Terms & Policies

Effective: September 18, 2025

FOR INDEPENDENT SOFTWARE VENDORS (“ISV” or “Processor”)

 THIS DATA PROCESSING ADDENDUM APPLIES IF YOU HAVE SIGNED UP FOR PROVIDING NITRO SERVICES AS AN ISV UNDER AN INDEPENDENT SOFTWARE VENDOR AGREEMENT (AS DEFINED IN SECTION 2 BELOW) AND THE EU GDPR APPLIES TO THE PROCESSING OF PERSONAL DATA IN THE CONTEXT OF THE AGREEMENT.

1. SCOPE; ROLES OF THE PARTIES

Nitro will receive and process Personal Data on behalf of the ISV when providing the Services, according to the instructions and purposes defined in the Data Processing Details. By means of this Data Processing Addendum, Parties wish to lay down their specific agreements in respect to processing Personal Data within the framework of the Agreement.

By default, Nitro shall act as a Sub-Processor and the ISV shall act as a Processor in respect of the Services provided by Nitro to the ISV. Nitro acknowledges that the ISV acts on behalf of the Controller for the processing of Personal Data. This Data Processing Addendum supersedes and replaces all previous agreements made (if any) in respect of processing Personal Data and data protection between the Parties related to the Services offered by Nitro under the Agreement.

This Data Processing Addendum supplements and forms part of the Agreement, and together the Agreement and this Data Processing Addendum constitute a single legal agreement between the Parties. In case of discrepancies or contradictions between this Data Processing Addendum and the Agreement, the Data Processing Addendum will prevail.

2. DEFINITIONS

“Agreement” means the Independent Software Vendor Agreement, any Schedules attached thereto, the Nitro ISV Order Form(s) and any information incorporated by reference herein from the Nitro Partner Portal (if applicable);

“Annex” means any annex to the present Data Processing Addendum;

“Controller” means the customer of the Processor (which is considered the End Customer in relation to the Agreement) to which the Processor (i.e. the ISV) provides the Integrated Solution (which includes Services provided by Nitro to the Processor);

“Data Processing Details” means Annex 1 to the present Data Processing Addendum which includes more details on the Controller’s instructions on the processing of Personal Data, conveyed by the Processor to Nitro, such as the purpose, object and nature of processing and the kind of Personal Data being processed;

“EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

“EU Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission under Commission Implementing Decision (EU) 2021/914 of 4 June 2021 including the Processor to Processor SCCs and text from Module 3 of such standard contractual clauses and not any other module and not including any clauses marked as optional in the clauses, as amended or replaced from time to time by a competent authority under the relevant Data Protection Laws. Where the European Parliament and the Council adopt an updated set of EU standard contractual clauses, “EU Standard Contractual Clauses” will be taken to mean the most recent adaptation;

“Nitro sub-processor List” refers to the list of Nitro sub-processors as made available online by Nitro that includes the Nitro sub-processors engaged by Nitro for the provisioning of the Services and the fulfillment of Nitro’s obligation under the Agreement in general. Nitro may update the Nitro sub-processor List from time to time as per the process set out in this Data Processing Addendum;

“Nitro sub-processor” means any third party processor engaged by Nitro for the processing of Personal Data related to the provisioning of the Services to the Processor;

“Personal Data” means personal data as defined under EU GDPR that Nitro processes on behalf of the Processor when providing the Services according to the instructions and purpose defined in the Data Processing Details;

“Processor to Processor SCCs" means Module 3 of the EU Standard Contractual Clauses;

“Processor” refers to the ISV as identified in the Agreement and/or the corresponding Nitro ISV Order Form;

“Sub-Processor” refers to Nitro Software Inc., supplier of the Services to the Processor.

All other terms and definitions written with capital letters and which are not defined expressly in this Data Processing Addendum, are defined as set out in the applicable data protection legislation or the Agreement.

3. OBJECT OF THIS DATA PROCESSING ADDENDUM

3.1  This Data Processing Addendum determines the conditions of the processing by Nitro of Personal Data on behalf of the Processor in the context of the Agreement. The nature and purpose of the processing, a list and the kind of Personal Data as well as the categories of the Data Subjects are listed in the Data Processing Details (Annex 1).

3.2  The processing will take place on behalf of the Processor who acts on behalf of the Controller and for the purposes defined in the Data Processing Details. Nitro shall immediately inform the Processor if, in its opinion, an instruction infringes the applicable (data protection) legislation. Nitro will only process the Personal Data according to the documented instructions of the Controller, conveyed to Nitro by the Processor, as set out in this Data Processing Addendum and will not use these Personal Data for its own purpose, unless as explicitly permitted in the Terms of Service. If Nitro is legally obliged to proceed with any processing of Personal Data, Nitro will, unless this would violate applicable mandatory rules, inform the Processor of such obligation. The Processor may transmit such information to the Controller.

3.3  The Processor warrants that this Data Processing Addendum reflects the arrangements between the Processor and the Controller and the Processor also warrants on an ongoing basis that the Controller has authorized the Processor's engagement of Nitro as a Sub-Processor and Nitro's engagement of Nitro sub-processors as described in Section 10.

4. TERM

5. TECHNICAL AND ORGANIZATIONAL MEASURES

5.1  Nitro offers adequate guarantees with regard to the implementation of appropriate technical and organizational measures (“TOMs”) to ensure secure processing of Personal data and so the protection of the Data Subject's rights is guaranteed. The TOMs implemented by Nitro are set out in the Data Processing Details. The TOMs may be updated by Nitro from time to time, however Nitro will ensure not to downgrade the overall security it has implemented at the moment of the Data Processing Addendum’s execution. The Processor acknowledges the TOMs to be providing an adequate level of security appropriate to the risk for the processing of Personal Data on behalf of the Processor at the moment of signing or accepting this Data Processing Addendum.

5.2  Nitro shall take all appropriate technical and organizational measures as referred to in article 32 EU GDPR to ensure an adequate level of security appropriate to the risk.

5.3  If Nitro would be required to process sensitive Personal Data, as referred to in articles 9 and 10 EU GDPR in the context of the Agreement, the Processor will notify Nitro thereof in writing via privacy@gonitro.com.

5.4  In case the Processor (or the Controller) is requesting specific technical and organizational measures to be implemented by Nitro (which Nitro has not implemented by default), the Processor will reimburse Nitro for implementing such additional measures according to Section 14 “Costs” of this Data Processing Addendum.

5.5  Adherence by Nitro to an approved code of conduct as referred to in article 40 EU GDPR, or an approved certification mechanism as referred to in article 42 EU GDPR may be used as an element of proof of sufficient guarantees as referred to in EU GDPR.

6. RETENTION

6.1  Nitro will not keep Personal Data any longer than required for processing of such Personal Data in the context of the Agreement. The Processor will not instruct Nitro to store any Personal Data longer than necessary. The applicable retention period is set out in the Data Processing Details.

6.2  At the choice of the Processor, Nitro shall delete or return all Personal Data to the Processor after the end of the provisioning of Services and shall delete existing copies unless Union or Member State law requires storage of the Personal Data, which may then be transmitted to the Controller by the Processor. The Processor acknowledges that the Services might include download functionalities at the disposal of the Controller to enable the Controller to download its data. To the extent such functionalities are available, the Processor shall ensure that the Controller uses such functionalities to extract or delete its data.

7. CONFIDENTIALITY

7.1  Parties have agreed on a confidentiality clause in the Agreement which applies to the processing of Personal Data in the context of the Agreement.

7.2  Nitro acknowledges and agrees that only those employees, contractors or agents of Nitro who are involved in the processing of Personal Data may be informed about the Personal Data and only to the extent as reasonably necessary for the performance of the Agreement. Nitro ensures that persons authorized to process the Personal Data are committed to confidentiality by contract or are under an appropriate statutory obligation of confidentiality.

8. DATA SUBJECT RIGHTS

8.1. Taking into account the nature of the processing, Nitro shall use all reasonable efforts, by taking appropriate technical and organizational measures, to assist the Controller, at the Processor's request, in the fulfillment of the Controller's obligation to respond to requests from Data Subjects.

8.2  For all assistance performed by Nitro in the context of the treatment of such requests from Data Subjects, the Processor will reimburse Nitro in accordance with Section 14 “Costs” of this Data Processing Addendum. Such reimbursement by the Processor shall not apply (i) in case the Data Subject is invoking its rights because of a Personal Data Breach proven attributable to Nitro or (ii) in case such assistance by Nitro does not exceed four (4) hours of work during the term of the Agreement.

9. DUTY TO NOTIFY

9.1  Upon becoming aware of a Personal Data Breach, Nitro shall notify the Processor thereof without undue delay by contacting the contact person indicated in the Agreement (or alternatively via the Processor’s Notification Email Address or (if applicable) any other e-mail address the Processor has shared in the Nitro Partner Portal). Nitro’s contact person for any data protection related matters can be contacted per email: privacy@gonitro.com.

9.2  At the request of the Processor, Nitro will inform the Processor of any new developments with regard to any Personal Data Breach and of the measures taken to limit its consequences and to prevent the repetition of such Personal Data Breach. It is the responsibility of the Processor to transmit the information received from Nitro to the Controller to enable the Controller to comply with its obligation to report any Personal Data Breach to the Supervisory Authority or the Data Subject(s), as required.

10. SUB-PROCESSING

10.1  The Processor warrants that Nitro is expressly authorized by the Controller to engage Nitro sub-processors for the processing of Personal Data for the performance of the Agreement and to facilitate the provisioning of the Services in general. To this extent, the Processor grants a general written authorization to Nitro to decide with which Nitro sub-processor(s) Nitro cooperates for the fulfilment of its obligations under the Agreement. Nitro publishes a Nitro sub-processor List referring to the Nitro sub-processors.

10.2  Nitro will inform the Processor of any intended changes concerning the addition or replacement of Nitro sub-processors via the Processor’s contact person indicated in the Agreement (or via the Processor’s Notification Email Address or (if applicable) any other e-mail address the Processor has shared in the Nitro Partner Portal). The Processor will have the right to object to the addition or replacement by addressing Nitro in writing where the Controller would object to such addition or replacement. Parties will in such case discuss the addition, replacement or alternative in good faith and as soon as reasonably possible after the Processor's written notice of objection.

10.3  Where Nitro engages a Nitro sub-processor for carrying out specific processing activities, the same or similar data protection obligations as set out in this Data Processing Addendum shall be imposed on that Nitro sub-processor by way of a written agreement, in particular providing sufficient guarantees to implement appropriate technical and organizational measures (and complying with the relevant technical and organizational measures). Where a Nitro sub-processor fails to fulfil its data protection obligations, Nitro shall remain fully liable to the Processor for the performance of such Nitro sub-processor’s obligation.

11. INTERNATIONAL DATA TRANSFERS

11.1  The Processor acknowledges that Nitro is established in the United States of America, and authorizes international transfers of personal data for the purposes of providing the Services. Such international data transfer is considered an instruction of the Controller, conveyed to Nitro by the Processor.

11.2  If, at any time during the term of this Data Processing Addendum, Nitro is certified under the EU-U.S. Data Privacy Framework (the “Framework”) for the Services then the Parties acknowledge that no appropriate safeguards are required in respect of transfers between the Processor and Nitro.

11.3  Where the conditions set out in Section 2 do not apply, the Processor (as "data exporter") and Nitro (as "data importer") with effect from the commencement of the relevant transfer hereby enter into the Processor to Processor SCCs. Annex 1 to the Processor to Processor SCCs shall be deemed to be pre-populated with the relevant sections of Annex 1 to this Data Processing Addendum. Annex 2 to the Processor to Processor SCCs shall be deemed to be pre-populated with the information contained in Section 5 to this Data Processing Addendum, and:

• in Clause 7, the optional docking clause will not apply;
• in Clause 9, option 2 will apply, and the time period shall be 30 days;
• in Clause 11, the optional redress language will not apply;
• in Clause 13(a) the following shall be inserted: Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C to this Data Processing Addendum, shall act as competent supervisory authority.
  Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679:] The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
  Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
• in Clause 17, Option 1 will apply, and the EU Standard Contractual Clauses will be governed by the laws of the data exporter; and 
• in Clause 18(b), disputes shall be resolved before the courts of the data exporter. 

11.4  The Processor acknowledges that Nitro sub-processors authorized under clause 9 may also process Personal Data in third countries. Nitro may conduct such transfers, subject to Nitro taking all steps necessary to ensure such transfers comply with the provisions of Chapter V of the EU GDPR and other applicable data protection laws.

11.5  In case the transfer of Personal Data to a third country or an international organization is mandatory under applicable EU or Member State law to which Nitro is subject, Nitro shall be allowed to perform such transfer and shall inform the Processor of that legal requirement before such Processing, unless that law prohibits such information on important grounds of public interest. The Processor may transmit such information to the Controller.

12. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

12.1  If the Controller performs a Data Protection Impact Assessment (“DPIA”) (article 35 EU GDPR) or a prior consultation (article 36 EU GDPR) linked to the processing of Personal Data in the context of the performance of the Agreement, Nitro, at the Processor's written request, shall reasonably assist the Controller. The Processor will reimburse Nitro for assistance provided according to Section 14 “Costs” of this Data Processing Addendum. Such reimbursement of costs shall not apply in case (i) the assistance requested from Nitro is less than four (4) working hours during the term of the Agreement, or (ii) the DPIA or prior consultation is triggered by a Personal Data Breach proven attributable to Nitro. 

13. AUDIT RIGHT

13.1  At the Processor's request, Nitro shall permit audits by the Processor regarding the compliance by Nitro with its obligations under this Data Processing Addendum and the applicable data protection legislation. Nitro shall use its reasonable efforts to cooperate with such audits and to make available all information necessary to prove its compliance with its obligation. The Processor shall notify Nitro of such audit at least one (1) month prior to the date on which the audit will be performed, by given written notice to Nitro via privacy@gonitro.com.

13.2  In case an audit is being performed, all parties involved shall first sign a specific non-disclosure agreement issued by Nitro with respect to such audit and the audit results before the start of the audit. Upon the performance of any such audit, the confidentiality obligations of the Parties with respect to third parties must be taken into account. Both the Parties and their auditors must keep the information collected in connection with an audit secret and use it exclusively to verify its compliance with this Data Processing Addendum and the applicable laws and regulations in respect of data protection. The Processor has the option to perform the audit itself or to assign an independent auditor, however such independent auditor must duly sign the non-disclosure agreement referred to in this Section. The Controller has the same audit rights as the Processor under this Clause.

13.3  Both Parties, and where applicable their representatives, shall reasonably cooperate, upon request, with the Supervisory Authority in the performance of its tasks.

13.4  The Processor will reimburse Nitro for the assistance provided by Nitro in relation to audit(s) in accordance with Section 14 “Costs” of this Data Processing Addendum. It being understood, such reimbursement shall not apply in case (i) the audit is a result of a Personal Data Breach proven attributable to Nitro or, (ii) in case Nitro’s assistance does not exceed four (4) working hours during the term of the Agreement.

14. COSTS

14.1  The assistance to be performed under this Data Processing Addendum for which Nitro may charge the Processor, will be charged on the basis of the hours worked and the applicable standard hourly rates of Nitro (USD 295/hour taxes excluded). Nitro will invoice these amounts on a monthly basis but also has the right to request an upfront retainer fee.

14.2. The payment by the Processor to Nitro for the assistance and professional services provided by Nitro under this Data Processing Addendum will take place in accordance with the provisions in the Agreement.

15. LIABILITY

16. MISCELLANEOUS

ANNEX 1 – DATA PROCESSING DETAILS

A. LIST OF PARTIES

1. Data exporter(s):

Name: ISV, as identified in the Agreement (and/or relevant Nitro ISV Order Form).

Address: The address of the data exporter is set out in the Agreement (and/or relevant Nitro ISV Order Form).

Contact person’s name, position and contact details: The contact details of the contact person for the data exporter are set out in the Agreement, (and/or the relevant Nitro ISV Order Form) or in the Nitro Partner Portal.

Activities relevant to the data transferred: The activities that are relevant to the data transferred under these EU Standard Contractual Clauses are described below in Section B “Description of processing/transfer”.

Signature and date: By signing or accepting the Agreement, the data exporter will be deemed to have signed this Annex I.

Role (controller/processor): Processor

2. Data importer(s):

Name: Nitro Software Inc.

Address: 447 Sutter St, STE 405 #1015, San Francisco, CA 94108, United States.

Contact person’s name, position and contact details: privacy@gonitro.com, Nitro Software Inc. 447 Sutter St, STE 405 #1015, San Francisco, CA 94108, United States.

Activities relevant to the data transferred: The activities that are relevant to the data transferred under these EU Standard Contractual Clauses are described below in Section B “Description of processing/transfer”.

Signature and date: By signing or accepting the Agreement, the data exporter will be deemed to have signed this Annex I.

Role (controller/processor): Processor

B. DESCRIPTION OF PROCESSING/TRANSFER

The subject matter is determined by the Processor as set out in the Agreement (and/or relevant Nitro ISV Order Form).

The nature and purposes of processing are determined by the Processor as set out in the Agreement (and/or relevant Nitro ISV Order Form).

By default, such processing shall have as purpose to make available the Services including all its features and functionalities to the Processor (who will make those available to the Controller) and more in general to permit Nitro to fulfil its contractual obligations under the Agreement. Such purpose can be making available the Cloud Services via (API) integrations (for example but without limitation making available the electronic signing services, or particular PDF workflows etc.) as well as the provisioning of Support.

The nature of processing shall, among other instructions given by the Processor in the Agreement (and/or relevant Nitro ISV Order Form), include the processing, collection, storage, communication and transfer of Personal Data.

Depending on the functionalities used within the Services (e.g. electronic signing services, PDF workflows etc.) and the content of the End Customer Data which qualifies as Personal Data, uploaded by the Processor or the Controller into the Services, Nitro processes different kinds of Personal Data. In general, the Personal Data processed by Nitro includes without limitation:

• Identification details (for example regarding Data Subjects who make use of the Services - and usage details) 
• Document data (for example Personal Data included in PDF documents processed)

A detailed overview of the kind of Personal Data being processed when using the Services is available via Nitro’s Trust Center: https://www.gonitro.com/security-compliance/data-protection/processing-of-personal-data

The dataset might include sensitive Personal Data in the Personal Data in accordance with Section 5.3 of this Data Processing Addendum. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: reference is made to the TOMs as listed or referenced in the Data Processing Details below.

The following categories of Data Subjects are by default in scope:

• All Data Subjects having access to the Services (which includes admin users, general users or invited users such as signatories).
• Add Data Subjects included in the End Customer Data which qualifies as Personal Data uploaded into the Services by the Processor or the Controller. 

The Processor confirms those Data Subjects will by default be considered one of the following categories:

• Users of the Services 
• Processor's customers 
  
  

Nitro engages Nitro sub-processors for ensuring all functionalities are available within the Services. Which Nitro sub-processors are applicable depends on the Services used and the functionalities and set-up requested by the Processor or the Controller. A detailed listing of the Nitro sub-processors (including the procedure we apply when engaging new Nitro sub-processors) is available via our Trust Center: https://www.gonitro.com/security-compliance/data-protection/subprocessors-and-subcontractors

Nitro implements appropriate technical and organizational measures to ensure adequate security when using the Services. We are continuously updating such measures. A detailed overview of the measures taken is available via our Trust Center on our Security section: https://www.gonitro.com/security-compliance/security and in our Information Security Policy. Our Trust Center also lists the certifications Nitro holds in the Compliance section: https://www.gonitro.com/security-compliance/compliance

Nitro will not store Personal Data any longer than necessary for the provisioning of the Services. Depending on the Services and the functionalities the Processor or the Controller is using, the applicable retention period(s) might differ. The Processor, acting on behalf of the Controller, can request Nitro to configure specific retention periods on their environment (as far as this is technically feasible).

In case no specific retention periods were configured, Personal Data will by default be stored by Nitro until deletion by the Processor or the Controller or until termination of the Agreement between Nitro and the Processor (plus maximum 30 days), whichever of both situations comes first. A detailed overview of the retention periods is available via our Trust Center: https://www.gonitro.com/security-compliance/data-protection/processing-of-personal-data.

On an ongoing basis, as necessary to provide the Services to the Processor.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13 of the EU Standard Contractual Clauses: The competent supervisory authority is the supervisory authority applicable to the Processor (or, where relevant, applicable to the Processor's representative).