Data Processing Addendum
DATA PROCESSING AGREEMENT
Last Updated: November 2024
This Data Processing Agreement ("DPA") forms part of the agreement ("Agreement") between Nusu Inc. ("Nusu", "we", "us", or "our") and the customer entity that has agreed to Nusu's Terms of Service ("Customer", "you", or "your").
This DPA applies where and to the extent that Nusu processes Personal Data on behalf of Customer as a Data Processor in the provision of the Services.
1. DEFINITIONS
In this DPA:
- "Applicable Data Protection Law" means all applicable laws and regulations relating to data protection and privacy, including without limitation the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation, and the California Consumer Privacy Act ("CCPA"), as may be amended or superseded from time to time.
- "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", and "Processor" shall have the meanings given to them in the GDPR, and related terms shall be construed accordingly.
- "Customer Data" means any Personal Data that Nusu processes on behalf of Customer as a Processor in connection with the Services.
- "Services" means the services provided by Nusu to Customer pursuant to the Agreement.
- "Sub-processor" means any third party engaged by Nusu to process Customer Data on behalf of Customer.
2. RELATIONSHIP OF THE PARTIES
2.1 Roles. The parties acknowledge and agree that with regard to the Processing of Customer Data:
- Customer is the Controller
- Nusu is the Processor
- Customer appoints Nusu to process Customer Data on Customer's behalf
2.2 Customer Responsibilities. Customer shall ensure that:
- Its instructions for the processing of Customer Data comply with Applicable Data Protection Law
- It has all necessary rights to provide Customer Data to Nusu for processing
- It has provided all necessary notices and obtained all necessary consents and authorizations required under Applicable Data Protection Law
3. NUSU'S PROCESSING OF CUSTOMER DATA
3.1 Processing Instructions. Nusu shall:
- Only process Customer Data in accordance with Customer's documented instructions as set out in this DPA and the Agreement
- Immediately inform Customer if, in Nusu's opinion, an instruction violates Applicable Data Protection Law
3.2 Purpose Limitation. Nusu shall process Customer Data solely to provide the Services in accordance with the Agreement and shall not process Customer Data for any other purpose.
3.3 Confidentiality. Nusu shall ensure that all personnel authorized to process Customer Data:
- Are subject to appropriate confidentiality obligations
- Process Customer Data only as necessary to provide the Services
4. SECURITY
4.1 Security Measures. Nusu shall implement and maintain appropriate technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data ("Security Measures"), including without limitation:
- Encryption of Customer Data in transit and at rest
- Access controls ensuring Customer Data is accessible only to authorized personnel
- Regular testing and evaluation of Security Measures
- Regular backups of Customer Data
- Incident response and data breach procedures
4.2 Updates to Security Measures. Nusu may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall protection of Customer Data.
5. SUB-PROCESSORS
5.1 Authorized Sub-processors. Customer agrees that Nusu may engage Sub-processors to process Customer Data on Nusu's behalf. The current list of Sub-processors is set out in Annex A.
5.2 Sub-processor Obligations. Where Nusu engages a Sub-processor:
- Nusu shall impose data protection obligations on the Sub-processor that provide at least the same level of protection as those in this DPA
- Nusu shall remain fully liable to Customer for the Sub-processor's performance
5.3 Changes to Sub-processors. Nusu may add or replace Sub-processors by:
- Providing Customer with at least 10 days' advance notice
- Giving Customer the opportunity to object to such changes on reasonable grounds relating to data protection
- If Customer objects, the parties shall work together in good faith to resolve the objection
6. DATA SUBJECT RIGHTS
6.1 Assistance with Data Subject Requests. Nusu shall, taking into account the nature of the processing, provide reasonable assistance to Customer to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law.
6.2 Data Subject Request Procedure. If Nusu receives a request from a Data Subject regarding Customer Data, Nusu shall:
- Promptly notify Customer of the request
- Not respond to the request except as instructed by Customer or as required by law
7. DATA BREACH
7.1 Breach Notification. If Nusu becomes aware of a Personal Data Breach affecting Customer Data, Nusu shall:
- Notify Customer without undue delay and in any event within 72 hours
- Provide Customer with sufficient information to allow Customer to meet any obligations to report to supervisory authorities or notify Data Subjects
7.2 Breach Information. Such notification shall include:
- The nature of the Personal Data Breach
- The categories and approximate number of affected Data Subjects
- The categories and approximate number of affected Personal Data records
- The likely consequences of the breach
- Measures taken or proposed to address the breach
8. AUDIT
8.1 Audit Rights. Nusu shall make available to Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer.
8.2 Audit Procedure. Customer may exercise its audit rights by:
- Reviewing Nusu's certifications and audit reports
- Requesting additional information through written questions
- Conducting an on-site audit with 30 days' advance written notice, not more than once per year
9. DATA LOCATION AND TRANSFERS
9.1 Data Location. Customer Data will be processed in the United States and other jurisdictions where Nusu or its Sub-processors maintain operations.
9.2 International Transfers. Where Customer Data is transferred outside of the European Economic Area, UK, or other jurisdiction with data transfer restrictions, Nusu shall ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses
- Other transfer mechanisms approved under Applicable Data Protection Law
10. DATA RETURN AND DELETION
10.1 Return or Deletion. Upon termination of the Agreement, Nusu shall, at Customer's election:
- Return all Customer Data to Customer in a commonly used format
- Delete all Customer Data from Nusu's systems
10.2 Retention. Notwithstanding the above, Nusu may retain Customer Data:
- As required by applicable law
- In accordance with standard backup and disaster recovery procedures for up to 90 days
11. COOPERATION AND ASSISTANCE
11.1 Regulatory Assistance. Nusu shall provide reasonable assistance to Customer with:
- Data protection impact assessments
- Prior consultations with supervisory authorities
- Other compliance obligations under Applicable Data Protection Law
11.2 Costs. Customer shall reimburse Nusu for reasonable costs incurred in providing assistance beyond Nusu's standard support obligations.
12. LIABILITY
12.1 Liability. Each party's liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Agreement.
12.2 Indemnification. Each party shall defend, indemnify, and hold harmless the other party from and against any claims, damages, losses, and expenses arising from its breach of this DPA.
13. GENERAL PROVISIONS
13.1 Governing Law. This DPA shall be governed by the same law as the Agreement.
13.2 Modification. This DPA may only be modified by written agreement of both parties.
13.3 Severability. If any provision of this DPA is held to be unenforceable, the remaining provisions shall continue in full force and effect.
13.4 Entire Agreement. This DPA, together with the Agreement, constitutes the entire agreement between the parties regarding the processing of Customer Data.
13.5 Conflict. In the event of conflict between this DPA and the Agreement, this DPA shall control with respect to the processing of Customer Data.
ANNEX A: LIST OF SUB-PROCESSORS
The following third-party Sub-processors are authorized to process Customer Data:
| Sub-processor | Service Provided | Location | Purpose |
|---------------|------------------|----------|---------|
| Vercel Inc. | Infrastructure & Hosting | United States | Application hosting and content delivery |
| Neon, Inc. | Database Services | United States | Database infrastructure and storage |
| Amazon Web Services, Inc. | Cloud Infrastructure | United States | Cloud computing and storage services |
This list may be updated from time to time in accordance with Section 5.3 of this DPA.
ANNEX B: DESCRIPTION OF PROCESSING
Categories of Data Subjects:
- Customer's end users
- Customer's employees and contractors
- Customer's customers and prospects
Categories of Personal Data:
- Contact information (names, email addresses, phone numbers)
- Account information (usernames, user IDs)
- Usage data (IP addresses, browser information, activity logs)
- Communication data (support tickets, messages)
- Any other Personal Data submitted through the Services
Nature and Purpose of Processing:
- To provide the Services as described in the Agreement
- To provide customer support
- To ensure security and prevent fraud
- To comply with legal obligations
Duration of Processing:
- For the duration of the Agreement and as specified in Section 10
BY ACCEPTING THE TERMS OF SERVICE OR USING THE SERVICES, CUSTOMER AGREES TO BE BOUND BY THIS DATA PROCESSING AGREEMENT.
For questions about this DPA, please contact: privacy@nusu.ai
Mailing Address:
Nusu Inc.
10161 W Park Run Dr Ste 150
Las Vegas, NV 89145
United States