Last updated: June 3, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Nexma, Inc. ("Nexma", "we", "us", or "Processor") and the customer entity that has accepted it ("Customer", "you", or "Controller") governing the provision of the Nexma platform and related services (the "Services"). This DPA reflects the parties' agreement with regard to the Processing of Personal Data in connection with the Services and applies to the extent that Nexma Processes Personal Data on behalf of the Customer.
1.1 This DPA is incorporated into and governed by the terms of the master subscription agreement, terms of service, or other written or electronic agreement between the parties for the provision of the Services (the "Agreement"). In the event of a conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA shall prevail.
1.2 The purpose of this DPA is to ensure that Personal Data Processed by Nexma on behalf of the Customer is handled in accordance with Applicable Data Protection Law, including the GDPR, the CCPA, and the Israeli Privacy Protection Law, as further described herein.
1.3 By accepting the Agreement, or by accessing or using the Services after the effective date of this DPA, the Customer is deemed to have accepted this DPA on behalf of itself and, to the extent required, on behalf of its Affiliates that use the Services.
1.4 This DPA does not replace any rights or obligations the Customer may have under Applicable Data Protection Law and is intended to supplement, not limit, the protections afforded to Data Subjects.
Capitalized terms used but not defined in this DPA have the meanings given to them in the Agreement. For the purposes of this DPA, the following terms have the meanings set out below.
3.1 This DPA applies only to the Processing of Personal Data carried out by Nexma on behalf of the Customer in the course of providing the Services, and only to the extent such Processing is subject to Applicable Data Protection Law.
3.2 The subject matter, duration, nature, and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects are described in Annex A to this DPA.
3.3 This DPA applies regardless of whether the Personal Data is Processed within the European Economic Area, the United Kingdom, Israel, the United States, or any other jurisdiction.
3.4 Where the Customer acts as a Processor on behalf of a third-party Controller, the Customer warrants that it has the necessary authority and authorization to instruct Nexma to Process the relevant Personal Data and to enter into this DPA, and Nexma shall be deemed a Sub-processor of such third-party Controller.
4.1 The parties acknowledge and agree that, with respect to the Processing of Personal Data under the Agreement, the Customer is the Controller and Nexma is the Processor, except where the Customer acts as a Processor, in which case Nexma is a Sub-processor.
4.2 For the purposes of the CCPA, Nexma acts as a "service provider" and Processes Personal Data only on behalf of, and pursuant to the documented instructions of, the Customer. Nexma does not sell or share Personal Data and does not retain, use, or disclose Personal Data for any purpose other than performing the Services or as otherwise permitted by the CCPA.
4.3 Nexma processes a limited set of Personal Data as an independent Controller for its own legitimate business purposes, such as account administration, billing, security monitoring, and compliance with legal obligations. Such Processing is governed by the Nexma Privacy Policy and is outside the scope of this DPA.
4.4 Each party shall comply with its respective obligations under Applicable Data Protection Law in connection with the Processing of Personal Data under the Agreement.
5.1.1 Nexma shall Process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by Applicable Data Protection Law to which Nexma is subject. In such a case, Nexma shall inform the Customer of that legal requirement before Processing, unless that law prohibits such notification on important grounds of public interest.
5.1.2 The Agreement, this DPA, and the Customer's use and configuration of the Services constitute the Customer's complete and documented instructions to Nexma for the Processing of Personal Data. Additional instructions outside the scope of the Services require prior written agreement between the parties, including any adjustment to fees.
5.1.3 Nexma shall promptly inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law, without obligation to actively monitor the Customer's compliance with such law.
5.2.1 Nexma shall Process Personal Data only for the purposes described in this DPA and the Agreement, and shall not Process Personal Data for any other purpose unless required by Applicable Data Protection Law or instructed in writing by the Customer.
5.2.2 Nexma shall not combine Personal Data received from or on behalf of the Customer with Personal Data it collects from other sources, except as necessary to perform the Services or as permitted by Applicable Data Protection Law.
The types of Personal Data Processed by Nexma on behalf of the Customer in connection with the Services may include the following:
The categories of Data Subjects whose Personal Data may be Processed in connection with the Services include the following:
5.5.1 Nexma shall ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.5.2 Nexma shall limit access to Personal Data to those personnel who require such access to perform the Services and shall ensure that such access is governed by the principle of least privilege.
6.1.1 The Customer provides Nexma with a general authorization to engage Sub-processors to Process Personal Data on its behalf, subject to the conditions set out in this Section 6. The Sub-processors engaged by Nexma as of the effective date of this DPA are listed in Annex C.
A current and complete list of authorized Sub-processors is maintained at the Nexma sub-processors page.
6.2.1 Nexma shall notify the Customer of any intended addition or replacement of a Sub-processor at least thirty (30) days before the new Sub-processor begins Processing Personal Data, giving the Customer the opportunity to object as described below. Notification may be provided through the sub-processors page, by email, or by another reasonable means.
6.2.2 The Customer may subscribe to notifications of changes to the Sub-processor list through the mechanism made available by Nexma.
6.3.1 The Customer may object in writing to the appointment of a new Sub-processor within fifteen (15) days of receiving notice, provided that such objection is based on reasonable grounds relating to data protection.
6.3.2 If the Customer objects on reasonable grounds, the parties shall work together in good faith to resolve the objection, which may include Nexma making available a commercially reasonable alternative to avoid Processing Personal Data by the objected-to Sub-processor.
6.3.3 If the parties are unable to resolve the objection within a reasonable period, the Customer may, as its sole remedy, terminate the affected portion of the Services that cannot be provided without the objected-to Sub-processor, without penalty, by providing written notice to Nexma.
6.4.1 Nexma shall enter into a written agreement with each Sub-processor imposing data protection obligations that are no less protective than those set out in this DPA, to the extent applicable to the nature of the services provided by that Sub-processor.
6.4.2 Nexma shall remain fully liable to the Customer for the performance of each Sub-processor's data protection obligations and for any acts or omissions of a Sub-processor that cause Nexma to breach this DPA.
7.1 Nexma may Process and transfer Personal Data to, and store Personal Data in, jurisdictions outside the country in which it was collected, including the United States and other countries where Nexma or its Sub-processors maintain operations. Any such transfer shall be carried out in accordance with Applicable Data Protection Law and the transfer mechanisms described below.
7.1.1 Where Personal Data subject to the GDPR is transferred from the European Economic Area to a country that has not been recognized by the European Commission as providing an adequate level of protection, the Standard Contractual Clauses are incorporated into this DPA by reference and apply to such transfer. Module Two (Controller to Processor) applies where the Customer is a Controller, and Module Three (Processor to Processor) applies where the Customer acts as a Processor.
7.1.2 The parties agree that, for the purposes of the SCCs, the Customer is the data exporter and Nexma is the data importer, the optional docking clause applies, the supervisory authority is determined by the data exporter's place of establishment, and the governing law and forum are those of the Republic of Ireland unless otherwise required by the SCCs. Annexes A, B, and C to this DPA shall serve as the appendices to the SCCs.
7.2.1 Where Nexma or a relevant Sub-processor is certified under the EU-US Data Privacy Framework, the UK Extension thereto, and the Swiss-US Data Privacy Framework, transfers of Personal Data to such certified entity may be made in reliance on the applicable Data Privacy Framework principles as an alternative transfer mechanism, in addition to or in lieu of the SCCs.
7.3.1 For transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner's Office (the "UK Addendum") is incorporated into this DPA by reference and amends the SCCs as required for such transfers.
7.3.2 The information required to complete the tables of the UK Addendum is set out in this DPA and its Annexes, and the parties agree that Section 19 of the UK Addendum (right to terminate) applies.
7.4.1 Where Personal Data is subject to the Israeli Privacy Protection Law, the parties shall ensure that any transfer of such Personal Data outside Israel complies with the Privacy Protection Regulations (Transfer of Data to Databases Abroad), 5761-2001, including by ensuring that the receiving jurisdiction or recipient provides an adequate level of protection or that an appropriate exception or contractual safeguard applies.
8.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk to the rights and freedoms of Data Subjects, Nexma shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk. A detailed description of these measures is set out in Annex B.
9.1 Taking into account the nature of the Processing, Nexma shall assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, data portability, and objection.
9.2 The Services provide self-service tools that enable the Customer to access, correct, export, and delete Personal Data within the DataStore, which the Customer may use to respond to Data Subject requests directly.
9.3 If Nexma receives a request from a Data Subject in relation to Personal Data Processed on behalf of the Customer, Nexma shall, unless legally prohibited, promptly forward the request to the Customer and shall not respond to the request itself except on the documented instructions of the Customer or as required by Applicable Data Protection Law.
9.4 Nexma shall provide reasonable assistance to the Customer in responding to such requests to the extent the Customer is unable to address them through the self-service functionality of the Services. Nexma may charge a reasonable fee for assistance that is excessive or repetitive, as permitted by Applicable Data Protection Law.
9.5 With respect to the CCPA, Nexma shall cooperate with and assist the Customer in responding to verifiable consumer requests to know, delete, correct, opt out, or limit the use of Personal Data, consistent with Nexma's role as a service provider.
10.1 Nexma shall notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Personal Data Processed on behalf of the Customer. Such notification shall be made to the contact designated by the Customer.
To the extent the relevant information is available to Nexma, the notification shall include or be supplemented as soon as practicable with the following:
10.2 Nexma shall take reasonable steps to contain, investigate, and remediate any Personal Data Breach and shall cooperate with the Customer and provide reasonable assistance in connection with the Customer's obligations to notify supervisory authorities and affected Data Subjects.
10.3 Nexma's notification of, or response to, a Personal Data Breach shall not be construed as an acknowledgment by Nexma of any fault or liability with respect to the breach.
10.4 Except as required by Applicable Data Protection Law, the Customer is responsible for determining whether to notify supervisory authorities, regulators, or Data Subjects of a Personal Data Breach and for the content of any such notification.
11.1 Nexma shall provide reasonable assistance to the Customer with any data protection impact assessments ("DPIAs") and prior consultations with supervisory authorities that the Customer is required to carry out under Applicable Data Protection Law, in each case solely in relation to the Processing of Personal Data by Nexma and taking into account the nature of the Processing and the information available to Nexma.
11.2 Such assistance may include providing documentation regarding Nexma's security measures, Sub-processors, and Processing activities reasonably necessary for the Customer to complete a DPIA.
11.3 Nexma may charge a reasonable fee for assistance under this Section 11 where such assistance exceeds the documentation and information that Nexma makes generally available to its customers.
12.1 Nexma shall make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, in accordance with this Section 12.
12.2 Nexma shall satisfy its audit obligations primarily by making available to the Customer, upon request, copies of its then-current third-party certifications, attestations, and audit reports (such as SOC 2 reports), where available, together with summary descriptions of its technical and organizational measures.
12.3 To the extent the documentation described above is insufficient to demonstrate compliance, the Customer may, no more than once per calendar year and upon at least thirty (30) days' prior written notice, conduct an audit of Nexma's relevant Processing activities, subject to reasonable confidentiality obligations and during normal business hours so as not to unreasonably disrupt Nexma's operations.
12.4 The Customer shall bear the costs of any audit it requests, including Nexma's reasonable costs of supporting the audit, unless the audit reveals a material breach by Nexma of this DPA, in which case Nexma shall bear its own costs of the audit.
12.5 Where the SCCs apply, the audit obligations under the SCCs shall be deemed satisfied by compliance with this Section 12.
13.1 Upon termination or expiry of the Agreement, Nexma shall, at the choice of the Customer, return or delete all Personal Data Processed on behalf of the Customer, and delete existing copies, unless retention is required by Applicable Data Protection Law.
13.2 During the term of the Agreement, the Customer may export Personal Data and other content from the DataStore at any time using the self-service tools provided as part of the Services.
13.3 Following termination, the Customer will have a limited period, as specified in the Agreement or as otherwise communicated by Nexma, to retrieve its Personal Data. After this period, Nexma shall delete the Personal Data in accordance with its data retention and deletion schedule, subject to deletion from backups in the ordinary course.
13.4 Where Nexma retains Personal Data because it is required to do so by Applicable Data Protection Law, Nexma shall continue to protect such Personal Data in accordance with this DPA and shall Process it solely to the extent and for the period required by such law.
This Section 14 sets out additional provisions that apply to the Processing of Personal Data in connection with the artificial intelligence features of the Services, including the Jax AI agent and any automated reasoning, generation, or analysis capabilities.
14.1.1 Personal Data submitted to AI features of the Services is Processed on a transient basis for the purpose of generating a response or completing the requested task. Such Personal Data is not retained by the underlying AI inference systems beyond what is necessary to perform the operation, except where the resulting output is written to the DataStore at the Customer's direction.
14.1.2 Inputs and outputs that the Customer chooses to store within the DataStore are retained and Processed in accordance with the remainder of this DPA and the Customer's configuration of the Services.
14.2.1 Nexma shall not use Customer Personal Data to train, fine-tune, or otherwise develop its own or any third party's machine learning or generative AI models, except with the Customer's prior written authorization or where the data has been irreversibly anonymized such that it no longer constitutes Personal Data.
14.2.2 Nexma contractually requires its AI Sub-processors not to use Customer Personal Data submitted through the Services to train or improve their foundation models, and configures its integrations to opt out of any such training where the option is available.
14.2.3 Any authorization granted by the Customer under this Section 14.2 may be revoked on a prospective basis by written notice to Nexma, without affecting Processing already carried out in reliance on the authorization.
14.3.1 Certain AI features of the Services are powered by third-party AI providers acting as Sub-processors, as identified in Annex C. Nexma transmits to such providers only the data necessary to perform the requested operation and remains responsible for their compliance with the obligations set out in this DPA.
14.3.2 The Customer acknowledges that the use of third-party AI providers is integral to the provision of the relevant AI features and that disabling such providers may render those features unavailable.
14.4.1 AI-generated outputs may incorporate or reflect the Personal Data provided as input. The Customer is responsible for reviewing and validating AI-generated outputs before relying on them, and for ensuring that any use, storage, or disclosure of such outputs complies with Applicable Data Protection Law.
14.4.2 Nexma applies output filtering and safety controls but does not warrant that AI-generated outputs will be accurate, complete, or free from unintended inferences, and such outputs should not be treated as a substitute for human judgment.
14.5.1 The Services are designed to support, and not to replace, human decision-making. The Customer remains responsible for any decisions made on the basis of AI-generated outputs and shall ensure appropriate human oversight, particularly where Processing could produce legal or similarly significant effects on Data Subjects, consistent with Applicable Data Protection Law governing automated decision-making.
15.1 This DPA shall take effect on the date the Customer accepts it or first uses the Services after its effective date, whichever is earlier, and shall remain in force for the duration of the Agreement.
15.2 This DPA shall automatically terminate upon termination or expiry of the Agreement, except that any provisions that by their nature are intended to survive, including those relating to return and deletion of data, confidentiality, and liability, shall survive such termination.
15.3 Nexma's obligations and the Customer's rights under this DPA shall continue to apply for as long as Nexma Processes Personal Data on behalf of the Customer, including during any post-termination retrieval or deletion period.
16.1 Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement, and any reference in the Agreement to the liability of a party means the aggregate liability of that party under the Agreement and this DPA together.
16.2 Where the SCCs apply, nothing in this DPA or the Agreement is intended to limit or exclude any liability of a party toward Data Subjects to the extent such limitation or exclusion is prohibited by the SCCs or Applicable Data Protection Law.
16.3 The parties agree that any claims brought under this DPA shall be subject to the terms and conditions, including the limitations of liability, set forth in the Agreement, except to the extent otherwise required by Applicable Data Protection Law.
If you have any questions about this DPA, wish to exercise any rights, or need to contact Nexma regarding the Processing of Personal Data, please reach out using the details below.
By email: legal@nexma.ai
By mail: Nexma, Inc., Attn: Legal Department.
This Annex A describes the Processing of Personal Data carried out by Nexma on behalf of the Customer and forms part of this DPA. Where the SCCs apply, this Annex serves as the description of the transfer and Processing required by their appendices.
| Element | Description |
|---|---|
| Subject matter of Processing | The provision of the Nexma platform, including the Jax AI agent and the DataStore data layer, and related services to the Customer pursuant to the Agreement. |
| Duration of Processing | For the term of the Agreement, plus any post-termination retrieval and deletion period and any additional period required by Applicable Data Protection Law. |
| Nature of Processing | Collection, storage, organization, structuring, retrieval, consultation, analysis, transmission, AI-assisted generation and reasoning, and deletion of Personal Data as necessary to provide the Services. |
| Purpose of Processing | To enable the Customer to design, operate, analyze, and manage spatial data and workflows using the Services, and to provide support, security, and AI capabilities in accordance with the Customer's instructions. |
| Types of Personal Data | Account data, spatial and geospatial data, usage data, AI interaction data, and communication data, as further described in Section 5.3 of this DPA. |
| Categories of Data Subjects | Customer employees and personnel, end users, spatial data subjects, and contact persons, as further described in Section 5.4 of this DPA. |
This Annex B describes the technical and organizational security measures implemented by Nexma to protect Personal Data, as referenced in Section 8 of this DPA. Nexma may update these measures from time to time, provided that the updated measures do not materially reduce the overall level of protection.
Access to systems Processing Personal Data is governed by role-based access control, the principle of least privilege, unique user accounts, and mandatory multi-factor authentication. Access rights are reviewed periodically and revoked promptly upon role change or termination.
Personal Data is encrypted at rest using AES-256 or an equivalent algorithm and in transit using TLS 1.2 or higher. Cryptographic keys are managed using a dedicated key management service with restricted access and rotation policies.
The production environment is protected by firewalls, network segmentation, private networking, intrusion detection and prevention systems, and DDoS mitigation. Administrative access is restricted and conducted over secured channels.
Systems generate audit logs of access and significant operations on Personal Data. Logs are centralized, protected against tampering, retained for a defined period, and monitored for anomalous or unauthorized activity.
Nexma maintains a documented incident response plan defining detection, escalation, containment, remediation, and notification procedures, including the breach notification obligations set out in Section 10 of this DPA.
Encrypted backups are taken regularly and stored securely. Recovery procedures are documented and periodically tested to ensure the availability and resilience of Processing systems and the timely restoration of Personal Data following an incident.
Personnel with access to Personal Data are subject to confidentiality obligations, receive regular data protection and security training, and are granted access strictly on a need-to-know basis.
Personal Data is hosted in data centers operated by Sub-processors that maintain industry-recognized physical security controls, including access restrictions, surveillance, environmental controls, and relevant certifications such as ISO 27001 or SOC 2.
This Annex C lists the Sub-processors engaged by Nexma to Process Personal Data on behalf of the Customer as of the effective date of this DPA. An up-to-date list is maintained at the Nexma sub-processors page.
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Anthropic, PBC | Large language model inference powering the Jax AI agent and AI-assisted features. | AI interaction data (prompts and outputs) and any Personal Data included therein, Processed on a transient basis. | United States |
| Clerk, Inc. | User authentication, identity, and session management for the Services. | Account data, including names, email addresses, authentication identifiers, and session metadata. | United States |
| Vercel, Inc. | Application hosting, serverless compute, and content delivery network for the Services. | Account data, usage data, log data, and IP addresses processed in the course of serving the application. | United States (global edge network) |
| Mapbox, Inc. | Mapping, tile rendering, and geocoding services used to display and resolve spatial data. | Spatial and geospatial data, location coordinates, search queries, and associated IP addresses. | United States |
| OpenStreetMap Foundation | Provision of open base map data and geocoding via the Nominatim service. | Geocoding queries and location coordinates; limited usage metadata. | United Kingdom / European Union |
| Railway Corp. | Hosting of the solver and compute backend used for optimization and spatial computation workloads. | Spatial data and computation inputs and outputs submitted to solver jobs, which may include Personal Data. | United States |
| Meshy, Inc. | AI-assisted generation of 3D models from text and image inputs. | Prompts, images, and related inputs submitted for 3D model generation, which may include Personal Data. | United States |
| ElevenLabs, Inc. | Voice synthesis and text-to-speech for the Jax AI agent's voice features. | Text content submitted for synthesis and associated voice interaction data. | United States |