nerapo — Data Processing Agreement (DPA)
Effective date: 01 May 2026
Last updated: 22 May 2026
1. Introduction and parties
1.1. This Data Processing Agreement ("DPA") is entered into between:
- SC MOVING RECORDS SRL ("nerapo", "we", the "Processor") — CUI 36516097, J1/790/2016, VAT ID: RO48113896, Str. Vasile Alecsandri nr. 76, Alba Iulia, Alba County, Romania; and
- the Customer ("you", the "Controller") — the business or individual that subscribes to or uses the nerapo service.
1.2. This DPA governs nerapo's Processing of End-User Personal Data on the Customer's behalf when the Customer uses the nerapo service to build and operate a mobile application.
1.3. Incorporation. This DPA forms part of, and is incorporated by reference into, the nerapo Terms and Conditions (the "Terms"). By accepting the Terms, the Customer also accepts this DPA — no separate signature is required. A counter-signed copy of this DPA is available to any Customer on request at [email protected].
1.4. Capitalised terms not defined in this DPA have the meaning given to them in the Terms.
2. Definitions
- GDPR — Regulation (EU) 2016/679 (General Data Protection Regulation).
- Data Protection Law — the GDPR and any other data-protection law applicable to the Processing under this DPA.
- Controller, Processor, Sub-processor, Personal Data, Processing, Data Subject, Personal Data Breach — have the meanings given to them in the GDPR.
- End User — a person who downloads, installs or uses a mobile application published by the Customer using the nerapo service (as defined in the Terms).
- End-User Personal Data — Personal Data relating to End Users that nerapo Processes on the Customer's behalf through the service. The specific data is described in Schedule 1.
3. Roles of the parties
3.1. In respect of End-User Personal Data, the Customer is the Controller and nerapo is the Processor. The Customer determines the purposes and means of the Processing; nerapo Processes End-User Personal Data only to provide the service to the Customer.
3.2. This DPA covers only End-User Personal Data. Personal Data relating to the Customer's own nerapo account (such as the account holder's name, e-mail and billing data) is not governed by this DPA: in respect of that data nerapo acts as an independent Controller, and that Processing is described in the nerapo Privacy Policy.
3.3. The Customer is solely responsible for the lawfulness of the End-User Personal Data and of its instructions, and for its own mobile application's privacy notice and terms presented to its End Users.
4. The Customer's obligations (as Controller)
4.1. The Customer warrants that it has, and will maintain, a valid legal basis under Data Protection Law for the End-User Personal Data Processed through the service.
4.2. The Customer is responsible for providing its End Users with all required privacy information and for obtaining any consents required — including publishing its own privacy policy and terms for its mobile application. nerapo does not provide legal documents to the Customer's End Users.
4.3. The Customer will issue only lawful instructions to nerapo and warrants that its instructions, and the data and configuration it enters into the service, comply with Data Protection Law.
5. nerapo's obligations (as Processor)
5.1. Processing on instructions. nerapo will Process End-User Personal Data only on the Customer's documented instructions. The Terms, this DPA, and the Customer's configuration and use of the service's features together constitute the Customer's complete documented instructions. nerapo will inform the Customer if, in its opinion, an instruction infringes Data Protection Law.
5.2. Confidentiality. nerapo ensures that persons authorised to Process End-User Personal Data are bound by an appropriate obligation of confidentiality.
5.3. Security. nerapo implements appropriate technical and organisational measures to protect End-User Personal Data, as described in Schedule 3.
5.4. Sub-processors. The Customer gives general authorisation for nerapo to engage the Sub-processors listed in Schedule 2. nerapo will: (a) impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA; (b) remain liable to the Customer for each Sub-processor's performance; and (c) inform the Customer of any intended addition or replacement of a Sub-processor, giving the Customer a reasonable opportunity to object on reasonable data-protection grounds.
5.5. Data Subject rights. Taking into account the nature of the Processing, nerapo will assist the Customer, by appropriate technical and organisational measures, to respond to End-User requests to exercise their rights. If nerapo receives such a request directly from an End User, it will refer the End User to the Customer. The service also allows an End User to delete their own account directly, which permanently removes that End User's record and related data.
5.6. Assistance. Taking into account the nature of the Processing and the information available to nerapo, nerapo will assist the Customer in ensuring compliance with its obligations regarding security, Personal Data Breach notification, data protection impact assessments, and prior consultation.
5.7. Personal Data Breach. nerapo will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting End-User Personal Data, and will provide the information reasonably available to it to help the Customer meet its own notification obligations.
5.8. Deletion and return. On termination of the Customer's use of the service, nerapo will delete End-User Personal Data (and existing copies) within a reasonable period, unless retention is required by law. The platform's normal behaviour is: when an account is closed it is deleted after a short grace window, including the End-User accounts associated with it; routine backups cycle out within a limited period thereafter. Demo data is deleted automatically (see the Terms).
5.9. Audits. nerapo will make available to the Customer the information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. Audits are subject to reasonable conditions as to confidentiality, advance notice, frequency, scope and cost, and must not compromise the security or data of other customers.
6. International transfers
6.1. nerapo Processes End-User Personal Data primarily on infrastructure located in Romania (European Economic Area), through the Sub-processor Zenith Technology. The CDN and security layer is provided by Cloudflare, Inc., a company established in the United States, which may involve the transfer of End-User Personal Data outside the EEA. For such transfers, the parties rely on the European Commission's Standard Contractual Clauses adopted by Implementing Decision (EU) 2021/914 (Module 3 — processor-to-processor), as incorporated into Cloudflare's standard Data Processing Addendum, which is available at https://www.cloudflare.com/cloudflare-customer-dpa/.
7. Liability, precedence and term
7.1. This DPA forms part of the Terms. The limitation-of-liability provisions of the Terms apply to this DPA and to any claim arising under it.
7.2. In the event of a conflict between this DPA and the rest of the Terms on a matter of personal-data Processing, this DPA prevails.
7.3. This DPA takes effect when the Customer accepts the Terms and continues for as long as nerapo Processes End-User Personal Data on the Customer's behalf.
8. Governing law
This DPA is governed by the laws of Romania, in line with, and subject to, the governing-law and dispute-resolution provisions of the Terms.
Schedule 1 — Description of the Processing
Subject matter. nerapo's Processing of End-User Personal Data in order to provide the nerapo platform to the Customer.
Duration. For the term of the Customer's use of the service, plus the deletion periods described in clause 5.8.
Nature and purpose. Hosting, storing, transmitting and displaying End-User Personal Data so that the Customer's mobile application can offer End-User account login, a favourites feature, End-User-added podcast RSS feeds, and playback-position memory, and so that the Customer can see an aggregate count of its application's users in the nerapo dashboard.
Types of End-User Personal Data Processed (code-verified):
- a pseudonymous user identifier — an irreversible SHA-256 hash derived from the End User's e-mail address or Apple/Google sign-in identifier; the e-mail address and the raw sign-in identifier themselves are never stored;
- an optional display name (may be a real name, where the End User or the Apple/Google sign-in provides one);
- a hashed password (bcrypt) — only for End Users who register with e-mail and password; not stored for Apple/Google sign-in;
- the End User's favourites, self-added podcast RSS feed URLs, and playback position.
Data NOT Processed. nerapo does not store End Users' raw e-mail addresses, raw social-login identifiers, device identifiers or push tokens, IP addresses, location data, payment data, or any special categories of personal data (Article 9 GDPR).
Categories of Data Subjects. End Users — the users/listeners of mobile applications published by the Customer using the nerapo platform.
Schedule 2 — Authorised Sub-processors
For the Processing of End-User Personal Data, nerapo uses:
| Sub-processor | Role | Location |
|---|---|---|
| Zenith Technology | Hosting and storage of the platform and its database | Bucharest, Romania |
| Cloudflare, Inc. | (1) Content-delivery network and security/WAF layer in front of the platform; (2) R2 object storage used solely for off-site backup of Customer data (fiscal invoices, the consent log, and the Customer action audit log). R2 is not used to store any End-User Personal Data. | Global / EU edge locations |
Not Sub-processors under this DPA. Stripe and Oblio Process the Customer's own billing data (not End-User Personal Data) and are addressed in the nerapo Privacy Policy. OneSignal (push notifications) and Google AdMob (advertising), where the Customer enables them, operate under the Customer's own OneSignal and AdMob accounts; nerapo does not send End-User Personal Data to them.
nerapo will keep this Schedule up to date and notify the Customer of changes as described in clause 5.4.
Schedule 3 — Technical and Organisational Security Measures
nerapo applies the following measures to protect End-User Personal Data:
- Data minimisation and pseudonymisation by design. End-User identifiers are stored only as irreversible SHA-256 hashes; passwords only as bcrypt hashes; raw e-mail addresses, social-login identifiers, device identifiers and IP addresses are not stored for End Users.
- Encryption in transit. All communication with the platform and its API is served over HTTPS/TLS.
- Tenant isolation. Each Customer's data, including its End-User data, is logically scoped and isolated per application within the platform. At the hosting layer, accounts are isolated via CloudLinux.
- Access control. Administrative access to the platform and database is restricted to authorised personnel and protected by authentication.
- Network and application protection. A content-delivery and security layer (Cloudflare), including a web application firewall, sits in front of the platform. The hosting environment is additionally protected by Imunify360, providing server-level firewall, malware scanning and brute-force protection.
- Software maintenance and backups. The platform and its environment are kept updated; data is backed up daily by the hosting provider, and backups cycle out within 30 days.
- Incident response. nerapo maintains an internal procedure for handling security incidents, covering identification, containment, remediation and notification to the Customer in accordance with clause 5.7.
- Deletion procedures. Account closure, app archival and End-User self-deletion trigger automated deletion of the associated data, as described in the Terms and in clause 5.8.
- Audit logging of critical configuration changes. nerapo maintains an append-only audit log of changes to critical app configuration initiated by Customers or by nerapo operators — specifically registrations, resets, and per-platform overrides of the mobile application identifier (iOS Bundle ID, Android Package Name). The log is stored on the primary platform database and mirrored as off-site backup to Cloudflare R2. End-User device IP addresses and User-Agents are not recorded in this log; it captures only Customer (account-holder) and operator activity. This supports security, dispute resolution and contractual accountability.