1. Definitions
For purposes of this Data Protection and Security Addendum (the "Addendum"), the following definitions shall apply.
1.1. "Agreement" means the written agreement between Nash and the Customer to provide the Nash Services.
1.2. "Customer" means the entity using the Services provided by Nash under an Agreement.
1.3. "Nash" shall refer to Nash Technologies Inc. or the relevant Nash Technologies Inc. entity or affiliate processing Personal Data for the Customer.
1.4. "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
1.5. "Data Controller" means the Customer, which determines the purposes and means of the Processing of Personal Data.
1.6. "Data Processor" means Nash, who Processes Personal Data on behalf of the Data Controller.
1.7. "Data Protection Laws" means, to the extent applicable, the data protection or privacy laws of any applicable country.
1.8. "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
1.9. "GDPR" means Regulation (EU) 2016/679. Any other terms not defined in this Addendum shall have the same meaning as in the GDPR and be construed accordingly.
1.10. "Personal Data" means personal data (as defined in the GDPR or other applicable Data Protection Law) that Customer transmits, or causes to be transmitted, to Nash ("Data Subject") for processing in connection with the Nash Services.
1.11. "Processing" means any operation or set of operations which is performed on Personal Data, whether or not by automated means.
1.12. "Services" means the Nash Services as defined in and provided under the Agreement.
1.13. "Subprocessor" means any person appointed by or on behalf of Nash to process Personal Data on behalf of the Customer in connection with the Nash Services.
2. Data Processor Obligations
2.1. Nash shall act solely as a Data Processor in respect of the Personal Data provided by the Customer and shall not have any independent rights to use, disclose, or otherwise process the Personal Data for any purpose other than as instructed by the Customer in writing or under the Agreement.
2.2. Nash shall ensure that its employees, agents, subcontractors, or any other persons acting under its authority who have access to Personal Data are subject to appropriate confidentiality obligations.
2.3. Nash shall implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. Such measures shall include, but not be limited to, data encryption, access controls, physical security measures, regular backups, and employee training.
2.4. Nash shall, at the Customer's request, provide the Customer with all reasonable assistance and information necessary to enable the Customer to comply with its obligations under applicable Data Protection Laws, including responding to requests from Data Subjects exercising their rights under such laws.
2.5. Nash shall, to the extent legally permissible, promptly notify the Customer in writing upon becoming aware of any request, inquiry, complaint, or claim relating to the Processing of Personal Data by Nash and shall cooperate with the Customer in relation to such matters.
3. Data Breach Notification and Cooperation
3.1. Nash shall notify the Customer without undue delay, and in any event within 48 hours, upon becoming aware of any Data Breach, providing the Customer with all relevant information to enable the Customer to comply with its obligations under applicable Data Protection Laws.
3.2. Nash shall cooperate with the Customer and provide best efforts in its assistance to Customer in relation to the investigation, mitigation and remediation of any Data Breach, including but not limited to notifying relevant regulatory authorities and affected Data Subjects, as required by applicable law.
3.3. Nash shall, at its own expense, promptly take all necessary steps to remediate any Data Breach and prevent its recurrence, including implementing any additional security measures recommended by the Customer or required by applicable law.
3.4. Neither Nash nor any subcontractor shall publicly disclose any information regarding any suspected security incident, incident or Data Breach without Customer's prior written consent, except that Nash and any relevant authorized subcontractor may disclose any suspected incident, incident or Data Breach to (i) its own employees, affected customers, advisors, agents, or contractors, or (ii) where and to the extent explicitly compelled to do so by applicable law, to applicable supervisory authorities and/or data subjects without Customer's prior written consent.
4. Compliance with Applicable Data Protection Laws
4.1. Nash shall comply with all applicable Data Protection Laws in relation to the Processing of Personal Data on behalf of the Customer. At a minimum, and without limiting the foregoing, Nash represents and warrants that it shall maintain all Personal Data in strict confidence (except to the extent that sharing of the Personal Data is consistent with or required by the processing that Customer has contracted with Nash to conduct), which is more than or equal to the degree of care and organizational security measures that meet or exceed applicable industry standards and that ensure a level of security appropriate to the particular risks associated with the type of Personal Data being processed.
4.2. Nash shall maintain records of its Processing activities in accordance with the Agreement and applicable Data Protection Laws and shall make such records available to the Customer upon reasonable request.
5. Subprocessing
5.1. Where Nash engages a Subprocessor who will access, store, or otherwise process Customer's Personal Data, Nash shall ensure that the Subprocessor is contractually bound by Data Protection Laws, including but not limited to confidentiality obligations, that are at least as protective as those set out in this Addendum.
5.2. Nash shall remain fully liable to the Customer for the performance of any Subprocessor in relation to the Processing of Personal Data.
5.3. A list of Nash's current authorized Subprocessors is available to the Customer upon request.
6. Data Transfers
6.1. Nash shall not transfer Personal Data outside of the country in which the Customer is located, or to any country that does not provide an adequate level of data protection as determined by the applicable Data Protection Laws, without the prior written consent of the Customer. Nash may transfer Personal Data processed under this Addendum outside the European Economic Area, the UK, or Switzerland as necessary to provide the Services. Customer acknowledges that Nash's primary processing operations take place in the United States, and that the transfer of Customer's Personal Data to the United States is necessary for the provision of the Services to Customer. If Nash transfers Personal Data protected under this Addendum to a jurisdiction for which the European Commission has not issued an adequacy decision, Nash will ensure that appropriate safeguards have been implemented for the transfer of Personal Data in accordance with applicable Data Protection Laws.
7. Return or Destruction of Personal Data
7.1. Upon the termination or expiry of the Agreement between the Customer and Nash and within thirty (30) business days of the Customer's written request, Nash shall, at the Customer's discretion, either return all Personal Data to the Customer or securely destroy all Personal Data and shall certify in writing to the Customer that it has done so.
7.2. Any copies, reproductions, or extracts of Personal Data made by Nash in the course of providing Services and required to be retained for legal purposes (such as tax, regulatory, or litigation hold) shall be subject to the same obligations as the original Personal Data under this Addendum for so long as retained by Nash.
8. Audit Rights
8.1. Nash shall maintain complete and accurate records in connection with Nash's performance under this Addendum and shall retain such records for a period of three (3) years after the termination or expiration of the Agreement between the Customer and Nash.
8.2. Customer shall have reasonable access during regular business hours upon reasonable notice to review and audit such records relevant to Nash's provision of Services and discharge of obligations under this Addendum.
8.3. Customer also reserves the right to actively test Nash's compliance with Customer's security requirements, including without limitation security configuration (e.g., server parameters, security settings and control environment) and network perimeter controls; provided that such tests are not unreasonably disruptive to Nash's business and not less than thirty (30) business days' notice is provided. Nash agrees, at its cost, to make reasonable changes requested by Customer to correct inadequacies discovered in such audits or tests.
9. Miscellaneous
9.1. Notices under this Addendum (including notifications of any Data Breach) will be delivered via the email supplied to Nash on Customer's account. The Customer is responsible for ensuring the account email remains current and valid.
Nash acknowledges and agrees that the Customer (whether it is acting as a controller or a processor on behalf of another controller) may disclose this Addendum to third parties (including other controllers, data subjects and regulators) for purposes of demonstrating compliance with applicable laws.
9.2. The Parties hereby acknowledge and agree that any regulatory fines or fees or technology remedies required to be undertaken by Nash arising from any Data Breach or any breach by Nash or any authorized representative of the terms of this Addendum are not and shall not be subject to any limitation of liability provision that applies to Nash under any Agreement.
9.3. Notwithstanding anything to the contrary contained herein, in the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the terms of this Addendum; (2) the Agreement.
© 2026 Nash Technologies, Inc. All rights reserved.
DPA execution
For a countersigned DPA, SOC 2 Type II report, or sub-processor list, email legal@nash.ai or your account team. The full set of Nash legal documents lives at /legal.