Last Updated: March 30, 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service ("Agreement") between nMetric, LLC ("Processor" or "Provider") and the subscriber to the Service ("Controller" or "Customer"). For purposes of this DPA, the terms "Processor" and "Provider" are used interchangeably, as are the terms "Controller" and "Customer."
1. Definitions
· "AI Features" means the artificial intelligence capabilities of the Service, including the patented AI Genetic Algorithm used for scheduling optimization, resource matching, and scenario analysis.
· "Controller" implies the Customer/Subscriber who determines the purposes and means of the processing of Personal Data.
· "ERP/MRP Integration" refers to the connection between Processor’s Service and Controller’s external resource planning systems.
· "Processor" implies nMetric, LLC, who processes Personal Data on behalf of the Controller.
· "Personal Data" means any information relating to an identified or identifiable natural person (e.g., employee names, customer names) provided by Controller to Processor.
· "Profiling" means any automated processing of Personal Data to evaluate, analyze, or predict aspects related to an identified or identifiable individual's work performance, availability, capabilities, or other characteristics relevant to scheduling.
· "Sensitive Data" means Personal Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or immigration status, genetic or biometric data, data collected from a known child, precise geolocation data, and financial account credentials or government-issued identification numbers, as defined under applicable U.S. state data privacy laws.
2. Scope and Purpose of Processing
Processor will process Personal Data solely for the purpose of providing the Scheduling Service, including:
1. Ingesting data from Controller’s ERP/MRP systems to calculate schedules using AI-powered optimization.
2. Generating reports and operational tools.
3. Performing CRUD (Create, Read, Update, Delete) operations as requested by the Controller, including writing data back to the Controller’s source systems.
4. Running AI Genetic Algorithm analysis for scheduling optimization, resource matching, and "what-if" scenario modeling.
Processor will not process Personal Data for any purpose other than providing the Service to Controller, including but not limited to: selling Personal Data, using Personal Data for targeted advertising, or using Personal Data to train large language models or other generative AI systems.
3. Categories of Data and Data Subjects
To perform the Service, the Controller authorizes the Processor to handle the following categories of data:
· Data Subjects: Controller’s employees/personnel ("Resources"), Controller’s customers, and system users.
· Types of Personal Data: Names of personnel (Resources), contact details, capabilities/skills data, availability schedules, and Customer names associated with orders.
· Operational Data (Non-Personal): Build part numbers, routing instructions, Bills of Materials (BOMs), and order specifications.
Note: While this DPA focuses on Personal Data, Processor agrees to treat Operational Data with the same standard of security. Controller is responsible for ensuring that any Sensitive Data uploaded to the Service is processed in compliance with applicable law.
4. Controller Responsibilities
Controller shall:
a. Ensure a lawful basis exists for the processing of Personal Data provided to Processor.
b. Provide all required notices to Data Subjects regarding the processing of their Personal Data through the Service, including disclosures required under applicable U.S. state data privacy laws.
c. Obtain any consents required for the processing of Sensitive Data.
d. Respond to requests from Data Subjects to exercise their rights (access, correction, deletion, portability, opt-out) and notify Processor as necessary to facilitate such requests.
e. Conduct data protection assessments as required by applicable law for processing activities presenting a heightened risk of harm, including targeted advertising, sale of Personal Data, profiling, and processing of Sensitive Data.
f. Comply with applicable AI governance laws, including providing required notices to individuals when AI is used to make or substantially influence consequential decisions, and ensuring human review of automated decisions where required.
g. Ensure that use of the AI Features does not result in algorithmic discrimination or unlawful disparate impact on any individual or group.
5. Processor Obligations
5.1 General Processing Requirements
Processor shall:
a. Process Personal Data only in accordance with Controller's documented instructions, except where required by applicable law.
b. Ensure that all personnel authorized to process Personal Data are subject to a duty of confidentiality.
c. Not sell, share, or otherwise disclose Personal Data to third parties except as permitted under this DPA or as instructed by Controller.
d. Not process Personal Data for targeted advertising purposes.
e. Not use Personal Data to train artificial intelligence or machine learning models other than as necessary to provide the Service to Controller.
5.2 Security Measures
Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
· Encryption of data in transit (e.g., SSL/TLS) between the Service and the Controller’s ERP/MRP system.
· Access controls ensuring that only authorized employees, contractors, and partners have access to the data on a "need-to-know" basis.
· Regular security assessments and vulnerability testing.
· Regular backups and disaster recovery protocols.
· Procedures for regularly testing, assessing, and evaluating the effectiveness of security measures.
5.3 Assistance with Controller Obligations
Processor shall, taking into account the nature of processing and the information available to Processor:
a. Assist Controller in responding to Data Subject requests to exercise their rights under applicable data privacy laws, including requests for access, correction, deletion, and portability.
b. Assist Controller in ensuring compliance with security obligations, including breach notification requirements.
c. Provide information reasonably necessary for Controller to conduct data protection assessments and demonstrate compliance with applicable data privacy and AI laws.
d. Upon Controller's request, provide information regarding the AI Features, including the nature of automated processing, the categories of data processed, and the outputs generated, to enable Controller to comply with AI transparency and disclosure obligations.
5.4 Data Subject Rights Requests
Processor shall, to the extent legally permitted, promptly notify Controller if it receives a request from a Data Subject to exercise their rights (e.g., right to access, correction, deletion, portability, or opt-out). Processor shall not respond to such request without Controller’s prior written consent, except to confirm that the request relates to the Controller. Processor shall provide commercially reasonable assistance to Controller in responding to such requests.
5.5 Security Incident Notification
Processor shall notify Controller without undue delay after becoming aware of any security incident involving Personal Data. The notification shall include:
· A description of the nature of the incident
· The categories and approximate number of Data Subjects affected
· The likely consequences of the incident
· Measures taken or proposed to address the incident
6. Sub-processors
6.1 Authorization
Controller grants general authorization to Processor to engage third-party sub-processors (including cloud hosting providers, internal contractors, and development partners) to support the delivery of the Service.
6.2 Sub-processor Requirements
Processor shall:
a. Maintain a current list of sub-processors, which shall be made available to Controller upon request.
b. Enter into written agreements with sub-processors that impose data protection obligations no less protective than those in this DPA.
c. Remain fully liable for the acts and omissions of its sub-processors.
7. ERP/MRP Integration and "Write-Back" Authority
Controller hereby grants Processor explicit authorization to connect to its designated ERP/MRP application(s). Controller acknowledges that the Service includes "write-back" capabilities (writing data from the Service back to the Controller's database).
· Controller Responsibility: Controller is responsible for configuring permissions and ensuring that the data source accepts updates from the Processor.
· Processor Responsibility: Processor will strictly follow the logic and rules defined in the Service when writing data back to the source system.
8. Data Protection Assessments
8.1 Processor Assistance
Upon Controller's request, Processor shall provide information reasonably necessary for Controller to conduct and document data protection assessments required under applicable law, including assessments for:
· Processing activities presenting a heightened risk of harm to consumers
· Profiling activities
· Use of AI and automated decision-making
8.2 AI Impact Assessments
If Controller is required to conduct impact assessments related to use of high-risk AI systems under applicable law (including the Colorado AI Act), Processor shall provide:
· Documentation regarding the purpose, intended use cases, and benefits of the AI Features
· Information about the types of data processed by the AI Features and the outputs generated
· Information about measures taken to identify and mitigate risks of algorithmic discrimination
· Information about how the AI Features should be monitored and used
9. Audits
Upon reasonable request and subject to appropriate confidentiality obligations, Processor shall make available to Controller information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by Controller or an auditor mandated by Controller. Controller shall provide at least thirty (30) days' prior written notice before conducting any audit. Audits shall be conducted during normal business hours and shall not unreasonably interfere with Processor's operations. Controller shall bear its own costs associated with any audit.
10. International Transfers
If Personal Data originates from the European Economic Area (EEA), the UK, or Switzerland, the parties agree to enter into and abide by the Standard Contractual Clauses (SCCs) as approved by the European Commission. The applicable SCCs shall be the Controller-to-Processor Module (Module Two) of Commission Implementing Decision (EU) 2021/914. The SCCs are incorporated by reference and shall be deemed executed upon execution of this DPA. For UK transfers, the parties shall execute the UK International Data Transfer Addendum to the EU SCCs. For transfers subject to other jurisdictions' requirements, the parties shall implement appropriate safeguards as required by applicable law.
11. Term and Termination
11.1 Duration
This DPA remains in effect as long as Processor processes Personal Data on behalf of Controller.
11.2 Data Return and Deletion
Upon termination of the Agreement, Processor shall, at Controller's election:
a. Return all Personal Data to Controller in a commonly used, machine-readable format; or
b. Delete all Personal Data, except to the extent retention is required by applicable law.
Processor shall complete the return or deletion within 30 days of termination and shall certify in writing that deletion has been completed upon Controller's request.
11.3 Continuing Obligations
The confidentiality and security obligations of this DPA shall survive termination.
12. Liability
Each party's liability under this DPA shall be subject to the limitations of liability set forth in the Agreement.
13. Governing Law
This DPA shall be governed by the laws of the State of Delaware, without regard to its conflict of law principles.
14. Contact
Questions regarding this DPA or data processing activities may be directed to:
nMetric, LLC
1710 Keller Parkway #1996
Keller, TX 76248
privacy@nmetric.com


