Privacy Policy

This policy establishes guidelines for the protection and privacy of personal data processed by Nexu Transaction Technologies,
ensuring compliance with applicable regulations, including the General Data Protection Regulation (GDPR).

This policy is intended for controllers who use Nexu’s services, as well as any interested party
wishing to understand the data protection practices adopted by the company.

Definitions

Personal Data: Any information relating to an identified or identifiable natural person.

Processor: An entity that processes personal data on behalf of the controller, as defined by the GDPR.

Controller: A natural or legal person responsible for collecting and making decisions regarding the processing of personal data.

Scope

Nexu’s Responsibilities

Nexu acts exclusively as a data processor, providing and maintaining a SaaS platform.
Nexu has no authority to collect, modify, delete, or make decisions regarding the personal data
stored in the system — these responsibilities rest with the controller.

Nexu is committed to ensuring that data remains protected, accessible only for operational support
purposes, and in compliance with applicable data protection regulations.

Data Access Controls

To ensure the security and integrity of data stored in the technological environment, Nexu implements
strict access control mechanisms, including:

  • Least privilege principle: Only professionals strictly required for operational support are granted access to the system.
  • Multi-Factor Authentication (MFA): All access to the environment requires enhanced authentication to mitigate the risk of unauthorized access.
  • Audit logs: All activities related to data access and interaction are recorded and monitored, ensuring traceability and enabling periodic audits.
  • Access reviews: Access permissions are reviewed regularly to prevent unnecessary or unauthorized access.

Data Handling and Processing

Nexu professionals are not authorized to modify, extract, copy, or delete any personal data stored
in its systems, unless a formal and documented request is submitted by the controller.

When operational support requires access to data, Nexu will follow these steps:

  • Formal request from the controller, duly documented.
  • Action log, ensuring traceability of the reason and the individuals responsible for the access.
  • Execution of strictly necessary activities, in accordance with the controller’s guidelines.
  • Closure and audit, ensuring no unauthorized changes were made.

Confidentiality and Security

Nexu adopts rigorous measures to ensure that information remains protected against unauthorized access and data breaches:

  • Confidentiality obligations: All professionals with access to the environment are subject to formal confidentiality obligations, established contractually or through a specific instrument.
  • Encryption: Data stored and transmitted through the platform is protected by encryption, ensuring that only authorized parties can access it.
  • Continuous monitoring: Nexu uses monitoring tools to detect unauthorized access and suspicious activities.

Privacy Incident Management

In the event of a security incident compromising personal data, Nexu will notify the controller within
24 hours of confirming the incident. The controller is responsible for notifying the relevant authorities
within the applicable regulatory deadlines, including:

  • European supervisory authority: within 72 hours, pursuant to Art. 33 of the GDPR, where applicable.

Nexu’s incident response plan includes the following steps:

  • Identification and containment of the incident, preventing its spread or escalation.
  • Notification to the controller within the established deadline.
  • Detailed investigation to understand the origin and impact of the incident.
  • Corrective measures to prevent recurrence.

Awareness and Training

Nexu regularly promotes awareness initiatives to ensure that authorized professionals understand the
risks and responsibilities associated with data access. These include:

  • Periodic distribution of materials on information security and data handling best practices.
  • Formal training sessions conducted at least annually.
  • Annual review of policies and operational procedures to ensure the continuous application of best practices.

Data Retention and Deletion

Personal data will be retained for the period strictly necessary for the provision of services.
Upon termination of the contractual relationship or upon formal request by the controller, Nexu will adopt the following procedures:

  • Data return: Data may be exported in a structured and readable format within the contractually established timeframe.
  • Secure deletion: Upon confirmation by the controller or after the contractual period, data will be securely and irreversibly deleted, including backup copies.
  • Deletion certificate: Upon request, Nexu will issue a formal document certifying the deletion of data.

Operational records, such as audit logs, may be retained for the minimum period required by applicable law.

Sub-processors

Nexu does not use sub-processors for the processing of personal data stored on the platform.
All processing is carried out internally by authorized professionals subject to the obligations described in this policy.

International Data Transfers

If personal data is stored or processed outside Canada or the European Union, Nexu will implement
appropriate safeguards to ensure a level of protection equivalent to that required by the GDPR, including:

  • Use of providers that adopt Standard Contractual Clauses (SCCs) approved by the European Commission or an equivalent mechanism.
  • Verification of the adequacy of the destination country, as assessed by the European Commission, where applicable.
  • Documentation of transfers carried out, available for verification upon request.

Support for Data Subject Rights

Nexu, acting as a data processor, does not maintain a direct relationship with data subjects.
However, it is committed to supporting the controller in fulfilling data subject requests, including:

  • Access: Providing the technical information necessary to locate and present data to the data subject.
  • Rectification: Technical support for data corrections, upon formal documented request from the controller.
  • Erasure: Executing the deletion of data indicated by the controller, following the procedure described in the Data Handling and Processing section.
  • Portability: Exporting data in a structured and interoperable format, as requested by the controller.
  • Objection and restriction: Applying blocks or access restrictions to data in accordance with formal instructions from the controller.

Requests will be fulfilled within the contractually established deadlines, observing the limits of
30 days under the GDPR.

Data Protection Officer (DPO)

Nexu has appointed a Data Protection Officer (DPO), responsible for acting as a communication channel
between the company, controllers, and data protection authorities, as well as for providing internal
guidance on compliance with applicable privacy regulations.

For questions, requests, or communications related to personal data protection, the DPO may be contacted at:

Email: dpo@nexu.ca