Data Processing Agreement
Last updated: December 15, 2025
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between Nexion Technologies, LLC ("Nexion", "Processor", "we", "us") and the customer ("Controller", "you", "your") that has executed an Agreement with Nexion for the provision of data platform services (the "Services").
This DPA reflects the parties' agreement with regard to the Processing of Personal Data in accordance with the requirements of applicable Data Protection Laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable privacy laws.
2. Definitions
- "Controller" means the entity that determines the purposes and means of Processing Personal Data.
- "Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR, CCPA, and other applicable regulations.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is Processed.
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
- "Processor" means an entity that Processes Personal Data on behalf of the Controller.
- "Sub-processor" means any third party engaged by Processor to Process Personal Data on behalf of Controller.
- "Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
3. Scope and Roles
3.1 Scope
This DPA applies to the Processing of Personal Data by Nexion on behalf of the Controller in connection with the provision of the Services. The subject matter, duration, nature, and purpose of Processing, as well as the types of Personal Data and categories of Data Subjects, are described in Annex 1.
3.2 Roles of the Parties
The Controller determines the purposes and means of Processing Personal Data. Nexion acts as a Processor, Processing Personal Data only on documented instructions from the Controller.
4. Controller Obligations
The Controller shall:
- Ensure it has a lawful basis for Processing Personal Data
- Provide clear and documented instructions for Processing
- Ensure compliance with Data Protection Laws in its use of the Services
- Respond to Data Subject requests and notify Nexion when assistance is required
- Implement appropriate security measures in its systems
- Notify Nexion of any changes to Processing requirements
5. Processor Obligations
Nexion shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure persons authorized to Process Personal Data are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Respect conditions for engaging Sub-processors
- Assist the Controller in responding to Data Subject requests
- Assist the Controller in ensuring compliance with security, breach notification, DPIAs, and prior consultation obligations
- Delete or return all Personal Data upon termination, at Controller's choice
- Make available information necessary to demonstrate compliance
6. Security Measures
Nexion implements and maintains appropriate technical and organizational measures to protect Personal Data, including:
- Encryption: AES-256 encryption at rest, TLS 1.3 in transit
- Access Controls: Role-based access control, multi-factor authentication, least privilege principle
- Monitoring: Comprehensive logging, anomaly detection, security monitoring
- Physical Security: SOC 2 certified data centers (Azure, AWS, GCP)
A full description of our security measures is available in our Security documentation.
7. Sub-processors
7.1 Authorization
The Controller provides general authorization for Nexion to engage Sub-processors. The current list of Sub-processors is available below and will be updated with at least 30 days' notice before adding new Sub-processors.
7.2 Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Cloud infrastructure hosting | Customer-selected region |
| Amazon Web Services | Cloud infrastructure hosting | Customer-selected region |
| Google Cloud Platform | Cloud infrastructure hosting | Customer-selected region |
| Stripe | Payment processing | USA |
| Intercom | Customer support | USA |
7.3 Objection to Sub-processors
The Controller may object to the addition of a new Sub-processor within 14 days of receiving notice. If an objection is raised, the parties will work in good faith to resolve the concern. If no resolution is reached, the Controller may terminate the affected Services.
8. Data Subject Rights
Nexion will assist the Controller in responding to requests from Data Subjects exercising their rights under Data Protection Laws, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of Processing
- Right to data portability
- Right to object
If Nexion receives a request directly from a Data Subject, we will promptly notify the Controller unless prohibited by law.
9. Personal Data Breach
In the event of a Personal Data Breach, Nexion will:
- Notify the Controller without undue delay and within 48 hours of becoming aware
- Provide details of the nature of the breach, categories and approximate number of Data Subjects affected, and likely consequences
- Describe measures taken or proposed to address the breach and mitigate potential adverse effects
- Cooperate with the Controller in investigating and remediating the breach
- Assist the Controller in meeting its breach notification obligations to supervisory authorities and Data Subjects
10. International Data Transfers
When Personal Data is transferred outside the European Economic Area (EEA), UK, or Switzerland to a country not providing adequate protection, Nexion ensures appropriate safeguards through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreement or Addendum where applicable
- Supplementary measures where required by applicable law
The applicable SCCs are incorporated into this DPA by reference.
11. Audits
Nexion will make available to the Controller information necessary to demonstrate compliance with this DPA. The Controller may conduct audits, subject to:
- 30 days' prior written notice
- Reasonable scope and duration
- Confidentiality obligations
- Scheduling during normal business hours to minimize disruption
- Controller bearing audit costs (unless audit reveals material non-compliance)
Nexion maintains SOC 2 Type II certification, which may be provided in lieu of certain audit requests.
12. Data Retention and Deletion
Upon termination of the Agreement or upon Controller's request:
- Nexion will delete or return all Personal Data within 90 days, at Controller's choice
- Controller's data stored in their cloud infrastructure remains under their control
- Metadata and configuration data will be deleted from Nexion systems
- Retention may continue where required by applicable law
13. HIPAA Addendum
For Controllers subject to HIPAA, Nexion will execute a Business Associate Agreement (BAA) that addresses the Processing of Protected Health Information (PHI). The BAA incorporates additional safeguards required by HIPAA, including:
- Use and disclosure limitations
- Safeguards for PHI
- Breach notification requirements
- Sub-contractor flow-down requirements
Contact us to execute a BAA before Processing PHI.
Annex 1: Processing Details
- Subject Matter of Processing: Provision of data platform services including data integration, transformation, and storage
- Duration: Duration of the Agreement plus retention period
- Nature and Purpose: Collection, storage, transformation, transfer, and deletion of data as directed by Controller through the Services
- Types of Personal Data: As determined by Controller; may include names, contact information, identifiers, financial data, health information (with BAA), and other data categories
- Categories of Data Subjects: As determined by Controller; may include customers, employees, patients, end users, and other individuals
14. Contact
For questions about this DPA or to request a signed copy: