NerdioCon 2025: April 7-9, Palm Springs, CA
NerdioCon 2025: April 7-9, Palm Springs, CA
According to a new Gartner report, The Future of VMware’s EUC Products, concerns about licensing
Cloud computing has forever changed traditional IT setups. It has made it possible to access
Properly quote and cost-predict Microsoft Azure.
Model and cost-predict Azure Virtual Desktop environments.
Effective August 16, 2018
This Privacy Policy describes how Nerdio (https://getnerdio.com/) collects, uses and discloses information, and what choices you have with respect to the information. Updates in this version of the Privacy Policy reflect changes in data protection law.
When we refer to “Nerdio”, we mean the Nerdio, Inc. entity that acts as the controller or processor of your information, as explained in more detail in the “Identifying the Data Controller and Processor” section below.
Nerdio (“Nerdio,” “we,” “us,” “our,” or “Company”) is committed to respecting the privacy of the information collected from its customers, visitors, and other users (“you” or “your”) of the Nerdio website, (the “Nerdio Site,” or “Site”). We created this Privacy Policy (this “Policy”) to explain how we collect, use, disclose, and safeguard your information when you use the Nerdio Site.
This Policy is only applicable to the Nerdio Site, and not to any other websites that you may be able to access from the Site or via the Services, each of which may have data collection and use practices and policies that differ materially from this Policy. This Policy applies to all personal information received by Nerdio whether in electronic, paper or verbal format.
PLEASE READ THIS POLICY CAREFULLY. We take the security and privacy of your personal information very seriously and only collect personally identifiable information that is appropriate for you to use, interact and improve Nerdio Site. If you do not agree with the terms of this Policy, please do not download the Site, access the Services, or otherwise use the Nerdio Site.
Personal Information. We may ask for certain personal information from you for the purpose of providing you with any content and/or services that you request (including but not limited to your name, organization, address, phone number, email address).
We may also decide to keep the info you submit to us on file so we can properly respond to any of your questions or concerns, as well as for future communication.
Testimonials. From time to time, we may specifically contact you to provide a testimonial regarding your experience, thoughts and comments about Nerdio. If you agree to provide a testimonial, we will publish your testimonial on our Site and the information you provide such as your full name and company will be public. However, you have the right to decline our request for a testimonial and not provide us any information.
Automatic Collection. We may automatically collect the following information about your use of our Services: access time, device ID, Application ID or other unique identifier; domain name, IP address, language information; device name and model; operating system information; location information; your activities within the Services; and the length of time that you are logged in.
Cookies. From time to time, we may use the standard “cookies” feature of major browser applications that allows us to store a small piece of data on your device about your activity on our Site. We do not set any personally identifiable information in cookies, nor do we employ any data capture mechanisms on our website other than cookies. We’re always looking to improve the quality of our service and to customize your experience on our Site. Cookies help us learn which areas of our site are useful and which areas need improvement. You can choose whether to accept cookies by changing the settings on your browser. However, if you choose to disable this function, your experience with our Site may be diminished and some features may not work as they were intended.
Having accurate information about you permits us to provide you with a smooth, efficient, and customized experience. Nerdio uses your information in furtherance of performance of a contract to provide you our Site, information we collect with your consent and our legitimate interests in operating our Site and business as listed below. Please see how we use the information we collect from you:
Personal Information. We will not share your personal information with any third parties without your consent, except as necessary to provide you with the Nerdio Site or to comply with the law. We may use your personal information to verify your identity, to check your qualifications, or to follow up with transactions initiated on the Site. We may also use your contact information to inform you of any changes to the Site, or to send you additional information about Company. If you give your permission, we may share your contact information with our business partners or other companies that we integrate with.
Anonymous Information. We use anonymous information to analyze our Site traffic, but we do not examine this information for individually identifying information. In addition, we may use anonymous IP addresses to help diagnose problems with our server, to administer our Site, or to display the content according to your preferences. Traffic and transaction information may also be shared with business partners and advertisers on an aggregate and anonymous basis.
Marketing. We may use your personal information to:
Use of Cookies. We may use cookies and other tracking technologies to deliver content specific to your interests, to save your password so you don’t have to re-enter it each time you visit our Site, or for other purposes. Promotions or advertisements displayed on our Site may contain cookies. Aggregate cookie and tracking information may be shared with third parties. Also, we may display certain advertising offers on our Site to allow service providers, advertisers, or other third parties to advertise on our Site. Most browsers are set up to accept cookies by default. You can remove or reject cookies, but be aware that such action could affect the availability and functionality of the Nerdio Site.
Disclosure To Protect Lawful Interests. We may disclose personal information if required to do so by law or in the good-faith belief that such action is necessary to (1) conform to the edicts of the law or comply with legal process served on Company or its parent company, subsidiaries or affiliates, (2) protect and defend the rights or property of Company or the users of the Site, or (3) act under exigent circumstances to protect the safety of the public or users of the Site.
Sale of Information. In order to accommodate changes in our business, we may sell or buy portions of our company or other companies or assets, including the information collected through this Site. If Company or substantially all of its assets are acquired; customer information will be one of the assets transferred to the acquirer.
Retention Period. We review our retention periods for personal information on a regular basis. We will hold your personal information on our systems for as long as you are using Nerdio Site.
Correcting Your Information. The accuracy of your information is important to us. We are working on making it easier for you to review and correct the information we hold about you. If you change email address, or you think any of the other information we hold is inaccurate or out of date, please email us at: hello@getnerdio.com.
Access To Information. You have the right to ask for a copy of the information we hold about you, free of charge, and we will respond to your request within 30 (thirty) days.
Marketing. You have the right to ask us not to process your personal information for marketing purposes. You can exercise your right to prevent such processing by checking or unchecking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us at: hello@getnerdio.com.
Nerdio Site, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal information to these websites.
Right To Portability. You have the right to receive personal data you have provided to us in a structured, commonly used and machine readable format. You also have the right to request that we, as the controller, transmit this data directly to another controller. You may only exercise this right with respect to the personal data you have provided to us with your consent or for the performance of a contract. The right to data portability only applies to personal data. This means that it does not apply to genuinely anonymous data. If you wish to exercise your right to portability, free of charge, please contact us at hello@getnerdio.com. We will respond to your request within 30 (thirty) days.
Right To File A Complaint. If you are residing in European Economic Area: If you have any concerns and/or complaints regarding our information privacy practices, please contact us at hello@getnerdio.com, we will help to resolve your question, concern or complaint. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, after you contacted us, you have the right to file a complaint with your Data Protection Authority.
Nerdio’s servers are located in the United States. As part of the services offered to you through Nerdio Site, the information which you provide to us may be transferred to countries outside the European Union (“EU”). By way of example, this may happen if any of our or third-party providers’ servers are from time to time located in a country outside of the EU. These countries may not have similar data protection laws to the EU.
By submitting your personal data, you’re agreeing to this transfer, storing or processing. If we transfer your information outside of the EU in this way, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this Policy.
If you use our services while you are outside the EU, your information may be transferred outside the EU in order to provide you with those services.
IDENTIFYING THE DATA PROCESSOR AND DATA CONTROLLER
Data protection law in certain jurisdictions differentiates between the “controller” and “processor” of information. In general, you are the controller of your data. In general, Nerdio is the processor of your data.
DATA SECURITY
We have administrative, technical, and physical security measures in place to help prevent the loss, misuse, and alteration of the information that we obtain from you, but we make no assurances about our ability to prevent any such loss, misuse, to you or to any third party arising out of any such loss, misuse, or alteration. Any information disclosed online can potentially be intercepted and used by unauthorized parties.
CONTROLS FOR DO-NOT-TRACK FEATURES
Most web browsers and some mobile operating systems include a Do-Not-Track (“DNT”) feature or setting that you can activate to signal your privacy preference not to have information about your online browsing activities monitored or collected.
Our Site do not track your browsing activities across third party websites and we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your preference not to be tracked online. No uniform technology standard for recognizing and implementing DNT signals has been finalized. Because there is not yet a common understanding of how to interpret the DNT signal, we do not currently respond to DNT signals which may be sent from your computer, mobile device, or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will provide information about that practice in a revised version of this Policy.
The Site may contain links to other websites. If you choose to visit other websites, we are not responsible for the privacy practices or content of those other websites, and it is your responsibility to review the privacy policies at those websites to confirm that you understand and agree with their policies.
NOTICE CONCERNING THE INFORMATION OF CHILDREN
Nerdio Site is not directed to children. In connection with our Services, we do not knowingly solicit information from or market to children under the age of 16. Please contact us if your child has provided personal information to us and we will take reasonable measures to promptly delete the information from our records; however, please be aware that the information may not be completely or comprehensively removed from our databases, if it is kept in a de-identified manner and if we are not able to link that information to the individual.
At Nerdio, we believe in being transparent about how we collect and use data. This policy provides information about how and when we use cookies for these purposes. Capitalized terms used in this policy but not defined have the meaning set forth in our Privacy Policy, which also includes additional details about the collection and use of information at Nerdio.
Cookies are small text files sent by us to your computer or mobile device. These files enable Nerdio features and functionality. They are unique to your account or your browser. Session-based cookies last only while your browser is open and are automatically deleted when you close your browser. Persistent cookies last until you or your browser delete them or until they expire.
To find out more about cookies, visit this site.
Yes. Nerdio uses cookies and similar technologies like web plugins. We use both session-based and persistent cookies. Nerdio sets and accesses our own cookies on the domains operated by Nerdio and its corporate affiliates (collectively, the “Sites”). In addition, we use third-party cookies, such as Google Analytics.
In addition to our own cookies, we may also use various third-party cookies to report usage statistics of the Service, deliver advertisements on and through the Service, and so on.
Some cookies are associated with your account and personal information in order to remember that you are logged in. Other cookies are not tied to your account but are unique and allow us to carry out analytics and customization, among other, similar activities.
Cookies can be used to recognize you when you visit a Site or use our Services, remember your preferences, and give you a personalized experience that is consistent with your settings. Cookies also make your interactions faster and more secure.
Categories of Use | Description |
Authentication | If you’re signed in to our Services, cookies help us show you the right information and personalize your experience. |
Security | We use cookies to enable and support our security features, as well as to help us detect malicious activity. |
Preferences, features and services | Cookies can tell us which language you prefer and what your communications preferences are. They can help you fill out forms on our Sites more easily. They also provide you with features, insights, and customized content. |
Marketing | We may use cookies to help us deliver marketing campaigns and track their performance. Similarly, our partners may use cookies to provide us with information about your interactions with their services; however, use of those third-party cookies would be subject to the service provider’s policies. |
Performance, Analytics and Research | Cookies help us learn how well our Site and Services perform. We also use cookies to understand, improve, and research products, features, and services, including to create logs and record when you access our Sites and Services from different devices, such as your work computer or mobile device. |
You can find a list of the third-party cookies Nerdio uses on our sites, along with other relevant information, in our cookie tables. While we do our best to keep this table updated, please note that the number and names of cookies, pixels and other technologies may change from time to time.
Cookies and other ad technology such as beacons, pixels, and tags help us market more effectively to users that we and our partners believe may be interested in Nerdio. They also help provide us with aggregated auditing, research, and reporting, and know when content has been shown to you.
What can you do if you don’t want cookies to be set or want them to be removed, or if you want to opt out of internet-based targeting?
Some people prefer not to allow cookies, which is why most browsers give you the ability to manage cookies to suit you. In some browsers, you can set up rules to manage cookies on a site-by-site basis, giving you more fine-grained control over your privacy. What this means is that you can disallow cookies from all sites except those that you trust.
Browser manufacturers provide help pages relating to cookie management in their products. Please see the links below for more information.
For other browsers, please consult the documentation that your browser manufacturer provides.
You can opt out of interest-based targeting provided by participating ad servers through the Digital Advertising Alliance (http://youradchoices.com). In addition, on your iPhone, iPad, or Android, you can change your device settings to control whether you see online interest-based ads.
If you limit the ability of websites and applications to set cookies, you may worsen your overall user experience and/or lose the ability to access the services, since it will no longer be personalized to you. It may also stop you from saving customized settings like login information.
Our Sites and Services do not collect personal information about your online activities over time or across third-party websites or online services. Therefore, “do not track” signals transmitted from web browsers do not apply to our Sites or Services, and we do not alter any of our data collection and use practices upon receipt of such a signal.
If you have questions or comments about these policies, please email us at hello@getnerdio.com or call us at (877) 909-5410.
We reserve the right, at any time, to add to, change, update, or modify this Policy, simply by posting such change, update, or modification on the Site and without any other notice to you. Any such change, update, or modification will be effective immediately upon posting on the Site. It is your responsibility to review this Policy from time to time to ensure that you continue to agree with all of its terms.
Please see Microsoft Commercial Marketplace terms and conditions here.
Effective April 3, 2019
This Data Protection Addendum (“Addendum”) forms part of the Standard Terms and Conditions (“Agreement”) between Nerdio and Customer. Capitalized terms not otherwise defined herein will have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement will remain in full force and effect.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below will be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended by, and including, this Addendum.
1.1. In this Addendum, the following terms will have the meanings set out below and cognate terms will be construed accordingly:
1.1.1. “Applicable Laws” means (a) European Union or Member State laws with respect to any Customer Personal Data in respect of which Customer is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Customer Personal Data in respect of which Customer is subject to any other Data Protection Laws;
1.1.2. “Customer Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Customer pursuant to or in connection with the Agreement;
1.1.3. “Contracted Processor” means Nerdio or a Subprocessor;
1.1.4. “Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
1.1.5. “EEA” means the European Economic Area;
1.1.6. “GDPR” means EU General Data Protection Regulation 2016/679;
1.1.7. “Restricted Transfer” means:
in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses to be established under section 5.4.3 or 11 below;
1.1.8. “Services” means the services and other activities to be supplied to or carried out by or on behalf of Nerdio for Customer pursuant to the Agreement;
1.1.9. “Standard Contractual Clauses” means the contractual clauses set out in Annex 2, amended as indicated (in square brackets and italics) in that Annex and under section 13.4;
1.1.10. “Subprocessor” means any person (including any third party, but excluding an employee of Nerdio or any of its sub-contractors) appointed by or on behalf of Nerdio to Process Personal Data on behalf of Customer in connection with the Agreement; and
1.2. The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” will have the same meaning as in the GDPR, and their cognate terms will be construed accordingly.
2.1. Nerdio will:
2.2. Customer:
2.3. Annex 1 to this Addendum sets out certain information regarding the Contracted Processors’ Processing of the Customer Personal Data as required by article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws). Customer may make reasonable amendments to Annex 1 by written notice to Nerdio from time to time as Customer reasonably considers necessary to meet those requirements. Nothing in Annex 1 (including as amended pursuant to this section 2.3) confers any right or imposes any obligation on any party to this Addendum.
Nerdio will take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Customer Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Nerdio will in relation to the Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2. In assessing the appropriate level of security, Nerdio will take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
5.1. Customer authorizes Nerdio to appoint (and permit each Subprocessor appointed in accordance with this section 5 to appoint) Subprocessors in accordance with this section 5 and any restrictions in the Agreement.
5.2. Nerdio may continue to use those Subprocessors already engaged by Nerdio as at the date of this Addendum, subject to Nerdio in each case as soon as practicable meeting the obligations set out in section 5.4.
5.3. Nerdio will give Customer prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within five (5) business days of receipt of that notice, Customer notifies Nerdio in writing of any objections (on reasonable grounds) to the proposed appointment:
5.4. With respect to each Subprocessor, Nerdio will:
5.5. Nerdio will ensure that each Subprocessor performs the obligations under sections 2.1, 3, 4, 6.1, 7.2, 8 and 10.1, as they apply to Processing of Customer Personal Data carried out by that Subprocessor, as if it were party to this Addendum in place of Nerdio.
6.1. Taking into account the nature of the Processing, Nerdio will assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
6.2. Nerdio will:
7.1. Nerdio will notify Customer promptly upon Nerdio or any Subprocessor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
7.2. Nerdio will co-operate with Customer and take such reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
Nerdio will provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required of Customer by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
9.1. Subject to sections 9.2 and 9.3 Nerdio will promptly and in any event within thirty-one (31) days of the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Customer Personal Data.
9.2. Subject to section 9.3, Customer may in its absolute discretion by written notice to Nerdio within thirty (30) days of the Cessation Date require Nerdio to (a) return a complete copy of all Customer Personal Data to Customer by secure file transfer in such format as is reasonably notified by Customer to Nerdio; and (b) delete and procure the deletion of all other copies of Customer Personal Data Processed by any Contracted Processor. Nerdio will comply with any such written request within thirty-one (31) days of the Cessation Date.
9.3. Each Contracted Processor may retain Customer Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Nerdio will ensure the confidentiality of all such Customer Personal Data and will ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
9.4. Nerdio will provide written certification to Customer that it has fully complied with this section 10 within thirty-one (31) days of the Cessation Date.
10.1. Subject to sections 10.1 to 10.3, Nerdio will make available to Customer on request all information necessary to demonstrate compliance with this Addendum, and will allow for and contribute to audits, including inspections, by Customer or an auditor mandated by Customer in relation to the Processing of the Customer Personal Data by the Contracted Processors.
10.2. Information and audit rights of the Customer only arise under section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law (including, where applicable, article 28(3)(h) of the GDPR).
10.3. Customer will give Nerdio reasonable notice of any audit or inspection to be conducted under section 10.1 and will make (and ensure that each of its mandated auditors makes) reasonable efforts to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to the Contracted Processors’ premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. A Contracted Processor need not give access to its premises for the purposes of such an audit or inspection:
11.1. Subject to section 11.3, Customer (as “data exporter”) and each Contracted Processor, as appropriate, (as “data importer”) hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer from Customer to that Contracted Processor.
11.2. The Standard Contractual Clauses will come into effect under section 12.1 on the later of:
11.3. Section 11.1 will not apply to a Restricted Transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining consents from Data Subjects), is to allow the relevant Restricted Transfer to take place without breach of applicable Data Protection Law.
Governing law and jurisdiction
12.1. Without prejudice to clauses 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the Standard Contractual Clauses:
Order of precedence
12.2. Nothing in this Addendum reduces Nerdio’s obligations under the Agreement in relation to the protection of Personal Data or permits Nerdio to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Agreement. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.
12.3. Subject to section 12.2, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum will prevail.
Changes in Data Protection Laws, etc.
12.4. Customer may:
12.5. If Customer gives notice under section 12.4.1:
12.6. If Customer gives notice under section 12.4.2, the parties will promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Customer’s notice as soon as is reasonably practicable.
Severance
12.7. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum will remain valid and in force. The invalid or unenforceable provision will be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
ANNEX 1: DETAILS OF PROCESSING OF COMPANY PERSONAL DATA
This Annex 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Customer Personal Data
The subject matter and duration of the Processing of the Customer Personal Data are set out in the Agreement and this Addendum.
The nature and purpose of the Processing of Customer Personal Data
Nerdio for Azure (NFA) Service as provided under the Agreement.
The types of Customer Personal Data to be Processed
[Include list of data types here]
The categories of Data Subject to whom the Customer Personal Data relates
[Include categories of data subjects here]
The obligations and rights of Customer
The obligations and rights of Customer are set out in the Agreement and this Addendum.
ANNEX 2: STANDARD CONTRACTUAL CLAUSES
[These Clauses are deemed to be amended from time to time, to the extent that they relate to a Restricted Transfer which is subject to the Data Protection Laws of a given country or territory, to reflect (to the extent possible without material uncertainty as to the result) any change (including any replacement) made in accordance with those Data Protection Laws (i) by the Commission to or of the equivalent contractual clauses approved by the Commission under EU Directive 95/46/EC or the GDPR (in the case of the Data Protection Laws of the European Union or a Member State); or (ii) by an equivalent competent authority to or of any equivalent contractual clauses approved by it or by another competent authority under another Data Protection Law (otherwise).]
[If these Clauses are not governed by the law of a Member State, the terms “Member State” and “State” are replaced, throughout, by the word “jurisdiction”.]
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection [This opening recital is deleted if these Clauses are not governed by the law of a member state of the EEA.]
[The gaps below are populated with details of the Customer:]
Name of the data exporting organisation:
Address:
Tel.: ____________; fax: __________________; e-mail: __________________
Other information needed to identify the organisation
……………………………………………………………
(the data exporter)
And
[The gaps below are populated with details of the relevant Contracted Processor:]
Name of the data importing organisation:
Address:
Tel.: ________________; fax: _________________; e-mail:__________________
Other information needed to identify the organisation:
…………………………………………………………………
(the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Background
The data exporter has entered into a data processing addendum (“DPA”) with the data importer. Pursuant to the terms of the DPA, it is contemplated that services provided by the data importer will involve the transfer of personal data to data importer. Data importer is located in a country not ensuring an adequate level of data protection. To ensure compliance with Directive 95/46/EC and applicable data protection law, the controller agrees to the provision of such Services, including the processing of personal data incidental thereto, subject to the data importer’s execution of, and compliance with, the terms of these Clauses.
Clause 1
Definitions
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; [If these Clauses are governed by a law which extends the protection of data protection laws to corporate persons, the words “except that, if these Clauses govern a transfer of data relating to identified or identifiable corporate (as well as natural) persons, the definition of “personal data” is expanded to include those data” are added.]
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC; [If these Clauses are not governed by the law of a Member State, the words “and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC” are deleted.]
(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3
Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC; [If these Clauses are not governed by the law of a Member State, the words “within the meaning of Directive 95/46/EC” are deleted.]
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Clause 5
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
Clause 6
Liability
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Clause 7
Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8
Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
Clause 9
Governing Law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Clause 10
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11
Subprocessing
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Clause 12
Obligation after the termination of personal data processing services
1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
On behalf of the data exporter:
[Populated with details of, and deemed signed on behalf of, the data exporter:]
Name (written out in full):
Position:
Address:
Other information necessary in order for the contract to be binding (if any):
Signature……………………………………….
On behalf of the data importer:
[Populated with details of, and deemed signed on behalf of, the data importer:]
Name (written out in full):
Position:
Address:
Other information necessary in order for the contract to be binding (if any):
Signature……………………………………….
Appendix 1 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix
Data exporter
The data exporter is:
[TO BE COMPLETED]
Data importer
The data importer is:
[TO BE COMPLETED]
Data subjects
The personal data transferred concern the following categories of data subjects:
[TO BE COMPLETED]
Categories of data
The personal data transferred concern the following categories of data:
[TO BE COMPLETED]
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data:
[TO BE COMPLETED]
Processing operations
The personal data transferred will be subject to the following basic processing activities:
[TO BE COMPLETED]
DATA EXPORTER
[Populated with details of, and deemed to be signed on behalf of, the data exporter:]
Name:………………………………
Authorised Signature ……………………
DATA IMPORTER
[Populated with details of, and deemed to be signed on behalf of, the data importer:]
Name:………………………………
Authorised Signature ……………………
Appendix 2 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
[TO BE COMPLETED]
ANNEX 3: LIST OF MANDATED AUDITORS
[TO BE COMPLETED]
Structured Onboarding & Training
90-day onboarding support with structured methodology
Persona-based training and Nerdio Manager for Enterprise Certification
Unlimited self-paced learning and in person training days
Ongoing Enablement & Technical Support
Designated Technical Account Manager
Access to best practices
Quarterly Executive Business Reviews
Unlimited technical support and premium support SLAs (details below)
Enhanced Product Experience
Semi-annual product roadmap presentations
Product release reviews and technical working sessions
Access to new Nerdio features in preview or private beta based on eligibility
Premium Support / Service Level Agreement
As part of the Customer Success Package, Customer is being provided premium support by Nerdio. The following service levels and support components are effective as of the Effective Date:
Service Description
Nerdio agrees to provide 24×7 support for the software product, Nerdio Manager for Enterprise, hereinafter referred to as “Product”. For a detailed view of the support scope please refer to https://nerdio.co/nmescope . Support includes and is not limited to:
Service Level Objectives
Nerdio commits to the following Service Level Objectives
Prioritization
Service Reporting
Nerdio will provide quarterly performance reports to the Customer that includes and is not limited to:
Support and Escalation
Support issues specific to the Product will be addressed via ticketing (see above) at which time severity will be applied to the issue. Any issues specific to the Product or its delivery of features may be designated as a software defect. Remediation of those defect includes and is no limited to:
Severity 1 (Critical) – Critical Outage: Halts Operations with Financial Impact or relates to a high-risk security issue. No Workaround exists.
Severity 2 (High) – Production Impact: Service is highly degraded and impacts the ability for operations. No reasonable workaround exists.
Severity 3 (Medium) – System Impaired: Features or functionality are impaired, but users can still leverage the service.
Severity 4 (Low) – General Guidance: General usage or configuration questions. No business or production impact.
Product Update and Release Schedule
The Product updates and releases include and are not limited to:
Note: Hotfixes applicable between releases with the exception for 7 days prior to a scheduled* release. Any hotfix within that period will be included in the *scheduled release.
*Current schedule for minor release is 6 weeks
© Copyright Nerdio 2024. All Rights Reserved.