Last updated: June 2, 2026
This Data Processing Addendum (“DPA”) forms part of, and is subject to, the Nutshell Terms of Service available at nutshell.com/legal/terms (the “Agreement”) between Nutshell, Inc. (“Nutshell”) and the customer entity that is a party to the Agreement (“Customer”). All capitalized terms not defined in this DPA have the meanings given in the Agreement.
This DPA applies to the processing of Personal Data by Nutshell on behalf of Customer in the course of providing the Service. To the extent of any conflict, the documents apply in the following order of precedence: (1) the SCCs and UK Addendum (where applicable), (2) this DPA, (3) the Agreement.
By accepting the Agreement, Customer accepts this DPA on behalf of itself and its Group Companies that use the Service. Customer warrants that the individual accepting this DPA has authority to bind Customer and its applicable Group Companies.
“Group Company” has the meaning given in the Agreement.
“CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its implementing regulations.
“Customer Data” has the meaning given in the Agreement and, for purposes of this DPA, means any Personal Data that Nutshell processes on behalf of Customer in providing the Service.
“Data Protection Laws” means all laws and regulations applicable to a party’s processing of Personal Data under the Agreement, including European Data Protection Law, Non-European Data Protection Laws, and any other applicable privacy or data protection law.
“European Data Protection Law” means (a) Regulation (EU) 2016/679 (“EU GDPR”); (b) the EU GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018 (“UK GDPR”); (c) the Swiss Federal Act on Data Protection (“Swiss FADP”); and (d) the EU ePrivacy Directive (2002/58/EC), as amended, and its national implementations.
“Europe” means, for purposes of this DPA, the European Economic Area, the United Kingdom, and Switzerland.
“Non-European Data Protection Laws” means the CCPA and other U.S. state privacy laws, the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”), the Brazilian Lei Geral de Proteção de Dados (“LGPD”), and other applicable data protection laws.
“Personal Data” has the meaning given in the EU GDPR or, if not defined there, the equivalent term under applicable Data Protection Laws.
“SCCs” means the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two (Controller to Processor), available at eur-lex.europa.eu.
“Security Incident” means a confirmed accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Customer Data in Nutshell’s possession or control. A Security Incident does not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful log-in attempts, pings, port scans, denial-of-service attacks, and similar events.
“Sensitive Data” means (a) Social Security numbers, passport numbers, driver’s-license numbers, or comparable government-issued identifiers; (b) full payment-card numbers (other than truncated card numbers); (c) financial-account credentials, access credentials, or authentication secrets; (d) information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation; (e) protected health information (PHI) subject to HIPAA; and (f) any other category considered “sensitive,” “special category,” or similarly heightened under applicable Data Protection Laws.
“Service Data” has the meaning given in the Agreement.
“Subprocessor” means any third party engaged by Nutshell or its Group Companies to process Customer Data on behalf of Nutshell in connection with the Service.
“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A of the UK Data Protection Act 2018.
The terms “controller,” “processor,” “data subject,” “process,” “processing,” and equivalents have the meanings given under applicable Data Protection Laws.
The parties acknowledge that, with respect to the processing of Customer Data, Customer is the controller (or, under the CCPA, “business”), Nutshell is the processor (or, under the CCPA, “service provider”), and Nutshell processes Customer Data on Customer’s behalf as described in Annex I.
Where Customer is itself a processor acting on behalf of a third-party controller, Customer warrants that it has the authority to enter into this DPA, including the authority to engage Nutshell as a sub-processor of that controller. Customer is responsible for forwarding instructions, notices, and requests as applicable between Nutshell and the third-party controller.
Nutshell processes Customer Data only on documented instructions from Customer, including:
The Agreement, this DPA, and Customer’s use of the Service constitute Customer’s complete and final documented instructions to Nutshell. Any additional or different instructions require a written amendment to this DPA, which Nutshell may accept or reject in its discretion.
Nutshell will not (a) “sell” or “share” Customer Data as those terms are defined under the CCPA; (b) retain, use, or disclose Customer Data outside the direct business relationship between the parties; or (c) combine Customer Data with personal information Nutshell receives from other sources, except as permitted by Data Protection Laws.
Customer represents and warrants that:
(a) it has, and will maintain throughout the term, all rights, notices, and consents required under Data Protection Laws to provide Customer Data to Nutshell for the processing contemplated by this DPA; (b) its instructions to Nutshell comply with Data Protection Laws; (c) the Personal Data Customer provides is accurate, lawfully obtained, and limited to what is necessary; and (d) Customer will respond to data-subject requests and other obligations as the controller, with Nutshell’s assistance as set forth in Section 7.
Customer must not provide Sensitive Data to Nutshell for processing, and Nutshell will have no liability for Sensitive Data submitted in breach of this Section. This DPA does not apply to Sensitive Data submitted in breach of this Section.
Nutshell will promptly notify Customer, unless prohibited from doing so under applicable law, if Nutshell becomes aware that an instruction from Customer infringes Data Protection Laws.
Nutshell implements and maintains the technical and organizational measures set forth in Annex II to protect Customer Data against Security Incidents and to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. Nutshell may update Annex II from time to time, provided that the updated measures do not materially decrease the overall level of protection of Customer Data.
Nutshell ensures that personnel authorized to process Customer Data are bound by appropriate confidentiality obligations (whether contractual or statutory) and have received appropriate training on data protection and information security.
Upon becoming aware of a Security Incident, Nutshell will:
(a) notify Customer without undue delay and, where feasible, no later than 72 hours after Nutshell’s confirmation of the Security Incident; (b) provide Customer with information reasonably necessary for Customer to meet its own notification obligations under Data Protection Laws, including: the nature of the Security Incident; the categories and approximate number of data subjects and records concerned; the likely consequences; and the measures taken or proposed to address it; and (c) take reasonable steps to contain, investigate, and mitigate the Security Incident.
Notification will be made to the security or privacy contact designated in Customer’s account or, absent a designation, to the administrative contact. Notification of, or response to, a Security Incident under this Section is not an acknowledgment of fault or liability by Nutshell.
Customer is responsible for: securing its account credentials; configuring user permissions; maintaining the security of its own systems and networks; encrypting or backing up Customer Data as it deems appropriate beyond Nutshell’s measures; and notifying Nutshell promptly of any suspected compromise of its account.
Customer grants Nutshell a general authorization to engage Subprocessors to process Customer Data, subject to the conditions in this Section 4. The current list of Subprocessors is published at trust.nutshell.com/subprocessors.
Nutshell will:
(a) enter into a written agreement with each Subprocessor that imposes data-protection obligations no less protective than those in this DPA, to the extent applicable to the services provided by that Subprocessor; and (b) remain responsible for each Subprocessor’s compliance with the obligations of this DPA and for any acts or omissions of a Subprocessor that cause Nutshell to breach this DPA.
Nutshell will notify Customer at least 10 days before authorizing a new Subprocessor (other than a temporary replacement Subprocessor required by an emergency, such as the failure of an existing Subprocessor) by updating the list at the URL above and, at Customer’s option, by email subscription. Customer may object to a new Subprocessor on reasonable data-protection grounds by sending written notice to [email protected] within the 10-day notice period. If the parties cannot in good faith resolve the objection within 10 days of Customer’s notice, Customer may terminate the affected portion of the Service for convenience, and Nutshell will refund any prepaid fees for the unused portion of the Subscription Term attributable to the terminated Service. Customer’s termination right under this Section is its exclusive remedy in the event of an unresolved objection to a new Subprocessor.
Nutshell will not engage Subprocessors that are domiciled in, or that store Customer Data in, the Democratic People’s Republic of Korea (North Korea) or the Islamic Republic of Iran. This restriction applies to all Subprocessors regardless of the Customer’s location.
Nutshell may transfer and process Customer Data in the United States and other countries where Nutshell, its Group Companies, or its Subprocessors maintain processing operations, subject to the geographic restriction in Section 4.4. Nutshell will ensure that all transfers comply with Data Protection Laws.
To the extent Nutshell processes Personal Data that is subject to European Data Protection Law and that is transferred from the EEA or Switzerland to a third country that has not received an adequacy decision, the SCCs (Module Two, Controller to Processor) are incorporated by reference into this DPA and apply as follows:
(a) Nutshell is the “data importer” and Customer is the “data exporter”; (b) Clause 7 (Docking clause) applies; (c) Clause 9(a) (Use of sub-processors): Option 2 (general written authorization) applies, with the 10-day prior notice period set forth in Section 4.3; (d) Clause 11(a) (Redress): the optional independent dispute-resolution body does not apply; (e) Clause 17 (Governing law): the SCCs are governed by the law of Ireland; (f) Clause 18(b) (Choice of forum and jurisdiction): disputes will be resolved by the courts of Ireland; (g) Annex I of the SCCs is populated by Annex I of this DPA; (h) Annex II of the SCCs is populated by Annex II of this DPA; (i) Annex III of the SCCs is populated by Annex III of this DPA; and (j) for transfers subject to the Swiss FADP, references to “GDPR” are deemed to include the Swiss FADP, the term “Member State” is replaced by “Switzerland,” and the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) with respect to data flows governed exclusively by Swiss law.
By accepting this DPA, both parties are deemed to have signed the SCCs as completed above.
To the extent Nutshell processes Personal Data subject to UK GDPR that is transferred from the UK to a third country that has not received UK adequacy, the UK Addendum is incorporated by reference and applies as follows:
(a) Table 1 (Parties): completed by Annex I of this DPA; (b) Table 2 (Selected SCCs, Modules and Selected Clauses): the Approved EU SCCs Module Two as completed in Section 5.2 above apply; (c) Table 3 (Appendix Information): completed by Annex I (Description of Processing), Annex II (Technical and Organizational Measures), and Annex III (Sub-processors) of this DPA; and (d) Table 4 (Ending the Addendum): only the data exporter (Customer) may terminate the Addendum.
By accepting this DPA, both parties are deemed to have signed the UK Addendum as completed above.
If the SCCs, UK Addendum, or any successor mechanism is invalidated or replaced, the parties will work in good faith to put in place an alternative transfer mechanism that complies with Data Protection Laws.
Nutshell will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including by providing Nutshell’s then-current third-party attestations and reports (currently a SOC 2 Type 1 report) that Nutshell maintains in the ordinary course, in each case subject to Customer’s execution of Nutshell’s standard non-disclosure agreement.
To the extent applicable Data Protection Laws (including the SCCs) require an audit right that goes beyond Section 6.1, Customer may, upon at least 30 days’ prior written notice and no more often than once per 12 months (except as required by a supervisory authority or following a Security Incident), conduct an on-site audit of Nutshell’s compliance with this DPA. Audits will: (a) be conducted during normal business hours; (b) avoid unreasonable disruption of Nutshell’s operations; (c) be subject to Nutshell’s confidentiality and security requirements; (d) be performed at Customer’s expense, including reimbursement of Nutshell’s reasonable time at Nutshell’s then-standard rates; and (e) not extend to data of other Nutshell customers, financial information, or other confidential business information unrelated to compliance with this DPA. Customer must provide Nutshell with the audit report and treat it as Nutshell’s Confidential Information.
The Service provides Customer with tools (such as data export, access, correction, and deletion functions) that Customer may use to fulfill its obligations to respond to data-subject requests under Data Protection Laws, at no additional cost.
To the extent the self-service tools are insufficient and applicable Data Protection Laws require it, Nutshell will provide Customer with reasonable additional assistance, taking into account the nature of the processing and the information available to Nutshell, at Customer’s expense.
If a data subject contacts Nutshell directly with a request regarding Customer Data, Nutshell will: (a) not respond to the request other than to acknowledge receipt and to direct the data subject to Customer; and (b) where permitted by law, promptly forward the request to Customer.
If Nutshell receives a binding legal request (such as a subpoena, warrant, or government order) requiring disclosure of Customer Data, Nutshell will: (a) where lawful, redirect the requesting authority to seek the data from Customer; (b) where redirection is not possible and disclosure is not legally prohibited, provide Customer with notice of the request prior to disclosure so that Customer may seek a protective order or other remedy; and (c) limit any disclosure to what is legally required. Nutshell will challenge requests that are overbroad, unlawful, or inconsistent with international human-rights standards where reasonable.
To the extent Customer is required by Data Protection Laws to conduct a data protection impact assessment (“DPIA”) or to consult with a supervisory authority, Nutshell will provide reasonable information and cooperation, taking into account the nature of the processing and the information available to Nutshell, at Customer’s expense.
Upon termination or expiration of the Agreement, and upon Customer’s written request, Nutshell will, at Customer’s option, return or delete all Customer Data in its possession or control in accordance with the data-retention provisions of the Agreement, subject to: (a) Nutshell’s right to retain Customer Data to the extent and for the period required by applicable law, and (b) Customer Data archived on backup systems, which Nutshell will securely isolate, protect from further active processing, and overwrite in accordance with Nutshell’s backup-retention schedule.
Notwithstanding anything to the contrary, Nutshell may collect, use, and disclose Service Data and aggregated or de-identified data for its legitimate business purposes, including: (a) billing, accounting, tax, audit, and other compliance activities; (b) providing, securing, monitoring, troubleshooting, and improving the Service; (c) detecting, investigating, and preventing fraud, abuse, security incidents, and violations of the Agreement; (d) producing aggregate statistics and benchmarks (that do not identify Customer or any individual); and (e) complying with applicable law. To the extent Service Data constitutes Personal Data, Nutshell will process it as a controller in accordance with the Nutshell Privacy Policy. This DPA does not apply to Service Data.
The provisions in Addendum A apply in addition to (and, in the event of conflict, override) the rest of this DPA, but only to the extent that Nutshell processes Customer Data subject to the corresponding jurisdiction’s Data Protection Laws.
Each party’s liability under or in connection with this DPA, including under the SCCs and UK Addendum, is subject to the limitations of liability set forth in the Agreement. The aggregate liability of both parties, taken together, under this DPA (including the SCCs and UK Addendum), is subject to a single cap equal to the cap in the Agreement, not a separate cap.
This DPA continues for so long as Nutshell processes Customer Data on behalf of Customer and until Customer Data is returned or deleted in accordance with Section 8.
In the event of a conflict between this DPA and the Agreement, this DPA controls as to matters concerning the processing of Personal Data. The SCCs and UK Addendum (where applicable) control over this DPA.
This DPA supersedes any prior data processing agreement between the parties relating to the Service.
Except for the data-subject rights expressly granted under the SCCs and the UK Addendum, this DPA does not create third-party beneficiary rights.
Except where the SCCs, UK Addendum, or Data Protection Laws require otherwise, this DPA is governed by the governing-law and dispute-resolution provisions of the Agreement.
Customer’s acceptance of the Agreement constitutes Customer’s acceptance of this DPA. No additional signature is required.
Data subjects whose Personal Data is included in Customer Data may include: Customer’s employees, contractors, and other Authorized Users; Customer’s customers, prospects, leads, and other contacts; visitors to websites operated by Customer that use Nutshell features; senders and recipients of communications routed through the Service; and other persons whose data Customer chooses to upload.
The categories are determined by Customer in its use of the Service and may include: name; contact information (email, phone, postal address); employer and job title; communications content (email, chat, SMS, voice recordings, transcripts, attachments); customer-relationship metadata (lead status, deal stage, notes, tags); IT/device information (IP address, user agent, cookie IDs); approximate location (derived from IP); behavioral data (website-visit activity, email engagement, form submissions); and other Personal Data Customer chooses to upload.
Customer agrees not to provide Sensitive Data to the Service. Nutshell does not intentionally collect or process Sensitive Data through the Service.
For data exporters established in the EU, the competent supervisory authority is identified in accordance with Article 4(22) GDPR. Where no single competent authority can be identified or where required to identify a lead authority, the Irish Data Protection Commission acts as the competent supervisory authority for purposes of the SCCs. For UK transfers, the UK Information Commissioner’s Office (ICO) is the competent supervisory authority. For Swiss transfers, the Swiss Federal Data Protection and Information Commissioner (FDPIC) is the competent supervisory authority.
This Annex II describes the technical and organizational measures Nutshell implements to protect Customer Data, organized to match the categories required by Annex II of the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914).
Nutshell maintains a documented information security program with executive-level ownership and at least annual review. The program is informed by industry frameworks including the AICPA Trust Services Criteria (SOC 2) and ISO/IEC 27001-aligned controls. Nutshell is SOC 2 Type 1 attested by an independent third-party auditor; Nutshell’s most recent attestation report and trust center materials are available to qualified Customers under NDA at trust.nutshell.com.
Nutshell may revise these measures at any time, provided that revisions do not materially reduce or weaken the protection of Customer Data.
Customer can export and erase Customer Data using self-service tools provided in the Service. Specifically:
Further detail and step-by-step instructions are published at support.nutshell.com/en/articles/8429014. Customer’s initiation of an export or deletion via the user interface or via Nutshell support is deemed to satisfy the return-and-deletion obligations of Section 8 of this DPA with respect to the affected data.
When Nutshell engages a Subprocessor (as described in Section 4 of this DPA), Nutshell enters into a written agreement with the Subprocessor that imposes data-protection obligations substantially similar to those of this DPA. Subprocessor agreements require, among other things, that the Subprocessor: (a) notify Nutshell of Security Incidents so Nutshell can in turn notify Customer; (b) delete Personal Data on Nutshell’s instruction; and (c) process Personal Data only in accordance with Nutshell’s instructions. Critical Subprocessors are reviewed at least annually, including review of their SOC 2 Type 2 reports, ISO 27001 / 27701 certifications, or comparable third-party attestations.
Nutshell engages Subprocessors to provide the Service. A current and up-to-date list of Subprocessors, including the categories of processing and processing locations, is maintained at:
https://trust.nutshell.com/subprocessors
Categories of Subprocessors include (without limitation):
Nutshell does not engage Subprocessors domiciled in or that process Customer Data in North Korea or Iran (see Section 4.4).
To the extent Nutshell processes Personal Data as a “service provider” under the CCPA:
References to “EU GDPR” or “GDPR” in this DPA are deemed to include the Swiss FADP. References to “Member State” are replaced with “Switzerland.” The competent supervisory authority for data flows governed exclusively by Swiss law is the FDPIC.
References to “EU GDPR” or “GDPR” in this DPA are deemed to include the UK GDPR. References to “Member State” are replaced with “United Kingdom” where appropriate.
This DPA is accepted by Customer’s acceptance of the Agreement. No physical or electronic signature is required; however, Customer may request a counter-signed copy by writing to [email protected].
Nutshell, Inc.
By: Andrew Fowler
Title: CEO
Date: May 18, 2026