EN
NEXCONN DATA PROCESSING AGREEMENT
Last Updated: March 24, 2026
This Data Processing Agreement ("DPA") is entered into between RCLOUD GLOBAL PTE. LTD. ("Nexconn", "Processor", "we", "us", or "our") and the Customer ("Controller", "you", or "your") and forms part of the Terms of Service between you and Nexconn.
This DPA sets out the terms and conditions under which Nexconn will process Personal Data on behalf of the Customer in connection with the provision of the Services. This DPA prevails over any conflicting terms in the Terms of Service with respect to the processing of End User Data.
1. DEFINITIONS
1.1 "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including but not limited to the General Data Protection Regulation (GDPR) for data subjects in the European Economic Area, the UK Data Protection Act 2018 for data subjects in the United Kingdom, and other applicable privacy laws.
1.2 "Controller" means the Customer, who determines the purposes and means of the processing of Personal Data.
1.3 "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
1.4 "End User Data" means Personal Data of end users that is transmitted, stored, or processed through the Services by or on behalf of the Customer.
1.5 "Personal Data" means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Law.
1.6 "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
1.7 "Processor" means Nexconn, who processes Personal Data on behalf of the Controller.
1.8 "Service Region" means the geographic region selected by the Customer for storing and processing End User Data, being one of: Singapore, Saudi Arabia, or United States.
1.9 "Subprocessor" means any third party engaged by Nexconn to process Personal Data on behalf of the Controller.
2. PROCESSING OF PERSONAL DATA
2.1 Roles and Responsibilities
(a) The parties acknowledge that with respect to End User Data, the Customer is the Controller and Nexconn is the Processor.
(b) Nexconn shall process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to third countries or international organizations, unless required to do so by applicable law.
(c) The Customer warrants that it has obtained all necessary consents and authorizations from Data Subjects for the processing of their Personal Data as contemplated by this DPA.
2.2 Details of Processing
The processing activities under this DPA include:
• Subject Matter: Processing of End User Data in connection with the provision of communication and AI services;
• Duration: For the term of the Agreement and as specified in Section 8 (Data Retention and Deletion);
• Nature and Purpose: To provide, maintain, and improve the Services as described in the Terms of Service;
• Categories of Data Subjects: End users of Customer's applications that integrate Nexconn Services;
• Types of Personal Data: User identifiers, messages, files, user profile information, and other data transmitted through the Services.
3. OBLIGATIONS OF THE PROCESSOR
3.1 Confidentiality
Nexconn shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.2 Security Measures
Nexconn shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
• Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256);
• Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems;
• Ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
• Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures.
3.3 Subprocessing
(a) The Customer authorizes Nexconn to engage Subprocessors as listed in Annex A (List of Subprocessors).
(b) Nexconn shall provide the Customer with prior notice of any intended changes concerning the addition or replacement of Subprocessors, allowing the Customer 5 days to object.
(c) Where Nexconn engages a Subprocessor, it shall enter into a written agreement with such Subprocessor that imposes data protection obligations substantially similar to those in this DPA.
(d) Nexconn shall remain fully liable to the Customer for the performance of any Subprocessor's obligations.
3.4 Assistance to the Controller
Nexconn shall assist the Customer, taking into account the nature of the processing, in fulfilling its obligations to:
• Respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law;
• Ensure security of processing;
• Notify Personal Data Breaches to supervisory authorities and Data Subjects;
• Conduct data protection impact assessments and consult with supervisory authorities where required.
3.5 Data Protection Impact Assessment
Upon request, Nexconn shall provide the Customer with information necessary to conduct data protection impact assessments and prior consultations with supervisory authorities.
4. DATA LOCATION AND TRANSFERS
4.1 Data Storage Location
(a) End User Data will be stored and processed only in the Customer's selected Service Region, unless:
• The Customer explicitly enables cross-region features for specific functionalities;
• Required by law or binding order of a competent authority;
• Necessary for technical support with the Customer's prior authorization.
(b) AI Services data may be processed through third-party AI providers located in various jurisdictions. By using AI Services, the Customer consents to such transfers.
4.2 International Data Transfers
Where Personal Data is transferred outside the European Economic Area, United Kingdom, or other jurisdictions with data localization requirements, Nexconn shall ensure appropriate safeguards are in place, including:
• Standard Contractual Clauses approved by the European Commission or relevant authorities;
• Adequacy decisions where applicable;
• Other legally recognized transfer mechanisms.
5. PERSONAL DATA BREACH NOTIFICATION
5.1 Nexconn shall notify the Customer without undue delay and in any case within 72 hours after becoming aware of a Personal Data Breach.
5.2 Such notification shall include:
• The nature of the Personal Data Breach including categories and approximate number of Data Subjects and Personal Data records concerned;
• Likely consequences of the Personal Data Breach;
• Measures taken or proposed to address the breach and mitigate its potential adverse effects.
5.3 Nexconn shall cooperate with the Customer and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
6. AUDIT RIGHTS
6.1 Nexconn shall make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.
6.2 The Customer may conduct an audit once per calendar year, or more frequently if required by applicable law or if a Personal Data Breach has occurred.
6.3 Audits shall be conducted during regular business hours, with reasonable advance notice (at least 30 days), and in a manner that minimizes disruption to Nexconn's operations.
6.4 The Customer shall bear its own costs for conducting audits, unless the audit reveals material non-compliance by Nexconn, in which case Nexconn shall bear reasonable audit costs.
7. DATA SUBJECT RIGHTS
7.1 Upon receipt of a request from a Data Subject exercising their rights under Applicable Data Protection Law, Nexconn shall promptly notify the Customer.
7.2 Nexconn shall assist the Customer in responding to such requests, including by providing technical means to access, rectify, erase, or export Personal Data.
7.3 Unless legally prohibited, Nexconn shall not respond directly to Data Subject requests without the Customer's prior authorization.
8. DATA RETENTION AND DELETION
8.1 Retention Period
Nexconn shall retain Personal Data only for as long as necessary to provide the Services or as required by applicable law:
• Active Service Data: Retained while the Customer's account is active;
• Post-Termination: Deleted within 180 days after termination of the Agreement, except where retention is required by law;
• AI Services Data: Active data retained for 180 days, archived data retained for 1 year.
8.2 Data Deletion
(a) Upon termination of the Agreement or upon the Customer's written request, Nexconn shall delete or return all Personal Data to the Customer, except where retention is required by applicable law.
(b) The Customer may request deletion of specific Personal Data through the Nexconn console or by contacting support.
(c) Nexconn shall certify deletion of Personal Data upon the Customer's request.
8.3 Backup Data
Personal Data in backup systems may be retained for up to 180 days after deletion from active systems, after which it will be permanently deleted. Backup data is encrypted and access-restricted.
9. AI SERVICES DATA PROCESSING
9.1 AI Services Data
When the Customer uses Nexconn's AI Services, the following additional terms apply:
9.2 Input Data
(a) Input Data (prompts, queries, instructions) is processed solely to generate AI responses.
(b) Nexconn does not use Input Data to train or improve AI models without the Customer's explicit consent.
(c) Input Data may be transmitted to third-party AI providers as necessary to provide AI Services.
9.3 Output Data
(a) Output Data (AI-generated content) is provided to the Customer for its use.
(b) The Customer is responsible for reviewing Output Data before use or distribution.
9.4 AI Subprocessors
AI Services may utilize third-party AI model providers as Subprocessors. The current list of AI Subprocessors is included in Annex A.
10. LIABILITY AND INDEMNIFICATION
10.1 Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service.
10.2 Nexconn shall indemnify the Customer against any claims, damages, and expenses arising from Nexconn's breach of this DPA or violation of Applicable Data Protection Law, except to the extent caused by the Customer's instructions or actions.
11. TERM AND TERMINATION
11.1 This DPA shall remain in effect for the duration of the Agreement between the parties.
11.2 Upon termination of the Agreement, Nexconn shall comply with the data deletion obligations set forth in Section 8.
11.3 Sections 1 (Definitions), 8 (Data Retention and Deletion), and 10 (Liability and Indemnification) shall survive termination of this DPA.
12. GOVERNING LAW
This DPA shall be governed by and construed in accordance with the laws of the Republic of Singapore, without regard to its conflict of law principles. Any disputes arising from this DPA shall be resolved in accordance with the dispute resolution provisions of the Terms of Service.
13. CONTACT INFORMATION
For any questions or concerns regarding this DPA or data protection matters, please contact us at: dpa@nexconn.ai.
ANNEX A: LIST OF SUBPROCESSORS
Infrastructure Subprocessors
| Subprocessor | Location | Service |
| Amazon Web Services | Singapore / USA / Saudi Arabia | Cloud Infrastructure |
| Alibaba Cloud | China | Account Data Storage |
| Subprocessor | Location | Service |
| OpenAI | United States | LLM API Services |
| Anthropic | United States | AI Model Services |
| Google Cloud AI | United States | AI/ML Services |
| Subprocessor | Location | Service |
| Stripe | United States | Payment Processing |
Nexconn may update this list from time to time. The Customer will be notified of any changes in accordance with Section 3.3.