Data Processing Agreement
Version: Draft, Last updated: June 7, 2026
This page is provided for informational purposes and is subject to future legal review.
Introduction
This Data Processing Agreement ("DPA") supplements and is incorporated into the Nuxari Terms of Service and any applicable subscription or evaluation agreement between Nuxari, Inc. ("Nuxari") and the Customer. In the event of a conflict between this DPA and those agreements with respect to data processing, this DPA controls.
This DPA applies when Nuxari processes Customer Personal Data to provide the Services. It sets out the parties' respective obligations regarding data protection and describes the technical and organizational measures Nuxari implements to protect Customer Personal Data.
This document is provided for informational purposes. It is not a final, attorney-approved agreement and is subject to legal review before being offered as a binding DPA to platform customers.
Definitions
For the purposes of this DPA, the following terms have the meanings set out below:
- Customer: The organization that subscribes to or evaluates the Nuxari platform under an applicable agreement.
- Nuxari: Nuxari, Inc., the provider of the platform Services.
- Customer Data: All data that Customer or its users submit to or generate through the Services, including Customer Personal Data.
- Customer Personal Data: Any information within Customer Data that relates to an identified or identifiable natural person.
- Data Protection Laws: All applicable laws and regulations relating to the processing of personal data, including but not limited to the GDPR, UK GDPR, CCPA/CPRA, and other applicable privacy and data protection legislation.
- Controller: The entity that determines the purposes and means of processing personal data.
- Processor: The entity that processes personal data on behalf of the Controller.
- Subprocessor: A third party engaged by Nuxari to process Customer Personal Data in connection with the Services.
- Services: The Nuxari governance, access drift, remediation, evidence, reporting, AI assistant, connector, and workflow platform and related services.
- Security Incident: A confirmed breach of Nuxari's security measures leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
Roles of the parties
The parties acknowledge that, with respect to Customer Personal Data processed through the Services:
- Customer is generally the Controller of Customer Personal Data.
- Nuxari is generally the Processor or service provider, processing Customer Personal Data on behalf of and under the instructions of Customer.
- To the extent Nuxari processes Customer Personal Data for its own purposes outside the scope of the Services, Nuxari acts as a Controller for such processing, which is governed by Nuxari's Privacy Policy.
Processing details
The following table describes the nature of Nuxari's processing of Customer Personal Data in connection with the Services.
| Element | Description |
|---|---|
| Subject matter | Providing Nuxari governance, access drift, remediation, evidence, reporting, AI assistant, connector, and workflow services. |
| Purpose | To operate, secure, support, and improve the Services on behalf of Customer. |
| Data subjects | Customer administrators, end users, employees, contractors, approvers, auditors, service account owners, and support contacts. |
| Categories of personal data | Name, email address, user identifier, role, title, department, group membership, access assignments, license assignments, approval records, audit events, activity and usage metadata, connector metadata, remediation records, notification metadata. |
| Sensitive data | Customers should not submit sensitive personal data (such as health information, financial account numbers, or government-issued identifiers) unless expressly permitted by the applicable agreement. |
| Credential handling | Nuxari does not require customers to submit raw passwords, private keys, or API secrets. Credentials used by connectors are encrypted at rest and redacted from audit logs. |
Customer instructions
Nuxari processes Customer Personal Data only on documented instructions from Customer, including as set out in these Terms, the applicable agreement, and any configuration settings Customer applies within the Services.
If Nuxari is required by applicable law to process Customer Personal Data outside the scope of Customer's instructions, Nuxari will inform Customer before doing so, unless prohibited by law.
Customer is responsible for ensuring that its instructions comply with applicable Data Protection Laws, and that it has obtained any necessary consents or has an appropriate legal basis for the processing it instructs Nuxari to perform.
Confidentiality
Nuxari ensures that personnel authorized to process Customer Personal Data are subject to appropriate confidentiality obligations, whether by contract or applicable professional duty.
Access to Customer Personal Data is limited to personnel who require such access to perform their responsibilities in connection with the Services.
Security measures
Nuxari implements appropriate technical and organizational measures ("TOMs") designed to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include:
- Access controls limiting platform access to authenticated and authorized personnel
- Role-based access control (RBAC) enforced across all platform operations
- Strict tenant isolation ensuring no cross-organization data access
- Encryption of data in transit using TLS
- Encryption of data at rest where applicable
- Comprehensive audit logging of all platform actions
- Credential redaction: raw secrets are excluded from audit logs and storage
- Approval-controlled remediation: high-impact actions require explicit human authorization before execution
- Secure connector lifecycle: connectors operate with minimum required permissions and are governed and audited
- Least privilege principles applied to internal system components and personnel access
- Incident response procedures enabling timely detection, containment, and notification
For additional detail on Nuxari's security architecture, see the Security overview.
Subprocessors
Nuxari may engage Subprocessors to assist in providing the Services. A list of Subprocessor categories is maintained at /legal/subprocessors.
Nuxari will provide advance notice of material changes to Subprocessors through the platform or via email to the Customer's primary contact. Nuxari imposes data protection obligations on Subprocessors equivalent to those in this DPA.
Customer may reasonably object to a new Subprocessor by notifying Nuxari in writing within the notice period specified in the applicable agreement. If the parties cannot resolve the objection, Customer may terminate the applicable agreement in accordance with its terms.
Data subject requests
Customer is responsible for receiving and responding to data subject rights requests (such as access, correction, deletion, or portability requests) in accordance with applicable Data Protection Laws.
Nuxari will provide reasonable technical assistance to Customer to help it fulfill data subject requests, taking into account the nature of processing and the information available to Nuxari. Such assistance may be subject to additional fees as agreed in the applicable agreement.
Security incidents
Upon becoming aware of a confirmed Security Incident affecting Customer Personal Data, Nuxari will notify Customer without undue delay and in accordance with the timeframes specified in the applicable agreement.
The notification will include, to the extent available at the time, a description of the nature of the incident, the categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address the incident.
Notification of a Security Incident does not constitute an acknowledgment of fault or liability by Nuxari. Customer is responsible for determining whether a Security Incident triggers its own notification obligations to data subjects or regulatory authorities.
Data return and deletion
Upon termination or expiry of the applicable agreement, Nuxari will handle Customer Data in accordance with the data return and deletion provisions of that agreement. Where no specific terms are agreed, Nuxari will delete or render inaccessible Customer Personal Data within a reasonable period following termination, except to the extent retention is required by applicable law.
International transfers
Any transfer of Customer Personal Data to countries outside the European Economic Area, United Kingdom, or other jurisdictions with data transfer restrictions is subject to the applicable transfer mechanism specified in the applicable agreement and applicable Data Protection Laws.
Nuxari's international transfer arrangements are subject to ongoing legal review. Customers with specific international transfer requirements should contact Nuxari prior to processing.
Audits
Nuxari will provide Customer with information reasonably necessary to demonstrate Nuxari's compliance with this DPA, subject to reasonable confidentiality protections.
Any on-site audit rights are subject to the terms of the applicable agreement, reasonable advance notice, and appropriate limitations to protect the confidentiality of other customers' data and Nuxari's proprietary information.
Conflict
In the event of a conflict between this DPA and any other agreement between the parties with respect to the processing of Customer Personal Data, this DPA controls. In all other respects, the applicable agreement governs.
Contact
Questions about Nuxari's DPA? Contact us.