Last update: June 19, 2025

Data Protection and Security Addendum

1) Definitions

For purposes of this Data Protection and Security Addendum (the “Addendum”), the following definitions shall apply.

1.1. “Customer” shall refer to the entity using the services provided by Vendor.

1.2. “Vendor” shall refer to the Nash Technologies Inc. or the relevant Nash Technologies Inc. entity processing Personal Data for the Customer.

1.3. “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

1.4. “Data Controller” shall mean the Customer, which determines the purposes and means of the Processing of Personal Data.

1.5. “Data Processor” shall mean Vendor, who Processes Personal Data on behalf of the Data Controller. “Contracted Processor” means a Subprocessor.

1.6.  “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.

1.7. “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR. 

1.8. “GDPR” means EU General Data Protection Regulation 2016/679. Any other terms not defined in this Addendum shall have the same meaning as in the GDPR, and be construed accordingly.

1.9. “Personal Data” means personal data (as defined in the GDPR or other applicable Data Protection Law) that Developer transmits, or causes to be transmitted, to Vendor (“Data Subject”) for processing in connection with the Vendor services.

2.0. “Processing” means any operation or set of operations which is performed on Personal Data, whether or not by automated means.

2.1. “Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Company in connection with the Vendor services.

2. Data Processor Obligations

2.1. Vendor shall act solely as a Data Processor in respect of the Personal Data provided by the Customer and shall not have any independent rights to use, disclose, or otherwise process the Personal Data for any purpose other than as instructed by the Customer in writing.

2.2. The Vendor shall ensure that its employees, agents, subcontractors, or any other persons acting under its authority who have access to Personal Data are subject to appropriate confidentiality obligations.

2.3. The Vendor shall implement and maintain reasonable technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction or damage. Such measures shall include, but not be limited to, data encryption, access controls, physical security measures, regular backups, and employee training.

2.4. The Vendor shall, at the Customer’s request and expense, provide the Customer with all reasonable assistance and information necessary to enable the Customer to comply with its obligations under applicable Data Protection Laws, including responding to requests from Data Subjects exercising their rights under such laws.

2.5. The Vendor shall, to the extent legally permissible, promptly notify the Customer in writing upon becoming aware of any request, inquiry, complaint, or claim relating to the Processing of Personal Data by the Vendor and shall cooperate with the Customer in relation to such matters.

3. Data Breach Notification and Cooperation