“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

Data Protection Law

“Data Protection Law” means all applicable legislation relating to data protection and privacy including without limitation the EU Data Protection Directive 95/46/EC and all local laws and regulations which amend or replace any of them, including the GDPR, together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time. The terms “process”, “processes” and “processed” will be construed accordingly.

Data Subject

“Data Subject” means the individual to whom Personal Data relates.


“GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.


“Instruction” means the written, documented instruction, issued by Controller to Processor, and directing the same to perform a specific action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).

Personal Data

“Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data or personally identifiable information under applicable Data Protection Law

Personal Data Breach

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.


“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data.


“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

Client (a) is the sole Controller of Client Personal Data or (b) has been instructed by and obtained the authorization of the relevant Controller(s) to agree to the Processing of Client Personal Data by Nexus Themes as set out in this DPA. Client appoints Nexus Themes as Processor to Process Client Personal Data. If there are other Controllers, Client will identify and inform Nexus Themes of any such other Controllers prior to providing their Personal Data, as set out in the DPA Exhibit.

A list of categories of Data Subjects, types of Client Personal Data, Special Categories of Personal Data and the processing activities is set out in the applicable DPA Exhibit for a Service. The duration of the Processing corresponds to the duration of the Service, unless otherwise stated in the respective DPA Exhibit. The nature, purpose and subject matter of the Processing is the provision of the Service as described in the applicable TD.

Nexus Themes will Process Client Personal Data according to Client’s instructions. The scope of Client’s instructions for the Processing of Client Personal Data is defined by the Agreement, this DPA including the applicable DPA Exhibit, and, if applicable, Client’s and its authorized users’ use and configuration of the features of the Service. Client may provide further instructions that are legally required (Additional Instructions). If Nexus Themes believes an Additional Instruction violates the GDPR or other applicable data protection regulations, Nexus Themes will inform Client without undue delay and may suspend the performance until Client has modified or confirmed the lawfulness of the Additional Instruction in writing. If Nexus Themes notifies Client that an Additional Instruction is not feasible or Client notifies Nexus Themes that it does not accept the quote for the Additional Instruction prepared in accordance with Section 9.2, Client may terminate the affected Service by providing Nexus Themes with a written notice within one month after notification. Nexus Themes will refund a prorated portion of any prepaid charges for the period after such termination date.

Client shall serve as a single point of contact for Nexus Themes. As other Controllers may have certain direct rights against Nexus Themes, Client undertakes to exercise all such rights on their behalf and to obtain all necessary permissions from the other Controllers. Nexus Themes shall be discharged of its obligation to inform or notify another Controller when Nexus Themes has provided such information or notice to Client. Similarly, Nexus Themes will serve as a single point of contact for Client with respect to its obligations as a Processor under this DPA.

Nexus Themes will comply with all EEA data protection laws and regulations (Data Protection Laws) in respect of the Services applicable to Processors. Nexus Themes is not responsible for determining the requirements of laws applicable to Client’s business or that Nexus Themes’s provision of the Services meet the requirements of such laws. As between the parties, Client is responsible for the lawfulness of the Processing of the Client Personal Data. Client will not use the Services in conjunction with Personal Data to the extent that doing so would violate applicable Data Protection Laws.

Technical and organizational measures
Nexus Themes will implement and maintain technical and organizational measures set forth in the applicable DPA Exhibit (TOMs) to ensure a level of security appropriate to the risk for Nexus Themes’s scope of responsibility. TOMs are subject to technical progress and further development. Accordingly, Nexus Themes reserves the right to modify the TOMs provided that the functionality and security of the Services are not degraded.

Client confirms that the TOMs provide an appropriate level of protection for the Client Personal Data taking into account the risks associated with the Processing of Client Personal Data.

Data Subject Rights and Requests
To the extent permitted by law, Nexus Themes will inform Client of requests from Data Subjects exercising their Data Subject rights (e.g. rectification, deletion and blocking of data) addressed directly to Nexus Themes regarding Client Personal Data. Client shall be responsible to respond to such requests of Data Subjects. Nexus Themes will reasonably assist Client in responding such Data Subject requests in accordance with Section 9.2.

If a Data Subject brings a claim directly against Nexus Themes for a violation of their Data Subject rights, Client will indemnify Nexus Themes for any cost, charge, damages, expenses or loss arising from such a claim, to the extent that Nexus Themes has notified Client about the claim and given Client the opportunity to cooperate with Nexus Themes in the defense and settlement of the claim. Subject to the terms of the Agreement, Client may claim from Nexus Themes amounts paid to a Data Subject for a violation of their Data Subject rights caused by Nexus Themes’s breach of its obligations under GDPR.

Third Party Requests and Confidentiality
Nexus Themes will not disclose Client Personal Data to any third party, unless authorized by the Client or required by law. If a government or Supervisory Authority demands access to Client Personal Data, Nexus Themes will notify Client prior to disclosure, unless prohibited by law.

Nexus Themes requires all of its personnel authorized to Process Client Personal Data to commit themselves to confidentiality and not Process such Client Personal Data for any other purposes, except on instructions from Client or unless required by applicable law.

Nexus Themes shall allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client of Nexus Themes companies Processing of Client Personal Data in accordance with the following procedures:

Upon Client’s written request, Nexus Themes will provide Client or its mandated auditor with the most recent certifications and/or summary audit report(s), which Nexus Themes has procured to regularly test, assess and evaluate the effectiveness of the TOMs.

Nexus Themes will reasonably cooperate with Client by providing available additional information concerning the TOMs, to help Client better understand such TOMs.

If further information is needed by Client to comply with its own or other Controllers audit obligations or a competent Supervisory Authority’s request, Client will inform Nexus Themes in writing to enable Nexus Themes to provide such information or to grant Client access to it.

Each party will bear its own costs in respect of paragraphs a. and b. of Section 5.1. Any further assistance will be provided in accordance with Section 9.2.

Return or Deletion of Client Personal Data
Upon termination or expiration of the Agreement Nexus Themes will either delete or return Client Personal Data in its possession unless stated otherwise in the respective DPA Exhibit, or unless otherwise required by applicable law.

Client authorizes Nexus Themes to engage subcontractors to Process Client Personal Data (processors). A list of the current processors is set out in the respective DPA Exhibit. Nexus Themes will notify Client in advance of any changes to processors as set out in the respective DPA Exhibit. Within 30 days after Nexus Themes’s notification of the intended change, Client can object to the addition of a processor on the basis that such addition would cause Client to violate applicable legal requirements. Client’s objection shall be in writing and include Client’s specific reasons for its objection and options to mitigate, if any. If Client does not object within such period the respective processor may be commissioned to Process Client Personal Data. Nexus Themes shall impose substantially similar data protection obligations as set out in this DPA on any approved processor prior to the processor Processing any Client Personal Data.

If Client legitimately objects to the addition of a processor and Nexus Themes cannot reasonably accommodate Client’s objection Nexus Themes will notify Client. Client may terminate the affected Services by providing Nexus Themes with a written notice within one month of Nexus Themes’s notice.

Personal Data Breach
Nexus Themes will notify Client without undue delay after becoming aware of a Personal Data Breach with respect to the Services. Nexus Themes will promptly investigate the Personal Data Breach if it occurred on Nexus Themes infrastructure or in another area Nexus Themes is responsible for and will assist Client as set out in Section 9.