NEAR AI Data Processing Agreement for Customers

For purposes of this DPA:

“Data Protection Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of personal data, including without limitation, to the extent applicable, the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”); the United Kingdom Data Protection Act of 2018; the Swiss Federal Act on Data Protection (“FADP”); and the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., including its regulations and the amendments made by the California Privacy Rights Act of 2020 (“CCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act and related regulations (“CPA”), and any other similar state law governing the Processing of Personal Data (collectively, “U.S. State Privacy Laws”).

“Data Subject,” “Processor,” “Service Provider,” “Controller,” and “Business” shall be defined as provided in applicable Data Protection Laws.

“EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, and completed as set forth in Section 7 below.

“Personal Data” refers to any information relating to an identified or identifiable natural person that NEAR AI Processes on behalf of Customer under these Terms. For purposes of this DPA, the term “Personal Data” includes “personal information,” “personally identifiable information,” and similar terms defined under Data Protection Laws, but does not include Business Contact Information or Usage Data, as such terms are defined in these Terms.

“Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data occurring on NEAR AI's systems or otherwise under NEAR AI's control.

“UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses.

The scope, nature, purposes, and duration of the processing, the types of Personal Data Processed, and the Data Subjects concerned are set forth in this DPA, including its Schedule A. The details provided in Schedule A are deemed to satisfy any requirement to provide such details under any Data Protection Law.

NEAR AI will Process Personal Data solely: (1) to fulfill its obligations to Customer under these Terms, including this DPA; (2) on Customer's behalf; and (3) in compliance with Data Protection Laws. NEAR AI will not “sell” Personal Data, “share” or Process Personal Data for purposes of “cross-context behavioral advertising” or “targeted advertising,” or otherwise Process Personal Data for any purpose other than for the specific purposes set forth herein. Notwithstanding anything to the contrary in this DPA, NEAR AI may process Personal Data as an independent Controller for its own legitimate business operations, including security, fraud prevention, compliance, internal reporting, and product development and improvement, as described in NEAR AI's Privacy Policy.

NEAR AI will comply with any applicable restrictions under Data Protection Laws on combining the Personal Data with personal data that NEAR AI receives from, or on behalf of, another person or persons, or that NEAR AI collects from any interaction between it and any Data Subject.

NEAR AI will provide the same level of protection for the Personal Data as is required under Data Protection Laws applicable to Customer.

Customer retains the right, upon notice, to take reasonable steps to stop and remediate unauthorized use of Personal Data, including any use of Personal Data not expressly authorized in this DPA.

NEAR AI will:

• Ensure that the persons it authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Assist Customer in the fulfilment of Customer's obligations to respond to verifiable requests by Data Subjects (or their lawful representatives) for exercising their rights under Data Protection Laws with respect to their Personal Data.
• Provide reasonable assistance to and cooperation with Customer for Customer's consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, and notify Customer of (i) any third-party complaints regarding the Processing of Personal Data; or (ii) any government requests for access to or information about NEAR AI's Processing of Personal Data on Customer's behalf, unless prohibited by Data Protection Laws.
• Provide reasonable assistance to and cooperation with Customer for Customer's performance of a data protection impact assessment of Processing or proposed Processing of Personal Data, when required by applicable Data Protection Laws, and at Customer's reasonable expense.
• Notify Customer if it determines that (i) it can no longer meet its obligations under this DPA or applicable Data Protection Laws; or (ii) in its opinion, an instruction from Customer infringes applicable Data Protection Laws.
• Certify it understands its obligations under this DPA and that it will comply with them.

NEAR AI will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data, as set forth in Schedule A, Annex II.

NEAR AI will notify Customer without undue delay of any known Security Breach resulting from NEAR AI's Processing of Personal Data on behalf of Customer. NEAR AI will comply with the Security Breach-related obligations directly applicable to it under Data Protection Laws and will provide reasonable assistance to Customer in Customer's compliance with its Security Breach-related obligations, including without limitation by:

• Taking commercially reasonable steps to mitigate the effects of the Security Breach and reduce the risk to Data Subjects whose Personal Data was involved.
• Providing Customer with the following information, to the extent known: (a) the nature of the Security Breach, including, where possible, how the Security Breach occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned; (b) the likely consequences of the Security Breach; (c) measures taken or proposed to be taken by NEAR AI to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.

Customer acknowledges and agrees that NEAR AI may use NEAR AI affiliates and other Subprocessors to Process Personal Data in accordance with the provisions within this DPA and Data Protection Laws. Where NEAR AI sub-contracts any of its rights or obligations concerning Personal Data, NEAR AI will take steps to select and retain Subprocessors that are capable of maintaining appropriate privacy and security measures and require that each Subprocessor complies with obligations that are no less restrictive than those imposed on NEAR AI under this DPA.

To the extent required by applicable Data Protection Laws, NEAR AI's current list of Subprocessors are provided in Schedule B hereto, and Customer hereby consents to NEAR AI's use of such Subprocessors. NEAR AI will maintain an up-to-date list of its Subprocessors, and it will provide Customer with reasonable prior notice of any new Subprocessor added to the list. In the event Customer has a commercially reasonable objection to a new Subprocessor, NEAR AI will use reasonable efforts to make available to Customer a change in the services or recommend a commercially reasonable change to Customer's use of the services to avoid Processing of Personal Data by the objected-to Subprocessor.

NEAR AI will not engage in any cross-border Processing of Personal Data, or transmit, directly or indirectly, any Personal Data to any country outside of the country from which such Personal Data was collected, without complying with applicable Data Protection Laws. Where NEAR AI engages in an onward transfer of Personal Data, NEAR AI shall ensure that a lawful data transfer mechanism is in place prior to transferring Personal Data from one country to another.

To the extent legally required, by signing this DPA, Customer and NEAR AI are deemed to have signed the EU SCCs, which form part of this DPA and will be deemed completed as follows:

• (a) Module 2 of the EU SCCs applies to transfers of Personal Data from Customer (as a controller) to NEAR AI (as a processor);
• (b) Clause 7 (the optional docking clause) is included;
• (c) Under Clause 9 (Use of subprocessors), the Parties select Option 2 (General written authorization). The initial list of subprocessors is set forth in Schedule B;
• (d) Under Clause 11 (Redress), the optional language requiring that Data Subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
• (e) Under Clause 17 (Governing law), the Parties select the laws of Ireland;
• (f) Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland;
• (g) Annex I(A) and I(B) is completed as set forth in Schedule A of this DPA;
• (h) Under Annex I(C) (Competent supervisory authority), the Parties select the Irish Data Protection Commission to the extent legally permissible.

With respect to Personal Data transferred from the United Kingdom, the UK SCCs form part of this DPA and take precedence over the rest of this DPA as set forth in the UK SCCs. For purposes of the UK SCCs, either Party may end this DPA as set out in Section 19 of the UK SCCs; and by entering into this DPA, the Parties are deemed to be signing the UK SCCs.

For transfers of Personal Data subject to the FADP, the EU SCCs form part of this DPA as set forth in Section 7(b) of this DPA, but with the following differences to the extent required by the FADP: (i) references to the GDPR are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP; (ii) references to personal data also refer to data about identifiable legal entities; (iii) the term “member state” shall not be interpreted to exclude Data Subjects in Switzerland; and (iv) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

To the extent required by applicable Data Protection Law, NEAR AI shall make available all information necessary for Customer to confirm NEAR AI's compliance with this DPA. If Customer has a reasonable basis to conclude that such information provided by NEAR AI is not satisfactory to confirm such compliance, Customer may, at Customer's sole expense, upon reasonable prior notice, conduct an audit during normal business hours and in a manner that does not disrupt NEAR AI's business of those NEAR AI systems and records relevant to NEAR AI's Processing of Personal Data on Customer's behalf. Customer shall limit its exercise of audit rights to not more than once in any twelve (12) calendar month period, unless (i) required by instruction of a Supervisory Authority; or (ii) following a Security Breach.

Except to the extent required otherwise by Data Protection Laws, upon termination or expiry of these Terms, NEAR AI will (at Customer's election and written request) delete or return all Personal Data in its possession or control as soon as reasonably practicable. Except to the extent prohibited by Data Protection Laws, NEAR AI will inform Customer if it is not able to return or delete the Personal Data.

• The provisions of this DPA survive the termination or expiration of these Terms for so long as NEAR AI or its Subprocessors Process the Personal Data.
• If there is a conflict between these Terms and this DPA, the terms of this DPA will prevail. In the event of a conflict between this DPA and the EU SCCs or UK SCCs, the terms of the EU SCCs or UK SCCs, as relevant, will control.
• Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations, set forth in these Terms.