Data Processing Agreement.

The processor terms that apply when our customers handle personal data through NexScreening.

Data Processing Agreement (DPA)

Effective Date: 1st February 2025

Last Updated: 30th December 2025

This Data Processing Agreement ("DPA") forms part of the agreement between NexGlobal LLC, operating NexScreening under NexSystems ("Processor"), and the customer using the Services ("Controller").

This DPA applies where and to the extent that NexGlobal processes Personal Data on behalf of the Controller in the course of providing the NexScreening Services.

1. Purpose, Scope, and Relationship to Other Agreements

1.1 Purpose of This DPA

This DPA sets out the data protection obligations of the parties in accordance with Article 28 of the GDPR, UK GDPR, and other applicable data protection laws. It governs the conditions under which the Processor processes Personal Data on behalf of the Controller. The DPA ensures that processing is conducted lawfully, fairly, and transparently. It defines responsibilities, safeguards, and limitations applicable to Personal Data processing. This DPA applies only to processing activities performed as part of the Services. It does not apply to processing activities carried out independently by the Controller.

1.2 Relationship to the EULA and T&C

This DPA supplements the End User License Agreement (EULA), Terms & Conditions, and Privacy Policy. In the event of a conflict relating to data protection matters only, this DPA shall prevail. All other provisions of the EULA and T&C remain fully effective. Nothing in this DPA expands the Processor's obligations beyond Applicable Law. Commercial terms remain governed by the main agreement. This DPA does not create joint controllership.

1.3 Applicability

This DPA applies only where:

  • the Controller submits Personal Data to the Services; and
  • the Processor processes such Personal Data solely on the Controller's instructions.

If no Personal Data is processed, this DPA does not apply. The Controller determines whether data qualifies as Personal Data. The Processor does not independently determine applicability. Regulatory definitions under Applicable Law apply.

2. Roles of the Parties

2.1 Data Controller

The Controller determines:

  • the purposes of processing;
  • the lawful basis for processing;
  • the categories of data subjects;
  • the retention periods and use of results.

The Controller is solely responsible for compliance with Applicable Law. The Controller ensures transparency to data subjects. The Controller bears responsibility for regulatory reporting. The Processor does not assume controller obligations.

2.2 Data Processor

The Processor processes Personal Data solely:

  • on documented instructions from the Controller;
  • to provide the Services;
  • within the scope of this DPA.

The Processor does not determine purposes or means. The Processor does not act as a joint controller. Processing is limited to technical and operational execution. Any deviation requires written authorization.

2.3 No Joint Controllership

Nothing in this DPA creates joint controllership. The Processor does not make decisions affecting data subject rights. Screening outputs are generated automatically. The Controller retains decision-making authority. Risk assessments and outcomes are the Controller's responsibility. This allocation reflects industry practice.

3. Description of Processing

3.1 Subject Matter of Processing

The subject matter of processing is the provision of compliance screening services. Processing includes sanctions screening, PEP screening, adverse media screening, and passport checks. Processing occurs when the Controller submits data for screening. Processing does not extend beyond service provision. No profiling or marketing processing occurs. Processing is limited and purpose-specific.

3.2 Duration of Processing

Processing occurs for the duration of the Services. Additional retention may occur where legally required. Retention periods are primarily determined by the Controller. Processing ceases upon termination, subject to lawful retention. Anonymization or deletion follows termination instructions. No indefinite retention occurs.

3.3 Categories of Data Subjects

Data subjects may include:

  • customers or clients of the Controller;
  • counterparties or business partners;
  • beneficial owners or directors;
  • employees or representatives (where lawful).

The Processor does not determine who is screened. Screening scope is defined by the Controller. No direct relationship exists with data subjects. Processing is indirect only.

3.4 Categories of Personal Data

Personal Data may include:

  • names and aliases;
  • dates and places of birth;
  • nationality;
  • passport or document references;
  • public roles and political exposure;
  • references in public or regulatory sources.

Special category data is not intentionally processed. Any incidental processing is limited to lawful public sources.

4. Processor Obligations

4.1 Processing on Instructions Only

The Processor processes Personal Data only on documented instructions. Instructions are defined by use of the Services. If an instruction is unlawful, the Processor shall notify the Controller. The Processor will not act on unlawful instructions. No independent processing occurs. All processing is traceable.

4.2 Confidentiality

Processor personnel are bound by confidentiality obligations. Access is limited to authorized individuals. Training is provided on data protection principles. Confidentiality survives termination. Unauthorized disclosure is prohibited. Controls are regularly reviewed.

4.3 Security Measures

The Processor implements technical and organizational measures. Measures include access controls, encryption in transit, and monitoring. Security practices align with industry standards. Absolute security cannot be guaranteed. Measures are reviewed periodically. Risk-based assessments are applied.

4.4 Assistance to the Controller

The Processor provides reasonable assistance with:

  • data subject rights;
  • DPIAs;
  • breach notifications.

Assistance is limited to information within the Processor's control. The Processor does not provide legal advice. Costs may be recoverable where excessive. Timelines follow Applicable Law.

5. Data Subject Rights

5.1 Controller Responsibility

The Controller is solely responsible for responding to data subject requests. This includes access, rectification, erasure, and objection. The Processor does not respond directly. The Controller determines eligibility of requests. The Processor follows lawful instructions. Documentation is maintained.

5.2 Processor Assistance

The Processor assists where feasible. Assistance may include confirming processing or executing deletion. Requests must be documented. The Processor does not evaluate legality. Assistance is proportionate. Response times are reasonable.

6. Personal Data Breaches

6.1 Breach Notification

The Processor notifies the Controller without undue delay. Notification occurs upon awareness. Information includes nature and scope of the breach. Mitigation steps are described. Notification supports regulatory compliance. Updates are provided as available.

6.2 Controller Obligations

The Controller is responsible for:

  • notifying authorities;
  • notifying data subjects;
  • conducting impact assessments.

The Processor does not notify regulators directly. Responsibilities are clearly allocated. This reflects GDPR requirements. No assumption of liability occurs.

7. Sub-Processors

7.1 Authorization

The Controller grants general authorization for subprocessors. Subprocessors support infrastructure and security. Authorization is limited to service provision. Material changes may be notified. The Processor maintains oversight. Use is minimized.

7.2 Safeguards

Subprocessors are contractually bound. Obligations mirror this DPA. Security and confidentiality are required. Audits may be conducted indirectly. Compliance is monitored. Risk is managed.

7.3 Responsibility

The Processor remains responsible for subprocessors. Liability is limited as permitted by law. This does not expand contractual liability. Risk allocation remains unchanged. Oversight is continuous. Documentation is maintained.

8. International Data Transfers

8.1 Cross-Border Transfers

Data may be processed internationally. Transfers occur where services are global. Safeguards such as SCCs are applied. Legal requirements are assessed. Transfers are documented. Compliance is monitored.

8.2 No Localization Guarantee

The Processor does not guarantee localization. Data residency requires express agreement. Processing locations may change. Security standards remain consistent. Transparency is maintained. Legal obligations are respected.

9. Data Retention and Deletion

9.1 Retention

Personal Data is retained only as necessary. Retention aligns with service provision. Legal obligations may require longer retention. Retention is documented. Excess data is minimized. Policies are enforced.

9.2 Deletion or Return

Upon termination and instruction, data is deleted or anonymized. Deletion may be subject to legal holds. Confirmation may be provided. Deletion methods are secure. No residual access remains. Compliance is documented.

10. Audits and Information Rights

10.1 Information Requests

The Controller may request compliance information. Requests must be reasonable. Responses are provided within scope. Confidential information is protected. No on-site audits by default. Documentation may be substituted.

10.2 Limitations

Audits do not include source code. Security restrictions apply. Frequency is limited. Costs may be allocated. Business disruption is minimized. Regulatory audits are supported where required.

11. Liability and Indemnity

11.1 Allocation of Liability

This DPA does not expand liability. Liability is governed by the main agreement. Statutory obligations remain unaffected. Risk is allocated contractually. Fees reflect this allocation. No implied warranties arise.

11.2 Controller Indemnity

The Controller indemnifies the Processor for:

  • unlawful instructions;
  • lack of lawful basis;
  • misuse of Personal Data.

This reflects controller responsibility. Indemnity survives termination. Claims must be notified. Defense cooperation is required.

12. Governing Law

This DPA is governed by the laws of the State of Wyoming, USA. Conflict of law rules do not apply. Jurisdiction follows the main agreement. Regulatory law remains applicable. Interpretation aligns with Applicable Law. Consistency is ensured.

13. Survival

This DPA survives termination as required by law. Obligations continue where processing continues. Confidentiality survives. Liability provisions survive. Data protection obligations remain enforceable. This reflects statutory requirements.