary to demonstrate compliance with this DPA. On written request, and subject to reasonable confidentiality obligations, N.T.J will permit and contribute to audits — including inspections — conducted by the Customer or a mutually agreed independent auditor:

Each party bears its own costs unless the audit reveals material non-compliance by N.T.J, in which case N.T.J bears the reasonable audit costs.

13. International transfers

N.T.J is based in Hong Kong. Some sub-processors operate in the United States or the European Union. Where personal data of EU or UK data subjects is transferred to a country without an adequacy decision, the parties agree that the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, and the UK Addendum where UK data is involved) are incorporated by reference and will apply as the transfer mechanism, together with any additional safeguards required by applicable law.

For those SCCs:

14. Governing law

This DPA is governed by the laws of the Hong Kong Special Administrative Region, and disputes are subject to the exclusive jurisdiction of the Hong Kong courts — except where the Standard Contractual Clauses in Section 13 require otherwise for the specific transfers they cover.

15. Signatures

By signing below, each party confirms it has read, understood, and agreed to this DPA.

Customer (Controller)

Entity
Signed by
Title
Date
Signature

Processor

EntityN.T.J Technologies Limited
JurisdictionHong Kong SAR
Contactcontact@ntjtech.com
Signed by
Title
Date
Signature

This is a template. If you need edits — for example to name a specific EU representative, add jurisdiction-specific clauses, or align it with an existing MSA — email contact@ntjtech.com and we will work through it with you.

Last updated 11 July 2026.