Enterprise Data Processing Agreement (DPA)
Official platform documentation and governance guidance.
1. Processing Mission Statement
Nexly.biz (the “Company”) acts as a data processor for a vast array of institutional partners. Our mission is to ensure that every byte of data processed within our educational fabric is handled with the highest degree of legal and technical safeguards. This Agreement defines the "Rules of Engagement" for data handling, ensuring absolute alignment with global privacy mandates.
2. Processing Roles & Definitions
Under this Agreement, the following roles are defined:
- The Customer: Acts as the "Data Controller," retaining primary sovereignty and ownership of the data.
- Nexly: Acts as the "Data Processor," executing business logic solely on behalf of and according to the instructions of the Controller.
3. Universal Structural Scope
This DPA applies to all processing activities involving "Personal Data" (as defined by GDPR) conducted by Nexly on behalf of the Customer. It encompasses the entirety of the storage, transmission, and computation lifecycle within the Nexly platform.
4. Processing Instructions & Limits
Nexly is contractually bound to process data *only* on the documented instructions of the Customer. We are strictly prohibited from processing Customer data for our own marketing, profiling, or secondary commercial purposes unless explicitly authorized in writing.
5. Personnel Confidentiality Mandate
Every Nexly representative with access to Customer data is subject to a "Lifer-Confidentiality" agreement. Access is granted on a "Least-Privilege" basis and only to personnel who have undergone rigorous privacy training and background vetting.
6. Sub-Processor Registry & Governance
Nexly utilizes a select group of "Critical Sub-Processors" (e.g., AWS, Stripe) to provide the infrastructure. We mandate through "Mirror-Agreements" that these sub-processors uphold the same privacy standards as Nexly. We maintain a public registry of these partners and provide notice of any planned changes.
7. Technical & Organizational Measures (TOMs)
Nexly implements enterprise-grade "TOMs," including but not limited to:
- Encryption: AES-256 at rest and TLS 1.3 in transit.
- Isolation: Logical separation of Customer data in our multi-tenant architecture.
- Vulnerability Intel: Weekly automated scanning and periodic third-party penetration audits.
8. Breach Notification SLA
In the event of a suspected or confirmed data breach affecting Customer data, Nexly will notify the Customer without undue delay and, in all cases, within **48 hours** of discovery. This window ensures the Customer can meet their own regulatory reporting obligations.
9. Audit & Inspection Rights
Customer retains the right to audit Nexly’s compliance with this DPA. This may be fulfilled through the provision of our latest SOC2 Type II report or, for specific high-risk scenarios, a supervised inspection of our security documentation and processing logs.
10. Data Subject Rights Support
Nexly provides automated tools to help Customers respond to Data Subject Requests (DSRs). If a data subject contacts Nexly directly, we will redirect them to the Customer as the primary Controller while providing all necessary technical assistance to the Customer to fulfill the request.
11. Cross-Border Transfer Guardrails
Where data is transferred across jurisdictional borders, Nexly utilizes the European Commission’s "Standard Contractual Clauses" (SCCs) to ensure an adequate level of protection, so that the data is shielded regardless of its physical residence.
12. Data Return, Purge & Termination
Upon termination of the service, Nexly will, at the Customer’s choice, either return or permanently delete all Customer data from our production clusters within 60 days. We provide a "Certificate of Destruction" upon request to confirm the finality of the purge.
13. DPA & Compliance Command
To request our Sub-Processor list, initiate a compliance audit, or sign a custom DPA, please connect with the Legal Compliance Desk.
Legal & DPA Compliance
Response SLA: 48h Legal Triage • Protocol v5.2