Data Processing Addendum
This Data Processing Addendum (the "DPA") forms part of the Nxera Terms of Service (the "Agreement") between Nxera Digital LLC ("Nxera") and the Client identified in the underlying Agreement ("Client"). It applies whenever Nxera Processes Personal Data on behalf of Client in connection with the Services.
In the event of any conflict between this DPA and the Agreement on data-protection matters, this DPA controls. In the event of any conflict between this DPA and any Standard Contractual Clauses or jurisdiction-specific addendum incorporated by reference, that incorporated instrument controls to the extent of the conflict.
1. Definitions
In this DPA:
- "Applicable Data Protection Laws" means all data-protection and privacy laws applicable to the Processing of Personal Data under the Agreement, including: the California Consumer Privacy Act and California Privacy Rights Act ("CCPA/CPRA"); the data-protection statutes of other U.S. states as they take effect (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Florida, Delaware, New Jersey, New Hampshire, Maryland, Minnesota, Rhode Island, and any successor laws); and, where applicable to Nxera or Client, the EU General Data Protection Regulation ("GDPR"), the UK Data Protection Act 2018 and UK GDPR ("UK GDPR"), the Personal Information Protection and Electronic Documents Act of Canada ("PIPEDA"), and similar laws in other jurisdictions.
- "Controller," "Processor," "Data Subject," "Personal Data," "Personal Information," "Process / Processing," "Sale / Share," "Service Provider," and "Contractor" have the meanings given in the Applicable Data Protection Laws.
- "Customer Personal Data" means Personal Data Processed by Nxera on behalf of Client under the Agreement.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
- "Standard Contractual Clauses" or "SCCs" means, as applicable: the standard contractual clauses approved by the European Commission for the transfer of personal data to third countries (Commission Implementing Decision (EU) 2021/914), the UK International Data Transfer Addendum to the EU SCCs, and any successor or replacement instruments.
- "Sub-processor" means any third party engaged by Nxera to Process Customer Personal Data on Nxera's behalf.
Capitalized terms not defined here have the meanings given in the Agreement.
2. Roles of the Parties
2.1 Roles
For Customer Personal Data, Client is the Controller (or "Business" under CCPA/CPRA), and Nxera is the Processor (or "Service Provider" under CCPA/CPRA), except that Nxera acts as Controller for Personal Data it Processes for its own legitimate business purposes (account management, billing, fraud prevention, security, product improvement in aggregated form, legal compliance, and the operation of the Sites generally), as described in the Privacy Policy.
2.2 Compliance
Each party will comply with its respective obligations under Applicable Data Protection Laws.
2.3 Client Responsibilities
Client represents, warrants, and covenants that: (a) Client has and will maintain a lawful basis to Process all Customer Personal Data and to instruct Nxera to Process it (including, where required, the consent of Data Subjects); (b) Client has provided all required notices to Data Subjects; (c) Client's instructions to Nxera comply with Applicable Data Protection Laws; (d) Client will not provide Nxera with sensitive or special-category Personal Data except as expressly authorized in writing by Nxera; (e) Client is solely responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which Client acquired it.
3. Scope, Nature, and Purpose of Processing
3.1 Subject Matter and Duration
The subject matter of Processing is the Services described in the Agreement. The duration is the term of the Agreement plus any retention period required by law or set out in the Privacy Policy.
3.2 Nature and Purpose
Nxera Processes Customer Personal Data to: build and host websites for Client; deliver AI visibility scans, monthly reports, and postcards; provide customer support; process payments; comply with law; and otherwise fulfill the Agreement.
3.3 Categories of Data Subjects
- Client's customers and prospective customers;
- Client's employees and team members whose data Client provides;
- Visitors to Client's Hosted Site;
- Recipients of postcards Client directs Nxera to send;
- Other individuals about whom Client provides Personal Data.
3.4 Categories of Personal Data
Customer Personal Data may include: name; contact details (email, phone, mailing address); business information; photographs; reviews and testimonials; payment information (handled by Stripe; Nxera does not store full card numbers); website usage data; IP addresses; postcard recipient mailing addresses; and any other Personal Data Client provides or directs Nxera to Process.
3.5 No Sensitive Categories
Client agrees not to provide Nxera with special-category, sensitive, financial-account, government-identifier, biometric, health, children's, or similar restricted data, except as expressly authorized in writing by Nxera. Nxera is not responsible for safeguards specific to such data unless explicitly agreed.
4. Nxera's Obligations as Processor
Nxera will:
(a) Process Customer Personal Data only on documented instructions from Client (the Agreement, this DPA, and Client's use of the Services constitute such instructions), including instructions regarding international transfers, except as required by law (in which case Nxera will notify Client unless legally prohibited);
(b) Confine access to authorized personnel who have a need to know and are bound by confidentiality obligations;
(c) Implement and maintain appropriate technical and organizational measures consistent with Section 7 below;
(d) Engage Sub-processors only in accordance with Section 5;
(e) Assist Client, taking into account the nature of the Processing, in responding to Data Subject requests under Applicable Data Protection Laws (access, deletion, correction, portability, restriction, objection);
(f) Assist Client in fulfilling its obligations under Applicable Data Protection Laws to conduct data-protection impact assessments and prior consultations with supervisory authorities;
(g) Notify Client without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data (Section 8);
(h) At Client's choice, delete or return Customer Personal Data at the end of the Services as set out in Section 8 of the Refund Policy and Section 6.6 of the Terms, except where retention is required by law;
(i) Make available to Client all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits under Section 6;
(j) Maintain a written record of Processing activities as required by Applicable Data Protection Laws.
4.1 CCPA/CPRA-Specific Provisions
Nxera will not: (a) Sell or Share Customer Personal Data; (b) retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified in the Agreement; (c) retain, use, or disclose Customer Personal Data outside of the direct business relationship with Client; or (d) combine Customer Personal Data with personal information Nxera receives from other sources, except as expressly permitted by the CCPA/CPRA. Nxera certifies that it understands and will comply with these restrictions.
4.2 GDPR/UK GDPR-Specific Provisions (When Applicable)
Where Nxera Processes Personal Data subject to GDPR or UK GDPR, the parties agree that this DPA satisfies Article 28 of GDPR and UK GDPR. The SCCs are deemed incorporated into this DPA by reference for any restricted transfer requiring them; the parties' contact details, processing description, and Annex parameters are derived from this DPA and the Agreement.
5. Sub-Processors
5.1 General Authorization
Client authorizes Nxera to engage Sub-processors to Process Customer Personal Data, subject to this Section 5. Nxera will impose data-protection obligations on Sub-processors that are no less protective than those in this DPA.
5.2 Current Sub-processor List
| Sub-processor | Role | Region |
|---|---|---|
| Stripe, Inc. | Payment processing | USA |
| Vercel Inc. | Website hosting and content delivery | USA / Global |
| Supabase, Inc. | Database, authentication, file storage | USA |
| Anthropic, PBC | AI content generation (Claude API) | USA |
| Resend, Inc. | Transactional email delivery | USA |
| Lob.com, Inc. | Postcard production and mailing | USA |
| Google LLC | Places data, font delivery | USA / Global |
| Cloudflare, Inc. | DDoS protection, bot management, CDN | USA / Global |
The current Sub-processor list is also published at getnxera.com/sub-processors and is updated when changes occur.
5.3 Notice of New Sub-processors
Nxera will notify Client of any new Sub-processor at least thirty (30) days before engaging the new Sub-processor (or, in case of urgent operational need, as soon as reasonably practicable).
5.4 Right to Object
Client may object to a new Sub-processor on reasonable, documented data-protection grounds within fifteen (15) days of notice by emailing info@getnxera.com (subject line "Sub-processor Objection"). The parties will discuss the objection in good faith. If the parties cannot resolve the objection within thirty (30) days, Client may terminate the affected Service component without further fees as its sole and exclusive remedy.
5.5 Liability for Sub-processors
Nxera remains responsible to Client for the acts and omissions of Sub-processors as if they were Nxera's own.
6. Audits
6.1 Information and Audit Rights
Nxera will make available to Client information reasonably necessary to demonstrate compliance with this DPA, which may take the form of: (a) Nxera's most recent third-party audit report (when one exists); (b) responses to a reasonable security questionnaire; (c) a written summary of relevant policies and controls.
6.2 On-Site Audits
On reasonable advance written notice (at least sixty (60) days), and no more than once per twelve (12) month period (except when an audit is required following a Personal Data Breach or by order of a supervisory authority), Client may conduct an audit of Nxera's data-protection controls relevant to the Processing of Customer Personal Data.
6.3 Audit Limitations
Audits must: (a) Be conducted during regular business hours and in a manner that does not unreasonably interfere with Nxera's operations; (b) Be conducted by Client or a mutually-agreed independent third-party auditor (not a competitor of Nxera and not a person or firm to which Nxera reasonably objects); (c) Be subject to reasonable confidentiality obligations; (d) Be conducted at Client's expense; (e) Be limited to information relevant to Customer Personal Data Processing; (f) Not include access to information of other Nxera customers or to Nxera's source code, trade secrets, or proprietary methodologies.
6.4 Sub-processor Audits
For Sub-processors, Nxera will make available the most recent audit report or compliance certification of that Sub-processor that Nxera holds. Where Client requires a direct audit of a Sub-processor and the Sub-processor permits, Nxera will use commercially reasonable efforts to facilitate.
7. Security Measures
Nxera implements and maintains technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful Processing and accidental loss, destruction, or damage, including:
- Encryption: TLS 1.2 or higher in transit; encryption at rest provided by underlying cloud-provider infrastructure.
- Access Control: Role-based access for Nxera personnel with the principle of least privilege; multi-factor authentication for all staff access to production systems.
- Authentication: Multi-factor authentication available to Client users on the portal.
- Network Security: Bot mitigation, DDoS protection, and continuous monitoring through Cloudflare.
- Backups and Disaster Recovery: Regular database backups via Supabase with point-in-time recovery; documented disaster-recovery procedures.
- Vulnerability Management: Routine review of dependencies and infrastructure for known vulnerabilities; timely patching.
- Logging and Monitoring: Audit logging for production system access; security monitoring for anomalous activity.
- Incident Response: Documented procedures for identifying, containing, and notifying on Personal Data Breaches.
- Personnel: Confidentiality obligations binding all personnel; security training; background checks for personnel with production access where lawful.
- Vendor Management: Sub-processor selection criteria include data-security and contractual data-protection commitments.
- Physical Security: Cloud-provider data centers maintain physical security controls.
These measures may be updated from time to time, but in no case will updates materially decrease the level of protection.
8. Data Breach Notification
8.1 Notification Timing
Nxera will notify Client without undue delay and in any event within seventy-two (72) hours of confirming a Personal Data Breach affecting Customer Personal Data.
8.2 Notification Content
Notice will include, to the extent then known: the nature of the Breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address the Breach and mitigate its effects.
8.3 Cooperation
Nxera will cooperate reasonably with Client in investigating and responding to the Breach.
8.4 No Admission
Notification of a Breach is not an admission of fault or liability by Nxera. The notification timeline begins when Nxera reaches a reasonable conclusion that a Breach has occurred, not at the moment of any precursor incident, suspicion, or alarm.
8.5 Client Notifications
Where Applicable Data Protection Laws require Client (as Controller) to notify Data Subjects or supervisory authorities, Client is responsible for those notifications. Nxera will provide reasonable assistance.
9. International Data Transfers
9.1 US Operations
Nxera operates from the United States. Customer Personal Data is Processed in the United States.
9.2 Transfer Mechanisms
If applicable to a particular Client, Nxera will rely on lawful transfer mechanisms recognized under the Applicable Data Protection Laws, which may include without limitation: (a) the Standard Contractual Clauses adopted by the European Commission; (b) the UK International Data Transfer Addendum; (c) Canada-EU adequacy determinations; (d) explicit Data Subject consent where appropriate; or (e) other mechanisms approved by competent authorities. The applicable mechanism will be deemed incorporated into this DPA upon Client's request and Nxera's confirmation that the Services are made available to that jurisdiction.
9.3 Future Expansion
If Nxera offers Services to Clients in jurisdictions requiring formal SCCs, Nxera will execute the relevant SCCs (or successor instrument) at that time as a separate annex to this DPA.
10. Liability and Indemnification
The liability of each party under this DPA is subject to the limitations of liability set forth in Section 12 of the Terms. Nothing in this DPA increases either party's aggregate liability above the cap stated in the Terms. The indemnification obligations in Section 13 of the Terms apply to claims arising from breach of this DPA.
11. Term and Termination
This DPA takes effect on the Effective Date and remains in effect for the duration of the Agreement and for any period during which Nxera continues to Process Customer Personal Data. Sections that by their nature should survive will survive termination, including without limitation Sections 4(h), 7, 8, 9, 10, and this Section 11.
12. Updates to This DPA
Nxera may update this DPA to reflect changes in Applicable Data Protection Laws or business practice. Material updates will be communicated by email at least thirty (30) days before they take effect. Continued use of the Services after the effective date constitutes acceptance.
13. Order of Precedence
The order of precedence between this DPA and other Nxera documents on data-protection matters is as follows: (a) any executed jurisdiction-specific addendum or executed SCCs control to their extent; (b) this DPA controls over the Privacy Policy and Cookie Policy; (c) the Terms control over this DPA on non-data-protection matters.
14. Contact
Questions about data protection: info@getnxera.com (subject line: "Data Protection")
Nxera Digital LLC, 1201 E Ponce De Leon Blvd, Coral Gables, FL 33134
This DPA was last updated on April 27, 2026. Version 2.1.