Data Protection Agreement (DPA)
Last Updated: April 6, 2025
- Service Provider: Nozomi Networks, Inc., a corporation registered in the US State of Delaware, with offices at 575 Market Street, Suite 3650, San Francisco, CA 94105, USA (“Provider,” “we,” “us,” or “our”).
- End User: Any individual or organization using our products or services (“End User,” “you,” or “your”).
1. Purpose and Scope
This Data Protection Agreement ("DPA") supplements our End User License Agreement. It governs our processing of Personal Data on your behalf, ensuring compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on Personal Data, including collection, storage, or transfer.
- Controller: The End User, determining the purposes and means of data processing.
- Processor: The Provider, processing data on the End User's behalf.
- Subprocessor: A third party engaged by the Provider to assist in data processing.
3. Data Processing Purposes
The Provider processes Personal Data solely for the following purposes:
- Service Delivery: To provide and manage access to our SaaS platform.
- End User Account Management: To create, maintain, and support End User accounts.
- Customer Support: To respond to user inquiries and troubleshoot issues.
- Service Improvement: To analyze performance and enhance platform features.
- Security and Compliance: To ensure service security, fraud prevention, and legal compliance.
- Billing and Payments: To manage subscriptions and transactions.
4. Types of Personal Data Collected
We process the following Personal Data categories:
- Identity Data: Name, email, phone number, company name, job title.
- Account Data: Usernames, passwords, account settings.
- Usage Data: IP addresses, device details, browser types, interaction logs.
- Billing Data: Payment information, billing address (via secure payment processors).
- Support Data: End User messages, support tickets, logs.
5. Legal Basis for Processing
We process data based on:
- End User consent (for marketing and optional features).
- Performance of a contract (providing SaaS services).
- Legal obligations (e.g., tax records, fraud prevention).
- Legitimate interests (e.g., service optimization, security).
6. Subprocessors
The Provider engages trusted subprocessors for specialized functions. Each subprocessor adheres to GDPR or equivalent data protection standards. The current list of subprocessors can be found here.
7. International Data Transfers
We transfer Personal Data from the EU/EEA to countries outside those regions, including the US. To ensure lawful and secure transfers, we rely on:
- Standard Contractual Clauses (SCCs): The parties agree to incorporate the European Commission’s Standard Contractual Clauses (2021/914) for international data transfers as part of this DPA.
  - Module Two: Controller to Processor (for the End User to Provider relationship).
  - Module Three: Processor to Subprocessor (for the Provider to listed subprocessors).
  - Supplementary measures, including data encryption, pseudonymization, and ongoing risk assessments, are implemented as required by the Schrems II ruling.
- Adequacy Decisions: Where applicable, we rely on countries recognized by the European Commission as having adequate data protection laws.
- Binding Corporate Rules (BCRs): If relevant, for specific subprocessors with BCR approval.
8. Data Subject Rights
Under GDPR, you (the End User) have rights to:
- Access, rectify, or delete your data.
- Restrict or object to data processing.
- Portability: Obtain a copy of your data in a usable format.
- Lodge a complaint with a Data Protection Authority (DPA).
When we receive requests from data subjects, we will promptly notify you so that you, as Controller, can fulfill such requests relating to the exercise of their rights.
9. Duration of Processing and Data Retention
We only process Personal Data for the duration of the contract and to fulfill any obligations based on the purposes specified.
We retain Personal Data only as long as necessary for service delivery and legal compliance. Upon contract termination, we:
- Delete Personal Data within 30 days, unless required by law.
- Provide the End User a data export (upon request) before deletion.
10. Security Measures
We implement industry-standard security, including:
- Access Control: Policies to restrict unauthorized access to systems and data. This includes multi-factor authentication (MFA) and regular reviews of access permissions.
- Cryptographic Measures: Encryption of data both at rest and in transit to ensure confidentiality and integrity.
- Incident Management: Comprehensive plans for responding to security breaches, including immediate notification to the Controller and detailed incident reports.
- Physical Security: Measures to protect IT infrastructure, such as secure facilities, surveillance systems, and restricted access areas.
- Supplier Security Assessments: Regular evaluations of third-party vendors to ensure their compliance with security standards.
- Security Awareness Training: Regular training programs for our employees to ensure they are aware of security policies and procedures.
- Endpoint Security: Implementation of antivirus software, Mobile Device Management (MDM) solutions, and regular patch management to protect devices accessing our systems.
- Network Security: Monitoring and responding to network security threats, including firewalls, intrusion detection systems, and regular vulnerability assessments.
- Risk Management: Continuous assessment and management of security risks, including regular audits and reviews of security controls.
- Data Erasure: Ensuring that Personal Data is securely erased from our systems and devices upon termination of the engagement.
- Vulnerability Scanning and Management: Conducting regular internal and external vulnerability scans to identify and address weaknesses in our systems. This includes documenting findings, implementing remediation strategies, and verifying the success of these strategies.
- Environment Segregation: Implementing strict separation of development, test, and production environments to prevent security risks such as data exposure or unauthorized access. This includes authorization controls and access restrictions to maintain data integrity and security.
11. Breach Notification
In case of a data breach, we will:
Notification to the End User: Notify the End User within 48-72 hours of discovery of the breach. The notification will include:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned.
- The name and contact details of the data protection officer or other contact point where more information can be obtained.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to be taken by the Processor to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
Notification to Supervisory Authorities: Notify the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, in accordance with Article 33 of the GDPR. If the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
Communication to Data Subjects: When the breach is likely to result in a high risk to the rights and freedoms of natural persons, communicate the breach to the affected data subjects without undue delay, in accordance with Article 34 of the GDPR. The communication to the data subjects shall include:
- The nature of the breach.
- The name and contact details of our data protection officer or other contact point where more information can be obtained.
- The likely consequences of the breach.
- The measures taken or proposed to be taken by us to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
Mitigation and Remediation: Take all necessary steps to mitigate the impact of the breach and prevent further breaches. This includes conducting a thorough investigation, implementing corrective actions, and providing regular updates to the End User on the status of the remediation efforts.
Documentation and Reporting: Maintain a record of all data breaches, including the facts relating to the breach, its effects, and the remedial action taken. This record shall be made available to the supervisory authority upon request.
Assistance with Regulatory Reporting: Assist you with regulatory reporting requirements, including providing necessary information and support for any investigations conducted by supervisory authorities.
12. Audit Rights
We will allow you, or an auditor mandated by you, to conduct audits and inspections to verify our compliance with this DPA and GDPR requirements. Audits must be scheduled with at least 90 days' notice and are subject to our approval and confirmation. We will provide access to all relevant information, systems, and premises necessary to conduct the audit during our normal business hours. We will cooperate fully with you or your auditor during the audit and address any issues identified in the audit report within a reasonable timeframe.
13. Liability and Indemnity
Each party is liable for its own GDPR non-compliance. The Provider’s liability is limited to 12 months of service fees, except for willful misconduct or gross negligence.
14. Governing Law
This DPA is governed by the laws of the Netherlands, with disputes settled in the courts of The Hague, the Netherlands.
15. Amendments
We may update this DPA to reflect legal changes or service improvements. Users will be notified of significant changes 30 days in advance.
16. Contact Information
For questions or data protection concerns:
Nozomi Networks, Inc.
Data Protection Officer:
Director of Governance, Risk and Compliance
Email: privacy@nozominetworks.com
Address: 575 Market Street, Suite 3650, San Francisco, CA 94105, USA