Data processing addendum.
This addendum supplements the brand-side terms and applies to any processing of personal data the agency carries out on the brand's behalf in connection with a campaign. It is written to satisfy Article 28 of the EU General Data Protection Regulation and the parallel obligations of the UK GDPR; it is also offered, on a like-for-like basis, for processing subject to the California Consumer Privacy Act and the Digital Personal Data Protection Act, 2023 (India). Where a more prescriptive regime applies, the more prescriptive regime governs.
Definitions
Controller, Processor, Data Subject, Personal Data, Processing, Subprocessor, and Personal Data Breach have the meanings given to them by the applicable data-protection regime. Brand is the Controller; Agency (the Nexus Club Agency) is the Processor. Member refers to a Nexus Club creator engaged on a campaign.
Subject matter and duration
The agency processes personal data only as necessary to perform the campaign described in the brief and to meet its obligations under these terms. Processing begins on signature of the first brief and ends on the later of: completion of the last live campaign, return or deletion of brand-furnished personal data, and any retention required by law.
Nature and purpose of processing
The agency processes personal data to commission, run, deliver, and report on campaigns: receiving brief content, communicating with members assigned to the brand, scheduling and publishing, recording action logs, and producing campaign reporting. The agency does not process the brand's personal data for any purpose outside the campaign without separate written consent.
Type of personal data
Typically: brand-side approver names and contact details; member names, handles, and contact details (created and held by the agency under the membership relationship, not under this DPA); audience names where a campaign explicitly addresses them. Special-category data is not processed under this DPA without an addendum dated and signed by both parties.
Categories of data subjects
Brand-side personnel; members assigned to the campaign; brand customers, where they are identifiable in campaign assets; recipients of communications the campaign sends.
Brand instructions
The agency processes personal data only on documented instructions from the brand, including those given through the brief and those given in writing during the campaign. The agency informs the brand without undue delay if an instruction would, in its view, infringe applicable data-protection law; the brand may, in turn, instruct the agency to cease the disputed processing while the question is resolved.
Confidentiality of personnel
The agency ensures that any person authorised to process personal data under this DPA is bound by confidentiality obligations of equivalent effect to this addendum. This includes the editorial desk, members on assignment, and any subprocessor's personnel.
Security measures
The agency maintains the technical and organisational measures described in our security posture — including encryption in transit and at rest, hardened authentication, hashed passwords, audit logging, and a written disclosure process — and updates them as the threat environment requires.
Subprocessors
The brand grants general written authorisation to engage subprocessors listed at /subprocessors. Material additions are dated on that page and, where the brand has requested it in writing, notified by email at the email of record. The agency remains responsible for the acts and omissions of its subprocessors as if they were its own.
International transfers
Where personal data is transferred from the European Economic Area or the United Kingdom to a country not subject to an adequacy decision, the transfer is made under the European Commission's Standard Contractual Clauses (Module 2 or Module 3 as appropriate) and, where applicable, the UK International Data Transfer Addendum. The clauses are incorporated into this DPA by reference and are countersigned on request.
Data subject rights
The agency assists the brand, by appropriate technical and organisational measures, in fulfilling the brand's obligation to respond to requests from data subjects exercising rights of access, rectification, erasure, restriction, portability, and objection. The agency forwards any such request received directly to the brand without responding on the brand's behalf, unless the brand instructs otherwise.
Personal data breach
The agency notifies the brand of a Personal Data Breach affecting brand-controlled personal data without undue delay, and in any event within seventy-two hours of becoming aware of it. The notice includes: the nature of the breach, categories and approximate volume of data and data subjects, the likely consequences, and the measures taken or proposed to address it. The agency cooperates with the brand on regulator notification and data-subject communications where applicable.
Audit
The brand may, on reasonable notice and at its own cost, audit the agency's compliance with this DPA, no more than once per twelve-month period unless an audit is triggered by a notified breach or a regulator's request. Audits respect the agency's legitimate confidentiality, security, and operational constraints; on-site audits proceed on dates agreed in advance.
Return or deletion
On the brand's written request, made within thirty days of campaign completion or termination, the agency returns or deletes brand-controlled personal data. Where the agency is required by law to retain data, the agency informs the brand of the legal requirement, the categories retained, and the retention period.
Liability and contact
Liability under this DPA is governed by the liability clause of the brand-side terms, save where a more specific allocation is required by applicable law. Notices, audit requests, and breach communications: dpa@thenexusclub.org.