Data Processing Agreement (DPA)

This DPA forms part of your agreement with Nest2App and governs the processing of personal data.

Last updated: 8/31/2025


1. Purpose

This DPA forms part of the agreement between Nest2App (“Processor”) and your organization (“Controller”) to support compliance with GDPR, CCPA, and other applicable laws.

2. Roles

  • Your organization is the Data Controller.
  • Nest2App is the Data Processor.

3. Scope of Processing

Processor will process personal data only to deliver Nest2App services, including authentication, training compliance, hazard reporting, and administrative insights.

4. Sub-processors

Processor may engage sub-processors (e.g., hosting/email providers) under written agreements with equivalent protections. A current list is available upon request.

5. Security Measures

Processor implements technical and organizational measures such as encryption in transit and at rest, access controls, audit logging, and incident response procedures, aligned with SOC 2 and ISO 27001.

6. International Transfers

Transfers outside regulated jurisdictions use lawful safeguards, such as Standard Contractual Clauses (SCCs).

7. Data Subject Rights

Processor assists Controller in fulfilling requests for access, correction, deletion, and portability of personal data.

8. Breach Notification

Processor will notify Controller without undue delay of any personal data breach, including details and mitigation steps.

9. Term & Termination

This DPA remains in effect while Processor processes personal data for the Controller. Upon termination, Processor will delete or return personal data as directed.