O
ONX/Data Processing Agreement

Data Processing Agreement

When you process personal data in ONX — prospect contacts, candidates, deal-room visitors, client and workforce records — you are the controller and Optimal Nexus Ltd acts as your processor under Article 28 GDPR. Our standard DPA, including the Technical & Organisational Measures annex and the approved sub-processor list, is available to all paying customers.

Last updated: July 2026 · To request or execute the DPA, contact compliance@optimalnexus.com

Key commitments

EU data residency

Primary application data — database, authentication, storage — is hosted in the European Union (AWS eu-north-1, Stockholm). Product analytics runs on PostHog EU Cloud. No transfer safeguard is needed for primary data.

SCCs for US sub-processors

Where a sub-processor operates in the United States, the transfer is covered by EU Standard Contractual Clauses (Implementing Decision 2021/914), with data minimisation and encryption in transit.

30-day sub-processor notice

We give at least 30 days’ prior notice before adding or replacing any sub-processor — by in-platform notification and email to your DPA contact — with a contractual right to object.

72-hour breach notification

Personal data breaches affecting your data are notified to you without undue delay, and in any event within 72 hours of us becoming aware, with the Article 33(3) particulars.

Deletion or return on termination

On termination you choose deletion or return of your data, completed within 30 days. Self-service machine-readable export is available throughout the term, and automated retention runs continuously.

Audit rights

Audit once per 12-month period on 30 days’ notice, satisfied in the first instance through our security documentation and the SOC 2 / ISO 27001 reports of our infrastructure sub-processors.

What the DPA covers

The full document follows the Article 28(3) GDPR checklist, with numbered clauses and three annexes (description of processing, TOM security annex, approved sub-processors).

  • Parties, definitions, and the controller–processor split (you are the controller of the data you process in ONX; we are your processor)
  • Subject matter, duration, nature and purpose of processing
  • Categories of data subjects and personal data per module — your users, prospect contacts, deal-room visitors, candidates, and operations/finance personnel
  • Processing on your documented instructions only — never for our own purposes, never for AI model training
  • Confidentiality commitments for all personnel with access
  • Security of processing, with a full Technical & Organisational Measures (TOM) annex — tenant isolation, RBAC and visibility scoping, MFA, encryption at rest and in transit, audit logging, retention automation
  • Sub-processor authorisation, the live sub-processor list, and 30-day change notice with objection rights
  • International transfers — EU-hosted primary data, SCCs for US sub-processors
  • Assistance with data subject rights, including self-service export, erasure and suppression tooling
  • Personal data breach notification within 72 hours
  • Deletion and return of data at end of services
  • Audit and inspection rights, and liability aligned to the main agreement

Request or execute the DPA

The DPA is available on request to all paying customers and is executed by countersignature. Enterprise customers may request a mutually negotiated DPA. Include your company name, registration number, and the email of your DPA contact.

compliance@optimalnexus.com

Sub-processors: the authoritative, always-current list — with each provider's purpose, data categories, hosting region and transfer safeguard — is published at /subprocessors and forms part of the DPA. Changes carry 30 days' prior notice.

Related documents: our Privacy Policy covers the data for which we are the controller, the Security & Trust centre summarises our security posture, and the AI Transparency Notice details how AI is used, including EU AI Act controls.