NexaGuard CMP – Data Processing Agreement (DPA)

Effective Date: June 2025

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between NexaGuard Inc., a New York corporation (“Processor” or “NexaGuard”), and the customer entity using NexaGuard CMP (“Controller” or “Customer”).

This DPA applies to the processing of Personal Data by NexaGuard on behalf of Customer in connection with the Services.


1. Definitions

Capitalized terms not defined herein shall have the meanings set forth in the Agreement or applicable data protection laws.

  • “Applicable Data Protection Laws” means GDPR, UK GDPR, CPRA, and other applicable privacy laws.

  • “Personal Data” means any information relating to an identified or identifiable natural person.

  • “Processing” has the meaning given in Applicable Data Protection Laws.

  • “Sub-processor” means any third party engaged by NexaGuard to process Personal Data.


2. Roles of the Parties

2.1 Customer as Controller
Customer is the Data Controller (or “Business” under CPRA) with respect to Personal Data processed via the Services.

2.2 NexaGuard as Processor
NexaGuard acts solely as a Data Processor (or “Service Provider” under CPRA), processing Personal Data only on documented instructions from Customer.

2.3 No Independent Control
NexaGuard does not:

  • Determine purposes or means of processing

  • Identify individual end users

  • Combine CMP data with external datasets


3. Scope of Processing

3.1 Subject Matter

Provision of consent management, compliance signaling, and audit logging services.

3.2 Nature and Purpose

Processing is limited to:

  • Recording consent preferences

  • Generating compliance signals (e.g., TCF, GPP)

  • Providing audit logs and compliance tools

3.3 Categories of Data Subjects

  • End users of Customer’s websites or applications

  • Authorized Customer personnel

3.4 Types of Personal Data

  • Pseudonymous identifiers (e.g., consent IDs, cookie IDs)

  • Consent choices and metadata

  • Device and browser information (non-identifying)

NexaGuard does not intentionally process sensitive personal data.


4. Customer Obligations

Customer represents and warrants that it:

  • Has a lawful basis for Processing

  • Provides required notices to Data Subjects

  • Obtains valid consent where required

  • Handles Data Subject Requests (DSARs)

  • Complies with Applicable Data Protection Laws


5. NexaGuard Obligations

NexaGuard shall:

5.1 Process Personal Data only on documented instructions from Customer
5.2 Ensure confidentiality of personnel
5.3 Implement appropriate technical and organizational safeguards
5.4 Assist Customer with compliance obligations (upon request)
5.5 Notify Customer of any Personal Data Breach without undue delay


6. Security Measures

NexaGuard maintains industry-standard security measures including:

  • Encryption at rest and in transit

  • Access controls and authentication

  • Pseudonymization and data minimization

  • Monitoring and incident response procedures


7. Sub-processors

7.1 Customer authorizes NexaGuard to engage Sub-processors for:

  • Cloud hosting

  • Infrastructure

  • Security and monitoring

  • Billing and support tooling

7.2 NexaGuard ensures Sub-processors are bound by equivalent data protection obligations.

A current list of Sub-processors is available upon request.


8. International Transfers

Where Personal Data is transferred internationally, NexaGuard relies on:

  • Standard Contractual Clauses (SCCs)

  • Adequate safeguards required by law


9. Data Subject Requests (DSARs)

9.1 Customer Responsibility
Customer is solely responsible for responding to Data Subject Requests.

9.2 Processor Assistance
NexaGuard will provide reasonable technical assistance upon request but does not:

  • Verify Data Subject identity

  • Decide request outcomes

  • Communicate directly with Data Subjects


10. Data Retention & Deletion

NexaGuard shall:

  • Retain Personal Data only as necessary to provide Services

  • Delete or return Personal Data upon termination, subject to legal obligations

  • Retain anonymized or aggregated data where permitted by law


11. Audits

Upon reasonable written request, NexaGuard will:

  • Provide information necessary to demonstrate compliance

  • Cooperate with audits limited to documentation or third-party certifications

  • Reserve the right to protect confidential and security-sensitive information


12. Liability

Liability under this DPA is subject to the limitations set forth in the Agreement.


13. CPRA Compliance (U.S.)

NexaGuard certifies that it:

  • Acts as a Service Provider

  • Does not sell or share Personal Data

  • Does not use Personal Data for purposes other than providing Services


14. Governing Law

This DPA is governed by the laws specified in the Agreement.


15. Order of Precedence

In the event of conflict, this DPA shall prevail over other terms solely with respect to data protection matters.


By using NexaGuard CMP, Customer agrees to this Data Processing Agreement.