Data Processing Agreement

Standard Data Processing Agreement

Where you act other than as a consumer, you confirm that you have authority to bind the organisation on whose behalf you accept this agreement.

Please review these terms carefully; they include legally binding obligations that both parties will rely on.

Background

The Customer and Nocode LTD are party to terms governing the use of the latenode.com automation platform (the "Terms of Service"). Under the Terms of Service, Nocode LTD trading as Latenode ("Latenode") may process Personal Data for and on behalf of the Customer. This Data Processing Agreement (the "Agreement") supplements the Terms of Service.

1. Scope and roles

1.1 The Customer acts as Controller and Latenode acts as Processor in relation to Personal Data processed under the Terms of Service.

1.2 This Agreement applies only to the processing of Personal Data as described in Appendix A.

2. Definitions and interpretation

2.1 The following definitions apply:

– "Authorised Persons" means the individuals or categories of individuals identified in Appendix A.

– "Business Purposes" means the services described in the Terms of Service or any additional purposes expressly specified in Appendix A.

– "Controller" and "Processor" have the meanings given in the Data Protection Legislation.

– "Customer" means the party entering into this Agreement.

– "Data Protection Legislation" means the General Data Protection Regulation ((EU) 2016/679); the UK GDPR; the Privacy and Electronic Communications Directive 2002/58/EC (as amended by Directive 2009/136/EC); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426); and any other applicable laws and regulatory requirements in force from time to time that relate to the use of Personal Data.

– "Data Subject" means an identified or identifiable natural person to whom the Personal Data relates.

– "Latenode" means Nocode LTD, trading as the latenode.com automation platform, incorporated and registered in Cyprus with company number HE 449108, whose registered office is at Griva Digeni, 51, ATHINAION COURT, Flat/Office 202, 8047, Paphos, Cyprus.

– "Personal Data" means any information relating to an identified or identifiable natural person processed by Latenode as a result of, or in connection with, providing the services under the Terms of Service.

– "Personal Data Breach" means a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

– "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; and includes transfers of Personal Data to third parties.

– "Sensitive Personal Data" has the meaning given in Article 9 GDPR.

– "Standard Contractual Clauses (SCC)" means the standard contractual clauses adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, available at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en and completed as set out in Annex I.

– "UK GDPR" means Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

2.2 References to writing include email but exclude fax.

3. Instructions and processing details

3.1 Latenode will process Personal Data only as necessary for the Business Purposes and strictly in line with written instructions from Authorised Persons. If Latenode considers that an instruction from the Customer would infringe the Data Protection Legislation, it will promptly inform the Customer and may suspend the relevant processing pending clarification.

3.2 Latenode will promptly comply with any Customer instruction from Authorised Persons to amend, transfer, delete or otherwise process Personal Data, or to cease, mitigate, or remedy unauthorised processing.

3.3 Latenode will keep Personal Data confidential and will not disclose it to third parties unless authorised by the Customer or this Agreement, or required by law. Where required by a law, court, regulator, or supervisory authority to process or disclose Personal Data, Latenode will (unless prohibited by law) first notify the Customer and provide an opportunity to object or challenge the requirement.

3.4 Appendix A sets out the subject matter, duration, nature and purpose of the processing, along with the categories of Personal Data and types of Data Subjects that Latenode may process to perform the Business Purposes. If the Customer wishes to process Sensitive Personal Data via the Latenode platform, the Customer must notify Latenode in writing and ensure such processing complies with applicable law. The Customer is responsible for issuing specific instructions for such data.

4. Security

4.1 Latenode will implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental or unlawful loss, destruction, alteration, disclosure or damage, including the measures described in Annex II. Latenode will document these measures and review them at least annually to ensure they remain current and effective.

4.2 Latenode will ensure a level of security appropriate to the risks, including as appropriate: (a) pseudonymisation and encryption; (b) the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore availability and access to Personal Data in a timely manner following a physical or technical incident; and (d) processes for regularly testing, assessing and evaluating the effectiveness of security measures.

4.3 Personnel. Latenode will ensure that all personnel who have access to Personal Data: (a) are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions; (b) have received training appropriate to their role on data protection and information security; and (c) are aware of their obligations under this Agreement and applicable Data Protection Legislation.

5. Subprocessors

5.1 The Customer consents to Latenode engaging subprocessors to provide the Platform. Latenode will inform the Customer of intended changes to its subprocessors, allowing the Customer to object under clause 5.3.

5.2 Latenode will: (a) enter into an agreement with each subprocessor imposing obligations substantially similar to those in this Agreement (including appropriate technical and organisational security measures) and, on the Customer’s written request and at the Customer’s expense, provide copies of such agreements with confidential information redacted; (b) retain control over all Personal Data entrusted to the subprocessor; and (c) ensure the subprocessor’s agreement terminates automatically upon termination of this Agreement.

5.3 If the Customer objects to a new or replacement subprocessor, the Customer may terminate its account for the Platform or, where feasible, agree with Latenode to terminate access to the portion of the Services affected by the new subprocessor. This is the Customer’s sole and exclusive contractual remedy.

5.4 Latenode remains fully liable to the Customer for a subprocessor’s performance of its obligations.

5.5 A list of subprocessors, together with a form to subscribe to updates about them, can be found here.

6. International transfers

6.1 Where an appropriate safeguard is required for international transfers of Personal Data and no alternative arrangement has been agreed, the SCCs are incorporated into this Agreement as if set out in full. For transfers subject to the UK GDPR, the parties adopt the UK Addendum issued by the UK Information Commissioner’s Office, which, where applicable, is deemed attached to this Agreement.

6.2 The Customer consents to Latenode (and its subprocessors) transferring Personal Data outside the European Economic Area ("EEA"), provided that Latenode: (a) processes Personal Data in a territory that the European Commission has determined provides adequate protection; or (b) participates in a valid cross‑border transfer mechanism under the Data Protection Legislation, identifies the mechanism in Appendix A, and notifies the Customer of any change; or (c) otherwise ensures the transfer complies with the Data Protection Legislation, including Articles 44 et seq. GDPR.

7. Assistance and cooperation

7.1 Taking into account the nature of its processing and information available to it, Latenode will reasonably assist the Customer, at no additional cost, in meeting obligations under the Data Protection Legislation, including with respect to Data Subject rights, data protection impact assessments, and communications with supervisory authorities.

7.2 Latenode will promptly notify the Customer if it receives any complaint, notice, communication or Data Subject request relating to Personal Data, and will provide reasonable cooperation to enable the Customer to respond. Latenode will not respond to any Data Subject request directly except on the Customer’s documented instructions or where required by law; in such cases, and to the extent permitted by law, Latenode will inform the Customer before responding.

8. Personal Data Breach

8.1 Latenode will notify the Customer promptly and without undue delay if any Personal Data is lost, destroyed, damaged, corrupted, or rendered unusable, and will, at its cost, restore such Personal Data.

8.2 Latenode will notify the Customer without undue delay and, where feasible, not later than 72 hours after becoming aware of: (a) any accidental, unauthorised or unlawful processing of Personal Data; or (b) any Personal Data Breach.

8.3 Without undue delay, Latenode will also provide: (a) a description of the nature of the event, including the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the likely consequences; and (c) measures taken or proposed to address the event, including steps to mitigate possible adverse effects.

8.4 The parties will coordinate to investigate any Personal Data Breach. Latenode will: (a) assist with any investigation; (b) make available relevant records, logs, files, data reports and other materials required to comply with the Data Protection Legislation or as otherwise reasonably requested by the Customer; and (c) take prompt and reasonable steps to mitigate effects and minimise damage.

8.5 Latenode will not notify any third party of a Personal Data Breach without the Customer’s prior written consent unless required by law. The Customer has the sole right to determine whether to notify Data Subjects, supervisory authorities, regulators, law enforcement, or others, including the content and method of any notice, and whether to offer any remedy to affected Data Subjects.

8.6 Latenode will bear all reasonable costs of performing its obligations under this clause 8 unless the incident results from the Customer’s specific instructions, negligence, wilful default or breach of this Agreement, in which case the Customer will bear the reasonable costs of both parties.

9. Records and audits

9.1 Latenode will keep detailed, accurate and up‑to‑date written records regarding its processing of Personal Data for the Customer, including access, control and security of Personal Data, approved subprocessors and affiliates, processing purposes, categories of processing, transfers of Personal Data to third countries and related safeguards, and a general description of the security measures referred to in clause 4 (the "Records").

9.2 Latenode will ensure the Records are sufficient to enable the Customer to verify Latenode’s compliance with this Agreement and will provide copies of the Records upon request.

9.3 No more than once in any 12‑month period, upon the Customer’s request, Latenode will conduct an audit (by itself or its third‑party representatives) to assess compliance with this Agreement and will provide the results to the Customer. The Customer may submit reasonable questions about compliance in advance, and Latenode will use reasonable endeavours to address them in the audit results.

9.4 Upon the Customer’s written request and at the Customer’s cost, Latenode will exercise any relevant audit rights it has to verify its subprocessors’ compliance regarding the Customer’s Personal Data and will provide the Customer with the audit results.

10. Data return and deletion

10.1 On the Customer’s request, Latenode will provide the Customer with a copy of, or access to, all or part of the Customer’s Personal Data in Latenode’s possession or control, in a commonly accessible electronic format determined by Latenode.

10.2 On expiry or termination of the Terms of Service for any reason, Latenode will promptly and securely delete or destroy, or if directed in writing by the Customer, return (and not retain) all Personal Data related to this Agreement in Latenode’s possession or control. This does not apply to Personal Data archived on backup systems that are not reasonably accessible, provided such Personal Data is isolated from routine processing and deleted in accordance with Latenode’s standard backup rotation schedule.

10.3 Clause 10.2 does not apply to the extent that law or a governmental or regulatory body requires Latenode to retain documents or materials that would otherwise be returned or destroyed.

11. Data location and residency (optional)

11.1 Unless otherwise specified in Appendix A or the Terms of Service, Latenode may process and store Personal Data in the EEA or other jurisdictions, subject to clause 6 (International transfers). If the Customer elects a specific data residency option (where available), such election must be documented in Appendix A.

12. Liability and indemnity

12.1 To the fullest extent permitted by law, the exclusions and limitations of liability in the Terms of Service apply to this Agreement. Each party’s aggregate liability arising out of or in connection with this Agreement is subject to, and shall not exceed, the applicable cap set out in the Terms of Service.

12.2 Nothing in this Agreement limits or excludes liability for wilful misconduct, fraud, or any liability that cannot be limited or excluded by applicable law.

12.3 No additional indemnities are created by this Agreement. Any indemnities between the parties apply only to the extent set out in the Terms of Service.

12.4 Notwithstanding anything to the contrary in the Terms of Service, for claims arising from (a) breach of clause 4 (Security) and Annex II, clause 8 (Personal Data Breach), or clause 10 (Data return and deletion), (b) infringement of Data Protection Legislation resulting from Latenode’s processing, or (c) sums payable under the SCCs to the extent permitted by law, each party’s aggregate liability shall be limited to two (2) times the fees paid by the Customer in the twelve (12) months preceding the event giving rise to liability.

13. Term and survival

13.1 This Agreement remains in effect for so long as: (a) the Terms of Service remain in effect; or (b) Latenode retains Personal Data related to the Terms of Service in its possession or control.

13.2 Any provision intended to come into or remain in force on or after termination of the Terms of Service in order to protect Personal Data will continue in full force and effect.

13.3 If any change to the Data Protection Legislation prevents either party from fulfilling all or part of its obligations under the Terms of Service, the parties will suspend processing until compliance is restored. If compliance cannot be achieved within 30 days, either party may terminate the Terms of Service on written notice.

13.4 Latenode will promptly notify the Customer of any changes to the Data Protection Legislation that Latenode becomes aware of and that may materially affect Latenode’s performance of the Services or its obligations under this Agreement.

14. Governing law and venue

14.1 Subject to the SCCs (which govern themselves as specified therein), this Agreement and any non‑contractual obligations arising out of or in connection with it are governed by the laws of Cyprus, and the courts of Cyprus have exclusive jurisdiction to settle any dispute arising out of or in connection with it.

15. Miscellaneous

15.1 Notices. Formal notices under this Agreement must be sent to the addresses specified in the Terms of Service (with a copy by email to [insert privacy contact email]). Instructions relating to processing may also be provided by the Customer via the Latenode interface, API, or email from Authorised Persons.

15.2 Assignment. Neither party may assign this Agreement without the other party’s prior written consent, except that either party may assign this Agreement together with the Terms of Service to a successor in interest in connection with a merger, reorganisation, acquisition or other transfer of all or substantially all of its assets or voting securities.

15.3 Severability. If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions will remain in full force and effect.

15.4 Order of precedence. In the event of conflict or ambiguity: (a) the executed SCCs (and any UK Addendum) prevail over this Agreement; (b) the body of this Agreement prevails over its Appendices and Annexes (other than the SCCs and any UK Addendum); (c) this Agreement prevails over the Terms of Service; and (d) the Appendices and Annexes to this Agreement prevail over any accompanying invoice or other appended documents.

15.5 The following optional commitments are available on Enterprise plans: (a) a US privacy addendum addressing CPRA and applicable US state privacy laws; (b) availability of a current SOC 2 Type II report under NDA; (c) cyber liability insurance confirmation and limits; (d) alternative governing law and venue as specified in an Order Form; and (e) an alternative liability floor as expressly agreed. Any such options apply only if expressly stated in the Order Form or an executed addendum.


The parties’ authorised signatories have executed this Agreement.

ON BEHALF OF NOCODE LTD:

NAME: ___________________, Director _____________________________________________

COMPANY NAME AND ADDRESS: Nocode LTD, Griva Digeni, 51, ATHINAION COURT, Flat/Office 202, 8047, Paphos, Cyprus _____________________________________________

SIGNED: Signed by: ___________________


ON BEHALF OF THE CUSTOMER:

CONTACT PERSON NAME: _____________________________________________

CONTACT PERSON POSITION: _____________________________________________

CONTACT PERSON EMAIL: _____________________________________________

COMPANY NAME AND ADDRESS: _____________________________________________

SIGNED: _____________________________________________

DATE: _____________________________________________


Appendix A — Personal Data processing purposes and details

DATA PROCESSING PURPOSES AND DETAILS

Subject matter of processing: Latenode provides a workflow automation platform enabling customers to synchronise, move and transform data between third‑party services.

Duration of Processing: For the duration of the Customer's subscription term.

Nature of Processing: Provision of Latenode's services to the Customer to automate workflows.

Business Purposes: Automation of internal business processes.

Personal Data Categories: Name, email address, password, billing address, credit card information, IP address, API key, access token, user identifiers, integration configuration, API logs, cookies.

Data Subject Types: At the Controller's discretion, personal data may be submitted concerning, without limitation: employees, customers, vendors, and service providers.

Authorised Persons: The holder of the Latenode account.

Latenode's legal basis for Processing outside the EEA: Standard Contractual Clauses.


Annex I — SCC details

The SCCs are incorporated by reference. Where a choice of governing law or forum/jurisdiction is required, the parties select Cyprus.

A. List of parties

Data exporter

Name: The exporter is the Customer specified in the Agreement

Address: Specified in the Agreement

Contact person’s name, position and contact details: Specified in the Agreement

Activities relevant to the data transferred under these Clauses: Processing in connection with Latenode’s Terms of Service

Role: Controller

Signed: ___________________________________

Data importer

Name: Nocode LTD

Address: Griva Digeni, 51, ATHINAION COURT, Flat/Office 202, 8047, Paphos, Cyprus

Contact person’s name, position and contact details: ___________________, Director, available at [insert contact email]

Activities relevant to the data transferred under these Clauses: Processing in connection with our Terms of Service

Role: Processor

Signed: ___________________________________

Signed by: ___________________

B. Description of transfer

Module Two: Controller‑to‑Processor

Categories of data subjects: Data subjects whose Personal Data is uploaded or otherwise provided by the data exporter to Latenode.

Categories of personal data transferred: Personal Data submitted to Latenode by the exporter. The categories of Personal Data are determined and controlled solely by the exporter.

Sensitive data transferred (if applicable) and applied safeguards: None anticipated.

Frequency of the transfer: Continuous for the duration of the Agreement.

Nature of the processing: Personal Data will be processed to (i) provide Latenode’s product to the data exporter and meet the data importer’s obligations under the Agreement; and (ii) comply with applicable laws.

Purpose(s) of the transfer and further processing: Personal Data will be processed to (i) deliver Latenode’s product to the data exporter and fulfil contractual obligations under the Agreement; and (ii) comply with legal requirements.

Retention period or criteria: Personal Data will be retained for as long as necessary to provide Latenode’s product under the Agreement, in accordance with Latenode’s data retention practices and as otherwise required by law.

For transfers to (sub‑)processors: Latenode’s sub‑processors will process Personal Data to assist Latenode in providing its product under the Agreement, for as long as needed for that purpose.

C. Competent supervisory authority

The Office of the Commissioner for Personal Data Protection (Cyprus)


Annex II — Technical and organisational measures (TOMs)

Latenode’s technical and organisational measures include the following categories of controls (further detail may be provided upon request):

– Governance and risk management

– Asset management and data classification

– Access control (identity, MFA, RBAC, least privilege, joiner/mover/leaver)

– Cryptography (TLS 1.2+/1.3, encryption at rest, key management/rotation)

– Physical and environmental security

– Operations security (logging/SIEM, vulnerability management with patch SLAs)

– Communications security (network segmentation, WAF, IDS/IPS)

– System acquisition, development and maintenance (secure SDLC, SAST/DAST, secrets management)

– Supplier management (due diligence, contractual controls, monitoring)

– Incident management (runbooks, breach notification workflow)

– Business continuity and disaster recovery (tested; restore objectives)

Latenode will not materially reduce the overall security of the service during any subscription term and will notify the Customer of any substantial changes.


Annex III — Sub‑processors

The current list of sub‑processors and a mechanism to subscribe to updates is available as referenced by Latenode.


Last updated on August 4, 2025