Data Processing Agreement
Version 1.0 — Last updated: April 2026
This DPA forms part of the agreement between NexCyberEU and the Customer. It is incorporated by reference into the Terms of Service and applies whenever NexCyberEU processes personal data on behalf of the Customer.
1. Definitions
Capitalized terms used in this DPA have the meaning given to them in Regulation (EU) 2016/679 (the “GDPR”) unless defined here.
- Controller: the Customer using the NexCyberEU platform.
- Processor: NexCyberEU acting on documented instructions of the Customer.
- Sub-processor: any third party engaged by NexCyberEU to process Customer Data.
- Customer Data: personal data submitted to or generated by the platform.
2. Scope and purpose
NexCyberEU processes Customer Data solely for the purpose of providing the regulatory compliance services described in the Terms of Service. Processing is limited to what is necessary to run assessments, ingest evidence, generate compliance artifacts and operate the platform.
3. Categories of data and data subjects
- Categories of data: account credentials, profile metadata, product descriptions, technical specifications, uploaded compliance evidence, SBOM artifacts, audit logs.
- Categories of data subjects: Customer employees, Customer end-users referenced in submitted documents, persons identified in evidence artifacts.
- Special categories: NexCyberEU does not request and does not require any special category of personal data under Article 9 GDPR.
4. Duration
Processing continues for the duration of the Customer's subscription. After termination, Customer Data is retained for the periods described in section 8 of this DPA, then deleted.
5. Obligations of NexCyberEU as processor
NexCyberEU undertakes to:
- Process Customer Data only on the documented instructions of the Customer.
- Ensure all personnel authorised to process Customer Data are bound by confidentiality.
- Implement appropriate technical and organisational measures (Article 32 GDPR), as described in the Trust & Security page.
- Assist the Customer in responding to data subject requests under Articles 15–22 GDPR.
- Notify the Customer without undue delay after becoming aware of a personal data breach.
- Make available all information necessary to demonstrate compliance with Article 28 GDPR.
- Allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
6. Sub-processors
The Customer authorises NexCyberEU to engage the sub-processors listed on the Sub-processors page. NexCyberEU will:
- Impose data protection obligations on each sub-processor that are no less protective than those in this DPA.
- Notify the Customer of any intended addition or replacement of sub-processors at least 30 days in advance.
- Remain fully liable for the acts and omissions of its sub-processors.
7. International transfers
NexCyberEU stores and processes Customer Data exclusively within the European Union. Where a sub-processor is established outside the EU/EEA, transfers are governed by the Standard Contractual Clauses (Commission Decision 2021/914) or by an adequacy decision under Article 45 GDPR.
8. Retention and deletion
Account data is retained for the duration of the active subscription and 12 months after account closure. Assessment and evidence data may be retained for up to 36 months to support compliance audit trails unless the Customer requests earlier deletion. Usage logs are retained for 90 days. After the applicable retention period, Customer Data is deleted from production systems and from backups within 35 days.
9. Security incidents
In the event of a personal data breach affecting Customer Data, NexCyberEU will notify the Customer without undue delay, and in any case within 48 hours of becoming aware. The notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences and the measures taken to mitigate the breach.
10. Audits
The Customer may request an annual audit of NexCyberEU's technical and organisational measures, with reasonable prior notice. Audits must be conducted during business hours, must not disrupt the platform's operations and must respect the confidentiality of other customers. NexCyberEU may satisfy audit requests by providing third-party attestations (when available) such as ISO 27001 or SOC 2 reports.
11. Liability and governing law
The liability provisions of the Terms of Service apply to this DPA. This DPA is governed by French law. Any dispute arising out of or in connection with this DPA falls under the exclusive jurisdiction of the courts of Paris, France.
12. Signature
A countersigned copy of this DPA is available on request for the Customer's compliance and procurement records. Contact our privacy team via the DPA & privacy form to receive the signature-ready PDF.