Data Processing Agreement
Version 1.0 · Last updated June 2026
1. Introduction and Scope
This Data Processing Agreement ("DPA") forms part of, and is subject to, the Terms of Service and any other written agreement (the "Main Agreement") between Internetivo Ltd ("Internetivo") and the counterparty (the "Customer", which includes a node operator or developer), together the "Parties".
It applies whenever one Party processes personal data on behalf of the other in connection with the IVO Platform, and in particular to two scenarios:
- Internetivo as processor - where Internetivo processes personal data on behalf of a Customer or node operator who acts as controller (for example, a node operator's handling of personal data of its own local users).
- Customer / node / developer as processor - where a node operator, developer, or integrator processes personal data on behalf of Internetivo as controller (for example, when operating a federated node or building on the public API or SDK).
This DPA gives effect to Article 28 of the General Data Protection Regulation (GDPR) (EU) 2016/679. It is consistent with our Privacy Policy and Data Protection Policy.
2. Definitions
| Term | Meaning |
|---|---|
| Controller | The natural or legal person that, alone or jointly, determines the purposes and means of processing personal data (per Art. 4(7) GDPR). |
| Processor | The natural or legal person that processes personal data on behalf of the Controller (per Art. 4(8) GDPR). |
| Sub-processor | Any third party engaged by the Processor to carry out processing activities on behalf of the Controller. |
| Data Subject | An identified or identifiable natural person to whom personal data relates (per Art. 4(1) GDPR). |
| Personal Data | Any information relating to a Data Subject, processed under this DPA (per Art. 4(1) GDPR). |
| Processing | Any operation performed on personal data, as defined in Art. 4(2) GDPR. |
| Data Protection Law | The GDPR and applicable Cypriot data protection law, and any successor or implementing legislation. |
| Standard Contractual Clauses (SCCs) | The clauses approved by the European Commission for transfers of personal data to third countries. |
Capitalised terms not defined here have the meaning given in the Main Agreement.
3. Roles of the Parties
The Parties acknowledge that, for the personal data within scope, one Party acts as Controller and the other as Processor, as identified in Annex 1. Each Party complies with its obligations under Data Protection Law in its respective role. The Controller is responsible for the lawfulness of the instructions it gives; the Processor processes only as instructed.
4. Subject-Matter, Duration, Nature and Purpose
The subject-matter, duration, nature and purpose of the processing, the types of personal data, and the categories of Data Subjects are set out in Annex 1. Processing continues for the duration of the Main Agreement and for any period thereafter required to meet legal obligations or to return or delete the data under Section 11.
5. Processor Obligations
The Processor shall:
5.1 Documented Instructions
Process personal data only on the Controller's documented instructions, including as set out in this DPA and the Main Agreement, unless required to process by law (in which case it will inform the Controller, where legally permitted). The Processor will inform the Controller if, in its opinion, an instruction infringes Data Protection Law.
5.2 Confidentiality
Ensure that persons authorised to process personal data are bound by an appropriate duty of confidentiality and process the data only as instructed.
5.3 Security (Art. 32)
Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art and the nature of the data. The categories of measures are described generically in Annex 2.
5.4 Sub-processors
Engage Sub-processors only under the conditions in Section 6.
5.5 Assistance with Data Subject Requests
Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, to respond to requests by Data Subjects exercising their rights under Chapter III of the GDPR.
5.6 Assistance with Compliance (Arts. 32-36)
Assist the Controller in ensuring compliance with its obligations regarding security of processing, notification of personal data breaches, communication of breaches to Data Subjects, data protection impact assessments, and prior consultation with the supervisory authority, taking into account the information available to the Processor.
5.7 Breach Notification
Notify the Controller without undue delay after becoming aware of a personal data breach affecting the personal data processed under this DPA, and provide the information reasonably needed for the Controller to meet its own notification obligations.
5.8 Audit and Information
Make available to the Controller the information reasonably necessary to demonstrate compliance with Art. 28, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates, subject to reasonable notice, confidentiality, frequency limits, and minimisation of disruption to operations and to other customers. Where appropriate, third-party audit reports or certifications may be provided to satisfy an audit request.
6. Sub-processors
6.1 General Authorisation
The Controller grants the Processor a general authorisation to engage Sub-processors to support the provision of the services. The current Sub-processors, by role, are listed in Annex 3.
6.2 Flow-down Obligations
The Processor shall impose on each Sub-processor data protection obligations no less protective than those in this DPA, by written contract, and remains liable to the Controller for the acts and omissions of its Sub-processors.
6.3 Change Notice
The Processor shall give the Controller reasonable prior notice of any intended addition or replacement of a Sub-processor, giving the Controller the opportunity to object on reasonable data-protection grounds. If the Parties cannot resolve a reasonable objection, the Controller may terminate the affected service.
7. International Transfers
The Processor shall not transfer personal data outside the European Economic Area unless an appropriate safeguard under Chapter V of the GDPR is in place. Where transfers occur, they are made under the Standard Contractual Clauses (SCCs) approved by the European Commission, an adequacy decision, or another lawful transfer mechanism. The SCCs are incorporated into this DPA by reference where a transfer relies on them, and prevail over any conflicting term in respect of that transfer.
8. Liability and Indemnity
Each Party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Main Agreement. Each Party shall be liable for, and shall indemnify the other against, claims, fines, and reasonable costs (including legal fees) arising from its own breach of this DPA or of Data Protection Law, to the extent attributable to that Party. Apportionment of liability between controllers and processors follows Art. 82 GDPR. Nothing in this DPA limits liability that cannot be limited under applicable law.
9. Order of Precedence
In the event of a conflict, the following order of precedence applies: (1) the Standard Contractual Clauses (for matters they govern); (2) this DPA; (3) the Main Agreement. In all other respects the Main Agreement remains in full force.
10. Governing Law
This DPA is governed by the laws of the Republic of Cyprus and EU law where applicable, without prejudice to any governing-law term required by the SCCs for the transfers they cover.
11. Duration, Deletion and Return
This DPA remains in effect for as long as the Processor processes personal data on behalf of the Controller. On termination or expiry of the Main Agreement, the Processor shall, at the Controller's choice, delete or return all personal data and delete existing copies, unless retention is required by law, in which case the Processor shall protect the data and process it only as the law requires.
Annex 1 - Details of Processing
| Item | Description |
|---|---|
| Subject-matter | Processing of personal data necessary to operate the IVO federated work marketplace and related services. |
| Duration | The term of the Main Agreement, plus any legally required retention period. |
| Nature of processing | Collection, storage, organisation, retrieval, transmission, display, hosting, and deletion in connection with marketplace, account, payment-related, communication, and support functions. |
| Purpose of processing | Providing the Platform: account management, posting and bidding on work, messaging, escrow-related processing, reputation and matching, dispute handling, fraud prevention, support, and compliance. |
| Types of personal data | Identification and contact data (name, email, phone, username, profile); account and authentication data; task and project content; transaction and payment-related metadata (no full card numbers); communications and support records; device and technical data; approximate location; reputation and rating data. Identity verification data is processed by a specialist provider as noted in the Privacy Policy. |
| Special categories | Not intended. The Platform does not request special-category data; any biometric processing for identity verification is performed by the identity-verification provider under its own controls. |
| Categories of Data Subjects | Clients (who post work), Workers (who deliver work), node operators and their staff, prospective users, and authorised contacts of business users. |
| Frequency | Continuous, for the duration of the services. |
Annex 2 - Technical and Organisational Measures
The Processor maintains a documented information-security programme aligned with recognised standards (ISO 27032 aligned), covering, as appropriate to the risk, the following generic categories. No implementation detail is disclosed here.
- Encryption of personal data in transit and at rest.
- Access controls, authentication, and least-privilege principles.
- Pseudonymisation and minimisation where appropriate.
- Measures to ensure ongoing confidentiality, integrity, availability, and resilience of systems.
- Backup, recovery, and business-continuity measures to restore availability after an incident.
- Logging, monitoring, and detection measures.
- Regular testing, assessment, and evaluation of the effectiveness of measures, including audits and penetration testing.
- Personnel measures, including confidentiality obligations and security awareness.
- Vendor and sub-processor management.
- Incident-response and breach-notification procedures.
Payment card processing is performed by a PCI-DSS compliant payment processor; Internetivo does not receive or store full card numbers.
Annex 3 - Sub-processors (by Role)
The following categories of Sub-processors may be engaged. This list mirrors the third-party recipients identified in our Privacy Policy; the current list is available on request from a privacy and data ticket.
| Role | Provider | Location / safeguard |
|---|---|---|
| Payment processing, escrow, payouts | Our payment processor (Stripe, Inc.) | USA (SCCs) |
| Identity verification (KYC/AML) | Our identity-verification provider (Sumsub) | EU / UK |
| Security and fraud-prevention IP intelligence | Our IP-intelligence providers (proxycheck.io; ip-api.com) | UK / EU |
| SMS and voice authentication | Our communications provider (Twilio, Inc.) | USA (SCCs) |
| Push notification delivery | Our push-notification provider (Expo) | USA (SCCs) |
| Hosting and infrastructure | Our hosting provider (Hetzner, EU) | EU (Germany) |
| Aggregate analytics | Our analytics provider | EU |
| Federated marketplace hosting | Licensed node operators | EU (primarily), under contract + DPA |
Contact
Data Protection Officer / DPA enquiries: Internetivo Ltd Open a privacy and data ticket Website: https://internetivo.com/legal/dpa
Related documents: Privacy Policy, Data Protection Policy, GDPR and Your Data Rights, Cookie Policy.
This DPA is governed by the laws of the Republic of Cyprus and EU law where applicable.