Last updated: 4 May 2026
This Data Processing Agreement ("DPA") governs the processing of personal data that NEXON Systems Sp. z o.o. (referred to as NEXON, the Processor) processes on behalf of and at the instruction of the Customer in connection with the provision of the NEXON Vision service.
The DPA forms an integral part of the Terms of Service (the "Terms") and takes effect simultaneously with the Terms without the need for separate signature. Where NEXON and the Customer enter into a separate written agreement or a separately signed DPA, the terms of such separate document prevail over this DPA.
Terms used in this DPA have the meaning defined in the Terms. The terms "controller", "processor", "data subject", "processing", and "personal data" are used as defined in the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").
This DPA is intended to comply with the requirements of Article 28 of the GDPR.
The Controller of personal data is the Customer.
The Processor of personal data is NEXON (NEXON Systems Sp. z o.o., KRS: 0001225896).
1.2.1. This DPA applies to personal data uploaded, stored, processed, or broadcast by the Customer through the Service as the controller, as well as to personal data of data subjects to which NEXON may have access in the course of providing the Services.
1.2.2. This DPA does not apply to personal data that NEXON processes as an independent controller (in particular, data of Customer representatives for performance of the Terms, accounting, and technical support). Such processing is governed by the Privacy Policy.
2.1. Subject matter — personal data uploaded, stored, or processed by the Customer through NEXON Vision.
2.2. Purpose — provision of the Services to the Customer under the Terms, including storage, broadcasting, and management of Content.
2.3. Duration — the term of the Terms. After termination of the Terms, processing continues for an additional period of up to 90 calendar days under Section 7.4 of the Terms, unless data is deleted earlier at the Customer's request or in accordance with law.
2.4. Nature of processing includes: collection, recording, accumulation, storage, adaptation, alteration, retrieval, use, transmission, anonymisation, erasure; technical administration, backups, recovery, monitoring, security.
3.3.1. The Service is not intended for processing special categories of personal data under Article 9 GDPR — data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual life, biometric or genetic data.
3.3.2. The Customer must not upload such data to the Service unless separately agreed with NEXON in writing. In case of upload of such data without agreement, the Customer bears all liability.
4.1. NEXON processes personal data exclusively under the documented instructions of the Customer.
4.2. The act of accepting the Terms, as well as settings made by the Customer in the Service (creating Users, configuring playlists, activating integrations, activating audience counting modules), are documented instructions of the controller within the meaning of this DPA.
4.3. NEXON shall immediately notify the Customer if NEXON considers that the Customer's instruction infringes data protection law. NEXON may refuse to comply with such instruction.
4.4. NEXON does not use the Customer's personal data for its own purposes, does not sell it, and does not transfer it to third parties, except as provided in this DPA, the Terms, or applicable law.
NEXON undertakes to:
5.1. Process personal data exclusively for providing the Services and in accordance with the Customer's instructions.
5.2. Ensure the confidentiality of personal data. Employees, contractors, and representatives of NEXON with access to personal data are bound by confidentiality obligations under employment contracts, non-disclosure agreements, or other legally binding instruments.
5.3. Implement appropriate technical and organisational measures in accordance with Annex 1 to this DPA.
5.4. Assist the Customer in responding to requests from data subjects regarding the exercise of their rights, insofar as possible given the nature of processing. Assistance is provided in reasonable scope and within reasonable time.
5.5. Assist the Customer in fulfilling controller obligations regarding data security, breach notifications, and data protection impact assessments (DPIA) under Articles 32–36 GDPR, insofar as possible given the nature of processing and information available to NEXON.
5.6. Notify the Customer of any personal data breach as set out in Section 6 of this DPA.
5.7. After the end of the provision of Services, delete or return personal data to the Customer as set out in Section 8 of this DPA.
5.8. Provide the Customer with information necessary to demonstrate compliance with obligations under this DPA, as set out in Section 9.
6.1. In case of identifying a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, NEXON shall notify the Customer without undue delay and no later than 72 (seventy-two) hours after becoming aware of the breach.
6.2. The notification shall contain:
6.3. The Customer is independently responsible for fulfilling its controller obligations, including notification of the supervisory authority and data subjects under Articles 33 and 34 GDPR. NEXON provides reasonable assistance in preparing such notifications.
7.1.1. The Customer grants NEXON general written authorisation to engage subprocessors for the provision of the Services within the meaning of Article 28(2) GDPR.
7.1.2. NEXON ensures that subprocessors are bound by data protection obligations that are substantially equivalent to those of this DPA, through contracts or other legally binding instruments.
NEXON engages subprocessors in the following categories:
| Category | Place of processing |
|---|---|
| Hosting and server infrastructure | EU |
| Analytics and integrations with external services | EU / United States (with safeguards under Section 10) |
| Cookie consent management | EU |
| Payment services | EU |
| Email, SMS, and push notifications | EU / United States (with safeguards under Section 10) |
| Helpdesk and live-chat | EU / United States (with safeguards under Section 10) |
| Design tools (Customer-activated) | Per the relevant provider's policy |
7.2.1. The current list of specific subprocessors, with company names, purposes, exact places of processing, and legal mechanisms for data transfers, is published on the Subprocessor List page and updated upon changes.
7.2.2. The subprocessor list page is the source of truth regarding the current list. In case of discrepancies between this category table and the list on the subprocessor page, the list on the subprocessor page is authoritative.
7.3.1. NEXON may change the list of subprocessors. NEXON updates the list on the subprocessor page upon adding new subprocessors or replacing existing ones.
7.3.2. NEXON aims to notify Customers of material changes (in particular, addition of new subprocessors with access to significant volumes of personal data) through the Service or email.
7.3.3. Certain categories of Customers (such as retail chains) may agree with NEXON, in a separate written agreement, on an individual procedure for subprocessor notifications and on the right to reasonably object to specific subprocessors.
7.4.1. NEXON remains liable to the Customer for the performance of subprocessors' obligations regarding data protection as for its own actions, in accordance with Article 28(4) GDPR.
8.1. After termination of the Terms, NEXON deletes all of the Customer's personal data in accordance with Section 7.4 of the Terms (90 calendar days after the end of the paid period + up to 30 days of technical backup retention).
8.2. Until the end of this period, the Customer may export its data under Section 7.4 of the Terms.
8.3. NEXON is not obliged to retain personal data after the end of the specified period, except where further retention is required by law (in particular, for tax, accounting, or legal obligations).
9.1. Upon written request from the Customer, NEXON shall, within reasonable time, provide information and documentation necessary to demonstrate compliance with obligations under this DPA, in particular:
9.2. Requests are sent to [email protected].
9.3. NEXON is not obliged to provide information that constitutes commercial secrets, trade secrets, data of other clients, or that may compromise Service security.
9.4. Certain categories of Customers (such as retail chains and regulated clients) may agree with NEXON, in a separate written agreement, on extended audit terms, including the right to conduct on-site or documentary audits at their own expense with prior notice.
10.1. The primary place of processing of personal data is the European Union.
10.2. Certain subprocessors may process data outside the European Economic Area, including in the United States and Australia. In such cases, NEXON applies appropriate safeguards under Chapter V GDPR, including:
10.3. NEXON's development, technical support, monitoring, and Service administration team is located in the European Union (Poland). All Customer data is processed within the European Economic Area.
11.1. The general terms and limitations of liability under Section 10 of the Terms apply also to obligations under this DPA.
11.2. The limitations of NEXON's liability do not apply in cases provided in Section 10.3 of the Terms, including breach by NEXON of obligations regarding the protection of personal data under the GDPR.
12.1. This DPA takes effect simultaneously with the Terms and remains in force for the term of the Terms.
12.2. Obligations that by their nature must survive termination (in particular, confidentiality and return/deletion of data) remain in force after termination of the Terms.
12.3. NEXON may update this DPA under Section 14 of the Terms.
This DPA is published in English. NEXON may publish translations into other languages for convenience. In case of any discrepancy between the English version and any translation, the English version prevails.
NEXON applies technical and organisational measures to ensure an appropriate level of security for personal data under Article 32 GDPR, including:
NEXON regularly reviews and updates technical and organisational measures considering the state of the art, the nature of processing, and risks to data subjects.
Contact for data processing questions: [email protected]