Data Processing Agreement
Available to Pro + Enterprise customers
The NexBasira DPA covers the GDPR Art. 28 processor obligations, sub-processor schedule, EU Standard Contractual Clauses (where applicable), and the security commitments referenced in the security posture page.
Requesting the DPA
For Pro + Enterprise customers, the DPA + sub-processor schedule are included in your contract package. To request a copy outside the sales cycle (e.g. for an InfoSec questionnaire), email legal@nexbasira.com with your organisation name and signing-authority contact.
What it covers
- Roles + responsibilities under GDPR (controller / processor)
- Categories of personal data processed
- Sub-processor list + change-notification mechanism
- International transfer safeguards (SCCs where applicable)
- Security measures (technical + organisational)
- Audit + cooperation obligations
- Breach notification timeline
- Term + termination + return / deletion of data
Sub-processors
The current sub-processor list is part of the DPA package. We commit to notifying account admins 30 days before adding a new sub-processor; you have a right to object during that window.
Schrems II + international transfers
The NexBasira production environment is hosted entirely in the EU (eu-central-1, Frankfurt). No transfers to third countries occur for the audit-chain, evidence storage, or core application data. Sub-processors with a US parent (where applicable) operate under EU-resident infrastructure bound by SCCs.