
The original document is in English only. The last date of document revisions and edits was November 15, 2025.
Including CCPA / CPRA Requirements
NiamonX LTD
This Data Processing Addendum – USA (the "DPA (USA)" or "Addendum") forms part of, and is subject to, the main agreement or terms of service (the "Agreement") between NiamonX LTD ("NiamonX", "Processor", "Service Provider" or "Contractor") and the customer identified in the Agreement ("Customer", "Business", "Controller" or "Client") (together, the "Parties").
This DPA (USA) is specifically intended to address requirements under:
In case of conflict between this Addendum and the Agreement, this Addendum shall prevail to the extent necessary to comply with applicable privacy laws.
1.1. "Agreement" means the main contract, terms of use, subscription terms, order form, or other binding arrangement between NiamonX and Customer governing the provision and use of the NiamonX OSINT and cybersecurity platform and related services.
1.2. "Customer Personal Data" means any information that is processed by NiamonX on behalf of Customer and that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an identified or identifiable consumer, household, or device, as defined under applicable US privacy laws (including CCPA/CPRA), in connection with Customer's use of the Services.
1.3. "Consumer" has the meaning given in CCPA/CPRA, and, where relevant, similar terms under other US state privacy laws (e.g., "resident", "individual").
1.4. "Controller" or "Business" means the entity that determines the purposes and means of processing personal data or "Personal Information" under CCPA/CPRA. For purposes of this Addendum, Customer is the Business or Controller with respect to Customer Personal Data.
1.5. "Processor", "Service Provider" or "Contractor" means NiamonX to the extent it processes Customer Personal Data on behalf of Customer under the Agreement and in accordance with this Addendum.
1.6. "Processing", "Process" and related terms mean any operation or set of operations performed on personal data or Personal Information, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, deletion or destruction.
1.7. "Sell", "Selling", "Sale" and "Share" have the meanings given in CCPA/CPRA. For clarity, "Share" refers to cross‑context behavioural advertising under CPRA.
1.8. "Applicable US Privacy Laws" means CCPA/CPRA and, where agreed by the Parties, other US state privacy laws that are similar in nature (such as those in Colorado, Virginia, Connecticut, Utah, etc.), to the extent applicable to the Parties' activities.
1.9. "Services" means the NiamonX OSINT and cybersecurity platform and all related tools, products, features and support services provided by NiamonX to Customer under the Agreement, including but not limited to dashboard, OSINT tools, breach search, scanning tools, maps, AI services, integrations, and API access.
1.10. "Sub‑Processor" means any third party engaged by NiamonX that processes Customer Personal Data on behalf of Customer in connection with the provision of the Services.
For purposes of Customer Personal Data processed under this Addendum:
The Parties expressly acknowledge and agree that:
NiamonX may also process personal data as an independent controller, for example:
Those activities are governed by NiamonX's own privacy notices and are not subject to this Addendum.
The subject matter of processing under this Addendum is the Customer Personal Data that NiamonX processes on behalf of Customer in connection with the provision of the Services (e.g. OSINT queries, uploaded content, breach‑related checks, infrastructure metadata associated with Customer's use).
The duration of processing is the term of the Agreement and, if applicable, any post‑termination period during which NiamonX must retain Customer Personal Data for legitimate business or legal reasons, in accordance with Section 12 (Data Retention and Deletion).
The processing operations may include storage, encryption, transmission, indexing (where appropriate), security scanning, anonymisation, pseudonymisation, and technical analysis of Customer Personal Data to:
Customer Personal Data may include, without limitation, the types listed below, to the extent provided or made available by Customer through use of the Services:
Consumers whose Personal Information may be processed may include:
Customer is solely responsible for determining the categories of Consumers.
NiamonX shall process Customer Personal Data only:
unless otherwise required by applicable law.
Customer is solely responsible for ensuring that:
If NiamonX reasonably believes that any instruction from Customer violates Applicable US Privacy Laws, NiamonX may:
To the extent CCPA/CPRA applies, NiamonX agrees that:
NiamonX shall not:
NiamonX does not use Customer Personal Data for cross‑context behavioural advertising and will not "Share" Customer Personal Data as defined in CPRA.
NiamonX may not combine Customer Personal Data with personal information NiamonX receives from other sources except as permitted by CCPA/CPRA (for example, for security and fraud detection, or to improve the Services without inferring characteristics about Consumers in a way that violates CPRA).
If NiamonX determines it can no longer meet its obligations as a Service Provider / Contractor under CCPA/CPRA, it shall:
To the extent Customer is required to respond to a Consumer request to exercise their rights under CCPA/CPRA (e.g., right to know, delete, correct, opt‑out of sale/share):
NiamonX shall ensure that persons authorised to process Customer Personal Data:
NiamonX shall maintain policies and technical controls (including VPN, hardware security keys, role‑based access and monitoring by local AI security models) to reduce the risk of unauthorised access by its personnel to Customer Personal Data.
NiamonX shall implement and maintain appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.
NiamonX operates a multi‑layer security model, including:
AES‑256‑GCM, hashed passwords using bcrypt or Argon2id, mandatory 2FA where applicable, anomaly detection and isolation of suspicious sessions, access via corporate VPN and hardware keys.
Application‑level encryption with AES‑256‑GCM, envelope encryption via KMS/HSM, Transparent Data Encryption at database layer, SHA‑256 hashing of API keys, zero‑log policy for query contents.
Logging and monitoring of staff actions, least‑privilege access, AI‑based anomaly detection, isolation of suspicious nodes/clusters.
Field‑level encryption with AES‑256‑GCM and unique IV/nonce, independent key management, regular rotation, Confidential Computing environments, strict segregation of cryptographic materials.
NiamonX does not store the contents of OSINT/tool queries (e.g. specific search parameters) on its servers. Such contents remain only on the Customer's side/device. This is intended to minimize the risk and exposure in case of security incidents.
To the extent NiamonX holds or may obtain third‑party audits, certifications, or reports relevant to the Services (e.g. security assessments), and where applicable, NiamonX may make summaries available to Customer upon written request and subject to confidentiality obligations.
Customer authorises NiamonX to engage Sub‑Processors for the provision of the Services. Sub‑Processors may include, without limitation:
NiamonX shall enter into written agreements with Sub‑Processors containing data protection obligations that are at least as protective as those set out in this Addendum with respect to Customer Personal Data.
NiamonX remains responsible for the performance of its Sub‑Processors' obligations concerning Customer Personal Data, except where Applicable US Privacy Laws expressly provide otherwise (e.g. payment providers acting as independent controllers under their own privacy policies).
Where required by Applicable US Privacy Laws or by the Agreement, NiamonX may provide Customer with a mechanism (e.g. online list) describing key Sub‑Processors. Customer may raise reasonable and specific objections to a new Sub‑Processor on data protection grounds within a defined period (if provided in the Agreement). If the Parties cannot resolve such objections, either Party may exercise applicable termination rights concerning the relevant Services.
If a Consumer submits a request to NiamonX to exercise rights related to Customer Personal Data and NiamonX can reasonably identify Customer as the Business controlling that data:
NiamonX shall provide reasonable assistance at Customer's cost (if applicable under the Agreement) in responding to Consumer requests, including:
A "Security Incident" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data processed by NiamonX.
In the event NiamonX becomes aware of a Security Incident involving Customer Personal Data:
Customer is responsible for determining whether to notify regulators, Consumer(s) or other third parties and for complying with any such notification obligations. NiamonX will, upon Customer's request and at Customer's expense, provide reasonable cooperation to support such notifications.
To the extent required by Applicable US Privacy Laws (including CCPA/CPRA), Customer has the right to:
Any audit must:
Where NiamonX has existing independent third‑party audit reports, certifications, or assessments relevant to the Services, NiamonX may make such reports available to Customer as primary evidence of compliance. On‑site audits will be allowed only if necessary and not otherwise satisfied by such documentation.
NiamonX shall retain Customer Personal Data only for as long as necessary to:
Upon termination or expiration of the Agreement, or upon Customer's legitimate written request:
NiamonX may retain minimal backup copies, logs and records to the extent required by law, for security reasons, or for the establishment, exercise or defence of legal claims, subject to ongoing confidentiality and security obligations.
Card payments are processed by Stripe, which acts as an independent controller for the processing of payment card data. NiamonX does not receive full card numbers or sensitive authentication data. Stripe's processing is governed by Stripe's Privacy Policy.
Cryptocurrency payments are processed by NOWPayments, which acts as an independent controller with its own privacy policy: NOWPayments Privacy Policy. NiamonX does not receive private crypto keys.
Where necessary to perform a requested check (for example, URL/file/hash/domain/IP scanning or OSINT lookups), NiamonX may share data with third‑party antivirus companies, operators, or OSINT data suppliers in anonymised or pseudonymised form, avoiding direct disclosure of identifiable Customer Personal Data where feasible.
To the extent this Addendum addresses compliance with US privacy law, it shall be interpreted in light of such laws (including CCPA/CPRA). In all other respects, the governing law and jurisdiction clauses of the Agreement shall apply.
In the event of a direct conflict between this Addendum and any other provisions of the Agreement concerning the processing of Customer Personal Data, this Addendum shall prevail to the extent necessary to comply with Applicable US Privacy Laws.
This Addendum does not create any rights or remedies for any third party, including any Consumer, unless explicitly required by Applicable US Privacy Laws. Consumers may exercise their rights primarily against the Customer as Business/Controller.
If any provision of this Addendum is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid provision shall be deemed modified to the minimum extent necessary to make it valid and enforceable.
NiamonX may propose updates to this Addendum to reflect changes in Applicable US Privacy Laws or its Services. Any such amendments shall become effective as set forth in the Agreement or upon mutual written agreement of the Parties.
This Addendum, together with the Agreement, constitutes the entire understanding between the Parties with respect to the subject matter herein and supersedes any prior or contemporaneous communications, whether oral or written, regarding such subject matter.
IN WITNESS WHEREOF, the Parties have caused this Data Processing Addendum (USA – CCPA/CPRA) to be incorporated into and made part of the Agreement as of the effective date of the Agreement or, if later, as of the date both Parties have accepted or signed the Agreement referencing this Addendum.
_______________________________________
____________________________
____________________________
____________________________
_______________________________________
____________________________
____________________________
____________________________