Effective July 18, 2025
Exhibit C
This Data Protection Addendum (“Addendum”) forms part of the Master Customer Agreement (the “MCA”) or the Nerdio for Azure Standard Terms and Conditions currently available at: https://getnerdio.com/nerdio-policies-legal/ (the “Nerdio for Azure Standard Terms and Conditions “; the MCA or the Nerdio for Azure Standard Terms and Conditions, as applicable, are each referred to as the “Agreement”) between Nerdio and Customer. Capitalized terms not otherwise defined herein will have the meaning given to them in the Agreement. This DPA constitutes an amendment to the Agreement (including in accordance with Section 11.4 of the Nerdio for Azure Standard Terms and Conditions where such terms apply). Except as modified below, the terms of the Agreement will remain in full force and effect. For the avoidance of doubt, where applicable, Section 2 of the Nerdio for Azure Standard Terms and Conditions is deleted in its entirety. In the event of a conflict between this DPA and any other terms in the Agreement, the terms of this DPA will govern.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below will be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended by, and including, this Addendum. By entering into the Agreement, the parties are deemed to have signed all Exhibits, Attachments, Annexes, Schedules, and Appendices, including those incorporated by reference, to this Addendum where applicable. In the event that the individual accessing the Services is accessing the Services on behalf of a legal entity, such legal entity shall be the Customer hereunder, and, where Customer is not a natural person, the natural person accessing the Services on behalf of Customer hereby represents and warrants in their individual capacity that they have the authority to bind such legal entity in contract to this DPA as Customer.
Definitions
In this Addendum, the following terms will have the meanings set out below and cognate terms will be construed accordingly:
“Applicable Laws” means (a) European Union or Member State laws with respect to any Customer Personal Data in respect of which Customer is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Customer Personal Data in respect of which Customer is subject to any other Data Protection Laws;
“CCPA” means (to the extent applicable) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, together with any regulations promulgated thereunder;
“Customer Personal Data” means any Personal Data Processed by a Contracted Processor solely on behalf of Customer to provide the Services pursuant to or in connection with the Agreement;
“Contracted Processor” means Nerdio or a Subprocessor;
“Data Protection Laws” means collectively, the GDPR and the UK Data Protection Laws, as applicable;
“EEA” means the European Economic Area;
“GDPR” means EU General Data Protection Regulation 2016/679;
“Processing” (including any grammatically inflected forms thereof) means any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, including without limitation collection, recording, organization, structuring, storage, adaptation or alteration, access, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Restricted Transfer”means:
a transfer of Customer Personal Data from Customer to a Contracted Processor; or
an onward transfer of Customer Personal Data from a Contracted Processor to a Contracted Processor, or between two establishments of a Contracted Processor,
in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses and/or UK DTA;
“Services” means the services and other activities to be supplied to or carried out by or on behalf of Nerdio for Customer pursuant to the Agreement;
“StandardContractual Clauses” means the Standard Contractual Clauses for the Transfer of Personal Data as set out in European Commission Decision 2021/914/EC, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN;
“Subprocessor” means any person (including any third party, but excluding an employee of Nerdio or any of its sub-contractors) appointed by or on behalf of Nerdio to Process Customer Personal Data on behalf of Customer in connection with the Agreement;
The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”,“Processor” and “Supervisory Authority” will have the same meaning as in the Data Protection Laws (as applicable), and their cognate terms will be construed accordingly;
“UK” means the United Kingdom;
“UK Data Protection Laws” means UK GDPR and the UK’s Data Protection Act 2018 (“UK DPA 2018”);
“UK DTA” means the UK’s ‘International Data Transfer Addendum to the EU Commission Standard Contractual Clauses’, Version B1.0, in force from March 21, 2022, available at https://ico.org.uk/media/for-organisations/documents/4019535/addendum-international-data-transfer.docx.
“UK GDPR” means the UK equivalent of the GDPR, as defined in section 3(10) (and as supplemented by section 205(4)) of the UK DPA 2018; and
2.Processing of Customer Personal Data
2.1. Nerdio will:
2.1.1. comply with all applicable Data Protection Laws in the Processing of Customer Personal Data; and
2.1.2. not Process Customer Personal Data other than on the Customer’s documented instructions unless Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case Nerdio will to the extent permitted by Applicable Laws inform the Customer of that legal requirement before the relevant Processing of that Personal Data.
2.2. Customer:
2.2.1. instructs Nerdio (and authorizes Nerdio to instruct each Subprocessor) to:
2.2.1.1. Process Customer Personal Data; and
2.2.1.2. in particular, transfer Customer Personal Data to any country or territory as reasonably necessary for the provision of the Services and consistent with the Agreement.
2.3. Exhibit A to this Addendum sets out certain information regarding the Contracted Processors’ Processing of the Customer Personal Data as required by article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws).
Nerdio Personnel
Nerdio will take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Customer Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Security
4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Nerdio will in relation to the Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR and/or the equivalent provision(s) of the UK Data Protection Laws.
4.2. In assessing the appropriate level of security, Nerdio will take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
Subprocessing
5.1. Customer authorizes Nerdio to appoint (and permit each Subprocessor appointed in accordance with this section 5 to appoint) Subprocessors in accordance with this section 5 and any restrictions in the Agreement.
5.2. Nerdio may continue to use those Subprocessors already engaged by Nerdio as at the date of this Addendum, subject to Nerdio in each case as soon as practicable meeting the obligations set out in section 5.4.
5.3. Nerdio will give Customer prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within five (5) business days of receipt of that notice, Customer notifies Nerdio in writing of any objections (on reasonable grounds) to the proposed appointment:
5.3.1 Nerdio will work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and
5.3.2 where such a change cannot be made within ten (10) business days from Nerdio’s receipt of Customer’s notice, notwithstanding anything in the Agreement, Customer may by written notice to Nerdio with immediate effect terminate the Agreement to the extent that it relates to the Services which require the use of the proposed Subprocessor.
5.4. With respect to each Subprocessor, Nerdio will:
5.4.1. before the Subprocessor first Processes Customer Personal Data (or, where relevant, in accordance with section 5.2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Customer Personal Data required by the Agreement;
5.4.2. ensure that the arrangement between on the one hand (a) Nerdio or (b) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Customer Personal Data as those set out in this Addendum and meet the requirements of article 28(3) of the GDPR and/or the equivalent provision(s) of the UK Data Protection Laws;
5.4.3. if that arrangement involves a Restricted Transfer, ensure that the Standard Contractual Clauses and/or UK DTA are at all relevant times incorporated into the agreement between on the one hand (a) Nerdio or (b) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, or before the Subprocessor first Processes Customer Personal Data procure that it enters into an agreement incorporating the Standard Contractual Clauses and/or UK DTA with the Customer; and
5.4.4. provide to Customer for review such copies of the Contracted Processors’ agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) as Customer may request from time to time.
5.5. Nerdio will ensure that each Subprocessor performs the obligations under sections 2.1, 3, 4, 6.1, 7.2, 8 and 10.1, as they apply to Processing of Customer Personal Data carried out by that Subprocessor, as if it were party to this Addendum in place of Nerdio.
Data Subject Rights
6.1. Taking into account the nature of the Processing, Nerdio will assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
6.2. Nerdio will:
6.2.1. promptly notify Customer if any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and
6.2.2. ensure that the Contracted Processor does not respond to that request except on the documented instructions of Customer or as required by Applicable Laws to which the Contracted Processor is subject, in which case Nerdio will to the extent permitted by Applicable Laws inform Customer of that legal requirement before the Contracted Processor responds to the request.
Personal Data Breach
7.1. Nerdio will notify Customer promptly upon Nerdio becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
7.2. Nerdio will co-operate with Customer and take such reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach, provided that such assistance shall be provided at Customer’s expense, except in the event that such Personal Data Breach is caused by Contracted Processor’s act or omissions, in which case such assistance shall be provided at Contracted Processor’s expense.
Data Protection Impact Assessment and Prior Consultation
Nerdio will provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required of Customer by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
Deletion or return of Customer Personal Data
9.1. Subject to sections 9.2 and 9.3 Nerdio will promptly and in any event within thirty-one (31) days of the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Customer Personal Data.
9.2. Subject to section 9.3, Customer may in its absolute discretion by written notice to Nerdio within thirty (30) days of the Cessation Date require Nerdio to (a) return a complete copy of all Customer Personal Data to Customer by secure file transfer in such format as is reasonably notified by Customer to Nerdio; and (b) delete and procure the deletion of all other copies of Customer Personal Data Processed by any Contracted Processor. Nerdio will comply with any such written request within thirty-one (31) days of the Cessation Date.
9.3. Each Contracted Processor may retain Customer Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Nerdio will ensure the confidentiality of all such Customer Personal Data and will ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
9.4. Nerdio will provide written certification to Customer that it has fully complied with this section 9 within thirty-one (31) days of the Cessation Date.
Audit rights
10.1. Subject to sections 10.1 to 10.3, Nerdio will make available to Customer on request all information necessary to demonstrate compliance with this Addendum, and will allow for and contribute to audits, including inspections, by Customer or an auditor mandated by Customer, provided that no such auditor will be a competitor of Nerdio or compensated on a contingency basis, in relation to the Processing of the Customer Personal Data by the Contracted Processors.
10.2. Information and audit rights of the Customer only arise under section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law (including, where applicable, article 28(3)(h) of the GDPR and/or equivalent provisions of the UK Data Protection Laws).
10.3. Customer will give Nerdio reasonable prior notice of any audit to be conducted under section 10.1 and will make (and ensure that each of its mandated auditors makes) reasonable efforts to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to the Contracted Processors’ premises, equipment, personnel and business in the course of such an audit. Notwithstanding anything to the contrary in this section 10 no audit shall be undertaken unless or until Customer has requested, and Nerdio has provided, information about Nerdio’s data protection practices and Customer reasonably determines that an audit remains necessary to demonstrate material compliance with the obligations laid down in this Addendum.
For the purposes of such an audit:
10.3.1. A Contracted Processor need not give access to its premises to any individual unless he or she produces reasonable evidence of identity and authority;
10.3.2. Such audit shall not occur outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Customer undertaking an audit has given notice to Nerdio that this is the case before attendance outside those hours begins;
10.3.3. Customer may conduct, in respect of each Contracted Processor, no more than one audit in any 12-month period, except for any additional audits which:
10.3.3.1. Customer reasonably considers necessary because of genuine and commercially reasonable concerns as to Nerdio’s compliance with this Addendum; or
10.3.3.2. Customer is required to carry out by Data Protection Law, a Supervisory Authority (acting with lawful authority) or any similar regulatory authority (acting with lawful authority) responsible for the enforcement of Data Protection Laws in any country or territory,
where Customer has identified its concerns or the relevant requirement or request in its notice to Nerdio of the audit.
10.3.4. In no event shall Customer or any mandated auditor have access to the information of any other client of Nerdio;
10.3.5. The disclosures made pursuant to this section 10 shall be held in confidence as Nerdio’s confidential information and subject to any confidentiality obligations in the Agreement; and
10.3.6. Without limiting the generality of any provision in the Agreement, Customer shall employ the same degree of care to safeguard information it receives under this section 10 that it uses to protect its own confidential and proprietary information and in any event, not less than a reasonable degree of care under the circumstances, and Customer shall be liable for any improper disclosure or use of information received under this section 10 by Customer or its agents.
Transfers
11.1 To the extent Nerdio Processes Customer Personal Data regulated by the GDPR solely on behalf of Customer (“EU Personal Data”), and to the extent Customer is a Controller and Nerdio is a Processor on behalf of Customer with regard to such EU Personal Data, then to the extent required by the GDPR, Module 2 of the Standard Contractual Clauses (the “Controller to Processor Standard Contractual Clauses”) will apply to the transfer of such EU Personal Data by Customer to Nerdio and to Nerdio’s Processing of such EU Personal Data and the parties hereby agree to comply with such Controller to Processor Standard Contractual Clauses, which are hereby incorporated into the Agreement in their entirety, as set forth in Exhibit B. In the event of a conflict between the Agreement and the Controller to Processor Standard Contractual Clauses, the Controller to Processor Standard Contractual Clauses will control to the extent applicable to such EU Personal Data.
11.2 To the extent Nerdio Processes EU Personal Data, and to the extent Customer is a Processor on behalf of a third party with respect to EU Personal Data and Nerdio is a Processor on behalf of Customer with regard to such EU Personal Data, then to the extent required by the GDPR, Module 3 of the Standard Contractual Clauses (the “Processor to Processor Standard Contractual Clauses”) will apply to the transfer of such EU Personal Data by Customer to Nerdio and to Nerdio’s Processing of such EU Personal Data and the parties hereby agree to comply with such Processor to Processor Standard Contractual Clauses, which are hereby incorporated into the Agreement in their entirety, as set forth in Exhibit C. In the event of a conflict between the Agreement and the Processor to Processor Standard Contractual Clauses, the Processor to Processor Standard Contractual Clauses will control to the extent applicable to such EU Personal Data.
11.3 To the extent Nerdio Processes Personal Data regulated by the UK Data Protection Laws solely on behalf of Customer (“UK Personal Data”), then to the extent required by the UK Data Protection Laws, the UK DTA will apply to the transfer of such UK Personal Data by Customer to Nerdio and to Nerdio’s Processing of such UK Personal Data and the parties hereby agree to comply with such UK DTA, which is hereby incorporated into the Agreement in its entirety and as set forth in Exhibit D. In the event of a conflict between the Agreement and the UK DTA, the UK DTA will control to the extent applicable to the UK Personal Data.
11.4 To the extent Customer makes available to Nerdio any information relating to any identified or identifiable individual or household that is regulated by the CCPA for a business purpose pursuant to the Agreement and/or to the extent Nerdio Processes Personal Data regulated by the CCPA solely on behalf of Customer (collectively, “California Personal Data”), then to the extent required by the CCPA, the California Data Exhibit (attached hereto as Exhibit E, the “California Data Exhibit”) will apply to Nerdio’s Processing of such California Personal Data and the parties hereby agree to comply with such California Data Exhibit, which is hereby incorporated into the Agreement in its entirety. In the event of a conflict between the Agreement and the California Data Exhibit, the California Data Exhibit will control to the extent applicable to the California Personal Data.
General Terms
Governing law and jurisdiction
12.1. Without prejudice to clauses 17 and 18 of the Standard Contractual Clauses and/or equivalent provision(s) in the UK DTA:
12.1.1. the parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
12.1.2. this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
Order of precedence
12.2. Nothing in this Addendum reduces Nerdio’s obligations under the Agreement in relation to the protection of Personal Data or permits Nerdio to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Agreement.
12.3. Subject to section 12.2, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum will prevail.
Miscellaneous.
12.4. Customer may:
12.4.1. by at least 30 (thirty) calendar days’ written notice to Nerdio from time to time make any variations to the Standard Contractual Clauses and/or UK DTA (including any Standard Contractual Clauses and/or UK DTA entered into under section 11), as they apply to Restricted Transfers which are subject to a particular Data Protection Law, which are required, as a result of any change in, or decision of a competent authority under, that Data Protection Law, to allow those Restricted Transfers to be made (or continue to be made) without breach of that Data Protection Law; and
12.4.2. propose any other variations to this Addendum which Customer reasonably considers to be necessary to address the requirements of any Data Protection Law.
12.5. If Customer gives notice under section 12.4.1:
12.5.1. Nerdio will promptly co-operate (and take reasonable steps designed to ensure that any affected Subprocessors promptly co-operate) to ensure that equivalent variations are made to any agreement put in place under section 5.4.3; and
12.5.2. Customer will not unreasonably withhold or delay agreement to any consequential variations to this Addendum proposed by Nerdio to protect the Contracted Processors against additional risks associated with the variations made under section 12.4.1 and/or 12.5.1.
12.6. If Customer gives notice under section 12.4.2, the parties will promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Customer’s notice as soon as is reasonably practicable.
12.7. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum will remain valid and in force. The invalid or unenforceable provision will be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
12.8. Customer represents, warrants, and covenants that: (i) it has (and will have) Processed, collected, and disclosed all Customer Personal Data and California Personal Data (collectively, “Processed Personal Data”) in compliance with applicable law and provided any notice and obtained all consents and rights required by applicable law to enable Nerdio to lawfully Process Processed Personal Data as permitted by the Agreement and/or this Addendum; (ii) it has (and will continue to have) full right and authority to make the Processed Personal Data available to Nerdio under the Agreement and this Addendum; and (iii) Nerdio’s Processing of the Processed Personal Data in accordance with the Agreement, this Addendum, and/or Customer's instructions does and will not infringe upon or violate any applicable law or any rights of any third party. Customer shall indemnify, defend and hold Nerdio harmless against any claims, actions, proceedings, expenses, damages and liabilities (including without limitation any governmental investigations, complaints and actions) and reasonable attorneys’ fees arising out of Customer’s violation of this section 12.8. Notwithstanding anything to the contrary in the Agreement, Customer’s indemnification obligations under this section 12.8 shall not be subject to any limitations of liability set forth in the Agreement.
12.9. Notwithstanding anything to the contrary in the Agreement (including this Addendum), Customer acknowledges that Nerdio shall have a right to use and disclose data relating to the operation, support and/or use of the Services for its legitimate business purposes, such as product development and sales and marketing. To the extent any such data is considered personal data (as defined in, and regulated by the Data Protection Laws), then, to the extent Nerdio is subject to the Data Protection Laws as a Controller, Nerdio is the Controller of such data and accordingly shall Process such data in accordance with the Data Protection Laws. To the extent any such data is considered personal information (as defined in, and regulated by, the CCPA), then, to the extent Nerdio is subject to the CCPA as a business (as defined in the CCPA), Nerdio is the business (as defined in the CCPA) with respect to such data and accordingly shall Process such data in accordance with the CCPA.
Exhibit A: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
This Exhibit A includes certain details of the Processing of Customer Personal Data as required by Article 28(3) GDPR (and, possibly, equivalent requirements of other Data Protection Laws).
Subject matter and duration of the Processing of Customer Personal Data
The subject matter of the Processing of the Customer Personal Data are set out in the Agreement and this Addendum. The duration of the Processing shall continue as long as Nerdio carries out Customer Personal Data Processing operations on behalf of Customer or until the termination of the Agreement (and all Customer Personal Data has been returned or deleted in accordance with this Addendum).
The nature and purpose of the Processing of Customer Personal Data
The nature of the processing is such that the Customer Personal Data will be subject to basic Processing, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services by Nerdio to Customer in accordance with the terms of the Agreement.
The types of Customer Personal Data to be Processed
The categories of Personal Data included within the Customer Personal Data to which Customer provides Nerdio access, including without limitation display name, email address, IP address, and device information.
The categories of Data Subject to whom the Customer Personal Data relates
Individuals whose Personal Data is included within the Customer Personal Data uploaded to the Services by or behalf of Customer.
The obligations and rights of Customer
The obligations and rights of Customer are set out in the Agreement and this Addendum.
EXHIBIT B: MODULE 2 CONTROLLER TO PROCESSOR STANDARD CONTRACTUAL CLAUSES
For the purposes of the Controller to Processor Standard Contractual Clauses:
Clause 7. The parties agree that the optional language in Clause 7 is included.
Clause 9(a). The parties agree that under Option 2, Nerdio has Customer’s general authorization to subcontract its processing activities to the list of sub-processors set out in section (a)(11)(i). Nerdio will inform Customer in writing of any intended changes to the list of sub-processors set out in section (a)(11)(i) at least 10 days prior to engaging with any other sub-processor.
Clause 11. The parties agree that the optional language in Clause 11 is excluded.
Clause 13. The parties agree that the brackets are removed in the provisions in Clause 13(a) such that the appropriate provision will apply as applicable.
Clause 17. Option 1 shall apply and the Controller to Processor Standard Contractual Clauses shall be governed by the laws of Ireland.
Clause 18. The parties agree that any dispute arising from the Controller to Processor Standard Contractual Clauses shall be resolved by the courts of Ireland.
Annex I.A.
The name and address of Customer, and the name, position, and contact details of the contact person of Customer (which is the data exporter) are as set forth in the Agreement.
The name and address of Nerdio, and the name, position, and contact details of the contact person of Nerdio (which is the data importer) are as follows:
Name: Nerdio, Inc.
Address: 7061 N. Kedzie Ave., Suite 515, Chicago, IL 60645
Contact person’s name, position and contact details: Kevin Murray, VP, Technical Solutions, [email protected]
The activities relevant to the data transferred are the provision and receipt of the Services as described in the Agreement.
The signature and date are the signature and date set forth in the Agreement.
The roles of the parties are as follows: Nerdio is a processor and Customer is a controller.
Annex I.B.
The categories of data subjects are individuals whose personal data is included within the Customer Personal Data uploaded to the Services by or behalf of Customer.
The categories of personal data transferred are the categories of personal data included within the Customer Personal Data uploaded to the Services by or behalf of Customer.
The categories of sensitive data transferred are the categories of sensitive data included within the Customer Personal Data uploaded to the Services by or behalf of Customer.
The frequency of the transfer shall be on a continuous basis.
The nature of the processing is such that the personal data will be subject to basic processing, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services by data importer to the data exporter in accordance with the terms of the Agreement.
The purpose of the data transfer and further processing is provision of the Services by data importer to data exporter.
The duration of the processing under these Controller to Processor Standard Contractual Clauses shall continue as long as data importer carries out personal data processing operations on behalf of data exporter or until the termination of the Agreement (and all personal data has been returned or deleted in accordance with these Controller to Processor Standard Contractual Clauses).
For transfers to sub-processors, personal data will be transferred to sub-processors in order for the data importer to provide the Services to the data exporter. The nature of the processing by such sub-processors will be as follows: the personal data will be subject to basic processing, which may include without limitation collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services to the data exporter in accordance with the terms of the Agreement. The duration of the processing by such sub-processors shall continue as long as such sub-processors carry out personal data processing operations on behalf of the data importer.
Annex I.C.
The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
Annex II.
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Nerdio shall implement commercially reasonable technical and organizational measures with respect to Customer Personal Data intended to meet the security requirements under Applicable Laws.
Annex III.
Customer hereby authorizes the use of the following sub-processors:
Zoho Corporation Private Limited
EXHIBIT C: MODULE 3 PROCESSOR TO PROCESSOR STANDARD CONTRACTUAL CLAUSES
For the purposes of the Processor to Processor Standard Contractual Clauses:
Clause 7. The parties agree that the optional language in Clause 7 is included.
Clause 9(a). The parties agree that under Option 2, Nerdio has Customer’s general authorization to subcontract its processing activities to the list of sub-processors set out in section (a)(11)(i). Nerdio will inform Customer in writing of any intended changes to the list of sub-processors set out in section (a)(11)(i) at least 10 days prior to engaging with any other sub-processor.
Clause 11. The parties agree that the optional language in Clause 11 is excluded.
Clause 13. The parties agree that the brackets are removed in the provisions in Clause 13(a) such that the appropriate provision will apply as applicable.
Clause 17. Option 1 shall apply and the Processor to Processor Standard Contractual Clauses shall be governed by the laws of Ireland.
Clause 18. The parties agree that any dispute arising from the Processor to Processor Standard Contractual Clauses shall be resolved by the courts of Ireland.
Annex I.A.
The name and address of Customer, and the name, position, and contact details of the contact person of Customer (which is the data exporter) are as set forth in the Agreement.
The name and address of Nerdio, and the name, position, and contact details of the contact person of Nerdio (which is the data importer) are as set forth in Exhibit B, Section (a)(7)(ii).
The activities relevant to the data transferred are the provision and receipt of the Services as described in the Agreement.
The signature and date are the signature and date set forth in the Agreement.
The roles of the parties are as follows: Nerdio is a processor and Customer is a processor.
Annex I.B.
The categories of data subjects are individuals whose personal data is included within the Customer Personal Data uploaded to the Services by or behalf of Customer.
The categories of personal data transferred are the categories of personal data included within the Customer Personal Data uploaded to the Services by or behalf of Customer.
The categories of sensitive data transferred are the categories of sensitive data included within the Customer Personal Data uploaded to the Services by or behalf of Customer.
The frequency of the transfer shall be on a continuous basis.
The nature of the processing is such that the personal data will be subject to basic processing, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services by data importer to the data exporter in accordance with the terms of the Agreement.
The purpose of the data transfer and further processing is provision of the Services by data importer to data exporter.
The duration of the processing under these Processor to Processor Standard Contractual Clauses shall continue as long as data importer carries out personal data processing operations on behalf of data exporter or until the termination of the Agreement (and all personal data has been returned or deleted in accordance with these Processor to Processor Standard Contractual Clauses).
For transfers to sub-processors, personal data will be transferred to sub-processors in order for the data importer to provide the Services to the data exporter. The nature of the processing by such sub-processors will be as follows: the personal data will be subject to basic processing, which may include without limitation collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services to the data exporter in accordance with the terms of the Agreement. The duration of the processing by such sub-processors shall continue as long as such sub-processors carry out personal data processing operations on behalf of the data importer.
Annex I.C.
The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
Annex II.
Section (a)(10)(i) of Exhibit B is incorporated herein by reference.
Annex III.
Section (a)(11)(i) of Exhibit B is incorporated herein by reference.
EXHIBIT D: UK DTA
For the purposes of the UK DTA:
For the purposes of Table 1 of the UK DTA, the start date shall be the later of the DPA Date or the date the Agreement is entered into by the parties, and the names of the parties, their roles and their details shall be as set out in Exhibit B section (a)(7) and Exhibit C section (a)(7), respectively;
For the purposes of Tables 2 and 3 of the UK DTA, the Controller to Processor Standard Contractual Clauses and the Processor to Processor Standard Contractual Clauses, including the information set out in Exhibit B section (a)(8), (10), and (11)(i) and Exhibit C section (a)(8), (10), and (11)(i), respectively, shall apply; and
For the purposes of Table 4 of the UK DTA, either party may end the UK DTA.
EXHIBIT E: CALIFORNIA DATA EXHIBIT
This California Data Exhibit (this “Exhibit E”), forms part of the Addendum. Capitalized terms used and not otherwise defined herein shall have the meanings ascribed to them in the Addendum or the Agreement (as applicable). The following types of California Personal Data will be subject to processing hereunder: the categories of California Personal Data uploaded to the Services by or behalf of Customer.
CCPA Provisions.
In this Exhibit E, the following terms have the meanings given in the CCPA: "business purpose", “personal information”, “processing”, “service provider”, “contractor”, “person”, “share”, “sharing”, “shared”, “sell”, “selling”, “sale” and “sold”.
Except as otherwise required by applicable law or as otherwise permitted by the CCPA, Nerdio shall:
not sell or share California Personal Data;
not retain, use, or disclose California Personal Data for any purpose other than for the business purposes of providing the Services specified in the Agreement for the Customer, nor retain, use, or disclose California Personal Data for a commercial purpose other than the business purposes specified in the Agreement, or as otherwise permitted by the CCPA;
not retain, use, or disclose California Personal Data outside of the direct business relationship between the parties;
not combine California Personal Data, which Nerdio receives pursuant to the Agreement or from or on behalf of Customer, with personal information which it receives from or on behalf of another person or persons, or collects from its own interaction with the individual to whom such California Personal Data relates, except as otherwise expressly permitted by the CCPA;
reasonably cooperate with Customer in responding to any requests from any individual regarding California Personal Data relating to such individual, including reasonably assisting Customer in deletion, correction, or limitation of the use of such California Personal Data where required under the CCPA, and including instructing Nerdio’s service providers and/or contractors (if any) to so reasonably cooperate in such response;
reasonably assist Customer through appropriate technical and organizational measures in Customer’s complying with the requirements of subdivisions (d) to (f), inclusive, of section 1798.100 of the CCPA, taking into account the nature of the California Personal Data processing by Nerdio;
implement and maintain commercially reasonable security procedures and practices appropriate to the nature of the California Personal Data intended to protect such California Personal Data from unauthorized access, destruction, use, modification, or disclosure;
comply with all applicable obligations under the CCPA and provide the same level of privacy protection with respect to California Personal Data as required by the CCPA;
notify Customer if Nerdio determines it can no longer meet its obligations under the CCPA; and
comply with section 1798.140(m) of the CCPA with respect to deidentified data (as defined in the CCPA) received by Nerdio from Customer.
To the extent Nerdio is a contractor, Nerdio certifies that Nerdio understands the restrictions provided in sections 2(b)(i), 2(b)(ii), 2(b)(iii), and 2(b)(iv) and will comply with them.
Nerdio acknowledges and agrees that the California Personal Data has been disclosed to it for the limited and specified purposes set forth in the Agreement and Nerdio further acknowledges and agrees Customer shall have the right: (i) to take reasonable and appropriate steps to ensure that Nerdio uses California Personal Data in a manner consistent with Customer’s obligations under the CCPA; and (ii) upon notice from Customer to Nerdio, to take reasonable and appropriate steps to stop and remediate unauthorized use of California Personal Data.
To the extent required by the CCPA and to the extent Nerdio is a contractor, Nerdio shall permit Customer to monitor Nerdio’s compliance with this Exhibit E by conducting audits in accordance with section 10 of this Addendum and including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing.
If Nerdio engages any other person to assist Nerdio in processing California Personal Data for a business purpose on behalf of Customer, Nerdio shall notify Customer of such engagement, and the engagement shall be pursuant to a written contract binding the other person to observe substantially similar requirements to those set forth in this Exhibit E. Nerdio hereby notifies Customer that Nerdio may engage the persons listed in section (a)(11)(i) of Exhibit B to this Addendum to assist Nerdio in processing California Personal Data for a business purpose on behalf of Customer.