Data Processing Agreement
Last updated: February 11, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Organic Intelligence Labs ("Processor", "we", "us") and the entity agreeing to these terms ("Controller", "you", "Customer") for the use of the Nexus platform ("Service").
This DPA applies to the extent that the Processor processes Personal Data on behalf of the Controller in connection with the provision of the Service, and reflects the parties' commitment to comply with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection ("FADP"), and the California Consumer Privacy Act ("CCPA").
1. Definitions
For the purposes of this DPA, the following definitions apply:
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Service.
- "Processing" means any operation performed on Personal Data, including collection, storage, modification, retrieval, use, disclosure, transfer, or deletion.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "Standard Contractual Clauses" ("SCCs") means the standard contractual clauses for the transfer of personal data approved by the European Commission.
2. Scope and Purpose of Processing
2.1. The Processor shall process Personal Data only to the extent necessary to provide the Service as described in the Terms of Service, and in accordance with the Controller's documented instructions.
2.2. The categories of Personal Data processed include:
- Identity data: names, email addresses, profile pictures, job titles
- Account data: authentication credentials (hashed), account preferences, workspace membership
- Content data: tasks, pages, comments, databases, file attachments, and other workspace content created by users
- Usage data: feature usage, timestamps, IP addresses, browser and device information
- Communication data: notifications, mentions, and messages within the Service
2.3. The categories of Data Subjects include the Controller's employees, contractors, customers, and any other individuals whose Personal Data is submitted to the Service.
2.4. The duration of processing shall continue for the term of the agreement between the Controller and the Processor, plus any retention period required by applicable law.
3. Controller Obligations
3.1. The Controller shall ensure that it has a lawful basis for the processing of Personal Data under applicable data protection laws, including obtaining any necessary consents from Data Subjects.
3.2. The Controller shall provide documented instructions to the Processor regarding the processing of Personal Data. The Processor shall promptly inform the Controller if, in the Processor's opinion, an instruction violates applicable data protection laws.
3.3. The Controller is responsible for the accuracy, quality, and legality of Personal Data submitted to the Service.
4. Processor Obligations
4.1. The Processor shall process Personal Data only in accordance with the Controller's documented instructions, unless required to do otherwise by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification.
4.2. The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3. The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 6 of this DPA.
4.4. The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection laws.
4.5. The Processor shall assist the Controller in ensuring compliance with its obligations regarding security of processing, notification of Data Breaches, data protection impact assessments, and prior consultation with supervisory authorities.
4.6. Upon termination of the agreement, the Processor shall, at the Controller's choice, delete or return all Personal Data to the Controller, and delete existing copies unless applicable law requires storage.
4.7. The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
5. Sub-processors
5.1. The Controller provides general authorization for the Processor to engage Sub-processors. The current list of Sub-processors is as follows:
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Web application hosting and CDN | United States |
| Railway Corp. | Backend services hosting | United States |
| Neon Inc. | PostgreSQL database hosting | United States |
| Anthropic PBC | AI processing (Claude API) | United States |
| OpenAI Inc. | Embedding generation for semantic search | United States |
| Stripe Inc. | Payment processing | United States |
| Resend Inc. | Transactional email delivery | United States |
| Cloudflare Inc. | R2 object storage for file uploads | Global |
| PostHog Inc. | Product analytics | United States / EU |
| Sentry (Functional Software Inc.) | Error monitoring | United States |
5.2. The Processor shall notify the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance, giving the Controller the opportunity to object. If the Controller objects, the parties shall discuss the concern in good faith with a view to achieving a resolution.
5.3. The Processor shall impose on each Sub-processor data protection obligations no less protective than those set out in this DPA, by way of a written agreement. The Processor shall remain liable for the acts and omissions of its Sub-processors.
6. Security Measures
The Processor shall implement and maintain the following technical and organizational security measures:
6.1 Encryption
- All data in transit is encrypted using TLS 1.3
- All data at rest is encrypted using AES-256 encryption
- Database connections use SSL/TLS with certificate verification
6.2 Access Controls
- Role-based access control (RBAC) at workspace, project, and resource levels
- Passwords are hashed using bcrypt with a work factor of 12 (2^12 key-expansion rounds, the "salt rounds" setting of common bcrypt libraries)
- Multi-factor authentication available for user accounts
- API key authentication for programmatic access with scoped permissions
6.3 Infrastructure Security
- Isolated network environments for production workloads
- Automated vulnerability scanning of dependencies
- Regular security patching and updates
- Intrusion detection and prevention systems
- DDoS mitigation through CDN and network-level protection
6.4 Operational Security
- Principle of least privilege for employee access
- Audit logging of administrative actions
- Rate limiting on all API endpoints
- Brute-force protection on authentication endpoints
- Regular backups with tested restoration procedures
6.5 Business Continuity
- Automated database backups with point-in-time recovery
- Multi-region availability for core infrastructure
- Disaster recovery plan with documented procedures
- 99.9% uptime SLA for paid plans
7. Data Breach Notification
7.1. The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Data Breach affecting Personal Data processed on behalf of the Controller.
7.2. The notification shall include, to the extent known:
- A description of the nature of the Data Breach
- The categories and approximate number of Data Subjects and records concerned
- A description of the likely consequences of the Data Breach
- A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects
- The contact details of the Processor's data protection point of contact
7.3. The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.
8. Data Subject Rights
8.1. The Processor shall promptly notify the Controller of any request received directly from a Data Subject exercising their rights under applicable data protection laws, unless otherwise authorized by the Controller.
8.2. The Processor shall assist the Controller by appropriate technical and organizational measures in fulfilling Data Subject requests, including requests for:
- Access to Personal Data
- Rectification of inaccurate Personal Data
- Erasure of Personal Data
- Data portability
- Restriction of processing
- Objection to processing
8.3. The Service provides self-service tools that enable Data Subjects to access, export, and delete their data through account settings. For requests that cannot be fulfilled through self-service, the Controller may contact the Processor at dpo@nexus.app.
9. Cross-Border Data Transfers
9.1. Personal Data may be transferred to and processed in the United States, where the Processor's primary infrastructure is located.
9.2. For transfers of Personal Data from the EEA, UK, or Switzerland to the United States or other countries outside the EEA, the Processor shall ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914)
- UK International Data Transfer Agreement or Addendum, as applicable
- Any successor mechanisms recognized under applicable data protection laws
9.3. The Processor shall conduct transfer impact assessments where required and implement supplementary measures as necessary to ensure the level of protection required by applicable data protection laws.
10. Term and Termination
10.1. This DPA shall remain in effect for the duration of the agreement between the Controller and the Processor for the provision of the Service.
10.2. Upon termination of the agreement, the Processor shall:
- Cease all processing of Personal Data on behalf of the Controller, except as required by applicable law
- At the Controller's written request, return all Personal Data in a standard machine-readable format (JSON, CSV) within 30 days
- Delete all copies of Personal Data within 60 days of termination, unless retention is required by applicable law
- Provide written certification of deletion upon the Controller's request
10.3. The obligations in this DPA that by their nature should survive termination shall continue to apply, including confidentiality, data breach notification, and audit rights.
11. Audit Rights
11.1. The Processor shall make available to the Controller on request all information necessary to demonstrate compliance with this DPA and applicable data protection laws.
11.2. The Controller may conduct audits, including inspections, of the Processor's data processing activities, either directly or through a mandated third-party auditor, subject to:
- Reasonable prior notice of at least 30 days
- Conducting the audit during normal business hours
- Minimizing disruption to the Processor's operations
- The auditor entering into a confidentiality agreement
11.3. The Processor may satisfy audit requirements by providing SOC 2 Type II reports or equivalent third-party audit certifications, where available.
12. Liability
12.1. Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service.
12.2. The Processor shall be liable for damages caused by processing only where it has not complied with its obligations under this DPA or has acted outside of or contrary to the Controller's lawful instructions.
13. Contact Information
For questions about this Data Processing Agreement or to exercise your rights:
- Data Protection Officer: dpo@nexus.app
- Legal inquiries: legal@nexus.app
- Address: Organic Intelligence Labs, 251 Little Falls Drive, Wilmington, DE 19808, United States