This Data Processing Agreement ("DPA") forms part of the agreement between NexliOne ("NexliOne," "Processor," "we") and the customer entity that has agreed to the applicable NexliOne Terms of Service, order form, or other written agreement for the Service ("Customer," "Controller," "you").
This DPA applies to the extent NexliOne processes personal data on behalf of Customer in connection with the Service and to the extent applicable data protection laws (including the EU/EEA General Data Protection Regulation 2016/679 ("GDPR")) require a processor agreement.
If there is a conflict between this DPA and the Terms of Service for data processing terms, this DPA controls for those terms only.
Terms such as "personal data," "processing," "controller," "processor," "data subject," and "supervisory authority" have the meanings given in GDPR (or the equivalent terms under applicable law).
"Customer Content" means data submitted to the Service by or on behalf of Customer, including any personal data contained in it.
Provision of the NexliOne platform and related services.
Processing continues for the term of Customer's use of the Service and, following termination, for the time needed to return or delete Customer Content in accordance with Customer instructions, the Terms, and applicable law.
Processing includes hosting, storing, organizing, retrieving, transmitting, and otherwise processing Customer Content to provide the Service, support, security, and maintenance.
Personal data may include (depending on Customer use): contact details, account identifiers, business records containing personal data, authentication data, support communications, and technical/log data.
Customer's users and administrators, employees, contractors, customers, vendors, and other individuals whose personal data Customer submits to the Service.
Customer instructs NexliOne to process personal data (a) to provide the Service and related support, (b) as configured by Customer and its users, and (c) as documented in the Documentation, this DPA, and the parties' agreement.
Customer is responsible for:
NexliOne will process personal data only on documented instructions from Customer, unless required to do otherwise by applicable law. If NexliOne is required by law to process personal data other than on Customer instructions, NexliOne will inform Customer of that requirement unless prohibited by law.
NexliOne will ensure that persons authorized to process personal data are bound by confidentiality obligations appropriate to the processing.
NexliOne will implement appropriate technical and organizational measures designed to protect personal data, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing. High-level measures are described in Annex B.
Customer authorizes NexliOne to engage sub-processors to process personal data on NexliOne's behalf for the Service, subject to Section 6.
Taking into account the nature of processing, NexliOne will provide reasonable assistance to Customer to respond to data subject requests (for example, access, deletion, correction, portability) to the extent Customer cannot do so through the Service.
NexliOne will provide reasonable assistance to Customer with:
in each case to the extent required by GDPR and to the extent the relevant information is available to NexliOne.
Upon termination of the Service, NexliOne will return or delete Customer Content (including personal data) in accordance with the Terms and Customer's instructions, unless retention is required by applicable law.
NexliOne will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and will allow and contribute to audits as required by GDPR, subject to reasonable confidentiality, security, and scheduling restrictions. Audits will be limited to information and systems relevant to the Service and this DPA.
Our current sub-processors commonly used for the Service are listed in Annex C. This list may change over time as the Service evolves.
NexliOne will impose data protection obligations on sub-processors that are no less protective than those in this DPA, including appropriate security obligations.
NexliOne will provide notice of material changes to sub-processors by updating the sub-processor list on our Legal Center or through other reasonable notice. If Customer objects to a new sub-processor on reasonable data protection grounds, the parties will work in good faith to address the objection.
NexliOne will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer personal data, and will provide information reasonably necessary to assist Customer in meeting its breach notification obligations under applicable law.
Customer acknowledges that NexliOne and its sub-processors may process personal data in the United States and other jurisdictions.
Where GDPR applies and personal data is transferred from the EEA/UK/Switzerland to a country not recognized as providing adequate protection, the parties will implement an applicable transfer mechanism, such as Standard Contractual Clauses, as required.
Liability under this DPA is subject to the limitations and exclusions in the parties' agreement, except to the extent such limitations are not permitted under applicable law.
For data protection inquiries:
See Section 3.
Depending on the Service configuration and features enabled, measures may include:
| Sub-Processor | Purpose | Typical Processing Locations |
| --- | --- | --- |
| Supabase | Database hosting, authentication, and related infrastructure | United States and other regions configured for the Service |
| ClickHouse | Analytics and performance/usage aggregation (as configured) | Global (depending on deployment) |
| Stripe | Payment processing and subscription billing | Global |
| Vercel | Hosting and content delivery | Global |
| Resend | Transactional email delivery | United States and other regions configured for delivery |