Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) is incorporated into the contractual relationship between the Data Controller and Vexor, a platform owned and operated by Nexa Group. It governs how personal data is processed in compliance with GDPR Article 28, the EU/EEA data protection framework, and international privacy standards.

1. Parties to the Agreement

This DPA is entered into between:

  • Data Controller: The business entity or organization using Vexor Services for commercial purposes.
  • Data Processor: Vexor, operated by Nexa Group.

Both parties agree to comply with all applicable data protection laws, including the GDPR, UK GDPR, CCPA (where applicable), and similar international frameworks.

2. Purpose of Processing

Vexor processes personal data strictly for:

  • Delivering, maintaining, and optimizing Vexor Services
  • Security, fraud detection, and abuse prevention
  • Analytics and operational insights
  • Compliance with legal obligations
  • Providing technical support and platform functionality

No processing occurs beyond documented instructions from the Controller.

3. Categories of Personal Data Processed

The categories processed may include, but are not limited to:

  • Identifiers (email, username, account ID)
  • User-generated content (videos, comments, metadata)
  • Engagement metrics and analytics
  • Technical and device information
  • Security and fraud-related signals

Special Categories of Data

Vexor does not intentionally process special categories of data (e.g., biometrics, health, political beliefs) unless explicitly instructed by the Controller and legally permitted.

4. Obligations of the Data Controller

The Controller agrees to:

  • Ensure a valid lawful basis exists for all collected data
  • Provide accurate, lawful, documented processing instructions
  • Comply fully with GDPR and local privacy laws
  • Notify Vexor of data subject requests requiring Processor assistance

5. Obligations of the Data Processor (Vexor / Nexa Group)

Vexor agrees to:

  • Process personal data only according to Controller’s documented instructions
  • Implement robust technical and organizational security measures
  • Ensure personnel handling data are bound by confidentiality
  • Assist the Controller with GDPR rights requests
  • Provide breach notifications to the Controller within 72 hours
  • Maintain logs of processing activities
  • Support supervisory authority inquiries when required

6. Sub-Processors

Vexor may engage trusted third-party sub-processors, including but not limited to:

  • Cloud hosting providers
  • Content delivery networks (CDNs)
  • Security and anti-fraud vendors
  • Analytics partners

All sub-processors are bound by written agreements requiring the same data protection standards as this DPA. The Controller will be notified of any intended additions or replacements.

7. International Data Transfers

Transfers of personal data outside the EU/EEA occur only when one of the following safeguards is used:

  • EU Standard Contractual Clauses (SCCs, 2021 version)
  • UK International Data Transfer Addendum (IDTA)
  • Binding Corporate Rules (BCRs) where available
  • Encrypted transport and storage
  • Verified third-country vendor assessments

Data is never transferred internationally without lawful safeguards.

8. Data Deletion, Return, and Retention

Upon termination of a business contract or written request from the Controller:

  • Vexor will delete or return all personal data
  • Backups containing such data will be purged on the next scheduled cycle
  • Deletion certificates can be issued upon request

Vexor may retain data where required by law (e.g., fraud logs, security incidents).

9. Audit Rights

The Controller may request:

  • Security documentation and compliance reports
  • Penetration testing summaries
  • Third-party audit certifications (ISO 27001, SOC 2 where applicable)

10. Data Breach Notification

In the event of a personal data breach affecting Controller data, Vexor will:

  • Notify the Controller within 72 hours
  • Provide all relevant details and impact assessments
  • Cooperate fully in investigations and remediation efforts

11. Governing Law

This DPA is governed by:

  • GDPR (EU Regulation 2016/679)
  • Norwegian Data Protection Act
  • Applicable laws of the Controller’s region

12. Contact Information

For privacy, compliance, or DPA-related inquiries:

Data Protection Office (DPO): dpo@vexor.to
Legal Department: legal@vexor.to
Parent Company: legal@nexa-group.org

Was this answer helpful? 0 Users Found This Useful (0 Votes)

Most Popular Articles

Privacy Policy

Privacy Policy Vexor is a platform owned and operated by Nexa Group, an international...
GDPR Policy

GDPR Compliance Statement This GDPR Compliance Statement outlines how Vexor — owned...
Cookie Policy

Cookie Policy This Cookie Policy explains how Vexor — owned and operated by Nexa...
Term of Service

Terms of Service These Terms of Service govern your access to and use of Vexor — a...
Export Control & Sanctions Policy

Export Control & Sanctions Policy This Export Control & Sanctions Policy...