Governance
Data Processing Addendum
Contractual framework for personal data processing in client engagements.
Nexus S³ – FZCO
This Data Processing Addendum ("DPA") forms part of any agreement under which Nexus S³ processes Personal Data on behalf of a client.
1. Roles
- Client acts as Data Controller
- Nexus S³ – FZCO acts as Data Processor
2. Processing Instructions
Nexus S³ shall:
- Process Personal Data only on documented client instructions
- Not process Personal Data for its own purposes
- Notify the client if instructions conflict with applicable law
3. Confidentiality
Personnel processing Personal Data are bound by confidentiality obligations and access is limited to those with a legitimate business need.
4. Security Measures
Appropriate technical and organisational measures are implemented to protect Personal Data against unauthorised access, loss, or disclosure.
5. Sub-processing
- Sub-processors may be engaged where necessary
- Equivalent data protection obligations apply
- Nexus S³ remains responsible for Sub-processors
6. Data Subject Rights
Nexus S³ will reasonably assist the client in responding to Data Subject requests.
7. Personal Data Breach
In the event of a breach affecting Client Data, Nexus S³ shall notify the client without undue delay and provide reasonable assistance.
8. International Transfers
Transfers outside the UAE are subject to appropriate safeguards in line with applicable law.
9. Data Return or Deletion
Upon termination, Personal Data will be returned or securely deleted, subject to legal retention obligations.
10. Audit
Subject to confidentiality and security, Nexus S³ will cooperate with reasonable audit requests.
11. Governing Law
This DPA is governed by the laws of the United Arab Emirates unless otherwise agreed.