Privacy & Compliance

Built for global compliance. Designed for privacy by default. Audited and documented for enterprise requirements.

Our Principles

Optimal Nexus is built on privacy-first principles. We process personal data only when necessary, use strong safeguards, and give you full control over data handling.

Privacy by Design

Every system component is designed with data minimization, purpose limitation, and user rights at its core. We collect only what's needed, retain data only as long as required, and provide transparent controls for access and deletion.

Security & Encryption

All data in transit uses TLS 1.3+. Data at rest is encrypted using AES-256. Access is controlled via role-based permissions with audit logging for all operations.

Transparency & Accountability

We maintain detailed records of processing activities, conduct regular audits, and provide clear documentation of our data handling practices. Our DPO is available for any questions or concerns.

Technical & Organizational Controls

We implement comprehensive controls aligned with GDPR, SOC 2, and ISO 27001 requirements.

GDPR Compliance

  • Lawful basis documented for all processing activities (legitimate interest, consent, contract)
  • Data subject rights workflow (access, rectification, erasure, portability, objection)
  • Privacy Impact Assessments (DPIA) for high-risk processing
  • Data breach notification procedures (72-hour authority notification)
  • International transfer safeguards (Standard Contractual Clauses, adequacy decisions)

Technical Safeguards

  • PII redaction and pseudonymization for non-essential contexts
  • Automated data retention and deletion policies
  • Role-based access control (RBAC) with principle of least privilege
  • Multi-factor authentication (MFA) for all admin access
  • Comprehensive audit logging with tamper-proof storage

Regional Compliance

  • CAN-SPAM (US): Opt-out mechanisms, sender identification, honor requests within 10 days
  • CASL (Canada): Express/implied consent tracking, identification requirements
  • PECR (UK): Electronic marketing consent, cookie compliance
  • CCPA/CPRA (California): Consumer rights, opt-out of sale, sensitive data handling
  • Privacy Act (Australia): APP compliance, notification requirements

Data Flow Architecture

Our systems are designed with data minimization and regional boundaries in mind. Below is a simplified representation of data flows:

Client System (CRM/MAP)
        ↓
[API Gateway - TLS 1.3]
        ↓
Regional Processing Node
        ↓ (minimal PII)
Signal Intelligence → Scoring → Routing
        ↓
[Data Store - Encrypted at Rest]
        ↓
Orchestration Engine
        ↓ (personalized, compliant delivery)
Output Channels (Email/LinkedIn/Ads)
        ↓
[Audit Log - Immutable]

Regional boundaries enforced:
- EU data processed in EU-WEST
- UK data processed in UK-SOUTH
- US data processed in US-EAST
- APAC data processed in APAC-SOUTHEAST

All cross-border transfers utilize Standard Contractual Clauses (SCCs) approved by the European Commission. Data subjects retain full rights regardless of processing location.

Regional Data Routing

We enforce geographic boundaries to ensure data residency compliance and minimize cross-border transfers.

Routing Rules

  • EU/EEA contacts: Processed exclusively in EU-WEST region (Ireland/Germany)
  • UK contacts: Processed in UK-SOUTH region with adequacy decision safeguards
  • US contacts: Processed in US-EAST region with state-specific controls (CCPA/CPRA)
  • Canadian contacts: Processed with CASL compliance, consent verification
  • APAC contacts: Processed in APAC-SOUTHEAST with regional safeguards

Automated Detection

Our system automatically detects contact region based on:

  • Account billing address and company registration
  • Contact email domain and IP geolocation (when available)
  • Explicit region flags set by your team
  • Fallback to most restrictive framework (EU/GDPR) when uncertain

Subprocessors & Third Parties

We use carefully vetted subprocessors for specific functions. All subprocessors sign Data Processing Agreements (DPAs) and are subject to regular audits.

Subprocessor              | Purpose                | Location                | Safeguards
AWS (Amazon Web Services) | Infrastructure hosting | EU, UK, US (regional)   | DPA, SCCs, ISO 27001, SOC 2
Cloudflare                | CDN, DDoS protection   | Global edge network     | DPA, SCCs, ISO 27001
SendGrid (Twilio)         | Email delivery         | US (with EU processing) | DPA, SCCs, SOC 2
Stripe                    | Payment processing     | US (PCI-DSS certified)  | DPA, SCCs, PCI-DSS Level 1
Datadog                   | Monitoring & logging   | EU, US (regional)       | DPA, SCCs, ISO 27001, SOC 2

Note: We notify customers at least 30 days before adding new subprocessors. You may object to new subprocessors within this period.

Contact Our Data Protection Officer

If you have questions about our data practices, want to exercise your data subject rights, or need to report a concern, please contact our DPO:

Email: dpo@optimalnexus.com

Response time: Within 72 hours for urgent requests, 5 business days for standard inquiries

For data subject access requests (DSAR), please include your full name, email address, and specific information you're requesting. We'll verify your identity before processing.
