Last updated: June 1, 2026
This Data Processing Agreement ("DPA") forms part of the nsxia Terms of Service between nsxia, Inc. ("Processor") and the Customer ("Controller"). It governs the processing of personal data by nsxia on behalf of the Customer, in accordance with Article 28 of the EU General Data Protection Regulation (GDPR) and equivalent data protection laws.
Standard contractual DPA
This DPA is automatically incorporated into your agreement with nsxia when you create an account. No additional signature is required. Enterprise customers requiring a countersigned DPA may request one at [email protected].
"Personal Data" has the meaning given in the GDPR: any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
"Data Subject" means the natural person to whom Personal Data relates.
"Sub-processor" means any third party engaged by nsxia to process Personal Data on the Customer's behalf.
The Customer acts as the Data Controller, determining the purposes and means of processing Personal Data entered into the nsxia Platform.
nsxia acts as the Data Processor, processing Personal Data solely on behalf of and in accordance with the Customer's instructions.
Where nsxia processes data for its own operational purposes (e.g., billing, security), it acts as an independent Data Controller as described in the Privacy Policy.
nsxia will process Personal Data only on documented instructions from the Customer, which are set out in the nsxia Terms of Service and this DPA, or as otherwise agreed in writing.
nsxia will inform the Customer if it believes any instruction infringes applicable data protection law, unless prohibited by law.
nsxia personnel authorised to process Customer Personal Data are subject to confidentiality obligations.
nsxia shall implement and maintain appropriate technical and organisational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, and unauthorised access. These measures include those described in our Security Overview and include at minimum:
The Customer grants nsxia a general authorisation to engage Sub-processors, subject to the conditions in this section. nsxia will provide at least 14 days' notice before engaging any new Sub-processor.
nsxia imposes data protection obligations on Sub-processors equivalent to those in this DPA. nsxia remains liable for Sub-processor compliance with this DPA.
Current Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Neon (AWS) | Serverless PostgreSQL (primary data store) | United States (us-east-1) |
| Amazon Web Services (SES) | Transactional email delivery | United States |
| Amazon Web Services (S3) | File and document storage | United States (us-east-1) |
| Stripe | Payment processing and subscription billing | United States |
| Cloudflare | CDN, DDoS protection, DNS | Global edge network |
| Plausible Analytics | Privacy-first marketing page analytics | Germany (EU) |
Where Personal Data is transferred outside the European Economic Area (EEA), nsxia ensures appropriate safeguards are in place. For transfers to the United States, nsxia relies on Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914).
On request, nsxia will provide copies of the applicable SCCs.
nsxia will assist the Customer in responding to Data Subject requests to exercise rights under applicable law (access, rectification, erasure, portability, restriction, objection). Where nsxia receives a Data Subject request directly related to Customer data, it will promptly forward it to the Customer.
nsxia provides the Customer with tools to export and delete Personal Data from within the Platform. For additional assistance, contact [email protected].
nsxia will notify the Customer without undue delay (and in any case within 72 hours) after becoming aware of a Personal Data breach affecting Customer Personal Data. The notification will include:
Data breach notifications are sent to the primary account email address.
Upon termination or expiration of the Customer's account, nsxia will delete or return Customer Personal Data within 30 days. Residual copies in backup systems are purged within 60 days. nsxia may retain data required by applicable law.
The Customer may audit nsxia's compliance with this DPA by requesting a compliance report no more than once per calendar year. nsxia may satisfy this obligation by providing a current third-party audit report (e.g., SOC 2) or by completing a standardised security questionnaire (CAIQ, SIG Lite).
This DPA remains in force for the duration of the Customer's use of the Platform and survives termination to the extent necessary to fulfil deletion and return obligations.
For DPA-related enquiries: [email protected]
For data protection requests: [email protected]