Data Processing Agreement & DPIA
Every Nexus CMS deployment is governed by a Data Processing Agreement between Nexus Neurodevelopment Centre and the licensee. This page summarises the framework. The full DPA is provided as part of the licence pack.
1. Roles
For data processed inside a deployed instance of Nexus CMS, the licensee organisation is the data controller. Where Nexus Neurodevelopment Centre manages the underlying infrastructure (such as a managed VPS deployment), Nexus acts as a data processor under written instruction. For on-premise deployments where the licensee operates the hardware, Nexus acts only as a software supplier and not as a processor of clinical data.
2. Subject matter and duration
Processing covers personal data and special category (clinical) data about service users, their families, referrers and clinical staff, for the duration of the licence agreement. Termination triggers data return and secure deletion as set out in the full DPA.
3. Categories of data
- Identifying data (names, contact details, NHS numbers where applicable).
- Clinical data (assessments, session notes, support plans, progress records).
- Family and carer data linked to service users.
- Referrer credentials and audit metadata.
- Operational data (appointments, billing, audit logs).
4. Sub-processors
Nexus operates a deliberately short list of sub-processors. The list is published to licensees in advance of appointment, with reasonable opportunity to object. As a baseline:
- Hosting infrastructure — UK-based providers, used for managed-VPS deployments only; no hosting sub-processor is involved in on-premise deployments.
- Email delivery — used solely for transactional and notification email; no marketing.
- Payment processing — for parent-side payments through the parent portal where the licensee enables that feature.
5. International transfers
Production processing for managed-VPS deployments occurs within the United Kingdom. Where any sub-processor transfers data outside the UK, the relevant UK-approved safeguards (such as the UK International Data Transfer Agreement or UK Addendum to EU Standard Contractual Clauses) are applied.
6. Security measures
Nexus maintains technical and organisational measures appropriate to the risk of processing, including encryption in transit and at rest, multi-factor authentication, role-based access, audit logging, and a documented incident response process. Detailed measures are set out in the full DPA and Security Statement.
7. Data subject rights
Nexus CMS includes first-class workflows for handling data subject access requests, rectification, erasure, objection, and restriction. Where Nexus acts as processor, we assist the licensee in responding within statutory timeframes.
8. DPIA support
A DPIA template aligned to the platform is provided to licensees during onboarding, covering deployment-mode-specific risk considerations. Nexus assists in completing the licensee's DPIA as part of the onboarding programme.
9. Breach notification
Where Nexus becomes aware of a personal data breach affecting licensee data, we notify the licensee without undue delay and in any event in line with the timing committed in the DPA, providing all information needed to meet the licensee's regulatory obligations.
10. Contact
For DPA enquiries — including draft text reviews ahead of contracting — email info@nexusndc.co.uk with the subject line "DPA enquiry".