Skip to content
Contact Sales Free Trial Buy Now

Terms & Policies

Product Specific Terms

Nitro EU Data Act Addendum - Nitro Sign Enterprise Verified & Identity Services

THIS EU DATA ACT ADDENDUM APPLIES TO ANY DATA PROCESSING SERVICE PROVIDED BY NITRO THAT QUALIFIES AS SUCH UNDER THE DATA ACT, IS GOVERNED BY NITRO’S TERMS OF SERVICE FOR NITRO SIGN ENTERPRISE AND IDENTITY SERVICES AND IF CUSTOMER IS ESTABLISHED IN THE EUROPEAN UNION.

Article 1. Scope, ranking and definitions

1.1 This Addendum shall, with effect from 12 September 2025, form part of the Agreement      pursuant to which Nitro provides one or more Data Processing Services, unless expressly provided otherwise in this Addendum, and only to the extent that the Data Act applies.

1.2 This Addendum does not apply to Data Processing Services provided by Nitro as a test version or for trial or evaluation purposes.

1.3 Unless the Agreement or the Data Act provides otherwise, this Addendum does not affect any existing arrangements between the Parties under or pursuant to the Agreement, including the provisions relating to the formation, performance, validity, or consequences of the Agreement, or the consequences of its termination.

 

Article 2. Definitions

“Addendum” refers to this EU Data Act addendum that, with effect from 12 September 2025, forms part of the Agreement;

“Data” means any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording;

“Data Act” means Regulation (EU) 2023/2854;

“Data Processing Service” means a digital service that is provided to a Customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction;

“Deletion Request” means a Request submitted by the Customer for the deletion of its Relevant Data;

“Digital Assets” means elements in digital form, including applications, for which the Customer has the right of use, independently from the contractual relationship with the Data Processing Service it intends to switch from;

“Early Termination” means the termination of the Agreement pursuant to this Addendum earlier than the Agreement could have been terminated by the Customer in the absence of this Addendum;

“Excluded Data” refers to the categories of Data referred to in Article 25(2)(f) of the Data Act which do not form part of the Relevant Data, as specified in Annex 1;

“Exportable Data” means the input and output Data, including metadata, directly or indirectly generated, or cogenerated, by the Customer’s use of the Data Processing Service, excluding any assets or Data protected by intellectual property rights, or constituting a trade secret, of providers of Data Processing Services or third parties;

“Notice Period” refers to the notice period that commences upon Nitro’s receipt of a Request that complies with this Addendum, as specified in Section 4.3.;

“Relevant Data” refers to all Data, including Exportable Data and Digital Assets, which may be transferred during the Switching process, be subject to a Deletion Request, as further specified in Annex 1;

“Request” refers to a request submitted by the Customer to Nitro choosing one or more of the options referred to in Section 4.1 of this Addendum;

“Retrieval Period for Relevant Data” refers to the period following the Transitional Period during which the Customer can retrieve the Relevant Data;

“Switching Request” refers to a Request submitted by the Customer to switch to another provider of Data Processing Services or to an on-premises ICT infrastructure;

“Transitional Period” refers to the transitional period referred to in Article 25(2)(a) of the Data Act that commences after the end of the Notice Period.

All other terms and definitions written with capital letters and which are not defined expressly in this Addendum, are defined as set out in Nitro’s Terms of Service.  

Article 3. Service-Specific Details

3.1. To the extent not already provided for in the Agreement, Annex 1 to this Addendum sets out, in respect of the Data Processing Service(s) supplied:

a) a specification of all Relevant Data  and Excluded Data ;

b) the jurisdiction applicable to the ICT infrastructure used by Nitro for the Data Processing Service, and information regarding the measures relating to international access to and transfer of data;

c) any deviations from the standard periods referred to in Section 4.4. and Section 7.2.

Article 4. Request to Switch or Delete Relevant Data

4.1. The Customer has the right at any time to submit a Request to Nitro choosing one or more  of the following options:

a) switching to another provider of Data Processing Services (Switching Request);

b) switching to an on-premises ICT infrastructure (Switching Request);

c) deletion of its Relevant Data (Deletion Request).

4.2. To the extent that the Data Processing Service provides self-service functionalities enabling the Customer to export, retrieve or delete Relevant Data, the Customer shall use such functionalities as the primary means to exercise its rights under this Addendum. Nitro shall provide reasonable assistance through support channels where such self-service functionalities are not available, are technically not feasible, or where additional support is reasonably required. In such case, a Request may be submitted via legalnotices@gonitro.com.

4.3. The Request must at a minimum indicate:

a) the Data Processing Service to which the Request relates; and

b )the Customer’s express choice as referred to in Section 4.1; and

c) if the option referred to in Section 4.1(a) is (also) chosen, all necessary (identifying) details of the destination provider and the new Data Processing Service.

4.4. The Notice Period shall be two (2) months and, for Agreements with a fixed term of two (2) months or less, shall be equal to the entire term, unless agreed otherwise.

4.5. If the Agreement has an end date upon which it terminates by operation of law, the Customer must submit the Request in good time so that the Notice Period ends no later than that end date. If this does not occur, the Agreement terminates by operation of law on the agreed end date, this Addendum ceases to have effect at that time, and the Agreement is terminated in accordance with its terms, unless the Parties agree otherwise.

4.6. During the Notice Period the Customer has the right to change a choice previously communicated to Nitro under Section 4.1. In that case, the Customer must submit a new Request, and the earlier Request shall automatically lapse. After the end of the Notice Period, the choice may only be changed with the prior consent of Nitro.

4.7. The Customer shall be responsible for managing all Requests arising from use of the Data Processing Services by its Beneficiaries. Nitro shall have no obligation to respond to a Request made directly by Beneficiaries. The Customer shall procure that its Beneficiaries direct any Requests through the Customer, and the Customer shall submit consolidated Requests to Nitro on their behalf.

Article 5. Deletion Request

5.1. In the case of a Deletion Request as referred to in Section 4.1(c), Nitro shall delete the Relevant Data concerned as soon as possible after the end of the Notice Period, unless otherwise agreed, for example in Nitro’s Terms of Service or Data Processing Addendum.

5.2. The obligation under Section 5.1 does not apply to the extent that (i) this would conflict with statutory retention obligations applicable to Nitro, or (ii) Nitro is entitled to retain and use (parts of) the Relevant Data, for example where Nitro has a right of use in respect thereof under the Agreement.

Article 6. Switching During the Transitional Period  

6.1. In the case of a Switching Request as referred to in Section 4.1(a) and/or (b) the Transitional Period shall commence after the Notice Period ends, unless a situation as described in Section 4.5 occurs.

6.2. The Transitional Period shall last a maximum of thirty (30) calendar days, except in the cases described in Section 6.6 and Section 6.7.

6.3. During the Transitional Period, Nitro and the Customer shall cooperate in good faith to ensure a smooth Switching process. Nitro shall enable the transfer of Relevant Data and ensure the continuity of the Data Processing Service(s) provided.

6.4. Nitro shall perform its obligations relating to the form of Switching requested by the Customer without undue delay  and within the Transitional Period, and shall in any event:

a) in accordance with the Data Act, reasonably assist the Customer in implementing its exit strategy insofar as it relates to the Data Processing Service(s) for which a Switching Request has been submitted;

b) provide reasonable assistance to the Customer and third parties authorized by the Customer in the Switching process;

c) act with due care to maintain the Customer’s business continuity and continue to provide the agreed Data Processing Services in accordance with the Agreement;

d) provide the Customer with information on any risks known to Nitro that are associated with the Switching process and may affect the continuity of the Data Processing Services supplied by Nitro;

e) maintain a high level of security throughout the entire Switching process, in particular with regard to the protection of the Relevant Data during its transfer and the continued protection of such data during the Retrieval Period for Relevant Data as referred to in Section 7, in accordance with the technical and organizational measures set out in the Data Processing Addendum and the applicable Service Level Agreement.

6.5. During the Transitional Period, the Customer shall:

a) timely provide all information required by Nitro to carry out the Switching Request;

b) perform all actions relevant to the Customer that are necessary to complete the Switching successfully within the Transitional Period, including exporting, converting where necessary, and importing its Relevant Data, and ensuring that the chosen destination environment is adjusted where required.

6.6. The Customer has the right to extend the Transitional Period once, for a period it considers appropriate for implementing the chosen form of Switching pursuant to Section 4.1, subject to the obligation to act in good faith as referred to in Section 6.3. The Customer may notify (via legalnotices@gonitro.com) Nitro of this choice in writing either before or during the Transitional Period. In such notification, the Customer shall at least specify the date on which the Transitional Period will end.  

6.7. If Nitro considers that the form of Switching chosen by the Customer is technically not feasible within the Transitional Period, Nitro has the right to extend that period up to a maximum of seven (7) months from the start date of the original Transitional Period.  Nitro shall notify the Customer of this in writing by sending a notice to the Customer’s Notification Email Address within fourteen (14) Business Days after receiving the Switching Request, duly justify the technical infeasibility, and indicate the alternative duration of the Transitional Period that Nitro considers feasible.

6.8. Nitro and the Customer shall acknowledge receipt of a notice as referred to in Section 6.6 and Section 6.7 as soon as possible, in writing (email allowed).

6.9. From the start of the Transitional Period, the Agreement shall remain in effect, including any payment obligations of the Customer arising therefrom, and the Agreement shall, where relevant, be automatically extended until the end of the Retrieval Period for Relevant Data as referred to in Section 7.

6.10. To the extent any delay, failure or disruption during the Transitional Period is caused by Customer’s acts or omissions, including but not limited to a failure to timely respond to requests, provide required information, grant necessary access or take required actions, Nitro shall not be liable for any resulting delay, failure or damages arising therefrom.

6.11. From the start of the Transitional Period, the rights of either Party to terminate the Agreement for cause or to suspend its performance under the existing terms of the Agreement shall remain unaffected.


Article 7. Retrieval Period for Relevant Data

7.1. After the end of the Transitional Period the Retrieval Period of Relevant Data shall commence.

7.2. The Retrieval Period for Relevant Data shall last thirty (30) calendar days, unless the Parties have expressly agreed upon a longer period.

7.3. During the Retrieval Period for Relevant Data, Nitro shall (continue to) enable the Customer to export the Relevant Data, or have it exported, in the agreed manner and in the agreed file format. The other obligations of Nitro that applied during the Transitional Period shall end at the commencement of the Retrieval Period for Relevant Data, unless the Parties have expressly agreed otherwise in writing.

7.4. Nitro shall ensure that all Relevant Data is fully deleted as soon as possible after the end of the Retrieval Period for Relevant Data, or - if the Parties have expressly agreed otherwise in writing - after the expiry of an alternative period following the Retrieval Period for Relevant Data, but not before it has been established that the Switching process has been successfully completed as referred to in Section 8.

7.5. The obligation under Section 7.4 does not apply to the extent that (i) this would conflict with statutory retention obligations applicable to Nitro, or (ii) Nitro is entitled to retain and use (parts of) the Relevant Data, for example where Nitro has a right of use thereto under the Agreement.


Article 8. Determination of Successful Switching and Termination

8.1. No later than before the end of the Transitional Period, the Customer shall notify Nitro in writing whether the Switching process has been successfully completed.

8.2. The Switching process shall be considered successfully completed once one of the following situations arises:

a) the Customer has confirmed to Nitro in writing that the Switching process has been successfully completed;

b) Nitro has, on reasonable grounds, determined that the Switching has been successfully completed and has notified the Customer thereof in writing, and the Customer has not duly contested this within seven (7) calendar days.

8.3. The Agreement shall automatically terminate, without any further notice being required, if:

a) the Switching process has been successfully completed as referred to in Section 8.2;

b) at the end of the applicable Notice Period, if the Customer has requested the deletion of the Relevant Data within the meaning of Section 4.1(c).

8.4. If it is apparent to Nitro that the Agreement has terminated pursuant to Section 8.3, Nitro shall send the Customer a written confirmation of the termination of the Agreement as soon as possible thereafter.

8.5. The Agreement shall terminate automatically and without any further notice being required immediately after the end of the Relevant Data Retrieval Period, provided that the Agreement remained in force pursuant to Section 6.9 of this Addendum. The foregoing does not affect the fact that the Parties may make mutual agreements about the continuation of the Agreement after this period.

8.6. Termination of the Agreement pursuant to this Addendum applies exclusively to the relevant Data Processing Service(s) and does not affect the Agreement in its entirety with respect to any Other Services.

Article 9. Early Termination Fee

9.1. If a request results in an Early Termination the Customer shall owe Nitro an Early Termination fee.

9.2. The Early Termination fee shall consist of the full amount of all remaining Subscription Fee installments that would have become due during the period of which the Agreement would have continued in the absence of the Early Termination.

9.3. Nitro shall determine the amount of the Early Termination fee as soon as possible and shall then provide the Customer with a written specification thereof. This specification shall be deemed binding unless the Customer provides evidence showing that the calculation is incorrect. The Early Termination fee shall qualify as a contractual fee under Nitro’s Terms of Service.

9.4. In addition to Section 8.4 of Nitro’s Terms of Service, Early Termination does not entitle the Customer to any reduction, credit, or refund of amounts already invoiced and/or paid in accordance with the Agreement. Such amounts shall remain fully due and shall not be reversed as a result of the termination.

9.5. The Customer acknowledges and agrees that this Section 9 is reasonable and proportionate. To the extent that (any part of) this Section 9 is found to be contrary to applicable law, it shall be replaced by a provision that most closely reflects the intended purpose and effect.


Article 10. Miscellaneous

10.1. The governing law and jurisdiction provisions set out in the Agreement shall also apply to this Addendum.

10.2. For the purposes of this Addendum, “written” and “in writing” shall include communication by email or other forms of electronic messaging, provided that the sender’s identity and the integrity of the content of the message can be sufficiently verified.

 

Annex 1. Service Specific Details

This Annex forms an integral part of Nitro’s EU Data Act Addendum and serves, among other things, to elaborate on the information referred to in Section 3 of the Addendum.


This table relates to the Data Processing Service: Nitro Sign Enterprise Verified

For avoidance of doubt, Nitro Sign Enterprise Verified does not qualify as a custom version within the meaning of Article 31(1) of the Data Act.
Subject Details
Relevant Data

The Relevant Data consists of:

  • Customer Content - Data uploaded, created, or otherwise provided by the Customer or its users within the Service (e.g. documents uploaded for signature, contacts)
  • Output Data - Data generated through the use of the Service (e.g. signed documents, documents in any intermediate signing state, audit logs, audit trails, processed files, results, reports)
  • Signing Evidence and Audit Trails - evidence data generated in the course of signing transactions, including: audit trails capturing package information, signer and viewer events, reassignment events, approval and refusal events, and associated timestamps, names, email addresses and IP addresses of participants; and, where captured, phone numbers and email addresses used for SMS or email one-time-password signing.
  • Metadata - Data relating to the use of the Service (e.g. timestamps, activity logs, and configuration data)
  • User Data - Basic user information necessary for the operation of the Service (e.g. user identifiers, roles, permissions, delegation configurations, out-of-office rules)
  • Configuration Data - Customer-specific settings, preferences, and service configurations (e.g. custom-built templates, sign workflows settings, API configuration settings, branded signing experiences, retention policies)
  • Integration Configuration Metadata - metadata describing how the Service is connected to the Customer's own systems and to third parties (e.g. identifiers of configured connections, field mappings, callback URLs), excluding any live credentials, client secrets or cryptographic material.
  • Licensing and Account Data - data held in respect of the Customer's account, licences and subscription, including company information and user licence assignments.
  • Tenant Audit Logs - administrative action logs and tenant-level event logs attributable to the Customer's tenant (e.g. configuration changes, administrator actions, API access logs), to the extent such logs are retained in accordance with the Service's retention policies.
  • Usage Data (Customer-specific) - Data relating to the Customer’s use of the Service, to the extent required to ensure continuity when switching providers (e.g. Customer specific analytics data)
Excluded Data

The following Data are not part of the Relevant Data and therefore cannot be transferred or deleted pursuant to the EU Data Act Addendum at the Customer’s request:

  • Security and Integrity Data - Data necessary to ensure the security, integrity, and proper functioning of the Service (e.g. security logs, encryption keys, intrusion detection logs, penetration test results, vulnerability scan data, internal access tokens, session tokens, authentication secrets, cryptographic material used to encrypt signed documents or audit proofs at rest, and fraud or anomaly detection signals).
  • Nitro Proprietary Data - Trade secrets, algorithms, models, and other confidential business information of Nitro, including but not limited to Nitro's source code, signing engine, document processing and conversion libraries, OCR engines, AI components used within the Service, and Nitro-provided template libraries in their unmodified form.
  • Internal Analytics and Improvement Data - Data used internally by Nitro for service improvement, analytics, and benchmarking, to the extent it is not Customer-specific (e.g. platform telemetry, performance monitoring, service health metrics, aggregated analytics, internal support ticket metadata, anonymous product usage data collected at platform level).
  • Third-Party Licensed Components - third-party software components, libraries, content and services that Nitro sublicenses or integrates within the Service (including but not limited to third-party libraries embedded within the desktop PDF application, the Knowledge Assistant and Document Assistant foundation model infrastructure, and third-party conversion or processing components), which Nitro does not have the right to redistribute.
  • Third-Party Data - Data of other Nitro customers held in shared infrastructure, data of third-party signers, viewers or data subjects where export would exceed what the Customer is entitled to receive in the ordinary course.
  • Aggregated or Anonymised Data - Data that has been aggregated and/or anonymised in such a way that it can no longer be linked to the Customer.
  • Legally Restricted Data - Data that cannot be shared due to applicable laws or regulatory requirements.

The exclusions set out above shall not be applied or interpreted in a manner that impedes or delays the Customer's exercise of its switching rights under Chapter VI of the EU Data Act. Where an exclusion would in practice have such an effect, Nitro will work in good faith with the Customer to provide an equivalent or alternative output that enables the switching process to proceed.

Transparency regarding Jurisdiction, International Access and Transfer

Information concerning (a) the jurisdiction applicable to the ICT infrastructure used by Nitro, and (b) a general description of the technical, organizational, and contractual measures implemented by Nitro to prevent unauthorized international access or transfers, is available at:

(a) https://www.gonitro.com/security-compliance/data-protection/subprocessors-and-subcontractors  (b) https://www.gonitro.com/hubfs/information-security-policy.pdf 

 

 

 

This table relates to the Data Processing Service: Nitro Identity Hub

For avoidance of doubt, Nitro Identity Hub does not qualify as a custom version within the meaning of Article 31(1) of the Data Act.
Subject Details
Relevant Data

The Relevant Data consists of:

  • User Data - user information relating to the Customer's administrators and operators of the Service (e.g. user identifiers, names, email addresses, roles, permissions, API access assignments).
  • Configuration Data - Customer-specific settings and service configurations, including: identity schemes and identity sources enabled for the Customer's tenant; verification workflow configurations; session auto-deletion settings; API configuration settings; branding and user experience settings; tenant-level retention policies.
  • Integration Configuration Metadata - metadata describing how the Service is connected to the Customer's own systems and to third-party identity schemes (e.g. identifiers of configured connections, field mappings, callback URLs), excluding any live credentials, client secrets or cryptographic material.
  • Tenant Audit Logs - administrative action logs and tenant-level event logs attributable to the Customer's tenant (e.g. configuration changes, administrator actions, aggregated verification event counts), to the extent such logs are retained in accordance with the Service's retention policies. Logs are not a substitute for a persistent identity verification history, which the Service does not maintain.
  • Active Session Data (if any) - identity data retrieved during a verification session that has not yet been auto-deleted (subject to the default 15-minute session deletion and any Customer-configured deletion period).
Excluded Data

The following Data are not part of the Relevant Data and therefore cannot be transferred or deleted pursuant to the EU Data Act Addendum at the Customer’s request:  

  • Security and Integrity Data - Data necessary to ensure the security, integrity, and proper functioning of the Service (e.g. security logs, encryption keys, intrusion detection logs, penetration test results, vulnerability scan data, internal access tokens, session tokens, authentication secrets, fraud and anomaly detection signals, device fingerprints, risk scoring signals, and cryptographic keys or certificates held by Nitro in connection with identity scheme integrations).

  • Nitro Proprietary Data - Trade secrets, algorithms, models, and other confidential business information of Nitro, including but not limited to Nitro's source code, identity orchestration engine, scheme integration logic, verification decision logic, and any proprietary software components underlying the Service.

  • Internal Analytics and Improvement Data - Data used internally by Nitro for service improvement, analytics, and benchmarking, to the extent it is not Customer-specific (e.g. platform telemetry, performance monitoring, service health metrics, aggregated analytics, internal support ticket metadata).  

  • Third-Party Identity Scheme Data - Data held by third-party identity providers (including but not limited to itsme®, BankID Norway, BankID Sweden, MitID, FTN, One.id, and Belgian eID infrastructure) that Nitro orchestrates on the Customer's behalf. Such data is subject to those providers' own retention, deletion, and access terms and is not held by Nitro. Nitro will, where reasonably possible and within the transitional period, assist the Customer in directing requests to such providers.

  • Biometric and Source Identity Evidence - raw biometric data, liveness captures, identity document images, and source identity evidence are not retained by Nitro beyond the verification session and are therefore not available for export. Where such data exists within an active session at the time of a switching request, it remains subject to the Service's auto-deletion configuration.

  • Third-Party Data - Data of other Nitro customers held in shared infrastructure, data of third-party signers or data subjects where export would exceed what the Customer is entitled to receive in the ordinary course, and third-party licensed content or components that Nitro does not have the right to redistribute.

  • Aggregated or Anonymised Data - Data that has been aggregated and/or anonymised in such a way that it can no longer be linked to the Customer.

  • Legally Restricted Data - Data that cannot be shared due to applicable laws or regulatory requirements, including where applicable anti-money-laundering, counter-terrorist financing, or other statutory retention or confidentiality obligations. 

The exclusions set out above shall not be applied or interpreted in a manner that impedes or delays the Customer's exercise of its switching rights under Chapter VI of the EU Data Act. Where an exclusion would in practice have such an effect, Nitro will work in good faith with the Customer to provide an equivalent or alternative output that enables the switching process to proceed.

Transparency regarding Jurisdiction, International Access and Transfer

Information concerning (a) the jurisdiction applicable to the ICT infrastructure used by Nitro, and (b) a general description of the technical, organizational, and contractual measures implemented by Nitro to prevent unauthorized international access or transfers, is available at:

(a) https://www.gonitro.com/security-compliance/data-protection/subprocessors-and-subcontractors 

(b) https://www.gonitro.com/hubfs/information-security-policy.pdf 

See what Nitro can do for you

Take the next step to digital success today.

Icon-48px-Rapid Support

Contact sales

Talk to our experts about your business needs, and explore cost-effective options for Nitro's world-class PDF and eSign solutions.
Get in touch
Icon-48px-Smart signing

Free trial

Try Nitro’s PDF and eSign solutions to edit, sign, and organize documents effortlessly—free for 14 days!
Start your free trial
icon of people with a plus sign

Become a partner

Learn about our exciting partner opportunities for Nitro's trusted document solutions.
Partner with Nitro today