GDPR
Data Processing Agreement (DPA)
Last updated: 07.06.2026
This English translation is provided for convenience only. In the event of any discrepancy or conflict of interpretation, the Romanian language version prevails.
This Personal Data Processing Agreement (“DPA”) constitutes an annex forming an integral part of the Terms and Conditions of use of the iotferma.ro platform and governs the relationship between the Parties regarding data processing activities, in strict compliance with the provisions of Art. 28 of Regulation (EU) 2016/679 (GDPR).
1. Parties and roles
The Client (Controller) — means the legal entity or commercial entity treated as a professional that contracts the Services for the purpose of monitoring its agricultural activity, holding the legal capacity of Controller of personal data.
The Provider (Processor) — NORDIC SILVA S.R.L., a commercial company incorporated under the laws of Romania, with its registered office in Borșa, Maramureș County, as owner and provider of the iotferma.ro technology solution, holding the capacity of Processor.
2. Object, duration, nature and purpose of the processing
The object of this DPA is to provide the legal and security framework required for the processing of personal data in the context of delivering the SaaS Service. The nature of the processing includes collection, structuring, logical aggregation, cloud storage and the display of graphical dashboards in the application.
The exclusive purpose of the processing is to provide agricultural decision support (soil-moisture analysis, ET₀ calculation, automatic generation of operational alarms) and the technical administration of access accounts within the platform.
The duration of the processing is directly tied to the contractual validity period of the Client's active subscription, plus an administrative-technical interval of a maximum of 30 calendar days after termination of the service, required to complete data exports and irreversibly delete secondary databases and backups.
3. Obligations of the processor
In accordance with Art. 28(3) GDPR, the Processor expressly undertakes:
- To process personal data only on the basis of the Controller's documented written instructions, including with regard to international data transfers;
- To ensure that all of its internal personnel authorised to access or process the data have validly committed to strict confidentiality through specific contractual agreements or are under a clear statutory obligation of confidentiality;
- To implement all appropriate technical and organisational measures stipulated by Art. 32 GDPR in order to ensure an enhanced level of cybersecurity;
- To actively support the Controller, through appropriate technological measures and insofar as technically feasible, in fulfilling its obligation to respond to specific requests submitted by data subjects exercising their rights;
- To provide prompt technical assistance to the Controller in ensuring compliance with the obligations regarding system security, notification of the authorities in the event of an incident, and the completion of data protection impact assessments (DPIA);
- At the Controller's written option expressed upon termination of the contract, to permanently delete or fully return the personal data, destroying existing copies, except where Romanian law expressly requires long-term storage;
- To make available to the Controller all evidence necessary to demonstrate compliance with these obligations and to allow authorised audits to be carried out in accordance with the provisions of this document.
4. Sub-processors
The Controller grants the Provider a general authorisation to engage auxiliary technical sub-processors. The initial approved list comprises: (1) Hetzner Online GmbH — main provider of cloud services and server infrastructure located within the European Union; (2) specialised e-mail or SMS service providers for sending operational notifications (if used). The Provider undertakes to inform the Controller of any intention to modify, add or replace these sub-processors at least 15 days in advance, giving the Controller the legal right to raise reasoned written objections.
5. International transfers
All physical and logical processing, database hosting and backup activities are carried out exclusively on servers located within the European Union and the European Economic Area (EEA). No external transfer outside the EEA will take place without the Controller's prior express consent and without the implementation of the Standard Contractual Clauses approved by the European Commission.
6. Security (technical and organisational measures)
The Provider guarantees the implementation of the following specific measures, described in detail in Annex 2: logical isolation and segregation of data sets at the individual client level, enforced server-side through permissions (RBAC); full protection of communications through TLS/HTTPS encryption in transit; strict role-based access management (RBAC); and rigorous automated backup policies.
7. Notification of security breaches
In the event of an incident or a confirmed breach of personal data security, the Processor will send an official notification to the Controller without undue delay, within a maximum of 48 hours of the initial discovery. The notification will detail the estimated volume of affected data, the probable impact and the immediate mitigation measures taken by the Provider.
8. Assistance with data-subject rights and DPIA
The Provider will respond to any written request for assistance from the Controller within a maximum of 7 working days, providing the technical details extracted from the platform logs needed to complete the record of processing activities or to finalise the impact assessments required by law.
9. Deletion/return of data upon termination
Upon termination or expiry of the main contract, the Provider will ensure a 15-day access window for the Controller to download the raw operational data in standard CSV format. At the end of this interval, the Provider will permanently delete the account and all associated databases, with the process fully completed within a maximum of 30 days.
10. Audit
The Controller has the legal right to carry out a documentary audit once a year, at its own expense, with written notice given at least 30 days in advance. The Provider undertakes to cooperate in good faith and to make available to the appointed auditor extracts from its internal documentation attesting to the compliance of its technical processes.
Annex 1 — Details of the processing
- Categories of data subjects: employees, administrators, agronomists, field operators and collaborators of the Controller (the farm) for whom an access account is created.
- Categories of data processed: first name, last name, professional e-mail address, mobile phone number, secured credentials (hashes), connection IP addresses, system logs and geographical coordinates of agricultural parcels or the placement of physical devices.
- Processing operations: collection, recording, structuring, cloud storage, correlation with LoRaWAN sensor telemetry, querying, display in graphical interfaces and automated deletion.
Annex 2 — Technical and organisational measures
- Logical client-level data segregation at the application layer, with isolation enforced server-side through permissions (RBAC).
- Mandatory encryption of all communication flows in transit using the secure HTTPS and TLS 1.2 or higher protocols.
- Exclusive hosting of the systems in audited and physically secured data centres belonging to Hetzner Online GmbH within the European Union.
- Implementation of strict role-based access control (RBAC) and the use of complex passwords for administration accounts.
- Daily automated backup procedures stored on fully geographically isolated secondary storage media.