NEAR AI DATA PROCESSING AGREEMENT FOR CUSTOMERS

This Data Processing Agreement (“DPA”) is incorporated into and forms part of (and if applicable, amends the current version of) the Terms of Service between Customer and/or its affiliates (“Customer”) and NEAR AI (“NEAR AI”), each a “Party” and collectively the “Parties”. This DPA applies to and takes precedence over the agreement between the Parties and any associated contractual document between the Parties, such as an order form, statement of work, or data processing agreement thereunder (collectively, the “Agreement”), to the extent of any conflict. Capitalized terms not defined herein are defined as in applicable Data Protection Laws. 

Customer and NEAR AI agree as follows:

1. Definitions. For purposes of this DPA:

1. “Data Protection Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of personal data, including without limitation, to the extent applicable, the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR“); the United Kingdom Data Protection Act of 2018; the Swiss Federal Act on Data Protection (“FADP“); and the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., including its regulations and the amendments made by the California Privacy Rights Act of 2020 (“CCPA“), the Virginia Consumer Data Protection Act (“VCDPA“), the Colorado Privacy Act and related regulations (“CPA“), and any other similar state law governing the Processing of Personal Data (collectively, “U.S. State Privacy Laws“). For the avoidance of doubt, if the Parties’ Processing activities involving Personal Data are not within the scope of a given Data Protection Law, such law is not applicable for purposes of this DPA.
2. “Data Subject,” “Processor,” “Service Provider,” “Controller,” and “Business” shall be defined as provided in applicable Data Protection Laws.
3. “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, located http://data.europa.eu/eli/dec_impl/2021/914/oj, and completed as set forth in Section 7 below.
4. “Personal Data” refers to any information relating to an identified or identifiable natural person that NEAR AI Processes on behalf of Customer under these Terms. For purposes of this DPA, the term “Personal Data” includes “personal information,” “personally identifiable information,” and similar terms defined under Data Protection Laws, but does not include Business Contact Information or Usage Data, as such terms are defined in these Terms.
5. “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
6. “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data occurring on NEAR AI’s systems or otherwise under NEAR AI’s control.
7. “UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf).

2. Scope and Purposes of Processing. 

1. The scope, nature, purposes, and duration of the processing, the types of Personal Data Processed, and the Data Subjects concerned are set forth in this DPA, including its Schedule A. The details provided in Schedule A are deemed to satisfy any requirement to provide such details under any Data Protection Law.
2. NEAR AI will Process Personal Data solely: (1) to fulfill its obligations to Customer under these Terms, including this DPA; (2) on Customer’s behalf; and (3) in compliance with Data Protection Laws. NEAR AI will not “sell” Personal Data (as such term in quotation marks is defined in applicable Data Protection Laws), “share” or Process Personal Data for purposes of “cross-context behavioral advertising” or “targeted advertising” (as such terms in quotation marks are defined in applicable Data Protection Laws), or otherwise Process Personal Data for any purpose other than for the specific purposes set forth herein or outside of the direct business relationship with Customer. For the avoidance of doubt, NEAR AI will Process Personal Data solely to provide the cloud processing services to Customer as set forth in these Terms, or as otherwise permitted by Data Protection Laws (for example, to comply with NEAR AI’s legal obligations).
3. NEAR AI will comply with any applicable restrictions under Data Protection Laws on combining the Personal Data with personal data that NEAR AI receives from, or on behalf of, another person or persons, or that NEAR AI collects from any interaction between it and any Data Subject.
4. NEAR AI will provide the same level of protection for the Personal Data as is required under Data Protection Laws applicable to Customer.
5. Customer retains the right, upon notice, to take reasonable steps to stop and remediate unauthorized use of Personal Data, including any use of Personal Data not expressly authorized in this DPA.

3. Personal Data Processing Requirements. NEAR AI will: 

1. Ensure that the persons it authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
2. Assist Customer in the fulfilment of Customer’s obligations to respond to verifiable requests by Data Subjects (or their lawful representatives) for exercising their rights under Data Protection Laws with respect to their Personal Data.
3. Provide reasonable assistance to and cooperation with Customer for Customer’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, and notify Customer of (i) any third-party complaints regarding the Processing of Personal Data; or (ii) any government requests for access to or information about NEAR AI’s Processing of Personal Data on Customer’s behalf, unless prohibited by Data Protection Laws. NEAR AI will provide Customer with reasonable cooperation and assistance in relation to any such request. If NEAR AI is prohibited by applicable Data Protection Laws from disclosing the details of a government request to Customer, NEAR AI shall inform Customer that it can no longer comply with Customer’s instructions under this DPA without providing more details.
4. Provide reasonable assistance to and cooperation with Customer for Customer’s performance of a data protection impact assessment of Processing or proposed Processing of Personal Data, when required by applicable Data Protection Laws, and at Customer’s reasonable expense.
5. Notify Customer if it determines that (i) it can no longer meet its obligations under this DPA or applicable Data Protection Laws; or (ii) in its opinion, an instruction from Customer infringes applicable Data Protection Laws.
6. NEAR AI certifies it understands its obligations under this DPA (including without limitation the restrictions under Sections 2 and 3) and that it will comply with them.

4. Data Security. NEAR AI will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data, as set forth in Schedule A, Annex II.  

5. Security Breach. NEAR AI will notify Customer without undue delay of any known Security Breach resulting from NEAR AI’s Processing of Personal Data on behalf of Customer. NEAR AI will comply with the Security Breach-related obligations directly applicable to it under Data Protection Laws and will provide reasonable assistance to Customer in Customer’s compliance with its Security Breach-related obligations, including without limitation by:

1. Taking commercially reasonable steps to mitigate the effects of the Security Breach and reduce the risk to Data Subjects whose Personal Data was involved.
2. Providing Customer with the following information, to the extent known:
   
   1. The nature of the Security Breach, including, where possible, how the Security Breach occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned.
   2. The likely consequences of the Security Breach.
   3. Measures taken or proposed to be taken by NEAR AI to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.

6. Subprocessors. 

1. Customer acknowledges and agrees that NEAR AI may use NEAR AI affiliates and other Subprocessors to Process Personal Data in accordance with the provisions within this DPA and Data Protection Laws. Where NEAR AI sub-contracts any of its rights or obligations concerning Personal Data, including to any affiliate, NEAR AI will take steps to select and retain Subprocessors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with applicable Data Protection Laws and require that each Subprocessor complies with obligations that are no less restrictive than those imposed on NEAR AI under this DPA.
2. To the extent required by applicable Data Protection Laws, NEAR AI’s current list of Subprocessors are provided in Schedule B hereto, and Customer hereby consents to NEAR AI’s use of such Subprocessors. NEAR AI will maintain an up-to-date list of its Subprocessors, and it will provide Customer with reasonable prior notice of any new Subprocessor added to the list. In the event Customer has a commercially reasonable objection to a new Subprocessor, NEAR AI will use reasonable efforts to make available to Customer a change in the services or recommend a commercially reasonable change to Customer’s use of the services to avoid Processing of Personal Data by the objected-to Subprocessor. Customer may, in its sole discretion, terminate these Terms at any time and by providing written notice to NEAR AI in the event that it objects to a Subprocessor and NEAR AI is unable to offer reasonable changes the services to satisfy Customer.

7. Data Transfers.

1. NEAR AI will not engage in any cross-border Processing of Personal Data, or transmit, directly or indirectly, any Personal Data to any country outside of the country from which such Personal Data was collected, without complying with applicable Data Protection Laws. Where NEAR AI engages in an onward transfer of Personal Data, NEAR AI shall ensure that a lawful data transfer mechanism is in place prior to transferring Personal Data from one country to another.
2. To the extent legally required, by signing this DPA, Customer and NEAR AI are deemed to have signed the EU SCCs, which form part of this DPA and (except as described in Section 7(c) and (d) below) will be deemed completed as follows:
   1. 1. Module 2 of the EU SCCs applies to transfers of Personal Data from Customer (as a controller) to NEAR AI (as a processor);
      2. Clause 7 (the optional docking clause) is included;
      3. Under Clause 9 (Use of subprocessors), the Parties select Option 2 (General written authorization). The initial list of subprocessors is set forth in Schedule B of this DPA and NEAR AI shall update that list and provide a notice to Customer in advance of any intended additions or replacements of subprocessors as provided in Section 6.
      4. Under Clause 11 (Redress), the optional language requiring that Data Subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
      5. Under Clause 17 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-Party beneficiary rights). The Parties select the laws of Ireland;
      6. Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland;
      7. Annex I(A) and I(B) (List of Parties) is completed as set forth in Schedule A of this DPA;
      8. Under Annex I(C) (Competent supervisory authority), the Parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.
      9. Annex II (Technical and organizational measures) is completed with Schedule A of this DPA; and
      10. Annex III (List of subprocessors) is not applicable as the Parties have chosen General Authorization under Clause 9. However, a list of NEAR AI’s subprocessors is available in Schedule B.
3. With respect to Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction or Switzerland) governs the international nature of the transfer, the UK SCCs form part of this DPA and takes precedence over the rest of this DPA as set forth in the UK SCCs. Undefined capitalized terms used in this provision shall mean the definitions in the UK SCCs. For purposes of the UK SCCs, they shall be deemed completed as follows: (i) the Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer; (ii) the Key Contacts shall be the contacts set forth in Schedule A; (iii) the Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties; (iv) Annex 1A, 1B, II, and III shall be set forth in Schedules A and B below; (v) either Party may end this DPA as set out in Section 19 of the UK SCCs; and (vi) by entering into this DPA, the Parties are deemed to be signing the UK SCCs.
4. For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as set forth in Section 7(b) of this DPA, but with the following differences to the extent required by the FADP: (i) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (ii) references to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope; (iii) the term “member state” in EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (iv) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority.

8. Audits. To the extent required by applicable Data Protection Law, NEAR AI shall make available all information necessary for Customer to confirm NEAR AI’s compliance with this DPA.  If Customer has a reasonable basis to conclude that such information provided by NEAR AI is not satisfactory to confirm such compliance, Customer may, at Customer’s sole expense, upon reasonable prior notice, conduct an audit during normal business hours and in a manner that does not disrupt NEAR AI’s business of those NEAR AI systems and records relevant to NEAR AI’s Processing of Personal Data on Customer’s behalf. Customer shall limit its exercise of audit rights to not more than once in any twelve (12) calendar month period, unless (i) required by instruction of a Supervisory Authority; or (ii) following a Security Breach.

9. Return or Destruction of Personal Data. Except to the extent required otherwise by Data Protection Laws, upon termination or expiry of these Terms, NEAR AI will (at Customer’s election and written request) delete or return all Personal Data in its possession or control as soon as reasonably practicable. Except to the extent prohibited by Data Protection Laws, NEAR AI will inform Customer if it is not able to return or delete the Personal Data.

10. General Terms.

1. The provisions of this DPA survive the termination or expiration of these Terms for so long as NEAR AI or its Subprocessors Process the Personal Data.
2. If there is a conflict between these Terms and this DPA, the terms of this DPA will prevail. In the event of a conflict between this DPA and the EU SCCs or UK SCCs, the terms of the EU SCCs or UK SCCs, as relevant, will control.
3. Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations, set forth in these Terms.

Schedule A

ANNEX I

A. LIST OF PARTIES

Data exporter(s):   The exporter (Controller) is Customer and Customer’s contact details and signature are as provided in these Terms and the DPA.

Data importer(s):   The importer (Processor) is NEAR AI and NEAR AI’s contact details and signature are as provided in these Terms and the DPA. 

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:  The Personal Data transferred concerns data subjects whose information Customer makes available through its use of the services under these Terms. 

Categories of personal data transferred: Any personal data provided by Customer to NEAR AI AI for NEAR AI AI to perform services under these Terms.

Sensitive data transferred (if applicable): N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):  On a continuous basis as needed to provide the services to Customer.

Nature of the processing:  The nature of the Processing is set out in these Terms between the Parties.

Purpose(s) of the data transfer and further processing:  The purposes of the data transfer is to provide the services chosen by Customer in connection with these Terms.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:  The data will be retained for the time period needed to accomplish the purposes of Processing, unless otherwise required by applicable law.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:  Same as above to the extent that Personal Data is provided to Subprocessors for purposes of providing the services under these Terms to Customer.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13:  The data exporter’s competent supervisory authority will be determined in accordance with the GDPR, and where possible, will be the Irish Data Protection Commissioner.

ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

NEAR AI, as Provider, will implement and maintain the following administrative, technical, physical, and organizational security measures for the Processing of Personal Data:

Provider must maintain an effective Information Security Program (in line with industry standards such as ISO 27001, etc.) and security measures requirements while handling Personal Data and confidential information of the Disclosing Controller including but not limited to the below requirements. 

Security policies and procedures: Provider shall maintain a management approved documented Information Security Policy and an established security risk management process to continually assess and evaluate new security risk and manage them through adequate security controls or safeguards.

Confidentiality, Integrity and Availability: Provider shall maintain confidentiality, integrity and availability of the Personal Data disclosed to it by the Disclosing Controller by identifying assets that store, process or transmit such data and deploying adequate technical and organization measures such as, but not limited to, data encryption, physical and logical access control, strong password control, malware and content protection, security vulnerability assessment and patching, secure hardening, network/data segregation controls.

Vulnerability management: Wherever applicable, Provider must ensure that any software component (such as code or API) provided to Provider is free for any security vulnerability or issues and ensure security of data processed using such component. 

Incident Handling: In the event of a confirmed personal data breach (as defined by Applicable Data Protection Law), Provider must inform the Disclosing Controller about any impact to its Personal Data promptly and designate a security point of contact (POC) to interact and notify the Disclosing Controller on security matters.

Notification obligation: Any operational change that impacts the security of the Disclosing Controller’s Personal Data and confidential information or systems that handles such data must be notified to the Disclosing Controller without undue delay. 

Secure destruction of data: At the end of the Existing Agreement or as otherwise in accordance with Annex A – Description of Processing, on Disclosing Controller’s request, the Provider must destroy all Personal Data disclosed or authorized to be collected by the Disclosing Controller in a secure manner making the Personal Data un-readable and un-recoverable. If the Personal Data cannot be deleted, the Personal Data must be archived and protected from unauthorized access, modification, and disclosure until securely deleted. The Disclosing Controller at its discretion may request for a data destruction certification that includes method of data destruction used. 

Security risk management program relating to Third Parties: The Provider will ensure a similar level of security controls wherever the Personal Data disclosed or authorized to be collected by the Disclosing Controller is exchanged with a third party.

Encryption: To the extent the Personal Data disclosed by the Disclosing Controller includes sensitive data (as defined by Applicable Data Protection Laws), Provider will ensure that such Personal Data is encrypted at rest and in transit. 

Schedule B

NEAR AI SUBPROCESSORS

The Parties agree that the following list of Subprocessors are approved: