Data Processing Agreement

Last updated: April 23, 2026
GDPR Article 28 Compliant

This Data Processing Agreement ("DPA") forms part of and is incorporated into the Terms of Service (or other agreement) between:

Data Controller

The Customer (as identified in the main service agreement)

Data Processor

Nexus Systems B.V.
Amsterdam, The Netherlands
dpa@nexus-systems.com

This DPA sets out the terms under which the Data Processor will Process Personal Data on behalf of the Data Controller in compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR).

1. Definitions

"Personal Data"

Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly.

"Processing"

Any operation or set of operations performed on Personal Data, whether by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Data Subject"

An identified or identifiable natural person whose Personal Data is Processed.

"Data Breach"

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

2. Data Processing Details

2.1 Categories of Data Subjects

  • Customers and website visitors of the Data Controller
  • Employees and contractors (if applicable)
  • End users of the Data Controller's services

2.2 Categories of Personal Data

  • Identification data (names, email addresses, phone numbers)
  • Contact information and communication data
  • Behavioral and usage data from website interactions
  • Device and browser information
  • IP addresses and geolocation data
  • Survey responses and quiz answers

2.3 Processing Purposes

  • Providing the Platform services to the Data Controller
  • Analyzing user behavior and improving service quality
  • Generating personalized recommendations and content
  • Ensuring platform security and preventing fraud
  • Complying with legal obligations

2.4 Processing Duration

Personal Data will be Processed for the duration of the service agreement between the Data Controller and Data Processor, unless otherwise required by applicable law.

3. Obligations of the Data Processor

3.1 Processing Instructions

The Data Processor shall only Process Personal Data in accordance with the Data Controller's documented instructions and the terms of this DPA.

3.2 Confidentiality

The Data Processor shall ensure that all personnel authorized to Process Personal Data are bound by confidentiality obligations.

3.3 Security Measures

The Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and vulnerability testing
  • Incident response and breach notification procedures
  • Regular backups and disaster recovery procedures

3.4 Sub-processors

The Data Processor may engage sub-processors, but shall maintain an up-to-date list of sub-processors and provide it to the Data Controller upon request.

3.5 Data Subject Rights

The Data Processor shall assist the Data Controller in fulfilling its obligations to respond to Data Subject requests for exercising their rights under applicable data protection laws.

3.6 Data Breach Notification

The Data Processor shall notify the Data Controller without undue delay after becoming aware of a Data Breach affecting Personal Data processed under this DPA.

4. Obligations of the Data Controller

4.1 Lawful Instructions

The Data Controller shall ensure that its instructions for the Processing of Personal Data comply with applicable data protection laws.

4.2 Data Subject Consent

The Data Controller shall ensure that it has obtained all necessary consents and lawful bases for the Processing of Personal Data.

4.3 Data Quality

The Data Controller shall ensure that Personal Data provided to the Data Processor is accurate and up to date.

5. International Data Transfers

If Personal Data is transferred outside the European Economic Area, the Data Processor shall ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions by the European Commission
  • Binding Corporate Rules
  • Approved certification mechanisms

6. Audit Rights

The Data Controller shall have the right to audit the Data Processor's compliance with this DPA. Audits may be conducted:

  • By the Data Controller or its appointed auditor
  • Up to once per year unless a Data Breach has occurred
  • With reasonable advance notice
  • Subject to confidentiality obligations

7. Data Breach Response

In the event of a Data Breach, the Data Processor shall:

  • Notify the Data Controller without undue delay
  • Provide detailed information about the breach
  • Take immediate steps to mitigate the breach
  • Cooperate with the Data Controller in investigating the breach
  • Assist with regulatory notifications if required

8. Termination and Return/Destruction of Data

Upon termination of the service agreement or this DPA, the Data Processor shall:

  • Return or destroy all Personal Data in its possession
  • Delete existing copies unless retention is required by law
  • Certify in writing that all Personal Data has been destroyed
  • Ensure sub-processors comply with these requirements

9. Liability

Each party shall be liable for damages caused by its breach of this DPA in accordance with applicable data protection laws. The Data Processor's liability shall be limited to the amount stipulated in the main service agreement.

The Data Processor shall not be liable for breaches caused by the Data Controller's instructions or the Data Controller's breach of its obligations under this DPA.

10. Governing Law

This DPA shall be governed by and construed in accordance with the laws of The Netherlands. Any disputes shall be resolved through the courts of The Netherlands.

11. Amendments

This DPA may only be amended in writing and signed by both parties. The Data Processor reserves the right to update this DPA to comply with changes in applicable data protection laws.

12. Signatures

This DPA becomes effective upon the later of: (a) the date it is signed by both parties, or (b) the date Personal Data Processing begins under the main service agreement.

Data Controller

Data Processor

13. Contact Information

For questions regarding this DPA or data protection matters:

Address: Amsterdam, The Netherlands