Data Processing Addendum

Parties and incorporation

This DPA is entered into by and between: (1) Customer (Controller) and (2) NEXIEL LIMITED (Processor). It is incorporated into the Terms of Service / Master Services Agreement and any Order Form(s) (together, the “Agreement”).

1. Processor identity and contact details

Processor: NEXIEL LIMITED, VENTURE HUB, 136 CAPEL STREET, DUBLIN, D01 T2C9, IRELAND. Privacy contact: dpo@nexiel.ie Legal notices: legal@nexiel.ie.

2. Definitions and interpretation

Terms not defined here have the meaning in GDPR and/or the Agreement. This DPA prevails over the Agreement for data protection terms; SCCs prevail for Transfers where applicable.

3. Roles of the Parties

Customer is the Controller. NEXIEL is the Processor and will act only on documented instructions.

4. Details of processing (GDPR Article 28(3))

• Subject matter: provision of the Services (onboarding, verification, issuance, logging, evidence packs, support).
• Duration: Term of the Agreement plus lawful retention/export period.
• Nature: collecting, storing, using, transmitting, restricting, deleting Customer Personal Data as needed to provide/secure the Services and follow Customer instructions.
• Purpose: provide and secure the Services, troubleshoot/support, comply with Customer instructions and Applicable Law.
• Data Subjects: Customer’s admins/users; Customer’s end users/wallet holders/applicants; individuals referenced in credentials; partners’ contacts.
• Personal Data: identifiers; contact details; credential attributes; verification results/signals; evidence pack data; technical identifiers/logs; certificate metadata; Customer-specified fields.
• Special Categories: may be processed if Customer submits them; Customer is responsible for lawful basis and safeguards.

5. Processor obligations

NEXIEL will maintain confidentiality, implement appropriate security (Annex 1), assist with Data Subject requests and DPIAs, notify without undue delay after becoming aware of a Personal Data Breach, provide compliance information (subject to Section 9), and return/delete Customer Personal Data at end of Services unless law requires retention.

6. Customer obligations

Customer warrants lawful basis, notices/consents, minimisation, compliant instructions, and configuration to avoid unnecessary sensitive data.

7. Subprocessing

General authorisation with 30 days’ notice for new/changed Subprocessors; names required. Objection process and termination right for substantiated data protection objections. Flow-down terms; NEXIEL remains responsible. Current Subprocessor: Stripe (billing/payments) — https://stripe.com/ie/privacy.

8. International transfers

Core hosting in the EU/EEA. Stripe may transfer per its DPA/transfer addendum. Where required, SCCs (Module 2/3) and supplementary measures will be used based on transfer risk assessment.

9. Audit and compliance

Annual audit right (or more in specific cases), with notice, scope, and confidentiality/security conditions; Customer bears costs unless material non-compliance is found.

10. Information requests

NEXIEL will respond to reasonable written requests for processing information, subject to confidentiality/security constraints.

11. Instructions that conflict with law

NEXIEL will inform Customer if instructions appear unlawful, unless prohibited by law.

12. Deletion, return, and retention

Delete within 30 days of termination (after export), subject to backups lifecycle and legal retention. Residual backups are protected and deleted per lifecycle unless law requires retention.

13. Liability

Subject to the Agreement’s liability terms (and SCCs where applicable).

14. Term and termination

Effective while NEXIEL processes Customer Personal Data under the Agreement; relevant clauses survive.

15. Signatures and electronic acceptance

May be accepted electronically and in counterparts. Acceptance is recorded in the customer compliance panel.

Annex 1 — Security Measures (High-Level)

• Access controls and least privilege.
• Encryption in transit (TLS) and at rest where appropriate.
• Logging, monitoring, and alerting for suspicious activity.
• Incident response procedures and breach management workflow.
• Patching and vulnerability remediation processes.
• Logical segregation and environment controls.
• Backups and recovery processes consistent with service requirements.

Annex 2 — Subprocessor List (Minimum)

Stripe (billing, invoicing, and payment processing): https://stripe.com/ie/privacy

Annex 3 — Processing Description (Summary)

As described in Section 4. Customer may further specify details in an Order Form, DPIA, or written instructions, consistent with the Agreement and Applicable Law.