Data Processing Agreement
Effective Date: May 1, 2026
This Data Processing Agreement (this "DPA") forms part of the written agreement between NxGeN Holdings Inc. ("NxGeN") and the institutional counterparty signing or otherwise accepting it ("Customer" — typically a sponsor, brand partner, accelerator partner, vendor, or other organization entering into a commercial arrangement with NxGeN) (the "Agreement"). It governs the Processing of personal data carried out in connection with the Services NxGeN provides to Customer or that Customer provides to NxGeN, as the case may be. Capitalized terms not defined here have the meanings given to them in the Agreement.
This DPA does not apply to NxGeN's individual community members, whose personal data is governed by NxGeN's Privacy Policy.
1. Subject Matter, Scope, and Roles
1.1 Data Processing
In the course of performing under the Agreement, NxGeN may Process personal data provided by, or on behalf of, Customer that constitutes "personal data," "personal information," "personally identifiable information," or an analogous term under applicable law ("Customer Personal Data"). The parties agree to comply with this DPA and with all privacy and data protection laws applicable to the Processing of Customer Personal Data, including, as applicable, those of the European Union, the European Economic Area and its member states, Switzerland, the United Kingdom, and the United States (including the California Consumer Privacy Act and the California Privacy Rights Act, collectively the "CCPA") (collectively, "Data Protection Laws").
1.2 Subject Matter
The subject matter, nature, and purpose of the Processing, the types of Customer Personal Data, and the categories of "Data Subjects" (as defined under applicable Data Protection Laws) are described in Annex I, which is an integral part of this DPA.
1.3 Roles
Customer is a "Controller" or "Business" (as defined under applicable Data Protection Laws) and appoints NxGeN as a "Processor" or "Service Provider" (as defined under applicable Data Protection Laws) on behalf of Customer. Customer is responsible for compliance with the requirements of Data Protection Laws applicable to Controllers and Businesses, including for ensuring that Customer has the necessary lawful basis, notices, and consents in place before disclosing Customer Personal Data to NxGeN.
If Customer is a Processor on behalf of another Controller (a "Third-Party Controller"), Customer:
- is the single point of contact for NxGeN;
- must obtain all necessary authorizations from such Third-Party Controller; and
- undertakes to issue all instructions and exercise all rights on behalf of that Third-Party Controller.
1.4 Member-Generated Data Out of Scope
Personal data of NxGeN community members that is generated through their use of the NxGeN platform — including profile data, Circle data, Network posts, direct-message content, and Givers Network listings — is not Customer Personal Data under this DPA. NxGeN is the Controller of that data, and it is governed by NxGeN's Privacy Policy.
2. Processing Instructions
NxGeN will Process Customer Personal Data on behalf of and only in accordance with Customer's documented instructions for the following purposes:
- Processing in accordance with this DPA, the Agreement, and any applicable order form, statement of work, or scope-of-work document;
- Processing initiated by authorized users in their use of the Services; and
- Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
NxGeN will inform Customer if, in NxGeN's opinion, an instruction infringes Data Protection Laws, unless legally prohibited from doing so.
3. Personnel
NxGeN will ensure that all personnel authorized to Process Customer Personal Data are subject to a written or statutory obligation of confidentiality and have received appropriate training on data protection and security requirements.
4. CCPA Limitations on Processing
Except as permitted by applicable Data Protection Laws, the Agreement, or this DPA, NxGeN will not:
- retain, use, or disclose Customer Personal Data for any purpose other than for the specific purposes of performing the Services and in accordance with Customer's documented instructions;
- retain, use, or disclose Customer Personal Data outside of the direct business relationship between the parties;
- combine Customer Personal Data with personal information that NxGeN obtains from, or on behalf of, sources other than Customer, except as permitted by Data Protection Laws; or
- "Sell" or "Share" (as those terms are defined under applicable Data Protection Laws) Customer Personal Data.
NxGeN certifies that it understands and will comply with these restrictions.
5. Security and Security Incidents
5.1 Security
NxGeN will implement reasonable and appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk presented by the Processing of Customer Personal Data, in accordance with the measures described in Annex II. NxGeN intends to obtain SOC 2 Type II attestation (or a substantially equivalent standard) and will maintain that posture during the Term once attained.
5.2 Security Incident Notification
NxGeN will notify Customer without undue delay, and within seventy-two (72) hours, after becoming aware of any actual or reasonably suspected unauthorized access to, loss of, or other unauthorized Processing of, Customer Personal Data ("Security Incident"). If notification is delayed beyond seventy-two (72) hours, the notification will be accompanied by reasons for the delay.
5.3 Security Incident Response
NxGeN will take reasonable measures in response to a Security Incident, including:
- measures designed to mitigate the Security Incident and prevent its recurrence;
- providing Customer with reasonable information about the Security Incident as it becomes known to NxGeN; and
- providing other commercially reasonable assistance to Customer in complying with its obligations under applicable Data Protection Laws.
5.4 Vulnerability Testing
NxGeN will perform regular vulnerability scanning and penetration testing of the platform used to provide the Services, at least annually or when significant changes are made to the platform.
5.5 Encryption
NxGeN will encrypt Customer Personal Data in transit using TLS 1.2 or higher (with TLS 1.3 preferred) and at rest using AES-256 encryption or equivalent industry-standard encryption techniques.
6. Subprocessing
6.1 Authorization
Customer hereby authorizes NxGeN to engage Processors that Process Customer Personal Data on behalf of NxGeN ("Subprocessors"). NxGeN's current Subprocessors are listed in Annex III.
6.2 Subprocessor Agreements
NxGeN will enter into a written agreement with each Subprocessor that imposes substantially similar obligations on the Subprocessor as those imposed on NxGeN under this DPA, including requirements for security, confidentiality, and data protection.
6.3 Subprocessor Changes
NxGeN will notify Customer at least thirty (30) days in advance of any intended change to its Subprocessors that affects Customer's data, by email to the address associated with Customer's account and by updating the list at <https://nxgen.club/legal/subprocessors>. Customer may object to the addition of a Subprocessor on reasonable grounds that the appointment will result in a material violation of Data Protection Laws by providing written notice setting out those grounds within thirty (30) days of NxGeN's notification. The parties will work together in good faith to address Customer's objection. If NxGeN chooses to retain the new Subprocessor and the parties cannot reach a mutually acceptable resolution, either party may discontinue providing or using the relevant parts of the Services that depend on that Subprocessor and may terminate the relevant parts of the Services within thirty (30) days.
7. Assistance to Customer
Taking into account the nature of the Processing and the information available to NxGeN, NxGeN will provide reasonable assistance to Customer:
- in implementing appropriate technical and organizational measures;
- in responding to Data Subject or "Consumer" (as defined under applicable Data Protection Laws) requests;
- in replying to inquiries, complaints, and investigations from regulators; and
- in conducting data protection impact assessments and prior consultations with regulators.
NxGeN may charge reasonable fees for assistance that materially exceeds the standard support included in the Agreement.
8. Audit
On Customer's reasonable written request, and no more than once per twelve (12) months unless required by a supervisory authority, NxGeN will permit Customer, at Customer's expense, to audit NxGeN's controls and compliance with this DPA (an "Audit"), provided that the Audit is:
- conducted by Customer or by a third-party auditor designated by Customer that has executed an appropriate confidentiality agreement with NxGeN;
- limited to a scope mutually agreed by the parties, including start date, duration, and confidentiality controls;
- conducted during normal business hours with at least thirty (30) days' prior written notice; and
- carried out in a manner that does not unreasonably interfere with NxGeN's business operations.
As an alternative to an Audit, NxGeN may provide Customer with a copy of its most recent SOC 2 Type II report (once available) or another equivalent certification or summary report. Customer will pay all costs and expenses incurred by NxGeN in connection with the Audit. Customer may use the results of an Audit only for the purposes of meeting Customer's regulatory audit requirements and confirming compliance with this DPA.
9. International Data Transfers
9.1 European Data Transfers
NxGeN will obtain Customer's specific prior written authorization for any transfer of Customer Personal Data subject to European Data Protection Law that is not subject to an adequacy decision by the European Commission ("International Data Transfer"). Customer authorizes NxGeN to conduct International Data Transfers outside the EEA or Switzerland:
- to any country subject to a valid adequacy decision of the European Commission;
- on the basis of an organization's binding corporate rules approved by EEA Supervisory Authorities; and
- to any data importer with whom NxGeN has entered into standard contractual clauses ("SCCs").
9.2 European Transfer Mechanisms
Customer and NxGeN conclude Module 2 (Controller-to-Processor) of the SCCs and, to the extent Customer is a Processor on behalf of a Third-Party Controller, Module 3 (Processor-to-Subprocessor) of the SCCs, which are incorporated into this DPA and completed as follows:
- the "data exporter" is Customer; the "data importer" is NxGeN;
- the optional docking clause in Clause 7 is implemented;
- Option 1 of Clause 9(a) is implemented and the time period therein is specified in Section 6.3 above;
- the optional redress clause in Clause 11(a) is struck;
- Option 1 in Clause 17 is implemented and the governing law is the law of Delaware;
- the courts in Clause 18(b) are the Courts of Delaware;
- Annexes I, II, and III to the SCCs are Annexes I, II, and III to this DPA respectively.
For International Data Transfers from Switzerland, Data Subjects who have their habitual residence in Switzerland may bring claims under the SCCs before the courts of Switzerland.
9.3 UK Data Transfers
Customer authorizes NxGeN to perform International Data Transfers outside the United Kingdom:
- to any country subject to a valid adequacy decision issued by the UK Government;
- on the basis of an organization's binding corporate rules approved by the UK Information Commissioner; and
- to any data importer with whom NxGeN has entered into the UK Addendum or other standard contractual clauses issued by the UK Information Commissioner.
9.4 UK Transfer Mechanism
Customer and NxGeN conclude the UK Addendum, which is incorporated into this DPA and applies to International Data Transfers outside the UK. Part 1 of the UK Addendum is completed as follows:
- in Table 1, the "Exporter" is Customer and the "Importer" is NxGeN; their details are set forth in this DPA and the Agreement;
- in Table 2, the first option is selected and the "Approved EU SCCs" are the SCCs referred to in Section 9.2 of this DPA;
- in Table 3, Annexes 1 (A and B), II, and III to the "Approved EU SCCs" are Annex I, II, and III to this DPA respectively; and
- in Table 4, both the "Importer" and the "Exporter" can terminate the UK Addendum.
10. Return and Deletion
Following the date of expiration or earlier termination of the Agreement, NxGeN will return or delete all Customer Personal Data within sixty (60) days, except that NxGeN may retain copies of Customer Personal Data:
- as expressly agreed by the parties;
- as required by applicable law; or
- as contained in standard backups,
in each case subject to the protections of this DPA. Customer may request expedited deletion by contacting legal@nxgen.club.
ANNEX I — DESCRIPTION OF THE TRANSFER
A. List of Parties
Data Exporter
- Name: Customer (as defined above)
- Activities relevant to the data transferred under these Clauses: Customer engages NxGeN under the Agreement (e.g., as a sponsor, brand partner, accelerator partner, or vendor) and provides Personal Data to NxGeN in that context.
- Role (controller/processor): Controller, or Processor on behalf of a Third-Party Controller.
Data Importer
- Name: NxGeN Holdings Inc.
- Activities relevant to the data transferred under these Clauses: NxGeN provides the Services to Customer under the Agreement and Processes Personal Data on behalf of Customer in that context.
- Role (controller/processor): Processor on behalf of Customer, or Subprocessor on behalf of a Third-Party Controller.
B. Description of International Data Transfer
Categories of Data Subjects whose Customer Personal Data is transferred:
- Customer's employees, contractors, and authorized representatives;
- Individuals who Customer enrolls in, or whose participation Customer facilitates for, NxGeN programming (e.g., partner-led Networks, sponsored experiences, accelerator cohorts);
- Customer's invited guests at NxGeN-hosted or partner-hosted experiences; and
- Other individuals whose personal data Customer chooses to share with NxGeN under the Agreement.
Categories of Customer Personal Data transferred:
- Identity and contact details (e.g., name, email address, phone number, mailing address);
- Professional details (e.g., title, organization, role);
- Event and program participation data (e.g., RSVP status, session attendance, dietary requirements, accessibility requirements);
- Authentication credentials (e.g., user identifiers); and
- Any other personal data that Customer chooses to provide to NxGeN under the Agreement.
Sensitive data transferred (if applicable):
NxGeN does not solicit and is not designed to Process special-category or sensitive personal data. Customer must not provide sensitive personal data (including health information beyond ordinary accessibility requirements, government-issued identifiers, financial account details, biometric data, or data revealing racial or ethnic origin, political opinions, religious beliefs, or trade-union membership) to NxGeN through the Services without a prior written agreement that specifically addresses such Processing.
Frequency of the International Data Transfer:
On a continuous basis for the duration of the Agreement.
Nature of the Processing:
The Customer Personal Data will be Processed and transferred as described in the Agreement, including collection, storage, retrieval, consultation, use, organization, structuring, adaptation, deletion, and disclosure for the purposes of providing the Services.
Purpose(s) of the International Data Transfer and further Processing:
- Provision of the Services to Customer (e.g., delivery of partner-led programming, sponsored experiences, accelerator cohorts, or vendor support);
- Event registration, check-in, and logistics;
- Analytics and reporting on program performance for Customer;
- Technical support and troubleshooting;
- Improvement and development of the Services; and
- Compliance with legal obligations.
Period for which the Customer Personal Data will be retained:
For the duration of the Agreement and for sixty (60) days following termination, unless otherwise required by applicable law or longer retention is necessary for legitimate business purposes such as dispute resolution.
For International Data Transfer to (Sub)Processors, also specify subject matter, nature, and duration of the Processing:
For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement and as necessary to provide the Services.
C. Competent Supervisory Authority
- The competent authority for the Processing of Customer Personal Data relating to Data Subjects located in the EEA is the Irish Data Protection Commission.
- The competent authority for the Processing of Customer Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner's Office.
- The competent authority for the Processing of Customer Personal Data relating to Data Subjects located in Switzerland is the Swiss Federal Data Protection and Information Commissioner.
ANNEX II — TECHNICAL AND ORGANIZATIONAL MEASURES
NxGeN implements technical and organizational measures designed to protect Customer Personal Data from unauthorized access, acquisition, disclosure, destruction, alteration, accidental loss, misuse, or damage. These measures include, without limitation:
Access Controls
- Multi-factor authentication for administrative access;
- Role-based access control (RBAC) and the principle of least privilege;
- Regular access reviews and timely revocation procedures;
- Unique user accounts for all personnel; and
- Automated session timeouts.
Data Security
- Encryption in transit using TLS 1.2 or higher (with TLS 1.3 preferred);
- Encryption at rest using AES-256 or equivalent;
- Secure key management and rotation procedures;
- Database access logging and monitoring; and
- Secure deletion and data sanitization procedures.
Network Security
- Firewall and intrusion-detection/prevention systems;
- Network segmentation and isolation;
- DDoS protection and mitigation;
- Regular security patching and updates; and
- Vulnerability scanning and penetration testing.
Application Security
- Secure software development lifecycle (SDLC);
- Code review and security testing;
- Input validation and output encoding;
- Protections aligned with the OWASP Top 10; and
- Periodic security assessments and audits.
Physical Security
- Production infrastructure runs on Google Cloud Platform, whose data centers maintain SOC 2 Type II and other industry-standard certifications;
- Physical access controls, monitoring, and environmental controls; and
- Backup power and redundancy systems.
Organizational Measures
- Information security policies and procedures;
- Security awareness training for all personnel;
- Background checks for personnel with access to Customer Personal Data;
- Confidentiality obligations for personnel and contractors;
- Incident response plan and procedures;
- Business continuity and disaster recovery plans; and
- Vendor risk management program.
Monitoring and Logging
- Continuous security monitoring and alerting;
- Audit logging of access to systems handling Customer Personal Data;
- Log retention and analysis; and
- Where applicable, security information and event management (SIEM) capabilities.
Compliance
- SOC 2 Type II attestation in progress;
- PCI-DSS compliance for payment processing through Stripe; and
- Regular third-party security assessments.
ANNEX III — LIST OF SUBPROCESSORS
Customer authorizes NxGeN to engage the following Subprocessors:
| Subprocessor | Location of Processing | Nature and Purpose of Processing |
|---|---|---|
| Google Cloud Platform | United States | Cloud infrastructure, database, authentication, real-time services, and operational tooling |
| Vercel | United States | Application hosting, edge delivery, and content delivery |
| Sanity | United States / EU | Headless content management for the Learn module and editorial content |
| Stripe | United States | Payment processing (membership dues, event fees) |
| Cloudflare | United States | Content delivery network, DDoS protection, and edge security |
| Resend | United States | Transactional email delivery |
NxGeN may update this list from time to time in accordance with Section 6.3 of this DPA. The current list of Subprocessors is maintained at <https://nxgen.club/legal/subprocessors>.
Contact Information
For questions regarding this DPA:
NxGeN Holdings Inc.
Email: legal@nxgen.club
Website: nxgen.club
