Data Policy
Data processing addendum
When providing our service, Nebula may process personal data on your behalf. To outline the specifics of how we will perform this processing, what our obligations are, and what the obligations of our users/customers are, we’ve developed a Data Processing Addendum (DPA) that we enter into free of charge with anyone that uses our service and requests it.
The terms of this DPA are attached to Nebula's Terms of Service and form part of your agreement with us when you sign up to use our Services.
However, should there be a requirement for you to sign a separate DPA with us, Nebula offers a Data Processing Addendum that supplements the Terms of Service or any other Agreement. Please have an authorized individual execute this DPA. Once you sign the agreement, you will immediately receive a fully executed downloadable copy via email.
This DPA governs Nebula’s and Customer’s obligations as to the protection of Personal Data, Content, and other Customer Confidential Information pursuant to Data Protection Law.
Definitions
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Agreement” means Nebula’s Terms of Service, or other written or electronic agreement, which govern the provision of the Services to Customer, as such terms or agreement may be updated from time to time.
“CCPA” means the California Consumer Privacy Act, its associated regulations and their successors.
“Controller”, “Data Subject”, “Process” and “Processor” (whether or not capitalized) have the meanings provided in the GDPR and include analogous provisions under Data Protection Laws in other jurisdictions.
“Data Protection Law(s)” means all laws and regulations applicable to Nebula’s processing of Personal Data under the Agreement, including CCPA and GDPR.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
“Personal Data” means any information relating to an identified or identifiable natural person that is processed by Nebula on Customer’s behalf pursuant to the Agreement.
“Security Incident” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Content, User Personal Data or other Customer Confidential Information processed by Nebula on Customer’s behalf pursuant to the Agreement.
Processing of personal data
2.1 Roles of the Parties. Customer may be the controller of Personal Data or a processor. Nebula will act as a processor or Sub-processor, as appropriate. Nebula will comply with obligations under Data Protection Laws that govern Nebula’s activities when processing Personal Data. Customer shall be solely responsible for compliance with Data Protection Laws regarding the collection of and transfer to Nebula of Personal Data, and for advising Nebula of any obligations imposed on Nebula as a Sub-processor of or service provider to Customer.
2.2 Details of the Processing. The subject-matter of processing of Personal Data by Nebula is the performance of the Nebula Application pursuant to the Agreement. The duration of the processing, the nature and purpose of the processing, the types of Personal Data and categories of Data Subjects processed under this DPA are further specified in Annex A.
2.3 Processing in Accordance with Data Protection Law. Nebula shall only process Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (a) processing in accordance with the Agreement and applicable Order Form(s); (b) processing initiated by Users in their use of the Nebula Software; and (c) processing to comply with other documented instructions provided by Customer. Nebula will promptly inform Customer if it becomes aware that processing requested by Customer infringes Data Protection Law.
2.4 Processing in Accordance with California Law. In accordance with the CCPA, and with respect to Personal Data to which CCPA applies: (a) Nebula will not “sell” (as defined in the CCPA) any Personal Data; and (b) Nebula will not collect, share or use any Personal Data except as necessary to perform services for Customer.
2.5 Confidentiality of Processing. Nebula will treat Personal Data as Customer’s Confidential Information and protect it in accordance with the confidentiality obligations in the Agreement. Nebula shall ensure that its personnel engaged in the processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements no less protective of Customer’s rights in such data than this DPA.
2.6 Data Subject Requests; Data Impact Assessments. Nebula shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligation to respond to: (a) any request from a data subject to exercise any of its rights under Data Protection Laws; (b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of Personal Data, and (c) any data protection impact assessment that Customer may be required to perform under Data Protection Law. If any such request, correspondence, enquiry or complaint is made directly to Nebula, Nebula will promptly inform Customer providing full details of the same. Nebula shall not respond to a data subject request without Customer’s prior written consent except to confirm that such request relates to Customer.
Sub-processors
3.1 Authorized Sub-processors. Customer consents to Nebula engaging Nebula Affiliates and third party Sub-processors to process Personal Data for the purposes described in the Agreement and this DPA. The Sub-processors currently engaged by Nebula are available here. Nebula or a Nebula Affiliate will enter a written agreement with each Sub-processor imposing data protection terms on the Sub-processor substantially equivalent to, and no less protective of data subjects’ rights in Personal Data than, this DPA. Nebula shall notify Customer if it adds or removes Sub-processors within ten (10) business days of such changes if Customer opts in to receive such notifications here. Customer may object to Nebula's appointment or replacement of a Sub-processor, provided such objection is based on reasonable grounds relating to data protection. If Customer does not object to a new Sub-processor within ten (10) business days, Customer will be deemed to have authorized Nebula’s use of the new Sub-processor and to have waived its right to object. If Customer objects to a new Sub-processor Nebula will use reasonable efforts to avoid using that Sub-processor to process Personal Data, either by adapting or recommending a change in Customer’s configuration of the Nebula Software. If neither of the foregoing is commercially practicable, Nebula will terminate the applicable subscription with respect to the portion of the Nebula Software that can only be provided by Nebula using that Sub-processor. Customer will not receive a refund of any unused prepaid fees on such termination and if fees remain unpaid for a subscription term, Customer will immediately pay the remaining balance due for the remainder of the subscription term.
3.2 Liability for Sub-processors. Where a Sub-processor fails to fulfill its data protection obligations, Nebula shall remain fully liable to Customer for the performance of that Sub-processor's obligations.
Security
4.1 Security Measures. Nebula will use procedural, technical and administrative safeguards designed to ensure the confidentiality, security, integrity, availability and privacy of Content, Personal Data and other Customer Confidential Information stored in the Nebula Software. Nebula may update or modify such measures from time to time provided that such updates and modifications do not result in a material decrease of the overall security of the Nebula Software during Customer’s subscription term. Nebula is not responsible for any breach or loss caused by Customer, Customer’s users or by Customer’s configuration of and deployment specifications for the Nebula Software.
4.2 Audit Rights. Nebula will make available to Customer such information as Customer may reasonably request to demonstrate Nebula’s compliance with the obligations under Data Protection Laws. Nebula will further allow for and contribute to audits conducted by Customer or an auditor mandated by Customer so long as it is not a competitor of Nebula. All such information and audit requests and procedures: (a) must be reasonable based on the nature of the Nebula Software and the categories of Personal Data processed, (b) must be subject to an appropriate confidentiality agreement; and (c) may be made no more than once per year unless otherwise required by instruction of a competent data protection authority. Before the commencement of any such audit, Customer and Nebula shall mutually agree upon the scope, timing, and duration of the audit and the reimbursement rate for any travel or other expenses Nebula incurs in the course of such audit. All reimbursement rates shall be reasonable, taking into account the resources expended by Nebula. Customer shall promptly notify Nebula with information regarding any non-compliance discovered during the course of an audit.
4.3 Breach Notice. Nebula will inform Customer via email without undue delay on its discovery of a Security Incident. Nebula will take all actions reasonably necessary to remedy or mitigate the effects of the Security Incident. Nebula will further keep Customer informed of all material developments regarding the incident and provide such information and cooperation as Customer may reasonably require in order to fulfill its data breach reporting obligations under Data Protection Law.
Return and deletion of personal data
Upon termination or expiration of the Agreement, Nebula shall (at Customer’s election) delete or return to Customer all Personal Data (including copies) in its possession or control, except that this requirement shall not apply to the extent Nebula is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which Personal Data Nebula shall securely isolate, protect from any further processing and eventually delete in accordance with Nebula’s deletion policies, except to the extent required by applicable law. The parties agree that the certification of deletion of Personal Data described in Clause 8.5 and 16(d) of the 2021 Controller-to-Processor Clauses and 2021 Processor-to-Processor Clauses (as applicable) shall be provided by Nebula to Customer only upon Customer’s written request.