Nakamo Logo

Data Processing Agreement

Valid from 1 April 2026 โ€” Currently active

Nakamo AG, Brown Boveri Platz 3, 5400 Baden, Switzerland privacy@nakamo.io ยท www.nakamo.io

1 Subject

1.1 The Parties have entered into the Nakamo Terms of Use ("Terms of Use") due to Customer ordering, accessing or using the Services. To the extent the Services may relate to Nakamo's processing of Customer Personal Data on behalf of Customer, the Parties wish to extend the Terms of Use to ensure their continuous compliance with the applicable Data Protection Laws.

1.2 This Data Processing Agreement ("DPA") forms an integral part of the Terms of Use and shall terminate upon termination or expiration of the Terms of Use for whatever reason. The terms set forth in this DPA amend, supplement and supersede the Terms of Use in respect of provisions relating to Nakamo's processing of Customer Personal Data. All terms and conditions of the Terms of Use not otherwise amended and supplemented herein remain unchanged and in full force and effect.

1.3 Any capitalized terms used in this DPA not otherwise defined hereunder shall have the same meaning as defined in the Terms of Use. In the event of a conflict between provisions of this DPA and the Terms of Use, this DPA shall prevail.

1.4 Nakamo may modify this DPA from time to time. Unless otherwise specified by Nakamo, changes become effective for Customer upon renewal of the then-current Subscription Term or entry into a new Service order after the updated version of this DPA goes into effect. Nakamo will use reasonable efforts to notify Customer of the changes through communications via Customer's account, email or other means.

2 General Provisions

2.1 Customer, as the Data Controller of Customer Content and Customer Personal Data, is responsible for its compliance with the applicable Data Protection Laws and shall keep records of its processing activities according to Art. 30 (1) GDPR respectively Art. 12 (1) FADP.

2.2 The Parties agree that Nakamo and its Approved Third Parties may process Customer Personal Data in accordance with the provisions of this DPA. Nakamo shall comply with and procure that its Approved Third Parties comply with the obligations imposed under the applicable Data Protection Laws in relation to the Customer Personal Data processed hereunder.

2.3 Nakamo shall process Customer Personal Data on behalf of Customer solely for the purposes of performing the Services under the Terms of Use. Nakamo will process Customer Personal Data in accordance with Customer's instructions. The Terms of Use, including this DPA and the Nakamo Privacy Policy, shall contain Customer's initial instructions to Nakamo with regards to the processing under this DPA. Customer may communicate any change in its initial instructions to Nakamo by way of written notification. For the avoidance of doubt, any instructions that would lead to processing outside the scope of the Terms of Use, including this DPA and the Privacy Policy, require a prior agreement between the Parties.

2.4 Nakamo shall immediately notify Customer if it considers, in its opinion acting reasonably, that it is required by law to act other than in accordance with the instructions of Customer pursuant to clause 2.3 of this DPA. Nakamo is not obliged to adhere to these instructions until the instruction is either confirmed or corrected by Customer. Instructions that are unlawful shall not be followed. Nakamo shall not be liable for any losses arising from or in connection with any processing made in accordance with such instructions.

2.5 Except in relation to the deletion and/or return of Customer Personal Data following expiry or termination of this DPA, the right of Nakamo and its Approved Third Parties to process Customer Personal Data under this DPA ends automatically with termination of the Terms of Use for whatever reason, unless required otherwise by the applicable Data Protection Laws.

3 Data Processing Activities

3.1 Customer understands that Nakamo and its Approved Third Parties will process Customer Personal Data in accordance with the applicable Data Protection Laws, the Terms of Use, this DPA and the Nakamo Privacy Policy, as amended from time to time.

3.2 Customer Personal Data is processed to perform the contractual obligations as set out in the Terms of Use, specifically the following processing activities:

- Support and Maintenance Services: Nakamo may provide support and maintenance services to Customer in connection with the Terms of Use. Support and maintenance may be provided either in the context of Software or cloud-based Services (as may be applicable). When providing support and maintenance, Nakamo may be required to access or receive Customer Personal Data.

- Professional Services: If Customer requires professional services as part of a Service offering, then Nakamo may be required by Customer to process Customer Personal Data as part of such an engagement.

- Cloud-based Services: If Customer subscribes to cloud-based Services then Customer will upload Customer Content, including Customer Personal Data to that cloud-based Service in order to properly use the Service.

3.3 Data Protection Contact for Nakamo. Email privacy@nakamo.io to the attention of the Data Protection Contact of Nakamo AG (Brown Boveri Platz 3, 5400 Baden, Switzerland).

3.4 Nakamo shall maintain the written log of its processing activities up to date.

4 Place of Processing

4.1 Customer Personal Data is processed exclusively within Microsoft Azure infrastructure operated by Microsoft Ireland Operations Limited. Persistent storage of Customer Personal Data takes place in Switzerland. AI inference is performed within Microsoft Azure AI Foundry; whenever the relevant AI model is available within the European region, inference is performed in Europe. Where the relevant AI model is not available in the European region, inference may be performed in any Microsoft Azure region globally (including outside the EEA), in which case the safeguards described in clause 4.3 apply. Inputs and outputs sent to Microsoft's foundation-model APIs may be retained by Microsoft for up to thirty (30) days for abuse-monitoring purposes in the region of the relevant Azure resource.

4.2 The processing under this DPA otherwise takes place in an EEA member state, Switzerland or the United Kingdom. Any transfer of Customer Personal Data to a third country which does not have a valid adequacy decision of the European Commission according to Art. 45 (3) GDPR respectively of the Federal Council according to Art. 16 (1) FADP is only permitted if approved by Customer and if at least one of the conditions in Art. 46 (2) or Art. 49 GDPR respectively Art. 16 (2) or Art. 17 FADP is met to ensure appropriate protection of the Customer Personal Data in that third country.

4.3 Where there is international transfer of Customer Personal Data to countries which do not ensure an adequate level of data protection in accordance with Art. 45 (3) GDPR respectively Art. 16 (1) FADP, the Parties or Nakamo and its Approved Third Parties, as the case may be, enter into EU Standard Contractual Clauses with the Swiss and UK Addendum ("SCC") in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals. Nakamo shall perform a risk assessment before such a transfer.

5 Approved Third Parties

5.1 Nakamo may appoint third parties and disclose Customer Personal Data to such third parties only insofar as this is necessary to fulfill its obligations under the Terms of Use or as necessary to comply with applicable mandatory law. Nakamo will give Customer the opportunity to object to the engagement of new third parties on reasonable grounds relating to the protection of Personal Data within 30 days of notifying Customer of the appointment of new third parties. If Customer does notify Nakamo of such an objection in writing, the Parties will discuss Customer's concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached within 15 days, Nakamo will, at its sole discretion, either not appoint the new third party, or permit Customer to terminate the affected Subscription Service in accordance with the termination clause of the Terms of Use without liability to either Party (but without prejudice to any fees incurred by Customer prior to termination). All Fees payable upon the effective date of termination shall become immediately due for payment.

5.2 Nakamo shall procure a legally binding agreement with the third party which shall be on terms that are similar to the terms of this DPA. Nakamo shall regularly monitor that its Approved Third Parties abide to such agreement and the applicable Data Protection Laws.

5.3 Nakamo shall remain responsible for the acts and omissions of its Approved Third Parties in connection with this DPA. Nakamo shall, without undue delay, notify Customer in the event that it becomes aware of any Data Breach by any of its Approved Third Parties in connection with this DPA.

5.4 Approved Third Parties. A current list of Approved Third Parties involved in the provision of the Services under the Terms of Use is published at https://nakamo.io/en/legal/subprocessors.

6 Data Processing

6.1 Nakamo ensures that its internal organization is set up in a way that enables it to comply with the applicable Data Protection Laws and good industry practice. Nakamo ensures that the technical and organizational measures taken provide appropriate protection regarding the confidentiality, integrity, availability and capacity of the respective systems. The state-of-the-art technique, costs of implementation, purpose, scope, type of Personal Data and method of processing as well as the risks of varying likelihood and severity for the rights and freedom of the Data Subject shall be taken into account when choosing the appropriate technical and organizational measures. Nakamo reviews its measures taken on a regular basis.

6.2 Nakamo shall regularly review and assess its technical and organizational security measures in compliance with applicable Data Protection Laws and good industry practice.

6.3 Nakamo shall not modify, delete or rectify Customer Personal Data unless authorized by Customer or to the extent required for the proper performance of the Services under the Terms of Use. Nakamo shall not make copies of Customer Personal Data without the prior consent of Customer. Back-up copies are permitted provided they are necessary for the proper performance of the Services or required according to the applicable laws.

6.4 Nakamo shall procure that only these employees, contractors and agents and those employees, contractors and agents of its Approved Third Parties that need to have access to Customer Personal Data for the performance of the Services are granted such access. It shall take reasonable measures to ensure the reliability and integrity of these employees, contractors and agents and shall procure that appropriate contractually binding confidentiality undertakings have been entered into between itself and such parties. The confidentiality undertakings shall survive the termination of this DPA for whatever reason.

6.5 Nakamo shall, and shall procure that its Approved Third Parties, transfer Customer Personal Data only in accordance with this DPA as is strictly necessary for the performance of the Services hereunder, where authorized or instructed by Customer or where required by the applicable Data Protection Laws. In the latter case, Nakamo shall inform Customer before such a transfer is made, and in any case immediately after such disclosure, unless prohibited by the applicable Data Protection Laws.

6.6 Upon written request, Nakamo shall make available to Customer information reasonably requested by it to demonstrate Nakamo's compliance with the obligations set out in this DPA and the applicable Data Protection Laws, in accordance with the following process:

(i) Upon Customer's reasonable request, Nakamo shall provide the relevant and necessary material, documentation and information in relation to Nakamo's technical and organizational security measures used to protect Customer Personal Data in relation to the Services in order to demonstrate compliance with applicable Data Protection Laws and this DPA.

(ii) If, following completion of the actions set out under clause 6.6 (i) of this DPA, Customer reasonably believes that Nakamo is non-compliant with the applicable Data Protection Laws or this DPA, Customer may request that Nakamo make available, either by webinar or in a face-to-face review, extracts of the relevant information necessary to further demonstrate its compliance. Customer wishing undertaking such review shall give Nakamo reasonable notice thereof by contacting Nakamo's Data Protection Contact privacy@nakamo.io with the subject line "Customer Audit Request" of any review to be conducted under this section.

(iii) In the event that Customer reasonably believes that its findings following the steps set out under clause 6.6 (ii) do not enable it to comply materially with its obligations mandated under the applicable Data Protection Laws in relation to its appointment of Nakamo, then Customer may give Nakamo no less than thirty (30) days' prior written notice of its intention to undertake an audit which may include inspections of Nakamo's premises to be conducted by an independent auditor mandated by Customer (not being a competitor of Nakamo). Such audit shall (a) be subject to confidentiality obligations agreed between Customer and Nakamo, (b) be undertaken solely to the extent mandated by, and may not be further restricted under the applicable Data Protection Laws, (c) not require Nakamo to compromise the confidentiality of security aspects of its systems and/or data processing facilities (including that of its Approved Third Parties), and (d) not be undertaken where it would place Nakamo in breach of its confidentiality obligations towards customers, vendors and/or partners, or (d) generally or otherwise cause Nakamo to breach laws applicable to it. The appointed auditor shall avoid causing any damage, injury or disruption to Nakamo's premises, equipment, personnel or business in the course of such audit. To the extent that such audit performed exceeds one (1) business day, Nakamo reserves the right to charge Customer for each additional day at its then-current daily rates.

(iv) If following such an audit, Customer reasonably determines that Nakamo is non-compliant with the applicable Data Protection Laws then Customer shall provide details thereof in writing to Nakamo upon receipt of which Nakamo shall provide its response and to the extent required, a draft remediation plan for the mutual agreement of the Parties (such agreement not to be unreasonably withheld or delayed; the mutually agreed plan being the "Remediation Plan"). Where the Parties are unable to reach agreement on the Remediation Plan, or if an agreement is reached, Nakamo materially fails to implement the Remediation Plan by the agreed dates which in either case is not cured within forty-five (45) days following Customer's notice or another period as mutually agreed between the Parties, Customer may terminate the Services in part or in whole which relate to the non-compliant processing and the remaining Services shall otherwise continue unaffected by such termination.

6.7 The rights of Customer under clause 6.6 of this DPA may only be exercised once per calendar year unless Customer reasonably believes Nakamo to be in material breach of its obligations under this DPA or the applicable Data Protection Laws.

7 Assistance, breach notification and Deletion

7.1 Nakamo shall provide any reasonably necessary cooperation or assistance requested by Customer in connection with steps that Customer takes to comply with the applicable Data Protection Laws insofar as they directly relate to the Services. This includes assisting Customer with regulatory requirements and managing and responding to requests or complaints from Data Subjects, authorities and/or other third parties with respect to their rights under the applicable Data Protection Laws.

7.2 Where a Data Protection Impact Assessment ("DPIA") is required under the applicable Data Protection Laws for the processing of Personal Data, Nakamo shall provide Customer, upon request, with reasonable cooperation and assistance needed to fulfill Customer's obligation to carry out a DPIA related to Customer's use of the Services, to the extent that Customer does not otherwise have access to the relevant information and such information is available to Nakamo.

7.3 Data Subject Request. Nakamo shall promptly notify Customer if it or one of its Approved Third Party receive a request by a Data Subject and shall (i) not disclose any Personal Data in response to any such request without the prior written consent of Customer, (ii) promptly provide Customer with reasonable co-operation and assistance to any such request by the Data Subject, and (iii) provide Customer with any information reasonably requested by it.

7.4 Authority Request. If Nakamo is obliged by law to disclose Customer Personal Data to a law enforcement agency or other third party, Nakamo shall give Customer reasonable notice of the access request prior to granting such access, to allow Customer to seek a protective order or other appropriate remedy. Where such notice is legally prohibited, Nakamo shall take reasonable measures to limit the disclosure of Customer Personal Data.

7.5 Customer shall pay Nakamo reasonable charges mutually agreed between the Parties for providing the assistance under clauses 7.1, 7.2, 7.3 and 7.4 of this DPA, to the extent that such assistance is not reasonably able to be accommodated within the normal provision of the Services.

7.6 Data Breach Notification. Nakamo shall, without undue delay provide Customer with all information in Nakamo's possession concerning a Data Breach in connection with the Terms of Use or this DPA. Following such notification and, within such timescale to be agreed between the Parties (acting reasonably and in good faith), both Parties shall support each other to (i) implement any measures necessary to restore the integrity of compromised Customer Personal Data, and (ii) make any necessary notifications to the relevant authorities, affected Data Subjects and other relevant third parties.

7.7 Return and Deletion. Upon termination or expiration of this DPA for whatever reason, Nakamo will make Customer Personal Data available for export for thirty (30) days from the effective date of termination or expiration ("Export Period"). For Customer Personal Data that is retained by Nakamo and is exportable, and provided that Customer has paid all applicable Fees, Customer may contact Nakamo via support@nakamo.io within the Export Period and have Customer Personal Data exported by Nakamo, subject to the applicable professional services fees. After the expiration of the Export Period, Nakamo will delete available Customer Personal Data except as necessary to comply with Nakamo's legal obligations, resolve disputes, and enforce this DPA. Once deleted, Customer Content cannot be recovered.

8 Final provisions

8.1 Neither Party may assign any of its rights or obligations under this DPA, without the prior written consent of the other Party (not to be unreasonably withheld). Either Party may however assign this DPA to a successor of all or substantially all of the business of such Party whether by merger, acquisition, corporate reorganization, or sale of substantially all of its assets without the other Party's consent. This DPA shall be binding upon and inure to the benefit of the Parties' successors.

8.2 If individual clauses of this DPA are either fully or partially unlawful, invalid, or for any other reason unenforceable, the validity of the remaining clauses of this DPA shall not be affected. The Parties are obliged to cooperate in good faith to replace such invalid clauses with clauses which the Parties would have intended at the time of concluding this DPA and which come as close as possible to the invalid clause.

8.3 Neither Party will be liable to the other for any delay or failure to perform any obligation under this DPA if the delay or failure results from any cause beyond that Party's reasonable control, including but not limited to, acts of God, acts of government, acts of terror or civil unrest, internet failures, or acts undertaken by third parties not under the performing Party's control, including, without limitation, denial of service attacks ("Force Majeure Event"). In the event that a Force Majeure Event continues for a period of thirty (30) consecutive days, the other Party may terminate this DPA on written notice to the non-performing Party.

8.4 This DPA shall terminate upon termination or expiration of the Terms of Use for whatever reason. Each Party's right of extraordinary and immediate termination according to statutory provisions shall not be affected. Notwithstanding the foregoing, this DPA shall survive the termination or expiry of the Terms of Use to the extent that Nakamo continues to process Customer Personal Data.

8.5 This DPA shall be governed by and be construed in accordance with the laws of Switzerland under the explicit exclusion of the UN Convention on Contracts for the International Sale of Goods. Place of jurisdiction is Baden, Aargau, Switzerland subject to mandatory legal provisions.

---

Annex 1: Details of Processing Activities

This Annex 1 describes the subject, the duration of the processing, the nature and purpose of the processing operations, the types of personal data and categories of data subjects that are governed by the provisions of this DPA, of which it forms an integral part.

Subject-matter

Processing of Personal Data for the provision of Services in accordance with the Nakamo Terms of Use.

Duration of the processing

Nakamo will process Personal Data for the term of the Nakamo Terms of Use or written individual Agreement in a Nakamo offer, unless otherwise agreed in writing.

Nature and purpose of the processing

Provision, operation, support and maintenance of the Services as ordered by Customer.

Types of personal data

Depending on the products and services used by the Customer, personal data from the following categories may be included:

- Identification and contact data (e.g. first name, last name, business email address, business phone number, professional title);

- Account and authentication data (e.g. user identifiers, audit logs);

- Any personal data contained in materials uploaded to, or generated through, the Services by Customer.

Categories of data subjects

- Customer's representatives;

- Users authorised by Customer to access the Services;

- Individuals named or referenced in materials uploaded to, or generated through, the Services by Customer.

Nakamo AG
Brown Boveri Platz 3
5400 Baden
Switzerland

hello@nakamo.io

Built with love and passion in Switzerland ๐Ÿ‡จ๐Ÿ‡ญ

Privacy PolicyImprintCookie PolicyTerms of UseData Processing Agreement

Cookies

We use cookies for basic functionality and analytics. Would be amazing if you allow us to capture analytics, as this helps us to understand in detail how users interact with our website.

To learn more about our privacy practices, please see our policies.

Imprint