DATA PROCESSING AGREEMENT (DPA) NEXAXT WECO
Version: 1.0
Effective date: 11 May 2026
Canonical URL: https://weco.nexaxt.com/pages/dpa-en.html
PREAMBLE
This Data Processing Agreement ("DPA", "Agreement") is concluded between:
Controller (Client): the legal entity or natural person who has accepted the WECO Public Offer,
and
Processor (Licensor): NEXA IKS TI LLP (BIN 230940021527), 050013, Almaty, Seifullin Avenue 617,
to govern processing of the Controller's personal data passed to the Processor in connection with the WECO Service.
SCOPE
This DPA applies only to personal data the Client passes directly to the Licensor — for example: (a) personal data contained in support tickets (names, emails, descriptions of incidents that may mention natural persons); (b) data of the Client's representatives processed for billing and communication; (c) metadata of support usage.
It does not apply to Client Content or to End-User data of the public SPV sites — that data lives exclusively on the Client's infrastructure, to which the Licensor has no access.
This DPA supplements the Public Offer, EULA and Privacy Policy.
1. DEFINITIONS
1.1. Definitions of 94-V (RK Law on Personal Data) and GDPR (where applicable) apply.
1.2. Controller = the Client (equivalent to "Operator" in 94-V).
1.3. Processor = the Licensor.
1.4. Sub-processor = a third party engaged by the Processor to process personal data in the Controller's interest.
2. SUBJECT MATTER AND DURATION
2.1. The Processor processes the Controller's personal data to the extent necessary to deliver the Service (support, license issuance, billing).
2.2. Duration: for the term of the Agreement and until data are deleted or returned per Section 8.
3. CATEGORIES OF SUBJECTS AND DATA
3.1. Subjects: (a) the Controller's employees / representatives with admin access; (b) persons mentioned by the Controller in support tickets; (c) the Controller's finance / billing contacts.
3.2. Data categories: (a) identifiers (name, email, phone, role); (b) authentication metadata (logins — NOT passwords; passwords are bcrypt-hashed); (c) text of support tickets; (d) action metadata (timestamps, IP on admin login).
3.3. Special categories (race, political, health, biometrics) are not processed.
4. NATURE AND PURPOSE
4.1. Collection, recording, storage, use, transfer to sub-processors, deletion.
4.2. Purposes: (a) provision of technical support; (b) issuance, renewal, revocation of License JWT; (c) billing and payment; (d) notice of material Service changes; (e) security incident investigation; (f) compliance with applicable law.
5. CONTROLLER INSTRUCTIONS
5.1. The Processor processes personal data only on the Controller's documented instructions, except where required by applicable law (in which case the Processor notifies the Controller, unless prohibited).
5.2. Deemed instructions: (a) terms of this DPA; (b) terms of the Public Offer, EULA, Privacy Policy; (c) reasonable written instructions of the Controller sent to anton.orlov@nexaxt.com.
5.3. The Processor promptly notifies the Controller if, in its view, an instruction violates 94-V or other applicable law.
6. PROCESSOR DUTIES
6.1. The Processor: (a) processes data only on Controller instructions; (b) ensures confidentiality undertakings of all persons with data access (NDA / employment contract); (c) implements technical and organizational measures (Section 9); (d) engages sub-processors only per Section 7; (e) assists the Controller with subject rights (94-V Art. 24; GDPR Arts. 15-22); (f) assists with security of processing, breach notification, DPIAs; (g) returns or deletes data on termination (Section 8); (h) provides information needed to demonstrate compliance and allows audits per Section 10.
7. SUB-PROCESSORS
7.1. The Controller generally authorizes the Processor to engage the sub-processors listed at https://weco.nexaxt.com/pages/subprocessors-en.html.
7.2. Notice of new sub-processors. The Processor notifies the Controller by email at least 30 calendar days before activation. The notice states name, jurisdiction, purpose.
7.3. Right to object. Within 30 days the Controller may submit a reasoned objection to anton.orlov@nexaxt.com.
7.4. Effect of objection. The Parties discuss alternatives in good faith. If no agreement: (a) the Processor may proceed with the sub-processor; the Controller may then terminate the Agreement with pro-rata refund of unused fees; OR (b) the Processor refrains from engaging the sub-processor.
7.5. The Processor concludes contracts with each sub-processor imposing data-protection obligations equivalent to this DPA.
7.6. The Processor remains liable to the Controller for sub-processor acts and omissions.
8. RETURN AND DELETION
8.1. On termination, within 30 calendar days, at the Controller's option, the Processor: (a) returns all personal data in a structured machine-readable format; OR (b) deletes / destroys / anonymizes all personal data.
8.2. Exception: data subject to mandatory retention (accounting, AML KYC, click-wrap log) are kept for the minimum required term and then deleted.
8.3. On Controller request the Processor provides written confirmation of deletion.
9. SECURITY
9.1. Technical measures:
(a) AES-256-GCM encryption at rest for sensitive fields (SSH keys, API tokens) stored in Postgres, keyed from MASTER_SECRET, with key rotation tracked by MASTER_KEY_VERSION;
(b) bcrypt for admin passwords;
(c) TLS 1.2+ in transit;
(d) host-api bound to 127.0.0.1:3001 only (never 0.0.0.0);
(e) HS256-signed PDF-stream tokens, single-use, 60-second TTL;
(f) Append-only audit log;
(g) Regular encrypted backups.
9.2. Organizational measures: (a) RBAC — least privilege; (b) MFA for admin access; (c) NDAs with employees and contractors; (d) data-protection training; (e) incident response procedure; (f) clean Controller / Processor boundary (Privacy Policy Section 8).
9.3. Breach notification:
(a) The Processor notifies the Controller of a known breach of confidentiality, integrity or availability of personal data within 24 hours of detection;
(b) The notice contains:
- nature of the breach;
- categories and approximate number of subjects / records;
- likely consequences;
- measures taken / proposed;
- contact point;
(c) The Processor assists the Controller in notifying the RK supervisory authority and affected subjects.
10. AUDIT
10.1. The Controller has the right to audit the Processor's compliance with this DPA.
10.2. Audit conditions: (a) 30 days' written notice; (b) at most once a year (except for known breach / regulator investigation); (c) during business hours, with minimal disruption; (d) mandatory NDA between auditor and Processor; (e) the Controller bears costs, except where the audit reveals a material breach by the Processor — in which case costs shift to the Processor.
10.3. Alternatively, the Processor may provide existing third-party audit reports (e.g., SOC 2 / ISO 27001 if obtained later) — these constitute a satisfactory audit.
11. CROSS-BORDER TRANSFER
11.1. Transfers outside RK only with: (a) adequacy in the destination jurisdiction (94-V Art. 16); OR (b) subject consent (Art. 16(2)(2)); OR (c) Standard Contractual Clauses (Module 2 — controller-to-processor) of substance comparable to the EU SCCs of 4 June 2021.
11.2. The current sub-processors with jurisdictions are listed in the Subprocessors List.
12. SUBJECT RIGHTS
12.1. If a subject contacts the Processor directly, the Processor promptly forwards the request to the Controller and reasonably assists.
12.2. The Processor does not respond to a subject without the Controller's written instruction, unless applicable law expressly requires a response.
13. LIABILITY
13.1. Liability under this DPA is subject to the limits in the Public Offer (Section 12).
13.2. Each Party is responsible to subjects directly to the extent applicable law provides.
14. CONFLICT WITH OFFER
14.1. Where this DPA conflicts with the Public Offer / EULA, the DPA prevails on personal-data processing matters for data the Controller passes to the Processor.
15. ENTRY INTO FORCE
15.1. The DPA enters into force concurrently with the Client's acceptance of the Public Offer.
15.2. It is incorporated by default into the Agreement Documents for every Client passing personal data to the Processor.
ANNEX 1 — DESCRIPTION OF PROCESSING
(a) Subject categories: Section 3.1. (b) Data categories: Section 3.2. (c) Purposes: Section 4.2. (d) Duration: Section 2.2. (e) Recipients: Subprocessors List (Section 7.1).
ANNEX 2 — TECHNICAL AND ORGANIZATIONAL MEASURES
See Section 9.
End of DPA v1.0 of 11 May 2026.