Legal

Data Processing Addendum

Last updated: February 8, 2026

This Data Processing Addendum describes how NexEd ERP processes Personal Data on behalf of customer organizations, including schools and educational institutions, when providing the Services.

1. Scope and Definitions

  • This Data Processing Addendum ("DPA") applies when NexEd ERP processes Personal Data on behalf of a customer organization as part of providing the Services.
  • For the purposes of privacy laws, the customer is typically the Controller and NexEd ERP is the Processor (or equivalent terms under applicable law).

2. Processing Instructions

  • We will process Personal Data only on documented instructions from the customer, including as set out in the agreement and this DPA.
  • We will not process Personal Data for purposes unrelated to providing and securing the Services.

3. Confidentiality and Access Controls

  • We ensure personnel are bound by confidentiality obligations and receive security awareness training.
  • Access to customer data is restricted by role and logged to support auditing and investigations.

4. Security Measures

  • We maintain administrative, technical, and organizational safeguards designed to protect Personal Data.
  • Controls include encryption in transit, encryption at rest where appropriate, vulnerability management, monitoring, and incident response.

5. Subprocessors

  • We may engage subprocessors to support infrastructure and service delivery (e.g., hosting, email delivery, analytics, customer support tools).
  • We require subprocessors to implement appropriate security measures and to process data only under contract.
  • A current list of subprocessors is available upon request at dpo@nexederp.com.

6. International Transfers

  • Where Personal Data is transferred internationally, we apply appropriate safeguards such as Standard Contractual Clauses (SCCs) or other legally recognized mechanisms.
  • Customers may select a data residency region when available. Some data may still be processed globally for support and security operations.

7. Data Subject Rights Assistance

  • We provide reasonable assistance to help customers respond to requests to access, correct, delete, or export Personal Data.
  • If we receive a request directly from an individual, we will direct them to the customer organization where applicable.

8. Personal Data Breach

  • We will notify the customer organization without undue delay after becoming aware of a confirmed breach affecting Personal Data.
  • We will provide information reasonably required to support breach notifications and remediation.

9. Deletion or Return of Data

  • Upon termination of the Services, customers may export their data for a limited period as described in the Terms of Service.
  • After the export window, we will delete or anonymize Personal Data unless retention is required by law.

10. Contact

  • For questions about this DPA, contact dpo@nexederp.com.