Skip to content
exune

Data Processing Addendum

Data Processing Addendum

Covers GDPR (Article 28) and India DPDP obligations, with Standard Contractual Clauses appended for cross-border transfers. The executable document is available on request; the material terms are summarized below. Nothing here overrides the signed agreement.

Roles

For the personal data in a customer’s Microsoft 365 tenants (device and user records acted on during a migration), the customer is the Controller / Data Fiduciary and Nexune is the Processor / Data Processor. Nexune processes that data only on the customer’s documented instructions — the migration the operator configures and approves.

Scope & duration

Processing is limited to operating the migration: discovering devices, mapping users, running approved waves, and producing the audit record. It lasts for the term of the agreement. On termination, operational data is deleted or returned on request; WORM audit receipts are retained under their locked immutability policy for their stated period (an integrity guarantee), as documented in the agreement.

Security measures

Row-level security isolates every tenant at the database layer; per-tenant Graph tokens live in Azure Key Vault; wave approvals and device commands are HSM-signed; the audit log is hash-chained and notarized to immutable (WORM) storage; MFA is mandatory for password operators; data is TLS 1.3 in transit and AES-256 at rest. The full posture is on the Security page.

Sub-processors

The current sub-processor list is published and versioned. Customers with an active agreement are notified before a new sub-processor goes live and may object. Standard Contractual Clauses are appended for transfers outside the customer’s region where applicable.

Sub-processor obligations

Each sub-processor is bound by data-protection terms no less protective than this DPA. Nexune remains liable to the customer for a sub-processor’s performance of its obligations.

Assistance & breach notification

Nexune assists the customer with data-subject requests, DPIAs, and regulator engagement to the extent the customer cannot self-serve. In the event of a personal-data breach affecting customer data, Nexune notifies the customer without undue delay, with the information needed to meet the customer’s own reporting obligations.

Request the executable DPA, ask about a specific clause, or send your own paper for review at security@nexune.in.

Related: Sub-processors · Security & compliance · Privacy