Article 28 GDPR · Pre-signed · Finnish jurisdiction

Data Processing Agreement

Pre-signed Article 28 DPA covering NexusProMail's processing of customer data. Finnish jurisdiction clause, published sub-processor list, change-notice obligations. Request and receive within one working day.


Quick Answer

A Data Processing Agreement is the GDPR Article 28 contract that defines how a processor (NexusProMail) handles personal data on behalf of a controller (you). NexusProMail's DPA is pre-signed by Infotech Pioneers Oy, governed by Finnish law and EU regulations, and includes the published sub-processor list, technical and organisational measures, retention and breach-notification clauses required by GDPR. Email support@nexuspromail.com to receive the signed PDF within one working day.

What the DPA Covers

The DPA enumerates the eight categories of clauses GDPR Article 28(3) requires from any data processor agreement, plus the technical and organisational measures appendix required for DPIA reviews.

Subject matter and duration

What processing is covered, for how long, and the categories of data subjects and personal data involved.

Nature and purpose

Why NexusProMail processes the data — email delivery, suppression management, analytics, audit logging — strictly within the controller's instructions.

Controller obligations

Your responsibilities: lawful basis for processing, consent records where required, providing complete and accurate instructions, responding to data subjects.

Processor obligations

Our responsibilities under Article 28: process only on documented instructions, ensure confidentiality, implement security, assist the controller, sub-processor disclosure, delete or return data at end.

Sub-processor list + change notice

Current sub-processors enumerated. Change-notice period during which the controller can object or terminate before substantive sub-processor changes take effect.

Technical and organisational measures

Access controls, encryption, network segmentation, backup procedures, incident response, employee confidentiality, audit trails, physical security inherited from infrastructure providers.

Breach notification

NexusProMail notifies the controller of personal data breaches without undue delay per Article 33, with the minimum information GDPR requires and contact details for follow-up.

Audit rights

Controller right to audit the processor (within reason), satisfied by existing third-party audit reports and questionnaire-based reviews. Specific on-site audit terms negotiated for Enterprise customers.

Termination and data return

On termination, data is exported on request and deleted from primary systems within 30 days. Backup-cycle deletion follows the underlying cloud provider's retention period.

Why It's Pre-signed

Most ESPs treat DPA negotiation as a custom-quote activity — a weeks-long back-and-forth between procurement and the vendor's legal team for every customer. The reality is that 95% of DPA terms are standardised by GDPR Article 28 itself. There's very little room for substantive customisation without making the agreement weaker.

By pre-signing, we shift the procurement timeline from weeks to one working day. The customer reviews, sets their counterparty details, counter-signs and the agreement is in force. The actual GDPR protection is the same — better than the same, in fact, because the customer reviews a clean, lawyer-reviewed document instead of a Frankenstein of negotiated red-lines.

For customers with specific requirements — additional liability caps, bespoke jurisdiction clauses, custom audit-right wording — we discuss those on the Enterprise plan. Standard-plan customers occasionally have niche requests that fit within the existing DPA; we accommodate them where reasonable. The promise is “pre-signed and ready,” not “unmodifiable forever.”

Trust & Transparency

A DPA is only as good as the company's willingness to honour it. The DPA documents the rights; the supporting practices make them real.

Sub-processor list published

Always up-to-date at /subprocessors. Includes country of incorporation, role and applicable safeguards.

Change-notice clause

Substantive sub-processor changes are notified to all customers via the registered email. 30-day objection window before changes apply.

EU jurisdiction

Infotech Pioneers Oy is Finnish. Disputes resolved in Helsinki District Court. Outside US CLOUD Act and FISA Section 702 compulsion.

No surprise sub-processors

Sub-processor list is the authoritative source. We do not silently add third parties between disclosures.

Breach notification commitment

Without undue delay per Article 33. Minimum information required by GDPR. Direct contact channel for follow-up questions.

DSAR tooling built in

Locate, export and delete data by email address through the admin UI and API. The DPA documents the 30-day response window we operationalise.

DPA FAQ

What is a Data Processing Agreement?
A DPA is a written contract required under GDPR Article 28 between a data controller (the customer) and a data processor (NexusProMail). It defines the scope of processing, the controller's instructions, the security and confidentiality measures the processor must maintain, retention and deletion obligations, sub-processor disclosure rules, audit rights, and termination conditions. Without a signed DPA, the processor relationship is not GDPR-compliant — no matter how good the platform's security is.
Is the NexusProMail DPA already signed by your side?
Yes. The DPA is pre-signed by Infotech Pioneers Oy and ready to counter-sign by the customer. This removes weeks of legal back-and-forth from typical procurement reviews. You email support@nexuspromail.com, identify the contracting entity on your side, and the signed PDF arrives within one working day.
Which jurisdiction governs the DPA?
Finnish law and EU regulations. Disputes are resolved in Helsinki District Court unless both parties agree to arbitration. For customers whose own procurement contracts require the processor agreement to fall under EU jurisdiction, this is a clean fit. For customers requiring US jurisdiction we are not the right processor.
Does the DPA cover Standard Contractual Clauses?
The controller-processor relationship between you and NexusProMail does not require SCCs because both parties are inside the EU. SCCs apply to onward transfers when a sub-processor is outside the EU. The DPA addendum lists current sub-processors and notes which (if any) require SCCs, and includes the EU Commission's 2021/914 SCC text by reference for any future US-sub-processor scenarios.
What if your sub-processors change?
The DPA includes a change-notice clause. Before adding or substantively changing a sub-processor, NexusProMail notifies customers via the email address registered on the account. Customers have a defined objection window — typically 30 days — during which they can raise concerns or terminate the affected service line. The current sub-processor list is published at /subprocessors.
What technical and organisational measures are covered?
The DPA enumerates: access controls (role-based access, MFA on internal admin systems), encryption (TLS in transit, AES-256 at rest), pseudonymisation policies for analytics, network segmentation, backup and disaster recovery procedures, incident response and breach notification, employee confidentiality obligations, periodic security audits, and physical security controls inherited from the underlying cloud provider. The level of detail matches what most GDPR DPIA reviewers expect to see in the addendum.
How long do you keep customer data?
Active customer data is retained while the contract is in force. On termination, data is exported on request and deleted from primary systems within 30 days. Backups are subject to the underlying cloud provider's backup-cycle retention — typically 90 days — after which they cycle out automatically. Audit logs and operational metrics carry their own retention policies (12 and 36 months respectively) documented in the DPA appendix.
Can the DPA be customised?
Within standard scope (counterparty details, contracting entity, optional addenda for specific industries) — yes, no additional fee. For non-standard customisation (bespoke jurisdiction clauses, additional liability caps, custom audit-right wording) — possible on Enterprise plans with our legal team. Contact us before signup to discuss.
What happens during a Data Subject Access Request?
GDPR Articles 15-22 rights (access, rectification, erasure, restriction, portability, objection) are operationalised in the NexusProMail platform. The DPA documents the standard 30-day response window and the controller's responsibility to forward DSARs to us. For email-marketing data, the platform has built-in DSAR tooling that lets you locate, export and delete all data associated with an email address through the admin UI or API.

Request the signed DPA

Email support@nexuspromail.com with your contracting entity details. Signed PDF arrives within one working day. No commercial commitment required to request and review.


Or start a free account first and request the DPA from inside the platform.
