Open Nav

EU Data Act Addendum

EU Data Act Addendum Infrastructure Jurisdiction and Governmental Access Safeguards

EU Data Act Addendum

1. Scope and Applicability

The following EU Data Act Addendum (“Addendum”) applies solely to requests submitted by a customer with registered seat or business address in the EU or EEA pursuant to Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 concerning harmonized rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (the “Data Act”) in relation to the Services provided by the Nexoya in accordance with the Agreement. This Addendum applies only to Agreements formed or orders placed on or after September 12, 2025.

This Addendum is incorporated by reference into and forms an integral part of the Agreement between Nexoya and the Customer. Nexoya’s website can be found under: https://www.nexoya.com/. If there is a conflict between this Addendum and the Agreement or any other contract terms or documents (including the Subscription Order Confirmation, policies, or annexes), this Addendum will take priority for the topics it covers, unless expressly stated otherwise.

Unless otherwise stated herein, defined terms shall have the meaning given in the Agreement.

2. Initiation of Switching and/or Deletion Process

2.1 Request Process

At any time during the applicable Term of the Agreement, the Customer may notify Nexoya of the intention of (i) switching its Exportable Data to a different third party service provider or to its own on-premise infrastructure (“Switching Request”), or (ii) deleting its Exportable Data from the Services (“Deletion Request”).

“Exportable Data” includes all exportable input and output data, including metadata, (co)generated by or directly or indirectly relating to the Customer’s use of the Services, in commonly used, machine-readable, interoperable formats, such as XML, CSV or JSON, as well as all digital assets (including applications), for which the Customer has the right of use independently from the contractual relationship with Nexoya. Data and assets protected by intellectual property rights or constituting trade secrets of Nexoya or third parties, or data related to the integrity and security of the Services will not be included, provided that such exclusions do not hinder or delay the switching process.

The Switching or Deletion Request must be clearly identified as a request under the Data Act and shall be communicated to Nexoya in written form and no later than 2 months prior to the initiation of the switching or deletion process (“Notice Period”). In case of a Switching Request, the Customer shall provide the necessary details of the destination provider (whether third party or on-premise infrastructure).

2.2 Switching Assistance & Transition Period

If the Customer submits a Switching Request, Nexoya shall provide reasonable assistance to the Customer once the Switching process starts and support the Customer’s Switching Request in accordance with the Data Act by providing Customer with adequate instructions or self-serve application programming interfaces (“Switching Assistance”), so that the Customer can switch within 30 calendar days after the end of the Notice Period (“Transition Period”).

If the Transition Period is technically unfeasible, Nexoya shall notify the Customer within 14 days of the Switching Request (“Extension Notice”), duly justifying the technical unfeasibility and indicate an alternative transition period, which shall not exceed seven months (“Alternative Transition Period”). The Customer shall confirm receipt of the Extension Notice within 7 days.

The Customer also has the right to request an extension of the Transition Period that is reasonably appropriate under the circumstances at the time of the request, which shall not exceed seven months (“Customer Extension Period”). The Customer shall request an extension of the Transition Period no later than 1 month before the Transition Period would end. Nexoya shall use reasonable efforts to comply with such Customer’s request.

Throughout the switching process, including the Transition Period, the Alternative Transition Period or the Customer Extension Period, if applicable, Nexoya will act with due care to maintain business continuity and the agreed level of security continuity. Nexoya may further inform Customer about any known risks to the continuity in the provision of the Services and/or technical limitations as a result of the switching once the Switching Request is submitted.

Nexoya may, at its discretion, charge the Customer reasonable charges in relation to switching as permitted under the Data Act (such as for data storage costs during the Retrieval Period or requested switching assistance). If the Subscription Order Confirmation specifies standard rates for professional services, these shall apply to switching assistance services.

The Customer undertakes to take all reasonable steps and measures to achieve effective switching. For the avoidance of doubt, any migration of Exportable Data to a successor service provider, or to an on-premises infrastructure of the Customer will be performed solely by the Customer and at its own risk and liability.

The Customer shall notify Nexoya once the export of the Exportable Data is completed.

2.3 Exclusions

In accordance with the Data Act, Switching or Deletion Requests will not be accepted for any beta Services or any other Service that has been provided by Nexoya for a limited period of time specifically for testing and evaluation purposes (such as proof-of-concepts or a sandbox). The same applies to Services that have been custom-built or (co-)developed to meet the specific needs of the Customer and are not offered at a broad commercial scale by Nexoya.

2.4 Data Retrieval and Erasure

The Customer will have 30 calendar days after the Transition Period, the Alternative Transition Period or the Customer Extension Period, if applicable, to download its Exportable Data (“Retrieval Period”). Following the Retrieval Period, provided the switching process has been completed successfully, Nexoya will permanently delete all Exportable Data generated by or directly relating to the Customer within a reasonable time period or as otherwise agreed, unless applicable law requires retention. Nexoya may generate, retain, and use anonymized or aggregated metadata derived from the Exportable Data for internal business purposes, including but not limited to service improvement, analytics, and security enhancement. Non-exportable security and audit logs may be retained as required by law or legitimate security needs, subject to the applicable DPA and the Privacy Policy.

2.5 Deletion Request

Upon receipt of a Deletion Request, Nexoya will proceed with the deletion of the Exportable Data within a reasonable time period or as otherwise agreed, and to the extent permitted by applicable law. Non-exportable security and audit logs may be retained as required by law or legitimate security needs, subject to the applicable DPA and the Privacy Policy.

A Deletion Request is irrevocable and binding upon its receipt by Nexoya.

3. Termination

Notwithstanding any other conditions for termination provided in the Agreement, the Agreement will terminate (“Termination Date”):

a) Upon successful completion of the switching process, either upon notification of completion of the export of the Exportable Data in accordance with Section 2, or, in absence of such notification, at the end of the Transition Period (or another later period agreed by the parties); or

b) Two months after Nexoya has received the Deletion Request.

Nexoya shall notify the Customer of the termination of the Agreement as set out above.

It is expressly understood that such termination does not relieve the Customer of its obligation to pay all fees accrued or payable up to the Termination Date. Furthermore, the Customer shall pay an early termination fee equivalent to all fees that would have been due for the remainder of the Term of the relevant Subscription Order Confirmation(s). The Customer shall not be entitled to a refund of any pre-paid fees or a discount for the applicable fees corresponding to Services terminated before the end of the Term.

Customer acknowledges and agrees that:

  • Pricing for Services with annual or multi-year terms is generally lower than for services offered through monthly agreements;
  • Nexoya has relied on the Customer’s fixed duration contract commitments to be able to offer the Services to the Customer for the agreed upon fees and to make investments in developing and improving the Services;
  • the aforementioned early termination fee is a proportionate penalty for the early termination of a fixed duration contract, which proportionately and effectively balances Nexoya’s ability to rely on the Customer’s fixed duration contract commitment so that it can invest in developing and improving the Services and the Customer’s ability to switch data processing providers without commercial or contractual obstacles.

Nexoya will continue to provide the Services in accordance with the Agreement until the Termination Date as described in this Addendum or until the end of the Term of the Agreement, whichever is sooner.

4. Liability

Nexoya shall not be liable for any damages, losses, costs, or expenses arising out of or in connection with the Switching and/or Deletion Request in accordance with this Addendum. This exclusion of liability includes, but is not limited to, any issues related to Exportable Data integrity or loss, system downtime, compatibility issues, or any other disruptions or failures that may occur during or as a result of the Switching and/or Deletion Request. The Customer assumes full responsibility for the successful switching or deletion of its Exportable Data. Nothing in this clause excludes or limits either party’s liability for gross negligence or wilful misconduct.

In the event multiple legal entities may be entitled to use the Services under the Agreement, and such entities other than the Customer could therefore be impacted by the Customer’s Switching and/or Deletion Request (“Impacted Parties”), it is the Customer’s sole responsibility to ensure that the Customer has all rights and permissions concerning the Switching or Deletion Request and the Exportable Data before exercising its rights hereunder. The Customer shall defend, indemnify, and hold Nexoya harmless from and against any claim, demand, suit or proceeding brought against Nexoya by Impacted Parties in connection with a Switching or Deletion Request and from any resulting damages, losses, costs, or expenses (including attorneys’ fees).

5. Data Register

The table below includes a list of all categories of data and digital assets that can be exported during the switching process as well as of all categories of non-exportable data.

Exportable Data & Formats: CSV
Methods of Data Export: API or bulk download
Restrictions / Non-Exportable Data: Internal system logs; metadata for fraud prevention/security; aggregated usage stats; System-level authentication logs; SSO configs from external IdPs

 

Infrastructure Jurisdiction and Governmental Access Safeguards

Server Locations and Jurisdictions

The information and communication technology (ICT) infrastructure used to provide our services is hosted in Microsoft Azure data centers located in Switzerland
(currently the Switzerland North and Switzerland West regions).

The infrastructure and the data stored there are subject to Swiss law and the jurisdiction of Swiss courts. Our services are designed so that customer application data are stored and processed only in these Swiss Azure regions. If in the future specific services require processing in another jurisdiction, we will inform affected customers in advance and ensure appropriate contractual and legal safeguards are in place.

Measures to Prevent International Governmental Access to Non Personal Data

Although our infrastructure is located in Switzerland. we provide services to customers in the EU. For that reason. and in line with Article 28 EU Data Act. we implement technical. organisational and contractual measures to prevent international governmental access to non personal data where such access would create a conflict with applicable Union or Member State law.

Technical measures

  • Data storage (at rest) restricted to clearly defined Swiss Azure regions with controlled access.
  • Encryption in transit and at rest using industry standard protocols.
  • Strong authentication, role based access control and least privilege principles for administrative access.
  • Centralised loggingm monitoring and alerting to identify and investigate unauthorised access.

Organisational measures

  • Internal access policies that restrict production access to specifically authorised personnel bound by confidentiality obligations.
  • Regular security and sovereignty compliance training for relevant employees.
  • Periodic internal reviews and independent audits of security and access controls.

Contractual measures

  • Use of cloud and infrastructure providers that are subject to Swiss law and that commit contractually to confidentiality. security and data sovereignty obligations consistent with EU requirements.
  • Contractual provisions that prohibit disclosures of customer data to non Swiss or non EU authorities where such disclosures would conflict with applicable Union or Member State law.
  • Obligations, where legally permitted, to notify us of any access request from non Swiss or non EU authorities and to challenge such requests if they appear unlawful or extraterritorial.
  • Engagement of subcontractors only under agreements that impose equivalent data protection. security and governmental access safeguards.

These measures are designed to ensure that any access by foreign governmental authorities to non personal data processed in Switzerland for our EU customers is technically restricted and legally controlled in accordance with the EU Data Act.