Data Processing Agreement (DPA)

This Data Processing Agreement governs Nexa-Group.org’s processing of personal data on behalf of business customers when providing Vibble-related services, in accordance with applicable data protection laws, including the GDPR.

1. Roles of the Parties

  • Customer acts as the data controller with respect to personal data it provides or makes available to Nexa-Group in connection with Vibble services.
  • Nexa-Group.org acts as the data processor (or sub-processor) when processing such personal data on behalf of the Customer.

2. Subject Matter & Duration

The subject matter of the processing is the provision of Vibble-related services as described in the main service agreement between Customer and Nexa-Group. The duration of processing coincides with the term of the service agreement, unless otherwise required by law.

3. Nature & Purpose of Processing

Nexa-Group processes personal data only to provide, maintain, secure, and improve the contracted Vibble services and to fulfill documented instructions from the Customer.

4. Categories of Data & Data Subjects

Depending on the services used, personal data may include:

  • Account identifiers, contact information, profile data.
  • Usage data, logs, and interaction data.
  • Any other personal data uploaded or transmitted by the Customer or its end users.

Data subjects may include Customer’s end users, employees, contractors, and other individuals whose data is processed via Vibble.

5. Processor Obligations

Nexa-Group shall:

  • Process personal data only on documented instructions from the Customer, unless required by law.
  • Ensure personnel authorized to process personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational measures to protect personal data.
  • Assist the Customer, where reasonably possible, in fulfilling data subject requests and impact assessments.
  • Notify the Customer without undue delay after becoming aware of a personal data breach.

6. Sub-Processors

Nexa-Group may engage sub-processors to support delivery of the services. Nexa-Group will ensure sub-processors are bound by data protection obligations no less protective than those in this DPA. A current list of sub-processors may be made available upon request.

7. International Transfers

Where personal data is transferred outside the EEA/UK or other regions with adequacy decisions, Nexa-Group shall implement appropriate transfer mechanisms such as Standard Contractual Clauses or other lawful safeguards.

8. Data Subject Requests

To the extent permitted by law, Nexa-Group shall promptly notify the Customer of any direct data subject requests and, where possible, assist the Customer in responding, at the Customer’s cost if applicable.

9. Security & Audits

Nexa-Group maintains a security program appropriate to the risks associated with data processing. Upon reasonable written request and subject to confidentiality obligations, Nexa-Group will provide relevant information or third-party audit reports to demonstrate compliance.

10. Return or Deletion of Data

Upon termination or expiry of the services, Nexa-Group shall, at Customer’s choice and subject to applicable law, delete or return personal data and delete existing copies, except where retention is required for legal, regulatory, or security reasons.

11. Contact

For questions related to this DPA or data processing under a business contract:

DPA & B2B Privacy: dpa@nexa-group.org
Privacy Team: privacy@nexa-group.org
