DPA

Data Processing Agreement (DPA)

Effective Date: August 05, 2025

Parties:

- Controller: Customer using the NextDR.ai software

- Processor: Orkrestrate.ai LLC, a California limited liability company, operating under the brand name NextDR.ai.

1. Purpose and Scope

This Data Processing Agreement ("Agreement") governs the processing of personal data by NextDR.ai ("Processor") on behalf of the customer ("Controller") in connection with the use of NextDR.ai's on-premise software (the "Services"). This Agreement is an addendum to any agreement between the parties, including but not limited to licensing or support contracts.

2. Nature of Processing

The Processor only processes a minimal amount of personal data and aggregate operational metadata required to:
- Validate software license entitlements
- Provide support services
- Issue billing or renewal notices
- Monitor and enforce usage limits

All data collection occurs from software deployed in the Controller’s environment and is transmitted securely to the Processor’s licensing infrastructure.

3. Categories of Personal Data

The Processor may process the following personal data:
- Name
- Email address
- Phone number
- Company name
- Billing address

4. Categories of Operational Data

The Processor collects non-personal, aggregate metadata solely for the purpose of licensing validation and support eligibility. This metadata is collected securely from the deployed instance of the NextDR.ai software during periodic license checks.

Operational Metadata (for Licensing Only)

To enforce licensing limits and ensure proper usage of the NextDR.ai software, our on-premise platform securely collects and transmits aggregate infrastructure metadata. This metadata is collected from the environment in which the software is deployed (whether in a cloud or on-premises infrastructure) and includes only non-user-specific, non-sensitive data.

The operational metadata may include, but is not limited to:
- Number of cloud compute instances (e.g., virtual machines, physical servers)
- Number of managed databases
- Number of users, recovery plans, application groups, and features configured within the software
- Virtual Private Clouds (VPCs), subnets, and networking services
- Container clusters (e.g., Kubernetes workloads)
- Object and block storage resources
- Identity and access configurations (only usage counts, never credentials)
- Messaging and eventing systems (e.g., Pub/Sub, EventBridge equivalents)
- Monitoring, logging, and orchestration services

Important Notes:
- The information collected is strictly limited to aggregate counts.
- No configuration details, sensitive content, or customer workload data is collected.
- The data is not linked to any individual users.
- This metadata is used exclusively for license validation and customer support eligibility.
- The data is not shared with any third parties beyond what is necessary for licensing operations.

5. Duration of Processing

The Processor will process the data:
- For the duration of the license agreement
- Until the Controller deletes the data or the license expires
- As required by applicable law

6. Data Subject Rights

The Processor will assist the Controller, to the extent applicable, in:
- Responding to data subject access or deletion requests
- Demonstrating compliance with applicable data protection laws

7. Subprocessors

The Processor may use trusted subprocessors for CRM, licensing, and infrastructure support. All subprocessors are subject to obligations consistent with this DPA.

8. Security Measures

The Processor implements appropriate technical and organizational security measures, including:
- Data encryption in transit and at rest
- Access control and authentication policies
- Minimal data collection and secure storage
- Role-based access to personal data

9. Data Transfers

All personal data is stored and processed in the United States. Transfers outside the U.S. will comply with applicable legal safeguards.

10. Return or Deletion of Data

Upon termination or written request, the Processor will delete all personal data unless required to retain it by law.

11. Audit Rights

The Controller may request documentation to demonstrate compliance. Direct audits may occur with prior written notice if required by law.

12. Liability

Each party is responsible for its own compliance with applicable data protection laws. The Processor is not liable for the Controller’s non-compliance.

13. Governing Law

This Agreement is governed by the laws of the State of California, United States.

14. Contact Information

Processor Contact:
privacy@nextdr.ai

Contact information:

If you would like to contact us to understand more about this Policy or wish to contact us concerning any matter relating to individual rights and your Personal Information, you may send an email to privacy@nextdr.ai.