
Data Processing Agreement

Template — Effective upon execution by both parties

This Data Processing Agreement (“DPA”) forms part of the software license agreement (“Agreement”) between the client identified in the Agreement (“Controller”) and Nexus Automate AI, S.L. (NIF: B26956565), registered in Spain (“Processor”).

This DPA is entered into pursuant to Article 28 of Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”).

1. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller through the Nexus Automate platform.
  • “Processing” means any operation performed on Personal Data, including collection, recording, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
  • “Data Subject” means the identified or identifiable natural person to whom the Personal Data relates.
  • “Subprocessor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

2. Scope and Purpose of Processing

The Processor shall process Personal Data only for the purposes of providing the Nexus Automate AI platform as described in the Agreement. The categories of data, data subjects, and processing activities are described in Annex A of this DPA.

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law.
  • Immediately inform the Controller if, in the Processor’s opinion, an instruction infringes the GDPR or other EU/Member State data protection provisions.

3. Processor Obligations

The Processor shall:

  • Confidentiality: Ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Security measures: Implement appropriate technical and organizational measures as described in Annex B to ensure a level of security appropriate to the risk of processing.
  • Subprocessors: Not engage another processor without prior specific or general written authorization of the Controller. Where general written authorization is given, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of subprocessors, giving the Controller the opportunity to object. See current subprocessor list.
  • Assistance with data subject rights: Assist the Controller by appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising data subject rights (Articles 15–22 GDPR).
  • Assistance with security and breach notification: Assist the Controller in ensuring compliance with obligations under Articles 32–36 GDPR, taking into account the nature of processing and information available to the Processor.
  • Deletion or return: At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage.
  • Audit rights: Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

4. Personal Data Breach Notification

The Processor shall:

  • Notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data Breach.
  • Provide the Controller with sufficient information to allow the Controller to meet any obligations to report or inform data subjects of the Personal Data Breach under Articles 33 and 34 GDPR.
  • Include in the notification at minimum: (a) the nature of the breach, (b) categories and approximate number of data subjects affected, (c) likely consequences, and (d) measures taken or proposed to address the breach.

5. Subprocessors

The Controller provides general written authorization for the Processor to engage the subprocessors listed at nexus-automate.com/subprocessors. The Processor shall:

  • Maintain an up-to-date list of subprocessors on its website.
  • Notify the Controller at least 30 days in advance of any intended addition or replacement of subprocessors.
  • Impose the same data protection obligations as set out in this DPA on any subprocessor by way of a contract.
  • Remain fully liable to the Controller for the performance of any subprocessor’s obligations.

If the Controller objects to a new subprocessor, the parties shall discuss the concern in good faith. If no resolution is reached within 30 days, the Controller may terminate the affected services without penalty.

6. International Data Transfers

The Processor shall not transfer Personal Data to a country outside the European Economic Area (EEA) unless:

  • The European Commission has issued an adequacy decision for the recipient country; or
  • Standard Contractual Clauses (SCCs) approved by the European Commission are in place; or
  • Another valid transfer mechanism under Chapter V GDPR applies.

Where transfers to non-EEA subprocessors occur (see subprocessor list), the Processor applies additional technical safeguards including PII stripping and data minimization before any data leaves the EEA.

7. Data Protection Impact Assessments

The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments (DPIAs) and prior consultations with supervisory authorities (Articles 35–36 GDPR) that are required in relation to the processing performed under this DPA.

8. Term and Termination

This DPA shall remain in effect for the duration of the Agreement. Upon termination of the Agreement:

  • The Processor shall, at the Controller’s election, return or securely delete all Personal Data within 30 days.
  • The Processor shall provide written certification of deletion upon request.
  • Obligations of confidentiality shall survive termination.

9. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of Spain. Any disputes arising from this DPA shall be submitted to the courts of Alicante, Spain.

The supervisory authority for the Processor is the Agencia Española de Protección de Datos (AEPD), www.aepd.es.

Annex A — Details of Processing

Categories of Data Subjects:

  • End customers of the Controller’s e-commerce platform
  • Visitors to the Controller’s website

Categories of Personal Data:

  • Pseudonymized visitor identifiers (session IDs, cookie IDs)
  • Behavioral data (page views, clicks, cart actions, browsing patterns)
  • Transaction data (order values, product categories — no payment card data)
  • Device and browser metadata
  • Consent preferences

Nature and Purpose of Processing:

  • Real-time behavioral analysis for personalized engagement
  • AI-driven recommendation and decision-making (with automated profiling)
  • Cart recovery and churn prediction
  • Customer support automation via RAG pipeline
  • Analytics and reporting (aggregated)

Duration of Processing:

For the term of the Agreement. Behavioral data retained for 12 months. Audit logs retained for 36 months. Strategy outcome data retained for 36 months.

Annex B — Technical and Organizational Measures

The Processor implements the following security measures:

Encryption:

  • Data in transit: TLS 1.2+ on all connections
  • Data at rest: AES-256 encryption on all storage volumes
  • Database connections: SSL-enforced

Access Control:

  • Role-based access control (RBAC) for all platform components
  • SSH key-only authentication for infrastructure access
  • UFW firewall with deny-by-default policy
  • No shared credentials; individual accounts for all personnel

Data Minimization:

  • Automatic PII detection and stripping before data is sent to any external AI provider
  • Pseudonymization of personal identifiers in behavioral data
  • No raw personal data stored in AI model training sets

Infrastructure Security:

  • All services containerized via Docker with isolated networks
  • EU-based data centers (Frankfurt/Amsterdam) for primary infrastructure
  • Automated backups with tested recovery procedures
  • Prometheus/Grafana monitoring with alerting

Organizational Measures:

  • Confidentiality obligations for all personnel
  • Regular security reviews and credential rotation
  • Incident response procedures with defined escalation paths
  • Subprocessor due diligence and contractual obligations

© 2026 Nexus Automate. All rights reserved.