Data Processing Agreement
1. Preamble & Parties
This Data Processing Agreement (the "Agreement") is entered into by and between:
- The Data Controller: The entity engaging CloudNexus to process Personal Data on its behalf (the "Controller"); and
- The Data Processor: CloudNexus, Inc., a Delaware corporation with its principal place of business at 100 Cloud Avenue, San Francisco, CA 94105, USA (the "Processor").
This Agreement is incorporated by reference into the Master Services Agreement (the "MSA") and governs all processing of Personal Data by CloudNexus on behalf of the Controller. In the event of a conflict, this Agreement shall prevail with respect to data protection matters.
2. Definitions
- "Applicable Data Protection Laws" means GDPR, CCPA/CPRA, and any other applicable privacy legislation governing the processing of Personal Data.
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, storage, modification, access, transmission, and deletion.
- "Data Subject" means the individual to whom the Personal Data relates.
- "Security Incident" means any unauthorized access, breach, loss, or alteration of Personal Data.
3. Scope, Subject Matter & Duration
The Processor shall process Personal Data solely as described in the MSA, Service Orders, and applicable documentation. The processing includes but is not limited to:
- Hosting and storage of customer databases and application logs
- Automated scaling, monitoring, and backup operations
- Network routing, CDN delivery, and DDoS mitigation
- Account management and billing support access (where strictly necessary)
The nature and purpose of processing are strictly limited to providing the Cloud Infrastructure & Hosting services requested by the Controller. Processing shall continue for the duration of the MSA unless terminated earlier per Section 12.
4. Controller & Processor Obligations
4.1 Processor Obligations
- Process Personal Data only on documented instructions from the Controller, unless required by Applicable Data Protection Laws.
- Ensure personnel authorized to process data are bound by confidentiality obligations and receive regular data protection training.
- Assist the Controller in fulfilling data subject requests and DPIA obligations where technically feasible.
- Implement appropriate technical and organizational measures to secure data (Section 5).
4.2 Controller Obligations
- Ensure lawful basis for collection and processing of all Personal Data provided to the Processor.
- Provide accurate, timely, and complete instructions regarding processing requirements.
- Cooperate with the Processor to maintain security, respond to breaches, and fulfill regulatory obligations.
5. Technical & Organizational Security Measures
CloudNexus maintains an industry-leading security posture compliant with SOC 2 Type II, ISO 27001, and NIST CSF. Key measures include:
| Category | Security Control | Implementation |
|---|---|---|
| Encryption | Data at rest & in transit | AES-256 / TLS 1.3, Customer-managed keys supported |
| Access Control | Role-based & multi-factor | SSO/SAML integration, principle of least privilege, automated session timeouts |
| Network Security | Perimeter & internal isolation | Firewalls, VPC segmentation, DDoS scrubbing, IDS/IPS |
| Physical Security | Data center access | 24/7 surveillance, biometric entry, mantrap systems, environmental controls |
| Backup & Recovery | Business continuity | Automated geographically redundant backups, RPO < 15 min, RTO < 2 hrs |
Full technical specifications and compliance reports are available upon request in our Trust Center.
6. Sub-processors
The Controller grants the Processor limited authorization to engage Sub-processors for specific tasks. The Processor remains fully liable for the acts and omissions of its Sub-processors.
Authorized Sub-processors: AWS (Compute/Storage), Cloudflare (CDN/DNS), Stripe (Payments), Datadog (Monitoring). Full list: trust.cloudnexus.io/subprocessors
The Processor will notify the Controller of intended changes at least 30 days in advance. The Controller may object to new Sub-processors on reasonable grounds within 15 days of notification.
7. Data Subject Rights
Upon request by the Controller or directly from a Data Subject, the Processor will:
- Facilitate access, rectification, erasure, restriction, portability, and objection requests within 30 days.
- Provide data in a machine-readable, commonly used format where technically feasible.
- Maintain processing logs sufficient to demonstrate compliance with data subject rights.
8. Data Breach Notification
In the event of a confirmed or reasonably suspected Security Incident involving Personal Data, CloudNexus will:
- Notify the Controller without undue delay, and in no case later than 24 hours after becoming aware.
- Provide details including nature of breach, categories of data affected, approximate number of records, potential consequences, and mitigation measures taken.
- Cooperate fully with the Controller's forensic investigation and regulatory reporting obligations.
- Issue post-incident reports within 14 days, including root cause analysis and corrective actions.
9. International Data Transfers
Where Personal Data is transferred outside the European Economic Area (EEA) or other restricted jurisdictions:
- The Processor ensures transfers are protected by EU Standard Contractual Clauses (SCCs), UK Addendum, and/or other approved transfer mechanisms.
- Transparency reports and transfer impact assessments are available upon request.
- Data residency controls allow the Controller to restrict processing to specific geographic regions where technically supported.
10. Audit & Inspection Rights
The Controller may request audits of the Processor's compliance with this Agreement, subject to:
- At least 10 business days' written notice
- Execution of a confidentiality agreement if not already in place
- Audit scope limited to relevant processing activities and conducted during normal business hours
Alternatively, the Controller may rely on third-party certifications (SOC 2 Type II, ISO 27001) provided annually by CloudNexus. Additional audits may be requested if security incidents occur or regulatory changes mandate it.
11. Data Retention & Deletion
Personal Data shall not be retained longer than necessary to fulfill the purposes of the MSA or as required by law. Upon termination of services or written request:
- All Personal Data shall be securely deleted or returned in a standard format within 30 days.
- Backups containing Personal Data will be overwritten in accordance with standard backup lifecycle policies (maximum 90 days).
- A certificate of destruction may be issued upon request.
12. Term & Termination
This Agreement enters into force on the Effective Date and remains in effect for the duration of the MSA. Either party may terminate this Agreement if the other materially breaches data protection obligations and fails to cure within 30 days of written notice. Termination of the MSA automatically terminates this Agreement, except for Sections 7, 8, 10, 11, and 13, which survive indefinitely.
13. Governing Law & Dispute Resolution
This Agreement shall be governed by the laws of the State of California, excluding its conflict of law principles and the Uniform Commercial Code. Any disputes arising under this Agreement shall be resolved through binding arbitration in San Francisco, CA, under AAA Commercial Rules, or in courts of competent jurisdiction if arbitration is unavailable. Nothing herein limits a Data Subject's right to lodge a complaint with a supervisory authority.
14. Execution & Signatures
By subscribing to CloudNexus services, accepting this DPA via our portal, or executing the MSA, the Controller acknowledges and agrees to the terms herein. Physical signatures are not required for digital acceptance.