Data Processing Agreement (DPA)


Preamble

This Data Processing Agreement ("DPA") is entered into between:

Controller:
(hereinafter "Controller" or "Customer")

Processor:
Nicholas George Stockhammer, trading as NEXUS Labs
Dom-Pedro-Str. 18
80637 München (Munich), Germany
Email: hello@nexusintel.app
(hereinafter "Processor" or "NEXUS Labs")

This DPA is an addendum to and forms an integral part of the service agreement between the parties (the "Main Agreement") and governs the processing of personal data by the Processor on behalf of the Controller in connection with the NEXUS service.


1. Definitions

Terms not otherwise defined herein shall have the meanings given to them in the GDPR (Regulation (EU) 2016/679).

  • "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller under this DPA.
  • "Processing" means any operation or set of operations performed on Personal Data, as defined in Art. 4(2) GDPR.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "SCC" means the Standard Contractual Clauses adopted by the European Commission pursuant to Implementing Decision (EU) 2021/914.

2. Subject Matter and Duration of Processing

2.1 Subject Matter

The Processor processes Personal Data on behalf of the Controller to provide the NEXUS productivity and planning service, including:

  • User account management and authentication
  • Task, plan, and note storage and retrieval
  • AI-powered planning and research assistance
  • Cloud synchronization
  • Subscription and billing management (via Stripe)
  • Transactional email delivery (via Resend)

2.2 Duration

Processing shall continue for the duration of the Main Agreement. Upon termination, Section 12 (Return and Deletion) applies.


3. Nature and Purpose of Processing

The Processor processes Personal Data for the sole purpose of providing the NEXUS service to the Controller's authorized end users. Processing activities include:

  • Collection: registration data (email, name) from end users
  • Storage: user profiles, tasks, plans, notes, preferences in the Processor's database
  • Use: rendering the application, providing AI-powered features, sending transactional notifications
  • Transmission: to Sub-processors listed in Section 8 for the purposes described therein
  • Deletion: upon account deletion or contract termination per Section 12

4. Types of Personal Data

Category: Examples

  • Identity data: Name, email address, profile picture URL
  • Authentication data: Hashed passwords, OAuth provider IDs, session tokens
  • Content data: Task titles, descriptions, plans, notes, user preferences
  • Usage data: Timestamps, feature usage patterns
  • Payment data: Billing name, billing address, card last-4, subscription status (processed by Stripe)
  • Communication data: Email delivery metadata (processed by Resend)
  • Technical data: IP address, User-Agent, HTTP request metadata (processed by Vercel, Cloudflare)
  • AI interaction data: User prompts, model-generated outputs (processed by Anthropic)

5. Categories of Data Subjects

  • End users of the Controller who have registered accounts on the NEXUS platform
  • Individuals whose personal data may be included in content created by end users (e.g., names mentioned in task descriptions)

6. Controller Obligations

The Controller warrants that:

  1. It has a lawful basis for providing Personal Data to the Processor (Art. 6 GDPR).
  2. It has fulfilled all applicable information obligations toward Data Subjects (Art. 13, 14 GDPR).
  3. It has obtained any required consents from Data Subjects before transmitting their data.
  4. It will promptly notify the Processor of any Data Subject requests it cannot fulfill independently.
  5. It complies with all applicable data protection laws.

7. Processor Obligations

The Processor shall:

  1. Process only on instructions. Process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required by EU or Member State law (Art. 28(3)(a) GDPR). The Main Agreement and this DPA constitute the Controller's complete instructions; additional instructions require written agreement.

  2. Ensure confidentiality. Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b) GDPR).

  3. Implement security measures. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Art. 32 GDPR (see Section 10).

  4. Respect Sub-processor conditions. Comply with the conditions for engaging Sub-processors set out in Section 8 (Art. 28(3)(d) GDPR).

  5. Assist with Data Subject rights. Assist the Controller, by appropriate technical and organizational measures, in fulfilling its obligation to respond to Data Subject requests under Art. 15–22 GDPR (Art. 28(3)(e) GDPR).

  6. Assist with compliance. Assist the Controller in ensuring compliance with Arts. 32–36 GDPR (security, breach notification, DPIA, prior consultation), taking into account the nature of processing and the information available to the Processor (Art. 28(3)(f) GDPR).

  7. Delete or return. At the Controller's choice, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage (Art. 28(3)(g) GDPR). See Section 12.

  8. Make available information. Make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (Art. 28(3)(h) GDPR). See Section 11.


8. Sub-processors

8.1 Authorized Sub-processors

The Controller grants general authorization for the Processor to engage the following Sub-processors:

  1. Vercel Inc.
     Purpose: Hosting & serverless functions
     Data categories: IP, request logs
     Location: USA
     Safeguards: DPF + SCC

  2. Supabase Inc.
     Purpose: Database & authentication
     Data categories: Email, profile, task data
     Location: USA (data: EU Frankfurt)
     Safeguards: SCC

  3. Stripe Inc.
     Purpose: Payment processing
     Data categories: Email, billing, payment method
     Location: USA (EU card data: EU)
     Safeguards: DPF + SCC

  4. Anthropic PBC
     Purpose: AI inference
     Data categories: User prompts, AI outputs
     Location: USA
     Safeguards: DPF + SCC

  5. Resend Inc.
     Purpose: Transactional emails
     Data categories: Email address, email content
     Location: USA
     Safeguards: SCC

  6. Cloudflare Inc.
     Purpose: DNS & CDN
     Data categories: IP, request metadata
     Location: USA/Global
     Safeguards: DPF + SCC

8.2 Sub-processor Change Notification

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 30 days before the change takes effect, thereby giving the Controller the opportunity to object (Art. 28(2) GDPR).

8.3 Right to Object

If the Controller objects to a new Sub-processor on reasonable data protection grounds within 14 days of receiving notification, the parties shall discuss the objection in good faith. If no resolution is reached within 30 days, the Controller may terminate the Main Agreement with immediate effect without penalty.

8.4 Sub-processor Agreements

The Processor shall impose the same data protection obligations as set out in this DPA on each Sub-processor by way of a contract, ensuring that the Sub-processor provides sufficient guarantees regarding technical and organizational measures (Art. 28(4) GDPR).


9. International Data Transfers

9.1 Transfer Mechanisms

Where Personal Data is transferred to Sub-processors located outside the European Economic Area (EEA), such transfers are protected by:

  1. EU–US Data Privacy Framework (DPF) — For DPF-certified Sub-processors (Vercel, Stripe, Cloudflare, Anthropic), on the basis of the adequacy decision (Commission Implementing Decision (EU) 2023/1795).

  2. Standard Contractual Clauses (SCC) — Module 2 (Controller → Processor) and/or Module 3 (Processor → Sub-processor) per Commission Implementing Decision (EU) 2021/914, included in all Sub-processor DPAs.

9.2 Transfer Impact Assessment

The Processor has conducted a transfer impact assessment for each Sub-processor receiving data in the USA and has concluded that the combination of DPF certification and/or SCC, together with Processor-level encryption-in-transit and at-rest, provides an adequate level of protection for the transferred data.


10. Technical and Organizational Measures (TOMs)

The Processor implements the following measures pursuant to Art. 32 GDPR:

10.1 Encryption

  • In transit: TLS 1.2+ for all connections between users, Processor systems, and Sub-processors
  • At rest: AES-256 encryption for database storage (Supabase), payment data (Stripe), and backup storage

10.2 Access Control

  • Role-based access control (RBAC) with least-privilege principle
  • Multi-factor authentication (MFA) for all administrative accounts
  • Row-Level Security (RLS) in Supabase ensuring tenant isolation

10.3 Authentication Security

  • Passwords stored as bcrypt/argon2 hashes (never plaintext)
  • OAuth 2.0 with PKCE for Google sign-in
  • Session tokens with expiration and rotation

10.4 Infrastructure Security

  • Serverless architecture (Vercel) — no persistent servers to compromise
  • Cloudflare DDoS protection and Web Application Firewall
  • Automated deployment pipeline with no manual server access

10.5 Data Minimization

  • Only data necessary for service provision is collected
  • Anthropic API: zero-retention policy on paid tier (no training data retention)
  • No analytics, advertising, or session-replay processors

10.6 Incident Response

  • Breach detection and notification within 72 hours per Art. 33 GDPR (see Section 13)
  • Documented incident response procedure

10.7 Availability and Resilience

  • Vercel global edge network for high availability
  • Supabase automated backups (daily, 7-day retention)
  • Stripe's PCI-DSS Level 1 certification for payment infrastructure

11. Audit Rights

11.1 Information and Documentation

The Processor shall make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR upon reasonable request.

11.2 Audits

The Controller may conduct audits, including inspections of the Processor's processing activities. Audits shall:

  • be conducted with at least 30 days' written notice
  • take place during normal business hours
  • be carried out in a manner that does not unreasonably disrupt the Processor's operations
  • be at the Controller's expense

11.3 Third-Party Audits

The Controller may mandate a qualified, independent third-party auditor (bound by confidentiality) to conduct audits on its behalf.

11.4 Sub-processor Audit

Where a Sub-processor is subject to audit under its own DPA with the Processor, the Processor shall, upon request, provide the Controller with summaries of audit results or certifications (e.g., SOC 2 reports from Supabase, PCI-DSS from Stripe).


12. Return and Deletion of Data

12.1 Upon Termination

Upon termination of the Main Agreement, the Processor shall, at the Controller's election:

  • Return all Personal Data to the Controller in a structured, commonly used, machine-readable format (JSON export), or
  • Delete all Personal Data and certify such deletion in writing.

12.2 Deletion Timeline

Unless the Controller requests return, the Processor shall delete all Personal Data within 30 days of the effective date of termination.

12.3 Retention Exceptions

The Processor may retain Personal Data beyond the deletion timeline only where required by EU or Member State law (e.g., tax records under § 147 AO: 6–10 years). In such cases, the Processor shall inform the Controller of the legal basis and scope of retention.


13. Data Breach Notification

13.1 Processor Notification to Controller

The Processor shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a personal data breach affecting Personal Data processed under this DPA. The notification shall include:

  1. Description of the nature of the breach, including categories and approximate number of Data Subjects and records affected
  2. Name and contact details of the Processor's point of contact
  3. Description of the likely consequences of the breach
  4. Description of measures taken or proposed to address the breach and mitigate its effects

13.2 Controller Notification to Supervisory Authority

The Controller is responsible for notifying the competent supervisory authority within 72 hours of becoming aware of a breach (Art. 33 GDPR) and for notifying affected Data Subjects where required (Art. 34 GDPR).

13.3 Processor Cooperation

The Processor shall cooperate with the Controller and provide all reasonably requested information and assistance to enable the Controller to fulfill its breach notification obligations.


14. Liability

14.1 Allocation

Liability between the parties is governed by Art. 82 GDPR. Each party is liable for damage caused by processing that infringes the GDPR. The Processor is liable for damage caused by processing only where it has not complied with obligations specifically directed to processors or has acted outside or contrary to the Controller's lawful instructions.

14.2 Limitation

To the extent permitted by applicable law, each party's aggregate liability under this DPA shall not exceed the total fees paid or payable under the Main Agreement in the 12 months preceding the event giving rise to the claim.

14.3 Indemnification

Each party shall indemnify the other against any fines, claims, damages, and expenses (including reasonable legal fees) arising from the indemnifying party's breach of this DPA or the GDPR, to the extent attributable to that party's fault.


15. Term and Termination

15.1 Term

This DPA enters into force on the date of signature and remains in effect for the duration of the Main Agreement.

15.2 Survival

Sections 7.7 (Delete or return), 11 (Audit rights), 12 (Return and deletion), 13 (Data breach notification), and 14 (Liability) survive the termination of this DPA.


16. Governing Law and Jurisdiction

This DPA is governed by the laws of the Federal Republic of Germany. The courts of Munich, Germany, have exclusive jurisdiction for disputes arising from this DPA, unless mandatory laws require otherwise.


17. Signatures

Controller
  Name: _________________________
  Title: _________________________
  Date: _________________________
  Signature: _________________________

Processor
  Name: Nicholas George Stockhammer
  Title: Sole Proprietor, NEXUS Labs
  Date: _________________________
  Signature: _________________________

Annex A — Sub-processor List

See Section 8.1 for the current authorized sub-processor list. This annex is incorporated by reference.

Annex B — Technical and Organizational Measures

See Section 10 for the current TOMs. This annex is incorporated by reference.


Source Citations

  • [GDPR] — Regulation (EU) 2016/679
    • Art. 4(2) — Definition of processing
    • Art. 6 — Lawfulness of processing
    • Art. 13, 14 — Information obligations
    • Art. 15–22 — Data subject rights
    • Art. 28 — Processor
    • Art. 32 — Security of processing
    • Art. 33 — Breach notification to supervisory authority
    • Art. 34 — Breach notification to data subject
    • Art. 44 — General principle for transfers
    • Art. 45 — Adequacy decisions
    • Art. 46(2)(c) — Standard contractual clauses
    • Art. 82 — Right to compensation and liability
  • [SCC] — Commission Implementing Decision (EU) 2021/914
  • [EU–US DPF] — Commission Implementing Decision (EU) 2023/1795
  • [AO] — German Fiscal Code, § 147