Skip to main content
Nami ML
Book a demo

Data Protection Addendum

Effective Date: May 13, 2026 Last reviewed: May 13, 2026

1. Introduction

This Data Protection Addendum ("Addendum") is entered into by and between Nami ML Inc., a Delaware corporation ("Nami"), and Customer effective as of the later date of each party's signature below. This Addendum applies to Nami's Processing of User Personal Data under the agreement executed between Nami and Customer for Nami's provision of the Services (the "Agreement"). To the extent of any conflict between this Addendum and the Agreement, this Addendum shall govern with respect to the subject matter herein.

2. Definitions

For purposes of this Addendum, the terms below have the meanings set forth below. Capitalized terms used but not defined in this Addendum have the meanings given in the Agreement.

"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where "control" refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract, or otherwise.

"Applicable Data Protection Laws" means all data protection, privacy, and information security laws and regulations applicable to a party's Processing of Personal Data, including without limitation:

  • United States: California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act ("CCPA/CPRA"); Colorado Privacy Act; Connecticut Data Privacy Act; Utah Consumer Privacy Act; Virginia Consumer Data Protection Act; Texas Data Privacy and Security Act; Oregon Consumer Privacy Act; Tennessee Information Protection Act; and any other US state-level comprehensive privacy law that becomes effective during the Subscription Term.
  • European Economic Area: Regulation (EU) 2016/679 ("GDPR") and any national legislation implementing or supplementing GDPR.
  • United Kingdom: Data Protection Act 2018 and the UK GDPR ("UK GDPR").
  • Other jurisdictions: Brazil's Lei Geral de Proteção de Dados (LGPD); the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA); the Mexican Federal Law on the Protection of Personal Data Held by Private Parties; and any successor or equivalent legislation in any jurisdiction where Customer authorizes Nami to Process User Personal Data.

"Controller" has the meaning given to that term, or to an equivalent term, under Applicable Data Protection Laws (including "controller" under GDPR/UK GDPR and "business" under CCPA/CPRA).

"Data Subject" has the meaning given to that term, or to an equivalent term ("consumer" under CCPA/CPRA), under Applicable Data Protection Laws.

"EU Data Protection Law" means GDPR and any national legislation implementing GDPR, as amended from time to time.

"Personal Data" means (i) information that identifies or reasonably could identify a natural person; or (ii) information that constitutes "personal data," "personal information," "personally identifiable information," or an equivalent term under Applicable Data Protection Laws.

"Processing" has the meaning given to that term under Applicable Data Protection Laws, including any operation or set of operations performed on Personal Data — whether or not by automated means — such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

"Processor" has the meaning given to that term, or to an equivalent term, under Applicable Data Protection Laws (including "processor" under GDPR/UK GDPR and "service provider" under CCPA/CPRA).

"Security Incident" means any confirmed unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data being Processed by Nami. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial-of-service attacks, or other network attacks on firewalls or networked systems.

"Subprocessor" means any third party authorized by Nami or its Affiliates to Process any User Personal Data.

"Third Party Subprocessor" means any Subprocessor who is not an Affiliate of Nami.

"User Personal Data" means any User Data (as defined in the Agreement) that is Personal Data. For purposes of this Addendum, User Personal Data does not include personal information of employees or other representatives of Customer with whom Nami has a direct business relationship.

3. General; Termination

This Addendum forms part of the Agreement and, except as expressly set forth in this Addendum, the Agreement remains unchanged and in full force and effect. If there is any conflict between this Addendum and the Agreement, this Addendum shall govern.

Any liabilities arising under this Addendum are subject to the limitations of liability in the Agreement.

This Addendum will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.

This Addendum will automatically terminate upon expiration or termination of the Agreement, provided that any obligations intended to survive the expiration or termination of the Addendum or the Agreement (including but not limited to Nami's deletion of User Personal Data) shall so survive.

4. Scope of this Addendum

This Addendum applies to Nami's Processing of User Personal Data under the Agreement. Annex A (EU Annex) applies to Processing governed by EU Data Protection Law. Annex B (California Annex) applies to Processing governed by CCPA/CPRA. Annex C (UK Annex) applies to Processing governed by UK GDPR. Annex D (Technical and Organisational Security Measures) applies to all Processing of User Personal Data under this Addendum and sets forth the Security Measures referenced in Section 7.

5. Role and Scope of the Processing

The parties acknowledge and agree that, with regard to the Processing of User Personal Data, Nami is the Processor and Customer is the Controller. Nami will Process User Personal Data only in accordance with Customer's instructions. By entering into the Agreement, Customer instructs Nami to Process User Personal Data (a) to perform its obligations and exercise its rights under the Agreement; (b) as permitted by Applicable Data Protection Laws; and (c) to perform its legal obligations and to establish, exercise, or defend legal claims in respect of the Agreement. Nami will not (i) sell or share User Personal Data, (ii) retain, use, or disclose any User Personal Data outside of the direct business relationship between Nami and Customer, or (iii) combine User Personal Data with Personal Data Nami receives from or on behalf of another person or customer except as expressly permitted by Applicable Data Protection Laws.

Customer is solely responsible for its compliance with Applicable Data Protection Laws and represents and warrants that it has obtained all necessary consents, licenses, and permissions, if any, required from Data Subjects and any third parties as required by Applicable Data Protection Laws.

To the extent that any Customer Data (as defined in the Agreement) is considered Personal Data, Nami is the Controller (or business) with respect to such data and shall Process such data in accordance with its Privacy Policy, accessible at https://www.nami.ml/privacy.

Use of Data for Machine-Learning and Algorithm Development. Nami will not use User Personal Data to train, fine-tune, or develop any machine-learning models or features that are deployed for or made available to any other customer. Any use of aggregated or de-identified data for general platform improvement, including improvement of Nami's algorithms, shall apply only to data that has been irreversibly aggregated or de-identified in accordance with the de-identification standard set forth in Applicable Data Protection Laws (including, where applicable, the standard articulated in CPRA Section 1798.140(m)). Nami shall maintain technical and organizational measures designed to prevent the re-identification of such data and shall not attempt to re-identify it.

6. Subprocessing

Customer specifically authorizes Nami to use its Affiliates as Subprocessors, and generally authorizes Nami to engage Third Party Subprocessors to Process User Personal Data solely for the purpose of providing the Services as set forth in the Agreement. Nami:

  • shall enter into a written agreement with each Subprocessor, imposing data protection obligations substantially similar to those set out in this Addendum; and
  • remains liable for compliance with the obligations of this Addendum and for any acts or omissions of any Subprocessor that cause Nami to breach any of its obligations under this Addendum.

A list of Nami's current Subprocessors, including their functions and locations of Processing, is available at https://www.nami.ml/legal/subprocessors or such other website as Nami may designate (the "Subprocessor Page") and may be updated by Nami in accordance with this Section 6.

When any new Third Party Subprocessor is engaged, Nami will notify Customer in writing (which notice may be given by updating the Subprocessor Page) at least ten (10) calendar days before the new Subprocessor Processes any User Personal Data, except that if Nami reasonably believes engaging a new Subprocessor on an expedited basis is necessary to protect the confidentiality, integrity, or availability of User Personal Data or avoid material disruption to the Services, Nami will give such notice as soon as reasonably practicable. If, within five (5) calendar days after such notice, Customer notifies Nami in writing that Customer objects to Nami's appointment of a new Third Party Subprocessor based on reasonable data protection concerns, the parties will discuss such concerns in good faith and whether they can be resolved. If the parties are unable to mutually agree to a resolution of such concerns, Customer, as its sole and exclusive remedy, may terminate the Agreement for convenience with a pro-rated refund of any prepaid unused Fees.

7. Security

Nami shall implement and maintain the technical and organisational security measures set forth in Annex D (Technical and Organisational Security Measures) to this Addendum (the "Security Measures"), which are designed to protect User Personal Data from Security Incidents and to preserve the security and confidentiality of User Personal Data. Nami will document the Security Measures in formal written policies and standards that: (i) expressly define administrative, physical, and technological controls to protect the confidentiality, integrity, and availability of User Personal Data; (ii) maintain secure access, retention, and transfer of User Personal Data; (iii) are designed to prevent unauthorized access to User Personal Data and Nami's systems, including access by terminated employees; (iv) require assessment, monitoring, and auditing procedures and mechanisms to ensure compliance with such written policies, including an annual assessment of the policies; and (v) provide for disciplinary action in the event of violation of such policies by employees. Nami will maintain a qualified information security leader responsible for the development, implementation, and maintenance of Nami's information security program.

Customer is responsible for reviewing the information made available by Nami relating to data security and making an independent determination as to whether the Services meet Customer's requirements and legal obligations under Applicable Data Protection Laws. Customer acknowledges that the Security Measures may be updated from time to time upon reasonable written notice to Customer to reflect process improvements or changing practices, provided that the modifications will not materially decrease Nami's obligations as compared to those reflected in such terms as of the Effective Date.

Security Incident Notification. Upon becoming aware of a confirmed Security Incident, Nami shall notify Customer without undue delay and in any event no later than seventy-two (72) hours following Nami's confirmation of the Security Incident, unless prohibited by applicable law or specifically requested by law enforcement to delay such notification in light of an ongoing investigation. Such notice will describe, to the extent then known: (a) the nature of the Security Incident, including the categories and approximate number of affected Data Subjects and User Personal Data records; (b) the likely consequences of the Security Incident; (c) the measures taken or proposed to address the Security Incident, including, where appropriate, measures to mitigate possible adverse effects; and (d) the name and contact details of Nami's data protection contact. Without prejudice to Nami's obligations under this Section 7, Customer is solely responsible for complying with Security Incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incident. Nami's notification of, or response to, a Security Incident under this Section will not be construed as an acknowledgement by Nami of any fault or liability with respect to the Security Incident.

Customer agrees that, without limitation of Nami's obligations under this Section 7, Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of User Data; (b) securing the account authentication credentials, systems, and devices Customer uses to access the Services; and (c) securing Customer's systems and devices used with the Services.

8. Data Subject Requests

Nami shall, upon Customer's request, provide Customer with such assistance as Customer may reasonably require to comply with its obligations under Applicable Data Protection Laws to respond to requests from individuals to exercise their rights under Applicable Data Protection Laws (including rights of data access, rectification, erasure, restriction, portability, objection, and the right not to be subject to automated decision-making), in cases where Customer cannot reasonably fulfill such requests independently by using the self-service functionality of the Services. If Nami receives a request from a Data Subject in relation to their User Personal Data, Nami will advise the Data Subject to submit their request to Customer, and Customer will be responsible for responding to any such request.

9. Cross-Border Transfers

Nami may, subject to this Section 9, store and Process User Personal Data in the United States or anywhere Nami or its Subprocessors maintain facilities. Cross-border transfers of User Personal Data shall be governed by (a) the EU Annex (Annex A) where Processing is subject to EU Data Protection Law; (b) the California Annex (Annex B) where Processing is subject to CCPA/CPRA; and (c) the UK Annex (Annex C) where Processing is subject to UK GDPR. Customer is responsible for ensuring that its use of the Services complies with any cross-border data transfer restrictions of Applicable Data Protection Laws.

10. Data Protection Impact Assessment and Prior Consultation

Nami may (taking into account the nature of the Processing and the information available to Nami) reasonably assist Customer in complying with Customer's obligations under Articles 35 and 36 of the GDPR (and equivalent obligations under other Applicable Data Protection Laws), including by making available documentation describing relevant aspects of Nami's information security program and the Security Measures applied in connection therewith, and providing other information obtained pursuant to the Agreement, including this Addendum.

11. Deletion or Return of User Personal Data

Upon termination or expiration of the Agreement, Nami shall, at Customer's choice, delete or return all User Personal Data Processed under the Agreement, and delete existing copies thereof, unless Nami is required by Applicable Data Protection Laws to retain some or all of such User Personal Data. Where retention is required by law, Nami shall continue to protect such User Personal Data in accordance with this Addendum and shall delete it once the retention obligation expires.

Annex A — EU Annex (GDPR)

This Annex A applies to Nami's Processing of User Personal Data governed by EU Data Protection Law.

A.1 Roles and Regulatory Compliance

The parties acknowledge and agree that (a) Nami is a processor of User Personal Data under EU Data Protection Law; (b) Customer is a controller of User Personal Data under EU Data Protection Law; and (c) each party will comply with the obligations applicable to it in such role under EU Data Protection Law with respect to the Processing of User Personal Data.

A.2 Subject Matter and Details of Processing

The parties acknowledge and agree that (a) the subject matter of the Processing under the Agreement is Nami's provision of the Services; (b) the Processing commences from Nami's receipt of User Personal Data and shall continue for a duration determined by Customer; (c) the nature and purpose of the Processing is to provide the Services; (d) the Data Subjects to whom the Processing pertains are Customer's customers, end users, or other individuals to whom User Personal Data pertains; and (e) the categories of User Personal Data are such categories as Customer is authorized to ingest into the Services under the Agreement.

A.3 Standard Contractual Clauses

Where Customer transfers User Personal Data subject to EU Data Protection Law to Nami in a country not deemed by the European Commission to provide an adequate level of data protection, such transfer shall be governed by the Standard Contractual Clauses approved by the European Commission in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (the "2021 SCCs"), which are hereby incorporated into this Addendum by reference. The parties further agree that:

  • Module Two (Controller to Processor) of the 2021 SCCs shall apply to the transfers contemplated by this Addendum, except where the Processing involves Nami acting as a sub-processor of Customer's own processor, in which case Module Three (Processor to Processor) shall apply.
  • For purposes of the 2021 SCCs: (a) Customer is the "data exporter"; (b) Nami is the "data importer."
  • Clause 7 (Docking Clause) is incorporated.
  • Clause 9 (Use of sub-processors) Option 2 (general written authorisation) is selected, with the prior notice period set to ten (10) calendar days as specified in Section 6 of this Addendum.
  • Clause 11 (Redress) — the optional language is excluded.
  • Clause 17 (Governing law) — the governing law shall be the law of Ireland.
  • Clause 18 (Choice of forum and jurisdiction) — disputes shall be resolved by the courts of Ireland.
  • Annex I.A (List of Parties) — the parties are as identified in the Agreement and this Addendum.
  • Annex I.B (Description of transfer) — the subject matter, nature, and purpose of Processing are as set forth in Section 2 of this Annex A; the categories of Data Subjects and Personal Data are as set forth in the Agreement.
  • Annex I.C (Competent supervisory authority) — the Irish Data Protection Commission.
  • Annex II (Technical and organisational measures) — the Security Measures set forth in Annex D to this Addendum.
  • Annex III (List of sub-processors) — as published at https://www.nami.ml/legal/subprocessors and updated pursuant to Section 6 of this Addendum.

EU-US Data Privacy Framework (alternative transfer mechanism). In addition to the 2021 SCCs, where Nami is certified under the EU-US Data Privacy Framework (the "DPF") and, where applicable, the UK Extension to the DPF, transfers of User Personal Data from the EEA or the UK to Nami in the United States may also be effected pursuant to the DPF, in which case the DPF Principles shall apply in lieu of, or in addition to, the 2021 SCCs as the parties may agree in writing. Nami shall maintain its DPF certification (if obtained) in accordance with the requirements published by the U.S. Department of Commerce, and shall notify Customer promptly if Nami's DPF certification lapses or is withdrawn. Until Nami is DPF-certified, the 2021 SCCs as set forth above remain the operative transfer mechanism.

Swiss-US Data Privacy Framework. Where Customer transfers User Personal Data subject to the Swiss Federal Act on Data Protection (FADP) to Nami in the United States, and Nami is certified under the Swiss-US Data Privacy Framework, such transfer may also be effected pursuant to the Swiss-US DPF on the same terms.

A.4 Transfer Impact Assessment

The parties acknowledge that, in accordance with the European Data Protection Board's recommendations following the Schrems II decision (Case C-311/18), a Transfer Impact Assessment ("TIA") is required for transfers of User Personal Data outside the EEA. Nami will provide Customer with reasonable assistance and information needed to conduct such a TIA, including information about Nami's data Processing locations, applicable government access laws, and supplementary measures Nami has implemented.

A.5 Audits and Reviews of Compliance

To the extent Applicable Data Protection Laws include a right for Customer to audit Nami's Processing of User Personal Data, Customer may exercise such audit right, and Nami will fulfill its corresponding obligations, as follows:

Not more than once per calendar year and at Customer's expense, Customer may audit Nami's Processing of User Personal Data for compliance with its obligations under this Addendum by submitting reasonable requests for information, including security and audit questionnaires. Nami will provide written responses to the requested information as necessary to confirm Nami's compliance with this Addendum. If the requested information is addressed in a SOC 2 Type II report (or successor framework report) issued within the six-month period prior to Customer's request and Nami confirms there have been no material changes in the interim relevant to Customer's request, Customer agrees to accept such report in lieu of a written response. Any information provided by Nami under this Section constitutes Nami's Confidential Information under the Agreement.

If a third party is to conduct an audit under this Section, Nami may object to the auditor if, in Nami's reasonable opinion, the auditor is not independent, is a competitor of Nami, or is otherwise unqualified. Such objection by Nami will require Customer to appoint another auditor.

Annex B — California Annex (CCPA/CPRA)

This Annex B applies to Nami's Processing of User Personal Data governed by CCPA/CPRA. For purposes of this Annex B, the terms "business," "commercial purpose," "service provider," "sell," "share," and "personal information" have the meanings given in the CCPA/CPRA.

B.1 Service Provider Status

With respect to User Personal Data, Nami represents and warrants that it is a service provider under CCPA/CPRA. In the event Nami no longer qualifies as a service provider under CCPA/CPRA, Nami shall immediately notify Customer of such change in writing.

B.2 Restrictions on Processing

Nami will not:

  • sell or share User Personal Data;
  • retain, use, or disclose any User Personal Data for any purpose other than for the specific business purpose of providing the Services under the Agreement, including retaining, using, or disclosing the User Personal Data for a commercial purpose other than providing the Services;
  • retain, use, or disclose User Personal Data outside of the direct business relationship between Nami and Customer; or
  • combine User Personal Data with personal information that Nami receives from or on behalf of another person or customer, except as expressly permitted by CCPA/CPRA.

B.3 Cooperation with Consumer Rights Requests

Nami shall reasonably cooperate with Customer's efforts to respond to verifiable consumer requests under CCPA/CPRA, including the right to know, right to delete, right to correct, right to opt out of sale/sharing, and right to limit use of sensitive personal information.

B.4 Sensitive Personal Information

Nami does not Process Sensitive Personal Information (as defined in CPRA Section 1798.140(ae)) on Customer's behalf in connection with the Services. Customer shall not transmit, upload, or otherwise make Sensitive Personal Information available to Nami via the Services without Nami's prior written agreement. If Customer requires Processing of Sensitive Personal Information, the parties shall enter into a separate written agreement specifying the categories of Sensitive Personal Information, the purposes of Processing, and the applicable security, retention, and consent obligations. Nothing in this Section is intended to limit Nami's ability to receive ordinary technical information necessary for delivery of the Services that may incidentally fall within a category of Sensitive Personal Information (such as IP address, where treated as Sensitive Personal Information under Applicable Data Protection Laws); any such incidental Processing remains subject to the limitations on use set forth in this Addendum.

B.5 Acknowledgment

The parties acknowledge and agree that the Processing of User Personal Data authorized by Customer's instructions described in Section 5 of this Addendum is integral to and encompassed by Nami's provision of the Services and the direct business relationship between the parties.

To the extent that any Customer Data (as defined in the Agreement) is considered Personal Information, Nami is the business with respect to such data and shall Process such data in accordance with its Privacy Policy, accessible at https://www.nami.ml/privacy.

Annex C — UK Annex (UK GDPR)

This Annex C applies to Nami's Processing of User Personal Data governed by UK GDPR.

C.1 UK International Data Transfer Addendum

Where Customer transfers User Personal Data subject to UK GDPR to Nami in a country not covered by an adequacy regulation issued under the UK GDPR, such transfer shall be governed by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office (the "UK IDTA"), version B1.0 in force on 21 March 2022, which is hereby incorporated by reference. The 2021 SCCs as incorporated in Annex A above shall serve as the "Approved EU SCCs" referenced in the UK IDTA, with the modifications described in the UK IDTA Table 4.

C.2 Modifications for UK Application

For purposes of the UK IDTA:

  • The "data exporter" is Customer and the "data importer" is Nami, consistent with the 2021 SCCs as incorporated in Annex A.
  • The "Linked Agreement" referenced in the UK IDTA is the Agreement and this Addendum.
  • The "Importer's Decision-Making Powers" referenced in Table 1 of the UK IDTA are as set forth in this Addendum.
  • The "Appendix Information" required by the UK IDTA Tables 1, 2, and 3 corresponds to the equivalent annexes of the 2021 SCCs as set forth in Section 3 of Annex A above.
  • The information required by Table 4 (Ending the Addendum when the Approved Addendum Changes) provides that either party may terminate this Addendum if a change to the UK IDTA results in a material increase in cost or risk to that party.

C.3 UK ICO as Supervisory Authority

For Processing governed by UK GDPR, the competent supervisory authority is the UK Information Commissioner's Office.

Annex D — Technical and Organisational Security Measures

This Annex D sets forth the Security Measures referenced in Section 7 of this Addendum and serves as the Technical and Organisational Measures referenced in Annex II of the 2021 SCCs incorporated by Section 3 of Annex A. The Security Measures described below are designed to satisfy Nami's obligations under Article 32 of the GDPR and equivalent provisions of other Applicable Data Protection Laws.

D.1 Information Security Program

Nami maintains a documented information security program that establishes policies and procedures aligned with applicable industry-recognised frameworks (which may include SOC 2 and NIST CSF). The program is owned by a designated information security leader who reports to Nami's executive leadership, and is reviewed at least annually and updated as needed to reflect changes in the threat landscape, applicable laws, and Nami's services.

D.2 Personnel Security

All Nami personnel are subject to confidentiality obligations and background screening to the extent permitted by applicable law. Personnel with access to User Personal Data complete security and privacy training upon hire and at least annually thereafter. Access to User Personal Data is granted on a least-privilege, need-to-know basis and is revoked promptly upon role change or termination.

D.3 Access Controls

Nami implements logical access controls including unique user identification, role-based access controls (RBAC), and multi-factor authentication for access to systems that store or Process User Personal Data. Production systems are segregated from development and testing environments. Access rights are reviewed periodically and adjusted based on the principle of least privilege.

D.4 Encryption

User Personal Data is encrypted in transit between Customer and the Nami Platform using industry-standard transport layer security (TLS 1.2 or higher). User Personal Data at rest in Nami's production systems is encrypted using industry-standard algorithms (AES-256 or equivalent). Encryption key management follows documented procedures with periodic key rotation.

D.5 Network Security

Nami's production environment is protected by network firewalls, intrusion detection and prevention controls, and network segmentation. Public-facing interfaces are continuously monitored for malicious traffic patterns. Inbound and outbound network traffic affecting systems that Process User Personal Data is subject to logging and review.

D.6 Application Security

Nami follows a secure software development lifecycle (SDLC) that includes code review, static and dynamic application security testing (SAST/DAST) as appropriate, and dependency vulnerability scanning prior to production deployment. Identified vulnerabilities are tracked and remediated based on severity according to documented timelines.

D.7 Physical and Environmental Security

Nami's production infrastructure is hosted in third-party data centres operated by Amazon Web Services (AWS), Google Cloud Platform (GCP), or comparable providers that maintain industry-standard physical security controls (including 24×7 surveillance, access logging, biometric access controls, fire suppression, and environmental controls). Nami does not operate its own data centres.

D.8 Operations Security

Nami maintains documented procedures for change management, configuration management, vulnerability management, and patching of production systems. Security-relevant events — including authentication events, administrative actions, and data access events affecting User Personal Data — are logged and retained for a period consistent with applicable legal requirements and Nami's incident-response needs.

D.9 Incident Management

Nami maintains a documented incident response plan covering identification, containment, eradication, recovery, and post-incident review of Security Incidents. The plan is tested at least annually. Customer notification of Security Incidents is governed by Section 7 of this Addendum.

D.10 Business Continuity and Disaster Recovery

Nami maintains backup and disaster recovery procedures for production data and systems. Backups are encrypted in accordance with the encryption controls described in Section D.4. Nami tests its disaster recovery procedures at least annually and maintains documented recovery time and recovery point objectives appropriate to the criticality of the affected systems.

D.11 Vendor and Subprocessor Management

Nami's Subprocessor selection process includes security and privacy due diligence appropriate to the Subprocessor's access to User Personal Data. Subprocessor agreements impose data-protection obligations substantially similar to those set forth in this Addendum, consistent with Section 6.

D.12 Updates to Security Measures

The Security Measures described in this Annex D may be updated from time to time upon reasonable written notice to Customer to reflect process improvements or changing practices, provided that the modifications will not materially decrease Nami's obligations as compared to those reflected in this Annex D as of the Effective Date of the Agreement.