Data Processing Agreement

This DPA forms part of the agreement between the customer identified in the applicable Order Form or other written agreement with Nexus Core Inc. ("Controller") and Nexus Core Inc. ("Processor").

Effective 23 April 2026. Version 1.0.

Overview

This Data Processing Agreement ("DPA") forms part of the agreement between the customer identified in the applicable Order Form or other written agreement ("Controller") and Nexus Core Inc. ("Processor").

It sets out the terms on which the Processor processes personal data on behalf of the Controller in connection with the Nexus platform and related services.

1. Scope and roles

1.1 The Controller appoints the Processor to process personal data on its behalf.

1.2 The Controller determines the purposes and means of processing. The Processor processes personal data only on documented instructions from the Controller.

2. Nature and purpose of processing

2.1 Processing includes:

  • Hosting and managing user profiles
  • Facilitating connections and communications between users
  • Scheduling and conducting meetings
  • Transcription (if enabled)
  • Analytics to improve matching and recommendations

2.2 Categories of data subjects:

  • Customer employees, members, and users

2.3 Categories of personal data:

  • Name, email, profile information
  • Professional data (role, company, interests)
  • Communication data (messages, meeting metadata)
  • Audio/transcription data (if enabled)

3. Processor obligations

The Processor shall:

3.1 Process personal data only on documented instructions from the Controller.

3.2 Ensure personnel are bound by confidentiality obligations.

3.3 Implement appropriate technical and organizational measures to protect personal data.

3.4 Assist the Controller in responding to data subject requests (access, deletion, etc.).

3.5 Notify the Controller without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach affecting the Controller's data. The notification will describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it, together with any further information reasonably required for the Controller to meet its own notification obligations under applicable law.

3.6 At the Controller's choice, delete or return all personal data to the Controller within 30 days of termination of services, and delete existing copies, unless applicable law requires continued retention of the personal data.

4. Sub-processors

4.1 The Controller authorizes the Processor to use sub-processors.

4.2 Current sub-processors include:

  • Amazon Web Services (hosting)
  • OpenAI (AI features)
  • Resend (email)
  • Sentry (error tracking)
  • Clerk (authentication)
  • Daily.co (video and real-time communications)

A full, up-to-date list with regions is published at nexus.app/trust.

4.3 The Processor shall impose data protection obligations on sub-processors that are no less protective than those set out in this DPA.

4.4 The Processor will notify the Controller of any intended changes concerning the addition or replacement of sub-processors with at least 30 days' notice.

4.5 The Controller may object to such changes on reasonable data protection grounds.

5. International data transfers

5.1 The Processor may transfer personal data outside the EEA/UK.

5.2 Such transfers are safeguarded through:

  • The European Commission's Standard Contractual Clauses (SCCs); and
  • The UK International Data Transfer Addendum (UK IDTA), where personal data is transferred from the United Kingdom,

in each case incorporated into the Processor's agreements with the relevant sub-processors.

6. Security measures

The Processor implements appropriate technical and organizational measures designed to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, including:

  • Encryption in transit using industry-standard protocols (TLS 1.2 or higher)
  • Encryption of personal data at rest within production systems and backups
  • Role-based access controls ensuring access is limited to authorized personnel on a least-privilege basis
  • Multi-factor authentication (MFA) for access to production systems and administrative interfaces
  • Monitoring and logging of system activity, including access to personal data, with logs retained for at least 30 days
  • Regular vulnerability assessments and security reviews
  • Backup and disaster recovery procedures, including encrypted backups with a rolling retention period of approximately 35 days
  • Procedures for regularly testing, assessing, and evaluating the effectiveness of security measures

Further detail on each of these measures is set out in Annex 2.

7. Data subject rights

7.1 The Processor shall assist the Controller in fulfilling obligations to respond to data subject requests.

8. Audit and information rights

8.1 The Processor will make available information necessary to demonstrate compliance.

8.2 Audits shall be limited to once annually, during normal business hours, with reasonable prior notice, and subject to confidentiality obligations.

9. Term and termination

9.1 This DPA remains in effect for the duration of the services.

9.2 Upon termination, the Processor will, at the Controller's choice, delete or return all personal data to the Controller within 30 days and delete existing copies, unless applicable law requires continued retention, as further described in Section 3.6.

10. Liability

10.1 Each party's liability shall be subject to the limitations set forth in the main agreement.

11. Governing law

11.1 This DPA shall be governed by the laws specified in the main agreement.

12. Contact

For data protection inquiries, including Controller instructions under this DPA and assistance with data subject requests:

Nexus Core, Inc.
701 Brazos St, Austin, TX 78701
privacy@nexus.app

Annex 2 — Technical and organizational measures

The Processor maintains and implements the following technical and organizational measures:

1. Access control

  • Access to systems containing personal data is restricted to authorized personnel only
  • Role-based access control (RBAC) is enforced
  • Multi-factor authentication (MFA) is required for privileged access

2. Data protection

  • Personal data is encrypted in transit using TLS 1.2 or higher
  • Personal data is encrypted at rest in production systems and backups
  • Logical separation of customer data is maintained

3. Monitoring and logging

  • System access and activity are logged and monitored
  • Logs are retained for at least 30 days
  • Alerts are configured for suspicious or unauthorized activity

4. Infrastructure security

  • Systems are hosted on secure cloud infrastructure provided by Amazon Web Services
  • Network security controls include firewalls and access restrictions
  • Regular patching and updates are applied to infrastructure and dependencies

5. Backup and recovery

  • Regular backups of personal data are performed
  • Backups are encrypted and stored securely
  • Backup retention follows a rolling schedule of approximately 35 days
  • Disaster recovery procedures are in place to restore availability

6. Organizational security

  • Personnel are subject to confidentiality obligations
  • Security awareness practices are followed
  • Access to personal data is limited based on job responsibilities

7. Testing and evaluation

  • Security measures are periodically reviewed and updated
  • Vulnerability assessments are conducted
  • Measures are adjusted to address evolving risks

Need a signed copy?

Enterprise customers who need a countersigned DPA for their own compliance files can request one by emailing privacy@nexus.app. We'll return a signed PDF within five business days.