Data Processing Agreement

Effective Date: March 22, 2026

This Data Processing Agreement ("DPA") is entered into between NextBix ("Processor") and the subscribing organization ("Controller") as part of the Terms of Service for the NextBix Learning Management System ("Service"). This DPA governs the processing of personal data by the Processor on behalf of the Controller in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) where applicable.


1. Definitions
  • "Controller" means the organization subscribing to the Service, which determines the purposes and means of processing personal data
  • "Processor" means NextBix, which processes personal data on behalf of the Controller
  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in applicable data protection laws
  • "Data Subject" means an individual whose personal data is processed
  • "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, and deletion
  • "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller
  • "Data Protection Laws" means all applicable laws and regulations relating to data protection and privacy, including GDPR, CCPA, and similar legislation

2. Subject Matter and Duration

Subject Matter: This DPA applies to the processing of personal data by NextBix in connection with the provision of the LMS platform and related services.

Duration: This DPA remains in effect for the duration of the Service agreement and terminates upon the cessation of all processing activities and deletion or return of personal data as specified herein.


3. Nature and Purpose of Processing

Nature of Processing:

  • Collection, recording, storage, organization, structuring, and retrieval of personal data
  • Modification, use, disclosure by transmission, and erasure of personal data
  • Hosting and maintaining personal data on cloud infrastructure

Purpose of Processing:

  • To provide, operate, and maintain the LMS platform
  • To enable user authentication, access control, and session management
  • To track learning progress, course completion, and generate reports
  • To provide technical support and troubleshooting
  • To ensure system security, performance, and availability

4. Categories of Personal Data and Data Subjects

Categories of Data Subjects:

  • Employees, contractors, or users of the Controller's organization
  • Students, learners, or trainees accessing the LMS
  • Administrators and instructors managing the LMS

Categories of Personal Data:

  • Identity Data: Name, username, email address, job title, department
  • Account Data: Login credentials (hashed passwords), authentication tokens, session data
  • Learning Data: Course enrollments, progress, completion status, quiz results, certificates, badges
  • Technical Data: IP address, browser type, device information, access logs, error logs
  • Content Data: Uploaded files, documents, videos, and other user-generated content (as provided by the Controller)

5. Controller and Processor Obligations

Controller Obligations:

  • The Controller is responsible for determining the lawful basis for processing personal data
  • The Controller shall ensure compliance with data protection laws in its use of the Service
  • The Controller shall provide clear instructions to the Processor regarding data processing activities
  • The Controller is responsible for responding to data subject rights requests, with assistance from the Processor

Processor Obligations:

  • Process personal data only on documented instructions from the Controller, unless required by law
  • Ensure that persons authorized to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organizational measures to protect personal data (see Annex A)
  • Engage sub-processors only with the Controller's prior authorization (general authorization under Section 8, or specific authorization) and ensure they are bound by data protection obligations equivalent to those in this DPA
  • Assist the Controller in responding to data subject rights requests
  • Assist the Controller in ensuring compliance with data protection impact assessments and prior consultations
  • Notify the Controller without undue delay of any personal data breach
  • Delete or return all personal data upon termination of services, unless retention is required by law
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA

6. Confidentiality

The Processor shall ensure that all personnel with access to personal data are subject to a duty of confidentiality, whether by contract or statutory obligation. The Processor shall provide appropriate training to personnel on data protection and confidentiality requirements.


7. Security Measures

The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account:

  • The state of the art and costs of implementation
  • The nature, scope, context, and purposes of processing
  • The risks to the rights and freedoms of data subjects

Specific security measures are detailed in Annex A: Technical and Organizational Measures.


8. Sub-processors

The Controller provides general authorization for the Processor to engage sub-processors to assist in providing the Service. The Processor shall:

  • Maintain a list of authorized sub-processors (see Sub-processor List below)
  • Notify the Controller of any intended changes (additions or replacements) to sub-processors
  • Provide the Controller with an opportunity to object to such changes within 30 days
  • Ensure that sub-processors are bound by data protection obligations equivalent to those in this DPA
  • Remain fully liable to the Controller for the performance of sub-processor obligations

Current Sub-processors:

Sub-processor      Service Provided                      Location
---------------    ----------------------------------    ----------------------------------------
Microsoft Azure    Cloud hosting and infrastructure      EU/Global (data residency as configured)
Bunny CDN          Content delivery and video hosting    EU/Global

9. International Data Transfers

Where personal data is transferred to a country outside the European Economic Area (EEA) that is not otherwise recognized as providing adequate data protection, the Processor shall ensure that a lawful transfer mechanism and appropriate safeguards are in place, including one or more of the following:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions recognized by relevant data protection authorities
  • Binding Corporate Rules or other approved transfer mechanisms
  • Use of infrastructure providers certified under applicable data protection frameworks

10. Data Subject Rights Assistance

The Processor shall assist the Controller, to the extent reasonably possible and taking into account the nature of processing, in responding to requests from data subjects exercising their rights under data protection laws, including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing

Data subjects should direct their requests to the Controller. The Processor shall forward any data subject requests received directly to the Controller and assist in fulfilling such requests within a reasonable timeframe.


11. Data Breach Notification

In the event of a personal data breach affecting the Controller's data, the Processor shall:

  • Notify the Controller without undue delay, and in any case within 72 hours of becoming aware of the breach
  • Provide all relevant information about the breach, including:
    • Nature of the breach and categories/approximate number of data subjects affected
    • Likely consequences of the breach
    • Measures taken or proposed to address the breach and mitigate its effects
  • Cooperate with the Controller in investigating and remediating the breach
  • Document all personal data breaches for audit and regulatory purposes

12. Data Deletion and Return

Upon termination of the Service or upon the Controller's request, the Processor shall, at the Controller's choice:

  • Delete: Permanently delete all personal data in the Processor's possession, including backups, unless retention is required by applicable law
  • Return: Return all personal data to the Controller in a structured, commonly used, and machine-readable format

The Processor shall provide written certification of deletion or return upon request. Data retained for legal compliance purposes shall remain subject to the confidentiality and security obligations of this DPA.


13. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

The Controller shall provide reasonable notice (at least 30 days) for audits, which shall be conducted during normal business hours and in a manner that does not unreasonably interfere with the Processor's operations. The Controller shall bear the costs of such audits unless they reveal material non-compliance.


14. Liability and Indemnification

Each party's liability under this DPA shall be subject to the limitations and exclusions set forth in the Terms of Service. The Processor shall indemnify the Controller against any claims, fines, or penalties arising from the Processor's breach of this DPA or applicable data protection laws, except to the extent caused by the Controller's instructions or actions.


Annex A: Technical and Organizational Measures

The Processor implements the following technical and organizational measures to ensure the security of personal data:

1. Access Control
  • Role-based access controls (RBAC) limiting access to authorized personnel only
  • Multi-factor authentication (MFA) for administrative access
  • Regular review and revocation of access rights
  • Unique user credentials and audit logging of access events
2. Encryption
  • Data in transit encrypted using TLS 1.2 or higher
  • Data at rest encrypted using industry-standard encryption algorithms (AES-256)
  • Encryption keys managed securely with rotation policies
3. Data Backup and Recovery
  • Regular automated backups with encryption
  • Tested disaster recovery and business continuity procedures
  • Geographically redundant storage where applicable
4. Physical Security
  • Data centers with 24/7 physical security, access controls, and monitoring
  • Environmental controls (fire suppression, climate control)
  • Infrastructure providers holding recognized certifications and attestations (e.g., ISO 27001 certification, SOC 2 attestation reports)
5. Network Security
  • Firewalls and intrusion detection/prevention systems
  • Regular vulnerability scanning and penetration testing
  • Network segmentation and isolation of sensitive systems
6. Logging and Monitoring
  • Comprehensive logging of access, authentication, and system events
  • Real-time security monitoring and alerting
  • Log retention and analysis for security incident investigation
7. Organizational Measures
  • Security and data protection training for all personnel
  • Confidentiality agreements for employees and contractors
  • Incident response and breach notification procedures
  • Regular security policy reviews and updates
  • Vendor risk management for sub-processors
8. Data Minimization and Pseudonymization
  • Collection limited to data necessary for service provision
  • Pseudonymization or anonymization where feasible
  • Data retention policies aligned with legal and contractual requirements

Contact Information

For questions about this Data Processing Agreement or data protection matters, please contact:

NextBix Data Protection Officer
Email: legal@nextbix.dk
Address: Henrik Ibsens Vej, 2000 Frederiksberg, Denmark

Last updated: March 22, 2026