This Data Processing Addendum including any schedules, exhibits, or appendices attached hereto (the “DPA”) supplements all service agreements between the parties including, without limitation and as applicable, the Subscription Services Agreement, Order Form, the Professional Services Agreement, and Statement of Work, as any may be amended from time to time (“Agreement”) between Subscriber and nCino. This DPA applies to the Processing of Personal Data by nCino on behalf of the Subscriber in connection with the Services. All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.
1. Definitions.
1.1 “Data Controller” means an entity that determines the purposes and means of the Processing of Personal Data.
1.2 “Data Processor” means an entity that Processes Personal Data on behalf of a Data Controller.
1.3 “Data Protection Laws” means all local, state, federal, or international laws, regulations, ordinances, or treaties relating to the privacy or protection of Personal Data, including, but not limited to, the European Area Law, U.S. state privacy laws (such as the California Consumer Protection Act of 2018 (“CCPA”)), and any subsequent supplements, amendments, or replacements to the same, all as applicable to each party.
1.4 “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
1.5 “European Area” means the European Union, European Economic Area, Switzerland, and the United Kingdom of Great Britain and Northern Ireland (“UK”).
1.6 “European Area Law” means (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Addendums etc.) (EU Exit) Regulations 2019 (SI 2019/419) (collectively “UK Data Protection Law”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); (iv) the Swiss Federal Act on Data Protection of 25 September 2020 (Status as of 1 September 2023) (“Swiss DPA”); (v) any successor amendments or implementing acts thereto (including without limitation implementation of GDPR by member states into their national law); or (vi) any other law relating to the privacy or protection of Personal Data that applies in the European Area.
1.7 “Personal Data” means Subscriber Data that relates to an identified or identifiable natural person or as otherwise defined under applicable Data Protection Laws.
1.8 “Personal Data Breach” means a breach of Personal Data requiring notification as set forth in applicable Data Protection Laws.
1.9 “Processing” means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, retention, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, transfer, disclosure by transmission, or dissemination. “Process,” “Processes,” and “Processed” will be interpreted accordingly.
1.10 “Standard Contractual Clauses” or “SCCs” means (i) the standard contractual clauses for cross-border transfers published by the European Commission on June 4, 2021 governing the transfer of European Area Personal Data to third countries as adopted by the European Commission (“EU SCCs”); (ii) the international data transfer addendum (“UK SCCs”) approved by the UK Parliament for data transfers from the UK to third countries; or (iii) any similar such clauses adopted by a data protection regulator relating to Personal Data transfers to third countries, such as the Swiss DPA, including without limitation any successor clauses thereto.
1.11 “Sub-processor” means any other Data Processors, including Affiliates, engaged by nCino to Process Personal Data in connection with the Services.
2. Scope and Applicability of this DPA.
This DPA applies where and only to the extent that nCino Processes Personal Data on behalf of Subscriber as a Data Processor in the course of providing the Services.
3. Roles and Scope of Processing.
3.1 Role of the Parties. Under this DPA and the Agreement, Subscriber is the Data Controller and nCino is the Data Processor (also referred to as a “service provider” under the CCPA).
3.2 Compliance with Data Protection Laws. nCino will comply with Data Protection Laws that apply to the provision of the Services. Subscriber will comply with Data Protection Laws relating to its Processing of Personal Data. Subscriber will have sole responsibility for the accuracy, quality, and lawful collection of Personal Data and the means by which Subscriber obtained the Personal Data. Subscriber will not provide or cause to provide any Personal Data or information that is not necessary for nCino to provide the Services identified in the Agreement or for the parties’ compliance with the Agreement. Subscriber is solely responsible for providing Data Subjects with appropriate notice and obtaining all necessary consents, authorizations, or approvals for the Processing of any Personal Data as part of the Services. If nCino determines it can no longer meet its obligations under applicable Data Protection Laws, and if required by applicable Data Protection Laws, nCino will notify Subscriber without undue delay.
3.3 Details of Processing. Exhibit 1 (Details of Data Processing) describes the subject matter and details of the Processing of Personal Data.
3.4 Subscriber Instructions. nCino will Process Personal Data only on behalf of Subscriber and for (i) the limited and specific business purposes as set out in Exhibit 1, (ii) in accordance with Subscriber’s instructions, including as described in the Agreement, and (iii) as necessary for nCino to provide the Services under the Agreement. Subscriber will ensure its Processing instructions are lawful and that the Processing of Personal Data in accordance with such instructions will not violate applicable Data Protection Laws. The parties agree that the Agreement (including this DPA) sets out the complete instructions to nCino for all Processing of Personal Data.
3.5 No Combination of Personal Data; No Sale or Sharing of Personal Data. nCino, in its role as Processor, will not (i) combine Personal Data with other personal data it receives from or on behalf of another person or persons, or collects from its own interaction with an individual or (ii) process Personal Data outside of the direct business relationship between nCino and Subscriber; provided, however, that nCino may perform such combination or processing for any business purpose permitted or required under the Agreement to perform the Services. nCino will not independently “sell” or “share” Personal Data (as such terms are defined under CCPA and other U.S. Data Protection Laws). With respect to Personal Data subject to CCPA, Subscriber may, with prior notice to and coordination with nCino, take reasonable and appropriate steps designed to (i) ensure that nCino Processes Personal Data in compliance with this DPA and applicable Data Protection Laws, which are set forth in and subject to the obligations set forth in Section 6 of this DPA regarding audit rights; and (ii) stop and remediate unauthorized Processing of Personal Data.
3.6 No Assessment of Personal Data by nCino. nCino will not assess the contents or accuracy of Personal Data, including to identify information subject to any specific legal, regulatory, or other requirement. Subscriber is responsible for making an independent determination as to whether its use of the Services will meet Subscriber’s requirements and legal obligations under Data Protection Laws.
4. Sub-Processing.
4.1 Authorized Sub-Processors. Subscriber provides nCino with a general authorization to engage Sub-processors, including nCino Affiliates. nCino may change Sub-processors pursuant to Section 4.3 below.
4.2 Sub-processor Obligations. nCino will: (i) enter into a written agreement with each Sub-processor imposing data protection obligations and security measures materially no less protective of Personal Data as nCino’s obligations under this DPA to the extent applicable to the services provided by the Sub-processor in connection with the Services and (ii) remain liable for each Sub-processor’s compliance with the obligations under this DPA.
4.3 Changes to Sub-processors. nCino will provide Subscriber no less than fourteen (14) days prior written notice of its intention to appoint any new Sub-processor. nCino will provide such notice via i) email at least fourteen (14) days in advance of allowing the new Sub-processor to Process Personal Data, or ii) nCino Community.
5. Security.
5.1 Security Measures. nCino has implemented and maintains reasonable and appropriate technical and organizational measures regarding the protection of Personal Data Processed.
5.2 Certifications. nCino has obtained the third-party certifications and audits evaluating the Measures and will make those reports available upon request in accordance with the Agreement.
5.3 Confidentiality of Processing. nCino will ensure that any person who is authorized by nCino to Process Personal Data (including its staff, agents and subcontractors) will be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
6. Subscriber Audit Rights.
6.1 nCino will make available to Subscriber access to reasonably requested documentation evidencing nCino’s compliance with its obligations under this DPA.
6.2 Upon Subscriber’s reasonable request, nCino will complete a security questionnaire or provide other information to Subscriber relating to this DPA and applicable Data Protection Laws.
6.3 If the Subscriber in its reasonable opinion determines that the information provided under Sections 6.1 and 6.2 is not sufficient to confirm nCino’s compliance with its obligations under this DPA, nCino will allow the Subscriber to conduct an audit solely as necessary to fulfill Subscriber's obligations under Data Protection Laws no more than once annually. Any such audit will occur at a mutually agreed upon date and time (but following no less than sixty (60) days' notice unless otherwise agreed in writing) and will be in accordance with a mutually agreed upon format, subject to the following:
a. Audits must not unreasonably interfere with nCino’s business or operations, and the scope of such audit will be subject to nCino’s reasonable pre-approval. Individuals responsible for conducting such audit will be subject to a contract of confidentiality with nCino. Each party will bear its own costs related to an audit.
b. nCino is not required to provide the Subscriber with (i) access to nCino’s or nCino’s Sub-processors’ systems or information in a manner that may compromise the security, privacy, or confidentiality of nCino’s other customers’ confidential information or (ii) physical access to nCino’s or Sub-processors’ environment. Any information disclosed pursuant to this Section 6 will be deemed nCino’s Confidential Information.
7. Data Transfers.
7.1 General Transfer Mechanisms. If Data Protection Laws prescribe specific rules for (i) Subscriber’s transfer of Personal Data to nCino from a country or jurisdiction or (ii) the onward transfer of Personal Data by nCino to a country or jurisdiction (collectively, a “Transfer Mechanism”), then nCino will, at its discretion, use such an appropriate Transfer Mechanism.
7.2 European Data Transfers. Under European Area Law, nCino consolidates the Processing of Personal Data via nCino Global Ltd. as the initial data recipient (“nCino Global”). nCino transfers data outside of the European Area as necessary to provide the Services and nCino Global, as exporter, will ensure the appropriate Transfer Mechanism for the export or onward transfer of Personal Data outside of the European Area. Upon written request by Subscriber, nCino will provide evidence of nCino’s evaluation of the level of privacy and security controls that takes account of the applicable additional measures, appropriate safeguards and risk considerations for the applicable third country transfer (including, where applicable, evidence of the conclusion of the SCCs between nCino and any applicable Sub-processors). If a Sub-processor fails to comply with its data protection obligations under the Transfer Mechanism, nCino will be liable to Subscriber for the performance of the Sub-processor’s obligations.
8. Personal Data Breach Response.
8.1 Personal Data Breach Reporting. If nCino becomes aware of a Personal Data Breach, nCino will notify Subscriber without undue delay per the notice provision in the Agreement. nCino will promptly take reasonable steps to contain, investigate, and mitigate any Personal Data Breach. nCino will provide Subscriber with reasonable cooperation and support to facilitate Subscriber’s investigation of the Personal Data Breach.
8.2 Personal Data Breach Communications. nCino will provide Subscriber timely information about the Personal Data Breach, including, to the extent nCino has knowledge of, the nature and consequences of the Personal Data Breach, the measures taken or proposed by nCino to mitigate or contain the Personal Data Breach, the status of nCino’s investigation, a contact point from which additional information may be obtained, and the categories and approximate number of data records concerned.
9. Cooperation.
9.1 Individual Rights. nCino will promptly notify Subscriber if nCino receives a request from a Data Subject relating to Subscriber’s use of the Services, including where the Data Subject seeks to exercise any of its rights under applicable Data Protection Laws (collectively, “Data Subject Request”). Subscriber will be responsible for responding to any such Data Subject Requests. To the extent Subscriber is unable to access the relevant Personal Data within the Services, upon Subscriber’s written request, nCino will provide commercially reasonable cooperation to assist Subscriber in responding to a Data Subject Request.
9.2 Additional Assistance. In the event that Subscriber instructs nCino to provide assistance which goes beyond the purchased functionality of the applicable Services, then nCino may charge Subscriber for any costs beyond the agreed upon fees to the extent it is not commercially reasonable for nCino to provide such assistance without charge (considering relevant factors such as volume of requests, complexity of instructions, and timescale requested).
9.3 Data Protection Impact Assessments. nCino will provide reasonably requested information regarding the Services to enable Subscriber to carry out data protection impact assessments or consultations with data protection authorities as required by Data Protection Laws, so long as Subscriber does not otherwise have access to the relevant information.
9.4 Disposal. nCino will delete Personal Data after the end of the applicable term for Services in accordance with its then-current retention and disposal policy or as further specified under the Agreement.
9.5 Government and Law Enforcement Inquiries. If nCino receives a demand to retain, disclose, or otherwise Process Personal Data from law enforcement or any other government or public authority (“Third-Party Demand”), then nCino will attempt to redirect the Third-Party Demand to Subscriber. Subscriber agrees that nCino can provide information to such third-party to the extent reasonably necessary to redirect the Third-Party Demand to Subscriber. If nCino cannot redirect the Third-Party Demand to Subscriber, then nCino will, to the extent legally permitted to do so, provide Subscriber reasonable notice of the Third-Party Demand as promptly as feasible under the circumstances to allow Subscriber to seek a protective order or other appropriate remedy. This section does not diminish nCino’s obligations under any applicable Transfer Mechanisms with respect to access by public authorities.
10. Relationship with Agreement.
10.1 Except as provided by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA will prevail to the extent of that conflict in connection with the Processing of Personal Data.
10.2 Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA and the Transfer Mechanisms, will be subject to the relevant limitations on liability set out in the Agreement.
10.3 In no event will this DPA benefit or create any right or cause of action on behalf of a third party, provided, that it will not restrict the rights or remedies available to individuals under Data Protection Laws or this DPA (including the Transfer Mechanisms).
10.4 Except to the extent otherwise mandated by Data Protection Laws, this DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.
Exhibit 1 to Data Processing Addendum - Details of Data Processing
1. Subject Matter: The subject matter of the Processing under this DPA is the Personal Data that nCino Processes on behalf of Subscriber.
2. Frequency and Duration: Notwithstanding expiration or termination of the Agreement, nCino will Process the Personal Data continuously and until deletion of all Personal Data pursuant to the Agreement.
3. Purpose: The purpose of Processing under this DPA is the provision of the Services pursuant to the Agreement.
4. Nature of Processing: nCino will perform Processing as needed for the purpose set out in Section 3, and to comply with Subscriber’s Processing instructions as provided in accordance with the Agreement and this DPA.
5. Location of Processing: nCino will Process Personal Data in i) the United States of America, ii) the European Area, iii) Australia, iv) South Africa, or at the locations set forth in the Agreement.
6. Retention Period. The period for which Personal Data will be retained and the criteria used to determine that period is determined by Subscriber during the term of the Agreement via Subscriber’s use and configuration of the Services.
7. Categories of Data Subjects: The categories of Data Subjects to which Personal Data relate are determined and controlled by Subscriber in its sole discretion, and may include, but are not limited to, Subscriber’s prospects, customers, business partners, vendors, employees, contractors, or other Authorized Users of the Services.
8. Categories of Personal Data: The types of Personal Data are determined and controlled by Subscriber and may include, but are not limited to: (a) identification and contact data (e.g. name, date of birth, email address, telephone number, title, address, government identifiers such as SSN), (b) transaction information related to how individuals use Subscriber’s services, (c) banking information (routing, account, loan numbers, loan values) or (d) IT information (e.g. IP addresses, cookie data, location data).
9. CCPA Permitted Business Purposes: In accordance with the CCPA, nCino will use Personal Data for the following business purposes, which purposes are described in more detail at Cal. Civ. Code § 1798.140(e): (a) helping to ensure security and integrity of the Services; (b) debugging; (c) short-term, transient use; (d) performing Services on behalf of Subscriber; (e) providing advertising and marketing Services, except for cross-context behavioral advertising; (f) internal research for technological development and demonstration; (g) maintaining the quality or safety of the Services; (h) to retain and employ another service provider or contractor as a subcontractor where the subcontractor meets the requirements for a service provider or contractor under CCPA; (i) to build or improve the quality of the Services nCino is providing to Subscriber; (j) to prevent, detect, or investigate data security incidents or protect against malicious, deceptive, fraudulent, or illegal activity; and (k) providing general support to Subscriber.