Last Updated and Effective: 2/10/25
Privacy Policy
Nerdio, Inc. (“Nerdio,” “we,” “us,” “our,” or “Company”) is committed to respecting the privacy of the information collected from its customers, visitors, and other users (“you” or “your”) including through your use of the Nerdio websites, including https://getnerdio.com, https://nerdiocon.com/, and any subdomains thereof, (the “Nerdio Sites,” or “Sites”) and the services, features, and information available on the Sites and/or any applications or other software we may offer (together with the Sites, along with associated and successor websites, applications, features, information, and services, or any part thereof, the “Services”) as well as events (such as NerdioCon) and webinars we may host or otherwise participate in (“Networking Activities”). We created this Privacy Policy (this “Policy”) to explain how we collect, use, disclose, and safeguard your personal information when you use the Nerdio Services.
This Policy describes how Nerdio collects, uses, and discloses personal information, and what choices you have with respect to that personal information.
This Policy is only applicable to the Nerdio Services, and not to any other websites that you may be able to access via the Services, each of which may have data collection and use practices and policies that differ materially from this Policy. This Policy applies to all personal information received by Nerdio whether online or offline.
If an organization with which you are associated (an “Organization”) signs up to use our services, we may receive personal information about you in connection with our provision of such services to your Organization. To the extent we process that personal information solely in order to provide such services to your Organization, we will act as a processor on behalf of your Organization in respect of that personal information, which means: we will handle that information solely at the direction of your Organization; your Organization’s privacy policy (and not this Policy) will apply to the processing of that personal information; and your Organization (and not us) is responsible for obtaining all necessary consents and providing you with all requisite information as required by applicable law. To the extent we process your personal information for any other lawful business purpose of ours, this Policy will apply to the processing of such personal information.
For the purposes of this Policy, “personal information” refers to any information relating to an identified or identifiable natural person. Such personal information amounts to ‘personal data’ for the purposes of and as defined in the European Data Protection Laws (as defined below and to the extent applicable).
As used in this Policy (a) “GDPR” means the General Data Protection Regulation (EU) 2016/679; (b) “UK Data Protection Laws” means the UK GDPR and the UK’s Data Protection Act 2018 (“UK DPA 2018”); (c) “UK GDPR” means the UK equivalent of the GDPR, as defined in section 3(10) (and as supplemented by section 205(4)) of the UK DPA 2018; and (d) “European Data Protection Laws” means the GDPR and/or UK Data Protection Laws, in each case to the extent applicable.
PLEASE READ THIS POLICY CAREFULLY. We take the security and privacy of your personal information very seriously. If you do not agree with the terms of this Policy, please do not access the Services, or otherwise use the Nerdio Sites.
1. Information we collect and receive
Personal Information. In connection with the Services and/or Networking Activities, we may ask for certain personal information from you for the purpose of providing you with any content and/or services that you request including but not limited to: your name, organization, title, address, phone number, email address, type of product you are interested in, whether you are a MSP or an Enterprise End User/IT Professional, recording of sales calls, and any other information you choose to include in requests that you submit to us). Additionally, our Outside Contractors (as defined below) that are responsible for billing and payment processing services (the “Third-Party Payment Providers”) may collect your billing and credit card information from you directly. We may also receive the above types of personal information from third-party sources.
We may also decide to keep the info you submit to us on file so we can properly respond to any of your questions or concerns, as well as for future communication.
Testimonials. From time to time, we may specifically contact you to provide a testimonial regarding your experience, thoughts, and comments about Nerdio. If you agree to provide a testimonial, we will publish your testimonial on our Sites and the information you provide such as your full name and company will be public. However, you have the right to decline our request for a testimonial and not provide us any information.
2. Other information we collect
Automatic Collection. We may automatically collect the following information about your use of our Services: access time, device ID, Application ID or other unique identifier; domain name; IP address; language information; device name and model; operating system information; location information; your activities within the Services; and the length of time that you are logged in.
Cookies. From time to time, we may use the standard “cookies” feature of major browser applications that allows us to store a small piece of data on your device about your activity on our Services. We’re always looking to improve the quality of our service and to customize your experience on our Services. Cookies help us learn which areas of our Services are useful and which areas need improvement. You can choose whether to accept cookies by changing the settings on your browser. However, if you choose to disable this function, your experience with our Services may be diminished and some features may not work as they were intended. For more information on our use of cookies, please see Section 9 below.
3. How we use that information and with whom it may be shared
Pursuant to the European Data Protection Laws, legal bases for our processing your personal information may include (without limitation):
(a) where you have given consent to the processing, which consent may be withdrawn at any time without affecting the lawfulness of processing based on consent prior to withdrawal;
(b) where it is necessary to perform the contract we have entered into or are about to enter into with you (whether in relation to the provision of the Services, engaging in Networking Activities, or otherwise);
(c) where it is necessary for us to comply with a legal obligation to which we are subject; and/or
(d) where it is necessary for the purposes of our legitimate interests (or those of a third party) in providing, improving, or marketing the Services and our business and your interests or fundamental rights and freedoms do not override those legitimate interests.
Having accurate information about you permits us to provide you with a smooth, efficient, and customized experience. Please see below for more information on how we use the personal information we collect from you and with whom it may be shared:
Personal Information. We will use your personal information as described in this Policy and as otherwise disclosed to you, including to provide the Services to you and for our internal operations and to improve, advertise, and market the Services and to engage in Networking Activities. We may use your personal information to verify your identity, to check your qualifications, or to follow up with transactions initiated on or through the Services. We may also use your contact information to inform you of any changes to the Services, or to send you additional information about the Company. If you give your permission, we may share your contact information with our business partners or other companies that we integrate with and as otherwise described in this Policy. In addition, we may use IP addresses to help diagnose problems with our server, to administer our Services, or to display the content according to your preferences.
Aggregated Information. We use aggregated or otherwise deidentified information to analyze our Services traffic. Traffic and transaction information may also be shared with business partners and advertisers on an aggregated or otherwise deidentified basis.
Marketing. We may use your personal information to:
- to provide you with information about Nerdio’s Services and features we add to Nerdio’s Services that are similar to those that you have already purchased or enquired about;
- to make suggestions and recommendations to you and other users of Nerdio’s Services about additional features or services that may interest you, which may be based on your activity on Nerdio’s Services.
- to provide you updates about Nerdio, and our success innovating Nerdio’s Services.
Use of Cookies. We may use cookies and other tracking technologies to deliver content specific to your interests, to save your password so you don’t have to re-enter it each time you use our Services, or for other purposes. Promotions or advertisements displayed on our Services may contain cookies. Aggregate cookie and tracking information may be shared with third parties. Most browsers are set up to accept cookies by default. You can remove or reject cookies, but be aware that such action could affect the availability and functionality of the Services. For more information on our use of cookies, please see Section 9 below.
Outside Contractors. We may employ independent contractors, vendors and suppliers (collectively, “Outside Contractors”) to provide specific services and products related to the Services, such as hosting and maintaining the Services, providing credit card processing and fraud screening, including Third-Party Payment Providers, and developing applications for the Services. In the course of providing products or services to us, these Outside Contractors may have access to information collected through the Service, including your personal information. We use reasonable efforts to ensure that these Outside Contractors are capable of protecting the security of your personal information.
Disclosure To Protect Lawful Interests. We may disclose personal information if required to do so by law or in the good-faith belief that such action is necessary to (1) conform to the edicts of the law or comply with legal process served on the Company or its parent company, subsidiaries or affiliates, including to meet national security or law enforcement requirements, or other valid legal process, (2) protect and defend the rights or property of the Company or the users of the Services, or (3) act under exigent circumstances to protect the safety of the public or users of the Services.
Professional Advisors. We may provide your personal information to professional advisors, such as lawyers, auditors, bankers, and insurers, where necessary in the course of the professional services that they render to us.
Sale of Information. We reserve the right to transfer personal information to a third party in connection with a sale, merger, general corporate reorganization, or other transfer of all or substantially all of the assets of Nerdio or any of its Corporate Affiliates (as defined below), or that portion of Nerdio or any of its Corporate Affiliates to which the Services relate, or in connection with a strategic investment by a third party in Nerdio, or in the event that we discontinue our business or file a petition or have filed against us a petition in bankruptcy, reorganization or similar proceeding.
Affiliates. We may disclose personal information about you to our Corporate Affiliates. For purposes of this Policy: “Corporate Affiliate” means any person or entity which directly or indirectly controls, is controlled by or is under common control with Nerdio, whether by ownership or otherwise; and “control” means possessing, directly or indirectly, the power to direct or cause the direction of the management, policies or operations of an entity, whether through ownership of fifty percent (50%) or more of the voting securities, by contract or otherwise.
Co-Sponsors of Networking Activities. With your consent, we may share your personal information with co-sponsors of our Networking Activities. These co-sponsors may use your personal information to communicate with you directly, including for their own marketing purposes, or to help us communicate with you. In particular, we may share your personal information, including name; phone number; email address; title; organization; and other similar information, with these co-sponsors.
Retention Period. We review our retention periods for personal information on a regular basis. We will only retain your personal information for as long as necessary to fulfill the purposes for which we collected it or as otherwise permitted by applicable law.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of that personal information, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
4. Your Rights
We generally use your personal information as described in this Policy or as authorized by you or as otherwise disclosed at the time we request such personal information from you. You generally must “opt in” and give us permission to use your personal information for any other purpose.
Under certain circumstances and in compliance with the European Data Protection Laws, you may have certain rights:
Correcting Your Information. The accuracy of your personal information is important to us. You may request to review and correct the personal information we hold about you. If you change your email address, or you think any of the other personal information we hold is inaccurate or out of date, please email us at: [email protected].
Access To Information. You may have the right to ask for a copy of the personal information we hold about you, free of charge, and we will respond to your request within a reasonable time period (or as otherwise required under applicable law).
Marketing. You may have the right to ask us not to process your personal information for marketing purposes. You can exercise your right to prevent such processing by checking or unchecking certain boxes on the forms we use to collect your data or by following other directions we may provide. You can also exercise the right at any time by contacting us at: [email protected].
Right To Portability. You may have the right to receive personal information you have provided to us in a structured, commonly used and machine-readable format. You may also have the right to request that we, as the controller, transmit this data directly to another controller. You may only exercise this right with respect to the personal information you have provided to us with your consent or for the performance of a contract. The right to data portability only applies to personal information. This means that it does not apply to genuinely anonymous data. If you wish to exercise your right to portability, free of charge, please contact us at [email protected]. We will respond to your request within a reasonable time period (or as otherwise required under applicable law).
Request erasure of your personal information. You may have the right to ask us to delete or remove your personal information where there is no good reason for us to continue processing it. You also have the right to ask us to delete or remove all of your personal information in certain circumstances.
Object to processing. You may object to our processing of your personal information where we are relying on a legitimate interest (or that of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
Request the restriction of processing of your personal information. You may have the right to ask us to suspend the processing of your personal information, for example, if you want us to establish its accuracy or the reason for processing it.
Right To File A Complaint. If you are residing in European Economic Area or United Kingdom: If you have any concerns and/or complaints regarding our information privacy practices, please contact us at [email protected], we will help to resolve your question, concern, or complaint. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, after you contacted us, you have the right to file a complaint with the relevant supervisory authority which is established in your country.
5. Transferring your information outside of Europe
Personal information collected on the Services may be transferred from time to time to our offices or personnel, or to third parties, located throughout the world, and the Services may be viewed and hosted anywhere in the world, including countries that may not have laws of general applicability regulating the use and transfer of such personal information. Without limitation of the foregoing, you hereby expressly grant consent to Nerdio to: (a) process and disclose such personal information in accordance with this Policy; (b) transfer such personal information throughout the world, including to the United States or other countries that do not ensure adequate protection for personal data (as defined in the European Data Protection Laws) (as determined by the European Commission or the UK Information Commissioner’s Office, as applicable, each, an “Inadequate Jurisdiction”) and/or countries that may not have laws of general applicability regulating the use and transfer of such personal information; and (c) disclose such personal information to comply with lawful requests by public authorities, including to meet national security or law enforcement requirements. To the extent required by applicable law: whenever we transfer your personal data to third parties (as described in this Policy) located in an Inadequate Jurisdiction, we ensure a similar degree of protection is afforded to it; we may use specific contracts approved by the European Commission (accessible at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj) or the UK Information Commissioner’s Office (accessible at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance/), as applicable, which give personal data the same protection it has in the European Economic Area or the United Kingdom, as applicable, under the European Data Protection Laws; and if we rely on another basis to transfer your personal data to an Inadequate Jurisdiction, we will keep you updated or contact you if required. Please contact us if you want further information on the specific mechanisms used by us when transferring your personal data to an Inadequate Jurisdiction.
6. Data Security
We utilize commercially reasonable administrative, technical, and physical security measures designed to help prevent the loss, misuse, and alteration of the personal information that we obtain from you, but we make no assurances about our ability to prevent any such loss, misuse, to you or to any third party arising out of any such loss, misuse, or alteration. Any information disclosed online can potentially be intercepted and used by unauthorized parties.
7. Controls For Do-Not-Track Features
Most web browsers and some mobile operating systems include a Do-Not-Track (“DNT”) setting that you can activate to signal your preference not to be tracked.
We take no action in response to DNT signals.
8. Third Party Services
The Services may contain links to other websites. This may include providing you with the ability to automatically post updates on LinkedIn, Facebook, and Twitter/X. If you choose to visit other websites, we are not responsible for the privacy practices or content of those other websites, and it is your responsibility to review the privacy policies at those websites to confirm that you understand and agree with their policies.
NOTICE CONCERNING THE INFORMATION OF CHILDREN
The Nerdio Services are not directed to children. In connection with our Services, we do not knowingly solicit information from or market to children under the age of 16. Please contact us if your child has provided personal information to us and we will take reasonable measures to promptly delete the information from our records; however, please be aware that the information may not be completely or comprehensively removed from our databases, if it is kept in a de-identified manner and if we are not able to link that information to the individual.
9. Cookies Policy
At Nerdio, we believe in being transparent about how we collect and use data. This Policy provides information about how and when we use cookies for these purposes.
What is a cookie?
Cookies are small text files sent by us to your computer or mobile device. These files enable Nerdio features and functionality. They are unique to your account or your browser. Session-based cookies last only while your browser is open and are automatically deleted when you close your browser. Persistent cookies last until you or your browser delete them or until they expire.
To find out more about cookies, visit this site.
Does Nerdio uses cookies?
Yes. Nerdio uses cookies and similar technologies like web plugins. We use both session-based and persistent cookies. Nerdio sets and accesses our own cookies on the Services, which include the domains operated by Nerdio and its corporate affiliates. Please note in particular that the Services use Google Analytics, including its data reporting features. Information collected by Google Analytics includes but is not limited to web metrics. For information on how Google Analytics collects and processes data, please see the site “How Google uses data when you use our partners’ sites or apps”, currently located at www.google.com/policies/privacy/partners/. For information on opting out of Google Analytics, we encourage you to visit Google’s website, including its list of currently available opt-out options presently located at https://tools.google.com/dlpage/gaoptout.
Third-party cookies
In addition to our own cookies, we may also use various third-party cookies such as to report usage statistics of the Services, deliver advertisements on and through the Services, and other analytics purposes.
How is Nerdio using cookies?
Some cookies are associated with your account and personal information in order to remember that you are logged in. Other cookies are not tied to your account but are unique and allow us to carry out analytics and customization, among other, similar activities.
Cookies can be used to recognize you when you visit our Sites or use our Services, remember your preferences, and give you a personalized experience that is consistent with your settings. Cookies also make your interactions faster and more secure.
What third-party cookies does Nerdio use?
You can find a list of the third-party cookies Nerdio uses on the Services, along with other relevant information below While we do our best to keep this list updated, please note it may change from time to time.
In addition, we would like you to be aware that, when you make a payment through the Sites and interact with our Payment Services Provider, the Payment Services Provider may collect personal information including via cookies and similar technologies. The personal information the Payment Services Provider collects may include transactional data and identifying information about devices that connect to its services. The Payment Services Provider uses this information to operate and improve the services it provides to us, including for fraud detection, loss prevention, authentication, and analytics related to the performance of its services. You can learn more about the Payment Services Provider and read its privacy policy at https://stripe.com/privacy.
How are cookies used for advertising purposes?
Cookies and other ad technology such as beacons, pixels, and tags help us market more effectively to users that we and our partners believe may be interested in Nerdio. They also help provide us with aggregated auditing, research, and reporting, and help us know when content has been shown to you.
Note that information collected from cookies and other similar technologies (which may include device identifiers) may be used to send you online advertising for the Services. In particular, information collected from cookies (including cookies placed by third-party vendors, such as Google and its partners) and other similar technologies (which may include device identifiers) may be used to deliver advertisements to users of our Services when such users are using other websites, including Facebook, LinkedIn, and YouTube. These third-party vendors may use cookies and/or device identifiers to serve ads based on your past usage to our Services. You may opt out of a third-party vendor’s use of cookies and/or device identifiers for personalized advertising by visiting https://thenai.org/opt-out/.
What can you do if you don’t want cookies to be set or want them to be removed, or if you want to opt out of internet-based targeting?
Some people prefer not to allow cookies, which is why most browsers give you the ability to manage cookies to suit you. In some browsers, you can set up rules to manage cookies on a site-by-site basis, giving you more fine-grained control over your privacy. What this means is that you can disallow cookies from all sites except those that you trust.
Browser manufacturers provide help pages relating to cookie management in their products. Please see the links below for more information.
For other browsers, please consult the documentation that your browser manufacturer provides.
You may also be able to opt out of interest-based targeting provided by participating ad servers through the Digital Advertising Alliance (http://youradchoices.com). In addition, on your iPhone, iPad, or Android, you can change your device settings to control whether you see online interest-based ads.
If you limit the ability of websites and applications to set cookies, you may worsen your overall user experience and/or lose the ability to access the services, since it will no longer be personalized to you. It may also stop you from saving customized settings like login information.
10. How to Contact Us
If you have questions or comments about these policies, please email us at [email protected] or call us at (877) 909-5410.
11. Updates and Changes
We may revise this Policy from time to time. We will not make changes that result in significant additional uses or disclosures of your personal information without allowing you to “opt in” to such changes. We may also make non-significant changes to this Policy that generally will not significantly affect our use of your personal information, for which your opt-in is not required. We encourage you to check this page periodically for any changes. If any non-significant changes to this Policy are unacceptable to you, you must immediately contact us and, until the issue is resolved, stop using the Services.
12. Additional Information for California Residents
This Section 12 shall apply only to the extent that we are regulated as a business (as defined in the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively with any regulations promulgated thereunder, the “CCPA”)) under the CCPA. This Section 12 shall apply to you only if you are a California resident.
As used in this Section 12, “sell” (including any grammatically inflected forms thereof) means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, consumer information (as defined below) to a third party for monetary or other valuable consideration.
“Selling” does not include (i) disclosing consumer information to a third party at your direction, (ii) where you intentionally interact with one or more third parties, or (iii) transfers of your consumer information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of Nerdio, provided that information is used or shared consistent with the CCPA.
As used in this Section 12, “share” (including any grammatically inflected forms thereof) means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, consumer information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions with a third party for cross-context behavioral advertising for our benefit in which no money is exchanged.
“Sharing” does not include (i) disclosing consumer information to a third party at your direction, (ii) where you intentionally interact with one or more third parties, (iii) where you have opted out in accordance with Section 12.7, disclosures to persons for the purposes of alerting such persons that you have opted out of the sharing of your consumer information, or (iv) transfers of your consumer information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of Nerdio, provided that information is used or shared consistently with the CCPA.
12.1. Consumer Information Collected: We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with particular California residents or households (“consumer information”). Consumer information does not include deidentified or aggregated information, publicly available information or lawfully obtained, truthful information that is a matter of public concern, or any other information that is excepted from the definition of “personal information” under the CCPA, or any information that is otherwise not regulated by the CCPA. For purposes of this Section 12.1, “publicly available information” means information that is lawfully made available from federal, state, or local government records, or information that we have a reasonable basis to believe is lawfully made available to the general public by you or from widely distributed media, or information made available by a person to whom you have disclosed the information if you have not restricted the information to a specific audience.
For purposes hereof, “sensitive consumer information” means: (1) consumer information that reveals (A) your social security, driver’s license, state identification card, or passport number; (B) your account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (C) your precise geolocation; (D) your racial or ethnic origin, religious or philosophical beliefs, or union membership; (E) the contents of your mail, email, and text messages, unless we are the intended recipient of the communication; (F) your genetic data; and (2)(A) consumer information consisting of biometric information processed for the purpose of uniquely identifying you; (B) consumer information collected and analyzed concerning your health; or (C) consumer information collected and analyzed concerning your sex life or sexual orientation. We do not use or disclose your sensitive consumer information.
Please note that to the extent we consider Deidentified Data (as defined below) outside the scope of the CCPA because it is not identifiable, then, to the extent required by the CCPA, we hereby publicly commit to process Deidentified Data in our possession only in a de-identified fashion and not attempt to re-identify such Deidentified Data. “Deidentified Data” means data that cannot reasonably be used to infer information about, and that cannot reasonably be linked to, an identified California resident or an identifiable California resident.
In particular, with respect to the Services, we have collected the following categories of consumer information from California residents or households within the last twelve (12) months and, in connection therewith, we may collect the following categories of consumer information from California residents or households:
For the avoidance of doubt, with respect to the Services and Networking Activities, we have not collected sensitive consumer information from California residents or households within the last twelve (12) months and, in connection therewith, we do not collect sensitive consumer information from California residents or households.
12.2. Purposes for Collection of Consumer Information; Categories of Sources: We collect consumer information for the business or commercial purposes described in the tables above and in the manner described in Sections 3 and 9 of this Policy with respect to personal information. Regarding the categories of sources from which consumer information is collected, we collect consumer information from the categories of sources described in the tables above and in the manner described in Sections 1 and 2 of this Policy with respect to personal information.
12.3. Disclosures of Consumer Information for a Business or Commercial Purpose: Nerdio may disclose your consumer information described in the tables above to a third party for a business or commercial purpose, as described in the tables above and in Sections 3 and 9 of this Policy.
12.4. Sharing and Sales of Consumer Information:
12.4.1. In the preceding twelve (12) months, Nerdio has not sold, nor does it or will it sell, consumer information.
12.4.2. Your consumer information (as described in the tables above) may be shared for the business or commercial purposes set forth in the tables above.
12.4.3. In the preceding twelve (12) months, Nerdio has shared the categories of consumer information as described in the tables above.
12.4.4. Nerdio does not have actual knowledge that it shares the consumer information of minors under the age of 16.
12.5. California Residents’ Rights and Choices: The CCPA provides California residents with specific rights regarding their consumer information. This Section describes your CCPA rights (to the extent applicable to you) and explains how to exercise those rights.
12.5.1. Access to Specific Information and Data Portability Rights: You may have the right to request that Nerdio disclose certain information to you about our collection and use of your consumer information over the past twelve (12) months or such other period required by the CCPA. Once we receive and confirm your verifiable consumer request (in the manner described in Section 12.6 below), to the extent required by the CCPA, we will disclose to you:
12.5.1.1. The categories of consumer information we collected about you.
12.5.1.2. The categories of sources for the consumer information we collected about you.
12.5.1.3. Our business or commercial purpose for collecting or sharing that consumer information.
12.5.1.4. The categories of third parties to whom we disclose that consumer information.
12.5.1.5. The specific pieces of consumer information we collected about you (also called a data portability request).
12.5.1.6. If we shared or disclosed your consumer information for a business or commercial purpose, two separate lists disclosing: (i) sharing, identifying the consumer information categories that each category of third party received; and (ii) disclosures for a business or commercial purpose, identifying the categories of recipients to whom such consumer information was disclosed and the consumer information categories that each category of recipient obtained.
12.5.2. Deletion Request Rights: You have the right to request that Nerdio delete any of your consumer information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm a verifiable request from you or your authorized agent (in each case if you are a California resident) in the manner described in Section 12.6 below (“verifiable consumer request”), we will delete (and notify our service providers and/or contractors to delete and notify all third parties with whom we have shared your consumer information to delete, unless this proves impossible or involves disproportionate effort) your consumer information from our records, unless an exception applies or retention of your consumer information is otherwise permitted by the CCPA. We may deny your deletion request if retaining the information is reasonably necessary for us or our service provider(s) and/or contractor(s) to:
12.5.2.1. Complete the transaction for which we collected the consumer information, provide a product or service that you requested, take actions reasonably anticipated by you within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.
12.5.2.2. Help to ensure security and integrity to the extent the use of your consumer information is reasonably necessary and proportionate for those purposes.
12.5.2.3. Debug to identify and repair errors that impair existing intended functionality.
12.5.2.4. Exercise free speech, ensure the right of another consumer to exercise that consumer’s free speech rights, or exercise another right provided for by law.
12.5.2.5. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.).
12.5.2.6. Engage in public or peer-reviewed scientific, historical, or statistical research that conforms or adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the ability to complete the research, if you have provided informed consent.
12.5.2.7. Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us and compatible with the context in which you provided the information.
12.5.2.8. Comply with a legal obligation.
12.5.3. Correction Request Rights: You have the right to request that we correct inaccurate consumer information about you that we maintain, taking into account the nature of the consumer information and the purposes of the processing of the consumer information. If we receive a verifiable consumer request from you to correct inaccurate consumer information, we will use commercially reasonable efforts to correct such inaccurate consumer information as directed by you, pursuant to Section 1798.130 of the CCPA and regulations adopted pursuant to the CCPA.
12.6. Exercising Access, Data Portability, Correction, and Deletion Rights:
12.6.1. To exercise the access, data portability, correction, and deletion rights described in Section 12.5 above, please submit a verifiable consumer request to us by either: (1) calling us at 877-909-5410; (2) visiting https://getnerdio.com/; or (3) contacting us in accordance with Section 10. Only you, or someone legally authorized to act on your behalf (such as an authorized agent), may make a verifiable consumer request related to your consumer information. Someone legally authorized to act on your behalf (such as an authorized agent) may make a verifiable consumer request on your behalf, provided that you have duly authorized that person or entity to make such a verifiable consumer request on your behalf and provided that that person or entity can provide verification of their authority to make such a request on your behalf where required. You may also make a verifiable consumer request on behalf of your minor child. You may make a verifiable consumer request for access or data portability no more than twice within a twelve (12) month period. The verifiable consumer request must: (i) provide sufficient information that allows us to reasonably verify you are the person about whom we collected consumer information or an authorized agent; and (ii) describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. We cannot respond to your request or provide you with consumer information if we cannot verify your identity or authority to make the request and confirm the consumer information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use consumer information provided for the purposes of verification of a consumer request to verify the requestor’s identity or authority to make the request. In the event you make a request under this Section, we may take various approaches to verify your identity depending on the nature of your request. These approaches may include initiating video conferencing or telephone calls with you or reaching out to you by email or otherwise to ask you questions pertaining to the information we have about you. For instructions on exercising sharing opt-out rights, see Section 12.7.
12.6.2. We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to ninety (90) days), we will inform you of the reason and extension period in writing. If you have an account with us, we may deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your consumer information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance. If your requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify you of the reason for refusing the request.
12.7. Notice of Right to Opt-Out of Sharing of Consumer Information
12.7.1. If you are 16 years of age or older, you have the right to direct us to not share your consumer information at any time (the “right to opt-out”). We do not share the consumer information of California residents we actually know are less than 16 years of age. California residents who opt-in to consumer information sharing may opt-out of future sharing at any time.
12.7.2. To exercise the right to opt-out, you (or your authorized agent) may submit a request to us by visiting the following Internet Web page link: Do Not Share My Personal Information
12.7.3. Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorize consumer information sharing. However, you may change your mind and opt back in to consumer information sharing at any time by visiting the following Internet Web page link: Do Not Share My Personal Information
12.7.4. You do not need to create an account with us to exercise your opt-out rights. We will only use consumer information provided in an opt-out request to review and comply with the request.
12.7.5. Someone legally authorized to act on your behalf (such as an authorized agent) may make a request on your behalf under this Section, provided that you have duly authorized that person or entity to make such request on your behalf and provided that that person or entity can provide verification of their authority to make such a request on your behalf where required.
12.8. Non-Discrimination
12.8.1. We will not discriminate against you for exercising any of your CCPA rights, including, unless permitted by the CCPA, by:
12.8.1.1. Denying you goods or services;
12.8.1.2. Charging you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
12.8.1.3. Providing you a different level or quality of goods or services;
12.8.1.4. Suggesting that you may receive a different price or rate for goods or services or a different level or quality of goods or services; or
12.8.1.5. Retaliating against an employee, applicant for employment, or independent contractor, as defined in subparagraph (A) of paragraph (2) of subdivision (m) of Section 1798.145 of the CCPA for exercising their rights under the CCPA.
12.9. Consumer Information Retention. We will only retain your consumer information for as long as necessary to fulfill the purposes for which we collected it or as otherwise permitted by applicable law. To determine the appropriate retention period for consumer information, we consider the amount, nature, and sensitivity of that consumer information, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process your consumer information and whether we can achieve those purposes through other means, and the applicable legal requirements.
12.10. Contact. If you have any questions or concerns relating to this Policy and/or our consumer information practices, please contact us in accordance with Section 10.
NERDIO FOR AZURE STANDARD TERMS AND CONDITIONS
Please see Microsoft Commercial Marketplace terms and conditions here.
Effective November 17, 2024
Exhibit C
This Data Protection Addendum (“Addendum”) forms part of the Master Customer Agreement (“Agreement”) between Nerdio and Customer. Capitalized terms not otherwise defined herein will have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement will remain in full force and effect.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below will be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended by, and including, this Addendum. By entering into the Agreement, the parties are deemed to have signed all Exhibits, Attachments, Annexes, Schedules, and Appendices, including those incorporated by reference, to this Addendum where applicable.
1. Definitions
1.1. In this Addendum, the following terms will have the meanings set out below and cognate terms will be construed accordingly:
1.1.1. “Applicable Laws” means (a) European Union or Member State laws with respect to any Customer Personal Data in respect of which Customer is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Customer Personal Data in respect of which Customer is subject to any other Data Protection Laws;
1.1.2. “CCPA” means (to the extent applicable) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, together with any regulations promulgated thereunder;
1.1.3. “Customer Personal Data” means any Personal Data Processed by a Contracted Processor solely on behalf of Customer to provide the Services pursuant to or in connection with the Agreement;
1.1.4. “Contracted Processor” means Nerdio or a Subprocessor;
1.1.5. “Data Protection Laws” means collectively, the GDPR and the UK Data Protection Laws, as applicable;
1.1.6. “EEA” means the European Economic Area;
1.1.7. “GDPR” means EU General Data Protection Regulation 2016/679;
1.1.8. “Processing” (including any grammatically inflected forms thereof) means any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, including without limitation collection, recording, organization, structuring, storage, adaptation or alteration, access, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
1.1.9.“Restricted Transfer” means:
- a transfer of Customer Personal Data from Customer to a Contracted Processor; or
- an onward transfer of Customer Personal Data from a Contracted Processor to a Contracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses and/or UK DTA;
1.1.10. “Services” means the services and other activities to be supplied to or carried out by or on behalf of Nerdio for Customer pursuant to the Agreement;
1.1.11. “Standard Contractual Clauses” means the Standard Contractual Clauses for the Transfer of Personal Data as set out in European Commission Decision 2021/914/EC, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN;
1.1.12. “Subprocessor” means any person (including any third party, but excluding an employee of Nerdio or any of its sub-contractors) appointed by or on behalf of Nerdio to Process Customer Personal Data on behalf of Customer in connection with the Agreement;
1.1.15. The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processor” and “Supervisory Authority” will have the same meaning as in the Data Protection Laws (as applicable), and their cognate terms will be construed accordingly;
1.1.16. “UK” means the United Kingdom;
1.1.17. “UK Data Protection Laws” means UK GDPR and the UK’s Data Protection Act 2018 (“UK DPA 2018”);
1.1.18. “UK DTA” means the UK’s ‘International Data Transfer Addendum to the EU Commission Standard Contractual Clauses’, Version B1.0, in force from March 21, 2022, available at https://ico.org.uk/media/for-organisations/documents/4019535/addendum-international-data-transfer.docx.
1.1.19. “UK GDPR” means the UK equivalent of the GDPR, as defined in section 3(10) (and as supplemented by section 205(4)) of the UK DPA 2018; and
2.Processing of Customer Personal Data
2.1. Nerdio will:
- 2.1.1. comply with all applicable Data Protection Laws in the Processing of Customer Personal Data; and
- 2.1.2. not Process Customer Personal Data other than on the Customer’s documented instructions unless Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case Nerdio will to the extent permitted by Applicable Laws inform the Customer of that legal requirement before the relevant Processing of that Personal Data.
2.2. Customer:
- 2.2.1. instructs Nerdio (and authorizes Nerdio to instruct each Subprocessor) to:
- 2.2.1.1. Process Customer Personal Data; and
- 2.2.1.2. in particular, transfer Customer Personal Data to any country or territory as reasonably necessary for the provision of the Services and consistent with the Agreement.
2.3. Exhibit A to this Addendum sets out certain information regarding the Contracted Processors’ Processing of the Customer Personal Data as required by article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws).
3. Nerdio Personnel
Nerdio will take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Customer Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. Security
4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Nerdio will in relation to the Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR and/or the equivalent provision(s) of the UK Data Protection Laws.
4.2. In assessing the appropriate level of security, Nerdio will take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
5. Subprocessing
5.1. Customer authorizes Nerdio to appoint (and permit each Subprocessor appointed in accordance with this section 5 to appoint) Subprocessors in accordance with this section 5 and any restrictions in the Agreement.
5.2.Nerdio may continue to use those Subprocessors already engaged by Nerdio as at the date of this Addendum, subject to Nerdio in each case as soon as practicable meeting the obligations set out in section 5.4.
5.3. Nerdio will give Customer prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within five (5) business days of receipt of that notice, Customer notifies Nerdio in writing of any objections (on reasonable grounds) to the proposed appointment:
- 5.3.1 Nerdio will work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and
- 5.3.2 where such a change cannot be made within ten (10) business days from Nerdio’s receipt of Customer’s notice, notwithstanding anything in the Agreement, Customer may by written notice to Nerdio with immediate effect terminate the Agreement to the extent that it relates to the Services which require the use of the proposed Subprocessor.
5.4. With respect to each Subprocessor, Nerdio will:
- 5.4.1. before the Subprocessor first Processes Customer Personal Data (or, where relevant, in accordance with section 5.2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Customer Personal Data required by the Agreement;
- 5.4.2. ensure that the arrangement between on the one hand (a) Nerdio or (b) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Customer Personal Data as those set out in this Addendum and meet the requirements of article 28(3) of the GDPR and/or the equivalent provision(s) of the UK Data Protection Laws;
- 5.4.3. if that arrangement involves a Restricted Transfer, ensure that the Standard Contractual Clauses and/or UK DTA are at all relevant times incorporated into the agreement between on the one hand (a) Nerdio or (b) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, or before the Subprocessor first Processes Customer Personal Data procure that it enters into an agreement incorporating the Standard Contractual Clauses and/or UK DTA with the Customer; and
- 5.4.4. provide to Customer for review such copies of the Contracted Processors’ agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) as Customer may request from time to time.
5.5. Nerdio will ensure that each Subprocessor performs the obligations under sections 2.1, 3, 4, 6.1, 7.2, 8 and 10.1, as they apply to Processing of Customer Personal Data carried out by that Subprocessor, as if it were party to this Addendum in place of Nerdio.
6. Data Subject Rights
6.1. Taking into account the nature of the Processing, Nerdio will assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
6.2. Nerdio will:
- 6.2.1. promptly notify Customer if any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and
- 6.2.2. ensure that the Contracted Processor does not respond to that request except on the documented instructions of Customer or as required by Applicable Laws to which the Contracted Processor is subject, in which case Nerdio will to the extent permitted by Applicable Laws inform Customer of that legal requirement before the Contracted Processor responds to the request.
7. Personal Data Breach
7.1. Nerdio will notify Customer promptly upon Nerdio becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
7.2. Nerdio will co-operate with Customer and take such reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach, provided that such assistance shall be provided at Customer’s expense, except in the event that such Personal Data Breach is caused by Contracted Processor’s act or omissions, in which case such assistance shall be provided at Contracted Processor’s expense.
8. Data Protection Impact Assessment and Prior Consultation
Nerdio will provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required of Customer by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
9. Deletion or return of Customer Personal Data
9.1. Subject to sections 9.2 and 9.3 Nerdio will promptly and in any event within thirty-one (31) days of the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Customer Personal Data.
9.2. Subject to section 9.3, Customer may in its absolute discretion by written notice to Nerdio within thirty (30) days of the Cessation Date require Nerdio to (a) return a complete copy of all Customer Personal Data to Customer by secure file transfer in such format as is reasonably notified by Customer to Nerdio; and (b) delete and procure the deletion of all other copies of Customer Personal Data Processed by any Contracted Processor. Nerdio will comply with any such written request within thirty-one (31) days of the Cessation Date.
9.3. Each Contracted Processor may retain Customer Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Nerdio will ensure the confidentiality of all such Customer Personal Data and will ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
9.4. Nerdio will provide written certification to Customer that it has fully complied with this section 9 within thirty-one (31) days of the Cessation Date.
10. Audit rights
10.1. Subject to sections 10.1 to 10.3, Nerdio will make available to Customer on request all information necessary to demonstrate compliance with this Addendum, and will allow for and contribute to audits, including inspections, by Customer or an auditor mandated by Customer, provided that no such auditor will be a competitor of Nerdio or compensated on a contingency basis, in relation to the Processing of the Customer Personal Data by the Contracted Processors.
10.2. Information and audit rights of the Customer only arise under section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law (including, where applicable, article 28(3)(h) of the GDPR and/or equivalent provisions of the UK Data Protection Laws).
10.3. Customer will give Nerdio reasonable prior notice of any audit to be conducted under section 10.1 and will make (and ensure that each of its mandated auditors makes) reasonable efforts to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to the Contracted Processors’ premises, equipment, personnel and business in the course of such an audit. Notwithstanding anything to the contrary in this section 10 no audit shall be undertaken unless or until Customer has requested, and Nerdio has provided, information about Nerdio’s data protection practices and Customer reasonably determines that an audit remains necessary to demonstrate material compliance with the obligations laid down in this Addendum.
For the purposes of such an audit:
- 10.3.1. A Contracted Processor need not give access to its premises to any individual unless he or she produces reasonable evidence of identity and authority;
- 10.3.2. outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Customer undertaking an audit has given notice to Nerdio that this is the case before attendance outside those hours begins; or
- 10.3.3. for the purposes of more than [one] audit or inspection, in respect of each Contracted Processor, in any [calendar year], except for any additional audits or inspections which:
- 10.3.3.1. Customer reasonably considers necessary because of genuine concerns as to Nerdio’s compliance with this Addendum; or
- 10.3.3.2. Such audit shall not occur outside normal business hours;
- where Customer has identified its concerns or the relevant requirement or request in its notice to Nerdio of the audit.
- 10.3.4. In no event shall Customer or any mandated auditor have access to the information of any other client of Nerdio;
- 10.3.5. The disclosures made pursuant to this section 10 shall be held in confidence as Nerdio’s confidential information and subject to any confidentiality obligations in the Agreement; and
- 10.3.6. Without limiting the generality of any provision in the Agreement, Customer shall employ the same degree of care to safeguard information it receives under this section 10 that it uses to protect its own confidential and proprietary information and in any event, not less than a reasonable degree of care under the circumstances, and Customer shall be liable for any improper disclosure or use of information received under this section 10 by Customer or its agents.
11. Transfers
11.1. To the extent Nerdio Processes Customer Personal Data regulated by the GDPR solely on behalf of Customer (“EU Personal Data”), and to the extent Customer is a Controller and Nerdio is a Processor on behalf of Customer with regard to such EU Personal Data, then to the extent required by the GDPR, Module 2 of the Standard Contractual Clauses (the “Controller to Processor Standard Contractual Clauses”) will apply to the transfer of such EU Personal Data by Customer to Nerdio and to Nerdio’s Processing of such EU Personal Data and the parties hereby agree to comply with such Controller to Processor Standard Contractual Clauses, which are hereby incorporated into the Agreement in their entirety, as set forth in Exhibit B. In the event of a conflict between the Agreement and the Controller to Processor Standard Contractual Clauses, the Controller to Processor Standard Contractual Clauses will control to the extent applicable to such EU Personal Data.
11.2. To the extent Nerdio Processes EU Personal Data, and to the extent Customer is a Processor on behalf of a third party with respect to EU Personal Data and Nerdio is a Processor on behalf of Customer with regard to such EU Personal Data, then to the extent required by the GDPR, Module 3 of the Standard Contractual Clauses (the “Processor to Processor Standard Contractual Clauses”) will apply to the transfer of such EU Personal Data by Customer to Nerdio and to Nerdio’s Processing of such EU Personal Data and the parties hereby agree to comply with such Processor to Processor Standard Contractual Clauses, which are hereby incorporated into the Agreement in their entirety, as set forth in Exhibit C. In the event of a conflict between the Agreement and the Processor to Processor Standard Contractual Clauses, the Processor to Processor Standard Contractual Clauses will control to the extent applicable to such EU Personal Data.
11.3. To the extent Nerdio Processes Personal Data regulated by the UK Data Protection Laws solely on behalf of Customer (“UK Personal Data”), then to the extent required by the UK Data Protection Laws, the UK DTA will apply to the transfer of such UK Personal Data by Customer to Nerdio and to Nerdio’s Processing of such UK Personal Data and the parties hereby agree to comply with such UK DTA, which is hereby incorporated into the Agreement in its entirety and as set forth in Exhibit D. In the event of a conflict between the Agreement and the UK DTA, the UK DTA will control to the extent applicable to the UK Personal Data.
11.4. To the extent Customer makes available to Nerdio any information relating to any identified or identifiable individual or household that is regulated by the CCPA for a business purpose pursuant to the Agreement and/or to the extent Nerdio Processes Personal Data regulated by the CCPA solely on behalf of Customer (collectively, “California Personal Data”), then to the extent required by the CCPA, the California Data Exhibit (attached hereto as Exhibit E, the “California Data Exhibit”) will apply to Nerdio’s Processing of such California Personal Data and the parties hereby agree to comply with such California Data Exhibit, which is hereby incorporated into the Agreement in its entirety. In the event of a conflict between the Agreement and the California Data Exhibit, the California Data Exhibit will control to the extent applicable to the California Personal Data.
12. General Terms
Governing law and jurisdiction
12.1. Without prejudice to clauses 17 and 18 of the Standard Contractual Clauses and/or equivalent provision(s) in the UK DTA:
- 12.1.1. the parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
- 12.1.2. this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
Order of precedence
12.2. Nothing in this Addendum reduces Nerdio’s obligations under the Agreement in relation to the protection of Personal Data or permits Nerdio to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Agreement.
12.3. Subject to section 12.2, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum will prevail.
Miscellaneous.
12.4. Customer may:
- 12.4.1. by at least 30 (thirty) calendar days’ written notice to Nerdio from time to time make any variations to the Standard Contractual Clauses and/or UK DTA (including any Standard Contractual Clauses and/or UK DTA entered into under section 11), as they apply to Restricted Transfers which are subject to a particular Data Protection Law, which are required, as a result of any change in, or decision of a competent authority under, that Data Protection Law, to allow those Restricted Transfers to be made (or continue to be made) without breach of that Data Protection Law; and
- 12.4.2. propose any other variations to this Addendum which Customer reasonably considers to be necessary to address the requirements of any Data Protection Law.
12.5. If Customer gives notice under section 12.4.1:
- 12.5.1. Nerdio will promptly co-operate (and take reasonable steps designed to ensure that any affected Subprocessors promptly co-operate) to ensure that equivalent variations are made to any agreement put in place under section 5.4.3; and
- 12.5.2. Customer will not unreasonably withhold or delay agreement to any consequential variations to this Addendum proposed by Nerdio to protect the Contracted Processors against additional risks associated with the variations made under section 12.4.1 and/or 12.5.1.
12.6. If Customer gives notice under section 12.4.2, the parties will promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Customer’s notice as soon as is reasonably practicable.
12.7. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum will remain valid and in force. The invalid or unenforceable provision will be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
12.8. Customer represents, warrants, and covenants that: (i) it has (and will have) Processed, collected, and disclosed all Customer Personal Data and California Personal Data (collectively, “Processed Personal Data”) in compliance with applicable law and provided any notice and obtained all consents and rights required by applicable law to enable Nerdio to lawfully Process Processed Personal Data as permitted by the Agreement and/or this Addendum; (ii) it has (and will continue to have) full right and authority to make the Processed Personal Data available to Nerdio under the Agreement and this Addendum; and (iii) Nerdio’s Processing of the Processed Personal Data in accordance with the Agreement, this Addendum, and/or Customer’s instructions does and will not infringe upon or violate any applicable law or any rights of any third party. Customer shall indemnify, defend and hold Nerdio harmless against any claims, actions, proceedings, expenses, damages and liabilities (including without limitation any governmental investigations, complaints and actions) and reasonable attorneys’ fees arising out of Customer’s violation of this section 12.8. Notwithstanding anything to the contrary in the Agreement, Customer’s indemnification obligations under this section 12.8 shall not be subject to any limitations of liability set forth in the Agreement.
12.9. Notwithstanding anything to the contrary in the Agreement (including this Addendum), Customer acknowledges that Nerdio shall have a right to use and disclose data relating to the operation, support and/or use of the Services for its legitimate business purposes, such as product development and sales and marketing. To the extent any such data is considered personal data (as defined in, and regulated by the Data Protection Laws), then, to the extent Nerdio is subject to the Data Protection Laws as a Controller, Nerdio is the Controller of such data and accordingly shall Process such data in accordance with the Data Protection Laws. To the extent any such data is considered personal information (as defined in, and regulated by, the CCPA), then, to the extent Nerdio is subject to the CCPA as a business (as defined in the CCPA), Nerdio is the business (as defined in the CCPA) with respect to such data and accordingly shall Process such data in accordance with the CCPA.
Exhibit A: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
This Exhibit A includes certain details of the Processing of Customer Personal Data as required by Article 28(3) GDPR (and, possibly, equivalent requirements of other Data Protection Laws).
Subject matter and duration of the Processing of Customer Personal Data
The subject matter of the Processing of the Customer Personal Data are set out in the Agreement and this Addendum. The duration of the Processing shall continue as long as Nerdio carries out Customer Personal Data Processing operations on behalf of Customer or until the termination of the Agreement (and all Customer Personal Data has been returned or deleted in accordance with this Addendum).
The nature and purpose of the Processing of Customer Personal Data
The nature of the processing is such that the Customer Personal Data will be subject to basic Processing, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services by Nerdio to Customer in accordance with the terms of the Agreement.
The types of Customer Personal Data to be Processed
The categories of Personal Data included within the Customer Personal Data to which Customer provides Nerdio access.
The categories of Data Subject to whom the Customer Personal Data relates
Individuals whose Personal Data is included within the Customer Personal Data uploaded to the Services by or behalf of Customer.
The obligations and rights of Customer
The obligations and rights of Customer are set out in the Agreement and this Addendum.
EXHIBIT B: MODULE 2 CONTROLLER TO PROCESSOR STANDARD CONTRACTUAL CLAUSES
(a) For the purposes of the Controller to Processor Standard Contractual Clauses:
(1) Clause 7. The parties agree that the optional language in Clause 7 is included.
(2) Clause 9(a). The parties agree that under Option 2, Nerdio has Customer’s general authorization to subcontract its processing activities to the list of sub-processors set out in section (a)(11)(i). Nerdio will inform Customer in writing of any intended changes to the list of sub-processors set out in section (a)(11)(i) at least 10 days prior to engaging with any other sub-processor.
(3) Clause 11. The parties agree that the optional language in Clause 11 is excluded.
(4) Clause 13. The parties agree that the brackets are removed in the provisions in Clause 13(a) such that the appropriate provision will apply as applicable.
(5) Clause 17. Option 1 shall apply and the Controller to Processor Standard Contractual Clauses shall be governed by the laws of Ireland.
(6) Clause 18. The parties agree that any dispute arising from the Controller to Processor Standard Contractual Clauses shall be resolved by the courts of Ireland.
(7) Annex I.A.
i. The name and address of Customer, and the name, position, and contact details of the contact person of Customer (which is the data exporter) are as set forth in the Agreement.
ii. The name and address of Nerdio, and the name, position, and contact details of the contact person of Nerdio (which is the data importer) are as follows:
- Name: Nerdio, Inc.
- Address: 7061 N. Kedzie Ave., Suite 515, Chicago, IL 60645
- Kevin Murray , VP, Technical Solutions, [email protected]
iii. The activities relevant to the data transferred are the provision and receipt of the Services as described in the Agreement.
iv. The signature and date are the signature and date set forth in the Agreement.
v. The roles of the parties are as follows: Nerdio is a processor and Customer is a controller.
(8) Annex I.B.
i. The categories of data subjects are individuals whose personal data is included within the Customer Personal Data uploaded to the Services by or behalf of Customer.
ii. The categories of personal data transferred are the categories of personal data included within the Customer Personal Data uploaded to the Services by or behalf of Customer.
iii. The categories of sensitive data transferred are the categories of sensitive data included within the Customer Personal Data uploaded to the Services by or behalf of Customer.
iv. The frequency of the transfer shall be on a continuous basis.
v. The nature of the processing is such that the personal data will be subject to basic processing, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services by data importer to the data exporter in accordance with the terms of the Agreement.
vi. The purpose of the data transfer and further processing is provision of the Services by data importer to data exporter.
vii. The duration of the processing under these Controller to Processor Standard Contractual Clauses shall continue as long as data importer carries out personal data processing operations on behalf of data exporter or until the termination of the Agreement (and all personal data has been returned or deleted in accordance with these Controller to Processor Standard Contractual Clauses).
viii. For transfers to sub-processors, personal data will be transferred to sub-processors in order for the data importer to provide the Services to the data exporter. The nature of the processing by such sub-processors will be as follows: the personal data will be subject to basic processing, which may include without limitation collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services to the data exporter in accordance with the terms of the Agreement. The duration of the processing by such sub-processors shall continue as long as such sub-processors carry out personal data processing operations on behalf of the data importer.
(9) Annex I.C.
i. The data exporter’s competent supervisory authority will be determined by the GDPR.
(10) Annex II.
i. The data importer employs a number of technical and organizational measures as further specified in _N/A___. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Nerdio shall implement commercially reasonable technical and organizational measures with respect to Customer Personal Data intended to meet the security requirements under Applicable Laws
(11) Annex III.
i. Customer hereby authorizes the use of the following sub-processors:
- N/A
EXHIBIT C: MODULE 3 PROCESSOR TO PROCESSOR STANDARD CONTRACTUAL CLAUSES
(a) For the purposes of the Processor to Processor Standard Contractual Clauses:
(1) Clause 7. The parties agree that the optional language in Clause 7 is included.
(2) Clause 9(a). The parties agree that under Option 2, Nerdio has Customer’s general authorization to subcontract its processing activities to the list of sub-processors set out in section (a)(11)(i). Nerdio will inform Customer in writing of any intended changes to the list of sub-processors set out in section (a)(11)(i) at least 10 days prior to engaging with any other sub-processor.
(3) Clause 11. The parties agree that the optional language in Clause 11 is excluded.
(4) Clause 13. The parties agree that the brackets are removed in the provisions in Clause 13(a) such that the appropriate provision will apply as applicable.
(5) Clause 17. Option 1 shall apply and the Processor to Processor Standard Contractual Clauses shall be governed by the laws of Ireland.
(6) Clause 18. The parties agree that any dispute arising from the Processor to Processor Standard Contractual Clauses shall be resolved by the courts of Ireland.
(7) Annex I.A.
i. The name and address of Customer, and the name, position, and contact details of the contact person of Customer (which is the data exporter) are as set forth in the Agreement.
ii. The name and address of Nerdio, and the name, position, and contact details of the contact person of Nerdio (which is the data importer) are as set forth in Exhibit B, Section (a)(7)(ii).
iii. The activities relevant to the data transferred are the provision and receipt of the Services as described in the Agreement.
iv. The signature and date are the signature and date set forth in the Agreement.
v. The roles of the parties are as follows: Nerdio is a processor and Customer is a processor.
(8) Annex I.B.
i. The categories of data subjects are individuals whose personal data is included within the Customer Personal Data uploaded to the Services by or behalf of Customer.
ii. The categories of personal data transferred are the categories of personal data included within the Customer Personal Data uploaded to the Services by or behalf of Customer.
iii. The categories of sensitive data transferred are the categories of sensitive data included within the Customer Personal Data uploaded to the Services by or behalf of Customer.
iv. The frequency of the transfer shall be on a continuous basis.
v. The nature of the processing is such that the personal data will be subject to basic processing, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services by data importer to the data exporter in accordance with the terms of the Agreement.
vi. The purpose of the data transfer and further processing is provision of the Services by data importer to data exporter.
vii. The duration of the processing under these Processor to Processor Standard Contractual Clauses shall continue as long as data importer carries out personal data processing operations on behalf of data exporter or until the termination of the Agreement (and all personal data has been returned or deleted in accordance with these Processor to Processor Standard Contractual Clauses).
viii. For transfers to sub-processors, personal data will be transferred to sub-processors in order for the data importer to provide the Services to the data exporter. The nature of the processing by such sub-processors will be as follows: the personal data will be subject to basic processing, which may include without limitation collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services to the data exporter in accordance with the terms of the Agreement. The duration of the processing by such sub-processors shall continue as long as such sub-processors carry out personal data processing operations on behalf of the data importer.
(9) Annex I.C.
i. The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
(10) Annex II.
i. Section (a)(10)(i) of Exhibit B is incorporated herein by reference.
(11) Annex III.
i. Section (a)(11)(i) of Exhibit B is incorporated herein by reference.
EXHIBIT D: UK DTA
(a) For the purposes of the UK DTA:
(1) For the purposes of Table 1 of the UK DTA, the start date shall be the later of the DPA Date or the date the Agreement is entered into by the parties, and the names of the parties, their roles and their details shall be as set out in Exhibit B section (a)(7) and Exhibit C section (a)(7), respectively;
(2) For the purposes of Tables 2 and 3 of the UK DTA, the Controller to Processor Standard Contractual Clauses and the Processor to Processor Standard Contractual Clauses, including the information set out in Exhibit B section (a)(8), (10), and (11)(i) and Exhibit C section (a)(8), (10), and (11)(i), respectively, shall apply; and
(3) For the purposes of Table 4 of the UK DTA, either party may end the UK DTA.
EXHIBIT E: CALIFORNIA DATA EXHIBIT
- This California Data Exhibit (this “Exhibit E”), forms part of the Addendum. Capitalized terms used and not otherwise defined herein shall have the meanings ascribed to them in the Addendum or the Agreement (as applicable). The following types of California Personal Data will be subject to processing hereunder: the categories of California Personal Data uploaded to the Services by or behalf of Customer.
- CCPA Provisions.
a. In this Exhibit E, the following terms have the meanings given in the CCPA: “business purpose”, “personal information”, “processing”, “service provider”, “contractor”, “person”, “share”, “sharing”, “shared”, “sell”, “selling”, “sale” and “sold”.
b. Except as otherwise required by applicable law or as otherwise permitted by the CCPA, Nerdio shall:
i. not sell or share California Personal Data;
ii. not retain, use, or disclose California Personal Data for any purpose other than for the business purposes of providing the Services specified in the Agreement for the Customer, nor retain, use, or disclose California Personal Data for a commercial purpose other than the business purposes specified in the Agreement, or as otherwise permitted by the CCPA;
iii. not retain, use, or disclose California Personal Data outside of the direct business relationship between the parties;
iv. not combine California Personal Data, which Nerdio receives pursuant to the Agreement or from or on behalf of Customer, with personal information which it receives from or on behalf of another person or persons, or collects from its own interaction with the individual to whom such California Personal Data relates, except as otherwise expressly permitted by the CCPA;
v. reasonably cooperate with Customer in responding to any requests from any individual regarding California Personal Data relating to such individual, including reasonably assisting Customer in deletion, correction, or limitation of the use of such California Personal Data where required under the CCPA, and including instructing Nerdio’s service providers and/or contractors (if any) to so reasonably cooperate in such response;
vi. reasonably assist Customer through appropriate technical and organizational measures in Customer’s complying with the requirements of subdivisions (d) to (f), inclusive, of section 1798.100 of the CCPA, taking into account the nature of the California Personal Data processing by Nerdio;
vii. implement and maintain commercially reasonable security procedures and practices appropriate to the nature of the California Personal Data intended to protect such California Personal Data from unauthorized access, destruction, use, modification, or disclosure;
viii. comply with all applicable obligations under the CCPA and provide the same level of privacy protection with respect to California Personal Data as required by the CCPA;
ix. notify Customer if Nerdio determines it can no longer meet its obligations under the CCPA; and
x. comply with section 1798.140(m) of the CCPA with respect to deidentified data (as defined in the CCPA) received by Nerdio from Customer.
To the extent Nerdio is a contractor, Nerdio certifies that Nerdio understands the restrictions provided in sections 2(b)(i), 2(b)(ii), 2(b)(iii), and 2(b)(iv) and will comply with them.
c. Nerdio acknowledges and agrees that the California Personal Data has been disclosed to it for the limited and specified purposes set forth in the Agreement and Nerdio further acknowledges and agrees Customer shall have the right: (i) to take reasonable and appropriate steps to ensure that Nerdio uses California Personal Data in a manner consistent with Customer’s obligations under the CCPA; and (ii) upon notice from Customer to Nerdio, to take reasonable and appropriate steps to stop and remediate unauthorized use of California Personal Data.
d. To the extent required by the CCPA and to the extent Nerdio is a contractor, Nerdio shall permit Customer to monitor Nerdio’s compliance with this Exhibit E by conducting audits in accordance with section 10 of this Addendum and including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing.
e. If Nerdio engages any other person to assist Nerdio in processing California Personal Data for a business purpose on behalf of Customer, Nerdio shall notify Customer of such engagement, and the engagement shall be pursuant to a written contract binding the other person to observe substantially similar requirements to those set forth in this Exhibit E. Nerdio hereby notifies Customer that Nerdio may engage the persons listed in section (a)(11)(i) of Exhibit B to this Addendum to assist Nerdio in processing California Personal Data for a business purpose on behalf of Customer.
Structured Onboarding & Training
90-day onboarding support with structured methodology
Curated training plan for day-to-day operation of Nerdio
Unlimited self-paced learning via Learning Management System (LMS) and up to four (4) credits for the virtual instructor led training (VILT) sessions within the first 12-months (1 credit = a single session of up to 2 hours of VILT.)
Ongoing Enablement & Technical Support
Designated Technical Account Manager
Access to best practices
Quarterly Executive Business Reviews
Unlimited technical support and premium support SLAs (details below)
Enhanced Product Experience
Semi-annual product roadmap presentations
Product release reviews and technical working sessions
Access to new Nerdio features in preview or private beta based on eligibility
Premium Support / Service Level Agreement
As part of the Customer Success Package, Customer is being provided premium support by Nerdio. The following service levels and support components are effective as of the Effective Date:
Service Description
Nerdio agrees to provide 24×7 support for the software product, Nerdio Manager for Enterprise, hereinafter referred to as “Product”. For a detailed view of the support scope please refer to https://nerdio.co/nmescope . Support includes and is not limited to:
- Technical support via webform located at https://nmehelp.getnerdio.com or via email
- Webform is the preferred method and will allow for Customer specified priority
- Software updates and patches via the application
- Bug fixes and issue resolution
Service Level Objectives
Nerdio commits to the following Service Level Objectives
- Application update availability 24×7
- Response times in hours adhere to the following matrix with Customer priority and Nerdio severity levels
Prioritization
- Low Priority:
- Impact: Minimal disruption to business operations or end-users.
- Urgency: No immediate resolution required; can be addressed within a reasonable timeframe.
- Description: Low-priority incidents or requests have minimal impact on business continuity. They may involve non-critical issues or minor enhancements. Resolution timeframes are flexible.
- Medium Priority:
- Impact: Moderate impact on business operations or end-users.
- Urgency: Requires timely resolution but not immediate attention.
- Description: Medium-priority incidents or requests affect specific users or services. They need attention within a reasonable timeframe to prevent escalation. Balancing urgency and impact are essential.
- High Priority:
- Impact: Significant disruption to business operations or end-users.
- Urgency: Urgent resolution needed to minimize impact.
- Description: High-priority incidents or requests impact critical services, affecting multiple users or key processes. Immediate attention and swift resolution are necessary.
- Urgent Priority:
- Impact: Severe disruption to business operations or end-users.
- Urgency: Requires immediate action and rapid resolution.
- Description: Urgent-priority incidents or requests pose a critical threat to business continuity. Immediate attention, escalation, and rapid resolution are imperative.
Service Reporting
Nerdio will provide quarterly performance reports to the Customer that includes and is not limited to:
- Nerdio support performance for in scope issue resolutions
- Customer Performance
- Escalation Performance
Support and Escalation
Support issues specific to the Product will be addressed via ticketing (see above) at which time severity will be applied to the issue. Any issues specific to the Product or its delivery of features may be designated as a software defect. Remediation of those defect includes and is no limited to:
- Escalation to Product Development and Nerdio Customer Success
- Assessment of a hotfix or new release within 72 hours with the established priority and severity
- Best effort to mitigate the defect within 72 hours based on priority and severity
Severity 1 (Critical) – Critical Outage: Halts Operations with Financial Impact or relates to a high-risk security issue. No Workaround exists.
- Conditions that severely impact the primary functionality of the product, halts business operations creating significant financial events, and no workaround exists.
- The issue occurs with high frequency or duration and could require drastic measures to restore services.
- There is a high-risk security issue, as determined by Nerdio.
Severity 2 (High) – Production Impact: Service is highly degraded and impacts the ability for operations. No reasonable workaround exists.
- Impact to large portions of business operations, services are degraded to the point of major impact on usage preventing critical documented functions from working as expected.
- Workarounds may be available, but not scalable.
- Productivity is impacted or a significant portion of operations are at risk.
Severity 3 (Medium) – System Impaired: Features or functionality are impaired, but users can still leverage the service.
- The issue has an impact on administration, maintenance, operation, or other secondary functions or a major issue for which a temporary workaround is available.
- There’s a reduction in the software capacity, but still able to handle the expected load. With available workarounds, functionality, and operations are impaired but can continue with some restrictions.
- Some operational impairment but users can continue to operate.
Severity 4 (Low) – General Guidance: General usage or configuration questions. No business or production impact.
- Question or issue that does not impact the system’s functions and doesn’t affect the system’s ability to deliver expected services to end-users.
- Includes routine technical queries such as usage, configuration, navigation, and feature-related questions.
- Minimal or no impact on business operations.
- “How to” questions regarding features/functionality
- Errors in documentation
Product Update and Release Schedule
The Product updates and releases include and are not limited to:
- *Scheduled releases with new features or remediation for known issues
- Hotfixes for high and critical product issues
- Documentation for known issues where manual mitigation is required
Note: Hotfixes applicable between releases with the exception for 7 days prior to a scheduled* release. Any hotfix within that period will be included in the *scheduled release.
*Current schedule for minor release is 6 weeks