Data Processing Agreement
A template DPA between the Customer (controller) and N.T.J Technologies Limited (processor). Written in plain English, aligned with GDPR Art. 28. Business customers can sign this as-is or ask us to adapt it.
1. Parties
- Controller (Customer) — the legal entity named in the signature block below and identified in the underlying order form or written agreement (the "Customer").
- Processor — N.T.J Technologies Limited, a company incorporated in the Hong Kong Special Administrative Region, with contact address contact@ntjtech.com ("N.T.J").
Each a "party" and together the "parties." This DPA supplements the main services agreement or Terms between the parties (the "Principal Agreement"). If there is a conflict on data protection matters, this DPA controls.
2. Scope and subject matter
This DPA governs N.T.J's processing of personal data on the Customer's behalf while providing the software and support services described in the Principal Agreement (the "Services"). The Customer is the controller of that personal data. N.T.J acts as the processor.
Each party will comply with the data protection laws that apply to it, including the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and the UK GDPR where applicable.
3. Duration
This DPA takes effect on the earlier of (a) the effective date signed below and (b) the date N.T.J first processes personal data under the Principal Agreement. It continues until N.T.J has returned or deleted the personal data as described in Section 11.
4. Nature and purpose of processing
N.T.J processes personal data only to deliver the Services — that is, to install, run, host, support, secure, back up, and maintain the software the Customer has purchased, and to comply with the Customer's documented instructions (including instructions given through the Services' normal use). N.T.J will not process the personal data for any other purpose, and will not sell it, share it with advertisers, or use it to train third-party models.
If N.T.J believes a Customer instruction breaches applicable data protection law, it will tell the Customer promptly.
5. Categories of data subjects and personal data
Data subjects — the Customer's employees, contractors, end users, and other individuals whose personal data the Customer chooses to process through the Services.
Categories of personal data — typically:
- Identifiers (name, email, user ID, IP address).
- Account and profile data (role, organisation, preferences).
- Content the Customer or its users submit to the Services.
- Operational metadata (audit and reliability logs).
The Services are not intended for special categories of personal data (Art. 9 GDPR) unless separately agreed in writing.
6. Sub-processors
The Customer authorises N.T.J to use the sub-processors listed on our public sub-processor page in the Privacy notice. N.T.J will:
- Impose written data-protection terms on each sub-processor that are no less protective than this DPA.
- Remain liable to the Customer for the acts and omissions of its sub-processors.
- Give the Customer at least 30 days' notice before adding or replacing a sub-processor, giving the Customer a reasonable opportunity to object on legitimate data-protection grounds.
7. Confidentiality
N.T.J will ensure that personnel authorised to process the Customer's personal data are bound by a written confidentiality obligation or a statutory duty of confidentiality, and are only granted access on a need-to-know basis for the Services.
8. Security measures
N.T.J will maintain appropriate technical and organisational measures to protect personal data, taking into account the state of the art, cost of implementation, and the nature and risk of the processing (Art. 32 GDPR). At a minimum this includes:
- Encryption in transit — TLS (currently TLS 1.2 or higher) for all network traffic between the Customer's users, our services, and sub-processors.
- Backup encryption — encryption at rest for backups of Customer data.
- Access controls — role-based access, unique accounts per operator, and multi-factor authentication on production systems.
- Change and vulnerability management — code review, dependency updates, timely patching of known vulnerabilities.
- Logging and monitoring — audit logs for administrative access and security-relevant events.
- Backups and recovery — regular backups with tested restoration procedures.
- Personnel — background-appropriate screening, confidentiality obligations, and security training for staff with access to Customer data.
N.T.J does not currently hold SOC 2 or ISO/IEC 27001 certification and does not claim to. Our measures are described honestly on our security page.
9. Data subject rights assistance
Taking into account the nature of the processing, N.T.J will assist the Customer with appropriate technical and organisational measures — insofar as possible — to respond to data subject requests to exercise their rights under GDPR (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making).
If N.T.J receives a request directly from a data subject that relates to the Customer's personal data, it will forward the request to the Customer without responding to the substance (unless legally required to do so).
10. Data breach notification
N.T.J will notify the Customer without undue delay, and in any event within 72 hours of confirming a personal data breach affecting the Customer's personal data. The notice will describe (as far as known at the time):
- The nature of the breach.
- The categories and approximate number of data subjects and records affected.
- Likely consequences.
- Measures taken or proposed to address the breach and mitigate its effects.
- A named contact point for further information.
N.T.J will update the Customer as more information becomes available, and cooperate reasonably with the Customer's own notification obligations to supervisory authorities and data subjects.
11. Return or deletion on termination
On termination of the Principal Agreement, N.T.J will, at the Customer's choice, return or delete all personal data it processes for the Customer within 30 days, and delete existing copies — unless applicable law requires further storage, in which case N.T.J will describe what is retained, why, and for how long. Backups containing personal data will be overwritten or expired in the normal encrypted backup rotation, which may take up to 90 additional days after the 30-day return-or-deletion window. This retention window is mirrored in our Privacy Policy.
12. Audits
N.T.J will make available to the Customer the information reasonably necessary to demonstrate compliance with this DPA. On written request, and subject to reasonable confidentiality obligations, N.T.J will permit and contribute to audits — including inspections — conducted by the Customer or a mutually agreed independent auditor:
- No more than once per calendar year, except after a confirmed personal data breach or where required by a supervisory authority.
- On at least 30 days' written notice.
- During normal business hours, in a way that does not unreasonably interfere with N.T.J's operations.
Each party bears its own costs unless the audit reveals material non-compliance by N.T.J, in which case N.T.J bears the reasonable audit costs.
13. International transfers
N.T.J is based in Hong Kong. Some sub-processors operate in the United States or the European Union. Where personal data of EU or UK data subjects is transferred to a country without an adequacy decision, the parties agree that the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, and the UK Addendum where UK data is involved) are incorporated by reference and will apply as the transfer mechanism, together with any additional safeguards required by applicable law.
For those SCCs:
- Module 2 (controller to processor) applies where the Customer is the controller.
- The parties agree to Clause 7 (docking clause) and Option 2 on Clause 9(a) (general sub-processor authorisation with 30 days' notice). Where the SCCs permit a choice of governing law, the parties select the law of the Hong Kong Special Administrative Region, consistent with Section 14 of this DPA; where the SCCs require an EU member state law, the parties select the law of Ireland.
- Annex I (parties, data, categories) is taken from Sections 1, 4 and 5 of this DPA; Annex II (technical and organisational measures) is taken from Section 8; Annex III (sub-processors) is the list at /privacy.html.
14. Governing law
This DPA is governed by the laws of the Hong Kong Special Administrative Region, and disputes are subject to the exclusive jurisdiction of the Hong Kong courts — except where the Standard Contractual Clauses in Section 13 require otherwise for the specific transfers they cover.
15. Signatures
By signing below, each party confirms it has read, understood, and agreed to this DPA.
Customer (Controller)
Processor
This is a template. If you need edits — for example to name a specific EU representative, add jurisdiction-specific clauses, or align it with an existing MSA — email contact@ntjtech.com and we will work through it with you.
Last updated 11 July 2026.