Data Processing Addendum
Last updated 2026-06-03
This Data Processing Addendum ("DPA") forms part of the Nexvendo Terms of Service and applies whenever Nexvendo ApS ("Processor") processes personal data on behalf of a customer ("Controller") under the GDPR. By accepting the Terms of Service, the Controller is deemed to have accepted this DPA on behalf of itself and its authorised users.
1. Definitions
Terms used in this DPA have the meanings given in the GDPR. "Customer Personal Data" means personal data uploaded to or generated within the Nexvendo platform by the Controller or its end users.
2. Subject matter, duration, and nature of processing
The Processor processes Customer Personal Data for the duration of the Controller's subscription, for the purpose of providing the Nexvendo platform — catalog aggregation, product matching, quoting, customer relationship management, and related features. Processing includes collection, storage, organisation, retrieval, transmission, and erasure.
3. Categories of data subjects and personal data
Data subjects: the Controller's end users (employees, contractors) and the Controller's customers (business contacts) whose details are entered into the platform.
Categories of personal data: business contact details (name, email, phone, work address), role, organisation affiliation, account metadata, communication content provided by the Controller. No special-category data is processed by default.
4. Obligations of the Processor
The Processor:
- processes Customer Personal Data only on documented instructions from the Controller (the Terms of Service and the configuration of the platform constitute such instructions);
- ensures that persons authorised to process Customer Personal Data have committed to confidentiality;
- implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see Annex);
- assists the Controller in responding to data subject requests and in complying with Articles 32–36 GDPR;
- notifies the Controller without undue delay (and in any event within 72 hours where feasible) after becoming aware of a personal data breach;
- on termination of the subscription deletes or returns all Customer Personal Data on request, subject to legal retention obligations.
5. Sub-processors
The Controller authorises the Processor to engage sub-processors listed in the Privacy Policy. The Processor remains responsible for sub-processor compliance and ensures equivalent data-protection obligations are imposed on each sub-processor by written contract. The Processor will give the Controller at least 30 days' prior notice of any addition or replacement of a sub-processor (by posting on this page or the Privacy Policy), during which the Controller may object on reasonable data-protection grounds and, failing resolution, terminate the affected service.
6. International transfers
The Processor stores Customer Personal Data within the European Economic Area (EEA). Where any transfer outside the EEA becomes necessary, the Processor will rely on Standard Contractual Clauses adopted by the European Commission or another lawful transfer mechanism.
7. Audit
The Processor will provide the Controller, on reasonable written request, with information necessary to demonstrate compliance with this DPA, including third-party audit reports where available. On-site audits are limited to one per calendar year and subject to confidentiality terms and 30 days' notice.
8. Liability and indemnity
The liability provisions of the Terms of Service apply to claims arising under this DPA. Each party is liable for damages it causes through its non-compliance with the GDPR or this DPA.
9. Order of precedence
Where there is a conflict between this DPA and the Terms of Service, this DPA prevails for matters relating to data protection.
Annex: Technical and organisational measures (summary)
- Encryption of data in transit (TLS 1.2+) and credential encryption at rest (AES-256-GCM).
- Tenant isolation enforced via Postgres Row-Level Security policies.
- Restricted internal access to production systems; least-privilege role assignments.
- Daily backups retained for up to 35 days; point-in-time recovery for the production database.
- Vulnerability monitoring via dependency scanning and infrastructure provider security tooling.
- Incident response procedures with logging and customer-notification commitments.
This DPA template is provided as a starting point. Customers with specific regulatory requirements (financial services, public sector, healthcare) may require a negotiated DPA — contact info@nexvendo.com to discuss.