GDPR and Data Handling — Noda Public Website
Last updated: April 22, 2026
Our Data Protection Commitment
TIMPIA S.R.L. operates the public Noda website with GDPR-aligned handling of personal data, vendor review, and documented access controls. This page summarizes our public-site posture. Product-side processor commitments for customer workspaces are handled separately in customer contracts and DPAs.
Processing Principles
We structure website-related processing around the GDPR principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality.
- Minimization: we ask only for the data needed to handle the requested demo, report, or conversation
- Purpose limitation: public-site inputs are used for the purposes stated in the privacy notice
- Reviewability: we document providers, transfer posture, and retention logic as part of our internal compliance pack
- Security: we apply technical and organizational controls appropriate to a B2B infrastructure software business
Data Subject Rights
You may exercise the rights granted by GDPR Articles 15-22 where the legal conditions are met, including access, rectification, erasure, restriction, portability, objection, and withdrawal of consent.
Public-site AI outputs or analytics data do not remove or reduce those rights.
How to Submit a Request
Email hello@noda.energy with enough detail for us to locate the relevant record. We may ask for proportionate identity verification before acting on a request. We usually respond within one month, with lawful extensions where a request is complex or voluminous.
Cookie and Browser Storage Policy
The public site uses necessary cookies and browser storage for language and consent handling, plus analytics storage after opt-in.
| Category | Purpose | Consent required |
|---|---|---|
| Necessary | Language preference, consent status, chat gate status, and core site behavior | No |
| Analytics | Website usage measurement through PostHog after you opt in | Yes |
| Marketing | Reserved for future campaign measurement if separately enabled | Yes |
Server-side records created when you submit a form do not depend on cookies or localStorage and are handled under the legal bases described in the privacy policy.
Security Measures
- Encrypted transport: website and API traffic is served over TLS
- Least-privilege access: access to production systems and vendor dashboards is limited to authorized personnel
- EU-oriented deployment choices: where regional choices exist, we prefer EU-region infrastructure for website and product operations
- Vendor governance: key providers are reviewed for DPAs, security posture, and transfer safeguards
- Operational logging: selected security and service events are logged to support troubleshooting, abuse prevention, and incident response
- Secure development baseline: we maintain internal controls for secrets handling, dependency review, and change management
ISO/IEC 27001 Status
We are building the control documentation, risk register, and Statement of Applicability needed for procurement-ready ISO/IEC 27001 alignment. As of the "Last updated" date shown on this page, TIMPIA S.R.L. is not yet ISO/IEC 27001 certified and no certificate number has been issued.
Data Processing Agreements
When Noda acts as a processor for customer workspace data, that relationship is expected to be governed by a signed Article 28 GDPR data processing addendum or equivalent contractual processor terms. This public website notice does not replace those customer documents.
Incident Response
If a personal data breach affecting the website or related systems occurs, we investigate, document, contain, and notify in line with GDPR Articles 33 and 34 where the legal thresholds are met. Internal response steps include triage, technical remediation, vendor coordination, and impact assessment.
Public Website Providers
The current public-site stack relies on the following main providers:
| Provider | Purpose | Typical region | Primary safeguard |
|---|---|---|---|
| Vercel | Website hosting and delivery | EU deployment preference / global vendor operations | DPA and contractual safeguards as applicable |
| Neon | Booking data storage | EU region selected | DPA and contractual safeguards |
| Google Calendar | Demo scheduling | Global infrastructure | Vendor terms and transfer safeguards as applicable |
| Resend | Transactional email | Global infrastructure | DPA and transfer safeguards as applicable |
| PostHog | Consent-based analytics and limited operational metrics | EU project hosting | DPA |
| Mistral AI | Chatbot and optional ROI-analysis features | EU-hosted configuration targeted by default | Vendor terms, contractual review, and transfer safeguards where required |
The exact transfer posture can vary by active contract, feature path, and vendor configuration. We revise this list when the public website stack materially changes.