Data Processing Agreement

Agreement pursuant to GDPR Art. 28 on personal data processing

Version: 1.0.0
Effective date: 21 February 2026
GDPR Art. 28
DATA PROCESSING AGREEMENT
Version 1.0.0

entered into between:

1. THE DATA CONTROLLER
Name: {{controllerName}}
CUI: {{controllerCUI}}
Represented by: {{representativeName}}, as {{representativePosition}}
(hereinafter referred to as the "Controller")

2. THE DATA PROCESSOR
Name: Nexyra S.R.L.
(hereinafter referred to as the "Processor" or "Nexyra")

Acceptance date: {{acceptanceDate}}

---

ARTICLE 1 - SUBJECT MATTER

1.1. This agreement establishes the obligations of the parties regarding the protection of personal data, in accordance with Regulation (EU) 2016/679 (GDPR), Article 28.

1.2. The Processor processes personal data on behalf of the Controller for the purpose of providing Nexyra platform services, including appointment management, client communications, and invoicing.

ARTICLE 2 - CATEGORIES OF DATA PROCESSED

2.1. Categories of data processed include:
- Client identification data (name, surname, email, phone)
- Appointment and service request data
- Billing and payment data
- Communication data (messages, notifications)
- Technical data (IP address, user agent, timestamps)

2.2. Categories of data subjects include:
- The Controller's clients who use the appointment system
- The Controller's employees registered on the platform

ARTICLE 3 - DURATION OF PROCESSING

3.1. Data processing takes place throughout the Controller's use of Nexyra services.

3.2. Upon termination of this agreement, the Processor shall delete or return all personal data, according to the Controller's instructions, within 30 days.

ARTICLE 4 - PROCESSOR OBLIGATIONS

4.1. The Processor undertakes to:
a) Process personal data only on the basis of documented instructions from the Controller;
b) Ensure that persons authorized to process the data have committed to confidentiality;
c) Take all necessary technical and organizational measures pursuant to Art. 32 GDPR;
d) Respect the conditions for engaging another processor (sub-processor);
e) Assist the Controller in fulfilling the obligation to respond to data subject requests;
f) Assist the Controller in ensuring compliance with Art. 32-36 GDPR;
g) Make available to the Controller all information necessary to demonstrate compliance;
h) Allow and contribute to audits and inspections.

ARTICLE 5 - SUB-PROCESSORS

5.1. The Controller generally authorizes the use of the following sub-processors:

| Sub-processor | Purpose | Location |
|---------------|---------|----------|
| MongoDB Atlas | Database storage | EU (Frankfurt) |
| Redis Cloud | Cache and sessions | EU |
| Resend | Transactional email service | USA (standard contractual clauses) |
| Stripe | Payment processing | EU/USA (standard contractual clauses) |
| Railway | Application hosting | EU |
| Vercel | CDN and static assets | Global (standard contractual clauses) |

5.2. The Processor shall inform the Controller of any changes to sub-processors at least 30 days in advance.

ARTICLE 6 - INTERNATIONAL TRANSFERS

6.1. Any transfer of data outside the EEA shall be carried out only in compliance with Chapter V of the GDPR, through appropriate mechanisms (standard contractual clauses, adequacy decisions).

ARTICLE 7 - SECURITY MEASURES

7.1. The Processor implements the following technical and organizational measures:
a) Encryption of data in transit (TLS 1.2+) and at rest (AES-256);
b) Role-based access control;
c) Data access logging;
d) Regular encrypted backups;
e) Periodic testing of security measures;
f) Two-factor authentication for administrative access.

ARTICLE 8 - INCIDENT NOTIFICATION

8.1. The Processor shall notify the Controller without undue delay, and within 48 hours at most, after becoming aware of a data security breach.

8.2. The notification shall contain at least: the nature of the breach, the categories of data affected, and proposed remediation measures.

ARTICLE 9 - DATA SUBJECT RIGHTS

9.1. The Processor shall assist the Controller in fulfilling obligations regarding data subject rights (access, rectification, erasure, portability, objection, restriction).

9.2. If the Processor receives a direct request from a data subject, the Processor shall redirect the request to the Controller.

ARTICLE 10 - AUDIT AND COMPLIANCE

10.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in Art. 28 GDPR.

10.2. The Processor shall allow and contribute to audits, including inspections, carried out by the Controller or another auditor mandated by the Controller.

ARTICLE 11 - FINAL PROVISIONS

11.1. This agreement is an integral part of the Terms and Conditions of use of the Nexyra platform.

11.2. This agreement is governed by Romanian law and Regulation (EU) 2016/679.

11.3. Any dispute shall be resolved amicably or, failing that, by the competent courts in Romania.

---

Electronically accepted by: {{representativeName}}
Position: {{representativePosition}}
Date: {{acceptanceDate}}
On behalf of: {{controllerName}} (CUI: {{controllerCUI}})