Data Processing Agreement (DPA)
Last updated: April 2026
1. Preamble
This Data Processing Agreement ("DPA") is concluded between the client ("Controller") and NextChapter (sole proprietorship), owner Maureen Njeri-Duennebacke, New York Str. 22, 35510 Butzbach, Germany ("Processor" or "NextChapter").
This DPA supplements the Terms & Conditions and governs the data-protection obligations of the parties in connection with the processing of personal data by the Processor on behalf of the Controller in accordance with Art. 28 GDPR.
This DPA applies where the Controller uses NextChapter's services to have personal data of third parties (e.g. candidates of a partner organisation) processed on the Controller's behalf. Where an individual client uses our service for their own immigration case, NextChapter is the Controller in its own right, and this DPA does not apply.
2. Definitions
The terms used in this DPA have the meaning assigned to them in the General Data Protection Regulation (GDPR). In particular, the following definitions apply:
- Personal data: any information relating to an identified or identifiable natural person (Art. 4 (1) GDPR).
- Processing: any operation performed on personal data, such as collection, storage, modification, transmission, or deletion (Art. 4 (2) GDPR).
- Controller: the natural or legal person who, alone or jointly with others, determines the purposes and means of processing (Art. 4 (7) GDPR).
- Processor: the natural or legal person who processes personal data on behalf of the Controller (Art. 4 (8) GDPR).
- Data subject: the identified or identifiable natural person whose data is processed.
3. Subject and duration of processing
Subject
The subject of this DPA is the processing of personal data by the Processor in the context of providing the agreed services, in particular:
- AI-assisted pathway assessments for candidates
- Document review and preparation (CVs, passports, certificates)
- Storage and management of case and profile data
- Provision of the NextChapter portal
- Communication on behalf of the Controller (emails, notifications)
Duration
Processing begins with the use of the services and ends with the termination of the contractual relationship or the complete deletion of all personal data in accordance with section 11 of this DPA.
4. Nature and purpose of processing
Types of data
The following categories of personal data may be processed:
- Contact data (name, email, phone)
- Identification data (passport details, date of birth, nationality)
- Professional data (CV, work history, certifications, education)
- Family data (spouse, children where relevant to the application)
- Financial data (limited to what is required for payment processing)
- Usage data (login times, IP addresses)
- Any other personal data contained in uploaded documents
Categories of data subjects
Data subjects may be:
- Candidates or clients of the Controller
- Family members of the candidates
- Referees and other individuals mentioned in submitted documents
Purpose of processing
Processing takes place exclusively for the provision of the contractually agreed services, in particular for automated pathway assessment, document review, case management, and related communication.
5. Duties of the processor
The Processor undertakes:
- to process personal data only on the Controller's documented instructions, unless processing is required under Union or Member State law;
- to ensure that persons authorised to process the data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- to implement all technical and organisational measures required under Art. 32 GDPR (see section 8);
- to engage sub-processors only under the conditions set out in section 6;
- to support the Controller in complying with its obligations under Arts. 32–36 GDPR;
- to delete or return all personal data after the end of processing (see section 11);
- to make available to the Controller all information necessary to demonstrate compliance with the obligations under Art. 28 GDPR.
6. Sub-processors
The Controller grants the Processor a general authorisation to engage sub-processors. The Processor will inform the Controller of any intended changes concerning the addition or replacement of sub-processors. The Controller may object to such changes.
The Processor shall ensure that the same data-protection obligations as set out in this DPA are imposed on each sub-processor.
Current sub-processors
The current list of sub-processors includes:
- Supabase, Inc. (Singapore) — database, authentication, file storage
- Stripe Payments Europe, Ltd. (Ireland) — payment processing
- Sinch Email (Mailgun) (USA) — email delivery
- Anthropic PBC (USA) — Claude AI for assessments and document analysis
- Google Ireland Limited (Ireland) — calendar, fonts, and related services
The Processor will notify the Controller of changes to this list by email to the address on file, at least 14 days before the changes take effect.
7. Rights of data subjects
The Processor supports the Controller in fulfilling its obligations to respond to data subjects' requests to exercise their rights under Chapter III GDPR, in particular:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
If a data subject contacts the Processor directly, the Processor will forward the request to the Controller without undue delay.
8. Technical and organisational measures
The Processor implements the following technical and organisational measures pursuant to Art. 32 GDPR:
Confidentiality
- Physical access control: data is stored in the data centres of the hosting providers, which restrict physical access to their server locations
- System access control: authentication via email/password, with optional two-factor authentication
- Data access control: role-based permissions; row-level security in the database
- Separation control: logical separation of client data by row-level security
Integrity
- Transfer control: encrypted data transmission (TLS 1.2 or higher)
- Input control: logging of data changes in the database
Availability and resilience
- Availability control: regular backups; redundant systems at the hosting providers
- Recoverability: documented recovery procedures
Procedures for regular review
- Data-protection management: regular review of measures
- Incident-response management: documented procedure for security incidents
9. Notification of personal data breaches
The Processor notifies the Controller without undue delay after becoming aware of a personal data breach. The notification contains at least:
- a description of the nature of the breach;
- the categories and approximate number of data subjects and records concerned;
- the likely consequences of the breach;
- the measures taken or proposed to remedy the breach.
The Processor supports the Controller in fulfilling its notification obligations under Arts. 33 and 34 GDPR.
10. Audit rights
The Controller has the right to verify the Processor's compliance with this DPA. The Processor provides the Controller with all information necessary to demonstrate compliance with the obligations under Art. 28 GDPR.
Audits and inspections by the Controller or an auditor appointed by it take place after prior notice and with reasonable consideration of the Processor's business secrets.
The Processor may alternatively provide the Controller with current certifications, reports, or excerpts of reports from independent bodies.
11. Termination and data return
At the end of the main contract, the Processor shall, at the Controller's option:
- return all personal data to the Controller (where technically feasible); or
- delete all personal data and confirm deletion in writing.
Deletion takes place within 30 days of termination of the contractual relationship, unless statutory retention obligations apply.
The Controller can download its data at any time via the export function in the account.
12. Liability
The liability of the parties is governed by the provisions of the GDPR, in particular Art. 82 GDPR, and by the general contractual arrangements.
Where the Processor is responsible for damage caused by processing in breach of the GDPR or the Controller's instructions, it is liable to the Controller for the damage arising.
13. Final provisions
Amendments: Changes to this DPA must be made in text form. NextChapter reserves the right to adapt this DPA if legal requirements change. Material changes will be communicated to the Controller.
Order of precedence: In the event of conflicts between this DPA and other contractual arrangements, this DPA prevails to the extent that the protection of personal data is concerned.
Applicable law: The law of the Federal Republic of Germany applies, excluding the UN Convention on Contracts for the International Sale of Goods.
Jurisdiction: Exclusive place of jurisdiction, where legally permissible, is the registered office of the Processor.
Severability: Should individual provisions of this DPA be or become invalid, the validity of the remaining provisions remains unaffected.
For questions regarding this DPA please contact: maureen@next-chapter.net