Nooks Online Data Processing Addendum

Last Modified: May 1, 2026

This Data Processing Addendum (this “Addendum”) forms part of, and is incorporated into, the online terms of service, Master Services Agreement, Order Form, or other written or electronic agreement governing the provision of Services by Nooks Communications, Inc. to the customer identified in the applicable Order Form or Agreement (“Customer” or “Controller”) (the “Agreement”). “Customer” means the entity that enters into the applicable Order Form or Agreement with Nooks. This Addendum is entered into by and between Customer and Nooks Communications, Inc., a Delaware corporation with offices at 350 Bush Street, 8th Floor, San Francisco, CA 94104 (“Nooks” or “Processor”), without the need for a separate signature to this Addendum. Controller and Processor are each a “Party” and together the “Parties.”

This Addendum applies only to the extent that Processor Processes Customer Personal Data on behalf of Controller in connection with Customer’s access to and use of the Services under the Agreement.

1. Definitions

1.1 “Adequacy Decision,” “Controller,” “Data Subject,” “Personal Data Breach,” “Process” or “Processing,” “Processor,” “Sub-Processor,” and “Supervisory Authority” have the meanings given to them under applicable Data Protection Laws.

1.2 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party, where “control” means ownership or control of more than fifty percent (50%) of the voting interests of the subject entity.

1.3 “Aggregated Data” has the meaning given to it in the Agreement.

1.4 “Agreement” has the meaning set forth in the preamble to this Addendum and includes the applicable online terms, Order Form, Master Services Agreement, or other written or electronic agreement between Customer and Nooks governing the Services.

1.5 “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act, and its implementing regulations.

1.6 “Customer Personal Data” means Personal Data Processed by Processor on behalf of Controller in connection with the Services, as further described in Annex 1.

1.7 “Data Protection Laws” means all applicable privacy, data protection, and data security laws, rules, and regulations applicable to the Processing of Customer Personal Data under the Agreement and this Addendum, as amended, replaced, or superseded from time to time, including, where applicable, the GDPR, UK GDPR, the Swiss Federal Act on Data Protection, the CCPA, and other applicable U.S. state privacy laws.

1.8 “Data Subject Request” means any request from a Data Subject to exercise rights under applicable Data Protection Laws, including rights of access, correction, deletion, restriction, objection, portability, or withdrawal of consent, as applicable.

1.9 “GDPR” means Regulation (EU) 2016/679.

1.10 “Sensitive Personal Data” means any Personal Data subject to heightened protection under applicable Data Protection Laws, including special categories of personal data under Article 9 of the GDPR and sensitive personal information under the CCPA.

1.11 “Services” means the services provided by Processor to Controller under the Agreement.

1.12 “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by European Commission Implementing Decision (EU) 2021/914, as may be amended, replaced, or superseded from time to time.

1.13 “UK Addendum” means the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for international data transfers issued by the UK Information Commissioner’s Office, as may be amended, replaced, or superseded from time to time.

1.14 “UK GDPR” means the GDPR as retained in UK law by the European Union (Withdrawal) Act 2018, as amended.

2. Roles of the Parties

2.1 The Parties acknowledge and agree that, with respect to the Processing of Customer Personal Data, Controller is the Controller or Business, as applicable, and Nooks is the Processor or Service Provider, as applicable.

2.2 If Controller acts as a Processor on behalf of a third-party controller, Controller represents and warrants that its instructions to Processor, including its appointment of Processor as another processor, have been authorized by the relevant controller.

3. Processing of Customer Personal Data

3.1 Processor shall Process Customer Personal Data only on documented instructions from Controller, including as set forth in the Agreement, this Addendum, and Controller’s use and configuration of the Services, unless otherwise required by applicable law. In such event, Processor shall inform Controller of that legal requirement before Processing, unless applicable law prohibits such notice on important grounds of public interest.

3.2 Processor shall Process Customer Personal Data only for the limited and specific purposes necessary to provide the Services, to perform its obligations and exercise its rights under the Agreement and this Addendum, and as otherwise permitted by applicable Data Protection Laws.

3.3 To the extent Processor Processes Personal Information subject to the CCPA, Processor agrees that it shall: (a) Process such Personal Information only for the business purposes and limited purposes described in the Agreement and this Addendum; (b) not sell or share such Personal Information (as defined under the CCPA); (c) not retain, use, or disclose such Personal Information for any purpose other than the business purposes and limited purposes described in the Agreement and this Addendum, except as otherwise permitted by the CCPA; (d) not retain, use, or disclose such Personal Information outside of the direct business relationship between Controller and Processor; and (e) not combine Personal Information received from or on behalf of Controller with Personal Information received from or on behalf of another person, or collected from Processor’s own interaction with a consumer, except as permitted by the CCPA.

3.4 To the extent permitted by the CCPA and other applicable Data Protection Laws, Processor may Process Personal Information solely for the limited and specific business purposes necessary to perform the Services, to carry out the rights and obligations expressly set out in the Agreement and this Addendum, and for such other purposes expressly permitted for a service provider or processor under applicable Data Protection Laws.

3.5 Processor certifies that it understands the restrictions in Section 3.3 and will comply with them.

3.6 Processor shall not use Customer Personal Data to train third-party generative artificial intelligence models. Processor is authorized to create and use Aggregated Data in accordance with the Agreement. Aggregated Data is not Customer Personal Data for purposes of this Addendum.

3.7 Controller shall not submit Sensitive Personal Data to the Services without Processor’s prior written consent.

3.8 If Processor receives a Data Subject Request relating to Customer Personal Data, Processor shall promptly notify Controller and shall not respond to the request except on Controller’s documented instructions or as required by applicable law.

3.9 If Processor believes that an instruction from Controller infringes applicable Data Protection Laws, Processor shall promptly inform Controller.

4. Confidentiality and Personnel

4.1 Processor shall ensure that all personnel authorized to Process Customer Personal Data are subject to a contractual, professional, or statutory duty of confidentiality.

4.2 Processor shall ensure that access to Customer Personal Data is limited to personnel who require such access to perform the Agreement and this Addendum.

5. Security Measures

5.1 Processor shall implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

5.2 The technical and organizational measures implemented by Processor are described in Annex 2.

5.3 Processor shall regularly review and, where appropriate, update its technical and organizational measures.

6. Personal Data Breach Notification

6.1 Processor shall notify Controller without undue delay, and in any event no later than seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Customer Personal Data.

6.2 Such notification shall include, to the extent available: (a) a description of the nature of the Personal Data Breach; (b) the name and contact details of a contact point from which more information can be obtained; and (c) the measures taken or proposed to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

6.3 Processor shall promptly provide Controller with such further information and assistance as Controller may reasonably require in connection with a Personal Data Breach.

7. Authorized Sub-Processors

7.1 Controller provides a general written authorization for Processor to engage Sub-Processors.

7.2 A current list of Sub-Processors engaged by Processor is maintained at www.nooks.ai/subprocessors or such successor website designated by Processor from time to time (the “Sub-Processor List”).

7.3 Processor shall notify Controller of any addition or replacement of Sub-Processors by: (a) posting such changes to the Sub-Processor List; and (b) sending an email notification to those individuals who have opted in to receive such updates through Processor’s designated notification form located at www.nooks.ai/privacy-notifications or such successor website designated by Processor from time to time.

7.4 Controller may object to a change on documented, reasonable grounds relating to a Sub-Processor’s inability to comply with applicable Data Protection Laws or the data protection obligations in this Addendum. Such objection must be made in writing within fourteen (14) days after the update is posted or, if the relevant individual has subscribed, the notification is sent.

7.5 If Controller objects on such grounds, the Parties shall work in good faith for a period of thirty (30) days to find an appropriate workaround or to provide additional evidence of the Sub-Processor’s compliance.

7.6 If no resolution is reached, Processor may, at its option, either: (a) refrain from using the Sub-Processor for Controller’s Customer Personal Data; or (b) permit Controller to terminate the affected Service as its sole and exclusive remedy.

8. Sub-Processor Obligations

8.1 Processor will enter into a written agreement with each Sub-Processor containing data protection obligations that are no less protective than those in this Addendum.

8.2 Such obligations shall include implementing appropriate technical and organizational security measures to ensure a level of security appropriate to the risk.

8.3 Processor will remain fully liable to Controller for the performance of the Sub-Processor’s data protection obligations to the extent required by applicable Data Protection Laws.

9. Assistance with Data Subject Rights, DPIAs, and Legal Requests

9.1 Taking into account the nature of the Processing, Processor shall provide reasonable assistance to Controller, through appropriate technical and organizational measures, insofar as possible, for the fulfilment of Controller’s obligation to respond to Data Subject Requests under applicable Data Protection Laws.

9.2 Taking into account the nature of the Processing and the information available to Processor, Processor shall provide reasonable assistance to Controller with Data Protection Impact Assessments (“DPIAs”), prior consultations with Supervisory Authorities, and similar regulatory assessments where required by applicable Data Protection Laws.

9.3 Unless prohibited by applicable law, Processor shall promptly notify Controller if Processor receives a legally binding request from a government authority or law enforcement agency for disclosure of Customer Personal Data before making any such disclosure.

10. Audit and Demonstration of Compliance

10.1 Processor shall make available to Controller, upon reasonable written request, all information reasonably necessary to demonstrate Processor’s compliance with this Addendum.

10.2 Subject to reasonable confidentiality obligations and appropriate safeguards, and only to the extent that Processor’s then-current audit documentation (including ISO 27001:2022 certification and SOC 2 Type II reports) does not reasonably satisfy Controller’s audit requirements, Processor shall allow for and contribute to reasonable audits and inspections by Controller or an independent auditor mandated by Controller, provided that: (a) Controller provides at least thirty (30) days’ prior written notice; (b) audits occur no more than once per calendar year, unless required by a competent authority or following a confirmed Personal Data Breach; (c) audits are conducted during normal business hours, in a manner that minimizes disruption to Processor’s business; and (d) Controller bears its own audit costs and reimburses Processor for reasonable costs incurred in connection with the audit, except where the audit reveals a material breach of this Addendum by Processor.

11. Return and Deletion of Customer Personal Data

11.1 Upon termination or expiration of the Agreement or this Addendum, Processor shall, at Controller’s written request, delete or return all Customer Personal Data to Controller promptly following termination, unless applicable law requires Processor to retain some or all of the Customer Personal Data. For the avoidance of doubt, the obligations in this Section 11 do not apply to Aggregated Data, which Processor may continue to retain and use in accordance with the Agreement.

11.2 Where Processor is required by applicable law to retain Customer Personal Data, Processor shall continue to protect such Customer Personal Data in accordance with this Addendum and shall not Process such Customer Personal Data for any purpose other than compliance with the applicable legal obligation.

12. International Data Transfers

12.1 Processor is certified under the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) as administered by the U.S. Department of Commerce. To the extent that Processor Processes Customer Personal Data from the EEA, the United Kingdom, or Switzerland in reliance on its DPF certification, Processor commits to handle such data in accordance with the applicable DPF Principles. To the extent that Processor Processes Customer Personal Data originating from the EEA, Switzerland, or the United Kingdom in a country that has not been recognized by the European Commission as providing an adequate level of protection for Personal Data, and to which the EU-U.S. DPF does not apply, Processor shall implement the alternative transfer mechanisms set out in the remainder of this Section 12.

12.2 For transfers of Personal Data subject to the GDPR from the EEA to a country outside the EEA that is not subject to an Adequacy Decision, the European Commission Standard Contractual Clauses (“SCCs”) are hereby incorporated by reference and shall apply as follows: (a) Module Two (Controller to Processor) shall apply; (b) the optional docking clause in Clause 7 shall apply; (c) in Clause 9, Option 2 shall apply, and the time period for prior notice of Sub-Processor changes shall be fourteen (14) days; (d) in Clause 11, the optional language shall not apply; (e) in Clause 17, Option 1 shall apply and the SCCs shall be governed by the laws of Ireland; (f) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (g) Annex I to the SCCs shall be deemed completed with the information set out in Annex 1 to this Addendum; and (h) Annex II to the SCCs shall be deemed completed with the information set out in Annex 2 to this Addendum.

12.3 For transfers of Personal Data subject to the UK GDPR from the UK to a country outside the UK that is not subject to an adequacy regulation under the UK GDPR, the SCCs as modified by the UK Addendum are hereby incorporated by reference. The relevant tables and appendices of the UK Addendum shall be deemed completed using the information set out in Annex 1 and Annex 2 to this Addendum.

12.4 For transfers of Personal Data subject to the Swiss Federal Act on Data Protection from Switzerland to a country outside Switzerland that is not subject to an Adequacy Decision, the SCCs shall apply with the following modifications: (a) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss Federal Act on Data Protection; (b) references to “EU,” “Union,” and “Member State” shall be interpreted to include Switzerland; (c) the competent Supervisory Authority shall be the Swiss Federal Data Protection and Information Commissioner; and (d) references to the courts and governing law shall be interpreted to permit data subjects in Switzerland to enforce their rights in Switzerland as required by Swiss law.

13. Term and Termination

13.1 This Addendum shall remain in effect for so long as Processor Processes Customer Personal Data on behalf of Controller under the Agreement.

13.2 Any obligations under this Addendum that by their nature are intended to survive termination or expiration shall survive, including obligations relating to confidentiality, return or deletion of Customer Personal Data, liability, international transfers, and audit rights.

14. Liability and Indemnification

14.1 Each Party shall be liable for damages caused by its breach of this Addendum to the extent provided by applicable law and the Agreement.

14.2 Any claims, liabilities, damages, losses, costs, expenses, or indemnification obligations arising under or in connection with this Addendum shall be subject to the limitations and exclusions of liability set forth in the Agreement, except to the extent prohibited by applicable Data Protection Laws or the Standard Contractual Clauses.

15. General Provisions

15.1 In the event of any conflict between this Addendum and the Agreement with respect to the subject matter of this Addendum, this Addendum shall prevail.

15.2 If any provision of this Addendum is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid or unenforceable provision shall be replaced with a valid provision that most closely reflects the Parties’ original intent.

15.3 Nooks may update this Addendum from time to time by posting an updated version on its website or trust center; provided that no update will materially reduce the level of protection for Customer Personal Data during the then-current subscription term unless required to comply with applicable Data Protection Laws. The version of this Addendum in effect as of the effective date of the applicable Order Form or Agreement will apply to that Order Form or Agreement, unless the Parties agree otherwise or the updated version is required by applicable Data Protection Laws. Updates to the Sub-Processor List may be made in accordance with Section 7.

15.4 This Addendum is effective without a separate signature when incorporated into the Agreement. If this Addendum is separately executed, it may be executed in counterparts, each of which shall be deemed an original, and all of which together shall constitute one instrument.

15.5 This Addendum shall be governed by the governing law and jurisdiction provisions set forth in the Agreement, except to the extent otherwise required by the SCCs or UK Addendum with respect to international data transfers.

This Addendum is effective as of the effective date of the Agreement or the date Customer first accesses or uses the Services, whichever is earlier.

ANNEX 1: DESCRIPTION OF PROCESSING

A. List of Parties

Data Exporter:

The Customer identified in the Agreement.

Role:

Controller, or Processor where applicable.

Stored Data Location:

United States

Activities relevant to the transfer:

Receipt and use of the Services as described in the Agreement.

Data Importer:

Nooks Communications, Inc., 350 Bush Street, 8th Floor, San Francisco, CA 94104

Role:

Processor

Activities relevant to the transfer:

Provision of the Services as described in the Agreement.

B. Description of Processing

Categories of Data Subjects:

Customer’s authorized users; Customer’s employees, contractors, and agents; Customer’s prospects, leads, business contacts, and communication recipients.

Categories of Personal Data:

Contact and identification data, including name, email address, phone number, job title, and company; authentication and account data, including user email address and login information; CRM and sales engagement data, including contact, account, sequence, task, and engagement information; communication data, including call recordings, call transcripts, email content, email metadata, and attachments; product usage data; and technical data such as IP address, browser information, and session data.

Sensitive Personal Data:

No Sensitive Personal Data is intended to be transferred unless expressly authorized in writing by Processor.

Frequency of the Processing:

Continuous.

Nature and Purpose of the Processing:

To provide the Services as described in the Agreement.

Retention Period:

For the term of the Agreement and thereafter in accordance with Section 11 of this Addendum.

For transfers to Sub-Processors, the subject matter, nature, and duration of the Processing are as necessary for the Sub-Processor to perform the applicable outsourced services on behalf of Processor in connection with the Services.

C. Competent Supervisory Authority

For GDPR transfers, the competent Supervisory Authority shall be determined in accordance with Clause 13 of the SCCs. Where Customer is established in an EU Member State, the Supervisory Authority of that Member State shall act as the competent Supervisory Authority. Where Customer is not established in the EU but falls within Article 3(2) of the GDPR and has appointed an EU representative under Article 27, the Supervisory Authority of the Member State in which such representative is established shall act as the competent Supervisory Authority. For UK transfers, the UK Information Commissioner’s Office shall be the competent Supervisory Authority. For Swiss transfers, the Swiss Federal Data Protection and Information Commissioner shall be the competent Supervisory Authority.

ANNEX 2: TECHNICAL AND ORGANIZATIONAL MEASURES

Processor shall implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data, including measures addressing the following, as appropriate to the Services and risk profile:

  • Relevant employees and contractors are to be trained in relation to specific technical and organizational security measures;
  • Personal Data is to be stored on secured servers behind a firewall or equivalent;
  • Servers are to be monitored by industry standard network monitoring tools to prevent any potential security breaches;
  • Corporate systems and databases are to be password protected;
  • VPN and direct network access are to be limited to company-issued devices rolled out no later than Q2 2026;
  • Single Sign-on or multi-factor authentication is required for all access to production systems;
  • Segregation and limitation of employee access permissions;
  • Active and automated monitoring of critical access logs and anomaly detection;
  • Pseudonymization and encryption methods when applicable;
  • All data is encrypted in transit with TLS 1.2 or higher, and at rest with AES-256 or equivalent;
  • All access is logged and regularly reviewed;
  • Controls are regularly audited and aligned with SOC 2 and ISO 27001 compliance programs;
  • System(s) to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  • Process(es) for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing; and
  • Information Security Policies and Procedures are maintained and reviewed at least annually.

ANNEX 3: SUB-PROCESSOR LIST

A current list of Sub-Processors engaged by Processor in connection with the Services is maintained at: www.nooks.ai/subprocessors or such successor website designated by Processor from time to time.

For each Sub-Processor, the Sub-Processor List shall identify, as applicable:

  • the Sub-Processor’s name;
  • the location where Customer Personal Data is stored or processed;
  • a description of the outsourced services;
  • the categories of Customer Personal Data involved; and
  • the categories of Data Subjects affected.

Last reviewed May 1, 2026.