Data processing addendum

This Nasuni Data Processing Addendum (the “Addendum” or “DPA”) forms part of the Nasuni Subscription and Services  Agreement or other written or electronic agreement referencing this Addendum (the “Agreement”) between Nasuni Corporation  (“Nasuni”) and the entity identified in the table below that has engaged Nasuni to provide the Services (“Customer”). This  Addendum amends the Agreement and is effective upon its incorporation into the Agreement, as specified in the Agreement itself  or in any Order. Upon its incorporation into the Agreement, this Addendum will form part of the Agreement. Notwithstanding anything  to the contrary in the Agreement, if there is a conflict between this Addendum and the Agreement, this Addendum will control.  

Nasuni: Nasuni Corporation | Customer:
Entity type / incorporated in: Delaware corporation | Entity type / incorporated in:
Address: One Marina Park Drive, 6th Floor Boston, MA 02110 | Address:
Legal Jurisdiction (for the purposes of relevant supervisory authority).
DPO / Contact for data protection inquiries: Privacy Officer [email protected] | DPO / Contact for data protection inquiries:

If Customer’s Affiliates have placed Orders for the Services under the Agreement, then this Addendum amends those Orders, and  each such Affiliate shall be deemed to be the “Data Controller” for Protected Information pertinent to its Order for the purposes of  this Addendum. Customer shall be responsible for coordinating all communications with Nasuni and Customer’s Affiliates under  this Addendum and shall be entitled to make and receive any communication in relation to the Addendum, and Customer hereby  enters into this Addendum, on behalf of itself and its Affiliates.  

This Addendum has been pre-signed by Nasuni. To complete this Addendum, Customer must (a) complete the information in the table above, (b) complete the information in the signature boxes on the signature page and sign on such page, (c) complete the information in the tables in Schedule 1, and (d) send the signed and completed addendum to [email protected].

1. Definitions.

For the purposes of this Addendum, capitalized terms shall have the meaning ascribed to them herein or  in the Agreement and in the IDTA and/or SCCs, unless the context otherwise requires.  

“Affiliate” means an entity that owns or controls, is owned or controlled by or is under common ownership or control with such  entity, where “control” means the power to direct the management or affairs of an entity and “ownership” means the beneficial ownership of fifty percent (50%) or more of the voting securities or other equivalent voting interests of an entity. 

“California Personal Data” means any Protected Information contained in Customer Data that constitutes personal information  as defined in, and to the extent regulated by, the California Privacy Laws. 

“California Privacy Laws” means the California Consumer Privacy Act of 2018, together with any regulations promulgated thereunder (collectively, the “CCPA”), as amended or replaced by the California Privacy Rights Act of 2020, together with any regulations promulgated thereunder (collectively, the “CPRA”).

“Data Protection Laws” means all privacy laws applicable to any Personal Data processed under or in connection with this  Addendum, including, without limitation (in each case to the extent applicable), the California Privacy Laws and all privacy laws  and regulations of the European Union, the EEA and their member states, Switzerland and the United Kingdom applicable to  any Personal Data processed under or in connection with this Addendum, including, without limitation, the General Data  Protection Regulation 2016/679 (the “GDPR”), UK Data Protection Act 2018 and UK GDPR (as defined in the Data Protection  Act), the Privacy and Electronic Communications Directive 2002/58/EC (as the same may be superseded by the Regulation on  Privacy and Electronic Communications, (“ePrivacy Regulation”)), and all national legislation implementing or supplementing  the foregoing and all associated codes of practice and other guidance issued by any applicable data protection authority, all as amended, re-enacted and/or replaced and in force from time to time. 

“Data Controller” means the entity that determines the purposes and means of Processing Personal Data.

“Data Processor” means an entity which Processes Personal Data on behalf of a Data Controller.

“IDTA” means either (i) the International Data Transfer Agreement or (ii) the International Data Transfer Addendum to the EU Commission IDTA, both issued by the UK’s Information Commissioner under section 119A(1) Data Protection Act 2018 for UK transfers of personal data to Processors in Third Countries, dated 21 March 2022, whichever is the appropriate document for the transfer of Personal Data. This document is not attached but is incorporated by reference into this agreement.

“Standard Contractual Clauses” or “SCCs” shall have the meaning set forth in Section 6. 

“Personal Data” means all data which is defined as ‘Personal Data’ or ‘personal information’ under Data Protection Laws and which is provided by the Customer to Nasuni or accessed, stored or otherwise processed by Nasuni in connection with the Services.

“Processing” or “processing” (including grammatically inflected forms thereof) means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Regulator” means a supervisory authority that is concerned with the Processing of Personal Data under this Addendum and  includes (in each case as applicable): (a) the UK Information Commissioner’s Office or any other UK governmental data  protection agency which has jurisdiction over a Data Controller’s Processing of Personal Data; (b) the UK Government; and/or  (c) the courts of England and Wales. 

“Services” means the products or services provided by Nasuni to Customer under the Agreement.

“Third Countries” means all countries outside of the UK or the EU, excluding countries approved as providing adequate  protection for Personal Data by the UK Government or other applicable Regulators from time to time. 

2. Protected Information.

Customer hereby acknowledges that the Services are not designed (nor is it intended) for Nasuni  to access your Customer Data or Protected Information, including any Personal Data. Each party agrees to comply with all  applicable data protection laws with respect to its Processing of Protected Information of the other party which the parties agree to  process in connection with this Agreement. 

3. Business Contact Information.

Without limitation of any other provision contained herein, each party may also access  and use the other party’s Protected Information where such Protected Information is included in business contact information  provided in connection with this Agreement. 

4. California Privacy Laws. 

Except as otherwise required by applicable law, Nasuni shall: (i) not sell or share California Personal Data; (ii) not retain, use, or disclose California Personal Data for any purpose other than for the business purposes specified in the Agreement, nor retain, use, or disclose California Personal Data for a commercial purpose other than the business purposes specified in the Agreement, or as otherwise permitted by the CPRA; (iii) not retain, use, or disclose California Personal Data outside of the direct business relationship between the parties; (iv) not combine California Personal Data, which Nasuni receives pursuant to the Agreement or from or on behalf of Customer, with personal information which it receives from or on behalf of another person or persons, or collects from its own interaction with the individual to whom such California Personal Data relates, except as otherwise expressly permitted by the CPRA; (v) reasonably cooperate with Customer in responding to any requests from any individual regarding California Personal Data relating to such individual, including reasonably assisting Customer in deletion, correction, or limitation of the use of such California Personal Data where required under the CPRA, and including instructing Nasuni’s service providers and/or contractors (if any) to so reasonably cooperate in such response; (vi) reasonably assist Customer through appropriate technical and organizational measures in Customer’s complying with the requirements of subdivisions (d) to (f), inclusive, of Section 1798.100 of the CPRA, taking into account the nature of the California Personal Data Processing by Nasuni; (vii) implement and maintain commercially reasonable security procedures and practices appropriate to the nature of the California Personal Data intended to protect such California Personal Data from unauthorized access, destruction, use, modification, or disclosure; (viii) comply with all applicable obligations under the CPRA and provide the same level of privacy protection with respect to California Personal Data as required by the CPRA; and (ix) notify Customer if Nasuni determines it can no longer meet its obligations under the CPRA. Nasuni acknowledges and agrees that the California Personal Data has been disclosed to it for the limited and specified purposes set forth in the Agreement and Nasuni further acknowledges and agrees Customer shall have the right: (x) to take reasonable and appropriate steps to ensure that Nasuni uses California Personal Data in a manner consistent with Customer’s obligations under the CPRA; and (y) upon notice from Customer to Nasuni, to take reasonable and appropriate steps to stop and remediate unauthorized use of California Personal Data. The following terms have the meanings given in the California Privacy Laws: “business purpose”, “personal information”, “service provider”, “contractor”, “person”, “share”, “sharing”, “shared”, “sell”, “selling”, “sale” and “sold”.

5. UK Personal Data.

To the extent any Protected Information contained in Customer Data is regulated by the UK GDPR  (“UK Personal Data”), the IDTA (as defined herein) and Schedule 1 attached hereto will apply to Nasuni’s Processing of such UK  Personal Data on your behalf and the parties hereby agree to comply with the IDTA, which is hereby incorporated into this  Addendum in its entirety. In the event of a conflict between the Agreement and the IDTA, the IDTA will control to the extent  applicable to UK Personal Data. 

6. EU Personal Data.

To the extent any Protected Information contained in the Customer Data is regulated by the GDPR  (“EU Personal Data”), then to the extent required by the GDPR, the standard contractual clauses for the transfer and Processing  of personal data as set out in European Commission Decision 2021/914/EC, modules 2 and 3 (“Standard Contractual Clauses” or “SCCs”) and Schedule 1 attached hereto will apply to Nasuni’s Processing of such Protected Information on your behalf and the  parties hereby agree to comply with such Standard Contractual Clauses, which are hereby incorporated into this Addendum by  reference, in their entirety. In the event of a conflict between the Agreement and the Standard Contractual Clauses, the Standard  Contractual Clauses will control to the extent applicable to the EU Personal Data. 

7. Other Data.

Notwithstanding anything to the contrary in the Agreement or herein, Customer acknowledges that Nasuni  shall have a right to use and disclose usage and similar anonymized statistical data relating to the operation, support and/or use of  the Services for its legitimate business purposes, such as product development and sales and marketing and such data is not  Customer Data. To the extent any such data is considered Personal Data (to the extent regulated by the Data Protection Laws),  then, to the extent that Nasuni is subject to the Data Protection Laws, Nasuni is the Data Controller of such data and accordingly  shall Process such data in accordance with the applicable Data Protection Laws. To the extent any such data is considered personal  information (as defined in, and regulated by, the California Privacy Laws), then, to the extent Nasuni is subject to the California  Privacy Laws as a business, Nasuni is the business with respect to such data and accordingly shall Process such data in  accordance with the California Privacy Laws. 

8. Processing of Personal Data 

As between the parties, (i) Customer is a Data Controller and Nasuni is a Data Processor on behalf of Customer with regard to  Personal Data; or (ii) Customer is a Data Processor on behalf of a third party with respect to Personal Data and Nasuni is a Data  Processor on behalf of Customer with regard to Personal Data. Customer wishes to appoint Nasuni as a Data Processor to Process  Personal Data (i) in accordance with the Agreement; (ii) at the Customer’s or its Authorized User’s request in using the Software; or  (iii) to comply with other reasonable instructions of the Customer (e.g., via email or support tickets) that are consistent with the terms  of this Addendum (individually and collectively, the “Purpose”). If Customer’s Affiliates have placed Orders with Nasuni for the  Software under the Agreement, then this Addendum amends those Orders, and each such Affiliate shall be deemed to be the “Data  Controller” for Personal Data pertinent to its Order for the purposes of this Addendum. Customer shall be responsible for coordinating  all communications with Nasuni and Customer’s Affiliates under this Addendum and shall be entitled to make and receive any  communication in relation to this Addendum, and Customer hereby enters into this Addendum, on behalf of itself and its Affiliates.  

9. Customer 

(a) Customer will determine the scope, purposes, and manner by which the Personal Data may be accessed or Processed by  Nasuni as set out in Schedule 1. Nasuni will process the Personal Data only as set forth in Customer’s written instructions. 

(b) Customer warrants that it has all necessary rights to provide the Personal Data to Nasuni for the Processing to be performed  in relation to the Services. To the extent required by the UK GDPR, Customer is responsible for ensuring that it has a legal basis  for the processing and where necessary, the consent of the Data Subject. Where consent is the legal basis for processing,  Customer shall ensure that a record of such consents is maintained. Should such a consent be revoked by the Data Subject,  Customer is responsible for promptly communicating the fact of such revocation to Nasuni, and Nasuni remains responsible for  implementing any Customer instruction with respect to the further Processing of such Personal Data. 

10. Nasuni’s Obligations 

To the extent Nasuni Processes Personal Data solely on behalf of the Customer, it shall:

(a) Process the Personal Data only on documented instructions from the Customer in such manner as, and to the extent that, this is  appropriate for the provision of the Services, except as required to comply with a legal obligation to which Nasuni is subject. In such  a case, Nasuni shall, to the extent legally permitted, inform the Customer of that legal obligation before Processing. Nasuni shall  immediately inform the Customer if, in its opinion, an instruction infringes Data Protection Laws, including with regard to transfers of  Personal Data to Third Countries; 

(b) without prejudice to any existing contractual arrangements between the parties, treat all Personal Data as strictly confidential  and inform all its employees, agents and/or approved sub-processors engaged in processing the Personal Data of the confidential nature of the Personal Data; further, Nasuni shall ensure that such persons or parties authorized to Process the Personal Data  have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; 

(c) be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue the  Purpose, subject to the requirements of this Addendum; and 

(d) at all times have in place an appropriate written security policy with respect to the processing of Personal Data, outlining in  any case the measures referenced in Section 11 below. 

11. Security 

(a) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of  Processing, as well as the risk of varying likelihood and severity for violations of the rights and freedoms of natural persons,  without prejudice to any other security standards agreed upon by the parties, each of the Customer and Nasuni shall  independently implement appropriate technical and organizational measures designed for the protection of the security,  confidentiality and integrity of the Personal Data appropriate to the risk, taking into account the risks that are presented by the  Processing, for example from accidental or unlawful destruction, loss, or alteration, unauthorized or unlawful storage,  Processing, access or disclosure of Personal Data. These measures may include, as appropriate: 

(i) controls to permit access to the Personal Data only by authorized personnel for the Purpose;

(ii) the pseudonymization and encryption of Personal Data;

(iii) controls for the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;

(iv) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

(v) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures  for ensuring the security of the Processing of Personal Data; and  

(vi) measures to identify vulnerabilities with regard to the Processing of Personal Data in systems used to provide Services  to the Customer. 

(b) The parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security  requirements set forth in Data Protection Laws or by any Regulator. 

(c) Nasuni shall, in accordance with applicable Data Protection Laws, make available to the Customer such information in Nasuni’s possession or control as the Customer may reasonably request with a view to demonstrating Nasuni’s compliance with the obligations of processors under Data Protection Law in relation to its processing of Personal Data. The Customer may exercise its right of audit under Data Protection Laws, through Nasuni providing: (a) an audit report not older than 12 months by a registered and independent external auditor demonstrating that Nasuni’s technical and organizational measures are sufficient and in accordance with an accepted industry audit standard (such as ISO 27001 or SSAE 18 SOC 2) and (b) additional information in Nasuni’s possession or control to the applicable regulator, including the UK Information Commissioner and/or an EU supervisory authority, when it requests or requires additional information in relation to the data processing activities carried out by Nasuni under this DPA. In the event that any such audit report identifies any deficiencies or non-compliance with Nasuni’s obligations, Nasuni will use commercially reasonable efforts to promptly address and rectify such deficiencies/non-compliance. Notwithstanding the foregoing, in no event shall Customer have access to the information of any other client of Nasuni and the disclosures made pursuant to this Section 11(c) (“Audit Information”) shall be held in confidence as Nasuni’s confidential information and subject to any confidentiality obligations in the Agreement.

12. International Transfers 

In order to ensure adequate safeguards for the Personal Data where it is transferred from the Customer to Nasuni in a Third  Country, the Customer shall comply with the data exporter’s obligations in the IDTA and/or the SCCs as applicable, and Nasuni  shall comply with the data importer’s obligations in the IDTA and/or the SCCs as applicable in respect of that transferred  Personal Data. The parties hereby enter into the IDTA and the SCCs, which are incorporated into and form part of this  Addendum, by reference. To the extent that the IDTA or the SCCs, as a statutory mechanism to enable international data  transfers, have been revoked, or held by a Regulator to be invalid, the Customer and Nasuni agree to cooperate in good faith  to promptly terminate the transfer or to ensure suitable security mechanisms and processes are implemented to lawfully effect  and support such transfer.

13. Sub-Processing 

The Customer hereby grants Nasuni general written authorization to engage Nasuni’s Affiliates to Process the Personal Data of the Customer and authorizes Nasuni and its Affiliates to engage sub-processors in connection with the delivery of Services under the Agreement. As used herein, “sub-processor” means another Data Processor engaged by Nasuni to process Personal Data on behalf of Nasuni. The Customer hereby authorizes the use by Nasuni and its Affiliate of the sub-processors identified at https://www.nasuni.com/legal/nasuni-sub-processors/ (subject to the requirements of this Section 13). Nasuni may engage new sub-processors or may change sub-processors from time to time. Nasuni will provide the Customer with notice (by updating the sub-processor list at https://www.nasuni.com/legal/nasuni-sub-processors/ and by providing the Customer with a mechanism to receive notice of such updates) of any new sub-processor at least 14 days in advance of providing such sub-processor with access to Personal Data. The Customer will have 14 days from the date of receipt of the notice to approve or reject the new sub-processor. In the event of no response from the Customer, the sub-processor will be deemed accepted. If the Customer rejects the new or replacement sub-processor, Nasuni may terminate Services with immediate effect, and without liability to Nasuni, on written notice to the Customer. Nasuni shall enter into written agreements with its sub-processors containing data protection obligations that provide at least the same level of protection for the Personal Data as are imposed under this Addendum and shall in particular impose on its sub-processors the obligation to implement appropriate technical and organizational measures in such a manner that the sub-processing will meet the requirements of the applicable Data Protection Laws. Nasuni shall supervise the sub-processor’s compliance with its obligations and, where a sub-processor fails to fulfill its obligations, Nasuni shall remain fully liable under the applicable Data Protection Laws to the Customer for the performance of that sub-processor’s obligations.

14. Return Or Destruction Of Personal Data 

Upon termination of this Addendum, upon the Customer’s written request, or upon fulfillment of the Purpose whereby no further  Processing is required, Nasuni and the Customer agree that Nasuni shall either delete or destroy all Personal Data except where  otherwise required by applicable law. The return of data may incur additional charges by Nasuni. Nasuni agrees to preserve the  confidentiality of any retained Personal Data and will only Process such Personal Data after the date of termination in order to  comply with the laws to which it is subject and to fulfill its obligations under this Addendum.  

15. Assistance To Customer 

(a) Nasuni shall, to the extent legally permissible, promptly notify the Customer of any requests from a Data Subject to exercise the rights of the Data Subject under Data Protection Laws, including: access, rectification, restriction of Processing, erasure (the “right to be forgotten”), data portability, objection to the Processing, or to not be subject to automated individual decision making (each a “Data Subject Request”). Taking into account the nature of the Processing, Nasuni shall assist the Customer by appropriate technical and organizational measures, insofar as this is commercially reasonable, for the fulfilment of the Customer’s obligation to respond to the Data Subject Request under Data Protection Laws. In addition, to the extent the Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Nasuni shall, upon the Customer’s request, use commercially reasonable efforts to assist the Customer in responding to such Data Subject Request, to the extent Nasuni is legally permitted to do so and the response to such Data Subject Request is required under applicable Data Protection Laws.

(b) Upon the Customer’s request, Nasuni shall provide the Customer with reasonable cooperation and assistance to help the Customer fulfill its obligations (if applicable) under applicable Data Protection Laws with respect to carrying out a data impact assessment related to the Customer’s use of the Services, to the extent the Customer does not otherwise have access to the relevant information, and to the extent such information is available to Nasuni. Nasuni will provide reasonable assistance to the Customer in the cooperation or prior consultations with Regulators taking into account the nature of the Processing.

(c) The Customer shall be responsible for any costs arising from Nasuni’s provision of such assistance, under this Section

16. Information Obligations and Incident Management 

(a) If Nasuni becomes aware of an incident that materially adversely affects the Processing of the Personal Data that is the subject  of the Agreement, it shall promptly notify the Customer about the incident, shall provide commercially reasonable cooperation to the  Customer, and (to the extent such incident was caused by Nasuni’s negligent acts or omissions) shall take commercially reasonable  steps designed to remediate the incident, if applicable, to the extent that remediation is within Nasuni’s control. The obligations of  this Section 16(a) do not apply to incidents that are caused by the Customer, Authorized Users, and/or any products and services  other than Nasuni’s. 

(b) The term “incident” used in Section 16(a) shall mean in any case: 

(i) a government investigation into or seizure of the Personal Data held by Nasuni or a sub-processor, or a specific indication that such an investigation or seizure is imminent; or

(ii) any breach of the security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of,  or access to, the Personal Data, or any indication of such breach having taken place or being about to take place.

(c) Nasuni shall maintain written records and procedures to enable it to promptly respond to the Customer about an incident. Where  the incident is reasonably likely to require a data breach notification by the Customer under applicable Data Protection Laws, Nasuni  shall implement its written procedures in such a way that it is able to notify the Customer in the time frame required by the applicable  Data Protection Laws after becoming aware of such an incident. 

17. Miscellaneous 

(a) The liability of each party and its respective Affiliates, taken together in the aggregate, arising out of or relating to this Addendum shall be subject to the section(s) of the Agreement governing limitations of liability, and any reference in such section(s) to the liability of a party means the aggregate liability of that party (and all of its Affiliates) to the other party (and all of its Affiliates) under the Agreement and all Data Processing Addendums together.

(b) This Addendum and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes and claims) shall be governed by and construed in accordance with the laws applicable to the Agreement of which this Addendum forms a part.

(c) This Addendum shall automatically terminate on the expiration or earlier termination of the Agreement. 

(d) This Addendum is the final, complete and exclusive agreement of the parties with respect to the subject matter hereof and  supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter. Other  than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this DPA. No modification of, amendment to, or waiver of any rights under the Addendum will be effective unless in writing and signed by an  authorized signatory of each party. This Addendum may be executed in counterparts, each of which shall be deemed to be an  original, but all of which, taken together, shall constitute one and the same agreement. Each person signing below represents and warrants that he or she is duly authorized and has legal capacity to execute and deliver this Addendum. Each party  represents and warrants to the other that the execution and delivery of this Addendum, and the performance of such party’s  obligations hereunder, have been duly authorized and that this Addendum is a valid and legally binding agreement on each  such party, enforceable in accordance with its terms.

IN WITNESS WHEREOF, the parties have caused this Addendum to be executed by their duly authorized representatives as  of the last date written below. 

NASUNI CORPORATION CUSTOMER: 

By:________________________________ By:__________________________________
Name:_____________________________ Name:_______________________________
Title:______________________________ Title:________________________________
Date:______________________________ Date:________________________________

Schedule 1 

A. List of Parties 

Data importer
Name, Address, Contact Person, Role of Contact Person and Contact Person Contact details: Nasuni Corporation, One Marina Park Drive, 6th Floor, Boston, MA 02210; Annie Bourne, Chief Commercial and Compliance Counsel; [email protected]
Activities relevant to the data transferred under the IDTA: Provision of the Services.
Role: Processor

Data exporter
Name, Address, Contact Person, Role of Contact Person and Contact Person Contact details:
Activities relevant to the data transferred under the IDTA: Use of the Services provided by Nasuni.
Role: Controller

B. Description of Transfer

Categories of data subjects whose personal data is transferred: Authorized Users of the Services, as well as Customer’s employees, consultants, contractors, agents, and/or third parties with whom the Customer conducts business, as well as any other data subjects to whom the Personal Data included in the data and information submitted by Authorized Users in Customer’s discretion may relate.

Categories of personal data transferred: Personal Data that is included in the data and information submitted by Authorized Users and that may or may not contain special categories of data (such as, but not necessarily limited to, data concerning health, genetic data, or biometric data) in the Customer’s discretion

Sensitive data transferred: None, subject to the prior section.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Personal data is transferred on a continuous basis in accordance with the instructions of the Customer, for the Term of each Agreement (as defined in the DPA).

Nature of the processing: Personal Data will be subject to Processing, which may include without limitation collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing Services to data exporter in accordance with the terms of the Agreement.

Purpose(s) of the data transfer and further processing: The transfer of Personal Data enables Nasuni to provide the Services under the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The duration of the Processing under this DPA shall continue as long as Nasuni carries out Personal Data Processing operations on behalf of Customer or until the termination of the Agreement (and all Personal Data has been destroyed or deleted in accordance with Section 14 of the Addendum).

For transfers to (sub-) processors, subject matter, nature and duration of the processing: As set out in Section 13 of the DPA.

C. Technical and organisational measures 

Technical and organisational measures implemented by the Data Importer: Technical and organisational security measures are set out at https://www.nasuni.com/legal/technical-and-organizational-measures-of-security-toms-for-nasuni-file-data-platform/
Technical and organisational measures by which Nasuni will provide assistance to the Customer in responding to data subjects’ requests are set out at https://www.nasuni.com/legal/privacy/ and https://www.nasuni.com/legal/privacy/#yourrights

D. Additional Matters 

To the extent any Processing of Personal Data by Nasuni under the DPA takes place in any country outside the UK or the EEA  (except if in an Adequate Country) this Schedule 1 shall apply to the Services and be incorporated into and form part of the  Addendum. 

For the purpose of clause 9(a) of the SCCs, OPTION 2 shall apply with a notification time period of 10 days. For the purpose of clause 13(a) and Annex I.C. of the SCCs, if the Data Exporter is established in an EU Member State or has appointed a representative pursuant to Article 27(1) GDPR (which shall in each case be indicated in the details set out at the head of the Addendum) then the competent supervisory authority shall be that of the country where the Data Exporter is established or where it has appointed such representative. Otherwise, if the Data Exporter is not established in an EU Member State and has not appointed a representative but the GDPR applies, the competent supervisory authority for the purpose of Clause 13 of the Standard Contractual Clauses shall be identified at the head of the DPA.

For the purpose of clause 17 of the SCCs, OPTION 2 shall apply and the agreed law shall be the law of the country identified in the details set out at the head of this Addendum. For the purpose of clause 18(b) of the SCCs, the parties agree to the courts of the same country. The optional clause 7 of the SCCs (docking clause) shall be included.

Without prejudice to the Standard Contractual Clauses or the IDTA, these additional terms set out the Parties’ interpretation of their obligations under specific terms of the Standard Contractual Clauses and, where applicable, the IDTA. Where a Party complies with the interpretations set out in this Schedule 1, that Party shall be deemed by the other Party to have complied with its commitments under the Standard Contractual Clauses and the IDTA.

(a) Appointment of new sub-processors: Pursuant to 9(a) of the Standard Contractual Clauses, Data Exporter  acknowledges and expressly agrees that Data Importer will appoint sub-processors in accordance with Section  13 of this Addendum.  

(b) Notification of new sub-processors and Objection Right for new sub-processors: Pursuant to 9(a) of the SCCs, Data Exporter acknowledges and expressly agrees that Data Importer may engage new sub-processors as described in Section 13 of this Addendum.

(c) Copies of sub-processor agreements: The Parties agree that the requirement for copies of the sub-processor  agreements for the purpose of audit or inspection (pursuant to 9(c) of the SCCs) may be met by way of the audit  and records provisions at Section 11(c) of this Addendum.  

(d) Audit and Records: Data Exporter acknowledges and agrees (unless otherwise required by law) that it exercises  its audit right under Clause 8.9(c) of the SCCs by instructing Data Importer to comply with the audit measures  described in Section 11(c) of this Addendum.  

(e) Obligation after the termination of personal data-processing services: Data Exporter agrees that the Data Importer  may fulfil its obligation to return or destroy all the personal data on the termination of the provision of data processing services under Clause 8.5 of the SCCs by complying with the measures described in Section 14 of this Addendum.  

E. Supplementary Clauses 

1. Non-receipt of directives under FISA Section 702 representation: 

Nasuni represents and warrants that, as of the date of this contract, it has not received any national security orders of the type  described in Paragraphs 150-202 of the judgment in the European Court of Justice Case C-311/18, Data Protection  Commissioner v Facebook Ireland Limited and Maximillian Schrems (“Schrems II”).

2. FISA Section 702 ineligibility representation: 

Nasuni represents that to the best of Nasuni’s knowledge, it is not eligible to be required to provide information, facilities, or  assistance of any type under Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) because: 

(a) No court has found Nasuni to be the type of entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition.

(b) If Nasuni were to be found eligible for Section 702, which it believes it is not, it is nevertheless also not the type of  provider that is eligible to be subject to Upstream collection (“bulk” collection) pursuant to FISA Section 702, as  described in paragraphs 62 & 179 of the Schrems II judgment. 

Nasuni will promptly notify the Data Exporter if the circumstances in this clause 2 change. 

3. Court-review safeguard: 

Nasuni shall promptly assess, and use all reasonable legal mechanisms to challenge, any demands for data access through  national security processes it receives in relation to data exporter’s data as well as any non-disclosure provisions attached  thereto. 

To the extent available Nasuni will seek interim measures to suspend the effects of any such order or demand until a court has  finally decided that it is lawful and effective. For the avoidance of doubt, Nasuni shall not disclose the personal data requested  until required to do so under the applicable procedural rules and will provide only the minimum amount of information permissible  when responding to such order, based on a reasonable interpretation of that order. 

In the event such an order or demand is received, Nasuni shall, as far as is lawfully practicable: inform the requesting public  authority of the incompatibility of any such order with the safeguards comprised in the Clauses and the resulting conflict of obligations on Nasuni; and simultaneously and as soon as reasonably possible, notify the data exporter and/or competent  supervisory authority within the EEA or UK of the order. 

4. EO 12333 non-cooperation: 

Nasuni represents that to the best of Nasuni’s knowledge, it is not required to take any action pursuant to U.S. Executive Order  12333. 

5. Notice of non-compliance: 

Nasuni shall promptly notify the data exporter if Nasuni can no longer comply with the Standard Contractual Clauses and shall do so as far as practicable in advance of the receipt of personal data from the data exporter. Such notification shall take place without undue delay and within 72 hours of Nasuni determining that it can no longer (or will no longer be able to) comply. Under such circumstances (including, for the avoidance of doubt, where Nasuni is able to identify ahead of their implementation, any legal or policy developments which may lead to an inability to comply with obligations under the EU SCCs or UK SCCs) the data exporter hereby authorizes Nasuni to promptly secure or return, or delete or securely encrypt, all relevant personal data, without the need for further instructions from the data exporter.

6. Further reassurance: 

Nasuni: 

(a) Certifies that it has not purposefully created back doors or similar programming that could be used to access its systems  and/or personal data; not purposefully created or changed its business processes in a manner which facilitates access  to personal data or systems; and that national law or government policy does not require it to create or maintain back  doors or to facilitate access to personal data or systems or for Nasuni to be in possession of or to hand over encryption  keys in respect of personal data transferred under the Clauses; and 

(b) Shall provide all assistance reasonably requested by the data exporter to support data subjects in exercising their rights and the data exporter shall provide all information, cooperation and assistance reasonably required by Nasuni to do so.
