Data Processing Agreement

1. Overview

This Data Processing Agreement ("DPA") forms part of the service agreement between Nexurift LLC ("Data Processor" or "Nexurift") and the client ("Data Controller" or "Client"). This DPA sets out the terms governing the processing of personal data by Nexurift on behalf of the Client in connection with our consulting services.

2. Definitions

Personal Data — Any information relating to an identified or identifiable natural person
Processing — Any operation performed on personal data, including collection, storage, use, transfer, and deletion
Data Subject — An identified or identifiable natural person whose personal data is processed
Sub-processor — A third party engaged by Nexurift to process personal data on behalf of the Client

3. Scope of Processing

Nexurift processes personal data only as necessary to provide consulting services as defined in the applicable service agreement. The types of data processed, categories of data subjects, and purposes of processing are determined by the specific engagement and documented in the service agreement.

4. Obligations of Nexurift

As a Data Processor, Nexurift shall:

Process personal data only on documented instructions from the Client
Ensure that persons authorized to process personal data are bound by confidentiality obligations
Implement appropriate technical and organizational security measures
Engage sub-processors only with prior consent of the Client and under a written agreement
Assist the Client in responding to data subject requests
Notify the Client without undue delay upon becoming aware of a personal data breach
Delete or return all personal data upon termination of the engagement, unless retention is required by law

5. Security Measures

Nexurift implements the following security measures to protect personal data:

Encryption — All data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256 where applicable
Access Controls — Role-based access controls with the principle of least privilege. Multi-factor authentication for all systems
Infrastructure — Services hosted on Amazon Web Services (AWS) with SOC 2, ISO 27001, and other industry certifications
Monitoring — Continuous security monitoring and logging of access to systems containing personal data
Incident Response — Documented incident response procedures with notification within 72 hours of a confirmed breach

6. Sub-processors

Nexurift uses the following sub-processors in connection with its services. The Client is deemed to have given general authorization for the use of these sub-processors:

Sub-processor	Purpose	Location
Amazon Web Services (AWS)	Cloud hosting, compute, and storage	United States
Cloudflare	DNS, CDN, and bot protection	United States
Resend	Transactional email delivery	United States

Nexurift will notify the Client of any intended changes to the list of sub-processors, giving the Client the opportunity to object to such changes.

7. International Data Transfers

When personal data is transferred outside of the data subject's jurisdiction, Nexurift ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or other legally recognized transfer mechanisms as required by applicable data protection laws.

8. Data Subject Rights

Nexurift will assist the Client in fulfilling its obligations to respond to data subject requests, including requests for access, rectification, erasure, restriction of processing, data portability, and objection to processing. Nexurift will promptly notify the Client if it receives a request directly from a data subject.

9. Data Breach Notification

In the event of a personal data breach, Nexurift will notify the Client without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

10. Audit Rights

Nexurift will make available to the Client all information necessary to demonstrate compliance with data processing obligations. The Client may conduct audits, including inspections, upon reasonable notice. Nexurift will contribute to such audits and cooperate with the Client or its designated auditor.

11. Duration and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination, Nexurift will, at the Client's choice, delete or return all personal data processed on behalf of the Client, unless retention is required by applicable law. Nexurift will certify the deletion of data upon request.

12. Contact Us

For questions regarding this Data Processing Agreement or our data handling practices, please contact us at:

Nexurift LLC
Latham, New York
Email: hello@nexurift.com
Or visit our Contact Page