Data Processing Agreement
This DPA governs the processing of personal data by Nexivo LLC on behalf of its customers when using the Nexivo AI platform. It is designed to satisfy obligations under the GDPR, the UK GDPR and comparable privacy laws.
1. Scope and roles
This Data Processing Agreement (the "DPA") forms part of the Terms of Service between Nexivo LLC ("Nexivo", "Processor") and the customer ("Customer", "Controller"). It applies whenever Nexivo processes personal data on behalf of the Customer in connection with the Nexivo AI platform (the "Services"). Where the GDPR, UK GDPR or comparable laws apply, the Customer acts as Controller and Nexivo acts as Processor.
2. Subject matter and duration
Nexivo processes Customer personal data solely to provide, secure and improve the Services as instructed by the Customer through configuration of the platform and these Terms. Processing continues for the term of the Customer's subscription and for the limited deletion window described in section 8.
3. Categories of data and data subjects
Personal data processed under this DPA is limited to: (i) account data (name, business email, organization, role); (ii) prompts and generated artifacts submitted by Customer users; (iii) usage telemetry derived from platform interactions. Data subjects are the Customer's employees, contractors and other authorized end-users of the Services.
4. Nature and purpose of processing
Nexivo processes Customer personal data to authenticate users, render the four-stage AI pipeline, persist generated artifacts to the Customer's workspace, bill paid plans, support customers and improve the platform. Nexivo does not use Customer personal data or generated content to train its own models or any third-party model.
5. Sub-processors
Customer authorizes Nexivo to engage sub-processors to deliver the Services, including cloud infrastructure, transactional email, payment processing and customer support tooling. Nexivo maintains an up-to-date list of sub-processors available on request at contact@nexivollc.com. Nexivo imposes data protection obligations on each sub-processor that are no less protective than this DPA and remains liable for their performance.
6. International transfers
Where personal data is transferred from the EEA, UK or Switzerland to the United States, the parties incorporate the European Commission's Standard Contractual Clauses (Module Two: Controller-to-Processor) and the UK International Data Transfer Addendum, subject to the supplementary measures described in section 7 and on the Security page.
7. Security measures
Nexivo implements and maintains administrative, technical and organisational measures appropriate to the risk, including TLS 1.3 in transit, AES-256 at rest, hardware-key MFA for administrative access, row-level security in the database, continuous monitoring, formal incident response and annual independent penetration testing. A summary of current controls is published at /security and updated as controls mature.
8. Deletion and return
Within thirty (30) days of subscription termination, Nexivo will delete Customer personal data from production systems and remove it from backups within the documented backup retention window, except where retention is required by law. The Customer may also export project artifacts at any time from the dashboard or via the REST API.
9. Data subject requests
Nexivo will reasonably assist the Customer in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) by providing the technical means and information necessary within the Services or, where required, on direct request to contact@nexivollc.com.
10. Audits
On reasonable request and no more than once per twelve (12) months, Nexivo will provide the Customer with a summary of its most recent independent security report (e.g. SOC 2) and reasonable additional information necessary to demonstrate compliance with this DPA, subject to confidentiality obligations.
11. Personal data breach
Nexivo will notify the Customer without undue delay, and where feasible within seventy-two (72) hours, after becoming aware of a confirmed personal data breach affecting Customer data, and will cooperate in good faith to investigate, remediate and meet any applicable notification obligations.
12. Conflict and governing terms
In the event of a conflict between this DPA and the Terms of Service with respect to the processing of personal data, this DPA prevails. All other terms of the Terms of Service remain in effect.