Data Processing Agreement

Last Updated: June 18, 2026

(GDPR & U.S. Consumer Privacy)

This DATA PROCESSING AGREEMENT (this “DPA”) is entered into by and between PerkCity, Inc., a Delaware corporation d/b/a Nectar HR (together with its affiliates, “Nectar HR”), whose principal address is 1300 W Traverse Parkway, Suite 300, Lehi, Utah 84043, USA, and the client named in our online or separately delivered order form (the “Client”), whose principal address is described therein.

Recitals

  1. Nectar HR provides to Client certain software-as-a-service and professional services (collectively, the “Services”) pursuant to that Master Services Agreement between Nectar HR and Client (the “Services Agreement”)—from which this DPA is linked. In connection with the Services, the parties anticipate that Nectar HR may process outside of the European Economic Area (“EEA”), the United Kingdom, and Switzerland certain Personal Data in respect of which the Client or its personnel may be a data controller under applicable Data Protection Laws.
  2. The parties also anticipate that Nectar HR may receive, maintain, use, or disclose Personal Data on behalf of Client in circumstances or with respect to Personal Data that is subject to the CCPA (as amended by CPRA) and other U.S. Data Protection Laws, and in these circumstances the parties desire that Nectar HR shall be a service provider of Client according to the CCPA (as amended by CPRA) and the terms below.
  3. In connection with the Services, the parties to this DPA desire to accept and execute this instrument to ensure that adequate safeguards are put in place with respect to the protection of Personal Data, as required by applicable Data Protection Laws.

Agreement

NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which are acknowledged by Nectar HR and Client, and in light of the recitals above, the parties agree as follows:

1. Definitions.

  1. Adequate Country” means a country or territory that is recognized under Data Protection Laws as providing adequate protection for Personal Data in connection with transfers thereof.
  2. CCPA” means the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), the CCPA Regulations (Cal. Code Regs. tit. 11, §§7000 to 7304), and any related regulations or guidance provided by the California Attorney General or the California Privacy Protection Agency.
  3. CPRA” means the California Privacy Rights Act of 2020, including any final regulations implementing the provisions of such Act.
  4. Contracted Business Purpose” means the Services and any other purpose specifically identified in written instructions by Client with respect to the Personal Data or the parties’ transaction under the Services Agreement (including by means of opt-in instructions executed by an administrator of Client).
  5. Data Protection Laws” means (i) all laws and regulations of the European Union, the EEA, their member states, and the United Kingdom and Switzerland applicable to the processing of Personal Data under the Services Agreement, including (where applicable) the GDPR and the UK GDPR and (ii) all applicable U.S. federal and state privacy or data protection and consumer privacy laws, including the CCPA (as amended by CPRA).
  6. GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data), and all regulations and commission opinions issued thereunder.
  7. Personal Data” means all data and personal information that (i) is defined as “personal data” or “personal information” under applicable Data Protection laws (including GDPR and CCPA/CPRA) and (ii) is provided by Client to Nectar HR (directly or indirectly through employee users of the Services and personnel) for processing, use, or storage as a part of Nectar’s provision of the Services to Client.
  8. Regulator” means any supervisory authority with power and authority under Data Protection Laws over all or any part of the provision or receipt of the Services or the processing of Personal Data.
  9. Security Incident” means an accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, or access to, Personal Data.
  10. Standard Contractual Clauses” means the modernized standard contractual clauses for data transfers between EEA and non-EEA countries as approved by the European Commission, as amended or updated from time to time, including amendments adopted on June 4, 2021 (available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj).
  11. Subcontractor” means any third party provider, supplier, or authorized person engaged by Nectar HR to process any Personal Data relating to this DPA or the Services Agreement.
  12. UK GDPR” means the GDPR as adopted into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018.
  13. The terms “controller”, “processor”, “processing”, “data subject”, “data importer”, and “data exporter” have the meanings given those terms in applicable Data Protection Laws (including GDPR and the UK GDPR). The terms “service provider”, “commercial purpose”, and “sell”, and any other terms defined in CCPA (including the CPRA), carry the same meaning in this DPA when used by the parties.

2. Services Agreement.

The parties acknowledge that this DPA supplements and is incorporated into the Services Agreement, and in the event of any conflict between the terms of this DPA and the terms of the Services Agreement with respect to processing of Personal Data, the terms of this DPA shall prevail and control. The parties further acknowledge and agree that this online, linked DPA is provided to Client as a convenience and only to the extent necessary to comply with applicable Data Protection Laws.

3. Obligations of Nectar HR (as processor and service provider).

Nectar HR hereby agrees to process Personal Data under the Services Agreement only as a processor and service provider acting on behalf of Client or Client’s employee users and personnel, in either respect such person(s) or entities being the controller of the Personal Data for purposes of GDPR or covered business for purposes of CCPA and CPRA.

  1. Written Instructions. Nectar HR will only process Personal Data under the Services Agreement pursuant to the written instructions of Client, as set forth and described on the attached Schedule I. Consistent with the instructions, Nectar HR agrees to process Personal Data only for the purpose of providing the Services to Client (or its employee users or personnel), unless Nectar HR is required to process the Personal Data for other lawful purposes set out under the Data Protection Laws. If such a requirement is placed on Nectar HR, it will deliver prior notice to Client detailing the requirement and additional purposes, unless the relevant Data Protection Law prohibits giving the notice. Nectar HR agrees to notify Client if Nectar HR has knowledge that an instruction relating to the processing hereunder could, or does, infringe on applicable Data Protection Laws.
  2. Agreement not to Sell; Limitation on Scope of Processing. Nectar HR will not directly or indirectly sell any Personal Data, or retain, use, or disclose any Personal Data for any reason other than for the purposes of performing the Contracted Business Purpose and providing the Services to Client. Nectar HR will limit Personal Data collection, use, retention, and disclosure to activities reasonably necessary and proportionate to achieve the Contracted Business Purposes and Services or another compatible operational purpose. Nectar HR certifies that it understands this DPA’s and all applicable Data Protection Laws’ restrictions and prohibitions on selling Personal Data and retaining, using, or disclosing Personal Data outside of the parties’ direct business relationship, and it will comply with them.
  3. Confidentiality. Nectar HR acknowledges that all Personal Data it may receive from Client (including from its employees and consultants) or otherwise acquire by virtue of the performance of Services shall be regarded by Nectar HR as strictly confidential and held by Nectar HR in confidence. Nectar HR’s personnel and Subcontractors authorized to process Personal Data will treat all Personal Data as strictly confidential. Consistent with industry practices, Nectar HR will ensure that its personnel and Subcontractors who are authorized to process the Personal Data are subject to appropriate confidentiality obligations.
  4. Ability to Perform. Nectar HR agrees to promptly notify Client, or the appropriate employee or personnel, if Nectar HR determines that it cannot comply with its obligations under this DPA. If such a scenario should occur, Nectar HR will work with Client and take all reasonable and appropriate steps to stop and remediate (if possible) any processing, including processing performed by Subcontractors, until such time as the processing complies with the requirements of this DPA.
  5. Data Subject and Regulator Requests. In light of Nectar HR’s capacity as the processor and service provider hereunder, if Nectar HR receives a request from a data subject made under Data Protection Laws (including, without limitation, GDPR or CCPA/CPRA) and determines that Nectar HR is not the controller or covered business and that the controller or covered business is the Client, Nectar HR will refer the data subject to Client as the party to whom the request should be made. Nectar HR further agrees to provide reasonable assistance to Client to address any communications and advice or orders from any Regulator relating to the Personal Data.
  6. Security Reports. Nectar HR agrees to maintain records in accordance with reasonable industry standards and shall provide Client with copies of its relevant systems management and records on Client’s written request.
  7. Additional Obligations. Nectar HR will provide reasonable assistance to the Client, including its employee users and personnel, in complying with it or their obligations under Articles 32 through 36 of GDPR (which, in short, address obligations with regard to security, breach notifications, data protection impact assessments, and prior consultation). Nectar HR further agrees to promptly comply with any Client request or instruction requiring Nectar HR to provide, amend, transfer, or delete the Personal Data received hereunder, or to stop, mitigate, or remedy any unauthorized processing (which unauthorized processing Client will describe in reasonable detail in the request or instruction to Nectar HR).

4. Obligations of Client (as controller and the covered business).

  1. Instructions. Client agrees and acknowledges that this DPA and the Services Agreement are Client’s complete and final instructions to Nectar HR for the processing of Personal Data, delivered by Client as the controller of the Personal Data or covered business (as applicable). Any additional or alternate instructions must be agreed upon mutually by the parties in writing (pursuant to Section 11(c) hereof), unless such instructions are required by law. Client represents and warrants that the instructions it provides to Nectar HR pursuant to this DPA comply with applicable Data Protection Laws.
  2. Data Subject and Supervisory Authority Requests. Client agrees that it is, and will remain, responsible for communications and leading any efforts to comply with all requests made by data subjects under Data Protection Laws and all communications from any Regulator(s) that relate to the Personal Data, in accordance with Data Protection Laws.
  3. Notice, Consent, and Other Authorizations. Client is responsible for the accuracy, quality, and legality of Personal Data and the means by which Client acquired the Personal Data that it provides to Nectar HR for processing under the Services Agreement and this DPA. Client is responsible for providing any notice to the Data Subjects and for obtaining and demonstrating evidence that it has obtained any necessary consents, authorizations, permissions, or another lawful basis from the Data Subjects in a valid manner for Nectar HR to perform the Services. Client will provide Nectar HR with such evidence of this as Nectar HR may reasonably request if Nectar HR needs this information to comply with Data Protection Laws or the request of any Regulator.

5. Security Measures.

Nectar HR has, or will implement and maintain, all reasonable and appropriate technical and organizational security measures to meet the requirements of the Data Protection Laws, and in particular, to protect against the occurrence of Security Incidents. Such security measures shall take into account industry standards, the costs of implementation, and the purposes of the processing, as well as the risk of a Security Incident and potential impact on the rights and freedoms of natural persons. Nectar HR exercises reasonable efforts to implement the security measures identified in Schedule III hereto.

6. Incidents and Notification.

If the Personal Data is subject to a Security Incident, Nectar HR will promptly (but no later than 48 hours after becoming aware of the incident if required by applicable law) provide written notification to Client of the Security Incident. The written notification will contain information such as (a) a description of the Security Incident; (b) the type of Personal Data involved; (c) the identity of each impacted data subject (and approximate estimation of the number of data subjects); (d) a description of the potential consequences; and (e) information concerning the measures taken by Nectar HR to address the Security Incident. Further, in the event of a Security Incident, Nectar HR agrees to provide timely information and cooperation as Client may require to satisfy its breach reporting requirements under Data Protection Laws and take such reasonable measures and actions to mitigate the effects of the Security Incident.

7. Assessments, and Audits.

Nectar HR agrees to reasonably cooperate with Client (including its employee users and personnel) to:

  1. assist Client in carrying out any privacy impact assessment of the Services as is reasonable in light of the Personal Data that is being processed and as may be required under Data Protection Laws, provided that Client gives fifteen (15) days prior written notice to Nectar HR of the impact assessment; and
  2. on written request from Client, make available to Client information as is reasonably necessary to demonstrate Nectar HR’s compliance with applicable Data Protection Laws and permit Client or its agents to audit the records to the extent reasonably necessary to confirm such compliance.

8. Cross-border Transfers.

Consistent with the terms of this DPA, Nectar HR will at all times provide an adequate level of protection for the Personal Data, wherever processed, in accordance with the requirements of applicable Data Protection Laws. To the extent that transfers of Personal Data occur under this DPA in connection with the Services, and such transfers are not to an Adequate Country, the parties agree that such transfers shall be subject to the Standard Contractual Clauses, conditioned on Nectar HR complying with (and requiring any Subcontractor to comply with) the Standard Contractual Clauses, which are incorporated by reference and form as an integral part of this DPA (see Schedule II attached hereto). For the purposes of the descriptions in the Standard Contractual Clauses and only as between Nectar HR and Client, Nectar HR agrees that it is a “data importer” and Client is the “data exporter” under the Standard Contractual Clauses. The parties acknowledge and agree that, given the types and categories of Personal Data processed by Nectar HR, any Transfer Impact Assessment (TIA) will only be undertaken by Nectar HR if, after a case-specific analysis of Client, Nectar HR determines such TIA is reasonable and appropriate in accordance with applicable Data Protection Laws.

9. Sub-processing and Subcontractors.

Nectar HR will not subcontract any processing of Personal Data to a Subcontractor without the prior written consent or general authorization of Client, which may be documented through the approval of an administrator on Client’s account for the Services (or their failure to respond to a notice from Nectar HR in accordance with this Section). However, Client hereby expressly consents to Nectar HR appointing and engaging with Subcontractors to process Personal Data as follows:

  1. Nectar HR provides an administrator of Client, who may be designated on the Services platform or application, with a list of all Subcontractors engaged to process Personal Data on Nectar HR’s behalf, an updated list of which is provided at https://nectarhr.com/sub-processor, promptly delivering to Client a current copy of, or link to, the Subcontractor list in the event the Subcontractors therein named are updated with additional Subcontractor parties;
  2. Nectar HR provides at least thirty (30) days’ prior notice to an administrator of Client of the engagement or appointment of any new Subcontractor who will process or receive any Personal Data of Client in relation to the Services;
  3. Nectar HR requires that the Subcontractor it engages agree to the same (or substantially similar) data protection terms set out in this DPA; and
  4. Nectar HR remains liable for any breach of this DPA or the Services Agreement that is caused by an act or omission of the Subcontractor (subject only to the limitations on liability set forth in the Services Agreement).

10. Return or Destruction of Data.

On Client’s written request, including for any request delivered after termination of this DPA or the Services Agreement, Nectar HR will destroy or return to Client, at its election, all Personal Data in its possession or control; provided, however, this Section shall not apply to the extent that Nectar HR is required by any applicable Data Protection Law or other law to retain some or all of the Personal Data. In such an event, Nectar HR will isolate and protect the Personal Data from any further processing except to the extent required by the law.

11. General Terms.

  1. Indemnity. Any claims brought under this DPA will be subject to the same terms and conditions, including the exclusions, indemnities, and limitations of liability, as are set out in the Services Agreement. For avoidance of doubt, any such limitation of liability applied from the Services Agreement shall apply in the aggregate to all Nectar HR entities or affiliates taken together, even if such entities are not referred to specifically in the Services Agreement or this DPA.
  2. Governing Law. Without prejudice to the Standard Contractual Clauses, this DPA and any action related thereto shall be governed by and construed in accordance with the governing law, personal jurisdiction, and venue provisions set forth in the Services Agreement.
  3. Amendment. Except for updates to the list of authorized Subcontractors made in accordance with Section 9 above, this DPA may not be modified except by a written consent or amendment signed by both parties hereto.
  4. Counterparts. This DPA may be executed in any number of counterparts, which taken together shall constitute one and the same instrument.
  5. Severability. If any provisions of this DPA shall be found by any court of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision shall not affect the other provisions of this DPA. The parties will attempt to agree upon a valid and enforceable provision that is a reasonable substitute and shall incorporate such substitute provision into this DPA.
  6. Change in Laws. The parties agree to negotiate modifications to this DPA if changes are required for the parties continued compliance with the Data Protection Laws, including, but not limited to, (i) any changes or amendments in response to updates to the Standard Contractual Clauses issued by the European Commission, (ii) if changes to the membership status of a country in the European Union or the EEA require such modification, or (iii) if adoption of additional Data Protection Laws in the United States warrants or reasonably requires modification to the terms of this DPA.
  7. UK Addendum. In the event that any transfer of Personal Data from the United Kingdom requires implementation of appropriate safeguards under the UK GDPR, the parties acknowledge and agree that such transfer shall be governed by the UK GDPR and the provisions of a UK Addendum appended to this DPA as an additional Schedule (the “UK Addendum”). Unless otherwise agreed to by the parties, the UK Addendum shall be in the form of the International Data Transfer Addendum to the Standard Contractual Clauses, version B1.0, in force 21 March 2022 (available online through the UK Information Commissioner’s Office).

Execution

IN WITNESS WHEREOF, the parties’ authorized signatories have duly executed this DPA on behalf of the party and, where relevant, their affiliates, as of the last date set forth below.

NECTAR HR

Signature:  _________________________________

Printed Name:  _____________________________

Title:  _______________________________________

Date:  _______________________________________

CLIENT

Signature:  _________________________________

Printed Name:  _____________________________

Title:  _______________________________________

Date:  _______________________________________

Schedule I — Instructions and Details of Processing

  1. Categories of data subjects whose Personal Data is processed:
    • Employees, award candidates, and personnel or contact persons of Client; and
    • Natural persons authorized by Client to use the Services (including the Nectar HR portal).
  2. Categories of Personal Data processed:
    • Personal identifiers that constitute Personal Data (including, but not limited to, name, email address, birth date, images of the data subject, and other identifiers disclosed by Client); and
    • Commercial and employment information concerning the job, position, work history (including hiring date), benefits, payroll, and other details of the employees and personnel of Client.
  3. Sensitive data processed (if applicable):
    • None.
  4. The frequency of the processing (e.g., whether the Personal Data is processed or transferred on a one-off or continuous basis):
    • On a continuous basis for the Services provided by Nectar HR, as a processor and service provider, to the Client.
  5. Nature of the processing:
    • The nature of the processing under this DPA (including the attached Standard Contractual Clauses) will include processing, data storage, and support necessary to provide the Services to Client. Client is and shall be the controller of the Personal Data provided to Nectar HR in connection with the Services. As applicable to transfers of the Personal Data, Client will also be the data exporter, and Nectar HR shall be the data importer. For purposes of CCPA/CPRA, Nectar HR is and shall remain a service provider, with Client as the covered business.
  6. Purpose(s) of the Personal Data processing, transfers, and any further processing:
    • The purpose of the processing and transfer is to provide, and reasonably support, the Services, including performance of contracts and legitimate interests of Nectar HR.
  7. The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
    • Until Client’s request to return or destroy the Personal Data, in accordance with Section 10 of the DPA.
  8. The following sub-processors are hereby approved by Company. In addition, for transfers to sub-processors, also specify subject matter, nature, and duration of the processing:
    • See Section 9(a) of the DPA for a list of Subcontractors who support the Services.

Schedule II — Standard Contractual Clauses

As adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 (“GDPR”) of the European Parliament and of the Council (the “Clauses”)

PERKCITY, INC., a Delaware corporation d/b/a Nectar HR, whose address is set forth in the DPA above (“data importer”), and the Client named in the DPA to which these Clauses are attached (“data exporter”) hereby agree to the implementation and execution of the Clauses identified above to establish appropriate safeguards, including enforceable data subject rights and effective legal remedies, with respect to data transfers from data exporter, as a controller, to data importer, as a processor, in accordance with applicable provisions of GDPR and Module Two of the Clauses. The parties’ selections and modifications for certain Clauses of Module Two, as necessary, shall be attached through a separate addendum, on request from either party.

The parties further acknowledge and agree it is the express intent of data importer and data exporter that the full text of the Clauses be incorporated into the body of this Schedule II, as if fully written herein, which Clauses in their entirety are available at the following link: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj. In accordance with the Clauses identified and incorporated herein by reference (regardless of the functionality of the link above), data importer and data exporter represent and warrant that the Appendix hereto (Annexes I through III) contains the parties’ elections, disclosures, and required information for implementation of the Clauses and, in particular, the provisions of Module Two for transfers from a controller to a processor under GDPR.

ADOPTED AS OF THE DATE NECESSARY TO COMPLY WITH APPLICABLE LAWS.

Data exporter:
Client (named in the DPA)
Name/Title: _________________________________

Data importer:
PerkCity, Inc. d/b/a Nectar HR
Name/Title: _________________________________

[Full Appendix I–III follows]

Schedule II — Annex I to the Standard Contractual Clauses

This Annex I forms part of the Clauses and must be completed and signed by the data exporter and data importer.

A. List of Parties

Data exporter:

Name: Client (named in the DPA)

Contact person name, position, and contact details: _________________________________

Activities relevant to the data transferred: Collection, storage, transfer, and processing of personal data to enable data importer to provide the “Services” under the DPA between data importer and data exporter.

Signature: _________________________________
Date: _________________________________
Role: Controller

Data importer:

Name: PERKCITY, INC., a Delaware corporation d/b/a Nectar HR
Contact person name, position, and contact details: _________________________________

Activities relevant to the data transferred: Provision of HR and employee-recognition “Services” under the DPA between data exporter and data importer, including to provide data exporter (and its personnel and employees) with access to data importer’s Services platform and portal.

Signature: _________________________________
Date: _________________________________
Role: Processor

B. Description of Transfer

See Schedule I attached hereto.

C. Competent Supervisory Authority

Identify the competent supervisory authority(ies) in accordance with Clause 13 of the Clauses:

  1. Supervisory authority of each Member State as applicable, depending on the Member State(s) in which the data subject(s) whose personal data is transferred under these Clauses in relation to the offering of goods or services to Client.

Schedule II — Annex II to the Standard Contractual Clauses

This Annex II forms an integral part of the Clauses.

Technical and organizational measures, including technical and organizational measures to ensure the security of the data:

  1. See Schedule III attached to the DPA between data importer and data exporter.

Schedule II — Annex III to the Standard Contractual Clauses

This Annex III forms an integral part of the Clauses.

List of sub-processors:

The controller has authorized the use of the following sub-processors:

  1. See Section 9(a) of the DPA for a list and active hyperlink of processor’s sub-processors.

Schedule III — Security Measures

  • Online Security Measures: Nectar HR’s technical and organizational security measures can be found at: https://nectarhr.com/security/. Nectar HR may update those security measures from time to time in connection with changes to Data Protection Laws or best practices of Nectar HR’s systems.