Data Processing Addendum

Last updated: 18 March 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between NexusAgents (“Processor” or “NexusAgents”) and the Customer (“Controller” or “you”) and governs the Processing of Personal Information by NexusAgents on behalf of the Controller.

In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the Processing of Personal Information.

1. Definitions

  • “Personal Information” has the meaning given in the Protection of Personal Information Act, 2013 (POPIA);
  • “Controller” means the Customer (Responsible Party under POPIA);
  • “Processor” means NexusAgents (Operator under POPIA);
  • “Data Subject” means the individual to whom Personal Information relates;
  • “Processing” has the meaning given in POPIA;
  • “Subprocessor” means any third party engaged by NexusAgents to process Personal Information.

2. Roles of the Parties

The parties agree that:

  • The Controller determines the purposes and means of Processing;
  • NexusAgents acts solely as a Processor.

3. Controller Obligations

You warrant and undertake that:

  • you have a lawful basis for Processing Personal Information;
  • you have provided all required notices to Data Subjects;
  • you have obtained all necessary consents where required;
  • you have the right to disclose Personal Information to NexusAgents; and
  • your Processing instructions comply with applicable law.

4. Instructions

NexusAgents will Process Personal Information only on documented instructions from the Controller.

You acknowledge that all configurations, prompts, automations, workflows, integrations, and system settings implemented through the Service constitute your documented instructions.

NexusAgents is not responsible for reviewing, validating, or ensuring the legality of such instructions.

If NexusAgents reasonably believes an instruction infringes applicable law, it may notify you and suspend the relevant Processing.

For the avoidance of doubt, NexusAgents does not independently determine the purposes or means of Processing and does not assume any responsibility for the content, legality, or outcomes of Processing initiated by the Controller.

5. Purpose and Nature of Processing

Processing includes:

  • AI-driven processing of prompts, inputs, outputs, and communication content;
  • Customer communication across messaging platforms (including WhatsApp/Meta);
  • Automation of workflows, lead handling, and support processes;
  • Storage of customer records and interaction history;
  • Analytics, reporting, and system monitoring.

The Controller acknowledges that the accuracy, legality, and appropriateness of AI-generated outputs depend on the quality and lawfulness of the data and prompts provided. NexusAgents does not warrant that AI outputs will be error-free or suitable for any particular purpose.

6. Duration and Retention

Processing will continue for the duration of the subscription and thereafter only for such period as required for backup, archival, legal, or operational purposes in accordance with NexusAgents’ retention practices.

The Controller acknowledges that it is solely responsible for configuring and managing data retention settings within the Service in order to comply with its internal policies and Section 14 of POPIA. NexusAgents does not monitor or enforce Customer-specific retention policies.

7. Subprocessors

You provide general authorisation for NexusAgents to appoint Subprocessors.

NexusAgents will:

  • enter into written agreements with Subprocessors imposing data protection obligations substantially similar to this DPA;
  • remain responsible for the performance of its Subprocessors to the extent required by applicable law; and
  • maintain an up-to-date list of Subprocessors and provide prior notice of material changes.

Such list may be made available via a publicly accessible webpage or other reasonable means.

You may object to a Subprocessor on reasonable data protection grounds, in which case the parties will work in good faith to resolve the objection.

In the event that the Controller reasonably objects to a new Subprocessor on legitimate data protection grounds and the parties are unable to resolve the objection within a reasonable period, NexusAgents may, at its discretion, either:

  • provide the affected functionality through an alternative Subprocessor; or
  • permit the Controller to terminate the affected Service or functionality on written notice, with such termination applying only to the specific functionality that cannot reasonably be provided without the Subprocessor.

For clarity, this clause does not entitle the Controller to a full termination of the Service unless the affected functionality is material to the Service as a whole.

Where the affected functionality is material to the Service as a whole and cannot reasonably be provided without the Subprocessor, the Controller’s sole remedy shall be termination of the Service with a pro-rata refund of any pre-paid, unused fees, and no further liability shall arise.

8. Security Measures

NexusAgents will implement appropriate, reasonable technical and organisational measures designed to protect Personal Information against unauthorised or unlawful Processing, loss, destruction, or damage.

The Controller acknowledges that security is a shared responsibility, and that the Controller is responsible for securing its own access credentials, configurations, integrations, and end-user environments.

Such measures include, where appropriate:

  • encryption in transit and at rest;
  • access controls, including role-based access and authentication;
  • multi-factor authentication for administrative access (where applicable);
  • logging, monitoring, and anomaly detection;
  • regular system updates and vulnerability management;
  • maintained incident response procedures.

NexusAgents will review and update its security measures periodically.

No system is completely secure, and absolute security cannot be guaranteed.

9. Confidentiality

NexusAgents will ensure that persons authorised to Process Personal Information are subject to appropriate confidentiality obligations.

10. Data Subject Rights

NexusAgents will, taking into account the nature of Processing, assist the Controller by implementing appropriate measures to support Data Subject rights requests.

NexusAgents will notify the Controller of any such request received and will not respond directly unless authorised or required by law.

11. Assistance and Compliance

NexusAgents will provide reasonable assistance to enable the Controller to comply with its obligations under POPIA, including in relation to:

  • data protection impact assessments;
  • security obligations;
  • regulatory consultations where applicable.

NexusAgents may charge reasonable fees for assistance requiring material additional effort.

12. Personal Information Breach

NexusAgents will notify the Controller without undue delay and, where feasible, within 72 hours after becoming aware of and confirming a Personal Information breach affecting Customer Data.

Notification timelines are subject to the availability of sufficient information and may depend on upstream service providers.

Notifications will include available information reasonably required to enable the Controller to comply with its legal obligations.

13. Return and Deletion

Upon termination or expiry of the subscription, NexusAgents will:

  • provide a reasonable opportunity to export Personal Information; and
  • delete or anonymise Personal Information in accordance with its retention practices.

NexusAgents may retain Personal Information where required by law or in backups and archives for a limited period.

The Controller acknowledges that certain residual copies may persist in backup systems for a limited period, after which they will be securely overwritten or deleted in accordance with NexusAgents’ backup retention policies.

14. Audits

NexusAgents will make available information reasonably necessary to demonstrate compliance with this DPA.

Where required, audits may be conducted no more than once per calendar year, subject to:

  • at least 30 days’ prior written notice;
  • confidentiality obligations;
  • reasonable scope limitations;
  • minimal disruption to NexusAgents’ operations; and
  • cost recovery by NexusAgents where appropriate.

NexusAgents may satisfy audit obligations through certifications, summaries, or third-party audit reports.

The Controller may not exercise audit rights in a manner that would compromise the security, confidentiality, or integrity of NexusAgents’ systems or other customers.

15. Cross-Border Transfers

Personal Information may be transferred outside the Republic of South Africa.

NexusAgents will ensure that such transfers comply with Section 72 of POPIA, including through appropriate contractual safeguards or reliance on jurisdictions providing adequate protection.

16. Liability

Each party’s liability arising under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. For clarity, NexusAgents’ total aggregate liability shall not exceed the applicable cap set out in the Terms of Service.

17. Survival

The obligations relating to confidentiality, security, liability, and data protection survive termination of the Terms of Service for as long as NexusAgents processes Personal Information.

18. General

This DPA forms part of the Terms of Service and Privacy Policy and constitutes the entire agreement between the parties in relation to the Processing of Personal Information.

Accepted: By using the Service, you accept this DPA.

Annex 1 — Description of Processing

  • Categories of Data Subjects: customers, leads, employees, end-users
  • Types of Personal Information: contact information, communication content, identifiers, usage data
  • Purpose of Processing: customer communication, workflow automation, analytics
  • Processing Activities: collection, storage, transmission, AI processing, analysis

Annex 2 — Security Measures

  • Encryption in transit and at rest (where appropriate)
  • Role-based access control and authentication
  • Multi-factor authentication for administrative access
  • Logging, monitoring, and anomaly detection
  • Regular patching and vulnerability management
  • Documented incident response procedures