When you process personal data in ONX — prospect contacts, candidates, deal-room visitors, client and workforce records — you are the controller and Optimal Nexus Ltd acts as your processor under Article 28 GDPR. Our standard DPA, including the Technical & Organisational Measures annex and the approved sub-processor list, is available to all paying customers.
Last updated: July 2026 · To request or execute the DPA, contact compliance@optimalnexus.com
EU data residency
Primary application data — database, authentication, storage — is hosted in the European Union (AWS eu-north-1, Stockholm). Product analytics runs on PostHog EU Cloud. No transfer safeguard is needed for primary data.
SCCs for US sub-processors
Where a sub-processor operates in the United States, the transfer is covered by EU Standard Contractual Clauses (Implementing Decision 2021/914), with data minimisation and encryption in transit.
30-day sub-processor notice
We give at least 30 days’ prior notice before adding or replacing any sub-processor — by in-platform notification and email to your DPA contact — with a contractual right to object.
72-hour breach notification
Personal data breaches affecting your data are notified to you without undue delay, and in any event within 72 hours of us becoming aware, with the Article 33(3) particulars.
Deletion or return on termination
On termination you choose deletion or return of your data, completed within 30 days. Self-service machine-readable export is available throughout the term, and automated retention runs continuously.
Audit rights
Audit once per 12-month period on 30 days’ notice, satisfied in the first instance through our security documentation and the SOC 2 / ISO 27001 reports of our infrastructure sub-processors.
The full document follows the Article 28(3) GDPR checklist, with numbered clauses and three annexes (description of processing, TOM security annex, approved sub-processors).
Request or execute the DPA
The DPA is available on request to all paying customers and is executed by countersignature. Enterprise customers may request a mutually negotiated DPA. Include your company name, registration number, and the email of your DPA contact.
Sub-processors: the authoritative, always-current list — with each provider's purpose, data categories, hosting region and transfer safeguard — is published at /subprocessors and forms part of the DPA. Changes carry 30 days' prior notice.
Related documents: our Privacy Policy covers the data for which we are the controller, the Security & Trust centre summarises our security posture, and the AI Transparency Notice details how AI is used, including EU AI Act controls.