Data Processing Addendum (DPA)
This Data Processing Agreement (“DPA”) forms an integral part of, and is subject to, the Novacy Subscription Terms available at https://www.novacy.io/subscription-terms (the “Principal Agreement”) entered into by and between Company (hereinafter referred to as “Controller” or “Client”) and Novacy ltd (hereinafter referred to as “Processor” or “Novacy”). Controller and Processor are hereinafter jointly referred to as the “Parties” and individually as a “Party.” Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement.
Definitions. In addition to capitalized terms defined elsewhere in this DPA, the following terms shall have the meanings set forth opposite each one of them:
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity;
- “Applicable Laws” means (a) European Union or Member State laws with respect to any Controller Personal Data in respect of which Controller is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Controller Personal Data in respect of which the Controller is subject to any other Data Protection Laws;
- “Authorized Personnel” means any person who processes Controller Personal Data on Processor’s behalf, including Processor’s employees, officers, partners, principals, contractors and Sub Processors;
- “CCPA” means the California Civil Code Section 1798.100-1798.199;
- “Controller Personal Data” means any Personal Data Processed by Novacy on behalf of the Client pursuant to or in connection with the Principal Agreement, including without limitation, information pertaining to an End-User;
- "Data Protection Laws" means, as applicable in connection with the Processing of Controller Personal Data under the Principal Agreement, (a) EU Data Protection Laws, or (b) CCPA and any legislation and/or regulation implementing or made pursuant to the GDPR and the CCPA, or which amends or replaces any of them;
- "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
- "GDPR" means EU General Data Protection Regulation 2016/679;
- “User(s)” shall have the meaning ascribed to it under the Principal Agreement;
- "Restricted Transfer" means (i) a transfer of Controller Personal Data from Controller to Processor; or (ii) an onward transfer of Controller Personal Data from a Processor to a Sub Processor, or between two establishments of Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of a legal transfer mechanism to be established under this DPA, including without limitation the applicable Standard Contractual Clauses;
- "Sub Processor" means any person (including any third party and any Processor Affiliate, but excluding an employee of Processor or any of its sub-contractors) appointed by or on behalf of Processor or any Processor Affiliate to Process Personal Data on behalf of the Controller in connection with the Principal Agreement;
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR and adopted by the European Commission Decision 2021/914 of 4 June 2021, which are incorporated herein for convenience by linked reference: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN.
- The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processor", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR.
- The terms “Service Provider”, “Sell”, “Sub-Contractor” and “Consumer” shall be interpreted in accordance with the CCPA. Where applicable, references to Processor shall also refer to ‘Service Provider’, references to Sub Processor shall also refer to ‘Sub-Contractor’ and references to Data Subject shall also refer to ‘Consumer’.
Roles of the Parties; Processing of Controller Personal Data
- In the scope of Novacy’s processing of Controller Personal Data, as between the Parties, for the purposes of this DPA only, and except where otherwise indicated, Novacy shall be deemed the Data Processor/Service Provider and Client shall be deemed the Data Controller (or its equivalent under the CCPA).
- Novacy shall be deemed the Controller (as such a term is defined under the EU Data Protection Laws) with respect to any Personal Data provided to it by an individual who is a User when such data is provided without relation to the provision of Services under the Principal Agreement, and shall be individually and separately responsible for complying with the obligations that apply to it as a separate and independent Controller under the GDPR.
- Processor shall not Process Controller Personal Data other than on the Controller’s documented reasonable and customary instructions as specified in the Principal Agreement or this DPA that were specifically and explicitly agreed to by Processor, unless such Processing is required by Applicable Laws to which the Processor is subject.
- Controller instructs Processor (and authorizes Processor to instruct each Sub Processor) to (i) Process Controller Personal Data; and (ii) in particular, transfer Controller Personal Data to any country or territory, in each case as reasonably necessary for the provision of the services provided under the Principal Agreement and consistent with Section 2.1 above and the Principal Agreement, and in accordance with Applicable Laws.
- Furthermore, Controller warrants and represents that it is and will remain duly and effectively authorized to give the instructions set out in Section 2.2 and any additional instructions as provided pursuant to the Principal Agreement and/or in connection with the performance thereof, on behalf of itself and each relevant Controller Affiliate, at all relevant times and at least for as long as the Principal Agreement is in effect and for any additional period during which Processor is lawfully processing the Controller Personal Data.
- Controller sets forth the details of the Processing of Controller Personal Data, as required by article 28(3) of the GDPR in Annex 1 (Details of Processing of Controller Personal Data), attached hereto.
- Without derogating from Controller’s obligations hereunder, including under the Principal Agreement, Controller may only provide to Processor, or otherwise have Processor (or anyone on its behalf) process, such Controller Personal Data types and parameters which are explicitly permitted under Controller’s Privacy Policy as described in the Principal Agreement (the “Permitted Controller Personal Data”). Solely Controller (and not Processor) shall be liable for any data which is provided or otherwise made available to Processor or anyone on its behalf in excess of the Permitted Controller Personal Data (“Excess Data”). Processor obligations under the Principal Agreement or this DPA shall not apply to any such Excess Data.
Processor Personnel.
Processor shall take reasonable steps to ensure that access to the Controller Personal Data is limited on a need to know/access basis, and that all Processor personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access/use of Controller Personal Data.
Security.
Processor shall, in relation to the Controller Personal Data, implement appropriate technical and organizational measures to ensure an appropriate level of security, including, as appropriate and applicable, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, Processor shall take into account the risks that are presented by Processing, in particular from a Personal Data Breach.
Sub Processing
- Controller authorizes Processor and each Processor Affiliate to appoint (and permit each Sub Processor appointed in accordance with this Section 5 to appoint) Sub Processors in accordance with this Section 5 and any restrictions in the Principal Agreement.
- Processor and each Processor Affiliate may continue to use those Sub Processors already engaged by Processor or any Processor Affiliate as of the date of this DPA, including for the purpose of cloud hosting services by reputable Sub Processors, as well as any Sub Processors whom Controller requested Processor to use. A current list of Sub Processors is attached hereto as Annex 2.
- Processor may appoint new Sub Processors and shall give notice of the appointment of any new Sub Processor (for instance by e-mail), whether by general or specific reference to such Sub Processor (e.g., by name or type of service), including relevant details of the Processing to be undertaken by the new Sub Processor. If, within seven (7) days of such notice, Controller notifies Processor in writing of any objections (on reasonable grounds) to the proposed appointment, Processor shall not appoint for the processing of Controller Personal Data the proposed Sub Processor until reasonable steps have been taken to address the objections raised by Controller, and Controller has been provided with a reasonable written explanation of the steps taken. Where such steps are not sufficient to relieve Controller’s reasonable objections then Controller or Processor may, by written notice to the other Party, with immediate effect, terminate the Principal Agreement to the extent that it relates to the Services which require the use of the proposed Sub Processor without bearing liability for such termination.
- With respect to each new Sub Processor, Processor shall:
- before the Sub Processor first Processes Controller Personal Data, take reasonable steps (for instance by way of reviewing privacy policies as appropriate) to ensure that the Sub Processor is committed to provide the level of protection for Controller Personal Data required by the Principal Agreement; and
- ensure that the arrangement between the Processor and the Sub Processor is governed by a written contract, including terms which offer materially similar level of protection for Controller Personal Data as those set out in this DPA that meet the requirements of Applicable Laws.
Data Subject Rights
- Controller shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under Data Protection Laws (e.g., for access, rectification, deletion of Controller Personal Data, etc.). Taking into account the nature of the Processing, Processor shall reasonably endeavour to assist Controller insofar as feasible, to fulfil Controller's said obligations with respect to such Data Subject requests, as applicable, at Controller’s sole expense.
Processor shall:
- promptly notify Controller if it receives a request from a Data Subject under any Data Protection Law in respect of Controller Personal Data; and
- ensure that it does not respond to that request except on the documented instructions of Controller or as required by Applicable Laws to which the Processor is subject, in which case Processor shall, to the extent permitted by Applicable Laws, inform Controller of that legal requirement before it responds to the request.
Personal Data Breach
- Processor shall notify Controller without undue delay upon Processor becoming aware of a Personal Data Breach affecting Controller Personal Data, in connection with the Processing of such Controller Personal Data by the Processor or Processor Affiliates. In such event, Processor shall provide Controller with information (to the extent in Processor’s possession) to assist Controller to meet any obligations to inform Data Subjects or Data Protection authorities of the Personal Data Breach under the Data Protection Laws.
- At the written request of the Controller, Processor shall reasonably cooperate with Controller and take such commercially reasonable steps as are agreed by the Parties or necessary under Data Protection Laws to assist in the investigation, mitigation and remediation of each such Personal Data Breach, at Controller’s sole expense.
Data Protection Impact Assessment and Prior Consultation.
At the written request of the Controller, the Processor and each Processor Affiliate shall provide reasonable assistance to Controller, at Controller's expense, with any data protection impact assessments or prior consultations with Supervisory Authorities or other competent data privacy authorities, as required under any applicable Data Protection Laws. Such assistance shall be solely in relation to Processing of Controller Personal Data by the Processor.
Deletion or return of Controller Personal Data
- Subject to Section 9.2, Processor shall promptly, and in any event within sixty (60) days of the date of cessation of any services involving the Processing of Controller Personal Data (the "Cessation Date"), delete or anonymize all copies of that Controller Personal Data, except such copies as are authorized (including under the Principal Agreement and this DPA) or required to be retained in accordance with applicable law and/or regulation. Without derogating from the foregoing, Processor may also retain one copy of the Controller Personal Data solely for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or for compliance with legal obligations.
- Subject to the Principal Agreement, Processor may retain Controller Personal Data to the extent authorized or required by Applicable Laws, provided that Processor shall ensure the confidentiality of all such Controller Personal Data and shall ensure that it is only processed for such legal purpose(s).
Audit Rights
- Subject to Sections 10.2 and 10.3, Processor shall make available to a reputable auditor mandated by Controller in coordination with Processor, upon prior written request, such information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor mandated by the Controller in relation to the Processing of the Controller Personal Data by the Processor, provided that such third-party auditor shall be subject to confidentiality obligations.
- Provisions of information and audits are and shall be at Controller’s sole expense and may only arise under Section 10.1 to the extent that the Principal Agreement does not otherwise give Controller information and audit rights meeting the relevant requirements of the applicable Data Protection Laws. In any event, all audits or inspections shall be subject to the terms of the Principal Agreement, and to Processor's obligations to third parties, including with respect to confidentiality.
- Controller shall give Processor reasonable prior written notice of any audit or inspection to be conducted under Section 10.1 and shall use (and ensure that each of its mandated auditors uses) its best efforts to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to the Processor's premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. Processor need not give access to its premises for the purposes of such an audit or inspection:
- to any individual unless he or she produces reasonable evidence of identity and authority;
- if Processor was not given a written notice of such audit or inspection at least 2 weeks in advance;
- outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Controller has given notice to Processor that this is the case before attendance outside those hours begins;
- for premises outside the Processor's control (such as data storage farms of Processor's cloud hosting providers);
- if more than one (1) audit or inspection, in respect of each Processor, already took place in the same calendar year, except for any additional audits or inspections which:
- Controller reasonably considers necessary because of genuine concerns as to Processor’s compliance with this DPA; or
- Controller is required to carry out by Data Protection Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory, where Controller has identified its concerns or the relevant requirement or request in its prior written notice to Processor of the audit or inspection.
Data Transfers.
- Client acknowledges that Novacy may operate and provide services outside the EU; therefore any transfer of EU Data Subjects' Personal Data shall be subject to (i) Adequacy Decisions; or (ii) Module II and Module III of the Standard Contractual Clauses, in which case Novacy shall be deemed the "Data Importer" and Client shall be deemed the "Data Exporter", and Annex 1 shall apply to Module II (Data Controller to Data Processor transfer) and Module III (Data Processor to Data Processor transfer).
- If Novacy engages a Sub-Processor, in accordance with Section 5, for carrying out specific processing activities (on behalf of Client), Novacy and the Sub-Processor shall ensure compliance with GDPR Chapter V by using the Standard Contractual Clauses. In such event, Novacy shall be deemed as the Data Exporter and the Sub-Processor shall be deemed as the Data Importer. For the purposes of such engagement, Novacy and the Sub-Processor will enter into Module III of the Standard Contractual Clauses.
- Specifically, EU-US Transfers: Following Schrems II, Case No. C-311/18, and related guidance from supervisory authorities, the Parties acknowledge that supplemental measures may be needed with respect to EU-U.S. data transfers where Personal Data may be Processed in the US. The Parties acknowledge and warrant that Novacy’s EU operations involve merely ordinary commercial services, and that any EU-U.S. transfers of Personal Data contemplated by this DPA involve ordinary commercial information, which is not the type of data that is of interest to, or generally subject to, surveillance by U.S. intelligence agencies. Accordingly, Novacy acknowledges that it will not provide access to Data Subject Personal Data to any US government or intelligence agency, except where, following consultation with its legal advisors, it is necessary under US law or a valid and binding order of a government authority (such as pursuant to a court order). In any such case, Novacy will attempt to redirect the law enforcement agency to request the data directly from Client. Unless Novacy is legally prohibited from doing so, in any such case Novacy will: (1) promptly give Client and the Data Subject concerned written notice of such demand in order to allow Client to seek recourse or another appropriate remedy to adequately protect the privacy of the Data Subject's Personal Data; and (2) in any event, provide access only to such Personal Data as is strictly required by the relevant law or binding order (having used reasonable efforts to minimize and limit the scope of any such access), as determined solely by Novacy’s legal advisors.
General Terms
Governing Law and Jurisdiction.
- The Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
- This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.
Order of Precedence.
Nothing in this DPA reduces Processor’s obligations under the Principal Agreement in relation to the protection of Personal Data or permits Processor to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Principal Agreement. In the event of any conflict or inconsistency between this DPA and the Principal Agreement, this DPA shall prevail solely with respect to the subject matter of this DPA and solely if such conflict or inconsistency originates from the requirements of Article 28 of the GDPR (except where explicitly agreed otherwise in writing, signed on behalf of the Parties). This DPA is not intended to, and does not in any way, limit or derogate from Controller’s own obligations and liabilities towards the Processor under the Principal Agreement, and/or pursuant to the GDPR or any law applicable to Controller, in connection with the collection, handling and use of Personal Data by Controller or its Affiliates or other processors or their sub-processors, including with respect to the transfer or provision of Personal Data to Processor and/or providing access thereto to Processor.
Subject to this Section 12.2, with regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the Parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.
Changes in Data Protection Laws.
- Controller may by at least forty-five (45) calendar days' prior written notice to Processor, request in writing any variations to this DPA if they are required, as a result of any change in, or decision of a competent authority under any applicable Data Protection Law, to allow Processing of those Controller Personal Data to be made (or continue to be made) without breach of that Data Protection Law; and
- If Controller gives notice with respect to its request to modify this DPA under Section 11.3.1:
- Processor shall make commercially reasonable efforts to accommodate such modification request; and
- Controller shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Processor to protect the Processor against additional risks, or to indemnify and compensate Processor for any further steps and costs associated with the variations made herein.
- If Controller gives notice under Section 11.3.1, the Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Controller's notice as soon as is reasonably practicable. In the event that the Parties are unable to reach such an agreement within 30 days, then Controller or Processor may, by written notice to the other Party, with immediate effect, terminate the Principal Agreement to the extent that it relates to the Services which are affected by the proposed variations (or lack thereof).
Severance.
Should any provision of this DPA be deemed invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
IN WITNESS WHEREOF, this DPA is entered into and becomes a binding part of the Agreement with effect from the later date set out below.
Controller: [Client]
Signature ______________________________
Name _________________________________
Title __________________________________
Date __________________________________
Processor: Novacy ltd.
Signature ______________________________
Name _________________________________
Title __________________________________
Date ________________________
Annex 1: Details Of Processing Of Controller Personal Data
This Annex 1 includes certain details of the Processing of Controller Personal Data as required by Article 28(3) GDPR.
Data exporter:
Name:
Contact Person Name:
Contact Person Position:
Contact Person Email:
Data importer:
Name: Novacy ltd
Contact Person Name: Uria Franko
Contact Person Position: CTO
Contact Person Email: [email protected]
Subject matter and duration of the Processing of Controller Personal Data. The subject matter and duration of the Processing of the Controller Personal Data are set out in the Principal Agreement.
The nature and purpose of the Processing of Controller Personal Data: the purposes of Processing Controller Personal Data shall include the following: (i) performance, management and enforcement of the Agreement, this DPA, and, to the extent applicable, other contracts executed by the Parties, including with respect to the provision of support and technical maintenance; (ii) setting up applicable Novacy Accounts for Client Users; (iii) for Novacy to comply with Client’s instructions where such instructions are consistent with the terms of the Principal Agreement; (iv) resolving disputes; (v) defending Novacy’s rights; (vi) compliance with applicable laws and regulations, including where such compliance entails cooperation with local and foreign tax authorities; and any and all tasks related to the foregoing.
The types of Controller Personal Data to be Processed are as follows:
- Full name
- Email address
- IP address
- Audiovisual content: (1) recordings of video-based calls; (2) photos.
The categories of Data Subjects to whom the Controller Personal Data relates are as follows:
- Client User (as defined under the Principal Agreement)
- End-User (as defined under the Principal Agreement)
The competent supervisory authority, in accordance with Clause 13 of the SCCs, must be (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter's EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located.
Annex 2: List of approved Sub-Processors
To support the delivery of Services, Novacy (or one of its Affiliates) may engage third-party service providers, referred to as Sub-processors. This section provides the name, purpose and location for each Sub-processor. Please refer to our Privacy Policy for more information.
- Frontegg, EU - user management platform. Privacy policy https://frontegg.com/privacy-policy
- Pendo, USA - feature and service adoption, in-app guides and analytics. Privacy policy https://www.pendo.io/legal/privacy-policy
- Microsoft Clarity, USA - user behavior analytics tool. Privacy policy https://privacy.microsoft.com/en-us/privacystatement
- Mixpanel, Netherlands - product analytics tool. Privacy policy https://mixpanel.com/legal/privacy-policy
- MailChimp, USA - Transactional emails. Privacy policy https://www.intuit.com/privacy/statement
- Google Analytics - web analytics. Privacy policy http://www.google.com/policies/privacy
- Google Optimize - testing tool. Privacy policy https://policies.google.com/privacy?hl=en
- Calendly, USA - meeting scheduling. Privacy policy https://calendly.com/privacy
- Webflow, Ireland - website forms. Privacy policy https://webflow.com/legal/privacy
- Hubspot, Germany - CRM and chatbot. Privacy policy https://legal.hubspot.com/privacy-policy
- Sentry, USA - error tracking. Privacy policy https://sentry.io/privacy
- MongoDB, Ireland - database. Privacy policy https://www.mongodb.com/legal/privacy-policy
- Amazon, USA - cloud computing. Privacy policy https://aws.amazon.com/privacy