Skip to content

NiceGPU Terms of Service Addendum: Data Processing Agreement

Last Updated: April 17, 2025

This Data Processing Agreement ("Agreement") forms part of the Terms of Service ("Principal Agreement") between: (i) Customer ("Controller"); and (ii) NiceGPU Inc. ("Processor" or "Service Provider"). This Agreement is entered into and effective as of the effective day of Customer entering into the Principal Agreement with Processor. The terms used in this Agreement shall have the meanings set forth in this Agreement. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.

1. Definitions

In this Agreement, the following terms shall have the meanings set out below:

  • "Anonymous Data" means information that relates to a group or category of consumers and/or individuals, from which: (i) the Controller cannot be identified as the source of the information; (ii) personally identifiable information allowing the identification of individuals is removed; and (iii) the information is not reasonably identifiable or linkable to any consumer, individual, household, or device.
  • "Applicable Laws" means the GDPR, UK GDPR, Swiss GDPR, CCPA, CPRA, and any other applicable data protection laws.
  • "Personal Data" means any Personal Data Processed by the Contracted Processor on behalf of the Controller pursuant to the Principal Agreement.
  • "Contracted Processor" means Processor or a Subprocessor.
  • "EEA" means the European Economic Area.
  • "GDPR" means EU General Data Protection Regulation 2016/679 and its implementing regulations in the EEA and the United Kingdom.
  • "Restricted Transfer" means a transfer of Personal Data subject to the GDPR outside of the EEA.
  • "Services" means the services and other activities to be supplied to or carried out by or on behalf of Contracted Processor for Controller pursuant to the Principal Agreement.
  • "Standard Contractual Clauses" means the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council attached hereto as Schedule A.
  • "Subprocessor" means any person (including any third party, and any Processor Affiliate, but excluding an employee of Processor) or any of its sub-contractors) appointed by or on behalf of Processor or Processor Affiliate to Process Personal Data on behalf of any Controller in connection with the Principal Agreement.
  • "Processor Affiliate" means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Processor, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
  • The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR.

2. Data Processing

2.1 Scope and Roles: The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller, NiceGPU is the Processor, and that NiceGPU will engage Subprocessors pursuant to the requirements set forth in Section 5 "Subprocessors" below.

2.2 Customer's Processing of Personal Data: Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws. For the avoidance of doubt, Customer's instructions for the Processing of Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.

2.3 Processor's Processing of Personal Data: Processor shall treat Personal Data as confidential information and shall only Process Personal Data on behalf of and in accordance with Customer's documented instructions for the following purposes: (i) Processing in accordance with the Principal Agreement; (ii) Processing initiated by users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Principal Agreement.

3. Rights of Data Subjects

3.1 Data Subject Requests: Processor shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject for access to, correction, amendment, or deletion of that person's Personal Data. Processor shall not respond to any such Data Subject request without Customer's prior written consent except to confirm that the request relates to Customer. Processor shall provide Customer with commercially reasonable cooperation and assistance in relation to handling of a Data Subject's request for access to that person's Personal Data, to the extent legally permitted and to the extent Customer does not have access to such Personal Data through its use of the Services.

4. NiceGPU Personnel

4.1 Confidentiality: Processor shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements. Processor shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

4.2 Reliability: Processor shall take commercially reasonable steps to ensure the reliability of any NiceGPU personnel engaged in the Processing of Personal Data.

4.3 Limitation of Access: Processor shall ensure that NiceGPU's access to Personal Data is limited to those personnel performing Services in accordance with the Principal Agreement.

4.4 Data Protection Officer: Members of the NiceGPU Group have appointed a data protection officer. The appointed person may be reached at dpo@nicegpu.com.

5. Subprocessors

5.1 Appointment of Subprocessors: Customer acknowledges and agrees that (a) Processor's Affiliates may be retained as Subprocessors; and (b) Processor and Processor's Affiliates respectively may engage third-party Subprocessors in connection with the provision of the Services. Processor or a Processor Affiliate has entered into a written agreement with each Subprocessor containing data protection obligations not less protective than those in this Agreement with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Subprocessor.

5.2 List of Current Subprocessors and Notification of New Subprocessors: Processor shall make available to Customer the current list of Subprocessors for the Services. Such Subprocessor lists shall include the identities of those Subprocessors and their country of location ("Subprocessor List"). Customer may find on Processor's website a mechanism to subscribe to notifications of new Subprocessors for each applicable Service, to which Customer shall subscribe, and if Customer subscribes, Processor shall provide notification of a new Subprocessor(s) before authorizing any new Subprocessor(s) to Process Personal Data in connection with the provision of the applicable Services.

5.3 Objection Right for New Subprocessors: Customer may object to Processor's use of a new Subprocessor by notifying Processor promptly in writing within ten (10) business days after receipt of Processor's notice in accordance with the mechanism set out in Section 5.2. In the event Customer objects to a new Subprocessor, as permitted in the preceding sentence, Processor will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer's configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Subprocessor without unreasonably burdening Customer. If Processor is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by Processor without the use of the objected-to new Subprocessor by providing written notice to Processor. Processor will refund Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services.

6. Security

6.1 Controls for the Protection of Personal Data: Processor shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data), confidentiality, and integrity of Personal Data, as set forth in the NiceGPU Security Documentation. Processor regularly monitors compliance with these measures. Processor will not materially decrease the overall security of the Services during a subscription term.

6.2 Third-Party Certifications and Audits: Processor has obtained the third-party certifications and audits set forth in the NiceGPU Security Documentation. Upon Customer's written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Principal Agreement, Processor shall make available to Customer that is not a competitor of Processor (or Customer's independent, third-party auditor that is not a competitor of Processor) a copy of Processor's then most recent third-party audits or certifications, as applicable.

7. Security Breach Management and Notification

Processor maintains security incident management policies and procedures specified in the NiceGPU Security Documentation and shall, to the extent permitted by law, promptly notify Customer of any actual or reasonably suspected unauthorized disclosure of Personal Data, including any Personal Data Breach. Processor shall make reasonable efforts to identify the cause of such Personal Data Breach and take those steps as Processor deems necessary and reasonable in order to remediate the cause of such a Personal Data Breach to the extent the remediation is within Processor's reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer's users.

8. Return and Deletion of Personal Data

Processor shall return Personal Data to Customer and, to the extent allowed by applicable law, delete Personal Data in accordance