Amendment Five to Manufacturing Services Agreement, dated October 5, 2020, by and between Nutanix, Inc., Nutanix Netherlands B.V. and Flextronics Telecom Systems, Ltd and its affiliates

Contract Categories: Business Operations - Services Agreements
EX-10.6 5 ex106-10312020x10q.htm EX-10.6 Document

Exhibit 10.6


This Amendment Five (“Amendment Five”) to the Manufacturing Services Agreement (“Agreement”) by and between Flextronics Telecom Systems, Ltd and its Affiliates (“Flextronics”) and Nutanix, Inc. and Nutanix Netherlands B.V. (together known as “Nutanix”) is entered into as of October 5, 2020 (“Amendment Effective Date”). Collectively Flextronics and Nutanix are referred to as the “Parties”.
A. The Parties entered into the Agreement as of November 1, 2017.
B. The parties now desire to amend the Agreement to amend certain terms related to compliance and Counterfeit Components.
NOW THEREFORE, in consideration of the foregoing, and for good and valuable consideration, the sufficiency of which is hereby acknowledged, the Parties agree as follows:
1.The following definitions are added:
a."Nutanix Data" means any data that is protected as "personal data" or "personal information" under applicable privacy laws or any data about Nutanix’s business operations, customers, vendors, strategy, pricing or any other information that should reasonably be considered confidential and that may be provided to Flextronics under this agreement.
b."Data Security Incident" means: any unauthorized access or unlawful breach of security leading to, or reasonably believed to have led to, the theft, accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to any Nutanix Data.
2.Section 12.5 “Counterfeit Components” is amended to add the following sentence:
If a Counterfeit Component is detected or known by Flextronics, Flextronics shall use commercial reasonable efforts to notify Nutanix of such.
3.Section 12.5.1 is deleted in its entirety and replaced with the following:
Any Counterfeit Components discovered in the Products must be immediately replaced at Flextronics’s expense even if such detection occurs after the warranty period described in Section 15; provided that these Components were procured by a supplier solely selected by Flextronics, including any Flextronics-selected supplier that is performing RMA or repair activities. Notwithstanding the foregoing, if Nutanix executes a release form or otherwise expressly authorizes Flextronics to purchase from certain vendors, distributors or brokers, then Flextronics shall not be liable for the quality of components or for any Counterfeit Components.
4.Section 20, “CONFIDENTIAL INFORMATION” is amended to add the following sections:
a.20.2 Flextronics shall notify Nutanix of any Data Security Incident within forty-eight (48) hours of the discovery of such Data Security Incident by providing notice in writing to: and
b.20.3 Flextronics agrees to the Nutanix Vendor Data Processing Agreement (“DPA”) attached hereto as Attachment 1 and such DPA is incorporated into the Agreement as Exhibit I.

5.No other changes are made to the Agreement, and following the Amendment Effective Date, all references to the “Agreement” shall include the amendments incorporated by this Amendment Four.

IN WITNESS WHEREOF, the parties have executed this Amendment as of the Amendment Effective Date.
By: /s/ David Sangster
Name: David Sangster
Title: Chief Operating Officer, Nutanix
Date: 10/5/2020
By: /s/ Aaron Boynton
Name: Aaron Boynton
Title: Managing Director A
Date: 10/5/2020
By: /s/ Servais Willie Ngabo
Name: Servais Willie Ngabo
Title: Managing Director B
Date: 10/5/2020

By: /s/ B. Vijayandran A/L S. Balasingam
Name: B. Vijayandran A/L S. Balasingam
Title: Director
Date Oct 14, 2020

Attachment 1:
Nutanix – Vendor Data Processing Addendum
This Data Processing Addendum ("Addendum" or “DPA”) sets out the terms that apply as between Nutanix and Flextronics Telecom Systems, Ltd. (“Company”) when processing EEA personal data in connection with the Manufacturing Services Agreement dated November 1, 2017 (the “Agreement”) and forms part of the Agreement between the parties. Capitalized terms used in this Addendum shall have the meanings given to them in the Agreement, the Model Clauses, or unless otherwise defined in this Addendum.
1.Definitions: (a) "controller," "processor," "data subject," and "processing" (and "process") shall have the meanings given to them in Applicable Data Protection Law; (b) "Applicable Data Protection Law" means any and all applicable privacy and data protection laws and regulations applicable to the Personal Data in question, including, where applicable, EU Data Protection Law and California Consumer Privacy Act (CCPA) (in each case, as may be amended, superseded or replaced from time to time); (c) "EU Data Protection Law" means: (i) the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"); and (ii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iii) any national data protection laws made under or pursuant to clause (i) or (ii); (d) "Personal Data" means any information relating to an identified or identifiable natural person to the extent that such information is protected as personal data under Applicable Data Protection Law; (e) “Model Clauses” means the Standard Contractual Clauses for Controllers as approved by the European Commission and available at (as amended, superseded or updated from time to time); and (f) “CCPA” means Title 1.81.5 California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100–1798.199).
2.Purposes of processing. The parties acknowledge that in connection with the Agreement, each party may provide or make available to the other party Personal Data. Each party shall process such data: (i) for the purposes described the Agreement; and/or (ii) as may otherwise be permitted under Applicable Data Protection Law.
3.Relationship of the parties. Each party will process the copy of the Personal Data in its possession or control as an independent controller with the other party.
4.Compliance with law. Each party shall separately comply with its obligations under Applicable Data Protection Law and this Addendum when processing Personal Data. Neither party shall be responsible for the other party's compliance with Applicable Data Protection Law. In particular, each party shall be individually responsible for ensuring that its processing of the Personal Data is lawful, fair and transparent, and shall make available to data subjects a privacy statement that fulfils the requirements of Applicable Data Protection Law.
5.International transfers. Where Applicable Data Protection Law in the European Economic Area ("EEA"), United Kingdom and/or Switzerland (collectively for the purposes of this Addendum, the "EU'), applies to the Personal Data ("EU Personal Data"), neither party shall process any EU Personal Data (nor permit any EU Personal Data to be processed) in a territory outside of the EU unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. To the extent either party transfers EU Personal Data in a territory outside the EU that does not provide adequate protection for Personal Data (as determined by Applicable Data Protection Law), both parties agree to abide by and process such EU Personal Data in accordance with the Model Clauses, which are hereby incorporated by reference in, and form an integral part of, this Addendum.
6.Security. Each party shall implement and maintain all appropriate technical and organizational measures to protect any copies of the Personal Data in their possession or control from (i) accidental or unlawful destruction, and (ii) loss, alteration, or unauthorised disclosure or access and to preserve the security and confidentiality of such Personal Data. Each party shall notify the other party without undue delay (but no later than seventy-two (72) hours) on becoming aware of any breach of EU Data Protection Law/Applicable Data Protection Law. Both parties to ensure that the level of security of personal data processed by them is appropriate to the risk, pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to each Party. Each party shall provide

notification of a Security Breach to the competent supervisory authority or the affected data subject(s), as required by Articles 33 and 34 of GDPR.
7.Cooperation and data subjects' rights. In the event that either party receives: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure, restriction or data portability, as applicable); or (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Personal Data (collectively, "Correspondence"), then where such Correspondence relates to processing conducted by the other party, it shall promptly inform the other party and the parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfil their respective obligations under Applicable Data Protection Law. In the event additional documents are required for either party’s compliance purposes, the parties each agree to cooperate in executing such compliance related documents.
8.Records of Processing Activities. Each Data Controller agrees to maintain a record of processing activities of personal data under its responsibility, in accordance with Article 30 of the GDPR.
9.Processors. Each party shall only engage a processor, after duly notifying the other party of such engagement, to process the personal data on its behalf if that processor provides sufficient guarantees, by way of a written contract or other legal act under European Union or Member State law, that it will implement the same data protection obligations as this Addendum and the requirements of the Regulation.
10.Indemnity. Each party shall indemnify (the “Indemnifying Party”) the other party, including its subsidiaries, affiliates, officers, directors, agents (the “Indemnified Party”), from any and all third party claims and resulting fines, sanctions, claims, losses, liabilities, damages, costs and expenses demands, reasonable attorneys’ fees, consultants’ fees and court costs (collectively, “Claims”) to the extent that such Claims arise from, or may be in any way attributable to (i) any violation by the Indemnifying Party of its obligations under this Data Privacy Addendum; and (ii) the negligence, gross negligence, bad faith, or intentional or willful misconduct of the Indemnifying Party or its personnel in connection with obligations set forth in this Data Privacy Addendum. The parties agree that the foregoing indemnification obligations shall (a) amend and replace any existing indemnification obligations under the Services Agreement (and any amendments thereto) with respect to the protection of Personal Data; and (b) apply irrespective of the location where such Claim is made, filed or adjudicated, and irrespective of any choice of law/forum language in the Services Agreement.
Nothing within the Agreement or this DPA relieves the parties of their own direct responsibilities and liabilities under the GDPR.
11.Termination. This DPA constitutes an integral part of the Agreement and shall automatically terminate upon termination of the Agreement. If either party wishes to terminate its participation in the DPA, it may do so by providing written notice to the other party duly specifying the reason for its termination, at least 60 days prior to proposed termination.
Notwithstanding the expiry or termination of this agreement for any reason the provisions of this DPA shall continue to apply to any personal data in the possession of either party which was covered by the DPA.
12.Dispute Resolution. In the event of a dispute or claim brought by a data subject or an EEA or UK data protection authority concerning the processing of personal data against either or both of the parties, the parties will inform each other about any such disputes or claims without undue delay and will cooperate with a view to settling them amicably in a timely fashion.
13.Further Amendments. Except as expressly provided in this DPA, the parties intend no amendment or modification of the Agreement.

Nutanix, Inc.
Flextronics Telecom Systems, Ltd.
By: /s/ David Sangster
By: /s/ B. Vijayandran A/L S. Balasingam
Name: David Sangster
Name: B. Vijayandran A/L S. Balasingam
Title: Chief Operating Officer, Nutanix
Title: Director
Date: 10/5/2020
Date: Oct 14, 2020