Last updated: March 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Nexbree ("Processor") and you ("Controller") and governs the processing of personal data in connection with the Service.
"Personal Data" means any information relating to an identified or identifiable natural person. "Processing" means any operation performed on Personal Data. "Sub-processor" means any third party engaged by Nexbree to process Personal Data on behalf of the Controller.
Nexbree processes Personal Data solely to provide the Service as described in the Terms of Service. Categories of data processed include account information (name, email), decision content (business questions, analysis, documents), usage data (feature interactions, analytics), and connector data (synced from third-party integrations).
The Controller is responsible for ensuring a lawful basis for processing, providing notice to data subjects about the use of AI-powered processing, and obtaining necessary consents for connector data syncing.
Nexbree shall process Personal Data only on documented instructions from the Controller, implement appropriate technical and organizational security measures, assist the Controller in responding to data subject requests, notify the Controller of data breaches without undue delay (within 72 hours), delete or return Personal Data upon termination of the Service, and make available information necessary to demonstrate compliance.
Nexbree uses the following categories of sub-processors:
We will notify the Controller of any new sub-processors at least 30 days before engagement. The Controller may object to a new sub-processor by contacting privacy@nexbree.com.
Personal Data may be transferred to countries outside of India/EEA where our sub-processors operate. Such transfers are protected by Standard Contractual Clauses (SCCs) as adopted by the European Commission, or equivalent safeguards recognized under applicable law.
Nexbree implements encryption in transit (TLS 1.3) and at rest (AES-256), access controls and role-based authentication, regular security assessments and vulnerability testing, audit logging of all data access, and employee security training and background checks.
Personal Data is retained for the duration of the Service agreement plus 30 days for deletion processing. Account data is deleted within 30 days of account termination. Decision data can be exported before deletion. Backups are purged within 90 days.
Nexbree assists the Controller in responding to data subject requests including access, rectification, erasure, restriction, portability, and objection. Self-service tools are available in Settings → Data & Privacy for data export and deletion.
The Controller may audit Nexbree's compliance with this DPA with reasonable notice (30 days). Nexbree will provide relevant documentation and certifications, and facilitate on-site inspections for Enterprise plan customers.
Decision content sent to AI model providers is processed in real time and not retained by the provider beyond the processing session. We do not use Controller data to train, fine-tune, or improve any AI model. AI-generated outputs are treated as Controller data and subject to the same protections.
For a signed copy of this DPA, contact legal@nexbree.com.