Global/US P2P Data Processing Addendum

Independent Software Vendors - Nitro PDF & Nitro Sign

Effective: September 18, 2025

FOR INDEPENDENT SOFTWARE VENDORS (“ISV” or “Processor”)

THIS DATA PROCESSING AGREEMENT APPLIES IF YOU HAVE SIGNED UP FOR PROVIDING NITRO SERVICES AS AN ISV UNDER AN INDEPENDENT SOFTWARE VENDOR AGREEMENT (AS DEFINED IN SECTION 2 BELOW) UNLESS THE EU GDPR APPLIES TO THE PROCESSING OF PERSONAL DATA IN THE CONTEXT OF THE AGREEMENT, IN WHICH CASE THE CORRESPONDING DATA PROCESSING ADDENDUM WILL APPLY.

In consideration of the mutual obligations set forth in this Data Processing Addendum and all Annexes and Exhibits hereto (the “Data Processing Addendum”), the sufficiency of which is acknowledged, Nitro and the ISV hereby enter into this binding contract by and between them and applicable to the Services made available by Nitro. Nitro and the ISV may be referred to herein collectively as the "Parties" or individually as a "Party".

 

1. SCOPE; ROLES OF THE PARTIES

Nitro will receive and process Personal Data on behalf of the ISV when providing the Services, according to the instructions and purposes defined in the Data Processing Details. This Data Processing Addendum sets forth the Parties’ specific agreements in respect to processing Personal Data within the framework of this Data Processing Addendum and the Agreement.

By default, Nitro shall act as a Sub-Processor and the ISV shall act as a Processor in respect of the Services provided by Nitro to the ISV. Nitro acknowledges that the ISV acts on behalf of the Controller for the processing of Personal Data. This Data Processing Addendum supersedes and replaces all previous agreements made (if any) in respect of processing Personal Data and data protection between the Parties related to the Services offered by Nitro under the Agreement.

This Data Processing Addendum supplements and forms part of the Agreement, and together the Agreement and this Data Processing Addendum constitute a single legal agreement between the Parties. In case of discrepancies or contradictions between this Data Processing Addendum and the Agreement, the Data Processing Addendum will prevail.

 

2. DEFINITIONS

“Agreement” means the Independent Software Vendor Agreement, any Schedules attached thereto, the Nitro ISV Order Form(s) and any information incorporated by reference herein from the Nitro Partner Portal (if applicable);

“Annex” means any annex to the present Data Processing Addendum;

“Controller” refers to the customer of the Processor (which is considered the End Customer in relation to the Agreement) to which the Processor (i.e. the ISV) provides the Integrated Solution (which includes Services provided by Nitro to the Processor);

“Data Processing Details” means Annex 1 to the present Data Processing Addendum which describes the Controller’s instructions on the processing of Personal Data, conveyed by the Processor to Nitro, such as the purpose, object and nature of processing and the kind of Personal Data being processed;

“Data Subject” or any equivalent term (such as “individual”) has the meaning set forth in the applicable data protection legislation, or where no such laws apply, means an identified or identifiable natural person that relates to Controller;

“Data Breach” or any equivalent term (such as “personal data breach”, “security incident”) has the meaning set forth in the applicable data protection legislation, or where no such laws apply, means any (i) unauthorized access to, or use, disclosure or other processing of ISV Personal Data in Nitro’s custody, (ii) theft or unauthorized acquisition of such Personal Data, (iii) incident that compromises the security of such Personal Data;

“EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

“Exhibit” means any exhibit to the present Data Processing Addendum;

“FADP” means the Swiss Federal Act on Data Protection (as amended);

“Nitro sub-processor List” refers to the list of Nitro sub-processors as made available online by Nitro that includes the Nitro sub-processors engaged by Nitro for the provisioning of the Services and the fulfillment of Nitro’s obligations under the Agreement in general. Nitro may update the Nitro sub-processor List from time to time as per the process set out in this Data Processing Addendum;

“Nitro sub-processor” means any third party processor engaged by Nitro for the processing of Personal Data related to the provisioning of the Services to the Processor;

“Personal Data” (or any equivalent term, such as Personal Information) has the meaning given in the applicable data protection legislation, and means any information that by itself or when combined with other information (e.g. telephone number or e-mail address) can be used by Nitro to identify a specific natural person that Nitro processes on behalf of the Processor when providing the Services according to the instructions and purpose defined in the Data Processing Details;

“Processor” refers to the ISV as identified in the Agreement and/or the corresponding Nitro ISV Order Form (or any equivalent term has the meaning set forth in the applicable data protection legislation or where no such laws apply, means the entity that processes Personal Data on behalf of the Controller);

“Sub-Processor” refers to Nitro Software Inc., supplier of the Services to the Processor;

“UK GDPR” means the EU GDPR transposed into UK domestic law by virtue of section 3 of the European Union Withdrawal Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (as amended).

All other terms and definitions written with capital letters and which are not defined expressly in this Data Processing Addendum, are defined as set out in the applicable data protection legislation or the Agreement.

3. PURPOSE OF THIS DATA PROCESSING AGREEMENT

3.1  This Data Processing Addendum determines the conditions of the processing by Nitro of Personal Data on behalf of the Processor in the context of the Agreement. The nature and purpose of the processing, a list and the kind of Personal Data as well as the categories of the Data Subjects are listed in the Data Processing Details (Annex 1).


4. TERM

4.1  This Data Processing Addendum is applicable to all processing of Personal Data and applies as long as Nitro processes Personal Data on behalf of the Processor in the context of the Agreement. This Data Processing Addendum supplements the Agreement and is meant to ensure the Parties’ compliance with the requirements imposed by the applicable data protection laws and regulations.

4.2  This Data Processing Addendum ends automatically upon termination of the Agreement (or at the moment the processing by Nitro is terminated). The provisions of this Data Processing Addendum that are either expressly or implicitly (given their nature) intended to have effect after termination of the Data Processing Addendum shall survive the end of the Agreement with regard to the Personal Data processed on behalf of the Processor in the context of the Agreement.

5. TECHNICAL AND ORGANIZATIONAL MEASURES

5.1  Nitro has implemented appropriate technical and organizational measures (“TOMs”) aimed at securing the processing of Personal Data. The TOMs implemented by Nitro are set out in the Data Processing Details and may be updated by Nitro from time to time, however Nitro will ensure not to downgrade the overall security it has implemented at the moment of the Data Processing Addendum’s execution. The Processor acknowledges the TOMs to be providing an adequate level of security appropriate to the risk for the processing of its Personal Data on behalf of the Processor at the moment of signing or accepting this Data Processing Addendum.

5.2  In case the Processor (or the Controller) is requesting specific technical and organizational measures to be implemented by Nitro (which Nitro has not implemented by default), the Processor will reimburse Nitro for implementing such additional measures according to Section 11 “Costs” of this Data Processing Addendum.


6. RETENTION

6.1 Nitro will not keep Personal Data any longer than required for processing of such Personal Data in the context of the Agreement. The Processor will not instruct Nitro to store any Personal Data longer than necessary. The applicable retention period is set out in the Data Processing Details.

6.2  Nitro shall delete or return all Personal Data to the Processor after the end of the provisioning of Services and shall delete existing copies unless applicable law requires storage of the Personal Data. The Processor acknowledges the Services might include download functionalities at the disposal of the Processor to enable Processor to download its data. To the extent such functionalities are available, the Processor shall ensure that the Controller uses such functionalities to extract or delete its data.


7. CONFIDENTIALITY

7.1  Parties have agreed on a confidentiality clause in the Agreement which applies to the processing of Personal Data in the context of the Agreement.

7.2  Nitro acknowledges and agrees that only those employees, contractors or agents of Nitro who are involved in the processing of Personal Data may be informed about the Personal Data and only to the extent as reasonably necessary for the performance of the Agreement. Nitro ensures that persons authorized to process the Personal Data are committed to confidentiality by contract or are under an appropriate statutory obligation of confidentiality.


8. DUTY TO NOTIFY

8.1  Upon becoming aware of a Data Breach, Nitro shall, to the extent required by applicable law or an Exhibit to this Data Processing Addendum, notify the Processor thereof without undue delay by contacting the contact person indicated in the Agreement or the relevant Order Form (or alternatively via the Processor’s Notification Email Address or (if applicable) any other e-mail address the Processor has shared in the admin portal as privacy contact). Nitro’s contact person for any data protection related matters can be contacted per email: privacy@gonitro.com.


9. SUB-PROCESSING

9.1  The Processor warrants that Nitro is expressly authorized to engage Nitro sub-processors for the processing of Personal Data for the performance of the Agreement and to facilitate the provisioning of the Services in general. To this extent, the Processor grants a general written authorization to Nitro to decide with which Nitro sub-processor(s) Nitro cooperates for the fulfilment of its obligations under the Agreement. Nitro publishes a list of Nitro sub-processors referring to the Nitro sub-processors.


10. AUDIT RIGHT

10.1  At Processor’s request, Nitro shall permit audits by the Processor regarding the compliance by Nitro with its obligations under this Data Processing Addendum and the applicable data protection legislation. Nitro shall use its reasonable efforts to cooperate with such audits and to make available all information necessary to prove its compliance with its obligation. The Processor shall notify Nitro of such audit at least one (1) month prior to the date on which the audit will be performed, by giving written notice to Nitro via privacy@gonitro.com.

10.2  In case an audit is being performed, all parties involved shall first sign a specific non-disclosure agreement issued by Nitro with respect to such audit and the audit results before the start of the audit. Upon the performance of any such audit, the confidentiality obligations of the Parties with respect to third parties must be taken into account. Both the Parties and their auditors must keep the information collected in connection with an audit secret and use it exclusively to verify its compliance with this Data Processing Addendum and the applicable laws and regulations in respect of data protection. The Processor has the option to perform the audit itself or to assign an independent auditor, however such independent auditor must duly sign the non-disclosure agreement referred to in this Section. The Controller has the same audit rights as the Processor under this Clause.

10.3  Both Parties and where applicable their representatives, shall reasonably cooperate, upon request, with any competent regulator in connection with the audit.

10.4  The Processor will reimburse Nitro for the assistance provided by Nitro in relation to audit(s) in accordance with Section 11 “Costs” of this Data Processing Addendum. It being understood, such reimbursement shall not apply in case (i) the audit is a result of a Data Breach proven attributable to Nitro or, (ii) in case Nitro’s assistance does not exceed four (4) working hours during the term of the Agreement.

11. COSTS

11.1  The assistance to be performed under this Data Processing Addendum for which Nitro may charge the Processor, will be charged on the basis of the hours worked and the applicable standard hourly rates of Nitro (USD 295/hour taxes excluded). Nitro will invoice these amounts on a monthly basis but also has the right to request an upfront retainer fee.

11.2  The payment by the Processor to Nitro for assistance and professional services provided by Nitro under this Data Processing Addendum will take place in accordance with the provisions in the Agreement.


12. LIABILITY

12.1  Subject to the maximum extent permitted under applicable law, the provisions of the Agreement concerning limitation of liability also apply to this Data Processing Addendum and the damages arising out of it.


13. MISCELLANEOUS

13.1  The provisions of the Agreement concerning changes, entire agreement, severability, applicable law and competent courts are applicable to this Data Processing Addendum.

13.2  This Data Processing Addendum is supplemented by the CCPA-specific terms set out in Exhibit 1 hereto, to the extent required as set forth in Exhibit 1.

 

ANNEX 1 – DATA PROCESSING DETAILS

DESCRIPTION OF PROCESSING

1. SUBJECT MATTER OF THE PROCESSING OF THE PERSONAL INFORMATION

The subject matter is determined by the Processor as set out in the Agreement (and/or relevant Nitro ISV Order Form).

2. THE NATURE AND PURPOSES OF THE PROCESSING OF PERSONAL INFORMATION

The nature and purposes of processing are determined by the Processor as set out in the Agreement (and/or relevant Nitro ISV Order Form).

By default, such processing shall have as purpose to make available the Services including all its features and functionalities to the Processor (who will make those available to the Controller) and more in general to permit Nitro to fulfil its contractual obligations under the Agreement. Such purpose can be making available the Cloud Services (for example but without limitation making available the customer cloud portal, electronic signing services, analytics services etc.) as well as the provisioning of Support.

The nature of processing shall, among other instructions given by the Processor in the Agreement (and/or relevant Nitro ISV Order Form), include the processing, collection, storage, communication and transfer of Personal Data.

3. PERSONAL INFORMATION PROCESSED

Depending on the functionalities used within the Services (e.g. customer portal, electronic signing services, analytics services etc.) and the content of the End Customer Data which qualifies as Personal Data uploaded by the Processor or the Controller into the Services, Nitro processes different kinds of Personal Data. In general, the Personal Data processed by Nitro includes without limitation:

  • Identification details (for example regarding Data Subjects who make use of the Services - and usage details)
  • Document data (for example Personal Data included in PDF documents processed)

A detailed overview of the kind of Personal Data being processed when using the Services is available via Nitro’s Trust Center: https://www.gonitro.com/security-compliance/data-protection/processing-of-personal-data


4. CATEGORY OF DATA SUBJECTS

The following categories of Data Subjects are by default in scope:

  • All Data Subjects having access to the Services (which includes admin users, general users or invited users such as signatories).
  • All Data Subjects included in the End Customer Data which qualifies as Personal Data uploaded into the Services by the Processor or the Controller.

The Processor confirms those data subjects will by default be considered one of the following categories:

  • Users of the Services
  • Processor's customers

5.  SUB-PROCESSORS

Nitro engages Nitro sub-processors for ensuring all functionalities are available within the Services. Which Nitro sub-processors are applicable depends on the Services used and the functionalities and set-up requested by the Processor or the Controller. A detailed listing of the Nitro sub-processors engaged by Nitro (including the procedure we apply when engaging new Nitro sub-processors) is available via our Trust Center: https://www.gonitro.com/security-compliance/data-protection/subprocessors-and-subcontractors

6. TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs)

Nitro implements appropriate technical and organizational measures to ensure adequate security when using the Services. We are continuously updating such measures. A detailed overview of the measures taken is available via our Trust Center on our Security section: https://www.gonitro.com/security-compliance/security and in our Information Security Policy. Our Trust Center also lists the certifications Nitro holds in the Compliance section: https://www.gonitro.com/security-compliance/compliance

7. RETENTION PERIOD

Nitro will not store Personal Data any longer than necessary for the provisioning of the Services. Depending on the Services and the functionalities the Processor or the Controller is using, the applicable retention period(s) might differ. The Processor, acting on behalf of the Controller, can request Nitro to configure specific retention periods on their environment (as far as this is technically feasible).

In case no specific retention periods were configured, Personal Data will by default be stored by Nitro until deletion by the Processor or the Controller or until termination of the Agreement between Nitro and the Processor (plus maximum 30 days), whichever of both situations comes first. A detailed overview of the retention periods is available via our Trust Center: https://www.gonitro.com/security-compliance/data-protection/processing-of-personal-data.

8. NITRO PRIVACY TEAM CONTACT DETAILS

privacy@gonitro.com
Nitro Software Inc.
447 Sutter St, STE 405 #1015, San Francisco, CA 94108
United States

 

EXHIBIT 1 – CCPA-SPECIFIC TERMS

1. To the extent that Nitro receives Personal Data from or on behalf of the ISV and that information is subject to the CCPA, the following provisions shall apply. To the extent of any conflict between this Exhibit 1 and the Data Processing Addendum, the former shall control.

1.1  CCPA. To the extent that (a) Nitro (as Service Provider or Contractor) receives Personal Data from or on behalf of ISV (as Service Provider or Contractor) in order to process it on behalf of the Controller (as a Business) to provide the Services, and (b) that Personal Data is subject to the CCPA (“ISV PI”), Nitro shall (i) comply with all obligations applicable to Nitro under the CCPA and shall provide the same level of privacy and security protection as required by the CCPA; (ii) not Sell or Share ISV PI; (iii) not retain, use, or disclose the ISV PI (a) for any purpose other than the Business Purposes specified in this Data Processing Addendum or the Agreement (including retaining, using, or disclosing the ISV PI for a Commercial Purpose other than the Business Purpose specified in this Data Processing Agreement or the Agreement) or as otherwise permitted by the CCPA, or (b) outside of the direct business relationship between the ISV and Nitro; (iv) to the extent that the ISV discloses or otherwise makes available Deidentified Data to Nitro, Nitro will (a) take reasonable measures to ensure that the Deidentified Data cannot be associated with an individual or household, (b) publicly commit to maintain and use the information in deidentified form and not attempt to reidentify the information, and (c) contractually obligate any further recipient to comply with all provisions of this sub-paragraph (iv); (v) not combine the ISV PI regarding an individual that Nitro receives from, or on behalf of, the ISV with Personal Data that it receives from, or on behalf of, another person, or collects from Nitro’s own interaction with the individual, provided that Nitro may combine the ISV PI to perform any Business Purpose as defined in any relevant regulations adopted pursuant to the CCPA; (vi) notify the ISV if it engages any subcontractor to process the ISV PI, and disclose the ISV PI to such subcontractor pursuant to a written contract that includes terms providing the same level of protection of said PI as those required by the CCPA; (vii) implement appropriate organizational and technical measures appropriate to the nature of the ISV PI to protect the security of the ISV PI and systems from unauthorized access, destruction, use, modification, or disclosure; (viii) notify the ISV if Nitro determines that it can no longer meet its obligations under CCPA; (ix) provide reasonable assistance to the ISV in ensuring compliance with the ISV's obligation to carry out data protection assessments, cybersecurity audits, and risk assessments considering the nature of the processing and the information available to Nitro. Nitro shall also assist the ISV in complying with the Controller's automated decision-making technology requirements, if any; (x) notify the ISV if Nitro receives a request to exercise privacy rights from an individual relating to that individual’s ISV PI (a “Request”). Nitro shall not otherwise communicate with an individual regarding his or her Request unless the ISV directs Nitro to do so or Nitro is required to communicate with an individual under applicable law. Nitro shall, in a manner consistent with the nature and functionality of the services provided under this Data Processing Addendum and Nitro’s role as a Service Provider, provide reasonable support to the ISV to enable the ISV to respond to, and comply with, a Request under the CCPA; and no more than once annually, make available to the ISV on request information reasonably necessary to demonstrate compliance with this Section 1, including by providing summaries of applicable privacy and security policies for review and audit purposes.

1.2  Support. The ISV will reimburse Nitro for the assistance provided by Nitro under Clause 1.1.(ix) of this Exhibit 1 in accordance with Section 11 “Costs” of this Data Processing Addendum.

1.3  Certification. To the extent Nitro is a Contractor, Nitro certifies that it understands and will comply with the restrictions set forth in Subsection 1.1.

1.4  ISV use of PI. To the extent that the ISV discloses, shares, or otherwise makes available the ISV PI to Nitro, the ISV does so for the specific Business Purpose set forth under this Data Processing Addendum. The ISV may take reasonable and appropriate steps to ensure that Nitro uses the ISV PI transferred to Nitro in a manner consistent with the Controller's obligations under the CCPA. The ISV may, upon reasonable notice to Nitro, take reasonable and appropriate steps to stop and remediate unauthorized use of the ISV PI.

1.5  Definitions. Capitalized terms used in this Section 1 that are not otherwise defined in this Data Processing Addendum shall have the meanings assigned to them under the CCPA. For the purposes of this Section 1, “CCPA” means the California Consumer Privacy Act and any implementing regulations issued thereto, each as amended (including by the California Privacy Rights Act and any regulations promulgated thereto).

 
