Nexly Corporation - Data Processing Agreement (DPA) Policy
1. Introduction & Purpose
This Data Processing Agreement (DPA) Policy (the "Policy") outlines Nexly Corporation's ("Nexly" or the "Company") obligations and practices as a data processor and/or data controller under applicable data privacy laws and regulations, including but not limited to the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant data protection laws. Located at 701 South Street Suite 100, Mountain Home, AR 72653, Nexly is committed to protecting the privacy and security of personal data. This Policy is designed to:
- Ensure Compliance with Data Privacy Laws: Establish a framework for complying with all applicable data privacy laws and regulations when processing personal data.
- Define Data Controller and Processor Roles: Clearly define Nexly's roles as a data controller and/or data processor.
- Establish Data Processing Principles: Set forth the principles that govern Nexly's data processing activities.
- Protect Personal Data: Protect the confidentiality, integrity, and availability of personal data.
- Define Contractual Obligations: Establish the contractual requirements that apply when Nexly processes personal data on behalf of a Data Controller or engages sub-processors to process personal data on its behalf.
- Promote Transparency and Accountability: Be transparent about the Company's data processing practices and to be accountable for its data protection responsibilities.
This Policy applies to all Nexly employees, contractors, vendors, and other individuals and entities that process personal data on behalf of Nexly. This Policy is to be read in conjunction with other Company policies, including, but not limited to, the Data Privacy Policy, the Information Security Policy, and the Incident Response & Breach Notification Policy.
2. Definitions
For the purposes of this Policy, the following definitions apply:
- Personal Data: Any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- Data Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- Data Subject: An individual whose personal data is processed.
- Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- Sub-processor: A third party engaged by a data processor to process personal data.
- Data Protection Officer (DPO): The individual responsible for overseeing the Company's data protection compliance efforts. [Specify name/title]
3. Data Controller vs. Data Processor Roles
Nexly Corporation operates as both a Data Controller and a Data Processor. The specific role in a particular data processing activity will be determined by the nature of the activity and the relationship with the data subjects.
- 3.1. Data Controller Role: When Nexly determines the purposes and means of processing personal data, it acts as a Data Controller. Examples include:
- Processing the personal data of its employees for payroll and HR purposes.
- Collecting customer data through its website or mobile applications.
- Processing contact details for Nexly's own marketing activities.
- 3.2. Data Processor Role: When Nexly processes personal data on behalf of a Data Controller, it acts as a Data Processor. This typically occurs when Nexly provides services to other organizations. Examples include:
- Providing data processing services to a client, where the client decides what data is processed and why.
- Hosting or storing a client's customer data on the client's behalf.
- 3.3. Hybrid Role: In some instances, Nexly may act in a hybrid role within the same engagement, acting as a Data Controller for some processing activities and as a Data Processor for others. The applicable obligations are determined separately for each processing activity.
4. Data Processing Principles
Nexly Corporation will adhere to the following data processing principles:
- 4.1. Lawfulness, Fairness, and Transparency: Process personal data lawfully, fairly, and transparently.
- 4.2. Purpose Limitation: Collect and process personal data only for specified, explicit, and legitimate purposes. Do not further process personal data in a manner that is incompatible with the purposes for which it was collected.
- 4.3. Data Minimization: Collect and process only the minimum amount of personal data necessary for the specified purpose.
- 4.4. Accuracy: Ensure that personal data is accurate and kept up-to-date.
- 4.5. Storage Limitation: Retain personal data only for as long as is necessary for the specified purpose. Follow the Data Retention Policy. [Link to Data Retention Policy].
- 4.6. Integrity and Confidentiality: Process personal data securely, using appropriate technical and organizational measures to protect it from unauthorized access, use, disclosure, or loss.
- 4.7. Accountability: Be responsible for demonstrating compliance with these principles.
5. Data Protection Practices
Nexly Corporation will implement the following data protection practices:
- 5.1. Data Security Measures:
- Secure Storage: Store personal data only in approved systems and locations that are protected by appropriate encryption and access controls.
- Access Control: Limit access to personal data to authorized personnel only, based on the principle of least privilege, and review access rights regularly.
- Encryption: Encrypt personal data both at rest and in transit using industry-standard algorithms and protocols, and manage encryption keys separately from the data they protect.
- Regular Audits: Conduct regular security audits of the systems and processes that handle personal data, and track remediation of any findings.
- 5.2. Data Protection Impact Assessments (DPIAs): Conduct a DPIA, before processing begins, for any data processing activity that is likely to result in a high risk to the rights and freedoms of individuals.
- 5.3. Data Transfers: Comply with all applicable laws and regulations when transferring personal data internationally, and ensure that an appropriate legal transfer mechanism is in place before any such transfer takes place.
- 5.4. Data Subject Rights: Respect data subject rights, including:
- Right to Access: Provide individuals with access to their personal data.
- Right to Rectification: Correct inaccurate data.
- Right to Erasure: Erase personal data where a lawful ground for erasure applies, for example where the data is no longer necessary for the purpose for which it was collected.
- Right to Restriction: Restrict the processing of personal data under certain circumstances.
- Right to Data Portability: Allow individuals to obtain and reuse their personal data.
- Right to Object: Allow individuals to object to processing.
- 5.5. Sub-processors:
- Approval: Obtain the Data Controller's prior written authorization (specific or general, as provided in the DPA) before engaging any sub-processor, and inform the Data Controller of any intended addition or replacement of sub-processors so that it can object.
- Contractual Obligations: Enter into a written agreement with each sub-processor before any personal data is shared with it.
- Due Diligence: Conduct due diligence on all sub-processors to ensure they meet the required data protection standards, and repeat it periodically for the duration of the engagement.
- Data Protection: Impose on each sub-processor the same data protection obligations that Nexly has accepted toward the Data Controller. Nexly remains responsible to the Data Controller for the performance of its sub-processors.
6. Vendor Agreements (If acting as a Data Processor)
When Nexly acts as a Data Processor, it will enter into a written Data Processing Agreement (DPA) with the Data Controller. The DPA will address:
- 6.1. Subject Matter and Duration: The subject matter and duration of the data processing.
- 6.2. Nature and Purpose of Processing: The nature and purpose of the data processing.
- 6.3. Types of Personal Data and Data Subjects: The types of personal data being processed and the categories of data subjects.
- 6.4. Obligations: The obligations of Nexly Corporation. The DPA will specify that Nexly will:
- Process the personal data only on the documented instructions of the Data Controller, including with regard to transfers of personal data to a third country or an international organization.
- Ensure that persons authorized to process the personal data have committed themselves to confidentiality.
- Implement all technical and organizational measures required to ensure a level of security appropriate to the risk, consistent with Section 5.1.
- Make available to the Data Controller all information necessary to demonstrate compliance, and allow for and contribute to audits, including inspections, conducted by the Data Controller or an auditor it mandates.
- Assist the Data Controller in fulfilling its obligations, including responding to data subject requests, maintaining security, notifying data breaches, and carrying out DPIAs.
- 6.5. Data Breach Notification: Procedures for notifying the Data Controller of any data breaches. See also the Incident Response & Breach Notification Policy [Link to the policy].
- 6.6. Sub-processors: Requirements for using sub-processors.
- 6.7. Data Subject Rights: Cooperation with the Data Controller in addressing Data Subject Rights.
- 6.8. Termination: At the end of the services, and at the Data Controller's choice, the return or deletion of all personal data, and the deletion of existing copies unless applicable law requires Nexly to retain them.
7. Data Breach Response
In the event of a data breach, Nexly Corporation will follow the procedures outlined in the Incident Response & Breach Notification Policy [Link to the policy], and take steps to:
- 7.1. Contain: Take immediate steps to contain the data breach and prevent further loss, alteration, or disclosure of personal data.
- 7.2. Investigate: Investigate the incident, including its scope, the categories and volume of personal data affected, and its root cause.
- 7.3. Notify: Notify the Data Controller (where Nexly acts as a Data Processor), the relevant supervisory authorities, and other stakeholders, as and when required by law.
- 7.4. Remediate: Remediate any vulnerabilities and take steps to prevent recurrence.
- 7.5. Cooperate: Where Nexly acts as a Data Processor, cooperate with the Data Controller in notifying the affected individuals and data protection authorities.
8. Training and Awareness
Nexly Corporation will provide training and awareness programs to ensure that all employees and contractors understand their responsibilities under this Policy.
- 8.1. Training: Provide training on this Policy, data privacy laws, and data security best practices.
- 8.2. Role-Specific Training: Provide role-specific training for those involved in data processing activities.
9. Enforcement and Monitoring
Compliance with this Policy is mandatory for all employees, contractors, vendors, and other persons to whom this Policy applies (see Section 1).
- 9.1. Enforcement: Failure to comply with this Policy may result in disciplinary action, up to and including termination of employment or contract.
- 9.2. Monitoring: The Company will monitor compliance with this Policy.
- 9.3. Audits: The Company may conduct audits to assess compliance.
10. Policy Review & Amendments
This Data Processing Agreement (DPA) Policy will be reviewed and updated regularly to ensure its continued effectiveness.
- Review Frequency: This Policy will be reviewed at least [Specify Frequency, e.g., annually] or more frequently as needed.
- Review Process: The review process will involve:
- Input from Stakeholders: Seeking input from relevant stakeholders.
- Legal and Regulatory Review: Ensuring compliance with all applicable laws.
- Industry Trends and Best Practices: Reviewing relevant trends.
- Policy Amendments and Communication: Any amendments to this Policy will be approved by [Specify Approving Authority, e.g., the Board of Directors or the Executive Leadership Team] and communicated to all Users through [Specify Communication Channels, e.g., company-wide email, intranet posting, training sessions].
- Policy Ownership: The Data Protection Officer (DPO), with support from Legal Counsel, is responsible for maintaining and updating this Policy.
**Acknowledgement:** By accessing and using data, all employees, contractors, and other authorized individuals are deemed to acknowledge that they have read, understood, and agree to abide by the terms and conditions outlined in this Data Processing Agreement (DPA) Policy.