Effective: APRIL 18, 2026
Last Updated: APRIL 18, 2026
IMPORTANT LEGAL NOTICE — CLASS ACTION WAIVER, LIMITATION OF LIABILITY, AND DISPUTE TERMS
PLEASE READ THIS AGREEMENT CAREFULLY. BY ACCESSING OR USING THE SERVICES, YOU AGREE TO BE LEGALLY BOUND BY THIS AGREEMENT. IF YOU DO NOT AGREE, YOU MUST NOT ACCESS OR USE THE SERVICES.
THIS AGREEMENT CONTAINS PROVISIONS THAT SIGNIFICANTLY AFFECT YOUR LEGAL RIGHTS, INCLUDING:
A WAIVER OF YOUR RIGHT TO PARTICIPATE IN ANY CLASS, COLLECTIVE, OR REPRESENTATIVE ACTION;
LIMITATIONS ON THE TYPES AND AMOUNTS OF DAMAGES YOU MAY RECOVER; AND
RESTRICTIONS ON HOW AND WHERE DISPUTES MAY BE RESOLVED.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, YOU AND NOCOM SOLUTIONS AGREE THAT ANY DISPUTES WILL BE RESOLVED ON AN INDIVIDUAL BASIS ONLY, AND NOT AS PART OF ANY CLASS, CONSOLIDATED, OR REPRESENTATIVE PROCEEDING.
THIS AGREEMENT ALSO LIMITS NOCOM SOLUTIONS’ LIABILITY, INCLUDING BY CAPPING TOTAL DAMAGES AND EXCLUDING CERTAIN TYPES OF DAMAGES (SUCH AS INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES), EVEN IF NOCOM SOLUTIONS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
THESE PROVISIONS MAY SUBSTANTIALLY LIMIT YOUR ABILITY TO SEEK RELIEF OR RECOVER DAMAGES. YOU SHOULD REVIEW THE SECTIONS TITLED “LIMITATION OF LIABILITY” AND “DISPUTES, GOVERNING LAW, AND VENUE” CAREFULLY BEFORE ACCEPTING THIS AGREEMENT.
By (a) clicking “I Accept,” (b) creating an Account, (c) signing an Order Form, or (d) using any Service, you agree to this Agreement on behalf of yourself and/or the entity you represent.
If you are accepting on behalf of an entity, you represent you have authority to bind that entity.
“Account”: A registered customer account used to access the Services.
“Affiliate”: Any entity controlling, controlled by, or under common control with a party.
“API”: Application programming interfaces used to provision, manage, or consume Services.
“Authorized Users”: Your employees, contractors, and end users authorized to use the Services under your Account.
“Customer Content”: Data, text, software, images, customer applications, logs, and other content you (or your Authorized Users) input, upload, transmit, or store using the Services.
“Documentation”: Service descriptions, technical docs, and user guides we publish.
“Fees”: Charges for Services, including usage, subscriptions, overages, and taxes.
“Order Form”: A mutually executed ordering document specifying Services, pricing, and terms.
“Services”: IaaS/hosting services, such as compute, storage, networking, virtualization, backups (if offered), managed services (if offered), and related support.
“Subprocessor”: A third party engaged by nocom Solutions to process Customer Content and/or Personal Data on your behalf (as applicable).
Eligibility. You must be at least the age of majority in your jurisdiction, and capable of entering a binding contract.
Account registration. You agree to provide accurate registration information and maintain it.
Credentials and security.
You are responsible for all activity under your Account, including by Authorized Users.
You must implement reasonable security controls, including access control, MFA where available, and secure handling of keys/tokens.
Authorized Users. You are responsible for ensuring Authorized Users comply with this Agreement.
Resellers/managed service providers. If you are a reseller/MSP, you must have written authorization from the end customer to create/manage their environment, and you remain responsible for compliance unless the Order Form states otherwise. All resellers must have authorization from nocom Solutions to perform such activities on our platform; Failure to adhere to this agreement will result in access termination or legal action.
Service provisioning. We may refuse provisioning, delay, or impose limits if required for fraud prevention, sanctions/export compliance, credit risk, technical constraints, or legal obligations.
Usage limits and quotas. Services may include default quotas (e.g., IPs, cores, storage IOPS, bandwidth). We may change quotas with reasonable notice, or immediately for security/stability.
No guaranteed capacity. Unless an Order Form states reserved capacity, capacity is provided on an “as available” basis.
Multi-tenant environments. Some Services may be multi-tenant. You agree not to attempt to access other tenants or shared infrastructure.
AUP applies. Your use must comply with Schedule A (AUP).
High-risk restrictions. Unless explicitly agreed in writing, you will not use the Services for:
safety-critical systems where failure could reasonably lead to death, personal injury, or catastrophic damage (e.g., certain medical life-support, nuclear facilities, air traffic control).
Security abuse. You must not:
probe, scan, or test vulnerabilities of Company systems except under an approved program,
bypass access controls,
engage in DDoS, botnet hosting, malware distribution, or credential theft.
Customer Content ownership. As between the parties, you retain all rights in Customer Content. We do not acquire ownership of Customer Content.
License to operate Services. You grant nocom Solutions a limited license to host, copy, transmit, display, and process Customer Content solely to:
provide, maintain, and secure the Services,
prevent or address technical/fraud/security issues,
perform support requests,
comply with law and enforce this Agreement.
Shared responsibility model (contractual statement). You acknowledge security and compliance responsibilities are shared:
We secure the underlying infrastructure and managed components we control.
You secure what you configure, deploy, and manage (including identities, guest OS configuration, network rules, application security, and data classification).
Security program. We will maintain an information security program reasonably designed to:
protect Service infrastructure,
prevent unauthorized access to Customer Content,
detect, respond to, and remediate security incidents.
Monitoring and logging.
We may monitor and log usage and network traffic to operate the Services, ensure stability, enforce this Agreement, and comply with law.
We may use automated systems to detect abuse, malware, credentials misuse, and policy violations.
We may process network traffic through third-party infrastructure providers as part of delivering, securing, and optimizing the Services. Such processing may include routing, inspection, and mitigation activities necessary to maintain service availability, integrity, and security.
To the extent permitted by applicable law, Customer acknowledges that certain automated monitoring and analysis of network traffic may occur for security, abuse prevention, and operational purposes, and that such processing is an inherent part of the provision of the Services.
Encryption.
In transit: We will support encryption in transit for customer management interfaces and APIs where feasible.
At rest: We will support encryption at rest features for applicable storage services (customer-managed keys may be offered if specified).
Customer responsibility: You are responsible for encrypting Customer Content where required by law or your policies and for key management if you use customer-managed keys.
Vulnerability management. We may patch infrastructure and managed services, including via scheduled or emergency maintenance. You remain responsible for patching your guest operating systems and applications unless the Order Form states otherwise.
Incident response lifecycle. We maintain an incident response process aligned to common industry phases (prepare; detect/analyze; contain; eradicate/recover; post-incident improvement). (See Schedule F timeline.)
Security Incident definition. “Security Incident” means a confirmed breach of Company-controlled systems that results in unauthorized access to Customer Content, or materially compromises confidentiality, integrity, or availability of Customer Content due to Company’s failure to maintain reasonable safeguards.
Notification.
We will notify you of a Security Incident without undue delay after becoming aware of it, consistent with our legal obligations and incident response processes.
If you are subject to EU GDPR breach notification obligations, you remain the controller responsible for regulator/data subject notifications, and we will provide reasonable information to assist you, as applicable.
Privacy Notice. Our Privacy Notice describes how we collect and use personal information related to accounts, billing, websites, and support (Schedule D).
Backups Unless expressly stated in an Order Form or service description, we do not provide backups of Customer Content, and you are responsible for backups and disaster recovery.
Optional backup services. If we offer backup/snapshot services, they are:
subject to configuration limits,
not guaranteed to prevent all data loss,
subject to the SLA only if explicitly covered.
Retention and deletion.
We retain certain logs and records for security, billing, abuse prevention, and legal compliance.
Upon termination, we will delete or de-identify Customer Content from production systems within a stated period, subject to legal holds and backup retention cycles (see Schedule E and Schedule G).
Secure disposal. When media is sanitized or retired, we will follow media sanitization practices consistent with widely used guidance (e.g., clear/purge/destroy categories).
Support tiers. Support tiers and response targets are in Schedule C.
Support exclusions. We may limit support for unsupported configurations, end-of-life software, third-party products, or issues caused by Customer Content.
Copyright policy. We respect IP rights and respond to notices of alleged infringement.
DMCA agent (U.S.). If we qualify as an online service provider under the DMCA, we will maintain a designated agent and publish contact info:
DMCA Agent: NO CURRENT DMCA AGENT
(FOR REQUESTS EMAIL [email protected])
Notice requirements. A valid notice must include required elements (identification of copyrighted work, location, contact info, statements under penalty of perjury, etc.).
Counter-notice. If you believe content was removed in error, you may submit a counter-notice.
Repeat infringer policy. We may terminate accounts of repeat infringers in appropriate circumstances.
As-is. EXCEPT AS EXPRESSLY STATED IN AN ORDER FORM, THE SERVICES ARE PROVIDED “AS IS” AND “AS AVAILABLE.”
Disclaimer. WE DISCLAIM ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT, TO THE MAXIMUM EXTENT PERMITTED BY LAW.
No guarantee of uninterrupted service. We do not guarantee the Services will be uninterrupted or error-free; SLA remedies apply if covered.
Cap. TO THE MAXIMUM EXTENT PERMITTED BY LAW, OUR TOTAL LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT WILL NOT EXCEED THE AMOUNTS PAID BY YOU TO US FOR THE AFFECTED SERVICES IN THE [12] MONTHS BEFORE THE EVENT GIVING RISE TO LIABILITY.
Excluded damages. TO THE MAXIMUM EXTENT PERMITTED BY LAW, WE ARE NOT LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR LOSS OF PROFITS/REVENUE/DATA, EVEN IF ADVISED OF THE POSSIBILITY.
Consumer carve-outs. Some jurisdictions do not allow limitations for certain consumer rights; where prohibited by law, the limitation applies only to the permitted extent.
Customer indemnity. You will defend and indemnify nocom Solutions from third-party claims arising from:
Customer Content,
your use of the Services in violation of law or AUP,
your applications, configurations, or security failures,
your breach of this Agreement.
Company IP indemnity. Company indemnifies Customer for claims that the Services (excluding Customer Content and third-party products) infringe IP, subject to limitations.
Compliance required. You represent you and your users are not subject to sanctions and will not use the Services in violation of applicable export controls or sanctions laws.
Screening and enforcement. We may suspend/terminate and/or block transactions to comply with sanctions/export controls.
Confidential Information. Non-public business, technical, and security information disclosed by either party is confidential.
Exclusions. Information is not confidential if independently developed, public without breach, received from a third party without duty, or rightfully known.
Required disclosures. A party may disclose confidential information as required by law, with notice if legally allowed.
Informal Resolution.
The parties agree to attempt to resolve any dispute, claim, or controversy arising out of or relating to these Terms, the Services, or the relationship between the parties (collectively, “Disputes”) through good-faith informal negotiations for a period of at least thirty (30) days before initiating any formal legal proceeding. Such informal efforts shall include written notice describing the nature of the Dispute and the relief sought.
Governing Law.
These Terms, and any Disputes arising out of or related thereto, shall be governed by and construed in accordance with the laws of the State of Florida, without regard to its conflict of law principles or rules that would require the application of the laws of another jurisdiction.
Exclusive Venue.
To the fullest extent permitted by applicable law, any Dispute that is not resolved through informal resolution shall be brought exclusively in the state or federal courts located within the State of Florida. The parties hereby consent to the personal jurisdiction of such courts and waive any objections based on improper venue or inconvenient forum.
Waiver of Class or Representative Actions.
To the maximum extent permitted by applicable law, all Disputes shall be resolved solely on an individual basis, and not as part of any class, consolidated, or representative action. The parties expressly waive any right to bring or participate in any class action, collective action, or other representative proceeding against the other party.
Equitable Relief.
Notwithstanding the foregoing, either party may seek injunctive or other equitable relief in any court of competent jurisdiction where necessary to prevent actual or threatened infringement, misappropriation, or violation of a party’s intellectual property rights or other proprietary interests.
Consumer and Local Law Rights.
Nothing in this section shall limit or exclude any rights that may not be waived under applicable consumer protection laws. If the laws of the user’s jurisdiction require access to local courts, prohibit certain waivers, or otherwise impose mandatory provisions, such laws shall control to the extent required.
Updates. We may modify this Agreement by posting an updated version and updating “Last Updated.” For material changes, we will provide notice via email or account notifications.
Effective. Changes become effective on the date specified in the notice, or if none, upon posting.
Continued use. Continued use after the effective date constitutes acceptance.
You may not assign this Agreement without our prior written consent (except in connection with a merger or sale of substantially all assets), and any prohibited assignment is void. We may assign to an Affiliate or successor.
If any provision is unenforceable, the remainder remains in effect. Failure to enforce is not a waiver. This Agreement is the entire agreement regarding Services.
Neither party is liable for failures caused by events beyond reasonable control (natural disasters, war, acts of government, widespread Internet incidents, etc.), excluding payment obligations.
This Data Processing Addendum (“DPA”) forms part of the agreement governing Customer’s use of the Services (the “Agreement”). Capitalized terms not defined herein have the meanings in the Agreement.
Parties
Customer: the entity or person entering into the Agreement (the “Controller” or “Customer”).
“Customer Personal Data”: Personal data (as defined by Applicable Data Protection Law) contained in Customer Content that Processor Processes on behalf of Customer under the Agreement.
“Processing”: as defined in Applicable Data Protection Law.
“Personal Data Breach”: a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
“Subprocessor”: any processor engaged by nocom to Process Customer Personal Data on behalf of Customer.
Controller/Processor roles. Customer is the Controller of Customer Personal Data. nocom is the Processor of Customer Personal Data, Processing such data only on behalf of Customer and in accordance with Customer’s instructions, as required by Article 28.
Excluded controller activities. This DPA does not govern personal data that nocom processes as an independent controller (e.g., account registration, billing, business security logs for nocom’s own purposes), which are addressed in nocom’s Privacy Policy.
The subject matter, duration, nature, and purpose of processing, as well as the types of Customer Personal Data and categories of data subjects, are described in Annex 1 (Processing Details), satisfying Article 28(3)’s minimum specification requirement.
Documented instructions. nocom shall Process Customer Personal Data only on documented instructions from Customer, including with regard to transfers to a third country, unless required by applicable law; in such case, nocom shall inform Customer of that legal requirement before Processing unless prohibited by law.
Instruction conflict notice. nocom shall promptly inform Customer if, in nocom’s opinion, an instruction infringes Applicable Data Protection Law.
Service configuration as instructions. Customer’s configuration and use of the Services in accordance with Documentation constitute Customer’s instructions.
No independent use. nocom shall not (i) sell Customer Personal Data, (ii) share Customer Personal Data for cross-context behavioral advertising, or (iii) otherwise Process Customer Personal Data for its own purposes, except as required by applicable law.
Confidentiality. nocom shall ensure persons authorized to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Access controls. nocom shall limit access to Customer Personal Data to authorized personnel as necessary to provide the Services and support requests.
Article 32 measures. Taking into account the state of the art, costs of implementation, and the nature, scope, context, purposes, and risks of Processing, nocom shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, consistent with Article 32.
Security measures summary. nocom’s security measures are described in Annex 2 (Technical and Organizational Measures). Customer acknowledges security is a shared responsibility and Customer is responsible for secure configuration of the Services.
Encryption and key management.
In transit: TLS 1.3.
At rest: AES.
Key options: BYOK / HYOK
Responsibility: Customer is responsible for key custody where customer-managed/BYOK is used; nocom is not responsible for loss of access due to Customer key deletion/rotation errors.
Ongoing effectiveness. nocom shall regularly test, assess, and evaluate the effectiveness of its technical and organizational measures and shall implement improvements where appropriate, taking into account evolving risks and industry practices.
Subprocessors may include infrastructure, network, and delivery providers that process Customer Personal Data in transit as part of delivering the Services, including providers of reverse proxy, content delivery, and secure tunneling functionality.
Authorization model. Customer grants nocom a general written authorization to engage Subprocessors to Process Customer Personal Data, subject to the notice/objection process below, consistent with Article 28(2).
Subprocessor list. nocom will maintain an up-to-date list of Subprocessors, including their processing activities and locations, as set out in Annex 3 of this Agreement. nocom may update such list from time to time in accordance with the notice and objection provisions of this DPA.
Notice of changes. nocom will notify Customer of any intended changes regarding the addition or replacement of Subprocessors at least 14 DAYS before the change becomes effective, except where urgent changes are required for security or legal compliance. This implements the “inform… thereby giving the controller the opportunity to object” concept.
Objection process. Customer may object to a new Subprocessor within 30 DAYS by contacting [email protected] and describing reasonable grounds relating to data protection. nocom will work with Customer in good faith to address the objection; if unresolved, Customer may terminate the affected Services in accordance with the Agreement.
Flow-down obligations. Where nocom engages a Subprocessor, nocom shall impose the same data protection obligations on the Subprocessor as set out in this DPA, and nocom remains liable to Customer for performance of Subprocessor obligations as required by Article 28(4).
Due diligence. nocom shall perform reasonable due diligence on Subprocessors prior to engagement, including evaluation of their security posture and data protection practices, and shall document such assessments where appropriate.
Notwithstanding the foregoing, nocom’s liability arising from Subprocessor acts or omissions shall remain subject to the limitations and exclusions of liability set forth in the Agreement, to the maximum extent permitted by applicable law.
Data subject rights. Taking into account the nature of Processing, nocom shall assist Customer through appropriate technical and organizational measures, insofar as possible, for the fulfillment of Customer’s obligation to respond to requests for exercising data subject rights (access, erasure, etc.).
Security, breach, DPIAs. nocom shall assist Customer in ensuring compliance with obligations relating to security, breach notification, DPIAs, and prior consultation, taking into account the nature of Processing and information available to nocom. DPIA obligations are anchored in GDPR Article 35.
Assistance limits (IaaS realism). Customer acknowledges that in IaaS environments nocom may not have visibility into the contents of Customer applications and may be limited to metadata and platform-level telemetry; assistance will be provided consistent with the Services’ design and Customer’s configurations.
Processor-to-controller notice. nocom shall notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data, consistent with Article 33(2).
Notification content. To the extent reasonably available, nocom’s notice will include the information needed by Customer to meet its Article 33(3) obligations (nature of breach; categories and approximate number of data subjects/records; likely consequences; measures taken or proposed; contact point). Guidance elaboration is reflected in EDPB breach notification guidelines.
Notification method. Notices will be sent to Customer’s designated security contact(s) at their email and in the customer portal.
No admission. Notification does not constitute an admission of fault or liability.
Location transparency. Primary processing locations/data center regions: FLORIDA, UNITED STATES OF AMERICA.
Transfer restrictions. nocom shall not transfer Customer Personal Data to a country outside the EEA/UK/Switzerland (as applicable) unless:
Customer instructs the transfer via use/configuration of the Services; or
an appropriate transfer mechanism is in place (Adequacy, SCCs, or other Article 46 safeguards). SCCs are described by the European Commission as standardized, pre-approved model clauses.
SCC election Where Standard Contractual Clauses apply, the Parties incorporate the Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914. The Parties agree that Module Two (Controller to Processor) applies.
Supplementary measures. Where applicable, the Parties will cooperate on transfer risk assessments and supplementary measures consistent with EDPB recommendations on supplementary measures. citeturn1search2turn1search5
nocom shall maintain records of processing activities as required for processors (Article 30) and make them available to competent authorities on request, and to Customer to the extent relevant and appropriate.
Audit right. Customer may audit nocom’s compliance with this DPA on reasonable prior written notice, during normal business hours, and in a manner that minimizes disruption to nocom’s operations, subject to the safeguards set forth below.
Audit safeguards (recommended for IaaS).
Frequency: no more than [1] audit per [12] months, unless a material incident or regulator request justifies additional audits.
Scope: limited to systems, policies, and controls relevant to Customer Personal Data; excludes other customers’ data, nocom trade secrets, and information that would create security risk.
NDA: audit conducted under a mutually acceptable confidentiality agreement.
Method: (preferred) review of independent audit reports or security documentation where available; on-site audits only where necessary and proportional.
Third-party reports. If available, nocom may provide SOC 2 / ISO 27001 reports or equivalent summaries under NDA in lieu of certain direct audit procedures.
End of services. At the choice of Customer, nocom shall delete or return Customer Personal Data after the end of the provision of Services, and delete existing copies, unless law requires retention.
Export window. Customer may export Customer Content during a post‑termination period of 14 DAYS, after which deletion is initiated.
Backups and logs.
Deletion from active systems may not immediately remove data from backups.
Backup retention period: 30 DAYS.
Log retention: 12 MONTHS.
Data will be deleted from backups per rotation/expiry and secure deletion practices.
Certification of deletion. Upon written request, nocom shall provide written confirmation of deletion of Customer Personal Data from production systems, subject to backup and archival limitations described herein.
This table is designed to satisfy the Article 28(3) requirement to enumerate processing details.
Field
Description for nocom Solutions DPA
Subject matter
Provision of IaaS/hosting Services, including compute, storage, networking, and support processing on Customer’s behalf.
Duration
For the term of the Agreement + post-termination export/deletion period.
Nature of processing
Hosting, storing, transmitting, and otherwise processing Customer Personal Data as necessary to provide the Services; support troubleshooting as requested by Customer.
Purpose of processing
Provide, maintain, and secure Services; perform support; prevent/mitigate security and abuse affecting Customer environments (processor context)
Categories of data subjects
Determined by Customer (e.g., Customer end users, employees, consumers).
Categories of personal data
Determined by Customer; may include identifiers, contact data, usage data, content data, and special categories if Customer uploads them.
Special categories
Not intended; if processed, Customer is responsible for lawful basis and instructions; nocom provides safeguards per Annex 2.
Processing operations
Collection (from Customer inputs), storage, retrieval, transmission, deletion, and access for support/security under instructions.
Payment processing and billing-related transaction handling (limited to payment data and associated metadata; does not include core Customer Content hosted within Services)
United States and other jurisdictions in which Stripe operates
Adequacy decisions and/or Standard Contractual Clauses (SCCs), as applicable
PCI-DSS compliant; encryption in transit and at rest; access controls and auditing
04/15/2026
Cloudflare
Reverse proxy, traffic routing, CDN, and secure tunnel services; processing of network traffic, request metadata, and Customer Content in transit as part of delivering the Sites and Services
United States and global edge locations
Adequacy decisions and/or Standard Contractual Clauses (SCCs), as applicable
