Data Processing Addendum ("DPA")
Last Updated: July 3, 2025
This DPA supplements any written, click‑wrap, or electronic agreement for subscription to and use of GarageSpace Inc’s services (the “Agreement”) and is incorporated into the Agreement by reference. By executing the Agreement or otherwise using the Services, the entity identified as the customer in the Agreement ("Customer" or "Controller") accepts this DPA.
1. Description of Nex
| Term | Meaning |
| --- | --- |
| Applicable Data Protection Law | All data‑protection and privacy laws and regulations that apply to the Processing of Personal Data under the Agreement, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, and any local implementing laws. |
| Personal Data | Any information relating to an identified or identifiable natural person that Customer (or its end‑users) submits to the Services. |
| Process/Processing | Any operation performed on Personal Data, whether automated or not, such as collection, recording, organisation, storage, alteration, retrieval, disclosure, or deletion. |
| Sub‑processor | Any third party engaged by Processor to Process Personal Data on Processor’s behalf. |
Unless otherwise defined in this DPA, capitalised terms have the meaning set out in the Agreement or Applicable Data Protection Law.
Scope and Duration
Subject Matter. The Processing of Personal Data as necessary to provide, maintain, and improve the Services pursuant to the Agreement.
Duration. This DPA remains in force for as long as Processor Processes Personal Data on behalf of Customer under the Agreement.
Nature and Purpose of Processing
Processor will Process Personal Data solely for: (a) providing, maintaining, and improving the Services; (b) preventing or addressing support, security, or technical issues; (c) as documented by Customer; and (d) complying with Processor’s legal obligations.
Categories of Data Subjects and Data
| Categories of Data Subjects | Categories of Personal Data |
| --- | --- |
| Customer’s employees and contractors (end‑users) | Name, email address, telephone number, job title, usage data, metadata |
| Prospects, leads, or contacts imported by Customer | Contact details (name, email, phone), account notes |
| Any other data subjects whose data Customer Processes via the Services | Any Personal Data uploaded by Customer in the ordinary course of use |
Special Categories of Data. Customer will not upload special categories of data (GDPR Art. 9) or data relating to criminal convictions (Art. 10) unless the Parties agree in writing and implement additional safeguards.
Roles of the Parties
Customer acts as the data controller; Processor acts as the data processor and will Process Personal Data only on Customer’s documented instructions, unless required by law.
Processor Obligations
Instructions. Processor will Process Personal Data only on Customer’s documented instructions. Processor will promptly inform Customer if an instruction infringes Applicable Data Protection Law.
Confidentiality. Processor ensures that persons authorised to Process Personal Data are bound by confidentiality obligations.
Security Measures. Processor implements and maintains the technical and organisational measures described in Annex II.
Sub‑processing. Processor may engage Sub‑processors listed in Annex I and will impose data‑protection obligations equivalent to this DPA on each Sub‑processor. Processor remains liable for Sub‑processors’ performance.
Assistance. Taking into account the nature of the Processing, Processor will assist Customer in responding to data‑subject requests, data‑protection impact assessments, and consultations with supervisory authorities.
Data Breach Notification. Processor will notify Customer without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data Breach.
International Transfers. If Processor transfers Personal Data outside the EEA/UK to a country not subject to an adequacy decision, Processor will rely on a valid transfer mechanism, such as the EU Standard Contractual Clauses (Module 2) and the UK Addendum.
Audit Rights. Upon 30 days’ written notice (no more than once annually), Customer may conduct audits or inspections, subject to reasonable confidentiality and security constraints.
Return or Deletion. Within 30 days of termination of the Agreement, Processor will, at Customer’s choice, delete or return all Personal Data, unless retention is required by law.
Customer Obligations
Customer shall (a) have all necessary rights to provide Personal Data to Processor; (b) make appropriate disclosures and obtain relevant consents from data subjects; and (c) maintain adequate security of its own systems.
Liability
The limitation‑of‑liability provisions in the Agreement apply to this DPA. Nothing in this DPA limits the rights of data subjects under Applicable Data Protection Law.
Governing Law and Jurisdiction
This DPA is governed by the same law and jurisdiction as the Agreement unless otherwise required by Applicable Data Protection Law.
Annex I – Sub‑processors
| Sub‑processor | Address | Description of Service | Primary Processing Location |
| --- | --- | --- | --- |
| Amazon Web Services, Inc. | 410 Terry Ave North, Seattle, WA 98109, USA | Cloud hosting (AWS us‑east‑1, eu‑central‑1) | USA / Germany |
| Google LLC | 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | Cloud infrastructure, AI inference (Google Cloud Platform, Gemini) | USA / EU |
| OpenAI, L.L.C. | 3180 18th Street, San Francisco, CA 94110, USA | Cloud hosting (AWS us‑east‑1, eu‑central‑1) | USA / Germany |
| Anthropic PBC | 548 Market St PMB 89018, San Francisco, CA 94104, USA | AI model inference & analytics | USA |
| The Companies API SAS | 8 Place Général Mellinet, 44100 Nantes, France | Company data enrichment API | France |
| Enrich.so FZ‑LLC | 6th Floor, Meydan Hotel, Meydan, Dubai, United Arab Emirates | Data enrichment & intelligence | United Arab Emirates |
Processor will notify Customer of any intended changes to Sub‑processors and give Customer an opportunity to object in accordance with Applicable Data Protection Law.
Annex II – Technical and Organisational Measures
Processor maintains at minimum the following safeguards:
Access Control. Unique user IDs, strong password policies, MFA for privileged accounts, role‑based access.
Encryption. TLS 1.2+ in transit; AES‑256 at rest for databases and object storage.
Network Security. Firewalls, VPC isolation, intrusion detection, and least‑privilege security groups.
Security Monitoring. 24/7 log aggregation, alerting, and anomaly detection.
Change Management. Formal change‑control procedures and peer code reviews.
Business Continuity & DR. Daily encrypted backups; disaster‑recovery environment in a separate AWS region; RPO ≤ 24 hours; RTO ≤ 8 hours.
Incident Response. Documented incident‑response plan with designated response team and root‑cause analysis.
Personnel Security. Background checks, security‑awareness training, termination off‑boarding procedures.
Physical Security. Data centres certified under ISO 27001 and SOC 2 Type II.
Penetration Testing. Annual third‑party penetration tests and remediation tracking.
Acceptance of this DPA
This DPA becomes legally binding on the Customer and forms part of the Agreement on the earliest of the following events:
Execution or electronic acceptance of the Agreement (including click‑wrap acceptance) that references and links to this DPA; or
First access to or use of the Services by the Customer after the “Last Updated” date above.
No further signature or acknowledgment is required. If the Customer needs a countersigned copy for its records, it may email compliance@nex.ai with its request, and the Provider will promptly return an executed PDF.
End of DPA