
Data Processing Agreement

Version 1.2 — Effective April 19, 2026 — GDPR Article 28

Ready to sign?

We issue individual DPAs to enterprise customers within 24 hours. The template below reflects the standard terms we sign.


  • EU-only compute: Hetzner Frankfurt & Helsinki
  • Docker --network=none: Zero network access during job
  • 72h breach notification: GDPR Art. 33 compliant

1. Parties

This Data Processing Agreement (“DPA”) is entered into between:

Data Controller

The legal entity or individual identified in the GhostNexus account registration (“Controller” or “Customer”), agreeing to these terms by use of the Service.

Data Processor

GhostNexus SAS, a simplified joint-stock company incorporated under French law, operating the GhostNexus platform at ghostnexus.net (“Processor” or “GhostNexus”). Contact: contact@ghostnexus.net

2. Subject Matter and Duration

This DPA governs the processing of personal data by GhostNexus on behalf of the Controller in connection with the provision of GPU compute services (“Service”). The DPA enters into force on the date of account creation and remains in effect until termination of the Service agreement, extended by any statutory retention obligations.

3. Nature, Purpose, and Scope of Processing

GhostNexus processes personal data solely to provide the compute marketplace service, including job dispatch, billing, authentication, and communication. Processing is limited to the following operations:

  • Storing account registration data (email address, hashed credentials)
  • Logging job execution metadata (job ID, GPU type, duration, cost, status)
  • Processing payment information via Stripe (card tokens, transaction IDs)
  • Sending transactional and lifecycle emails via Resend
  • Maintaining security logs for fraud prevention and incident response

Zero-knowledge compute

GhostNexus does not store, access, inspect, or transmit the contents of compute scripts, training datasets, model weights, or any data processed inside the execution container. Container filesystems are ephemeral and destroyed upon job completion.

4. Categories of Personal Data and Data Subjects

4.1 Data categories processed

  • Identification data: email address, username
  • Authentication credentials: bcrypt-hashed passwords, API key hashes
  • Financial data: Stripe customer ID, last-4 card digits, subscription status
  • Usage data: API call logs, job identifiers, GPU resource consumption, timestamps
  • Technical data: IP addresses, user-agent strings (security logs, 30-day retention)

4.2 Categories of data subjects

  • Registered users of the GhostNexus platform (clients and GPU providers)
  • Employees or contractors of the Controller using the Service under the Controller's account

Special category data (Art. 9 GDPR): GhostNexus does not knowingly process special category data. The Controller is solely responsible for ensuring that no special category data is transmitted to GhostNexus infrastructure unless a dedicated data protection impact assessment (DPIA) has been completed and appropriate safeguards are in place.

5. Obligations of the Processor

GhostNexus undertakes to:

  • Process personal data only on documented instructions from the Controller
  • Ensure that all persons authorised to process personal data are bound by confidentiality
  • Implement and maintain the Technical and Organisational Measures set out in Article 7
  • Not engage sub-processors without prior written authorisation from the Controller (general authorisation granted as per Article 6 below)
  • Assist the Controller, insofar as possible, in responding to data subject requests under Chapter III GDPR
  • Assist the Controller with Articles 32–36 GDPR obligations (security, breach notification, DPIA)
  • Delete or return all personal data upon termination of services at the Controller's choice
  • Make available all information necessary to demonstrate compliance and permit audits

6. Sub-processors

The Controller grants general authorisation to GhostNexus to engage the following sub-processors. GhostNexus will notify the Controller of any intended changes at least 30 days in advance via email and the platform changelog.

Sub-processor | Purpose | Location | Transfer basis
Hetzner Online GmbH | Compute infrastructure & storage | DE, FI | EEA — no transfer
Stripe, Inc. | Payment processing | US (primary) | SCCs (Art. 46.2.c)
Resend, Inc. | Transactional email | EU infrastructure | EU DPA in place

7. Technical and Organisational Measures (TOMs)

GhostNexus implements the following measures pursuant to Article 32 GDPR to ensure a level of security appropriate to the risk:

7.1 Compute isolation (primary control)

# Container launch flags applied to every job
--network=none                          # Zero network access during execution
--read-only                             # Immutable container filesystem
--cap-drop=ALL                          # No Linux capabilities
--user 65534:65534                      # Non-root execution (nobody:nogroup)
--security-opt no-new-privileges:true
--tmpfs /tmp:size=64m,noexec,nosuid

Container filesystems are destroyed immediately upon job completion. No data persists between jobs. Provider nodes cannot access the internet during job execution.
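
One way a Controller or auditor could check a job container against the 7.1 flags, as an added example that is not GhostNexus code. It assumes the `docker inspect` JSON for the container is available; the sample record below is constructed for illustration.

```python
import json

# Constructed sample of `docker inspect <container>` output (not GhostNexus data).
SAMPLE_INSPECT = json.loads("""
[{
  "Config": {"User": "65534:65534"},
  "HostConfig": {
    "NetworkMode": "none",
    "ReadonlyRootfs": true,
    "CapDrop": ["ALL"],
    "CapAdd": null,
    "Privileged": false,
    "SecurityOpt": ["no-new-privileges:true"],
    "Tmpfs": {"/tmp": "size=64m,noexec,nosuid"}
  }
}]
""")


def audit_container(inspect_entry):
    """Return a list of deviations from the section 7.1 launch flags."""
    cfg = inspect_entry.get("Config") or {}
    host = inspect_entry.get("HostConfig") or {}
    findings = []

    if host.get("NetworkMode") != "none":
        findings.append("network: expected --network=none")
    if host.get("ReadonlyRootfs") is not True:
        findings.append("filesystem: expected --read-only")
    # Dropping ALL is undone by --cap-add or --privileged, so check those too.
    caps_dropped = {c.upper() for c in host.get("CapDrop") or []}
    if "ALL" not in caps_dropped or host.get("CapAdd") or host.get("Privileged"):
        findings.append("capabilities: expected --cap-drop=ALL, nothing added back")
    if cfg.get("User") != "65534:65534":
        findings.append("user: expected --user 65534:65534")
    sec = set(host.get("SecurityOpt") or [])
    if not sec & {"no-new-privileges", "no-new-privileges:true"}:
        findings.append("privileges: expected no-new-privileges")
    tmp_opts = set((host.get("Tmpfs") or {}).get("/tmp", "").split(","))
    if not {"noexec", "nosuid"} <= tmp_opts:
        findings.append("tmpfs: /tmp must be mounted noexec,nosuid")
    return findings


if __name__ == "__main__":
    for entry in SAMPLE_INSPECT:
        print(audit_container(entry) or "matches the 7.1 launch flags")
```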

7.2 Access controls

  • API keys hashed with bcrypt (cost factor 12) — plaintext never stored
  • API keys carry a 90-day TTL; rotation available via dashboard
  • TLS 1.3 enforced for all API and WebSocket communications (Caddy/ACME)
  • Rate limiting: 10 requests/minute per API key for compute endpoints
  • WebSocket brute-force protection: 8 failed auth attempts per 60s → IP block

7.3 Data minimisation

  • Script contents transmitted to provider node via encrypted WebSocket and not stored post-execution
  • Job logs stored only as metadata (ID, status, duration, cost) — no output data
  • IP addresses in access logs rotated after 30 days

7.4 Physical and infrastructure security

  • All compute hardware located in Hetzner-certified data centres (ISO 27001, SOC 2)
  • Locations: Frankfurt/Main (DE) and Helsinki (FI) — within EEA
  • No data processing outside EEA for compute workloads

7.5 Availability and resilience

  • Job state persisted in Redis with 2-hour TTL for crash recovery
  • Automated daily database backups with 7-day retention
  • Monitoring with 5-minute health checks and automated alerting

7.6 Pseudonymisation and encryption

  • Passwords: bcrypt hash, never stored in recoverable form
  • API keys: hashed at rest; only the hash is stored in the database
  • Database connections: TLS encrypted in transit
  • Stripe payment data: tokenised — card numbers never touch GhostNexus servers

8. International Data Transfers

Compute processing takes place exclusively within the EEA (Germany and Finland). No personal data is transferred to third countries for the purpose of executing compute jobs.

Where sub-processors operate outside the EEA (Stripe — United States), transfers are governed by Standard Contractual Clauses (Module 2: Controller to Processor) pursuant to Article 46(2)(c) GDPR and Commission Implementing Decision (EU) 2021/914.

9. Personal Data Breach Notification

In the event of a personal data breach, GhostNexus will:

  • Notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Art. 33 GDPR)
  • Provide, at minimum: nature of the breach, categories and approximate number of data subjects affected, likely consequences, measures taken or proposed
  • Notify via email to the account's registered address; escalation path: contact@ghostnexus.net
  • Cooperate fully with the Controller in any regulatory notification obligations

10. Assistance with Data Subject Rights

GhostNexus will assist the Controller in fulfilling its obligations to respond to data subject requests under Articles 15–22 GDPR. Requests should be submitted to contact@ghostnexus.net. GhostNexus will respond to Controller requests within 10 business days.

Deletion requests: Upon account deletion, all personal data associated with the account is deleted within 30 days, except data subject to statutory retention obligations (financial records: 10 years under French commercial law).

11. Audit Rights

The Controller may audit GhostNexus's compliance with this DPA no more than once per calendar year, upon 30 days' written notice. Audits may be conducted by the Controller or a mutually agreed independent third party bound by confidentiality. GhostNexus may satisfy audit requests by providing up-to-date third-party audit reports (ISO 27001 certification from Hetzner) or completing a standardised security questionnaire.

12. Termination and Data Return

Upon termination of the Service or upon the Controller's written request, GhostNexus will, at the Controller's election:

  • Delete all personal data within 30 days and provide written confirmation; or
  • Return personal data in machine-readable format (JSON export available via API)

This obligation does not apply to data that GhostNexus is required to retain under applicable law.

13. Governing Law

This DPA is governed by the laws of France. Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the Commercial Court of Paris (Tribunal de Commerce de Paris), unless mandatory local law requires otherwise.

Annex 1 — Technical Measures Summary

Network isolation: --network=none per container
Filesystem: --read-only + ephemeral tmpfs
Privilege escalation: --security-opt no-new-privileges:true + no capabilities
User context: nobody:nogroup (UID 65534)
Data locations: Hetzner DE + FI only
Passwords: bcrypt (cost 12), never plaintext
API keys: bcrypt hash + 90-day TTL
Transport: TLS 1.3 (Caddy / Let's Encrypt)
Job data retention: Metadata only; content destroyed
Breach notification: 72h — GDPR Art. 33

Request a signed DPA

Individual agreements signed within 24 hours. contact@ghostnexus.net
