Nutanix Customer Data Processing Addendum

Last Updated: October 6, 2023 | Previous Versions

This Data Processing Addendum, including its schedules and the Standard Contractual Clauses (collectively, the “DPA”) is incorporated into and is subject to, the terms and conditions of the Nutanix License and Services Agreement or other written or electronic service or subscription agreement or order (“Agreement”) between the Nutanix contracting entity identified in the Agreement Nutanix and You (“Customer”) pursuant to which Nutanix provides certain Products to Customer. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.

By entering into the Agreement, Customer enters into this DPA and the Standard Contractual Clauses (as applicable and as defined below) on behalf of itself and, to the extent required under Applicable Privacy Law, in the name and on behalf of its Affiliates (if any) permitted to use the Products. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and its Affiliates.

The parties agree as follows:

1.   Definitions

1.1. “Account and Usage Data” means Personal Data that relates to Customer’s relationship with Nutanix, including: (i) business contact information of Customer’s representative for support, account billing and payment, renewals, and entitlements; (ii) information related to account creation for Customer’s authorized end users; (iii) information relating to identity verification, security and fraud prevention for the Services; and (iv) Usage Data (as defined in the Agreement).

1.2. “Applicable Privacy Law” means all data protection and privacy laws and regulations applicable to the respective party in its role in the Processing of Personal Data under the Agreement, including, where applicable, European Data Protection Law and the California Consumer Privacy Act of 2018 and its regulations ("CCPA”), as may be amended, superseded or replaced from time to time.

1.3. "Customer Personal Data" means any Personal Data contained in content that Customer uploads or submits using the Services, or which is otherwise Processed by Nutanix on behalf of Customer as a result of Customer’s utilization of the Services, as more particularly described in Schedule 2 of this DPA.

1.4. Data Privacy Framework” or "DPF" means (as applicable) the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework self-certification programs operated by the U.S. Department of Commerce, and any respective successors.

1.5. DPF Principles” means the Principles and Supplemental Principles contained in the relevant DPF (as amended, superseded or replaced from time to time).

1.6. Europe” means, for the purposes of this DPA, the member states of the European Economic Area (“EEA”), Switzerland, and the United Kingdom (“UK”).

1.7. European Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“EU GDPR”); (ii) the EU GDPR as saved into UK law by virtue of section 3 of the UK’s European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively referred to for these purposes as the “UK Data Protection Law”); (iii) the Swiss Federal Data Protection Act of 25 September 2020 and its corresponding ordinances (“Swiss DPA”); (iv) the e-Privacy Directive (Directive 2002/58/EC); (v) any applicable national data protection laws made under or pursuant to or that apply in conjunction with (i), (ii), (iii) or (iv) (in each case, as superseded, amended or replaced from time to time).

1.8. Personal Data” means any information relating to an identified or identifiable natural person and includes “personal information” or similarly defined terms in Applicable Privacy Laws. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1.9. Process” and “Processing” means any operation or set of operations performed, whether by manual or automated means, on Personal Data, such as collection, recording, organisation, structuring, storage, analysis, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, modification, erasure or destruction.

1.10. “Restricted Transfer” means a transfer (directly or via onward transfer) of Personal Data that is subject to European Data Protection Law, Brazil’s General Personal Data Protection Law 13709/2018, or other Applicable Privacy Law in jurisdictions that impose similar safeguards for transfers of Personal Data to a country outside of the exporting jurisdiction, which is not covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts (e.g., European Commission, United Kingdom, Swiss, or Brazilian authorities, as applicable) as providing an adequate level of protection for Personal Data.

1.11. Security Breach ” means any confirmed breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data transmitted, stored or otherwise Processed by Nutanix in connection with the provision of the Services. “Security Breach” shall not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks and other network attacks on firewalls or networked systems.

1.12. Services” means Nutanix’s Cloud Services, Support Services, and Professional Services.

1.13. Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021.

1.14. Sub-processor” means: (a) Nutanix, when Nutanix Processes Customer Personal Data and where Customer is a processor of such Customer Personal Data; or (b) any third party or Affiliate engaged by Nutanix to Process Customer Personal Data in connection with providing the Services pursuant to the Agreement or this DPA.

1.15. UK Addendum” means the “UK Addendum to the EU Standard Contractual Clauses” issued by the Information Commissioner’s Office under s.119A(1) of the UK Data Protection Act 2018, as may be amended, superseded, or replaced from time to time.

1.16. The terms “controller,” “data subject,” “supervisory authority,” “processor,” “consumer,” “business,” “business purpose,” “sale” (including the terms “sell,” “selling,” “sold,” and other variations thereof), and “service provider” shall have the meaning given to them under Applicable Privacy Law.

2. Scope and Relationship of the Parties

2.1  Scope. This DPA applies where and only to the extent Nutanix Processes any Personal Data protected by Applicable Privacy Law in the course of providing the Services pursuant to the Agreement as follows:

2.1.1.  Nutanix as a Processor. Where Customer is a controller or business (as applicable) of the Customer Personal Data covered by this DPA, Nutanix shall be a processor or service provider (as applicable) Processing Customer Personal Data on behalf of the Customer and this DPA shall apply accordingly;

2.1.2.  Nutanix as a Sub-processor. Where Customer is a processor or service provider (as applicable) of the Customer Personal Data covered by this DPA, Nutanix shall be a Sub-processor or service provider (as applicable) of the Customer Personal Data and this DPA shall apply accordingly; and

2.1.3. Nutanix as a Controller. The parties acknowledge that, with regard to the Processing of Personal Data, including Account and Usage Data, both parties are independent controllers, not joint controllers. Where and to the extent Nutanix and/or each relevant Nutanix Affiliate Processes Personal Data, including Account and Usage Data, as a controller or business (as applicable), Nutanix will Process Personal Data to: (a) manage its business relationship with Customer and Nutanix’s internal operations, including for accounting, billing, and licensing; (b) detect, prevent, and investigate security incidents, fraud, abuse, or misuse of the Services; (c) provide user account management and identity verification; (d) develop, provide and improve the Services and security measures; (e) sell and market Our Services; (f) comply with legal obligations; and (g) as otherwise permitted under Applicable Privacy Law and in compliance with the Agreement the Nutanix Privacy Statement which can be found at https://www.nutanix.com/legal/privacy-statement, and Sections 3., 6., 8.1, and 9. of this DPA apply, to the extent applicable, only.  

2.2.   Nutanix Processing of Personal Data. As a processor or service provider, Nutanix shall Process Customer Personal Data only to fulfil its obligations under the Agreement (including to provide and improve the Services; detect and prevent data security incidents or protect against fraudulent or illegal activity; and comply with law, legal inquiry, or law enforcement or exercise and defend legal claims), for the purposes described in this DPA including Schedule 2, and consistent with Customer’s documented lawful instructions, except to the extent required by Applicable Privacy Law. To the extent prohibited by Applicable Privacy Law, Nutanix shall not (i) Process Customer Personal Data for its own purposes or those of any third party (including for its own commercial purposes); (ii) sell Customer Personal Data (within the meaning of Applicable Privacy Law or otherwise) or transfer, provide or make available Customer Personal Data to any third party for the purposes of targeted or cross-context behavioural advertising; (iii) retain, use or disclose Customer Personal Data outside of the direct business relationship between the parties, except as necessary to provide the Services or as required by applicable law; (iv) combine any Customer Personal Data with other information that Nutanix may receive from or on behalf of any third party, unless directed to do so by Customer and except as necessary to provide the Services or comply with applicable law; or (v) perform its obligations under the Agreement or this DPA in such a way as to cause Customer to breach any of its obligations under Applicable Privacy Law. The parties agree that this DPA and the Agreement set out the Customer’s complete and final instructions to Nutanix in relation to the Processing of Customer Personal Data, and (if applicable) include and are consistent with all instructions from third party controllers, and Processing outside the scope of these instructions (if any) shall require prior written agreement between Customer and Nutanix. Without prejudice to Section 2.3., Nutanix shall notify Customer in writing, unless prohibited from doing so under Applicable Privacy Law, if it becomes aware or believes that any Processing instruction from Customer violates Applicable Privacy Law. Where applicable, Customer shall be responsible for any communications, notifications, assistance and/or authorizations that Nutanix may be required to provide to or receive from a third-party controller pertaining to Customer Personal Data.

2.3.   Customer Responsibilities. Customer is responsible for the lawfulness of Customer Personal Data Processing under or in connection with the Agreement. Customer represents and warrants that (i) it has provided, and will continue to provide, all notice and obtained, and will continue to obtain, all consents, permissions and rights necessary under Applicable Privacy Law for Nutanix to lawfully Process Customer Personal Data for the purposes contemplated by the Agreement; (ii) it has complied with Applicable Privacy Law in the collection and provision of Customer Personal Data to Nutanix and its Sub-processors; and (iii) it shall ensure its Processing instructions comply with applicable laws (including Applicable Privacy Law) and that the Processing of Customer Personal Data by Nutanix in accordance with Customer’s instructions will not cause Nutanix to be in breach of Applicable Privacy Law.

2.4.   Aggregate Data. Notwithstanding the foregoing or anything to the contrary in the Agreement, Customer acknowledges that Nutanix and its Affiliates shall have a right to collect and create anonymized, aggregate and/or de-identified information (as defined by Applicable Privacy Law) for its own legitimate business purposes.

3.  Independent Controllers

Each party shall be individually and separately responsible for complying with the obligations that apply to it as a separate and independent controller under Applicable Privacy Law and neither party shall be responsible for the other party’s compliance with Applicable Privacy Law.

4.  Sub-processing

4.1. Authorized Sub-processors. Customer hereby provides a general authorization to Nutanix to engage Sub-processors to Process Customer Personal Data on Customer’s behalf. The Sub-processors engaged by Nutanix depend on the Services purchased by Customer and are made available on Nutanix’s website at https://www.nutanix.com/trust/subprocessors (“Sub-processor List”).

4.2. Notice. Nutanix shall, to the extent required under Applicable Privacy Law, notify Customer of any new engagement of a Sub-processor at least ten (10) days before any such changes by sending an email to the email address designated by Customer to receive notifications. Customer may object in writing to the appointment of any new Sub-processor on reasonable data protection grounds by promptly notifying Nutanix in writing upon Customer’s receipt of such notice. The parties shall discuss the concerns in good faith to achieve a commercially reasonable resolution. If no such resolution can be reached within ninety (90) days after Nutanix’s receipt of notice, and Nutanix elects to use the Sub-processor in question, then Customer may, as Customer’s sole and exclusive remedy, discontinue the affected Service(s) by providing written notice to Nutanix. The discontinuation of the Service(s) is without prejudice to any fees or other liability incurred by Customer before the effective termination date. If Customer does not object, Nutanix will deem Customer to have authorized the new Sub-processor.

4.3. Sub-processor Obligations. Nutanix shall, to the extent required under Applicable Privacy Law: (i) enter into a written agreement with each Sub-processor imposing appropriate technical and organizational measures to protect Customer Personal Data, including data protection terms which are no less protective of Customer Personal Data than the measures specified in this DPA and the requirements under Applicable Privacy Laws;(ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Nutanix to breach any of its obligations under this DPA; and (iii) upon Customer’s reasonable request, Nutanix shall provide reasonable assurance of the data protection measures in place with any Sub-processor used for the Services provided to Customer.

5.   Security and Audits

5.1. Security Measures. Nutanix shall implement and maintain appropriate technical and organizational security measures designed to protect Customer Personal Data from a Security Breach and to preserve the security and confidentiality of Customer Personal Data. Such measures will include, at minimum, those measures described in Schedule 3 of this DPA (“Security Measures”). Nutanix shall ensure that any person who is authorized by Nutanix to Process Customer Personal Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

5.2. Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and development and that Nutanix may update and/or modify the Security Measures from time to time, provided that such updates and/or modifications do not result in the degradation of the overall security of the Services purchased by the Customer.

5.3. Customer Security Responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Personal Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Customer Personal Data Processed in connection with the Services. Customer acknowledges that there are certain features and configuration settings within the Services which may impact the security of the Customer Personal Data Processed by Customer’s use of the Services. Customer is responsible for reviewing the data security and product Documentation that Nutanix makes available to: (a) determine whether the Services meet Customer’s requirements, including its obligations under Applicable Privacy Law; and (b) properly configure or implement and maintain appropriate technical and organizational security measures, including through the use of such features and configuration settings made available by Nutanix, designed to protect Customer Personal Data from a Security Breach and to preserve the security and confidentiality of Customer Personal Data while in Customer’s dominion and control.

5.4. Security Breach Response. Upon becoming aware of a Security Breach, Nutanix shall, in accordance with Applicable Privacy Law, notify Customer without undue delay and shall provide timely information relating to the Security Breach as it becomes known or as is reasonably requested by Customer to allow Customer to meet its notification obligations in accordance with Applicable Privacy Law. Nutanix will promptly investigate the cause of the Security Breach, and to the extent such cause was due to Nutanix’s violation of this DPA, take reasonably necessary action to mitigate the impact of and remediate the Security Breach. Nutanix’s notification of or response to a Security Breach in accordance with this section will not be construed as an acknowledgment by Nutanix of any fault or liability with respect to the Security Breach.

5.5. Security Audits. Nutanix utilizes external auditors to verify the adequacy of its Security Measures with respect to its Processing of Customer Personal Data in connection with the Services. To the extent required under Applicable Privacy Law and on written request from Customer, Nutanix shall provide written responses (which may include audit report summaries/extracts) to all reasonable requests for information made by Customer related to its Processing of Customer Personal Data necessary to confirm Nutanix’s compliance with this DPA, provided that Customer shall not exercise this right more than once in any twelve (12)-month rolling period. Notwithstanding the foregoing, Customer may also exercise such audit right in the event Customer is expressly requested or required to provide this information to a data protection authority, or Nutanix has experienced a Security Breach. Nothing herein shall be construed to require Nutanix to provide: (i) trade secrets or any proprietary information; (ii) any information that would violate Nutanix’s confidentiality obligations, contractual obligations, or applicable law; or (iii) any information, the disclosure of which could threaten, compromise, or otherwise put at risk the security, confidentiality, or integrity of Nutanix’s infrastructure, networks, systems, or data.

6. Deletion of Personal Data

6.1. Deletion. Upon termination or expiration of the Agreement, on Customer’s request Nutanix shall delete all Customer Personal Data processed by Nutanix as a processor (including copies) in its possession or control in accordance with the Agreement, except to the extent Nutanix is required by applicable law to retain some or all of the Customer Personal Data, or has archived on back-up systems, which data Nutanix shall securely isolate and protect from any further Processing and delete in accordance with its deletion practices. Personal Data processed by Nutanix as a controller will be deleted or retained in accordance with the Nutanix Privacy Statement.

7. Rights of Individuals and Cooperation

7.1. Data Subject Requests. To the extent Customer is unable to independently access the relevant Customer Personal Data within the Services, Nutanix shall, at Customer's expense and taking into account the nature of the Processing by Nutanix, provide reasonable cooperation to assist Customer to respond to any requests from individuals based on Applicable Privacy Law or applicable data protection authorities relating to the Processing of Customer Personal Data under the Agreement. In the event that any such request is made to Nutanix directly, Nutanix shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so and except to acknowledge receipt of the request or to determine that such request relates to Customer. If Nutanix is required to respond to such a request, Nutanix shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.

7.2. Data Protection Impact Assessment. Taking into account the nature of Processing of Customer Personal Data and the information available to Nutanix, Nutanix shall provide reasonably requested information regarding Nutanix’s Processing of Customer Personal Data under the Agreement to enable the Customer to carry out data protection impact assessments or prior consultations with supervisory authorities as required by Applicable Privacy Law.

8. International Data Transfers

8.1. Nutanix as Data Exporter. Customer acknowledges that Nutanix and its Sub-processors may maintain data processing operations in countries that are outside of the country in which the Services are deployed, and therefore Nutanix may transfer and Process Personal Data to and in the United States and other locations in which Nutanix or its Sub-processors maintain data processing operations, as more particularly described in the Sub-processor List. The parties shall ensure that such transfers are made in compliance with Applicable Privacy Law and this DPA. If Nutanix engages in a Restricted Transfer, such measures may include (without limitation) transferring the Personal Data to a recipient that: (i) is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, Including the DPF; (ii) has achieved binding corporate rules authorization; or (iii) has executed SCCs; in each case as adopted or approved in accordance with Applicable Privacy Law. Nutanix must provide at least the same level of protection as required under this DPA.

8.2. Nutanix as Data Importer.

8.2.1. Data Privacy Framework. Nutanix shall rely on the DPF to lawfully receive Personal Data in the United States, and Nutanix shall ensure that it provides at least the same level of protection to such Personal Data as is required by the DPF Principles.

8.2.2. Restricted Transfers. The parties agree that when the transfer of Personal Data from Customer to Nutanix is a Restricted Transfer or the DPF is invalidated or cannot be relied upon for any other reason, the SCCs shall automatically be incorporated into this DPA and apply to the Restricted Transfers as follows

8.2.3. Restricted Transfers originating from the EEA. In relation to Restricted Transfers of Personal Data that is protected by the EU GDPR, the SCCs will apply completed as follows:

8.2.3.1. Nutanix as a Controller. In relation to Personal Data Processed in accordance with Section 2.1.3. of this DPA:

i.  Module One will apply;

ii. in Clause 7, the optional docking clause will apply;

iii.  in Clause 11, the optional language will not apply;

iv.  in Clause 17, Option 1 will apply, and the SCCs will be governed by Dutch law;

v. in Clause 18(b), disputes shall be resolved before the courts of the Netherlands;

vi.  Annex I of the SCCs shall be deemed completed with the information set out in Schedule 1 of this DPA; and

vii.  Subject to Sections 5.1. and 5.2. of this DPA, Annex II of the SCCs shall be deemed completed with the information set out in Schedule 3 to this DPA.

8.2.3.2. Nutanix as a Processor. In relation to Restricted Transfers of Customer Personal Data Processed in accordance with Sections 2.1.1. and 2.1.2. of this DPA:

i.  Module Two (Section 2.1.1.) or Three (Section 2.1.2.) will apply;

ii. in Clause 7, the optional docking clause will apply;

iii.  in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes is identified in Section 4. above;

iv.  in Clause 11, the optional language will not apply;

v. in Clause 17, Option 1 will apply, and the SCCs will be governed by Dutch law;

vi.  in Clause 18(b), disputes shall be resolved before the courts of the Netherlands;

vii.  Annex I of the SCCs shall be deemed completed with the information set out in Schedule 2 of this DPA; and

viii. subject to Sections 5.1. and 5.2. of this DPA, Annex II of the SCCs shall be deemed completed with the information set out in Schedule 3 to this DPA;

8.2.4. Restricted Transfers originating from the UK. In relation to Restricted Transfers subject to UK Data Protection Law:

i.  the SCCs as completed above shall be deemed amended as specified by the UK Addendum, which shall be deemed executed by the parties and incorporated into and form an integral part of this DPA;

ii. Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed respectively with the information set out in Schedules 1, 2 and 3 of this DPA (as applicable); and

iii.  Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party.”

8.2.5. Restricted Transfers originating from Switzerland, Brazil, and Other Jurisdictions with Similar Requirements. In relation to Personal Data that is protected by the Swiss DPA, Brazil’s General Personal Data Protection Law 13709/2018, or other Applicable Privacy Law in jurisdictions that impose similar safeguards for transfers of Personal Data and which constitute Restricted Transfers, the parties shall take all such measures as are necessary to ensure the Restricted Transfer is in compliance with Applicable Privacy Law and the DPA. The parties agree that the SCCs as completed above will apply for Restricted Transfers where accepted by the applicable data protection authority, with the following modifications, as applicable:

i.  references to “Regulation (EU) 2016/679” shall be interpreted as references to Applicable Privacy Law;

ii. references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of Applicable Privacy Law;

iii.  references to “EU,” “Union,” “Member State” and “Member State law” shall be replaced with references to applicable country of the data exporter;

iv.  the term “Member State” shall not be interpreted in such a way as to exclude data subjects from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland, Brazil, or other applicable country);

v. Clause 13(a) and Part C of Annex I are not used;

vi.  references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the applicable data protection authority and courts governing the country where the data exporter is established;

vii. in Clause 17, the SCCs shall be governed by the laws of the applicable country of the data exporter; and

viii.  Clause 18(b) shall state that disputes shall be resolved before the applicable courts of the applicable country of the data exporter.

8.2.6. Conflicts. It is not the intention of either party to contradict or restrict any of the provisions set forth in the SCCs and, accordingly, if and to the extent the SCCs conflict with any provision of the Agreement (including this DPA), the SCCs shall prevail to the extent of such conflict.

8.3. Alternative Transfer Arrangement. If, and to the extent Nutanix adopts an alternative data export solution (including adopting Binding Corporate Rules or any new version of or successor to the SCCs or Data Privacy Framework adopted pursuant to Applicable Privacy Law) for the transfer of Personal Data as prescribed by Applicable Privacy Law, including European Data Protection Laws (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with Applicable Privacy Law and extends to the territories to which Personal Data is transferred), and Customer agrees to execute such other and further documents and take such other and further actions as may be reasonably necessary to give legal effect such Alternative Transfer Mechanism. In addition, if and to the extent that a court of competent jurisdiction or a supervisory authority with binding authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer Personal Data to a country that does not ensure an adequate level of protection (within the meaning of Applicable Privacy Law), the parties shall reasonably cooperate to agree and take any actions that may be reasonably required to implement any additional measures or safeguards not described in this DPA or alternative transfer mechanisms (“Alternative Transfer Arrangements”) to enable the lawful transfer of Personal Data.

9. Miscellaneous

9.1. Disclosures. Customer acknowledges that Nutanix may disclose this DPA (including the SCCs) and any relevant privacy provisions in the Agreement to the U.S. Department of Commerce, the Federal Trade Commission, a data protection authority or any other judicial or regulatory body upon their request.

9.2. Necessary Modifications. Notwithstanding anything to the contrary in the Agreement, Nutanix may modify the terms of this DPA where necessary to (i) comply with a request or order by a supervisory authority or other government or regulatory entity; (ii) comply with Applicable Privacy Law; or (iii) implement or adhere to SCCs, approved codes of conduct or certifications, binding corporate rules, or other compliance mechanisms, which may be permitted under Applicable Privacy Law. Supplemental terms may be added as an Annex to this DPA where such terms only apply to the Processing of Personal Data under the Applicable Privacy Law of specific countries or jurisdictions. Nutanix shall provide notice of such changes to Customer as provided on Nutanix's website.

9.3. Conflicts. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.

9.4. Claims. Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement. In particular, any claim or remedy Customer or its Affiliates may have against Nutanix, its Affiliates, employees, contractors, agents and Sub-processors, arising under or in connection with this DPA, whether in contract, tort (including negligence) or under any other theory of liability, shall to the maximum extent permitted by law be subject to the limitations and exclusions of liability in the Agreement. Accordingly, any reference in the Agreement to the liability of a party means the aggregate liability of that party and all of its Affiliates under and in connection with the Agreement and this DPA together. Notwithstanding the foregoing, in no event shall any party limit its liability with respect to any data subject rights under the SCCs.

9.5. Severability. If any provision or part-provision of this DPA is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of the DPA.

9.6. Governing Law. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Privacy Law or the SCCs.

Previous Versions

2023

May 11, 2023 – Data Processing Addendum

2021

September 24, 2021 – Data Processing Addendum

2020

October 23, 2020 – Data Processing Addendum

SCHEDULE 1 (C2C TRANSFERS)

Description of Processing Activities / Transfer

Annex 1(A) List of Parties:

Data Exporter

Data Importer

Name: The party identified as the "Customer" in the Agreement and this DPA.

Nutanix

Contact Person's Name, position and contact details: As set out in the Agreement, Portal, and/or Entitlement.

Contact Person's Name, position and contact details:

Head of Privacy, Legal Department, privacy@nutanix.com

Activities relevant to the transfer: See Annex 1(B) below

Activities relevant to the transfer: See Annex 1(B) below

Role: Controller

Role: Controller

Annex 1(B) Description of transfer:

 

Description

Categories of data subjects:

Data subjects include individuals that use our Services and may include:

  • Representatives of Customer (administrators, users, business contacts)
  • End-user of the Customer (internal and external)

 

Categories of personal data:

Account and Usage Data may include the following Personal Data:

  • account registration and management data (such as your name, contact details including phone number, email address, company, company address, geographic area, preferences, job title, username, password, purchase history);
  • billing, payment, licensing, and entitlements data;
  • data related to Customer communications, relationship management, training, events, webinars, conferences, and support (such as name, contact details and the content of the communications and preferences);
  • Usage Data (including your feedback or any other information related to your utilization of the Services and offerings that you provide to Nutanix); and
  • information used for security and fraud prevention for the Services  (such as username to authenticate authorized users).

 

Sensitive data:

N/A. Sensitive data will not be part of C2C data transfers.

If sensitive data, the applied restrictions or safeguards[1]

N/A

Frequency of the transfer:

Frequency of transfer depends on Customer’s use of the Services and the interactions with Nutanix.

Nature of processing:

Nutanix offers a hybrid multi-cloud software solution that runs on a hyper-converged infrastructure, combining servers and storage into a distributed infrastructure platform with intelligent software to create flexible building blocks. Nutanix also offers a suite of hosted product offerings to help with optimizing hybrid, multi-cloud deployments. The Services, additional services, and other business activities are set out in the Agreement. In order to conduct its business and for the other purposes herein, Nutanix may perform the following types of Processing with respect to Personal Data for which it is a Controller, including Account and Usage Data: collection, recording, organization, storage, analysis, retrieval, consultation, use, disclosure by transmission or otherwise making available (to Nutanix service providers, internal employees, and others with consent), combination, restriction, modification, and destruction.

Purpose(s) of the data transfer and further processing:

Nutanix will Process the Personal Data for the following business purposes (i) manage its business relationship with Customer and for internal operations, including for accounting, billing, licensing, and entitlements; (ii) account registration and management, (iii) order, purchase, delivery, and customization of the Services (iv) customer communications and support, (v) marketing, selling, training, events and promotions, (vi) to develop, operate, support, improve, and enhance Nutanix offerings and Services, (vi) for user authentication, identity verification, and security purposes, including to detect, prevent, and investigate security incidents, fraud, abuse or misuse of the Services; (vii) comply with legal obligations; and (viii) as further described in the DPA, Agreement, and Nutanix Privacy Statement.

Retention period (or, if not possible to determine, the criteria used to determine that period):

See See Section 6.1. of the DPA and Section “Data Retention” of the Nutanix Privacy Statement.

Annex 1(C) Competent supervisory authority:

The competent supervisory authority will be determined in accordance with Applicable Privacy Law.

[1] Such restrictions or safeguards must fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff have followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

SCHEDULE 2 (C2P AND P2P TRANSFERS)

Description of the Processing Activities / Transfer

Annex 1(A) List of Parties:

Data Exporter

Data Importer

Name: the party identified as the "Customer" in the Agreement and this DPA.

Nutanix

Contact Person's Name, position and contact details: As set out in the Agreement, Portal, and/or Entitlement.

Contact Person's Name, position and contact details:

Head of Privacy, Legal Department, privacy@nutanix.com

Activities relevant to the transfer: See Annex 1(B) below

Activities relevant to the transfer: See Annex 1(B) below

Role: Controller or processor

Role: Processor

Annex 1(B) Description of Transfer

 

Description

Categories of data subjects:

There are two main categories of data subjects:

  • Customer’s end-users
  • Data Subjects within the customer data submitted to the Services for Processing by or on behalf of Customer or a customer of Customer which may include, as determined by Customer, Customer’s employees, contractors, business partners, representatives, end customers, or other individuals

 

Categories of personal data:

In general, the following Nutanix Services, if selected by Customer, may Process the following categories of Customer Personal Data for Customer’s end users: name, username, email address, online identifiers such as IP address, geolocation data (based on IP address), and usage data pertaining to Customer’s authorized user when such data is provided to Customer through the functionality in the Services.

If Customer licenses certain Services such as Nutanix Disaster Recovery as a Service, in addition to the categories above, Customer may upload or submit workloads containing Customer Personal Data for Processing using the Services. Such Customer workloads could include any information that is located in the Customer’s environment, at the Customer’s discretion, subject to the acceptable use restrictions in Section 5.9. of the Agreement.

Sensitive data:

Depending on the Services selected by Customer (in particular with Nutanix Disaster Recovery as a Service), Customer may submit Customer Personal Data containing sensitive Customer Personal Data at Customer’s discretion as part of the entire workload submitted to the Services.

If sensitive data, the applied restrictions or safeguards[2]

The Customer must take into consideration the nature of the data and the risks involved prior to choosing to submit workloads containing sensitive Customer Personal Data using the Services. Nutanix’s Technical and Organizational Measures can be found in Schedule 3 below.

Frequency of the transfer:

Customer Personal Data is transferred in accordance with Customer’s documented lawful instructions as described in Section 2.2. of the DPA, and the frequency is determined by Customer’s use of the Services, typically on a continuous basis.

Nature of processing:

Customer Personal Data transferred will be Processed in accordance with Section 11.2. of the Agreement and with this DPA. Processing actions may include: collection, recording, organisation, structuring, storage, analysis, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, modification, erasure or destruction.

Purpose(s) of the data transfer and further processing:

The purposes of the data transfer are to fulfil obligations under the Agreement and the DPA, including providing and improving the Services for Customer, detecting and preventing data security incidents, complying with law or legal obligation, and complying with Customer’s documented lawful instructions from time to time.

Retention period (or, if not possible to determine, the criteria used to determine that period):

See Section 6.1. of the DPA.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

 

The subject matter, nature and duration of Processing for Sub-processors is dependent upon the Services licensed by Customer (and as specified in the Sub-processor List). In particular:

  • For Cloud Services, Nutanix’s Sub-processors provide infrastructure, security and alert monitoring, and reporting services, and Process Customer Personal Data that the Customer uploads for the duration of the Services under the Agreement.
  • For Professional and Support Services, Sub-processors Process Customer Personal Data if provided by the Customer in order to provide the Professional or Support Services pursuant to the Agreement and for the duration of the Services term or engagement. Customer Personal Data will be deleted systems upon termination or expiration of Customer’s engagement, as applicable.

 

Annex 1(C): Competent supervisory authority

The competent supervisory authority will be determined in accordance with Applicable Privacy Law.

[2] Such restrictions or safeguards must fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff have followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

SCHEDULE 3

Technical and Organizational Measures

The following technical measures are in place to protect the Personal Data processed by Nutanix.

1.     Encryption of Personal Data

  • Encryption in Transit. Personal Data is encrypted while in transit over any public network or wireless network via Transport Layer Security (TLS) using TLS 1.2 or greater, Internet Protocol Security (IPSEC), or Secure File Transfer Protocol (SFTP).
  • Encryption at Rest. Personal Data at rest is stored leveraging AES-256 Encryption.
  • Employee Laptop Encryption. Employee laptops are encrypted using full disk AES-256 encryption.

2.     Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

  • Confidentiality Obligations. Nutanix personnel are required to agree to confidentiality obligations before undertaking work for Nutanix or accessing any Nutanix facilities and/or systems.
  • Data handling and trainings. Nutanix requires security and privacy awareness training for all Nutanix employees as well as acknowledgement and agreement to acceptable use and security policies for Nutanix systems and data by all Nutanix personnel.
  • Password Policy. Password management systems enforce password policy requirements across applications, such as password complexity, rotation frequency, and account lockout after multiple failed login attempts.
  • Operational Security & Vulnerability Response. Nutanix monitors a variety of communication channels for operational and capacity management, security vulnerabilities, and Nutanix’s operations and security team will react promptly to known operational issues and/or security vulnerabilities.
  • Network Controls. Nutanix utilizes firewalls for access control between Nutanix’s networks and the Internet. Firewall access is restricted to a small set of administrators with appropriate seniority and authority. Firewalls are established with minimum rights necessary to accomplish tasks by role and access is authorized on a “deny by default” policy.
  • Network Separation. Nutanix maintains network separation based on company policy and system requirements.
  • Server Operating System. Nutanix uses a hardened operating system implementation customized for the Nutanix Cloud Services.
  • Backups. The Cloud Services are incrementally backed up and virtually replicated.

3.     Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

  • Business Continuity Plan. Nutanix maintains internal practices, plans or procedures that are designed to reasonably ensure the Cloud Services are uninterrupted during the term of the Agreement ("Business Continuity Plan"). Nutanix will follow the Business Continuity Plan in order to maintain the applicable service levels set forth in the Documentation.
  • Backups. See Section 2. of this Schedule.

4.     Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

  • Certifications. Nutanix undergoes independent third-party auditing and obtains certifications for its Cloud Services as listed in our trust center at https://www.nutanix.com/trust/compliance-and-certifications, and will maintain such certification or similar certification for select Cloud Services by a certifying third party auditor.
  • Software Development Lifecycle. The Cloud Services are developed using a standardized and reviewed Secure Software Development Lifecycle (SDL) to reduce the risk of introducing security vulnerabilities into the production Cloud Services.
  • Vulnerability Disclosure Program. Nutanix has a vulnerability disclosure program for its customers and a bug bounty program.
  • Penetration Testing & Vulnerability Scans. External penetration tests are performed by an independent third party on an annual basis and incorporated as a requirement to the Nutanix product compliance programs. Vulnerabilities identified are routinely documented, tracked, and resolved by the respective service team with oversight by the Nutanix product security organization.

5.     Measures for user identification and authorisation

  • User Roles. Customer has primary control over the creation, deletion, and suspension of user roles within the Customer’s environment of the Cloud Services.
  • Access Management. Access management procedures define the request, approval, access provisioning and de-provisioning processes. Nutanix logical access procedures restrict user access (local or remote) based on user job function for applications and databases (role/profile based appropriate access), and systems to ensure segregation of duties and are reviewed, administered, and documented based on onboarding, resource re-assignment, or termination of personnel. Periodic Nutanix user access reviews are routinely performed to ensure access is appropriate.
  • Firewalls. Firewalls are used and configured to prevent unauthorized access to the production environment.

6.     Measures for the protection of Personal Data during transmission

  • Encryption in Transit. See Section 1. of this Schedule.

7.     Measures for the protection of Personal Data during storage

  • Encryption at Rest. See Section 1. of this Schedule.
  • Access Control and Privilege Management. Nutanix employs systems and processes to limit physical and logical access based on least privileges and according to job responsibilities designed to ensure that Customer Personal Data can only be accessed by authorized Nutanix personnel. Nutanix maintains an access control policy and that is regularly reviewed based on business and information security requirements.
  • Multi-Factor Authentication. Multifactor authentication is enabled for Nutanix user access to the production environment.

8.     Measures for ensuring physical security of locations at which personal data are processed

  • Hosting Infrastructure and Data Center Security. Nutanix currently uses; (i) its own secure colocation data center environment; (ii) infrastructure provided by Amazon Web Services, Microsoft Azure, and Google Cloud Platform, for the infrastructure of its Cloud Services. Each year, Nutanix will review and audit the applicable third party security and compliance of these infrastructure and data center providers for environmental and physical security controls.

9.     Measures for ensuring events logging

  • Events Logging. Nutanix produces and regularly reviews event logs recording user activity, exceptions, faults, and information security events.

10.  Measures for ensuring system configuration, including default configuration

  • System Configuration and Code Review Process. Nutanix’s change management includes a system configuration and code review process within an established review board and in accordance with a defined policy for justification and escalation for approval.

11.  Measures for internal IT and IT security governance and management

  • Certifications. See Section 4. of this Schedule.
  • Information Risk Governance. Nutanix has a formal Governance, Risk, and Compliance organization and reviews, maintains, and ensures adherence to formal IT security and data handling policies for internal IT systems and Nutanix personnel.
  • Information Security Roles & Responsibilities. All information security responsibilities are defined and allocated. Conflicting duties and areas of responsibilities have been segregated to reduce opportunities for unauthorized or unintentional modification or misuse of Nutanix's assets.

12.  Measures for certification/assurance of processes and products

  • Third Party Audits. See Section 4. of this Schedule.

13.  Measures for ensuring data minimization

  • Product Privacy Assessments. Product privacy assessments are performed when introducing any new product that involves processing of Personal Data.
  • Software Development Lifecycle. Privacy checks are performed during the SDL process when new product features are developed.
  • Access Restrictions. Restrict access to personal data to the parties involved in the processing in accordance with the “need to know” principle and according to the function behind the creation of differentiated access profiles.

14.  Measures for ensuring Data quality

  • Exercise of Rights. See Section 7.1. of the DPA (processor role) and the Nutanix Privacy Statement (controller role).
  • Secure Development Environment. Development environments are protected from malicious or accidental development and update of code that may compromise confidentiality, integrity, and availability of the platform.

15.  Measures for ensuring limited data retention

  • Data Retention. See Annex 1(B) in Schedules 1 and 2 of the DPA.

16.  Measures for ensuring accountability

  • Product Privacy Assessments. See Section 14. of this Schedule.
  • Software Development Lifecycle. See Section 14. of this Schedule.

17.  Measures for allowing Data portability and ensuring erasure

  • Exercise of Rights. See Section 7.1. of the DPA.
  • Return of Customer Content. See Section 13.5. of the Agreement.