Neo4j Data Processing Addendum
Last Updated: March 18, 2026
This Neo4j Data Processing Addendum (“DPA”) is incorporated into and supplements the agreement between Customer and the respective Neo4j contracting entity under which Neo4j has agreed to provide its Offerings (the “Agreement”). Capitalized terms used but not defined have the meanings set forth in the Agreement. In the event of any conflict between the Agreement and this DPA, this DPA shall govern.
- Scope and Roles. This DPA applies only to the extent that Neo4j Processes Personal Data on behalf of Customer in the provision of its Offerings. Neo4j acts as a Processor (or with respect to the CCPA, as a “service provider”) on behalf of Customer, who may act as either Controller of Personal Data or Processor on behalf of a third-party Controller (the “Third-Party Controller”).
- Customer Instructions.
- Neo4j shall Process Personal Data only as instructed by Customer, which instructions, if applicable, include and are consistent with instructions from Third-Party Controllers. Such instructions include Neo4j’s provision of its Offerings as described in the Agreement, and any Processing initiated by Customer in their use of the Offerings.
- Customer shall ensure its instructions are lawful and in accordance with the Agreement and that the Processing of Personal Data in accordance with such instructions will not violate Applicable Data Protection Legislation. Given the nature of the Processing, it is unlikely that Neo4j can form an opinion on whether instructions infringe Applicable Data Protection Legislation, but if Neo4j were to form such an opinion, it shall notify Customer without undue delay.
- Details of Data Processing. The details of the Processing, including the categories of Personal Data, the purposes of Processing, and the duration of the Processing are specified in Appendix 1.
- Security. Neo4j shall implement the technical and organizational measures specified in the Security Addendum to ensure the security of the Personal Data. This includes protecting the Personal Data against a Security Incident pursuant to Article 32 GDPR. Neo4j shall assist Customer in ensuring compliance with Customer’s obligations as a Controller or Processor pursuant to Article 32 GDPR.
- Customer Audit Rights.
- Reports. Upon written request and at no additional cost, Neo4j will provide Customer or its qualified third-party representative (collectively, the “Auditor”), access to documentation evidencing Neo4j’s compliance with this DPA, including, as applicable, (i) Neo4j’s ISO 27001 third-party certification; (ii) Neo4j’s SOC2 Report; and (iii) Neo4j’s most recently completed industry standard security questionnaire (collectively, “Audit Reports”).
- Audits. If Audit Reports and teleconference meetings with Neo4j personnel do not reasonably suffice to demonstrate Neo4j’s compliance with this DPA, Customer may request, with at least 30 days’ written notice, an audit of Neo4j’s applicable controls, including inspection of its facilities. Neo4j and Customer shall mutually agree in advance on the details of the audit, including having such audit take place during regular business hours, at a reasonable start date, and with a scope and duration that shall not unreasonably interfere with Neo4j’s day-to-day operations. Neo4j may charge a reasonable fee to cover costs incurred for any such audit. All Audit Reports, any audit, and any information arising therefrom shall be considered Neo4j’s Confidential Information.
- Third-Party Audits. In the event Customer conducts an audit through a third-party representative, such representative shall be subject to confidentiality obligations protective of Neo4j substantially similar to those set forth in the Agreement. Neo4j may object in writing to such third-party representative if, in Neo4j’s reasonable opinion, they are not suitably qualified or are a direct competitor of Neo4j. Any such objection by Neo4j will require Customer to appoint another third-party representative. Any expenses incurred by an Auditor in connection with an audit or any review of Audit Reports shall be borne exclusively by the Customer. Customer must promptly provide Neo4j with any findings of non-compliance discovered during the course of an audit, and Neo4j will use commercially reasonable efforts to address any confirmed non-compliance.
- Subprocessing.
- Customer Authorization. Customer provides Neo4j with a general authorization to engage Neo4j’s current Subprocessors listed at the Trust Center as of the effective date of this DPA. In addition, Customer generally authorizes Neo4j’s engagement of other third parties as Subprocessors subject to Section 6.3 (Changes to Subprocessors).
- Subprocessor Obligations. When engaging a Subprocessor under this DPA, Neo4j shall (a) enter into a contract that imposes data protection obligations no less protective than Neo4j’s obligations under this DPA, and (b) remain liable for the performance and compliance of Subprocessor’s obligations.
- Changes to Subprocessors. Customer may subscribe to Subprocessor updates on the Neo4j Trust Center. Neo4j will provide at least 30 days’ prior notice of any change to its Subprocessors by (i) updating the subscribed users of the Trust Center and (ii) emailing Customer’s authorized administrators of the Cloud Offering. During this notice period, Customer may object in writing to such changes on reasonable data protection grounds. The parties will discuss any such objections in good faith to reach a resolution. If no resolution is reached, Customer’s sole and exclusive remedy is the termination of those Offerings that cannot be provided in connection with the disputed Subprocessor. In the event of such termination, Customer must provide advance written notice to Neo4j. Neo4j will provide Customer with a pro-rata refund of any prepaid unused fees of such Order Form following the date of termination.
- Data Hosting and Processing Locations. Neo4j hosts Personal Data in the location selected by Customer on an Order Form and/or configured by the Customer via the Cloud Offering. Customer is solely responsible for the regions from which its Users access and transfer Personal Data. Neo4j will only Process Personal Data in Customer’s chosen location, except as reasonably necessary to provide the Cloud Offering as initiated or selected by Customer or as necessary to comply with the law or binding order of a governmental body.
- Data Transfer Mechanisms. For any transfer of Personal Data to a territory outside of the EEA, the United Kingdom, or Switzerland that has not been recognized by the relevant authorities as providing an adequate level of protection (each a “Restricted Transfer”), Neo4j shall ensure compliance with Applicable Data Protection Law through the mechanisms set forth below.
- Data Privacy Framework (DPF). Neo4j, Inc. participates in and has certified its compliance with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (together, the “DPF”). Where a Restricted Transfer is made to Neo4j, Inc. in the U.S., Neo4j shall provide at least the same level of protection as required by the DPF Principles. Neo4j will notify Customer if it determines it can no longer meet its obligation to provide such protection, in which case Customer may take reasonable steps to stop or remediate unauthorized Processing.
- Standard Contractual Clauses (SCCs). To the extent the DPF does not apply or is invalidated, Restricted Transfers shall be governed by the 2021 EU Standard Contractual Clauses (as approved by Commission Decision 2021/914), which are hereby incorporated by reference.
- Modules. Module Two (C2P) applies where Customer is a Controller; Module Three (P2P) applies where Customer is a Processor. When Customer is acting as a Processor, the Processor-to-Processor Clauses will apply to a Data Transfer. Taking into account the nature of the processing, Customer agrees that it is unlikely that Neo4j will know the identity of Third-Party Controller because Neo4j has no direct relationship with Third-Party Controller and therefore, Customer will fulfill Neo4j’s obligations to Third-Party Controller under the Processor-to-Processor Clauses.
- UK Transfers. For transfers protected by the UK GDPR, the UK International Data Transfer Addendum is incorporated into this DPA, with the EU SCCs deemed amended as specified by the UK ICO.
- Swiss Transfers. For transfers protected by the Swiss FADP, the EU SCCs apply with the following adaptations: (i) references to “GDPR” mean “FADP”; (ii) “Member State” includes Switzerland; and (iii) the Swiss FDPIC acts as the competent authority.
- Alternative Transfer Mechanism. The SCCs will not apply if Neo4j has adopted Binding Corporate Rules for Processors or an alternative recognized compliance standard for lawful Data Transfers.
- Cooperation.
- Data Subject Requests. Neo4j shall promptly notify Customer of any request it has received from Data Subjects. Neo4j shall not respond to such request itself, and Customer hereby authorizes Neo4j to redirect the Data Subject to Customer and/or to confirm that the request has been forwarded to Customer. Neo4j provides Customer with controls in the Cloud Offering to respond to requests from Data Subjects. To the extent Customer is unable to access the relevant Personal Data using the Cloud Offering, Neo4j shall, upon Customer’s written request and taking into account the nature of the Processing, provide commercially reasonable assistance to Customer.
- Impact Assessments and Prior Consultation. Taking into account the nature of the Processing and the information available to Neo4j, Neo4j shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligations to carry out data protection impact assessments and prior consultations with supervisory authorities. Such assistance shall be limited to information that is reasonably available to Neo4j and not otherwise accessible to Customer via the Documentation, the Cloud Offering, or Audit Reports.
- Government & Law Enforcement Inquiries. In the event of a legally binding order from a governmental body for the disclosure of Personal Data or if Neo4j receives a demand to retain, disclose, or otherwise Process Personal Data from law enforcement or any other government and/or public authority (“Governmental Inquiry”), Neo4j will use every reasonable effort to redirect the request to Customer and, unless prohibited by law, promptly notify Customer to allow it to seek a protective remedy. Neo4j commits to challenging any overbroad or inappropriate requests, including those conflicting with EU or local law, and will disclose only the minimum amount of data necessary to satisfy the Governmental Inquiry once compelled.
- Incident Management. Neo4j implements policies and processes to identify, detect, and manage Security Incidents in accordance with regulatory and legal requirements applicable to providing the Cloud Offering. In the event Neo4j discovers, or reasonably concludes based on an initial investigation, a Security Incident, Neo4j shall (i) notify Customer promptly and without undue delay in accordance with Article 33(2) GDPR and (ii) promptly take appropriate steps to minimize harm and mitigate any adverse effects resulting from the Security Incident.
- Term and Termination. The DPA shall become effective on the date on which Customer accepted, or the parties otherwise agreed to, this DPA. Notwithstanding the expiration or termination of the Agreement, this DPA shall remain in force until Neo4j has deleted the Personal Data. Upon termination of the Agreement or upon Customer’s written request, Neo4j shall delete the Personal Data as soon as reasonably practicable and within a maximum period of 180 days from the time of Customer’s written request, unless otherwise required by applicable law.
- Limitation of Liability. Each party’s liability taken together in the aggregate, arising out of or related to this DPA (including any incorporated Standard Contractual Clauses or transfer mechanisms), whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions set forth in the Agreement.
- Definitions.
- “Applicable Data Protection Legislation” means the General Data Protection Regulation ((EU) 2016/679) (“GDPR”), the European Directives 95/46 and 2002/58/EC (as amended by Directive 2009/136/EC), and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them (including but not limited to the Privacy and Electronic Communication (EC Directive) Regulations 2003), and the CCPA.
- “California Consumer Privacy Act” or “CCPA” means the California Consumer Privacy Act of 2018, as amended from time to time, including as amended by the California Privacy Rights Act of 2020, together with all implementing regulations.
- “Controller” means an entity that determines the purposes and means of the Processing of Personal Data.
- “Data Subject” means the natural person whose Personal Data is Processed under the Agreement and this DPA.
- “EU” and “EEA” mean, respectively, the European Union and the European Economic Area.
- “Standard Contractual Clauses” means the Standard Contractual Clauses issued by the EU Commission as an Annex by the Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, including the Appendices attached thereto, or any other decision by the EU Commission amending this Implementing Decision.
- “Personal Data” means any information relating to an identified or identifiable natural person, and which the Processor is Processing under the Agreement and this DPA, and of which the Controller is a controller under Applicable Data Protection Legislation, including, but not limited to, the definition of “personal information” in the CCPA.
- “Processor” means an entity that Processes Personal Data on behalf of a Controller.
- “Processing” has the meanings given by Applicable Data Protection Legislation, or absent any such meaning or law, as set forth in the GDPR. “Process,” “Processes,” and “Processed” will be interpreted accordingly.
- “Security Incident” shall mean a breach of Neo4j’s security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data.
- “Security Addendum” means the Neo4j Security Addendum made available at https://neo4j.com/legal-terms/.
- “Subprocessor” means a third party authorized as another processor under this DPA in order to provide the Offerings.
Appendix 1: Data Processing Details
- Subject Matter: The subject matter of the processing under this DPA is Customer Personal Data.
- Frequency and Duration: The duration of the Processing under this DPA is determined by the Customer. Neo4j shall Process the Personal Data continuously until Customer’s determination or the period of time following the expiration or termination of the Agreement subject to the applicable provisions on Customer Data deletion, including the Retrieval Right.
- Nature and Purpose of the Processing: Neo4j will Process Personal Data for the purposes of providing the Offerings to Customer in accordance with this DPA.
- Categories of Data: Customer determines and controls in its sole discretion the categories of Personal Data provided to Neo4j via the Offerings. These categories may include (i) identification and contact data (name, address, title); (ii) financial information (account details, payment information); (iii) employment details (employer, job title, geographic location); and/or (iv) IT information (IP addresses, cookie data, location data).
- Categories of Data Subjects: Customer determines and controls in its sole discretion the categories of Data Subjects to which Personal Data relate, which may include, but are not limited to, Customer’s employees, prospects, customers, partners, suppliers, and end users.