Legal

Data Processing Agreement

Effective date

July 9, 2026

1. Parties and background

This Data Processing Agreement (“DPA”) is entered into between Notakey Latvia, SIA, unified registration number 40103993632, registered address Ganu iela 3 – 12, Riga, LV-1010, Latvia (“Notakey” or the “Processor”) and the customer identified in the applicable Order Form or subscription (“Customer” or the “Controller”). It forms part of, and is incorporated into, the Notakey Terms of Service (the “Agreement”).

This DPA applies where Notakey processes personal data on behalf of Customer in the course of providing the Services, within the meaning of Regulation (EU) 2016/679 (the “GDPR”). Terms such as “personal data”, “processing”, “controller”, “processor”, and “data subject” have the meanings given in the GDPR.

2. Subject matter, duration, nature and purpose

Subject matter: the provision of the Notakey authentication and transaction-signing Services (notakey.cloud or the Notakey Appliance, together with the Notakey mobile application) to Customer.

Duration: the term of the Agreement, plus the period until deletion or return of all Customer Personal Data under section 10.

Nature and purpose: hosting, transmitting, and processing authentication and transaction-approval data so that Customer’s authorized users can enroll devices, receive approval requests, and approve or decline authentication and signing operations.

Categories of data subjects: Customer’s employees, contractors, customers, members, or other end users whom Customer enrolls in the Services.

Types of personal data: user identifiers (such as username, email address, or phone number); enrollment verification data (such as one-time codes delivered by SMS or WhatsApp, directory or OpenID Connect assertions, or an administrator’s manual approval); device data (device model, operating system version, push-notification token, public key and device certificate); and authentication/approval activity (request metadata, approve/decline outcomes, timestamps, signatures). Private keys are generated and stored on end users’ devices and are never transmitted to or held by Notakey. No special categories of personal data (GDPR Article 9) are intended to be processed; biometric verification, where used, occurs entirely on the end user’s device and is not received by Notakey.

3. Roles and instructions

Customer is the controller and Notakey is the processor of Customer Personal Data. Notakey will process Customer Personal Data only on Customer’s documented instructions, including as set out in the Agreement, this DPA, and Customer’s configuration of the Services, unless processing is required by EU or Member State law to which Notakey is subject — in that case Notakey will inform Customer of the legal requirement before processing, unless the law prohibits it. Notakey will inform Customer if, in its opinion, an instruction infringes the GDPR.

4. Confidentiality

Notakey ensures that persons authorized to process Customer Personal Data are bound by contractual or statutory confidentiality obligations.

5. Security

Notakey implements and maintains appropriate technical and organizational measures to protect Customer Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as required by GDPR Article 32. The current measures are described in Annex 2. Notakey may update them from time to time, provided the overall level of protection is not reduced.

6. Subprocessors

Customer grants Notakey general authorization to engage the subprocessors listed in Annex 3. Notakey will notify Customer at least 30 days before adding or replacing a subprocessor; Customer may object on reasonable data protection grounds within that period, in which case the parties will work in good faith to find a solution and, failing that, Customer may terminate the affected Services. Notakey imposes data protection obligations on each subprocessor equivalent to those in this DPA and remains liable for their performance.

7. Assistance to Customer

Taking into account the nature of the processing, Notakey will assist Customer with appropriate technical and organizational measures, insofar as possible, in fulfilling Customer’s obligations to respond to data subject requests (GDPR Chapter III), and with Customer’s obligations under GDPR Articles 32–36 (security, breach notification, data protection impact assessments, and prior consultation), in each case at Customer’s reasonable request. If a data subject contacts Notakey directly about Customer’s use of the Services, Notakey will refer the request to Customer without undue delay.

8. Personal data breach notification

Notakey will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably available to Notakey to help Customer meet its own notification obligations under GDPR Articles 33 and 34, supplementing the notification as further information becomes available.

9. International transfers

Notakey processes Customer Personal Data in the European Economic Area. notakey.cloud is hosted on Oracle Cloud Infrastructure. Where a subprocessor processes personal data outside the EEA (see Annex 3), Notakey ensures an appropriate transfer safeguard is in place, such as the European Commission’s Standard Contractual Clauses or an adequacy decision (including the EU–US Data Privacy Framework, where the recipient is certified).

10. Deletion and return of data

Upon termination or expiry of the Services, Notakey will, at Customer’s choice, delete or return all Customer Personal Data and delete existing copies without undue delay, unless EU or Member State law requires further storage.

11. Audits

Notakey will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, subject to reasonable prior notice, at most once in any 12-month period unless a personal data breach or a supervisory authority requires otherwise, during normal business hours, and under confidentiality obligations. Notakey may first satisfy an audit request by providing existing audit reports or certifications where these reasonably address the scope of the request.

12. Liability and order of precedence

Each party’s liability under this DPA is subject to the limitations of liability in the Agreement. In case of conflict between this DPA and the Agreement regarding the processing of personal data, this DPA prevails.

Annex 1 — Details of processing

As set out in section 2 of this DPA (subject matter, duration, nature and purpose, categories of data subjects, and types of personal data).

Annex 2 — Technical and organizational measures

  • End-user private keys are generated and stored in device hardware-backed secure storage and never transmitted to or held by Notakey; each approval is cryptographically signed on the device.
  • Data in transit is encrypted using TLS.
  • Approval-request payloads are delivered to the device only after the user accepts the push notification; push providers (APNs/FCM) receive tokens, not request content.
  • Further details of Notakey’s technical and organizational measures are available to Customer on request at info@notakey.com.

Annex 3 — Authorized subprocessors

  • Oracle Cloud Infrastructure — hosting of notakey.cloud.
  • Apple Inc. (Apple Push Notification service) — delivery of push notifications to iOS devices.
  • Google LLC (Firebase Cloud Messaging) — delivery of push notifications to Android devices.
  • Functional Software, Inc. (Sentry) — application error and crash diagnostics.

Where Customer’s onboarding configuration uses SMS or WhatsApp delivery of one-time codes, the messaging delivery provider receives the end user’s phone number for delivery purposes. An up-to-date subprocessor list is available on request at info@notakey.com.