Data-Processing Addendum (DPA)

Last updated: 06/13/2025

This Data-Processing Addendum (“DPA”) is incorporated by reference into:

  1. the TechNexus Terms of Service;
  2. any Proposal, Order Form, Statement of Work, Master Services Agreement or similar document (collectively “SOW”) that references TechNexus LLC; and
  3. any other agreement under which TechNexus provides development, UX/UI, or marketing services (“Services”).

By signing an SOW, clicking “Accept,” or otherwise using the Services, the Customer agrees to be bound by this DPA.

1. Parties and roles

TechNexus LLC acts as the data processor, located at Rruga Ukshin Hoti, Kompleksi Ramiz Sadiku, Kosovo, Prishtine, 10000. The data controller is the legal entity identified as the "Customer" in the applicable Statement of Work (SOW), with the address specified therein.

2. Scope, purpose, and duration

Subject-matter & purpose: TechNexus processes Customer Personal Data solely to deliver the Services described in the SOW.
Duration: From SOW signature until deletion/return under Clause 11.

3. Categories of data & data subjects (Annex I(A))

We process personal data on behalf of our customers. For end-users, this includes names, emails, device or session IDs, and behavioral metrics. For customers' employees and contractors, we process work emails, job titles, and profile photos. Other types of data may also be provided directly by the customer, which they may choose to append.

4. Processor obligations

  • Process on documented instructions only.
  • Staff are under NDA; access is need-to-know.
  • Security measures in Annex II (e.g., TLS 1.2+, AES-256 at rest, MFA).
  • Sub-processors: only those in Annex III; 10-day written notice for additions.
  • International transfers protected by 2021 EU SCCs or UK addendum.
  • Assist with data-subject requests and DPIAs; allow one audit per 12 months.
  • Breach notification within 48 h of confirmation.
  • Delete or return data within 30 days of project end unless law requires retention.

5. Customer responsibilities

  • Ensure a lawful basis for data supplied to TechNexus.
  • Give only instructions that comply with GDPR and Kosovo Law 06/L-082.
  • Inform data subjects and obtain any required consents.

6. Liability

Each Party’s aggregate liability under this DPA is capped at the fees paid or payable under the relevant SOW in the 12 months preceding the claim, excluding wilful misconduct or breach of confidentiality.

7. Governing law & venue

Kosovo law governs this DPA; exclusive jurisdiction lies with the courts of Pristina unless an SOW specifies arbitration.

8. Order of precedence

If this DPA conflicts with any other agreement between the Parties regarding data protection, this DPA controls.

Annex II — Technical & organisational measures (summary)

  • AWS EU-region hosting (ISO 27001, SOC 2).
  • TLS 1.2+ in transit; AES-256 at rest.
  • Role-based access, MFA, quarterly access reviews.
  • Nightly encrypted backups, 30-day retention.
  • Monthly vulnerability scans, annual external penetration test.
  • Annual privacy & security training for all personnel.

Annex III — Approved sub-processors

We work with a number of trusted sub-processors to deliver our services efficiently while ensuring data protection standards.

  • AWS (Amazon Web Services EMEA SARL) provides hosting and storage services within the EU, without requiring a cross-border data transfer mechanism.
  • Google (including Workspace, Google Analytics, and Tag Manager) supports email, documentation, and analytics services across both the EU and the US, relying on Standard Contractual Clauses (SCCs) and IP anonymisation for international transfers.
  • Hotjar Ltd., based in the EU, handles heat-mapping and session replay under SCCs.
  • Meta Platforms Ireland and LinkedIn Ireland provide ad pixel and ad analytics services respectively, also under SCCs, with processing confined to the EU.
  • In the US, Klaviyo Inc. manages email automation and Figma Inc. facilitates design collaboration, both under SCCs.
  • Zoho Corp. supports CRM and mailing services across both the EU and US, protected by SCCs.
  • Slack Technologies Ltd. is used for internal communication and operates in both the EU and US, also adhering to SCCs.
