Data Processing Agreement
This Nexus Grid Data Processing Agreement (“DPA”) forms part of any contract or engagement where Nexus Grid processes personal data on behalf of a customer. This DPA ensures compliance with applicable data protection laws, including the UK GDPR, EU GDPR, and relevant international regulations.
────────────────────────────────────────────────────────────────────────
1. Definitions
“Nexus Grid” refers to the provider of cybersecurity and related services.
“Customer” refers to the entity receiving services from Nexus Grid.
“Personal Data” means any information relating to an identifiable individual.
“Processing” means any action performed on Personal Data.
“Controller” means the entity determining the purposes of Processing.
“Processor” means the entity Processing data on behalf of the Controller.
“Sub-processor” means third-party providers engaged by Nexus Grid.
────────────────────────────────────────────────────────────────────────
2. Purpose of Processing
Nexus Grid processes Personal Data solely to provide contracted services, including:
• Cybersecurity consulting
• Managed security operations
• Incident response
• Compliance and GRC support
• Cloud and identity services
• Training and workforce development
Personal Data is never processed for purposes other than fulfilling service obligations.
────────────────────────────────────────────────────────────────────────
3. Roles and Responsibilities
3.1 Customer as Controller
The Customer determines the purpose and legal basis for Processing.
3.2 Nexus Grid as Processor
Nexus Grid processes Personal Data on the Customer’s instructions and maintains appropriate safeguards to protect the information.
────────────────────────────────────────────────────────────────────────
4. Instructions for Processing
Nexus Grid will only process Personal Data:
• Based on documented instructions from the Customer
• For the duration of the contract
• To the extent necessary to fulfil service requirements
• In accordance with this DPA and applicable law
If Nexus Grid believes an instruction violates data protection law, we will notify the Customer promptly.
────────────────────────────────────────────────────────────────────────
5. Confidentiality
Nexus Grid ensures that:
• All personnel handling Personal Data are bound by confidentiality obligations
• Access is restricted to staff who require it to perform services
• Confidentiality remains in place after employment or contract termination
────────────────────────────────────────────────────────────────────────
6. Security Measures
Nexus Grid implements appropriate technical and organisational measures, including:
• Encryption of data in transit and at rest
• Access controls and authentication
• Secure networks and firewalls
• Audit logging and monitoring
• Incident detection and response procedures
• Regular security assessments and staff training
Additional measures may be applied depending on the service provided.
────────────────────────────────────────────────────────────────────────
7. Sub-Processors
Nexus Grid may engage Sub-processors to support service delivery. When we do so:
• All Sub-processors are bound by equivalent data protection obligations
• Customers are informed of Sub-processors upon request
• Sub-processors are reviewed for compliance and security
────────────────────────────────────────────────────────────────────────
8. International Data Transfers
Where Personal Data is transferred outside the Customer’s region:
• Standard Contractual Clauses (SCCs) or equivalent safeguards are applied
• Nexus Grid ensures Sub-processors follow adequate protection standards
• Transfers occur only where legally permitted
────────────────────────────────────────────────────────────────────────
9. Data Subject Rights
Nexus Grid assists the Customer in responding to:
• Access requests
• Rectification requests
• Deletion requests
• Objections or restrictions
• Data portability requests
We support these requests where legally required and technically feasible.
────────────────────────────────────────────────────────────────────────
10. Incident Notification
If a Personal Data breach occurs, Nexus Grid will:
• Notify the Customer without undue delay
• Provide relevant details as they become available
• Assist in mitigation and investigation
• Support any regulatory notification obligations
────────────────────────────────────────────────────────────────────────
11. Data Retention and Deletion
Upon contract termination, Nexus Grid will:
• Delete or return all Personal Data, unless required by law to retain it
• Ensure Sub-processors also delete or return Personal Data
• Provide confirmation of deletion upon request
────────────────────────────────────────────────────────────────────────
12. Audits and Compliance
Nexus Grid supports Customer audits through:
• Documentation and policy reviews
• Security reports, certifications, or summaries
• Remote audit support where appropriate
Any on-site audit must be pre-agreed and occur in a secure manner.
────────────────────────────────────────────────────────────────────────
13. Customer Obligations
The Customer agrees to:
• Provide lawful instructions
• Maintain their own compliance requirements
• Ensure Personal Data is collected lawfully
• Inform Nexus Grid of any processing changes
────────────────────────────────────────────────────────────────────────
14. Limitation of Liability
This DPA does not extend liability beyond what is agreed in the main contract. All limitations, caps, and exclusions remain in effect.
────────────────────────────────────────────────────────────────────────
15. Changes to This DPA
Nexus Grid may update this DPA to reflect:
• Legal changes
• Service improvements
• Updated security measures
Revisions will be communicated to the Customer.
────────────────────────────────────────────────────────────────────────
16. Contact Information
If you have questions about the Nexus Grid Data Processing Agreement or require support, please reach out through our Contact Us page.