Data Processing Agreement

For enterprise customers processing personal data with Nugget

Last updated: January 15, 2024

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Nugget and Customer for the use of Nugget's AI platform services ("Services"). This DPA governs the processing of Personal Data in accordance with applicable Data Protection Laws.

2. Definitions

"Data Protection Laws" means all applicable privacy and data protection laws, regulations, and guidelines, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act ("CCPA"), and any successor legislation.

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Nugget on behalf of Customer in connection with the Services.

"Processing" has the meaning set out in applicable Data Protection Laws.

3. Scope and Applicability

This DPA applies where and only to the extent that Nugget processes Personal Data on behalf of Customer in the provision of the Services, and such processing is subject to Data Protection Laws.

4. Roles and Responsibilities

4.1 Customer as Data Controller

Customer acknowledges and agrees that:

  • It is the Data Controller for any Personal Data processed through the Services
  • It will comply with its obligations under applicable Data Protection Laws
  • It has obtained all necessary consents and provided all required notices
  • It will ensure the accuracy and lawfulness of Personal Data

4.2 Nugget as Data Processor

Nugget acknowledges and agrees that:

  • It acts as a Data Processor on behalf of Customer
  • It will process Personal Data only in accordance with Customer's documented instructions
  • It will not process Personal Data for its own purposes
  • It will assist Customer in meeting its Data Protection Law obligations

5. Data Processing Principles

Nugget will:

  • Process Personal Data only for the specific purposes set out in the Agreement
  • Ensure Personal Data is processed lawfully, fairly, and transparently
  • Collect Personal Data only to the extent necessary for the specified purposes
  • Keep Personal Data accurate and up to date
  • Retain Personal Data only for as long as necessary
  • Process Personal Data securely using appropriate technical and organizational measures

6. Security Measures

Nugget implements and maintains appropriate technical and organizational security measures, including:

6.1 Technical Measures

  • Encryption of Personal Data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and vulnerability testing
  • Secure development practices
  • Network security monitoring

6.2 Organizational Measures

  • Staff training on data protection and security
  • Background checks for personnel with access to Personal Data
  • Incident response procedures
  • Regular security policy reviews
  • Vendor management and due diligence

7. Subprocessors

7.1 Authorized Subprocessors

Customer agrees that Nugget may engage subprocessors to assist in providing the Services, provided that:

  • Nugget maintains an up-to-date list of subprocessors
  • All subprocessors are bound by data protection obligations equivalent to this DPA
  • Nugget remains fully liable for subprocessor performance

7.2 Subprocessor Changes

Nugget will provide Customer with at least 30 days' notice of any new subprocessors. Customer may object to new subprocessors within 30 days of notice.

8. Data Subject Rights

Nugget will assist Customer in responding to Data Subject requests, including:

  • Requests for access to Personal Data
  • Requests for rectification or erasure
  • Requests for restriction of processing
  • Data portability requests
  • Objections to processing

9. Data Breach Notification

In the event of a Personal Data breach, Nugget will:

  • Notify Customer without undue delay and within 72 hours of becoming aware
  • Provide all reasonably available information about the breach
  • Take appropriate measures to address the breach
  • Cooperate with Customer's breach response efforts

10. Data Transfers

10.1 International Transfers

Personal Data may be transferred to and processed in countries outside the EEA/UK. Nugget ensures appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions where applicable
  • Other lawful transfer mechanisms

10.2 Transfer Impact Assessments

Nugget will cooperate with Customer in conducting transfer impact assessments where required by applicable Data Protection Laws.

11. Data Return and Deletion

Upon termination of the Agreement, Nugget will:

  • Return or delete all Personal Data within 30 days
  • Provide certification of deletion upon request
  • Retain Personal Data only where required by law

12. Audits and Compliance

12.1 Audit Rights

Customer may audit Nugget's compliance with this DPA, subject to:

  • Reasonable advance notice (at least 30 days)
  • Execution of appropriate confidentiality agreements
  • Limitation to once per calendar year unless required by Data Protection Laws
  • Customer bearing the costs of audits

12.2 Compliance Documentation

Nugget will maintain records demonstrating compliance with this DPA and make such records available to Customer upon request.

13. Liability and Indemnification

Each party's liability under this DPA will be subject to the limitation of liability provisions in the main Agreement, except where prohibited by applicable Data Protection Laws.

14. Term and Termination

This DPA will remain in effect for as long as Nugget processes Personal Data on behalf of Customer.

15. Amendments

This DPA may only be amended in writing and signed by both parties, except where amendments are required to comply with applicable Data Protection Laws.

16. Governing Law

This DPA is governed by the same law as the main Agreement, except where Data Protection Laws require otherwise.

Contact Information

For questions about this DPA, please contact:


Schedule 1: Processing Details

  • Categories of Data Subjects: Customer's end users and employees
  • Types of Personal Data: As specified by Customer in its use of the Services
  • Processing Purposes: Provision of AI platform services
  • Retention Period: As specified in the main Agreement or as instructed by Customer