Data Protection and Security Addendum
For purposes of this Data Protection and Security Addendum (the “Addendum”), the following definitions shall apply.
1.1. “Customer” shall refer to the entity using the services provided by Vendor.
1.2. “Vendor” shall refer to Nash Technologies Inc. or the relevant Nash Technologies Inc. entity processing Personal Data for the Customer.
1.3. “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
1.4. “Data Controller” shall mean the Customer, which determines the purposes and means of the Processing of Personal Data.
1.5. “Data Processor” shall mean Vendor, who Processes Personal Data on behalf of the Data Controller. “Contracted Processor” means a Subprocessor.
1.6. “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.
1.7. “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
1.8. “GDPR” means EU General Data Protection Regulation 2016/679. Any other terms not defined in this Addendum shall have the same meaning as in the GDPR, and be construed accordingly.
1.9. “Personal Data” means personal data (as defined in the GDPR or other applicable Data Protection Law) that Developer transmits, or causes to be transmitted, to Vendor (“Data Subject”) for processing in connection with the Vendor services.
2.0. “Processing” means any operation or set of operations which is performed on Personal Data, whether or not by automated means.
2.1. “Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Company in connection with the Vendor services.
2.1. Vendor shall act solely as a Data Processor in respect of the Personal Data provided by the Customer and shall not have any independent rights to use, disclose, or otherwise process the Personal Data for any purpose other than as instructed by the Customer in writing.
2.2. The Vendor shall ensure that its employees, agents, subcontractors, or any other persons acting under its authority who have access to Personal Data are subject to appropriate confidentiality obligations.
2.3. The Vendor shall implement and maintain reasonable technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction or damage. Such measures shall include, but not be limited to, data encryption, access controls, physical security measures, regular backups, and employee training.
2.4. The Vendor shall, at the Customer’s request and expense, provide the Customer with all reasonable assistance and information necessary to enable the Customer to comply with its obligations under applicable Data Protection Laws, including responding to requests from Data Subjects exercising their rights under such laws.
2.5. The Vendor shall, to the extent legally permissible, promptly notify the Customer in writing upon becoming aware of any request, inquiry, complaint, or claim relating to the Processing of Personal Data by the Vendor and shall cooperate with the Customer in relation to such matters.
3.1. The Vendor shall notify the Customer without undue delay, and in any event within 48 hours, upon becoming aware of any Data Breach, providing the Customer with all relevant information to enable the Customer to comply with its obligations under applicable Data Protection Laws.
3.2. The Vendor shall cooperate with the Customer and provide best efforts in its assistance to Customer in relation to the investigation, mitigation and remediation of any Data Breach, including but not limited to notifying relevant regulatory authorities and affected Data Subjects, as required by applicable law.
3.3. The Vendor shall, at its own expense, promptly take all necessary steps to remediate any Data Breach and prevent its recurrence, including implementing any additional security measures recommended by the Customer or required by applicable law.
3.4. Neither Vendor nor any authorized subcontractor shall publicly disclose any information regarding any suspected security incident, incident or Data Breach without Customer’s prior written consent, except that Vendor and any relevant authorized subcontractor may disclose any suspected incident, incident or Data Breach to (i) its own employees, customers, advisors, agents, or contractors, or (ii) where and to the extent explicitly compelled to do so by applicable law, to applicable supervisory authorities and/or data subjects without Customer’s prior written consent.
4. Compliance with Applicable Data Protection Laws
4.1. The Vendor shall comply with all applicable Data Protection Laws in relation to the Processing of Personal Data on behalf of the Customer. At a minimum, and without limiting the foregoing, Vendor represents and warrants that it shall maintain all Personal Data in strict confidence (except to the extent that sharing of the Personal Data is consistent with or required by the processing that Customer has herein contracted with Vendor to conduct), which is more than or equal to the degree of care and organizational security measures that meet or exceed applicable industry standards and that ensure a level of security appropriate to the particular risks associated with the type of Personal Data being processed.
4.2. The Vendor shall maintain records of its Processing activities in accordance with applicable Data Protection Laws and shall make such records available to the Customer upon reasonable request.
5. Subprocessing
5.1. Where the Customer engages a Subprocessor who will access, store, or otherwise process Customer’s Personal Data, the Vendor shall ensure that the Subprocessor is contractually bound by data protection obligations, including but not limited to confidentiality obligations, that are at least as protective as those set out in this Addendum.
5.2. The Vendor shall remain fully liable to the Customer for the performance of any Subprocessor in relation to the Processing of Personal Data.
5.3. A list of Company’s current authorized Sub-Processors is available to the Customer at Nash — Terms - Privacy Policy.
6. Data Transfers
6.1. The Vendor shall not transfer Personal Data outside of the country in which the Customer is located, or to any country that does not provide an adequate level of data protection as determined by the applicable Data Protection Laws, without the prior written consent of the Customer. The Company may transfer Personal Data processed under this DPA outside the European Economic Area, the UK, or Switzerland as necessary to provide the Services. Customer acknowledges that Company’s primary processing operations take place in the United States, and that the transfer of Customer’s Personal Data to the United States is necessary for the provision of the Services to Customer. If Company transfers Personal Data protected under this DPA to a jurisdiction for which the European Commission has not issued an adequacy decision, Company will ensure that appropriate safeguards have been implemented for the transfer of Personal Data in accordance with applicable Data Protection Laws.
7. Return or Destruction of Personal Data
7.1. Upon the termination or expiry of any agreement between the Customer and the Vendor, or upon the Customer’s written request at any time, the Vendor shall, at the Customer's discretion, either return all Personal Data to the Customer or securely destroy all Personal Data and shall certify in writing to the Customer that it has done so.
7.2. Any copies, reproductions, or extracts of Personal Data made by the Vendor in the course of providing its services shall be subject to the same obligations as the original Personal Data under this Data Protection and Security Provision.
8. Audit Rights
8.1. Vendor shall maintain complete and accurate records in connection with Vendor’s performance under this Addendum and shall retain such records for a period of 3 years after the termination or expiration of the agreement between the Customer and the Vendor.
8.2. Customer shall have reasonable access during regular business hours upon reasonable notice to review and audit such records relevant to Vendor’s provision of services and discharge of obligations under this Addendum.
8.3. Customer also reserves the right to actively test Vendor’s compliance with Customer’s security requirements, including without limitation security configuration (e.g., server parameters, security settings and control environment) and network perimeter controls; provided that such tests are not unreasonably disruptive to Vendor’s business and sufficient notice is provided. Vendor agrees, at its cost, to make reasonable changes requested by Customer to correct inadequacies discovered in such audits or tests.
9. Miscellaneous
9.1. Notices under this Addendum (including notifications of any Data Breach) will be delivered via the email supplied to Vendor on Customer’s account. The Customer is responsible for ensuring the account email remains current and valid.
Vendor acknowledges and agrees that the Customer (whether it is acting as a controller or a processor on behalf of another controller) may disclose this Addendum to third parties (including other controllers, data subjects and regulators) for purposes of demonstrating compliance with applicable laws.
9.2. The Parties hereby acknowledge and agree that any remedies arising from any Data Breach or any breach by Vendor or any authorized representative of the terms of this Addendum are not and shall not be subject to any limitation of liability provision that applies to Vendor under any signed agreement.
9.3. Notwithstanding anything to the contrary contained herein, in the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the terms of this Addendum; (2) the written agreement between the Customer and the Vendor.