Sign inTalk to specialists

Data Processing Addendum (DPA)

Contractual addendum governing NEXEFII's processing of personal data as processor on behalf of the Customer (controller). Covers roles, purpose, processor obligations, subprocessors, data subject rights, incident notification, international transfers, audits, and data deletion.

Version
2026.2
Last updated
2026-07-11

1. Roles: Controller and Processor

This Data Processing Addendum ("DPA") forms an integral part of the NEXEFII Terms of Service and governs the processing of personal data carried out by NEXEFII in connection with the provision of contracted services.

For the purposes of this DPA, the Customer acts as the data controller (as defined under applicable data protection law), identified in the Commercial Agreement as the Customer, as controller of Customer Data, with NEXEFII acting as processor. The controller determines the purposes and means of processing personal data of users and data subjects associated with it.

NEXEFII acts as the data processor, processing personal data only on behalf of and under the documented instructions of the Customer, under the conditions and for the purposes set out in this DPA and the Commercial Agreement.

When NEXEFII processes personal data for its own independent purposes — such as Administrator account data for contract management — it may act as an independent controller. That scope is detailed in the NEXEFII Privacy Policy.

2. Subject Matter, Nature, and Purpose of Processing

NEXEFII processes personal data on behalf of the Customer exclusively for the following purposes: (i) delivery of the contracted Platform features and modules; (ii) provision of technical support authorized by the Customer; (iii) Platform maintenance, security monitoring, and improvement, to the extent necessary for service delivery; and (iv) compliance with legal obligations applicable to NEXEFII as processor.

The nature of the processing includes collection, storage, access, organization, retrieval, transmission, use, restriction, deletion, and any other operations required for the purposes described above.

The duration of processing corresponds to the Subscription Term under the Commercial Agreement, plus the period required to fulfill legal obligations or process outstanding data subject requests, as specified in Section 10 (Return and Deletion upon Termination).

3. Categories of Data and Data Subjects

Categories of personal data processed by NEXEFII as processor include, as configured by the Customer: (i) End User identification data (name, email address, account identifiers); (ii) Platform usage and interaction data (access logs, preferences, action history within the Customer's account); (iii) contact and organizational data of Administrators; (iv) transactional and financial data associated with the Customer's Commercial Agreement; and (v) any other personal data contained in Customer Data as submitted by the Customer itself.

NEXEFII does not request or encourage submission of special categories of personal data (sensitive data, health data, biometric data, data of minors) to the Platform. Should the Customer submit such data, the Customer is responsible for ensuring an adequate legal basis and for notifying NEXEFII in advance so that additional protective measures can be assessed.

Data subjects are primarily: (i) the Customer's End Users; (ii) Administrators designated by the Customer; and (iii) third parties whose personal data is included in Customer Data by the Customer itself.

4. NEXEFII Processor Obligations

NEXEFII, in its capacity as processor, undertakes to:

Process personal data only on the basis of documented instructions from the Customer as set out in this DPA and the Commercial Agreement, unless required to act otherwise by applicable law, in which case NEXEFII will inform the Customer before processing to the extent permitted by law.

Ensure that persons authorized to process the Customer's personal data are bound by appropriate confidentiality obligations, whether contractual or statutory.

Implement and maintain appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, accidental loss, or destruction. Measures currently implemented on the Platform include: (i) role-based access control (RBAC) with strict tenant segregation; (ii) tenant isolation ensuring that one customer's data is not accessible to other customers; (iii) session management with automatic expiry and protection against session fixation; (iv) immutable audit trails for sensitive actions within the Platform; and (v) encryption of data in transit via TLS (Transport Layer Security). NEXEFII does not assert that all data at rest is encrypted — that claim is subject to technical review and confirmation by the security team.

Assist the Customer, through reasonable technical and organizational means, in fulfilling its obligations to respond to data subject rights requests, as described in Section 6.

Cooperate with audits conducted by the Customer or its designated auditor, as described in Section 9.

4.1. Support and Remote Access

In fulfilling its obligations as processor, any access by NEXEFII personnel to personal data processed on behalf of the Customer for support purposes is nominative (tied to a named support user), authorized by the Customer, temporary (with an expiration), and limited to the least privilege strictly necessary for the task.

NEXEFII does not use shared credentials or the Customer's password, and does not have permanent or standing access to the Customer's environment. Each support access is tied to a justification or ticket, protected by multi-factor authentication (MFA), revocable by the Customer, and recorded in an immutable audit trail, including start, end, and relevant actions.

Access is read-only by default, with write permitted only where necessary and authorized. Just-in-time (JIT) provisioning mechanisms with temporary time-boxed elevation are treated as a future improvement and are not yet implemented; until then, the nominative, transitional procedure described in this clause and in the Security Policy applies.

5. Subprocessing

The Customer authorizes NEXEFII to engage subprocessors for the delivery of the services, provided that: (i) NEXEFII enters into contracts with subprocessors imposing data protection obligations equivalent to those in this DPA; and (ii) NEXEFII remains liable to the Customer for the acts or omissions of subprocessors to the same extent as if NEXEFII had performed them directly.

The current list of authorized subprocessors is identified as NEXEFII's Subprocessor List and is maintained and published separately by NEXEFII. Payments are processed by Stripe, Inc., which acts as a subprocessor for financial data under its own data processing agreement.

NEXEFII will notify the Customer of any addition or replacement of subprocessors with reasonable advance notice, through the communication channel established in the Commercial Agreement or via a Platform notice. The Customer may object to the addition of a new subprocessor on legitimate data protection grounds by providing written notice within the timeframe indicated in the notification. If NEXEFII cannot accommodate the objection, the Customer may terminate the affected services in accordance with the procedure in Section 7 of the Terms.

6. Assistance with Data Subject Rights

The Customer, as controller, bears primary responsibility for receiving and responding to requests from data subjects exercising their data protection rights (access, rectification, deletion, portability, objection, restriction of processing, and others as provided under applicable law).

NEXEFII will provide the Customer with available technical means on the Platform to enable it to respond to data subject requests, including user data management tools available in Master Control. Where responding to a data subject requires technical action beyond the Customer's self-service capabilities, NEXEFII will cooperate with the Customer within a reasonable timeframe, as agreed.

Data subject requests sent directly to NEXEFII will be forwarded to the Customer, unless NEXEFII acts as an independent controller with respect to the data in question.

NEXEFII will not respond directly to data subject requests concerning data under the Customer's control without the Customer's explicit authorization, except where required by law.

7. Personal Data Breach Notification

NEXEFII will notify the Customer without undue delay and within without undue delay after confirmation of the incident of becoming aware of a personal data breach affecting data processed on behalf of the Customer, providing available information regarding: (i) the nature of the breach, including the categories and approximate number of data subjects and records affected; (ii) the measures taken or underway to contain and remediate the breach; and (iii) the likely consequences of the breach.

Initial notification may be made in stages as more information becomes available, within the timeframe above. NEXEFII will provide additional information as investigations progress.

The Customer is responsible for assessing whether the breach requires notification to data protection authorities or affected data subjects under applicable law, and for carrying out such communication.

A breach notification by NEXEFII does not constitute an admission of fault or liability for any damages arising from the breach.

8. International Data Transfers

NEXEFII may transfer personal data to third countries or international organizations only when: (i) the destination country provides an adequate level of protection recognized by the competent data protection authority; (ii) appropriate safeguards are in place, as per mechanism appropriate contractual safeguards for international transfers, where they occur; or (iii) one of the derogations provided under applicable data protection law applies.

Data hosting and processing regions are identified as managed cloud infrastructure (Railway). NEXEFII will update this information whenever there is a material change to processing regions.

The Customer acknowledges that the operation of cloud-based services may involve cross-border data transfers and authorizes NEXEFII to carry out such transfers in accordance with the conditions of this DPA.

9. Audits

The Customer has the right to audit NEXEFII's compliance with the obligations of this DPA, itself or through an independent auditor it designates, provided that: (i) the Customer notifies NEXEFII with reasonable advance notice (minimum thirty days, except in urgent circumstances); (ii) the audit is conducted during normal business hours without disruption to Platform operations; and (iii) the auditor is subject to adequate confidentiality obligations.

NEXEFII may alternatively provide the Customer with relevant third-party audit reports (such as security or compliance assessments conducted by independent auditors) covering the obligations of this DPA, subject to confidentiality agreements. The availability of such reports will be communicated to the Customer upon request.

Audit costs are the Customer's responsibility, except where the audit reveals material non-compliance by NEXEFII, in which case NEXEFII will bear its own costs.

10. Return and Deletion upon Termination

Following the expiry or termination of the Commercial Agreement for any reason, the Customer will have access to the Platform solely for the purpose of exporting its data for a period of the periods defined in the Data Retention and Deletion Policy (to be confirmed). NEXEFII will provide the export tools available on the Platform during that period.

After the export period, NEXEFII will, unless otherwise required by applicable law, delete or render irreversible the Customer's personal data processed on its behalf, providing written confirmation to the Customer that deletion has been carried out.

NEXEFII may retain certain personal data for the minimum period required by applicable law, audit obligations, or the defense of rights in judicial, administrative, or arbitration proceedings. The Customer will be informed of any such retention.

Authorized subprocessors will be instructed to likewise proceed with deletion or return of personal data in accordance with NEXEFII's instructions and the obligations of this DPA.

11. Legal Basis for Processing

The legal basis on which the Customer grounds the processing of personal data it controls and delegates to NEXEFII for processing is the Customer's responsibility and must be determined by qualified legal counsel and DPO. The summary of legal bases applicable to the Customer's context is identified as the legal bases applicable to service delivery and compliance with legal obligations.

The Customer is responsible for ensuring that its delegation of personal data processing to NEXEFII, including any international transfers, is supported by a valid legal basis under applicable law (including, where applicable, the Brazilian General Data Protection Law — LGPD — and the General Data Protection Regulation — GDPR).

NEXEFII is not responsible for determining the adequacy of the Customer's legal basis or for auditing the Customer's compliance with its controller obligations toward data subjects and data protection authorities.

12. Contact and Data Protection Officer (DPO)

For matters related to personal data processing and this DPA, the Customer may contact NEXEFII at contact@nexefii.com.

NEXEFII's Data Protection Officer (DPO) is NEXEFII's privacy contact (contact@nexefii.com), reachable at contact@nexefii.com. The Customer may send data subject rights requests, privacy complaints, and DPA-related enquiries directly to the DPO.

NEXEFII undertakes to respond to communications related to this DPA within a reasonable timeframe and to cooperate in good faith with the Customer and competent data protection authorities.