Data Processing Addendum (DPA)

Effective Date: October 29, 2025
Parties: Nexorus LLC, 2093 Philadelphia Pike, Claymont, DE 19703, USA (“Processor” or “Nexorus”) and the Client identified in the applicable Order or Master Services Agreement (“Controller” or “Client”).
This DPA forms part of and is subject to the Terms of Service or other written agreement for the Services between the Parties (the “Agreement”).


1) Purpose & Scope

This DPA governs Nexorus’s Processing of Personal Data on behalf of Client in connection with the AI-powered marketing Services and any related professional services. The Parties intend to comply with all applicable Data Protection Laws, including the GDPR/UK GDPR, CCPA/CPRA, and other similar laws.


2) Definitions

  • Affiliate: Any entity that controls, is controlled by, or is under common control with a Party.
  • Controller, Processor, Data Subject, Personal Data, Processing/Process, Supervisory Authority: As defined under GDPR/UK GDPR.
  • Data Protection Laws: All laws applicable to Personal Data Processing, including GDPR/UK GDPR, ePrivacy laws, CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, and successor laws.
  • SCCs: The EU Commission’s 2021 Standard Contractual Clauses (EU/EEA), including any UK and Swiss addenda (collectively, the “Clauses”).
  • Subprocessor: A Processor engaged by Nexorus to Process Personal Data on behalf of Client.
  • Security Incident: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed by Nexorus.
  • Services: The AI marketing platform and related consulting/services provided by Nexorus under the Agreement.
  • Client Data: Data (which may include Personal Data) supplied by or on behalf of Client to the Services or otherwise made available for Processing.

3) Roles & Processing Instructions

3.1 Roles. For Client Data, Client is Controller and Nexorus is Processor (or “Service Provider/Processor” under U.S. state privacy laws).
3.2 Instructions. Nexorus will Process Personal Data solely (a) to provide, maintain, and improve the Services; (b) per documented instructions from Client; and (c) as required by law. Nexorus will promptly inform Client if an instruction infringes Data Protection Laws.
3.3 Documented Instructions. The Agreement, this DPA, the Order/SOW, and in-product settings constitute Client’s complete documented instructions.


4) Confidentiality & Personnel

Nexorus will ensure that persons authorized to Process Personal Data are bound by confidentiality obligations and receive appropriate privacy/security training. Access is limited to personnel with a need-to-know.


5) Security Measures

5.1 Technical & Organizational Measures. Nexorus will implement and maintain appropriate administrative, technical, and physical safeguards designed to protect Personal Data, as described in Annex II.
5.2 Reviews. Nexorus regularly reviews and updates safeguards considering the state of the art, costs, the nature, scope, context, and purposes of Processing, and the risk to Data Subjects.


6) Subprocessors

6.1 Authorization. Client authorizes Nexorus to appoint Subprocessors necessary to provide the Services.
6.2 List & Updates. Nexorus will maintain a list of current Subprocessors (available on request) and notify Client of new Subprocessors.
6.3 Objection. Client may object on reasonable data-protection grounds within 10 days of notice. The Parties will work in good faith to address the objection (e.g., alternate Subprocessor, configuration change). If unresolved, Client may suspend the affected portion of the Services or terminate the impacted Order with a prorated refund.
6.4 Flow-Down. Nexorus will enter into written agreements with Subprocessors imposing materially equivalent data-protection obligations as this DPA.


7) International Data Transfers

7.1 Mechanisms. Where Nexorus (or a Subprocessor) Processes Personal Data outside the originating jurisdiction, Nexorus will ensure a lawful transfer mechanism (e.g., SCCs with Module 2, and any required UK Addendum/IDTA and Swiss Addendum).
7.2 Order of Precedence. Where the SCCs apply, the Clauses (and applicable Addenda) prevail over conflicting terms in the Agreement and this DPA with respect to cross-border transfers.
7.3 Government Requests. Nexorus will (to the extent legally permitted) notify Client of government access requests and will challenge unlawful or overbroad requests.


8) Security Incidents

Nexorus will notify Client without undue delay (and no later than 48 hours after confirmation) upon becoming aware of a Security Incident affecting Personal Data Processed for Client. The notice will include available details to assist Client in meeting its obligations. Nexorus will promptly take reasonable steps to contain, investigate, and remediate the Security Incident.


9) Assistance & Data Subject Requests

9.1 Data Subject Requests. Taking into account the nature of Processing, Nexorus will assist Client by appropriate technical and organizational measures, insofar as possible, to fulfill Data Subject rights requests (access, deletion, rectification, portability, restriction, objection, and rights related to automated decision-making).
9.2 Regulatory Cooperation. Nexorus will provide reasonable assistance with data protection impact assessments (DPIAs) and consultations with Supervisory Authorities as required by law.


10) Audits & Compliance Information

10.1 Reports. Upon written request (not more than annually and subject to confidentiality), Nexorus will make available summary compliance materials (e.g., security whitepaper, penetration test summaries, SOC/ISO reports if available) sufficient to demonstrate compliance with this DPA.
10.2 Audits. If such materials are insufficient, Client may conduct a reasonable audit (no more than annually, or after a confirmed Security Incident) on at least 30 days’ notice, during business hours, without undue interference, and subject to reasonable time, scope, and place limitations. Third-party auditors must sign confidentiality agreements. Client bears audit costs.


11) Return & Deletion of Data

Upon termination or expiry of the Agreement, Nexorus will, at Client’s choice and subject to applicable law, return or delete Personal Data after a 30-day retrieval window. Nexorus may retain minimal Personal Data as required for legal, regulatory, or legitimate business purposes (e.g., billing records, backups), which will remain protected per this DPA until deletion.


12) CCPA/CPRA & U.S. State Privacy

12.1 Service Provider/Processor. For Client Personal Information subject to CPRA and similar laws, Nexorus acts as a “Service Provider/Processor” and will:
(a) Process only for the limited and specified purposes in this DPA/Agreement;
(b) Not “sell” or “share” Personal Information as defined by CPRA;
(c) Not combine Personal Information with other data except as permitted (e.g., for security, debugging, or to provide the Services);
(d) Assist Client in responding to verifiable consumer requests and honoring opt-outs, including GPC signals where legally required.
12.2 Certifications. Nexorus certifies it understands and will comply with these restrictions.


13) Liability & Indemnity

Liability under this DPA is subject to the limitations and exclusions set forth in the Agreement. Nothing in this DPA limits either Party’s liability to the extent such limitation is prohibited by Data Protection Laws.


14) Conflicts; Order of Precedence

In case of conflict, the following order of precedence applies: SCCs (and applicable Addenda) → this DPA → the Agreement → Documentation.


15) Term & Termination

This DPA takes effect on the Effective Date and remains in force for the term of the Agreement, surviving as long as Nexorus Processes Personal Data on behalf of Client.


16) Miscellaneous

16.1 Amendments. Nexorus may update this DPA as required by changes in law; material changes will be notified with reasonable advance notice where practicable.
16.2 Governing Law. As set forth in the Agreement, provided that the SCCs (and Addenda) are governed as specified therein.
16.3 Counterparts & Electronic Signatures. This DPA may be executed in counterparts, including electronically.


Annex I — Details of Processing (SCCs, Module 2)

A. Parties

  • Data Exporter (Controller): Client (as identified in the Order/Agreement).
  • Data Importer (Processor): Nexorus LLC, 2093 Philadelphia Pike, Claymont, DE 19703, USA, legal@nexorus.com.

B. Description of Processing

  • Subject Matter: Provision of AI-powered marketing Services and related support/consulting.
  • Duration: Term of the Agreement plus the return/deletion period in Section 11.
  • Nature & Purpose: Hosting, storing, organizing, analyzing, training/tuning models with de-identified data, generating marketing content/insights, campaign optimization, reporting, support, security, and service improvement.
  • Types of Personal Data: Contact details (name, email, phone), identifiers, online identifiers, role/title, device and usage data, marketing engagement and conversion data, preference data, and any other Personal Data included by Client in Client Data (no special category data expected).
  • Special Categories (if any): Not intended. Client will not intentionally submit special category/sensitive data (e.g., health, precise geolocation, financial account numbers, children’s data) unless expressly agreed in writing.
  • Data Subjects: Client’s prospects/leads, customers, website/app users, employees/contractors, and other individuals whose data are included in Client Data.
  • Frequency of Transfer: Continuous and as needed during the Agreement.
  • Processing Operations: As necessary to provide the Services per the Agreement and this DPA.

C. Competent Supervisory Authority

  • For EU SCCs, the supervisory authority will be determined per the Exporter’s main establishment/representative in the EU.
  • For UK transfers, the ICO under the UK Addendum/IDTA.
  • For Swiss transfers, the FDPIC.

Annex II — Technical & Organizational Security Measures

1. Organization of Information Security

  • Appointed security lead; policies for access control, encryption, incident response, vendor management, vulnerability management, and secure development lifecycle (SDLC).

2. Personnel Security & Training

  • Background checks as permitted; confidentiality agreements; onboarding/offboarding access procedures; annual security and privacy training.

3. Access Control

  • Role-based access control (RBAC); least-privilege; MFA for privileged access; SSO support; session timeouts; unique user IDs; logging and monitoring of admin actions.

4. Encryption

  • TLS for data in transit; encryption at rest for primary data stores; managed key services with restricted access.

5. Application & Infrastructure Security

  • Network segmentation; firewalls and security groups; hardened images; anti-malware where applicable; regular vulnerability scanning; periodic third-party penetration testing; code review and CI/CD controls.

6. Data Management

  • Data minimization; logical segregation of Client Data; backup and restore procedures; tested disaster recovery plan; secure deletion routines.

7. Incident Response

  • 24/7 on-call procedures; documented playbooks; breach notification workflow aligned with Section 8; post-incident review and remediation tracking.

8. Business Continuity & DR

  • Redundant infrastructure for critical components; RPO/RTO objectives appropriate to the Services; periodic DR exercises.

9. Vendor & Subprocessor Management

  • Risk assessments prior to onboarding; security and privacy due diligence; contractual flow-down of security/privacy obligations; continuous monitoring where feasible.

10. Compliance & Assurance

  • Maintenance of security documentation; availability of summaries of audits/certifications (e.g., SOC/ISO if and when obtained); remediation of findings within defined SLAs.

Annex III — Authorized Subprocessors (Illustrative/Expandable)

Nexorus maintains an up-to-date list of Subprocessors (infrastructure, analytics, communications, support, payments) available upon request. Typical categories include:

  • Cloud infrastructure & storage (e.g., IaaS providers, managed databases/CDNs).
  • Email/SMS/voice & support tooling (ticketing, chat, email delivery).
  • Authentication & security (identity providers, anti-abuse services).
  • Analytics & monitoring (product analytics, logging, APM).
  • Payments & billing (payment processors, invoicing).
  • Professional services (translation, transcription, specialized marketing tools) where needed.

For each Subprocessor, Nexorus enters into a written agreement imposing obligations no less protective than this DPA and conducts appropriate due diligence.


Annex IV — UK Addendum & Swiss Addendum

  • Where Personal Data is exported from the UK, the UK Addendum to the EU SCCs (or the IDTA) is incorporated by reference, with Part 1 tables populated consistently with Annex I/II and the Agreement.
  • For Swiss transfers, the SCCs are applied with modifications required by the FDPIC (e.g., references to Swiss law and authorities).

Annex V — U.S. State Privacy Disclosures (Service Provider/Processor)

  • Nexorus certifies it will not: (a) sell Personal Information; (b) share Personal Information for cross-context behavioral advertising; (c) retain, use, or disclose Personal Information for purposes other than those specified in this DPA/Agreement or as permitted by law; or (d) combine Personal Information with Personal Information received from other clients except as allowed for security, debugging, or to provide/improve the Services in a manner consistent with applicable law (e.g., de-identified/aggregated analytics).
  • Nexorus will assist Client with consumer rights requests and maintain reasonable records to demonstrate compliance.

Annex VI — Contact Points for Data Protection

  • Processor: Nexorus LLC, legal@nexorus.com, 2093 Philadelphia Pike, Claymont, DE 19703, USA
  • Controller: As identified in the Order/Agreement (Client’s Data Protection contact to be provided by Client).