
    Last updated: April 10, 2026

    Data Processing Agreement

    Introduction

    This page describes the data processing commitments of N40 Agency, LLC (Delaware LLC, EIN: 36-5172738, File No. 10548740, incorporated March 16, 2026; registered agent: Legalinc Corporate Services Inc., 131 Continental Dr, Suite 305, Newark, DE 19713, USA) under Article 28 of the EU General Data Protection Regulation (GDPR) 2016/679. It serves as a public summary of our obligations as a data processor.

    For a legally binding signed DPA — required to demonstrate GDPR compliance to regulators and enterprise clients — please use the request form at the bottom of this page.

    Roles of the Parties

    Data Controller

    The Client — the organization or individual engaging N40. Determines the purposes and means of processing.

    Data Processor

    N40 Agency, LLC (Delaware LLC, EIN: 36-5172738) — processes personal data on behalf of the Client solely for the purpose of delivering agreed services.

    N40 does not process Client personal data for its own purposes and does not transfer it to third parties except the sub-processors listed in this document.

    Subject Matter of Processing

    Depending on the service engaged, N40 may process the following categories of data:

    Service            Data Types                                  Data Subjects
    Secure Messenger   Names, emails, messages, metadata           Client's employees
    Ops Dashboards     Business metrics, reports, credentials      Client's managers, analysts
    AI Agents          Queries, conversation context, CRM data     Client's customers and employees
    Prototyping        Test data, user accounts                    Test users
    Contact Form       Name, email, phone, message                 Website visitors

    The exact data categories and processing duration are defined in the applicable agreement or Statement of Work. Processing is carried out solely for the purpose of delivering agreed services.

    Processing Instructions

    N40 processes personal data only on documented instructions from the Client (data controller), unless required to do so by EU or member state law. In such cases, N40 informs the Client of the legal requirement prior to processing, unless the law prohibits such notification on grounds of public interest.

    If N40 considers that an instruction from the Client infringes GDPR or other applicable data protection law, N40 immediately informs the Client.

    Staff Confidentiality

    N40 ensures that access to Client personal data is limited to personnel and contractors who require it to perform the agreed services. All such persons:

    • Have signed non-disclosure agreements or have employment contracts containing equivalent confidentiality obligations.
    • Have received training on data protection and information security requirements.
    • Have access only to the data necessary for their specific tasks (principle of least privilege).

    Data Security Measures (Article 32 GDPR)

    N40 implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing:

    Measure                          Details
    Encryption at rest               AES-256
    Encryption in transit            TLS 1.3
    Authentication & authorization   MFA, OAuth 2.0, RBAC
    Monitoring & audit logging       Event logs, anomaly alerts
    Backup                           Regular encrypted backups
    Secure development               OWASP Top 10, code review, vulnerability testing
    Access control                   Least privilege, regular access reviews

    For full details of our security practices, contact us at contact@n40.agency.

    Sub-processors

    The Client grants general prior authorization for N40 to engage sub-processors. N40 will notify the Client at least 30 days before engaging a new sub-processor or replacing an existing one. The Client may object on reasonable data protection grounds within this period.

    Sub-processor           Purpose                                                        Location
    Supabase Inc.           Database, Edge Functions, authentication                       USA (AWS us-east-1)
    Resend / AWS SES        Transactional email delivery                                   USA (Amazon)
    Google LLC              Google Analytics (anonymized web analytics)                    USA
    Stripe, Inc.            Invoice payment processing (name, email, billing address;      USA (PCI DSS Level 1)
                            card data is not stored by N40)
    NovaPay                 Payment processing in Ukraine (name, email, billing address;   Ukraine (PCI DSS)
                            certified by the National Bank of Ukraine)
    Netlify, Inc.           Web hosting and CDN                                            USA
    Calendly, LLC           Appointment scheduling                                         USA
    Hotjar Ltd              Analytics and session recording                                Malta (EU)
    Meta Platforms, Inc.    Conversion tracking (Meta Pixel)                               USA
    LinkedIn Corporation    Conversion tracking (Insight Tag)                              USA

    All US-based sub-processors process data under Standard Contractual Clauses (SCC) pursuant to EU Commission Decision 2021/914.

    N40 remains liable to the Client for sub-processors' compliance with GDPR obligations to the same extent as N40's own obligations.

    Data Subject Rights

    N40 provides technical and organizational assistance to the Client (controller) in fulfilling its obligations regarding data subject rights under Chapter III of the GDPR:

    • Right of access (Art. 15) — providing the Client with the data subject's data in a structured format within 10 business days.
    • Right to rectification (Art. 16) — correcting inaccurate data per Client instruction.
    • Right to erasure (Art. 17) — deleting data subject records per confirmed Client instruction.
    • Right to data portability (Art. 20) — providing data in a standard machine-readable format (JSON, CSV).
    • Right to restriction (Art. 18) — temporarily suspending processing per Client instruction.

    N40 will not delete or alter data without written Client instruction, except where required by law.

    Breach Notification (Art. 33–34 GDPR)

    Upon becoming aware of an actual or suspected personal data breach, N40 will:

    • Notify the Client within 24 hours of discovery.
    • Provide a description of the nature of the breach, including the approximate number and categories of affected data subjects and records.
    • Describe the likely consequences of the breach and the measures taken or proposed to address it.
    • Continue to provide updates as additional information becomes available.

    The Client (controller) is responsible for notifying the competent supervisory authority (Art. 33 GDPR, within 72 hours of becoming aware of the breach) and, where required, the affected data subjects (Art. 34 GDPR) within the required timeframes.

    Audit Rights (Art. 28(3)(h))

    N40 makes available to the Client all information necessary to demonstrate compliance with Article 28 GDPR obligations and allows for audits and inspections, including by auditors mandated by the Client.

    Audits require 14 days' prior written notice, are conducted during normal business hours, and are subject to NDA. Audit costs are borne by the Client unless the audit reveals a material breach by N40.

    N40 may satisfy compliance verification obligations by providing an independent auditor's report or relevant certification where available.

    International Data Transfers (Art. 44–49 GDPR)

    Most of N40's sub-processors (Supabase, Resend, Google, Stripe, Netlify, Calendly, Meta, LinkedIn) are located in the United States; Hotjar is in the EU (Malta) and NovaPay is in Ukraine. Transfers of personal data from the EU to the US are made under Standard Contractual Clauses (SCC) pursuant to EU Commission Decision 2021/914 (Module 2: controller-to-processor and Module 3: processor-to-sub-processor).

    N40 has conducted a Transfer Impact Assessment (TIA) and implemented supplementary measures (data encryption prior to transfer, data minimization) to ensure a level of protection essentially equivalent to that guaranteed by the GDPR.

    Standard Contractual Clauses are included in the signed DPA as an Annex. Request a copy below.

    Data Deletion Upon Termination (Art. 28(3)(g))

    Upon termination or expiration of the agreement, N40 will, at the Client's choice, either:

    • Return all personal data to the Client in a standard format (JSON, CSV) within 30 days, or
    • Delete all personal data from active systems within 30 days.

    In either case, backup copies are permanently deleted within 90 days of the deletion decision, and N40 provides written confirmation of deletion to the Client.

    Exception: N40 may retain data longer where required by EU or member state law, citing the applicable legal basis.

    Request a Signed DPA

    This page is a public summary of our data processor commitments. To evidence GDPR compliance to regulators and to your own compliance team, a signed bilateral DPA is required.

    Contact us and we will send a complete DPA draft (including an SCC Annex for US transfers) within 2 business days.