Data Processing Addendum
Last updated: May 2026 · Forms part of the NexusForge Terms of Service
1. Roles & scope
You ("Controller") determine the purposes and means of processing personal data. NexusForge Technologies, Inc. ("Processor") processes that data only on your documented instructions. This DPA applies whenever NexusForge processes personal data covered by the GDPR, UK GDPR, Swiss FADP, or California CCPA/CPRA on your behalf.
2. Subject-matter & duration
Processing covers project, financial, CRM, document, and field-operations data you submit to the Service. Duration matches the term of your subscription plus the deletion windows in §9.
3. Sub-processors
Current sub-processors: AWS (us-east-1, eu-west-1), Supabase (managed Postgres), OpenAI / Google (zero-retention enterprise tier), Stripe (billing), Plaid (financial OAuth), Resend (transactional email). 30-day notice of new sub-processors with right to object.
4. International transfers
EU/UK data exported via the EU Standard Contractual Clauses (2021/914) Module Two and the UK IDTA. Transfer Impact Assessment available on request.
5. Security measures
SOC 2 Type II controls; AES-256 at rest, TLS 1.3 in transit; RBAC + SSO; quarterly penetration testing; secrets in HSM-backed vault; immutable audit logs ≥ 365 days; principle of least privilege for all engineers.
6. AI processing
All generative-AI calls route through providers contractually bound to zero-retention and no-training-on-customer-data. Embeddings are encrypted; you may disable AI features per workspace.
7. Data-subject rights
We will assist you in responding to access, rectification, erasure, restriction, portability, and objection requests, providing that assistance within 5 business days of your request. Self-service export and erasure are available in Settings → Data.
8. Breach notification
NexusForge will notify the Controller without undue delay and within 48 hours of confirming a personal-data breach affecting your tenant, with the information required by GDPR Art. 33(3).
9. Return & deletion
On termination, personal data is exportable for 30 days, then permanently deleted within 60 days from primary and backup systems, with a deletion attestation on request.
10. CCPA / CPRA
For California residents, NexusForge acts as a "Service Provider." We do not sell or share personal information and only retain, use, and disclose data for the limited business purposes defined by your subscription.
11. Audits
Annual SOC 2 Type II and ISO 27001 reports available under NDA. On-site audits available for enterprise customers with reasonable notice.
12. Contact
Data Protection Officer · dpo@nexusforge.ai · EU Representative: NexusForge EU Rep B.V., Herengracht 280, 1016 BX Amsterdam, NL.