Data Protection Addendum
Digital Nester Inc., dba ProfileNest
This Data Protection Addendum (“Addendum”) forms part of the Services Agreement (“Agreement”) between Digital Nester Inc., doing business as ProfileNest (“Company”) and the Customer (“Customer”), and reflects the parties’ agreement on the processing of Personal Data.
- Definitions
- Data Protection Laws: All applicable privacy and data protection laws and regulations, including but not limited to the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, the California Consumer Privacy Act (“CCPA”), and any equivalent laws in other jurisdictions.
- Personal Data: Any information relating to an identified or identifiable natural person as defined by applicable Data Protection Laws.
- Processing, Data Subject, Data Controller, Data Processor, Subprocessor, and other capitalized terms shall have the meanings ascribed under the applicable Data Protection Laws.
- Scope and Applicability
- This Addendum applies to Company’s processing of Personal Data on behalf of the Customer in connection with services provided under the Agreement. The Customer acts as the Data Controller and the Company acts as the Data Processor.
- Compliance and Security Measures
Company shall:
- Process Personal Data only on documented instructions from the Customer;
- Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
- Ensure that persons authorized to process the Personal Data are bound by confidentiality obligations;
- Comply with all applicable Data Protection Laws in its performance of the Agreement.
- Subprocessors
- Company may engage Subprocessors to support the delivery of services. A current list of Subprocessors will be made available to Customer upon request. Company shall ensure that all Subprocessors are bound by written agreements that impose data protection obligations no less protective than those set out in this Addendum.
Customer will be notified of any intended changes concerning the addition or replacement of Subprocessors and may object on reasonable grounds relating to data protection.
- Data Subject Rights
- Taking into account the nature of the processing, Company shall assist Customer in fulfilling its obligations to respond to Data Subject requests, including requests to access, rectify, erase, restrict, or port Personal Data, or to object to processing.
If Company receives a Data Subject request directly, it shall promptly notify Customer and refrain from responding unless authorized to do so by Customer or required by law.
- Data Breach Notification
In the event of a confirmed Personal Data breach affecting Customer’s data, Company shall notify Customer without undue delay after becoming aware of the breach. The notification shall include:
- A description of the nature of the breach;
- The categories and approximate number of affected Data Subjects;
- The likely consequences of the breach;
- Measures taken or proposed to address the breach.
- Data Transfers
- If Company processes or transfers Personal Data outside of the European Economic Area, the UK, or any jurisdiction with applicable restrictions, such transfer will be conducted in compliance with applicable Data Protection Laws, including the use of Standard Contractual Clauses or other approved transfer mechanisms.
- Return or Deletion of Data
- Upon termination or expiration of the Agreement, Company shall, at Customer’s request, return or securely delete all Personal Data processed on behalf of Customer, unless retention is required by applicable law. Certification of deletion will be provided upon request.
- Audit and Records
- Company shall make available to Customer all information necessary to demonstrate compliance with this Addendum and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, provided such audits are reasonable and subject to confidentiality agreements.
- Liability
- Each party’s liability arising out of or in relation to this Addendum shall be subject to the limitations of liability set forth in the Agreement, unless otherwise required by applicable Data Protection Laws.
- Governing Law and Jurisdiction
- This Addendum shall be governed by and construed in accordance with the governing law stated in the Agreement. Any disputes shall be resolved in accordance with the dispute resolution provisions of the Agreement.
- Appendices
Appendix 1 – Details of Processing:
- Subject Matter: Processing of Personal Data in connection with the provision of Company’s services.
- Duration: Duration of the Agreement and any required retention period.
- Nature and Purpose: To provide services under the Agreement.
- Types of Personal Data: May include name, contact information, account data, usage data, communications, and other personal identifiers.
- Categories of Data Subjects: End users, customers, clients, employees, or other individuals whose data is processed in connection with the services.
- Appendix 2 – Security Measures
- Company maintains industry-standard technical and organizational measures, including but not limited to:
- Access control and authentication systems;
- Data encryption at rest and in transit;
- Regular vulnerability assessments and penetration testing;
- Incident response protocols;
- Employee training and confidentiality agreements;
- Data backups and disaster recovery procedures;
- Monitoring and logging of system access.
By continuing to use the services under the Agreement, Customer agrees to the terms of this Data Protection Addendum.