This Data Processing Agreement (“DPA”) forms part of the Terms of Service between NexWeave, Inc. (“Processor”) and the Customer (“Controller”) for Personal Data processed under the Service. It is designed to comply with GDPR Article 28, UK GDPR, and CCPA service provider requirements.
1. Subject matter and duration
NexWeave processes Personal Data on behalf of the Customer as necessary to provide the Service. Processing starts when the Customer creates an account and ends 30 days after termination (or earlier at the Customer's request).
2. Nature and purpose
- Running Claude-powered analysis (Policy X-Ray, AI Audit, AIRISK, Web Scan)
- Storing AIRISK disclosures, policy PDFs, and findings
- Routing quote requests to brokers (with Customer consent)
- Logging access and audit events
3. Types of Personal Data
As described in the Privacy Policy § 2.
4. Categories of data subjects
- Customer’s employees and representatives
- Customer’s end-users who appear in uploaded content
- Broker firm employees (for the broker marketplace)
5. Sub-processors
The Customer authorizes the following sub-processors. NexWeave will notify the Customer of changes to this list by email 30 days in advance.
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Anthropic, PBC | AI inference (Claude) for analysis features | US | SCCs 2021; Anthropic DPA on file |
| Clerk, Inc. | Authentication, org management, billing | US | SCCs 2021 |
| Stripe, Inc. | Payment processing (via Clerk Billing) | US | SCCs 2021 |
| Amazon Web Services, Inc. | Compute, storage (S3), database (RDS), Redis | US (us-east-1) | SCCs 2021; AWS DPA |
| GitHub, Inc. | Source control (deployment pipeline only) | US | SCCs 2021 |
| Sentry (Functional Software) | Error telemetry (when enabled) | US | SCCs 2021 |
6. Security measures
NexWeave implements the following technical and organizational measures (“TOMs”):
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Row-level security (RLS) in PostgreSQL to isolate tenant data.
- Multi-factor authentication on production access.
- Secrets in AWS Secrets Manager with least-privilege IAM.
- Regular dependency updates and automated vulnerability scanning.
- Access logs recording all sensitive reads.
- Incident response plan with a 72-hour breach notification commitment.
7. International transfers
For transfers from the EEA/UK to the US, we rely on Standard Contractual Clauses (2021). A Transfer Impact Assessment is available on request.
8. Data subject rights
The Customer is the primary point of contact for data subject requests. NexWeave provides tools in the portal to export and delete data on the Customer’s instruction, and will assist with any request that cannot be fulfilled via self-service.
9. Deletion or return of data
On termination, the Customer may export all data (JSON + CSV) via the portal for 30 days. After that, all org-scoped data is permanently deleted. Backups are retained for up to 90 days before rolling off.
10. Audits
The Customer may request an annual security questionnaire or, for Enterprise plans, a SOC 2 Type II report (available after our audit completes).
11. Breach notification
We will notify the Customer of any confirmed Personal Data breach affecting its data within 72 hours, including the information required by GDPR Article 33(3).