Nutanix Customer Data Processing Addendum

This is an archived version of our Nutanix Customer Data Processing Addendum dated September 24, 2021. View the current version.

This Data Processing Addendum, including its schedules and the Standard Contractual Clauses (collectively, the "DPA") is incorporated into and is subject to, the terms and conditions of the Nutanix License and Services Agreement ("Agreement") between the Nutanix contracting entity identified in the Agreement ("Nutanix") and the party identified as the customer in the Agreement ("Customer") pursuant to which Nutanix provides certain Products to Customer.

All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement. This DPA is supplemental to the Agreement and sets out the roles and obligations that apply when Nutanix processes personal data on behalf of Customer when providing the Products protected by Applicable Privacy Law under the Agreement.

By entering into the Agreement, Customer enters into this DPA, and the Standard Contractual Clauses (as applicable and as defined below) on behalf of itself and, to the extent required under Applicable Privacy Law, in the name and on behalf of its Affiliates (if any) permitted to use the Products. For the purposes of this DPA only, and except where indicated otherwise, the term "Customer" shall include Customer and such Affiliates.

The parties agree as follows:

1.     Definitions

1.1.   "Applicable Privacy Law" means European Data Protection Law and the CCPA.

1.2.   "CCPA" means Title 1.81.5 California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100–1798.199), including any amendments and its implementing regulations that become effective on or after the effective date of this DPA (as amended, superseded, or replaced from time to time).

1.3.   "Customer Data" means any data that is protected as "personal data" or "personal information" under Applicable Privacy Law and processed by Nutanix in accordance with Section 2.1. of this DPA in connection with the Products, and as more particularly described in Schedules 1 and 2 of this DPA (as applicable).

1.4.   "Europe" means, for the purposes of this DPA, the member states of the European Economic Area ("EEA"), Switzerland and the United Kingdom ("UK").  

1.5.   "European Data Protection Law" means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("EU GDPR"); (ii) the EU GDPR as saved into UK law by virtue of section 3 of the UK's European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively referred to for these purposes as the "UK GDPR"); (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances ("Swiss DPA"); (iv) the e-Privacy Directive (Directive 2002/58/EC); (v) any applicable national data protection laws made under or pursuant to or that apply in conjunction with (i), (ii), (iii) or (iv) (in each case, as superseded, amended or replaced from time to time).

1.6.   "Privacy Shield" means the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield self-certification programs operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of 12 July 2016 and by the Swiss Federal Council on 11 January 2017 respectively (as amended, superseded or replaced from time to time).

1.7.   "Privacy Shield Principles" means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision of 12 July 2016 (as amended, superseded, or replaced from time to time).

1.8.   "Security Incident" means any confirmed breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data transmitted, stored or otherwise processed by Nutanix in connection with the provision of the Products. "Security Incident" shall not include unsuccessful attempts or activities that do not compromise the security of personal data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks and other network attacks on firewalls or networked systems.

1.9.   "Standard Contractual Clauses" or the "SCCs" means: (i) where the GDPR applies, the standard contractual clauses adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021 (the “EU SCCs”); (ii) where UK Privacy Laws apply, the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (the “UK SCCs”); and where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or recognised by the Swiss Federal Data Protection and Information Commissioner (the "Swiss SCCs").

1.10.  "Sub-processor" means any third party that has access to the Customer Data and which is engaged by Nutanix or its Affiliates to assist in fulfilling its obligations with respect to providing the Products pursuant to the Agreement or this DPA. Sub-processors may include third parties or Nutanix Affiliates but shall exclude any Nutanix employee, contractor, or consultant.

1.11.  The terms "personal data", "controller", "data subject", " supervisory authority", "processor" and "processing" shall have the meaning given to them in European Data Protection Law for all Non-US Customer Data and "process", "processes" and "processed" shall be interpreted accordingly. The terms "consumer", "business", "business purpose", "sale" (including the terms “sell,” “selling,” “sold,” and other variations thereof), "service provider" and "personal information" shall have the meaning given to them in the CCPA for all US Customer Data.

2.     Scope and Relationship of the Parties

2.1.   Scope. This DPA applies to the extent Nutanix processes any Customer Data protected by Applicable Privacy Law in the course of providing the Products pursuant to the Agreement as follows:

2.1.1.Nutanix as a Processor. Where Customer is a controller or business (as applicable) of the Customer Data covered by this DPA, Nutanix shall be a processor or service provider (as applicable) processing Customer Data on behalf of the Customer and this DPA shall apply accordingly;

2.1.2.Nutanix as a Sub-processor. Where Customer is a processor or service provider (as applicable) of the Customer Data covered by this DPA, Nutanix shall be a Sub-processor or service provider (as applicable) of the Customer Data and this DPA shall apply accordingly; and

2.1.3.Nutanix as a Controller. Where and to the extent Nutanix and/or each relevant Nutanix Affiliates process Customer Data as controller or business (as applicable), Nutanix will process such Customer Data in compliance with Applicable Privacy Law, the Nutanix Privacy Statement which can be found at https://www.nutanix.com/legal/privacy-statement, and Sections 3., 5.1., 5.2., 6., 7., and 9.1.3.) of this DPA, to the extent applicable, only.

2.2.   Nutanix Processing of Personal Data. As a processor, Nutanix shall process Customer Data only for the purposes described in this DPA and only in accordance with Customer's documented lawful instructions, except to the extent required by Applicable Privacy Law. The parties agree that this DPA and the Agreement set out the Customer's complete and final instructions to Nutanix in relation to the processing of Customer Data, and (if applicable) include and are consistent with all instructions from third party controllers, and processing outside the scope of these instructions (if any) shall require prior written agreement between Customer and Nutanix. Without prejudice to Section 2.3., Nutanix shall notify Customer in writing, unless prohibited from doing so under Applicable Privacy Law, if it becomes aware or believes that any data processing instruction from Customer violates Applicable Privacy Law. Where applicable, Customer shall be responsible for any communications, notifications, assistance and/or authorizations that Nutanix may be required to provide to or receive from a third party controller.

2.3.   Customer Responsibilities. Customer is responsible for the lawfulness of Customer Data processing under or in connection with the Agreement. Customer represents and warrants that (i) it has provided, and will continue to provide, all notice and obtained, and will continue to obtain, all consents, permissions and rights necessary under Applicable Privacy Law for Nutanix to lawfully process Customer Data for the purposes contemplated by the Agreement; (ii) it has complied with Applicable Privacy Law as a controller and/or business of Customer Data for the collection and provision to Nutanix and its Sub-processors of such Customer Data; and (iii) it shall ensure its processing instructions comply with applicable laws (including Applicable Privacy Law) and that the processing of Customer Data by Nutanix in accordance with Customer's instructions will not cause Nutanix to be in breach of Applicable Privacy Law.

2.4.   Aggregate Data. Notwithstanding the foregoing or anything to the contrary in the Agreement, Customer acknowledges that Nutanix and its Affiliates shall have a right to collect and create anonymized, aggregate and/or de-identified information (as defined by Applicable Privacy Law) for its own legitimate business purposes.

3.     Nutanix as a Controller

3.1.   Each party shall be individually and separately responsible for complying with the obligations that apply to it as a separate and independent controller under Applicable Privacy Law and neither party shall be responsible for the other party's compliance with Applicable Privacy Law.

4.     Sub-processing

4.1.   Authorized Sub-processors. Customer hereby provides a general authorization to Nutanix to engage Sub-processors to process Customer Data on Customer's behalf (with respect to its role as a processor or service provider, as applicable). The Sub-processors engaged by Nutanix depend on the Products purchased by Customer and are made available on Nutanix's website at https://www.nutanix.com/trust/subprocessors.

4.2.   Notice. Nutanix shall notify Customer of any new engagement of a Sub-processor at least ten (10) days before any such changes by sending an email to the email address designated by Customer to receive notifications.

5.     Security and Audits

5.1.   Security Measures. Nutanix shall implement and maintain appropriate technical and organizational security measures designed to protect Customer Data from Security Incidents and to preserve the security and confidentiality of Customer Data. Such measures will include, at minimum, those measures described in Schedule 3 of this DPA ("Security Measures"). Nutanix shall ensure that any person who is authorized by Nutanix to process Customer Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

5.2.   Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and development and that Nutanix may update and/or modify the Security Measures from time to time, provided that such updates and/or modifications do not result in the degradation of the overall security of the Products purchased by the Customer.

5.3.   Customer Security Responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Products, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Products and taking any appropriate steps to securely encrypt or backup any Customer Data processed in connection with the Products. Customer shall implement and maintain appropriate technical and organizational security measures designed to protect personal data from Security Incidents and to preserve the security and confidentiality of personal data while in its dominion and control.

5.4.   Security Incident Response. Upon becoming aware of a Security Incident, Nutanix shall notify Customer without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer. Nutanix's notification of or response to a Security Incident in accordance with this section will not be construed as an acknowledgment by Nutanix of any fault or liability with respect to the Security Incident.

5.5.   Security Audits. On written request from Customer, Nutanix shall provide written responses (which may include audit report summaries/extracts) to all reasonable requests for information made by Customer related to its processing of Customer Data necessary to confirm Nutanix's compliance with this DPA, provided that Customer shall not exercise this right more than once in any 12 month rolling period. Notwithstanding the foregoing, Customer may also exercise such audit right in the event Customer is expressly requested or required to provide this information to a data protection authority, or Nutanix has experienced a Security Incident, or on another reasonably similar basis. Nothing herein shall be construed to require Nutanix to provide: (i) trade secrets or any proprietary information; (ii) any information that would violate Nutanix’s confidentiality obligations, contractual obligations, or applicable law; or (iii) any information, the disclosure of which could threaten, compromise, or otherwise put at risk the security, confidentiality, or integrity of Nutanix’s infrastructure, networks, systems, or data.

6.     International Transfers

6.1.   Processing Locations. Customer acknowledges and agrees that Nutanix may transfer and process Customer Data to and in the United States and anywhere else in the world where Nutanix, its Affiliates or its Sub-processors maintain data processing operations. Nutanix shall at all times ensure such transfers are made in compliance with the requirements of Applicable Privacy Law and this DPA.

7.     Deletion of Customer Data

7.1.   Deletion. Upon termination or expiry of the Agreement, on Customer's request Nutanix shall delete all Customer Data processed by Nutanix as a processor (including copies) in its possession or control in accordance with the Agreement, save that this requirement shall not apply to the extent Nutanix is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which data Nutanix shall securely isolate and protect from any further processing and delete in accordance with its deletion practices, except to the extent required by applicable law. Customer Data processed by Nutanix as a controller will be deleted or retained in accordance with the Nutanix Privacy Statement.  

8.     Rights of Individuals and Cooperation

8.1.   Data Subject Requests. To the extent Customer is unable to independently access the relevant Customer Data within the Products, Nutanix shall, at Customer's expense and taking into account the nature of the processing, provide reasonable cooperation to assist Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Customer Data under the Agreement. In the event that any such request is made to Nutanix directly, Nutanix shall not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so. If Nutanix is required to respond to such a request, Nutanix shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.

9.     Jurisdiction Specific Terms

9.1.   Europe. To the extent Customer Data is subject to European Data Protection Law, the following terms shall apply in addition to the terms in the remainder of this DPA:

9.1.1.Sub-processor Obligations. Nutanix shall: (i) enter into a written agreement with each Sub-processor imposing data protection terms that require Sub-processor to protect Customer Data to the standard required by applicable European Data Protection Law and this DPA; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Nutanix to breach any of its obligations under this DPA. Nutanix shall use reasonable efforts to provide relevant extracts of the agreement with any  Sub-processor it appoints to Customer upon request.

9.1.2.Objections to Sub-processors. Customer may object in writing to Nutanix’s appointment of a new Sub-processor on reasonable grounds relating to data protection (e.g., if making Customer Data available to the Sub-processor may violate European Data Protection Law or weaken the protections for such Customer Data) by notifying Nutanix promptly in writing within five (5) calendar days of receipt of Nutanix’s notice in accordance with Section 4.1. above. Such notice shall explain the reasonable grounds for the objection and the parties shall discuss such concerns in good faith with a view to achieving commercially reasonable resolution. If no such resolution can be reached, Nutanix will, at its sole discretion, either not appoint the Sub-processor, or permit Customer to suspend or terminate the affected Product in accordance with the termination provisions in the Agreement without liability to either party (but without prejudice to any fees incurred by Customer before suspension or termination). If such objection right is not exercised by Customer in the terms described above, silence shall be deemed to constitute an approval of such engagement.

9.1.3.Data Transfers. Customer acknowledges that Nutanix and its Sub-processors may maintain data processing operations in countries that are outside of the country in which the Products are deployed, and therefore may transfer and process personal data to and in the United States and other locations in which Nutanix or its Sub-processors maintain data processing operations, as more particularly described in the Sub-processor List. The parties shall ensure that such transfers are made in compliance with Applicable Privacy Law and this DPA.

Where Customer transfers (directly or via onward transfer) Customer Data that originated from Europe to Nutanix located in a country that does not provide an adequate level of protection for Customer Data (as described in European Data Protection Law), the parties agree to be subject to the Standard Contractual Clauses, which shall be automatically incorporated by reference and form an integral part of this DPA, as follows:

A. Nutanix as a Controller. In relation to Customer Data that is protected by the EU GDPR and is processed in accordance with Section 2.1.3. of this DPA, the EU SCCs shall apply, completed as follows:

i. Module One will apply;

ii. in Clause 7, the optional docking clause will apply;

iii. in Clause 11, the optional language will not apply;

iv. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Dutch law;

v. in Clause 18(b), disputes shall be resolved before the courts of the Netherlands;

vi. Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 1 of this DPA; and

vii. Subject to Sections 5.1. and 5.2. of this DPA, Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 3 to this DPA.

B. Nutanix as a Processor. In relation to Customer Data that is protected by the EU GDPR and is processed in accordance with Sections 2.1.1.) and 2.1.2.) of this DPA, the EU SCCs shall apply, completed as follows:

i. Module Two (Section 2.1.1.) or Three (Section 2.1.2.) will apply;

ii. in Clause 7, the optional docking clause will apply;

iii. in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes is identified in Section 4. above;

iv. in Clause 11, the optional language will not apply;

v. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Dutch law;

vi.  in Clause 18(b), disputes shall be resolved before the courts of the Netherlands;

vii. Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 2 of this DPA; and

viii. Subject to Sections 5.1. and 5.2. of this DPA, Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 3 to this DPA;

C.     Transfers relating to the UK and Switzerland. Subject to paragraph D. below, in relation to Customer Data that is protected by the UK GDPR or Swiss DPA, the EU SCCs as implemented under sub-paragraphs (i) and (ii) above will apply with the following modifications :

i. references to "Regulation (EU) 2016/679" shall be interpreted as references to UK Privacy Laws or the Swiss DPA (as applicable);

ii. references to specific Articles of "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of UK Privacy Laws or the Swiss DPA (as applicable);

iii. references to "EU", "Union", "Member State" and "Member State law" shall be replaced with references to the "UK" or "Switzerland", or "UK law" or "Swiss law" (as applicable);

iv. the term "member state" shall not be interpreted in such a way as to exclude data subjects in the UK or Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., the UK or Switzerland);

v. Clause 13(a) and Part C of Annex I are not used and the "competent supervisory authority" is the United Kingdom Information Commissioner or Swiss Federal Data Protection and Information Commissioner (as applicable);

vi. references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Information Commissioner" and the "courts of England and Wales" or the "Swiss Federal Data Protection and Information Commissioner" and "applicable courts of Switzerland" (as applicable);

vii. in Clause 17, the Standard Contractual Clauses shall be governed by the laws of England and Wales or Switzerland (as applicable); and

viii. with respect to transfers to which UK Privacy Laws apply, Clause 18 shall be amended to state "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceeding against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts", and with respect to transfers to which the Swiss DPA applies, Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.

ix. with respect to transfer to which the Swiss DPA applies, the SCCs also protect the data of legal entities until the entry into force of the revised Swiss Federal Data Protection Act.  

D. UK Standard Contractual Clauses. Only to the extent that and for so long as the EU SCCs as implemented in accordance with paragraphs A. - C. above cannot be used to lawfully transfer Customer Data protected by the UK GDPR to Nutanix, the UK SCCs shall be incorporated into and form an integral part of this DPA and shall apply to transfers governed by the UK GDPR. For the purposes of the UK SCCs, the relevant Annexes of the UK SCCs shall be populated using the information contained in Schedules 1, 2 and 3 (as applicable) of this DPA.

E. Conflicts. It is not the intention of either party to contradict or restrict any of the provisions set forth in the SCCs and, accordingly, if and to the extent the SCCs conflict with any provision of the Agreement (including this DPA), the SCCs shall prevail to the extent of such conflict.

9.1.4.Privacy Shield. Although Nutanix does not rely on the Privacy Shield as a legal basis for transfers of Customer Data in light of the judgment of the Court of Justice of the EU in Case C-311/18, for so long as Nutanix is self-certified to the Privacy Shield it shall continue to process Customer Data in compliance with the Privacy Shield Principles and agrees to notify Customer if it makes a determination that it can no longer meet its obligation to provide the level of protection as is required by the Privacy Shield Principles.

9.1.5.Alternative Transfer Arrangement. If, and to the extent Nutanix adopts an alternative data export solution (including adopting Binding Corporate Rules or any new version of or successor to the SCCs or Privacy Shield adopted pursuant to applicable European Data Protection Law) for the transfer of Customer Data as prescribed by applicable European Data Protection Laws ("Alternative Transfer Mechanism"), the Alternative Transfer Mechanism shall apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with applicable European Data Protection Law and extends to the territories to which Customer Data is transferred) and Customer agrees to execute such other and further documents and take such other and further actions as may be reasonably necessary to give legal effect such Alternative Transfer Mechanism. In addition, if and to the extent that a court of competent jurisdiction or a supervisory authority with binding authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer Customer Data to a country that does not ensure an adequate level of protection (within the meaning of applicable European Data Protection Law), the parties shall reasonably cooperate to agree and take any actions that may be reasonably required to implement any additional measures or safeguards not described in this DPA or alternative transfer mechanisms ("Alternative Transfer Arrangements") to enable the lawful transfer of such Customer Data.

9.1.6.Data Protection Impact Assessment. To the extent Nutanix is required under applicable European Data Protection Law, Nutanix shall provide reasonably requested information regarding Nutanix processing of Customer Data under the Agreement to enable the Customer to carry out data protection impact assessments or prior consultations with supervisory authorities as required by law.

9.2.   California. To the extent the Customer Data is subject to the CCPA, the parties agree that Customer is a business and that it appoints Nutanix as its service provider to process Customer Data as permitted under the Agreement and the CCPA, or for purposes otherwise agreed in writing ("Permitted Purposes"). Customer and Nutanix agree that: (i) Nutanix shall not retain, use or disclose personal information for any purpose other than the Permitted Purposes; (ii) Customer Data was not sold to Nutanix and Nutanix shall not sell personal information; (iii) Nutanix shall not retain, use or disclose personal information outside of the direct business relationship between Customer and Nutanix; and (iv) Nutanix may de-identify or aggregate personal information in the course of providing the Products. Nutanix certifies that it understands the restrictions set out in this Section 9.2. and will comply with them.

10.  Miscellaneous

10.1.   Disclosures. Customer acknowledges that Nutanix may disclose this DPA (including the Standard Contractual Clauses) and any relevant privacy provisions in the Agreement to the U.S. Department of Commerce, the Federal Trade Commission, a European data protection authority or any other U.S. or European judicial or regulatory body upon their request.

10.2.  Necessary Modifications. Notwithstanding anything to the contrary in the Agreement, Nutanix may modify the terms of this DPA where necessary to (i) comply with a request or order by a supervisory authority or other government or regulatory entity; (ii) comply with Applicable Privacy Law; or (iii) implement or adhere to standard contractual clauses, approved codes of conduct or certifications, binding corporate rules, or other compliance mechanisms, which may be permitted under Applicable Privacy Law. Supplemental terms may be added as an Annex to this DPA where such terms only apply to the processing of Customer Data under the Applicable Privacy Law of specific countries or jurisdictions. Nutanix shall provide notice of such changes to Customer, and the modified DPA shall become effective in accordance with the terms of the Agreement or, if not specified in the Agreement, as otherwise provided on Nutanix's website.

10.3.  Conflicts. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.

10.4.  Claims. Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement. In particular, any claim or remedy Customer or its Affiliates may have against Nutanix, its Affiliates, employees, contractors, agents and Sub-processors, arising under or in connection with this DPA, whether in contract, tort (including negligence) or under any other theory of liability, shall to the maximum extent permitted by law be subject to the limitations and exclusions of liability in the Agreement. Accordingly, any reference in the Agreement to the liability of a party means the aggregate liability of that party and all of its Affiliates under and in connection with the Agreement and this DPA together. Notwithstanding the foregoing, in no event shall any party limit its liability with respect to any data subject rights under the SCCs.

10.5.  Severability. If any provision or part-provision of this DPA is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of the DPA.

10.6.  Governing Law. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by European Data Protection Law or the SCCs. 

SCHEDULE 1 (C2C TRANSFERS)

Description of Processing Activities / Transfer

Annex 1(A) List of Parties:

Annex 1(B) Description of transfer:

Annex 1(C) Competent supervisory authority:

The competent supervisory authority, in accordance with Clause 13 of the New EU SCCs, must be (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter's EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located. With respect to the processing of personal data to which the UK GDPR applies, the competent supervisory authority is the Information Commissioners Office (the "ICO"). With respect to the processing of personal data to which the Swiss DPA applies, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

SCHEDULE 2 (C2P AND P2P TRANSFERS)

Description of the Processing Activities / Transfer

Annex 1(A) List of Parties:

Annex 1(B) Description of Transfer

Annex 1(C): Competent supervisory authority

The competent supervisory authority, in accordance with Clause 13 of the New EU SCCs, must be (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter's EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located. With respect to the processing of personal data to which the UK GDPR applies, the competent supervisory authority is the Information Commissioners Office (the "ICO"). With respect to the processing of personal data to which the Swiss DPA applies, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

SCHEDULE 3

Technical and Organizational Measures

The following technical measures are in place across the Cloud Services to protect the personal data processed by Nutanix.

1.     Encryption of personal data

• Encryption in Transit. Customer Data is encrypted while in transit over any public network or wireless network via Transport Layer Security (TLS) using TLS 1.2 or greater, Internet Protocol Security (IPSEC), or Secure File Transfer Protocol (SFTP).
• Encryption at Rest. Customer Data at rest is stored leveraging AES-256 Encryption.
• Employee Laptop Encryption. Employee laptops are encrypted using full disk AES-256 encryption.

2.     Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

• Confidentiality Obligations. Nutanix personnel are required to agree to confidentiality obligations before undertaking work for Nutanix or accessing any Nutanix facilities and/or systems.
• Data handling and trainings. Nutanix requires security and privacy awareness training for all Nutanix employees as well as acknowledgement and agreement to acceptable use and security policies for Nutanix systems and data by all Nutanix personnel.
• Password Policy. Password management systems enforce password policy requirements across applications, such as password complexity, rotation frequency, and account lockout after multiple failed login attempts.
• Operational Security & Vulnerability Response. Nutanix monitors a variety of communication channels for operational and capacity management, security vulnerabilities, and Nutanix’s operations and security team will react promptly to known operational issues and/or security vulnerabilities.
• Network Controls. Nutanix utilizes firewalls for access control between Nutanix’s networks and the Internet. Firewall access is restricted to a small set of administrators with appropriate seniority and authority. Firewalls are established with minimum rights necessary to accomplish tasks by role and access is authorized on a “deny by default” policy.
• Network Separation. Nutanix maintains network separation based on company policy and system requirements.
• Server Operating System. Nutanix uses a hardened operating system implementation customized for the Nutanix Cloud Services.
• Backups. The Cloud Services are incrementally backed up and virtually replicated.

3.     Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

• Business Continuity Plan. Nutanix maintains internal practices, plans or procedures that are designed to reasonably ensure the Cloud Services are uninterrupted during the term of the Agreement ("Business Continuity Plan"). Nutanix will follow the Business Continuity Plan in order to maintain the applicable service levels set forth in the Documentation.
• Backups. See Section 2. of this Schedule.

4.     Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

• Certifications. Nutanix has obtained ISO 27001 certification for its Cloud Services and will maintain such certification or similar certification by a certifying third party auditor.
• Software Development Lifecycle. The Cloud Services are developed using a standardized and reviewed Secure Software Development Lifecycle (SDL) to reduce the risk of introducing security vulnerabilities into the production Cloud Services.
• Vulnerability Disclosure Program. Nutanix has a vulnerability disclosure program for its customers and a bug bounty program.
• Penetration Testing & Vulnerability Scans. External penetration tests are performed by an independent third party on an annual basis and incorporated as a requirement to the Nutanix product compliance programs. Vulnerabilities identified are routinely documented, tracked, and resolved by the respective service team with oversight by the Nutanix product security organization.

5.     Measures for user identification and authorisation

• User Roles. Customer has primary control over the creation, deletion, and suspension of user roles within the Customer’s environment of the Cloud Services.
• Access Management. Access management procedures define the request, approval, access provisioning and de-provisioning processes. Nutanix logical access procedures restrict user access (local or remote) based on user job function for applications and databases (role/profile based appropriate access), and systems to ensure segregation of duties and are reviewed, administered, and documented based on onboarding, resource re-assignment, or termination of personnel. Periodic Nutanix user access reviews are routinely performed to ensure access is appropriate.
• Firewalls. Firewalls are used and configured to prevent unauthorized access to the production environment.

6.     Measures for the protection of Data during transmission

• Encryption in Transit. See Section 1. of this Schedule.

7.     Measures for the protection of Data during storage

• Encryption at Rest. See Section 1. of this Schedule.
• Access Control and Privilege Management. Nutanix employs systems and processes to limit physical and logical access based on least privileges and according to job responsibilities designed to ensure that Customer Data can only be accessed by authorized Nutanix personnel. Nutanix maintains an access control policy and that is regularly reviewed based on business and information security requirements.
• Multi-Factor Authentication. Multifactor authentication is enabled for Nutanix user access to the production environment.

8.     Measures for ensuring physical security of locations at which personal data are processed

• Hosting Infrastructure and Data Center Security. Nutanix currently uses; (i) its own secure colocation data center environment; (ii) infrastructure provided by Amazon Web Services, Microsoft Azure, and Google Cloud Platform, for the infrastructure of its Cloud Services. Each year, Nutanix will review and audit the applicable third party security and compliance of these infrastructure and data center providers for environmental and physical security controls.

9.     Measures for ensuring events logging

• Events Logging. Nutanix produces and regularly reviews event logs recording user activity, exceptions, faults, and information security events.

10.  Measures for ensuring system configuration, including default configuration

• System Configuration and Code Review Process. Nutanix’s change management includes a system configuration and code review process within an established review board and in accordance with a defined policy for justification and escalation for approval.

11.  Measures for internal IT and IT security governance and management

• Certifications. See Section 4. of this Schedule.
• Information Risk Governance. Nutanix has a formal Governance, Risk, and Compliance organization and reviews, maintains, and ensures adherence to formal IT security and data handling policies for internal IT systems and Nutanix personnel.
• Information Security Roles & Responsibilities. All information security responsibilities are defined and allocated. Conflicting duties and areas of responsibilities have been segregated to reduce opportunities for unauthorized or unintentional modification or misuse of Nutanix's assets.

12.  Measures for certification/assurance of processes and products

• Third Party Audits. See Section 4. of this Schedule.

13.  Measures for ensuring data minimization

• Product Privacy Assessments. Product privacy assessments are performed when introducing any new product that involves processing of personal data.
• Software Development Lifecycle. Privacy checks are performed during the SDL process when new product features are developed.
• Access Restrictions. Restrict access to personal data to the parties involved in the processing in accordance with the “need to know” principle and according to the function behind the creation of differentiated access profiles.

14.  Measures for ensuring Data quality

• Exercise of Rights. See Section 8.1. of the DPA (processor role) and the Nutanix Privacy Statement (controller role).
• Secure Development Environment. Development environments are protected from malicious or accidental development and update of code that may compromise confidentiality, integrity, and availability of the platform.

15.  Measures for ensuring limited data retention

• Data Retention. See Annex 1(B) in Schedules 1 and 2 of the DPA.

16.  Measures for ensuring accountability

• Product Privacy Assessments. See Section 14. of this Schedule.
• Software Development Lifecycle. See Section 14. of this Schedule.

17.  Measures for allowing Data portability and ensuring erasure

• Exercise of Rights. See Section 8.1. of the DPA.
• Return of Customer Content. See Section 13.5. of the Agreement.

_______________

[¹] Such restrictions or safeguards must fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff have followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

[²] Such restrictions or safeguards must fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff have followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.