This Data Processing Agreement (“DPA”) applies between the customer that accepts the Nexly Terms (“Customer”) and Nexly when Nexly processes personal data on Customer’s behalf through the hosted service.
This DPA forms part of the Terms. It is written for the current Nexly service and should receive jurisdiction-specific legal review before production reliance.
1. Scope and roles
Customer is the controller or a processor acting with authority from a controller. Nexly is Customer’s processor for analytics data submitted through Customer properties. Each party remains independently responsible for data it controls.
Processing begins when Customer submits data and continues while Nexly provides the service or retains data under the documented retention behavior.
2. Documented instructions
Nexly will process Customer Data to provide, secure, maintain, and support the service; apply Customer configuration; prevent abuse; and comply with documented Customer requests. The Terms, Data Policy, product settings, and support requests constitute Customer’s instructions.
If Nexly believes an instruction violates applicable data protection law, it may pause the affected processing and ask Customer to clarify or amend the instruction.
3. Customer obligations
- Provide lawful instructions and an appropriate lawful basis for processing.
- Give required notices and obtain consent for device storage or analytics where applicable.
- Configure events and properties to avoid unnecessary or sensitive personal data.
- Use reasonable security for Nexly credentials and account access.
- Respond to data-subject requests as controller and provide identifiers needed for Nexly assistance.
4. Confidentiality and security
Nexly will limit access to Customer Data to people and providers who need it to operate or support the service and who are subject to confidentiality obligations.
Nexly maintains the technical and organizational measures described on the Security page. Customer acknowledges that no service can guarantee absolute security.
5. Subprocessors
Customer gives general authorization for the subprocessors listed on the Subprocessors page. Nexly remains responsible for engaging subprocessors under data-protection terms appropriate to their role.
Material changes to the list will be published. Customer may raise a reasonable data-protection objection by contacting mail@nexly.to. The parties will work in good faith on an alternative; if none is reasonably available, either party may end the affected service.
6. Data-subject requests
Taking into account the nature of processing, Nexly will provide reasonable assistance with access, correction, deletion, restriction, objection, or portability requests. Customer remains responsible for validating and responding to the requester.
Because analytics identifiers are pseudonymous, Customer may need to provide property, visitor, session, date-range, or event details before data can be located.
7. Security incidents
Nexly will notify Customer without undue delay after confirming a personal-data breach affecting Customer Data and will provide available information reasonably needed for Customer’s legal obligations.
Notification is not an admission of fault. Customer is responsible for notices to regulators and data subjects unless applicable law requires Nexly to notify directly.
8. International transfers
Core backend data is hosted in the Netherlands, but some subprocessors may process limited data outside the Customer’s jurisdiction. Where transfer safeguards are legally required, the parties will rely on an applicable transfer mechanism and supplementary measures available for the service.
9. Return and deletion
Customer can access analytics through the dashboard, exports, and read API while the service is active. Account and analytics deletion requests are handled manually through mail@nexly.to.
Dashboard property deletion is currently a soft deletion and does not immediately purge the underlying analytics storage. Raw events and rollups follow the Data Policy retention schedule; session records currently have no automatic TTL.
Following a verified deletion instruction, Nexly will delete or de-identify the relevant personal data in active systems within 30 days, unless retention is required by applicable law. Residual copies may persist in backups for a limited period before being cycled out.
10. Information and audits
Nexly will provide information reasonably necessary to demonstrate the obligations in this DPA, subject to confidentiality, security, proportionality, and protection of other customers. The public Legal and Security pages are the first source for vendor review.
Nexly does not currently provide a SOC 2 or ISO 27001 report. Any additional audit arrangement must be agreed in advance and may be subject to reasonable scope, timing, and cost controls.
Appendix: processing details
| Item | Description |
|---|---|
| Subject matter | Hosted product and web analytics for Customer properties |
| Duration | The service relationship plus documented retention |
| Data subjects | Visitors and users of Customer websites, apps, and services |
| Data categories | Pseudonymous IDs, sessions, URLs and paths, device and software attributes, city-level geo, engagement, attribution, and Customer-defined events |
| Sensitive data | Not intended or permitted as a normal use of the service |
| Processing | Collection, transmission, filtering, classification, storage, aggregation, analysis, reporting, support, security, and deletion |
Last updated: July 10, 2026