# Data Processing Addendum Template

> **Customization required.** This template is provided for policy operations and counsel review. Replace every `NEXQ-reviewed value`, verify every factual statement, and confirm applicability before publication. The template is not legal advice and does not create an attorney-client relationship.

**Effective date:** September 18, 2024  
**Last updated:** September 18, 2024  
**Owner:** NEXQ privacy, security, and legal operations  
**Applies to:** NEXQ websites, web applications, protected workspace surfaces, mobile app surfaces, APIs, secure healthcare and healthtech workflow demonstrations, quantum encryption, diagnostics, oncology, longevity, research collaboration, support, and related services

This DPA template is for controller/processor, business/service-provider, and subprocessor relationships involving NEXQ. It must be reconciled with the commercial agreement.

## 1. Roles
Customer is the controller/business and NEXQ is the processor/service provider/contractor for customer personal data, unless the parties state otherwise in an order form or product-specific terms.

## 2. Instructions
NEXQ will process customer personal data only on documented instructions, including the agreement, order forms, product settings, support requests, and lawful customer directions.

## 3. Details of processing
| Field | Description |
| --- | --- |
| Subject matter | Provision, security, support, and improvement of NEXQ services under the applicable agreement. |
| Duration | term of agreement plus deletion/return period |
| Nature and purpose | provide, secure, support, and improve contracted services as permitted |
| Categories of data subjects | users, customers, employees, patients, applicants, visitors, or as specified |
| Categories of personal data | account, usage, support, content, health, or other specified categories |
| Sensitive data | Sensitive data only where expressly enabled, necessary, consented, contractually authorized, or legally required. |

## 4. Confidentiality and security
NEXQ will ensure personnel authorized to process personal data are bound by confidentiality and will implement appropriate technical and organizational measures.

## 5. Subprocessors
Customer authorizes subprocessors listed at https://nexq.us/legal-policy-bundle/site/policies/subprocessor-policy.html. NEXQ will impose materially protective obligations and provide notice of material changes where required.

## 6. Assistance
NEXQ will reasonably assist with data subject requests, DPIAs, security, breach notifications, and regulatory inquiries to the extent required and applicable.

## 7. International transfers
Where required, the parties will use approved transfer mechanisms such as SCCs, UK Addendum/IDTA, DPF certification where valid, or other lawful mechanisms. Insert transfer terms at https://nexq.us/legal#cross-border-transfer-controls.

## 8. Deletion or return
At the end of services, NEXQ will delete or return customer personal data as required by the agreement, unless retention is required by law or legitimate backup/security processes.

## 9. Audit
NEXQ will provide reasonable audit information such as security reports, certifications, questionnaires, or customer audits subject to confidentiality, frequency, scope, and security limits.

## 10. CCPA service-provider terms
NEXQ will not sell or share customer personal information, retain/use/disclose it outside the business purpose, or combine it except as permitted by applicable law and the agreement.
