Legal · Article 28 GDPR

Data Processing Agreement

Template DPA outlining how NTLi GmbH processes personal data on behalf of its B2B clients, in line with Article 28 GDPR.

Last updated: 23 April 2026

Placeholder notice: this DPA is a working template under final legal review. The binding version is the one signed alongside your engagement contract. This page does not constitute legal advice.

1. Purpose & scope

This Data Processing Agreement (“DPA”) governs the processing of personal data carried out by NTLi GmbH (“Processor”) on behalf of the Client (“Controller”) in the context of the services described in the underlying engagement contract or statement of work.

2. Roles & relationship

For the purposes of Article 28 GDPR, the Client acts as the Controller and NTLi acts as the Processor. NTLi processes personal data only on documented instructions from the Client, including with regard to transfers of personal data to a third country or an international organisation.

3. Subject matter & duration

The subject matter of processing is the delivery of the agreed services. The duration of processing corresponds to the term of the underlying engagement, plus any retention period required by law or expressly agreed in writing.

4. Categories of data and data subjects

The categories of personal data and categories of data subjects are defined in an annex to this DPA per engagement. Typical categories include business contact details of the Client’s personnel, end-user account data within Client systems, and operational data needed to deliver the services.

5. Processor obligations

NTLi shall: (a) process personal data only on documented instructions; (b) ensure that persons authorised to process the personal data are bound by confidentiality; (c) implement the security measures listed below; (d) assist the Controller in fulfilling its obligations under Articles 32–36 GDPR; and (e) make available all information necessary to demonstrate compliance with Article 28 GDPR.

6. Sub-processors

NTLi maintains a list of approved sub-processors, which is appended to each engagement DPA. NTLi will inform the Client of any intended changes concerning the addition or replacement of sub-processors and will impose on them the same data protection obligations as set out in this DPA.

7. Security measures (Art. 32 GDPR)

Technical and organisational measures include: encryption in transit (TLS 1.2+), encryption at rest for stored credentials and operational data, role-based access control with least privilege, multi-factor authentication for administrative access, segregated environments, regular backups, vulnerability monitoring, audit logs, and a documented incident-response procedure.

8. International transfers

Where processing involves a transfer of personal data outside the EEA, NTLi relies on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and conducts a transfer impact assessment in line with the Schrems II ruling. Additional safeguards are applied as appropriate.

9. Audits & inspections

NTLi will, on reasonable prior notice and subject to confidentiality obligations, make available the information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client.

10. Personal data breach notification

NTLi will notify the Client without undue delay after becoming aware of a personal data breach affecting Client data, providing the information required by Article 33(3) GDPR to support the Client’s own notification obligations.

11. Return or deletion of data

Upon termination or expiry of the underlying engagement, NTLi shall, at the Client’s choice, return or delete all personal data processed on behalf of the Client and delete existing copies, unless EU or Member State law requires storage of the personal data.

12. Liability

Liability under this DPA is governed by, and forms part of, the underlying engagement contract, including any agreed liability cap. Nothing in this DPA limits liability that cannot be limited under applicable law.

13. Governing law & jurisdiction

This DPA is governed by the laws of Austria, excluding its conflict-of-laws rules. Exclusive place of jurisdiction is Vienna, Austria, unless mandatory consumer-protection or data-protection rules require otherwise.

Request the signed DPA

We will send the current version annexed with sub-processor details.

contact@ntli-dev.com

Last updated: 23 April 2026 · NTLi GmbH · FN 671761 · Vienna, Austria