Last Updated: January 13, 2026

Data Processing Agreement

GDPR Article 28 compliant agreement for processing personal data.

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between NexusRMS Limited (Company No. 16170889) ("Processor", "we", "us") and the Customer ("Controller", "you") and reflects the parties' agreement with regard to the processing of Personal Data.

This DPA is designed to ensure compliance with Article 28 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on Personal Data
  • "Data Subject" means an individual whose Personal Data is processed
  • "Sub-processor" means any third party engaged by us to process Personal Data
  • "Controller" means the entity that determines the purposes and means of processing
  • "Processor" means the entity that processes Personal Data on behalf of the Controller

3. Scope and Roles

3.1 Relationship

In providing the Service, you act as the Data Controller for Customer Data, and we act as the Data Processor. We only process Personal Data on your documented instructions.

3.2 Processing Activities

Element: Description
Subject matter: Provision of NexusRMS rental management platform
Duration: Term of the subscription agreement
Nature & purpose: Storage, retrieval, and management of rental business data
Types of Personal Data: Names, contact details, addresses, payment information, employment details
Categories of Data Subjects: Customer's clients, employees, contractors, suppliers

4. Processor Obligations

We shall:

  • Process Personal Data only on your documented instructions
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Engage sub-processors only with your prior authorization
  • Assist you in responding to Data Subject requests
  • Assist you with data protection impact assessments where required
  • Delete or return all Personal Data at the end of the service relationship
  • Make available information to demonstrate compliance
  • Allow for and contribute to audits and inspections

5. Controller Obligations

You shall:

  • Ensure you have a lawful basis for processing Personal Data
  • Provide clear documented instructions for processing
  • Ensure Data Subjects are informed about the processing
  • Comply with your obligations under applicable data protection laws
  • Promptly notify us of any Data Subject requests received directly

6. Security Measures

We implement the following security measures:

6.1 Technical Measures

  • Encryption of data in transit (TLS 1.3)
  • Encryption of data at rest (AES-256)
  • Multi-factor authentication
  • Access control and role-based permissions
  • Intrusion detection and prevention systems
  • Regular vulnerability scanning and penetration testing
  • Automated security monitoring and alerting

6.2 Organizational Measures

  • Employee security awareness training
  • Background checks for employees with data access
  • Confidentiality agreements
  • Information security policies and procedures
  • Incident response procedures
  • Business continuity and disaster recovery plans

7. Sub-processors

7.1 Authorization

You authorize us to engage sub-processors to assist in providing the Service. A current list of sub-processors is available at our Subprocessor List.

7.2 Sub-processor Requirements

We ensure that sub-processors:

  • Are bound by data protection obligations equivalent to this DPA
  • Implement appropriate security measures
  • Only process data as necessary to provide their service

7.3 Notification of Changes

We will notify you at least 30 days before engaging a new sub-processor. If you object, you may terminate the affected services.

8. Data Subject Rights

We will assist you in fulfilling your obligations to respond to Data Subject requests, including requests for:

  • Access to Personal Data
  • Rectification of inaccurate data
  • Erasure ("right to be forgotten")
  • Restriction of processing
  • Data portability
  • Objection to processing

We will notify you promptly if we receive a request directly from a Data Subject.

9. Data Breach Notification

9.1 Our Obligations

We will notify you without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach. Notification will include:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of records concerned
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

9.2 Your Obligations

You are responsible for notifying the supervisory authority and affected Data Subjects where required by law.

10. International Transfers

We may transfer Personal Data outside the UK. When doing so, we ensure appropriate safeguards are in place:

  • UK International Data Transfer Agreement (IDTA)
  • Standard Contractual Clauses approved by the UK Government
  • Transfers to countries with adequacy decisions

11. Data Retention and Deletion

Upon termination of your subscription:

  • We will provide 30 days to export your data
  • After 30 days, we will delete all Personal Data from our systems
  • Backups will be purged within 90 days of account closure
  • We may retain data where required by law (e.g., billing records)

12. Audit Rights

You may audit our compliance with this DPA, subject to:

  • Reasonable advance notice (minimum 30 days)
  • Audits during normal business hours
  • Confidentiality obligations for audit findings
  • Cost borne by you unless non-compliance is found

Alternatively, we can provide copies of our security certifications, audit reports, or allow inspection by an agreed third-party auditor.

13. Liability

Each party's liability under this DPA is subject to the limitations set forth in the main Terms of Service. Neither party limits its liability for breaches of data protection law to the extent such limitation is prohibited.

14. Term

This DPA remains in effect for the duration of your NexusRMS subscription and for as long as we process Personal Data on your behalf.

15. Contact

For DPA-related inquiries:

NexusRMS Limited

Company Registration No. 16170889 (England and Wales)

Registered Address: The Gables, Westhope, Hereford, Herefordshire, HR4 8BL, United Kingdom

DPA Inquiries: [email protected]

Data Protection Officer: [email protected]

Questions about this document?

If you have any questions about this Data Processing Agreement, please contact us at [email protected]

© 2026 NexusRMS Limited. All rights reserved.
