Skip to content

Data Protection and Security Policy

This sets out i-nexus’ Data Protection and Security Policy.

Last updated: 15/07/2025

1. Introduction

i-nexus is committed to preserving the confidentiality, integrity, and availability of all information it processes in connection with the provision of its services. This Combined Policy (“Policy”) describes:

  • The principles and technical measures i-nexus applies to protect personal data and confidential information;
  • The rights and obligations of Customers as Controllers and i-nexus as Processor under applicable Data Protection Laws, including the UK GDPR and EU GDPR;
  • The contractual commitments governing the Processing of Customer Data (Subscriber Personal Data) under applicable Agreements between i-nexus and the Customer.

This Policy forms part of and is incorporated into any Agreement under which i-nexus provides its services. Where there is any conflict between this Policy and other i-nexus terms (including any Framework Subscription Agreement, Terms and Conditions, or Supplementary Terms), this Policy shall prevail to the extent necessary to comply with Data Protection Laws.

If you have any questions, please contact our Data Officer at dataofficer@i-nexus.com.

2. Definitions

The definitions below apply throughout this Policy. Terms not defined here shall have the meaning set out in Data Protection Laws or applicable Agreements.

“Confidential Information”means all confidential information disclosed by the Customer to i-nexus whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information (including Personal Data);
“Customer Data” or “Data”means all electronic data or information submitted by or on behalf of the Customer including data submitted through an API and, where the context so admits, the content and or form/appearance of any document templates created by Customer in the course of using the Services;
“Data Controller”means the entity which determines the purposes and means of the Processing of Personal Data;
“Data Processor”means the entity which Processes Personal Data on behalf of the Controller;
“Data Protection Laws and Regulations”means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states and the United Kingdom, applicable to the Processing of Personal Data as part of the Services;
“Data Subject”means the identified or identifiable person to whom Personal Data relates;
“GDPR”means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
“Personal Data”means any information relating to an identified or identifiable natural person where such data is Customer Data. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Processing”means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Services”means: (i) access to the relevant i-nexus solutions provided via Customer’s login link at the i-nexus website or another designated web site or IP address; and/or (ii) ancillary online or offline products and services provided or licensed to Customer by i-nexus.

3. Roles and Responsibilities

The Customer is the Controller and responsible for determining the legal basis and purposes for Processing Subscriber Personal Data.

i-nexus is the Processor and Processes Subscriber Personal Data only in accordance with documented instructions from the Customer and as necessary to comply with law.

i-nexus also acts as a Controller in respect of Processing described in its Privacy Policy and Cookie Policy (e.g., account management, billing, compliance).

4. Data Protection Principles

i-nexus applies the following principles to Processing:

  • Personal Data is Processed lawfully, fairly, and transparently.
  • Personal Data is collected for specified, explicit purposes and not further Processed incompatibly.
  • Personal Data is adequate, relevant, and limited to what is necessary.
  • Personal Data is accurate and kept up to date.
  • Personal Data is kept for no longer than necessary.
  • Personal Data is Processed securely using appropriate technical and organizational measures.

5. Nature and Purpose of Processing

Subject Matter:
Provision and administration of the Services.

Nature:
Collection, organization, retrieval, storage, and deletion of Personal Data.

Duration:
For the duration of the Agreement and any retention periods required by law.

Purposes:

  • Provision and administration of the Services.
  • Compliance with legal obligations.
  • Security, support, and Service improvement.

6. Categories of Data Subjects

  • Customer’s authorized users.
  • Customer’s employees or representatives.

7. Categories of Personal Data

  • Full name
  • Job title
  • Email address
  • (Other categories only if explicitly agreed in writing)

Special Categories of Personal Data:
The Customer shall not upload or Process any special category or Article 10 data without prior written agreement.

8. Security Controls

i-nexus implements the following measures:

  • User Authentication: Unique credentials, enforced password complexity, optional SSO.
  • Data Segregation: Logical separation of Customer Data via tenant IDs.
  • Encryption: TLS encryption in transit and encrypted backups.
  • Access Controls: Role-based access and logging of user activities.
  • Intrusion Detection: Network monitoring and alerting.
  • Physical Security: Secure data centres with biometric access.
  • Incident Management: Breach notification to Customer without undue delay.
  • Disaster Recovery: RTO of 132 hours, RPO of 72 hours.
  • Virus Protection: Malware controls across infrastructure.

9. Sub-Processors

Authorized Sub-Processors:

  • AWS:
    i-nexus operates its Services from AWS. Data stored in AWS is held within i-nexus’ AWS subscriptions across multiple geographic regions (limited to the EEA where the Customer entity and i-nexus entity are based inside the EEA). More information: https://aws.amazon.com/compliance/
  • HubSpot:
    i-nexus uses HubSpot for marketing automation, sales CRM, customer success, support, and analytics. HubSpot has the necessary provisions in place to be compliant with GDPR requirements and other data protection regulations. More information: https://legal.hubspot.com/dpa
  • emlen:
    For the presentation, collection and exchange of content in a digital dealroom, i-nexus uses the application emlen, of emlen GmbH, Dudweilerstraße 71, 66111 Saarbrücken. emlen GmbH processes your personal data on i-nexus’ behalf in accordance with Art. 28 GDPR. More information: https://www.emlen.io/legal/privacy-policy

i-nexus may engage additional Sub-Processors from time to time to support the delivery of the Services. i-nexus will provide advance notice of any intended changes to Sub-Processors by posting updates to the Sub-Processor list on its website or by other reasonable means.

By continuing to use the Services after such notice is provided, the Customer is deemed to have accepted and consented to the engagement of such Sub-Processors.

10. International Data Transfers

i-nexus shall not transfer Subscriber Personal Data outside the UK or EEA unless:

  • The transfer is to a country with an adequacy decision;
  • Appropriate safeguards are in place (e.g., Standard Contractual Clauses);
  • The Customer consents or such transfer is required by law.

11. Data Subject Rights and Assistance

i-nexus shall, at Customer’s cost where permitted, assist with:

  • Responding to Data Subject requests.
  • Security impact assessments.
  • Cooperation with data protection authorities.

i-nexus shall not respond directly to Data Subjects unless required by law.

12. Audit Rights

Customer may audit i-nexus’ compliance once per year:

  • On 1 month’s written notice.
  • During normal business hours.
  • At Customer’s cost.
  • Subject to i-nexus’ right to object to proposed auditors and to confidentiality requirements.

13. Return and Deletion of Data

  • During the contract term, Customers may export their data.
  • After termination:
    • Customer may request return of data within 30 days.
    • After that, data is retained up to 90 days in inactive status, then securely deleted unless retention is required by law.

14. Liability

i-nexus shall not be liable for:

  • Inaccuracies in data provided by the Customer.
  • Customer’s non-compliant instructions.
  • Any processing carried out in compliance with documented Customer instructions.

Any liability under GDPR Article 82 is limited to i-nexus’ part in causing the damage.

15. Confidential Information

i-nexus shall:

  • Not use Confidential Information except to provide the Services.
  • Not disclose Confidential Information to third parties except authorized Sub-Processors.
  • Apply technical and organizational measures as described in this Policy.

16. Customer Responsibilities

The Customer shall:

  • Ensure all instructions are compliant with Data Protection Laws.
  • Not upload special categories of data without prior agreement.
  • Immediately notify i-nexus if processing descriptions are inaccurate.

17. Amendments

i-nexus may amend this Policy:

  • To comply with legal requirements.
  • To reflect changes in practices.

Notice will be provided via website publication or direct communication.

Continued use of the Services constitutes acceptance.

18. Contact

Data Officer:
dataofficer@i-nexus.com

19. Complaints

Data Subjects may lodge complaints with the UK Information Commissioner’s Office (ICO) or their local supervisory authority.