Last updated: March 3, 2026

Data Processing Agreement

GDPR Article 28 Data Processing Agreement between 3NV OÜ (Processor) and customers processing personal data on 3NV infrastructure.

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Controller") and 3NV OÜ ("Processor", "3NV") for the use of 3NV infrastructure services. It is entered into pursuant to Article 28 of the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).

By using 3NV services to process personal data, you agree to the terms of this DPA.

1. Definitions

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

"Personal Data", "Data Subject", "Processing", "Controller", and "Processor" have the meanings given in Article 4 of the GDPR.

"Services" means the cloud and bare-metal infrastructure services provided by 3NV under your subscription agreement.

"Sub-processor" means any third party engaged by 3NV to process Personal Data on your behalf.

2. Roles

You are the Data Controller — you determine the purposes and means of processing. 3NV is the Data Processor — we process Personal Data solely on your instructions, as provided through your use of the Services.

3. Details of Processing

Subject matterProvision of cloud and bare-metal infrastructure services
DurationFor the term of your active subscription
NatureStorage, hosting, and transmission of data on 3NV infrastructure
PurposeTo deliver the Services as described in your subscription
Categories of dataAs determined and controlled by you
Data subjectsAs determined by you — may include your employees, customers, or end users

3NV does not access, inspect, or use your data for any purpose other than operating the infrastructure as instructed.

4. Processor Obligations

3NV commits to the following obligations as your Data Processor:

4.1 Instructions

We will process Personal Data only on your documented instructions. If we believe an instruction violates GDPR or applicable law, we will inform you promptly.

4.2 Confidentiality

All personnel authorised to process Personal Data are bound by confidentiality obligations. Access to customer data is restricted to personnel who require it to operate and support the infrastructure.

4.3 Security

We implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. See Section 6 for details.

4.4 Sub-processors

We will not engage Sub-processors without informing you in advance. See Section 7 for our current Sub-processor list and notification process.

4.5 Data Subject Rights

We will assist you — insofar as reasonably possible given the nature of the Services — in responding to requests from Data Subjects exercising their rights under GDPR (Articles 15–22).

4.6 Compliance Assistance

We will assist you in meeting your obligations under Articles 32–36 of the GDPR, including security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.

4.7 Deletion and Return

Upon termination of your subscription, we will delete or return all Personal Data in accordance with your instructions and our data retention policy, unless retention is required by applicable law.

4.8 Audit Rights

We will make available to you all information necessary to demonstrate compliance with this DPA and will permit and contribute to audits conducted by you or a mandated auditor, subject to reasonable notice and confidentiality obligations. In most cases, we can satisfy audit requirements through documentation rather than on-site inspection.

5. Your Obligations as Controller

You represent and warrant that:

  • You have a lawful basis for any Personal Data you process using the Services
  • You have provided appropriate notices to Data Subjects where required
  • You are responsible for configuring the Services in accordance with GDPR requirements
  • You will not use the Services to process special categories of data (Article 9) without implementing appropriate additional safeguards

6. Security Measures

3NV implements and maintains the following technical and organisational security measures:

Infrastructure Security

  • Greenergy Data Centers, Hüüru, Estonia — Tier-3 certified facility
  • Physical access controls: biometric authentication, 24/7 CCTV monitoring, staffed security
  • Redundant power and cooling systems

Network Security

  • Always-on DDoS mitigation
  • Network-level firewalling and traffic isolation
  • VLAN-based private network separation between customers

Access Controls

  • Strict internal access controls — customer data is accessible only to authorised personnel for support purposes
  • Internal systems protected by multi-factor authentication

Data in Transit

  • Encrypted in transit using TLS 1.2 or higher for management interfaces
  • Customer responsibility for end-to-end encryption of application-layer data

Incident Response

  • 24/7 monitoring and alerting
  • Documented incident response procedures

7. Sub-processors

3NV uses a limited number of Sub-processors to support the delivery of Services (such as monitoring infrastructure and billing systems). These Sub-processors do not have access to your hosted data or workloads.

We will notify you of any intended additions or replacements to our Sub-processor list with at least 14 days' notice via email. If you object to a new Sub-processor on reasonable data protection grounds, you may notify us in writing and we will work with you to find an alternative or, if no alternative is available, allow you to terminate the affected Services without penalty.

For the current Sub-processor list, contact [email protected].

8. Data Transfers

All infrastructure and data processing under this DPA takes place in Estonia, within the European Union. No Personal Data is transferred to countries outside the EEA under this DPA.

3NV OÜ has no US parent company and is not subject to the US CLOUD Act.

9. Personal Data Breach Notification

In the event of a Personal Data breach affecting your data, 3NV will notify you without undue delay and within 72 hours of becoming aware of the breach. Notification will include, to the extent available:

  • Nature of the breach, including categories and approximate number of records affected
  • Contact details of our Data Protection contact
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

You are responsible for notifying the relevant supervisory authority and affected Data Subjects where required by GDPR.

10. Governing Law and Supervisory Authority

This DPA is governed by the laws of Estonia and the European Union. The competent supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

11. Contact

For data protection enquiries: [email protected]

For general support: [email protected]

3NV OÜ · Tornimäe tn 5, 10145 Tallinn, Estonia · Reg. no. 17032725