Data Processing Agreement

Nexus Systems LLC Effective: March 25, 2026 Version 2.0
This DPA is incorporated into and forms part of the NEXUS Platform Terms of Service. By creating an Organization account and accepting the Terms of Service, the Controller accepts the terms of this DPA. No separate signature is required. For enterprise customers requiring a separately executed DPA, please contact admin@platform.nexus.
Data Processor

NEXUS Systems LLC

David Karasinski, Sole Member

7578 Newbury Circle N, Washington Township, MI 48094

Table of Contents
  1. Definitions
  2. Scope and Purpose of Processing
  3. Processor Obligations
  4. Controller Obligations
  5. Sub-Processors
  6. Data Security Measures
  7. Data Breach Notification
  8. Data Subject Rights
  9. Data Transfers
  10. Audits and Inspections
  11. Term and Termination
  12. Liability
  13. Governing Law and Regulatory Compliance
  14. General Provisions
  15. Acceptance
  16. Annex I — Description of Processing
  17. Annex II — Technical and Organizational Security Measures
  18. Annex III — List of Sub-Processors

This Data Processing Agreement (“DPA”) is entered into as of the Effective Date by and between:

Data Controller

The Organization subscribing to the NEXUS Platform and accepting the Terms of Service (the “Controller” or “Customer”)

Data Processor

NEXUS Systems LLC

7578 Newbury Circle N, Washington Township, MI 48094 (the “Processor” or “NEXUS”)

This DPA is incorporated into and forms part of the Terms of Service (“Agreement” or “ToS”). In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.

1. Definitions

1.1. “Applicable Data Protection Law” means all laws applicable to the processing of Personal Data, including the GLBA, FTC Safeguards Rule, CCPA/CPRA, VCDPA, GDPR (to the extent applicable), and all other applicable privacy statutes.

1.2. “Authorized User” means any individual granted access to the Platform by the Controller.

1.3. “Controller” means the entity that determines the purposes and means of processing Personal Data.

1.4. “Customer Data” means all data, including Personal Data, provided to the Platform by or on behalf of the Controller.

1.5. “Data Subject” means an identified or identifiable natural person, including mortgage loan applicants, borrowers, co-borrowers, referral partners, and any other individuals whose Personal Data is processed through the Platform.

1.6. “Data Subject Request” means a request to exercise rights under Applicable Data Protection Law (access, correction, deletion, restriction, portability, objection).

1.7. “Nonpublic Personal Information” or “NPI” has the meaning ascribed under the Gramm-Leach-Bliley Act (15 U.S.C. § 6809(4)).

1.8. “Personal Data” means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller, including NPI.

1.9. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

1.10. “Processing” means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, encryption, decryption, masking, export, and analytics.

1.11. “Processor” means NEXUS Systems LLC.

1.12. “Sensitive Personal Data” means SSNs, DOBs, credit scores, financial account information, and any data classified as “Restricted” or “High Sensitivity.”

1.13. “Sub-Processor” means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.

1.14. “Supervisory Authority” means any governmental or regulatory body with jurisdiction, including the FTC, CFPB, and state attorneys general.

2. Scope and Purpose of Processing

2.1. Purpose Limitation

The Processor shall Process Customer Data solely for providing the NEXUS Platform services and solely in accordance with the Controller’s documented instructions. The Processor shall not Process Personal Data for any other purpose unless required by law or authorized in writing by the Controller.

2.2. Categories of Data Subjects

  1. Mortgage loan applicants;
  2. Borrowers;
  3. Co-borrowers;
  4. Referral partners; and
  5. Other individuals whose Personal Data is entered into the Platform.

2.3. Categories of Personal Data Processed

2.3.1. High-Sensitivity Personal Data (Restricted)

Data ElementProtection Applied
Social Security Number (SSN)AES-256-GCM encryption at rest; masked by default; audit-logged on access
Date of Birth (DOB)AES-256-GCM encryption at rest; audit-logged on access
Credit scores and credit dataAccess-controlled; organization-level isolation

2.3.2. Standard PII (Confidential)

Names, addresses, contact information, demographic data, and professional identifiers (NMLS numbers).

2.3.3. Financial Data (Confidential)

Loan information, income and employment data, assets and liabilities, commission data, and IRRRL flags.

2.3.4. Application Data

MISMO 3.4 loan application fields, application status and workflow data, campaign and marketing data, and follow-up and relationship data.

2.4. Processing Activities

  1. Storage — Secure storage in encrypted PostgreSQL databases on SOC 2 compliant US infrastructure;
  2. Retrieval — Authenticated, access-controlled retrieval with sensitive data masked by default;
  3. Display — Presentation through the Platform UI with RBAC and org-level isolation;
  4. Calculation — Commission calculations, pipeline analytics, DTI ratios, and financial projections;
  5. Export — Data export in MISMO 3.4 XML, CSV, and JSON formats;
  6. Campaign automation — Scheduled and event-triggered email communications;
  7. Analytics — Aggregated production reports, trend analysis, and performance metrics;
  8. Client management — Follow-up tracking and engagement workflows;
  9. AI-assisted features — Targeting recommendations using non-sensitive data only (SSNs, DOBs, financial account numbers are never transmitted to AI providers); and
  10. Backup and disaster recovery — Automated encrypted backups with defined retention.

2.5. Processing shall continue for the duration of the Agreement plus any post-termination retention period.

3. Processor Obligations

3.1. Processing on Instructions

The Processor shall Process Personal Data only on documented instructions from the Controller. The Processor shall immediately inform the Controller if an instruction infringes Applicable Data Protection Law.

3.2. Confidentiality

All persons authorized to Process Personal Data are under appropriate confidentiality obligations. Access is limited to personnel who require it, with appropriate training.

3.3. Security

The Processor implements comprehensive security measures as described in Annex II, including:

  1. AES-256-GCM encryption for Sensitive Personal Data with per-value random IVs;
  2. TLS 1.2+ on all connections;
  3. TOTP-based two-factor authentication;
  4. JWT-based authentication with live database validation;
  5. Organization-level data isolation at the database query level;
  6. Complete audit logging with seven-year retention;
  7. SSN masking by default with audit-logged reveal;
  8. Rate limiting on all sensitive endpoints;
  9. DOMPurify input sanitization;
  10. Helmet.js security headers;
  11. Sentry error monitoring (no PII transmitted);
  12. Watchdog automated health monitoring (30-second intervals); and
  13. CI/CD pipeline security with dependency auditing.

3.4. Assistance with Data Subject Rights

The Processor shall assist the Controller in fulfilling Data Subject Requests through appropriate technical and organizational measures.

3.5. Assistance with Impact Assessments

The Processor shall provide reasonable assistance with data protection impact assessments and consultations with Supervisory Authorities.

3.6–3.8.

The Processor shall assist with breach notification, provide data return/deletion upon termination, and make available information to demonstrate compliance including support for audits.

4. Controller Obligations

4.1. The Controller warrants it has a lawful basis for collection and processing, and is responsible for obtaining consents and providing privacy notices.

4.2. The Controller shall ensure instructions comply with Applicable Data Protection Law.

4.3. The Controller is responsible for managing Authorized User access, including prompt deactivation of departed personnel.

4.4. The Controller is responsible for the accuracy, quality, and legality of all Customer Data.

5. Sub-Processors

5.1. The Controller provides general written authorization for the Processor to engage Sub-Processors. The current list is in Annex III.

5.2. The Processor enters into written agreements with each Sub-Processor imposing obligations no less protective than this DPA, and remains fully liable for Sub-Processor performance.

5.3. The Processor provides at least thirty (30) days’ notice before engaging new Sub-Processors.

5.4. The Controller may object within fifteen (15) days. If the Parties cannot resolve the objection within thirty (30) days, either Party may terminate without penalty to the Controller.

6. Data Security Measures

The Processor implements and maintains comprehensive measures as detailed in Annex II, appropriate to the nature, scope, context, and purposes of Processing and the risk to Data Subjects. Security is regularly reviewed, never materially decreased during the Agreement, and full documentation is available upon request.

7. Data Breach Notification

7.1. The Processor shall notify the Controller within seventy-two (72) hours of becoming aware of a Personal Data Breach.

7.2. Notification includes: nature of the breach, categories and approximate number of affected Data Subjects and records, contact details, likely consequences, and measures taken or proposed.

7.3. The Processor shall cooperate with investigation, mitigation, and remediation, and assist with regulatory notifications.

7.4. Incident Response Capabilities:

  1. Detection — Watchdog (30-second health checks) and Sentry (error tracking);
  2. Containment — Immediate session revocation, key rotation, endpoint disabling;
  3. Assessment — Audit log queries to determine scope;
  4. Remediation — Key rotation, re-encryption, vulnerability patching; and
  5. Documentation — Incident recording with root cause analysis.

7.5. A breach log is maintained and available to the Controller upon request.

8. Data Subject Rights

The Processor provides mechanisms for:

  1. Right of Access — Data export in MISMO 3.4 XML, CSV, and JSON;
  2. Right to Rectification/Correction — Data correction through the Platform UI;
  3. Right to Erasure/Deletion — Account and data deletion functionality;
  4. Right to Data Portability — Structured, machine-readable export formats; and
  5. Right to Restriction — Record-level access restriction upon Controller instruction.

Response within thirty (30) days or as required by law. Reasonable assistance at no additional charge.

9. Data Transfers

9.1. All Customer Data is stored and processed within the United States.

9.2. No international transfers without prior written consent. Cloudflare processes HTTP metadata at global edge locations for CDN/DDoS only.

9.3. If international transfer is authorized, appropriate safeguards (SCCs, BCRs, or equivalent) will be implemented.

10. Audits and Inspections

The Controller may conduct audits with thirty (30) days’ notice, during business hours, no more than once per year (unless a breach or regulatory inquiry necessitates additional audits). The Processor may offer third-party audit reports, security questionnaires, or compliance documentation as alternatives. Remediation plans will be developed for any identified non-compliance.

11. Term and Termination

11.1. This DPA is co-terminous with the Agreement.

11.2. Upon termination, the Controller has thirty (30) days to export data in MISMO 3.4 XML, CSV, or JSON format.

11.3. Customer Data is permanently deleted from production within sixty (60) days post-export period. Backups purged within ninety (90) days.

11.4. Data may be retained as required by law. Audit logs retained for seven (7) years.

11.5. Survival: Definitions, Confidentiality, Breach Notification (post-termination discoveries), Audits (one year), Term and Termination, Liability, and Governing Law survive.

12. Liability

12.1. Liability is subject to the limitations in the Agreement, except for fraud, intentional misconduct, gross negligence, breach of confidentiality, breach notification obligations, or any liability that cannot be limited by law.

12.2. Each Party indemnifies the other for breaches of this DPA, subject to the Agreement’s limitations.

13. Governing Law and Regulatory Compliance

13.1. Governed by Michigan law. Disputes in Macomb County, Michigan courts.

13.2. The Processor implements a comprehensive information security program satisfying the GLBA Safeguards Rule, including administrative, technical, and physical safeguards.

13.3. Compliance with the FTC’s Revised Safeguards Rule (effective June 9, 2023): encryption in transit and at rest, access controls, monitoring and logging, and regular security testing.

13.4. Compliance with applicable state privacy laws (CCPA/CPRA, VCDPA, NYDFS 23 NYCRR 500) and GDPR-compatible structure.

14. General Provisions

14.1. Entire Agreement. This DPA, together with the Agreement and annexes, constitutes the entire agreement regarding Processing.

14.2. Amendments. Amendments require written agreement, except Annex III updates per Section 5.

14.3. Severability. Invalid provisions are modified to the minimum extent necessary.

14.4. Order of Precedence. This DPA prevails over the Agreement for Personal Data matters. The body prevails over annexes.

14.5. Notices. Written notices to designated addresses; breach notices may be via email.

14.6. No Third-Party Beneficiaries. Except Data Subjects to the extent provided by law.

14.7. Waiver. Failure to enforce does not constitute waiver.

14.8. Counterparts. Electronic signatures are valid and binding.

15. Acceptance

By creating an Organization account and accepting the Terms of Service, the Controller accepts the terms of this DPA. Electronic acceptance has the same legal effect as a physical signature.

Annex I — Description of Processing

A. List of Parties

Controller (Data Exporter)

The subscribing Organization, as provided during account registration.

Processor (Data Importer)

NEXUS Systems LLC
7578 Newbury Circle N, Washington Township, MI 48094
Contact: David Karasinski, Sole Member
Email: admin@platform.nexus

B. Description of Processing

ElementDescription
Subject matterProcessing of Personal Data for the provision of the NEXUS Platform SaaS mortgage LOS
DurationDuration of the Agreement plus post-termination retention period
NatureStorage, retrieval, display, calculation, export, campaign automation, analytics, client management, AI-assisted targeting, and backup/disaster recovery
PurposeEnable the Controller to manage mortgage loan origination pipeline, client relationships, marketing campaigns, analytics, and compliance
Data SubjectsMortgage loan applicants, borrowers, co-borrowers, referral partners, and other individuals
Personal Data categoriesHigh-Sensitivity PII (SSN, DOB, credit scores), Standard PII, Financial Data, and Application Data per Section 2.3
Sensitive Personal DataSSNs (AES-256-GCM encrypted), DOBs (AES-256-GCM encrypted), Credit scores
FrequencyContinuous, as the Controller and Authorized Users use the Platform
RetentionActive account duration; 30-day export period post-termination; audit logs retained seven (7) years

C. Competent Supervisory Authority

Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB).

Annex II — Technical and Organizational Security Measures

1. Encryption

MeasureImplementation
Encryption at Rest (High-Sensitivity PII)AES-256-GCM (FIPS 197, NIST SP 800-38D) with 256-bit key, per-value random 128-bit IV, 128-bit authentication tag. Applied to SSN and DOB fields.
Encryption at Rest (General)Railway platform-level encryption for all database storage
Encryption in TransitTLS 1.2+ / HTTPS on all connections: web traffic, database, and external APIs
Password Storagebcrypt with 12 salt rounds; plaintext never stored; timing-safe comparison
Session Token StorageSHA-256 hashing of JWT tokens before database persistence

2. Access Controls

MeasureImplementation
AuthenticationJWT (HS256) with 24-hour expiration, per-request live database validation
Multi-Factor AuthenticationTOTP-based 2FA available for all users
RBACAdmin, Manager, Loan Officer roles with dedicated middleware enforcement
Multi-Tenancy IsolationAll queries scoped to org_id; cross-org access impossible for non-admin users
Session ManagementLive database check on every request; immediate revocation via revoked_at timestamp
Service AuthenticationDedicated CRON_SERVICE_TOKEN for automated tasks

3. Data Masking and Minimization

MeasureImplementation
SSN MaskingAll API responses and UI displays show ***-**-XXXX by default; full SSN via dedicated reveal endpoint only
SSN Reveal ControlsAuthenticated, rate-limited (10/hour/user), every reveal audit-logged
Data MinimizationOnly required fields collected; auto-save never overwrites encrypted values with masked placeholders

4. Audit Logging

MeasureImplementation
Audit ScopeAll access to encrypted PII logged to audit_log PostgreSQL table
Logged EventsAPI reads of applications with SSN/DOB, UI SSN reveals, application creation/updates with sensitive fields, MISMO XML exports with SSN
Log FieldsUUID, timestamp, org_id, user_id, action type, entity_type, entity_id, old_values, new_values, IP address, user_agent
RetentionSeven (7) years; not subject to automatic deletion; available for compliance audits

5. Network Security

MeasureImplementation
DDoS ProtectionCloudflare DDoS mitigation, CDN, and WAF
Security HeadersHelmet.js: CSP, HSTS (preload), X-Frame-Options, X-Content-Type-Options, Referrer-Policy
Rate LimitingLogin: 5/15min per IP; API: 100/min per user; SSN Reveal: 10/hour per user
Input SanitizationDOMPurify HTML/JS stripping on all request bodies; prevents stored XSS
Webhook VerificationStripe webhooks verified via HMAC signature

6. Infrastructure Security

MeasureImplementation
Cloud HostingRailway (SOC 2 compliant); US-based; automatic HTTPS with managed SSL
DatabasePostgreSQL 16 on Railway with SSL/TLS connections; encrypted at rest
Secrets ManagementAll keys in environment variables (Railway encrypted store); never in source code, logs, or disk
Source Code SecurityPrivate GitHub repository; .env files gitignored; CI dependency vulnerability auditing
Deployment SecurityGitHub Actions with syntax validation, dependency auditing, and health checks

7. Monitoring and Incident Detection

MeasureImplementation
Application Error MonitoringSentry — no PII transmitted; data scrubbing enabled
Platform Health MonitoringWatchdog — 30-second checks; auto-restart after 3 consecutive failures; push notifications
Automated BackupsEvery 6 hours; 20-backup rotation; encrypted storage; restore capability

8. Key Management

MeasureImplementation
Key Generation256-bit cryptographically random keys
Key StorageEnvironment variables only; loaded into memory at startup; never logged
Key SeparationSeparate keys for encryption, authentication, payment processing, webhook verification, service auth, and third-party integrations
Key RotationDocumented procedure: generate → re-encrypt → update env → verify → destroy old key
Key Compromise ResponseImmediate rotation, re-encryption of all PII, session invalidation, and incident documentation

9. Organizational Measures

MeasureImplementation
Personnel ConfidentialityAll personnel with access under confidentiality obligations
Access LimitationAccess limited to personnel who require it
Security CoordinatorDesignated per FTC Safeguards Rule
Incident Response PlanContainment → Assessment → Notification (72h) → Remediation → Documentation
Change ManagementAll changes tracked in version control with descriptive commit history

Annex III — List of Sub-Processors

Sub-ProcessorLocationProcessing ActivityData Processed
Railway, Inc.United StatesCloud infrastructure hostingAll Customer Data (stored on their infrastructure)
Cloudflare, Inc.US (global edge)CDN, DNS, SSL/TLS, DDoS protectionIP addresses, HTTP request metadata (routing only)
Sentry (Functional Software, Inc.)United StatesApplication error monitoringError stack traces, browser metadata — no PII
Google LLCUnited StatesCompany email (Google Workspace)Email communications with Users
FRED (Federal Reserve Bank of St. Louis)United StatesPublic economic data APINo user data transmitted — read-only public API
Stripe, Inc.United StatesPayment processingBilling name, email, subscription tier — no Consumer Data; PCI DSS Level 1
Anthropic, PBCUnited StatesAI-powered features via Claude APINon-sensitive data only (names, loan types, status). No SSNs, DOBs, or financial account numbers. Anthropic is contractually prohibited from training on or retaining API data.
Microsoft CorporationUnited StatesEmail send/read via Microsoft 365 OAuth2 (planned)Outbound email content, inbox reply detection. Scoped to individual user mailbox only. No Sensitive Personal Data.

The Controller is deemed to have authorized the above Sub-Processors by executing this DPA. Changes are subject to the notification and objection procedure in Section 5.