Data Processing Addendum
Last update: July 9, 2026
This data processing addendum (the “Data Processing Agreement”) is between 1oT and the Customer (each a “Party” and together the “Parties”) and applies as an addendum to our Terms of Service (“Terms”) as made available on https://www.1ot.com/terms-of-service.
WHEREAS:
- The Customer and 1oT have entered an agreement under which 1oT provides the Customer access to mobile data connectivity and SMS services for IoT and M2M applications (the “Services”).
- In relation to the provision of the Services, the 1oT processes some limited personal data for the Customer.
- To ensure the secure, correct and lawful processing of personal data, the Parties have agreed to enter into this Data Processing Agreement.
- In the event of any conflict between the Terms and this Data Processing Agreement, this Data Processing Agreement shall prevail to the extent of the conflict.
1. GENERAL PROVISIONS
1.1 The terms used in the Data Processing Agreement are used in the meaning given to them in Article 4 of the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter the GDPR) or in the Terms.
1.2 In the context of Article 28 of the GDPR, the Customer is the data controller of the personal data transferred or made available through the use of the Services and 1oT is the data processor (or sub-processor, where Customer acts as a processor for its own customer).
2. GENERAL OBLIGATIONS OF THE 1OT
2.1 1oT shall process personal data in accordance with the applicable law, the Terms and this Data Processing Agreement.
2.2 1oT shall process personal data for the purposes described in Section 11.
2.3 1oT shall process personal data in accordance with all the instructions given or documented by Customer according to need. “Documented instructions” include this Data Processing Agreement, Section 11 (Processing Details), settings selected by the Customer in the Services, and any instructions provided by Customer in writing.
2.4 If 1oT considers that an instruction infringes the GDPR or other EU/Member State data protection law, 1oT shall inform the Customer without undue delay.
2.5 Customer is responsible for the lawfulness of the processing, including providing all required notices to data subjects and establishing a valid legal basis.
2.6 1oT shall keep records of all the data processing operations carried out on behalf of Customer as required under the GDPR. Upon the respective request by the Customer, 1oT shall make available to Customer the records.
2.7 1oT shall, taking into account the nature of the processing and available information, assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests for exercising data subjects’ rights under Chapter III GDPR.
2.8 1oT shall provide reasonable assistance to the Customer with Articles 32–36 GDPR (security, breach notifications, DPIAs and prior consultations), taking into account the nature of processing and information available to 1oT.
2.9 Upon termination or expiry of the Services relating to the processing, at Customer’s written election made within thirty (30) days of such termination or expiry, 1oT shall delete or return all personal data and delete existing copies within ninety (90) days, unless EU or Member State law requires storage. Routine backup copies will be overwritten in accordance with 1oT’s standard retention cycles. If Customer makes no election within the thirty (30) day period, 1oT shall delete the personal data.
2.10 1oT shall make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR and, where applicable, cooperate with the competent supervisory authority.
2.11 1oT may charge reasonable costs for assistance under Sections 2.5–2.8 where such assistance is excessive, unusually burdensome, or not reasonably required by the Services.
3. CONFIDENTIALITY
3.1 1oT shall ensure the full confidentiality of the personal data processed on behalf of the Customer.
3.2 1oT shall ensure that access to the personal data processed on behalf of the Customer shall be given to only those representatives, specific employees or other persons acting for the benefit of 1oT who need access to the personal data strictly in relation to the performance of their duties.
3.3 1oT shall ensure that no unauthorised third parties can access the personal data processed on behalf of the Customer, for example, employees present in 1oT’s premises, who do not need access in relation to the performance of their duties or other service providers, for example, cleaning staff, IT service providers etc., who in this specific case do not need access to the personal data in relation to the performance of their duties.
3.4 1oT shall ensure that all the representatives, employees of 1oT and other persons who through 1oT come into contact with the personal data processed on behalf of the Customer are subject to the confidentiality obligation assumed under a contract or the law and 1oT shall ensure that their representatives, employees and other persons acting for their benefit maintain the full confidentiality of the personal data.
4. SECURITY MEASURES
4.1 1oT shall ensure the security of personal data processing in accordance with Article 32 GDPR for the purposes of protecting personal data from accidental or unauthorised processing, disclosure or destruction.
4.2 Taking into account the state of the art and costs of implementation, and the nature, scope, context and purposes of the personal data processing as well as the risk to the rights and freedoms of natural persons, of varying likelihood and severity, that may result from personal data processing, 1oT shall apply appropriate technical and organisational measures upon personal data processing to ensure the security of personal data.
4.3 1oT shall use up-to-date information technology solutions and ensure the use of up-to-date antivirus programmes.
4.4 Customer may make reasonable recommendations regarding security measures. 1oT shall consider such recommendations in good faith but is not obliged to implement measures that would require material changes to the Services or infrastructure used for multiple customers.
4.5 Without limiting the generality of the foregoing, 1oT maintains measures appropriate to the risk, which may include: access controls; encryption in transit; business continuity/backup procedures, etc.
5. AUDIT
5.1 Customer has the right to audit or check the activity of 1oT with regard to the performance of this Data Processing Agreement or authorise an auditor to carry out the respective audit.
5.2 1oT’s obligations under Section 5 shall be deemed satisfied in the first instance by making available then-current independent third-party audit reports, certificates or summaries of controls (e.g., ISO/IEC certifications, independent audit letters) relating to the Services.
5.3 Any audits shall occur during business hours, be limited in scope to what is necessary to verify compliance, not unreasonably interfere with 1oT’s operations, and be subject to confidentiality obligations. Customer shall bear its own costs and reimburse 1oT for reasonable time and materials spent facilitating any audit.
6. PERSONAL DATA BREACH
6.1 In case of a personal data breach or suspected personal data breach, 1oT shall immediately notify the Customer of this. In case of a personal data breach of suspected breach or an incident that is likely to escalate into a personal data breach, 1oT shall send to the Customer a notification about the personal data breach, which shall include, where reasonably possible, include the following information:
6.1.1 a description of the nature of the personal data breach;
6.1.2 the categories and approximate number of data subjects concerned;
6.1.3 the categories and approximate number of personal data records concerned;
6.1.4 measures taken or proposed to be taken by 1oT to address the personal data breach or measures to mitigate its possible adverse effects.
6.2 1oT shall send the notification specified in section 6.1 to the Customer without undue delay and, where feasible, not later than within 48 hours of becoming aware of the personal data breach.
6.3 Insofar as 1oT is not able to submit the information described in section 6.1 within that term, 1oT may provide the information in phases without undue further delay.
7. SUBPROCESSORS AND TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
7.1 Customer grants 1oT a general authorisation to engage sub-processors for the processing of personal data. 1oT shall impose on sub-processors data protection obligations no less protective than those set out in this Data Processing Agreement and shall remain liable for the performance of each sub-processor to the extent provided in Section 8. 1oT shall inform Customer of intended changes concerning the addition or replacement of sub-processors by providing at least fourteen (14) days’ prior written notice. Customer may object to such changes on reasonable, data-protection-related grounds by notifying 1oT within fourteen (14) days of receipt of the notice. If Customer objects and the Parties cannot resolve the objection within a further fourteen (14) days, Customer may terminate the affected Services without penalty by written notice to 1oT.
7.2 1oT may process personal data in or outside the European Economic Area where such transfer is permitted under Chapter V GDPR, including on the basis of adequacy decisions or the European Commission’s standard contractual clauses. On request, 1oT shall identify the relevant transfer mechanism used for the processing.
7.3 Customer acknowledges that the Services depend on underlying mobile network operators (MNOs) and roaming partners globally. Such MNOs process network-level data (including device identifiers and location data derived from network signaling) as independent controllers or joint controllers under their own regulatory frameworks; 1oT does not act as a processor in respect of such MNO processing. 1oT’s obligations under this Data Processing Agreement apply only to personal data processed within 1oT’s own systems and infrastructure.
8. LIABILITY
8.1 Each Party shall be liable for the damage it causes the other Party as a result of its breach of this Data Processing Agreement or applicable data protection law, subject to the limitations in this Section.
8.2 To the maximum extent permitted by applicable law, each Party’s aggregate liability arising out of or relating to this Data Processing Agreement shall not exceed the fees paid or payable by Customer to 1oT for the Services giving rise to the claim in the twelve (12) months preceding the event giving rise to liability, except that this cap shall not apply to (i) wilful misconduct or fraud, or (ii) liability that cannot be limited under applicable law.
8.3 Neither Party shall be liable for any indirect or consequential loss, loss of profits or loss of business, in each case to the extent permitted by law. Administrative fines shall only be recoverable where imposed directly as a result of that Party’s breach.
8.4 Nothing in this Section affects data subjects’ rights to seek compensation under Article 82 GDPR vis-à-vis the Parties.
9. VALIDITY
9.1 The Data Processing Agreement shall be valid from its signing until 1oT is processing personal data on behalf of Customer or until the end of the term of Agreement, whichever is the later.
10. FINAL PROVISIONS
10.1 This Data Processing Agreement forms an integral part of, and is incorporated by reference into, the Terms.
10.2 1oT may update this Data Processing Agreement from time to time to reflect changes in applicable law, regulatory guidance or 1oT’s processing practices. Material changes will be notified to Customer via the email address associated with Customer’s account or through the Services. Continued use of the Services following such notification constitutes acceptance of the updated Data Processing Agreement.
10.3 The Data Processing Agreement shall be governed by the laws of the Republic of Estonia.
10.4 Disputes arising from the Data Processing Agreement shall be resolved by negotiations or in Estonian courts, Harju County Court being the court of first instance.
11. PROCESSING DETAILS
11.1 Purpose of processing. Provision of Services under the Terms.
11.2 Data subjects:
11.2.1 Customer’s personnel (e.g., administrators, technical and billing contacts, users submitting support requests);
11.2.2 Natural persons who use devices/SIMs where the Customer assigns a device/SIM to a natural person. 1oT is not aware of end-user identities. 1oT does not access or inspect the content of communications; processing is limited to metadata and technical information necessary to provide the Services. Where Customer enables optional network management features (e.g., packet gateway), data sessions may transit through 1oT infrastructure for the purpose of providing such features; 1oT does not store or analyse the content of such sessions except as necessary for troubleshooting purposes at Customer’s request.
11.3 Categories of personal data:
11.3.1 account and contact details for Customer personnel (name, role, business email, business phone);
11.3.2 device/SIM identifiers and network metadata;
11.3.3 approximate device/SIM location information derived from the communications network and session/usage metadata;
For clarity, no content of communications (e.g., websites visited, messages, etc) is processed by 1oT.
11.4 Processing operations by 1oT include collection/receipt; storage; transmission necessary to provide connectivity/SMS; logging and monitoring; deletion.
11.5 Processing period:
11.5.1 1oT eSIM Core (eSIM infrastructure) system logs retention period is 2.5 years, this is tied to the requirement of keeping all systems logs available for periods between bi-annual GSMA SAS-SM renewal audits. In case of GSMA SAS-SM audit standard change this retention period might change, but it will never be less than the maximum allowed period between GSMA SAS-SM renewal audits.
11.5.2 1oT eSIM Core (eSIM infrastructure) system user and SIM information is stored for duration of business needs, plus maximum period of storage of backup images of the systems - 6 months.
11.5.3 1oT Terminal platform data retention: Radius data is retained for 7 days. CDR (call detail records) data, personal user data and user logs are retained for the duration of the Customer relationship plus 12 months following termination, after which such data is deleted in accordance with 1oT’s standard data deletion procedures.
11.6 Locations of processing:
11.6.1 primary processing of 1oT Terminal occurs in the European Economic Area on infrastructure hosted in Frankfurt, Germany (valid as of the date of signing and may be unilaterally amended by 1oT within European Economic Area if deemed necessary). Email notifications may be sent by a third-party service, and CRM/contact management may be performed by a third-party tool and such processing may occur in the EEA and, where applicable, in other jurisdictions under a valid transfer mechanism pursuant to Section 7.2.
11.6.2 primary processing of 1oT eSIM Core occurs in the European Economic Area on infrastructure hosted in Paris, France (valid as of the date of signing and may be unilaterally amended by 1oT within European Economic Area if deemed necessary). Email notifications may be sent by a third-party service, and CRM/contact management may be performed by a third-party tool and such processing may occur in the EEA and, where applicable, in other jurisdictions under a valid transfer mechanism pursuant to Section 7.2.
11.7 Sub-processors (as at the date of this Data Processing Agreement) are:
11.7.1 Amazon Web Services (in Frankfurt, Germany, for 1oT Terminal & in Paris, France, for 1oT eSIM Core; valid as of the date of signing and may be unilaterally amended by 1oT within European Economic Area if deemed necessary) – cloud hosting and platform infrastructure for the Services (including databases, storage and compute);
11.7.2 Pipedrive – customer relationship management (CRM) for Customer personnel/contact data and account management;
11.7.3 Postmark – email delivery for Service and notifications.
11.7.4 Stripe - provides software that lets 1oT to accept payments via credit card and Paypal.
