Nexly
Legal

Data Processing Agreement

Processor terms for customer analytics data handled through the Nexly service.

This Data Processing Agreement (“DPA”) applies between the customer that accepts the Nexly Terms (“Customer”) and Nexly when Nexly processes personal data on Customer’s behalf through the hosted service.

This DPA forms part of the Terms. It is written for the current Nexly service and should receive jurisdiction-specific legal review before production reliance.

1. Scope and roles

Customer is the controller or a processor acting with authority from a controller. Nexly is Customer’s processor for analytics data submitted through Customer properties. Each party remains independently responsible for data it controls.

Processing begins when Customer submits data and continues while Nexly provides the service or retains data under the documented retention behavior.

2. Documented instructions

Nexly will process Customer Data to provide, secure, maintain, and support the service; apply Customer configuration; prevent abuse; and comply with documented Customer requests. The Terms, Data Policy, product settings, and support requests constitute Customer’s instructions.

If Nexly believes an instruction violates applicable data protection law, it may pause the affected processing and ask Customer to clarify or amend the instruction.

3. Customer obligations

  • Provide lawful instructions and an appropriate lawful basis for processing.
  • Give required notices and obtain consent for device storage or analytics where applicable.
  • Configure events and properties to avoid unnecessary or sensitive personal data.
  • Use reasonable security for Nexly credentials and account access.
  • Respond to data-subject requests as controller and provide identifiers needed for Nexly assistance.

4. Confidentiality and security

Nexly will limit access to Customer Data to people and providers who need it to operate or support the service and who are subject to confidentiality obligations.

Nexly maintains the technical and organizational measures described on the Security page. Customer acknowledges that no service can guarantee absolute security.

5. Subprocessors

Customer gives general authorization for the subprocessors listed on the Subprocessors page. Nexly remains responsible for engaging subprocessors under data-protection terms appropriate to their role.

Material changes to the list will be published. Customer may raise a reasonable data-protection objection by contacting mail@nexly.to. The parties will work in good faith on an alternative; if none is reasonably available, either party may end the affected service.

6. Data-subject requests

Taking into account the nature of processing, Nexly will provide reasonable assistance with access, correction, deletion, restriction, objection, or portability requests. Customer remains responsible for validating and responding to the requester.

Because analytics identifiers are pseudonymous, Customer may need to provide property, visitor, session, date-range, or event details before data can be located.

7. Security incidents

Nexly will notify Customer without undue delay after confirming a personal-data breach affecting Customer Data and will provide available information reasonably needed for Customer’s legal obligations.

Notification is not an admission of fault. Customer is responsible for notices to regulators and data subjects unless applicable law requires Nexly to notify directly.

8. International transfers

Core backend data is hosted in the Netherlands, but some subprocessors may process limited data outside the Customer’s jurisdiction. Where transfer safeguards are legally required, the parties will rely on an applicable transfer mechanism and supplementary measures available for the service.

9. Return and deletion

Customer can access analytics through the dashboard, exports, and read API while the service is active. Account and analytics deletion requests are handled manually through mail@nexly.to.

Dashboard property deletion is currently a soft deletion and does not immediately purge the underlying analytics storage. Raw events and rollups follow the Data Policy retention schedule; session records currently have no automatic TTL.

Following a verified deletion instruction, Nexly will delete or de-identify the relevant personal data in active systems within 30 days, unless retention is required by applicable law. Residual copies may persist in backups for a limited period before being cycled out.

10. Information and audits

Nexly will provide information reasonably necessary to demonstrate the obligations in this DPA, subject to confidentiality, security, proportionality, and protection of other customers. The public Legal and Security pages are the first source for vendor review.

Nexly does not currently provide a SOC 2 or ISO 27001 report. Any additional audit arrangement must be agreed in advance and may be subject to reasonable scope, timing, and cost controls.

Appendix: processing details

ItemDescription
Subject matterHosted product and web analytics for Customer properties
DurationThe service relationship plus documented retention
Data subjectsVisitors and users of Customer websites, apps, and services
Data categoriesPseudonymous IDs, sessions, URLs and paths, device and software attributes, city-level geo, engagement, attribution, and Customer-defined events
Sensitive dataNot intended or permitted as a normal use of the service
ProcessingCollection, transmission, filtering, classification, storage, aggregation, analysis, reporting, support, security, and deletion
Questions about this document can be sent to mail@nexly.to.

Last updated: July 10, 2026