THIS DATA PROCESSING ADDENDUM (“ADDENDUM”) SUPPLEMENTS THE NOVA MASTER SERVICES AGREEMENT, AS APPLICABLE (THE “AGREEMENT”), ENTERED INTO BY AND BETWEEN THE CUSTOMER ENTITY THAT IS A PARTY TO THE AGREEMENT (“CUSTOMER”) AND NOVA ORBIS, INC. (“NOVA”), (COLLECTIVELY, THE “PARTIES”). BY ENTERING INTO THE AGREEMENT, CUSTOMER ENTERS INTO THIS ADDENDUM ON BEHALF OF ITSELF AND, TO THE EXTENT REQUIRED UNDER APPLICABLE DATA PROTECTION LAWS (DEFINED BELOW), IN THE NAME AND ON BEHALF OF ITS AFFILIATES (DEFINED BELOW), IF ANY. ANY TERMS NOT DEFINED IN THIS ADDENDUM SHALL HAVE THE MEANING SET FORTH IN THE AGREEMENT.
THIS ADDENDUM IS EFFECTIVE AS OF THE LATER OF (I) THE EFFECTIVE DATE SPECIFIED IN THE AGREEMENT OR (II) THE EFFECTIVE DATE STATED IN THE NOTICE POSTED OR PROVIDED TO YOU IN CONNECTION WITH THIS ADDENDUM. WE MAY AMEND THIS ADDENDUM FROM TIME TO TIME. THE REVISED VERSION WILL BE EFFECTIVE AT THE TIME WE POST IT ON OUR WEBSITE, UNLESS OTHERWISE NOTED. IF YOU DO NOT AGREE WITH ANY CHANGE TO THIS ADDENDUM, YOU MAY DISCONTINUE YOUR USE OF THE SERVICES.
1. Subject Matter and Duration.
a) Subject Matter. This Addendum
reflects the Parties’ commitment to abide by
Applicable Data Protection Laws (as defined below)
concerning the Processing of Customer Personal Data
in connection with Nova’s provision of services
under the Agreement. All capitalized terms that are
not expressly defined in this Data Processing
Addendum will have the meanings given to them in the
Agreement. If and to the extent language in this
Addendum or any of its Exhibits conflicts with the
Agreement, this Addendum shall control.
b) Duration and Survival. This Addendum will become legally binding upon the Effective Date of the Agreement or, if it is completed after the Effective Date of the Agreement, upon the date on which both Parties have entered into this Addendum. Nova will Process Customer Personal Data until the relationship terminates as specified in the Agreement. Nova’s obligations and Customer’s rights under this Addendum will continue in effect so long as Nova Processes Customer Personal Data.
2. Definitions.
For the purposes of this
Addendum, the following terms and those defined
within the body of this Addendum apply.
a) “Applicable Data Protection Law(s)” means all applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Customer Personal Data are subject. “Applicable Data Protection Laws” shall include, but not be limited to: (a) applicable laws of the European Economic Area and Switzerland, including the EU General Data Protection Regulation 2016/679 (“GDPR”), EU Member State laws supplementing the GDPR, and the Swiss Federal Act on Data Protection; (b) the UK Data Protection Act of 2018, and the UK General Data Protection Regulation (collectively, “UK GDPR”); (c) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 and its implementing regulations (collectively, the “CCPA”); (d) the Virginia Consumer Data Protection Act (“VCDPA”); (e) the Colorado Privacy Act (“CPA”); (f) the Connecticut Data Privacy Act (“CTDPA”); and (g) the Utah Consumer Privacy Act (“UCPA”).
b) “Authorized Persons” means (i)
personnel of Nova and (ii) Third Parties engaged by
Nova in accordance with Sections 3(c)-(e) of this
Addendum.
c) “Controller” means the natural or
legal person, public authority, agency or other body
which, alone or jointly with others, determines the
purposes and means of the Processing of Personal
Data, and includes, where applicable, a “business”
as that term is defined by the CCPA.
d) “Customer Personal Data” means Personal Data included in the Customer
Data. The Customer Personal Data and the specific
uses of the Customer Personal Data are detailed in
Exhibit A attached
hereto, as required by the GDPR. For clarity,
Customer Personal Data shall not include any End
User Data.
e) “EU SCCs” means the standard contractual clauses approved
by the European Commission in Commission Decision
2021/914 dated 4 June 2021, for transfers of
Customer Personal Data to countries not otherwise
recognized as offering an adequate level of
protection for Customer Personal Data by the
European Commission (as amended and updated from
time to time), as modified by Section 4(c) of this
Addendum.
f) “ex-EEA Transfer” means the transfer of Customer Personal Data,
which is Processed in accordance with the GDPR, from
Customer to Nova (or its premises) outside the
European Economic Area (the “EEA”),
and such transfer is not governed by an adequacy
decision made by the European Commission in
accordance with the relevant provisions of the GDPR.
g) “ex-UK Transfer” means the transfer of Customer Personal Data
covered by Chapter V of the UK GDPR, which is
Processed in accordance with the UK GDPR and the
Data Protection Act 2018, from Customer to Nova (or
its premises) outside the United Kingdom (the
“UK”), and such transfer is not
governed by an adequacy decision made by the
Secretary of State in accordance with the relevant
provisions of the UK GDPR and the Data Protection
Act 2018.
h) “Personal Data” shall have the meaning assigned to the terms
“personal data” or “personal information” under
Applicable Data Protection Law(s).
i) “Process,” “Processes,” “Processing,” “Processed” means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
j) “Processor” means a natural or
legal person, public authority, agency or other body
which Processes Customer Personal Data on behalf of
Customer subject to this Addendum, including where
applicable, any “service provider” as that term is
defined by the CCPA.
k) “Security Incident(s)” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data Processed by Nova.
l) “Services” means the Services and Professional Services, as defined in the Agreement.
m) “Standard Contractual Clauses” means the EU SCCs and the UK SCCs.
n) “Third Party(ies)” means Nova’s authorized contractors, agents,
vendors and third party service providers that
Process Customer Personal Data.
o) “UK Addendum” means the addendum
attached hereto as
Exhibit D.
p) “UK SCCs”
means the EU SCCs, as amended by the UK Addendum.
3. Data Use and Processing.
a) Compliance with Laws. Customer Personal Data shall be Processed in
compliance with the terms of this Addendum and all
Applicable Data Protection Law(s).
b) Documented Instructions. Nova and its
Third Parties shall Process Customer Personal Data
only in accordance with the documented instructions
of Customer or as specifically authorized by this
Addendum, the Agreement, or any applicable Service
Order. Nova will, unless legally prohibited from
doing so, inform Customer in writing if it
reasonably believes that there is a conflict between
Customer’s instructions and applicable law or
otherwise seeks to Process Customer Personal Data in
a manner that is inconsistent with Customer’s
instructions.
c) Authorization to Use Third Parties. To
the extent necessary to fulfill Nova’s contractual
obligations under the Agreement or any Service
Order, Customer hereby authorizes (i) Nova to engage
Third Parties and (ii) Third Parties to engage
subprocessors. Any Third Party Processing of
Customer Personal Data shall be consistent with
Customer’s reasonable documented instructions and
comply with all Applicable Data Protection Law(s).
d) Nova and Third Party Compliance. Nova
agrees to (i) enter into a written agreement with
Third Parties regarding such Third Parties’
Processing of Customer Personal Data that imposes on
such Third Parties (and their subprocessors) data
protection and security requirements for Customer
Personal Data that are compliant with Applicable
Data Protection Law(s); and (ii) remain responsible
to Customer for Nova’s Third Parties’ (and their
subprocessors if applicable) failure to perform
their obligations with respect to
the Processing of Customer Personal Data.
e) Right to Object to Third Parties. The
list of Nova’s Third Parties that Process Customer
Personal Data is set forth on
Exhibit A. Prior to engaging any new Third Parties to
Process Customer Personal Data, Nova will notify
Customer via email and allow Customer thirty (30)
days to object. If Customer has legitimate
objections to the appointment of any new Third
Party, the Parties will work together in good faith
to resolve the grounds for the objection for no less
than thirty (30) days, and failing any such
resolution, Customer may terminate the part of the
service performed under the Agreement that cannot be
performed by Nova without use of the objectionable
Third Party.
f) Confidentiality. Any person or Third
Party authorized to Process Customer Personal Data
must agree to maintain the confidentiality of such
information or be under an appropriate statutory or
contractual obligation of confidentiality.
g) Personal Data Inquiries and Requests.
Nova agrees to comply with all reasonable
instructions from Customer related to any requests
from individuals exercising their rights in Personal
Data granted to them under Applicable Data
Protection Law(s) (“Privacy Request”). At Customer’s request and without undue delay,
Nova agrees to assist Customer in answering or
complying with any Privacy Request in so far as it
is possible.
h) Data Protection Impact Assessment and Prior
Consultation. Nova agrees to provide reasonable assistance at
Customer’s expense to Customer where, in Customer’s
judgment, the type of Processing performed by Nova
is likely to result in a high risk to the rights and
freedoms of natural persons (e.g., systematic and
extensive profiling, Processing sensitive Personal
Data on a large scale and systematic monitoring on a
large scale, or where the Processing uses new
technologies) and thus requires a data protection
impact assessment and/or prior consultation with the
relevant data protection authorities.
i) Demonstrable Compliance. Nova agrees
to keep records of its Processing in compliance with
Applicable Data Protection Law(s) and provide any
necessary records to Customer to demonstrate
compliance upon reasonable request.
j) Sale of Information. Nova (i) will
only use Customer Personal Data to provide the
Services under the Agreement; (ii) will not collect,
retain, use, sell, share, disclose or otherwise
Process any Customer Personal Data, for any purpose
other than providing the Services under the
Agreement, or as otherwise permitted under
applicable law. Notwithstanding anything to the
contrary in the Agreement (including this Addendum),
Customer acknowledges that Nova shall have a right
to Process Personal Data in relation to the support
and/or use of the Services for its legitimate
business purposes, such as billing, account
management, technical support and product
development. Nova understands the
restrictions in this Section 3(j) and certifies that
it understands its obligations under the Applicable
Data Protection Laws and will comply with them.
4. Cross-Border Transfers of
Personal Data.
a) If Nova transfers Customer Personal Data protected
under this Addendum to a jurisdiction for which the
European Commission has not issued an adequacy
decision (each, a “Restricted Transfer”), Nova represents, warrants, and covenants
that (i) Restricted Transfers by
Nova may only be made to Authorized Persons; (ii)
any Restricted Transfer conducted by Nova or any
Authorized Person shall be undertaken in accordance
with the appropriate Standard Contractual Clauses
entered into in accordance with Applicable Data
Protection Laws; and (iii) that each Restricted
Transfer will be made after appropriate safeguards
have been implemented for the Restricted Transfer of
Customer Personal Data in accordance with Applicable
Data Protection Laws.
b) Ex-EEA Transfers. The Parties agree
that ex-EEA Transfers are made pursuant to the EU
SCCs, which are deemed entered into (and
incorporated into this Addendum by this reference)
and completed under Module Two (Controller to
Processor) of the EU SCCs.
c) For each module, where applicable, the following applies:
i) The optional
docking clause in Clause 7 does not apply;
ii) In Clause 9,
Option 2 (general prior authorization) applies, and
the minimum time period for prior notice of
sub-processor changes shall be as set forth in 3(e)
of this Addendum;
iii) In Clause
11, the optional language does not apply;
iv) All square
brackets in Clause 13 are hereby removed;
v) In Clause 17
(Option 1), the EU SCCs will be governed by Irish
law;
vi) In Clause
18(b), disputes will be resolved before the courts
of Ireland;
vii) Exhibit B
to this Addendum contains the information required
in Annex I of the EU SCCs;
viii) Exhibit C
to this Addendum contains the information required
in Annex II of the EU SCCs; and
ix) By entering
into this Addendum, the Parties are deemed to have
signed the EU SCCs incorporated herein, including
their Annexes.
d) Ex-UK Transfers. The Parties agree
that ex-UK Transfers are made pursuant to the UK
SCCs, which are deemed entered into and incorporated
into this Addendum by reference, and amended and
completed in accordance with the UK Addendum, which
is incorporated herein as
Exhibit D of this
Addendum.
e) Transfers from Switzerland. The
Parties agree that transfers from Switzerland are
made pursuant to the EU SCCs with the following
modifications:
i) The terms “General Data Protection Regulation” or
“Regulation (EU) 2016/679” as utilized in the EU
SCCs shall be interpreted to include the Federal Act
on Data Protection of 19 June 1992 (the
“FADP,” and as revised as of 25
September 2020, the “Revised FADP”)
with respect to data transfers subject to the FADP.
ii) The terms of
the EU SCCs shall be interpreted to protect the data
of legal entities until the effective date of the
Revised FADP.
iii) Clause 13
of the EU SCCs is modified to provide that the
Federal Data Protection and Information Commissioner
of Switzerland shall have authority over data
transfers governed by the FADP and the appropriate
EU supervisory authority shall have authority over
data transfers governed by the GDPR. Subject to the
foregoing, all other requirements of Clause 13 shall
be observed.
iv) The term “EU
Member State” as utilized in the EU SCCs shall not
be interpreted in such a way as to exclude data
subjects in Switzerland from exercising their rights
in their place of habitual residence in accordance
with Clause 18(c) of the EU SCCs.
f) Supplementary Measures. In respect of
any ex-EEA Transfer or ex-UK Transfer, the following
supplementary measures shall apply:
i) As of the
date of this Addendum, Nova has not received any
formal legal requests from any government
intelligence or security service/agencies in the
country to which the Customer Personal Data is being
exported, for access to (or for copies of) Personal
Data (“Government Agency Requests”);
ii) If, after the date of this Addendum, Nova receives any Government Agency Requests, Nova shall attempt to redirect the law enforcement or government agency to request that data directly from Customer. As part of this effort, Nova may provide Customer’s basic contact information to the government agency. If compelled to disclose Customer Personal Data to a law enforcement or government agency, Nova shall give Customer reasonable notice of the demand and cooperate to allow Customer to seek a protective order or other appropriate remedy unless Nova is legally prohibited from doing so. Nova shall not voluntarily disclose Customer Personal Data to any law enforcement or government agency. Customer and Nova shall (as soon as reasonably practicable) discuss and determine whether all or any transfers of Customer Personal Data pursuant to this Addendum should be suspended in the light of such Government Agency Requests; and
iii) The
Customer and Nova will meet regularly to consider
whether:
(1) the protection afforded by
the laws of the country of Nova to data subjects
whose Personal Data is being transferred is
sufficient to provide broadly equivalent protection
to that afforded in the EEA or the UK, whichever the
case may be;
(2) additional measures are
reasonably necessary to enable the transfer to be
compliant with the Applicable Data Protection Laws;
and
(3) it is still appropriate for
Customer Personal Data to be transferred to Nova,
taking into account all relevant information
available to the Parties, together with guidance
provided by the supervisory authorities.
iv) If Data
Protection Laws require the Customer to execute the
Standard Contractual Clauses applicable to a
particular transfer of Customer Personal Data to
Nova as a separate agreement, Nova shall, on request
of the Customer, promptly execute such Standard
Contractual Clauses incorporating such amendments as
may reasonably be required by the Customer to
reflect the applicable appendices and annexes, the
details of the transfer and the requirements of the
relevant Applicable Data Protection Laws.
v) If either (i) any of the means of legitimizing transfers of Customer Personal Data outside of the EEA or UK set forth in this Addendum cease to be valid or (ii) any supervisory authority requires transfers of Customer Personal Data pursuant to those means to be suspended, Nova agrees, with effect from the date set out in such notice, to amend the means of legitimizing such transfers or to put in place alternative arrangements with Customer in respect of such transfers, as required by Applicable Data Protection Laws.
5. Information Security
Program.
a) Nova agrees
to implement appropriate technical and
organizational measures designed to protect Customer
Personal Data as required by Applicable Data
Protection Law(s) (the “Information Security Program”). Such measures shall be designed to include:
i) Pseudonymisation of Customer Personal Data where
appropriate, and encryption of Customer Personal
Data in transit and at rest;
ii) The ability to ensure the ongoing confidentiality, integrity and availability of Nova’s Processing systems and of Customer Personal Data;
iii) The ability
to restore the availability and access to Customer
Personal Data in the event of a physical or
technical incident;
iv) A process
for regularly testing, assessing and evaluating the
effectiveness of Nova’s Information Security Program
to ensure the security of Customer Personal Data
from reasonably suspected or actual accidental or
unlawful destruction, loss, alteration, unauthorized
disclosure or access.
6. Security Incidents.
a) Security Incident Procedure. Nova will
deploy and follow policies and procedures to detect,
respond to, and otherwise address Security Incidents
including procedures to (i) identify and respond to
reasonably suspected or known Security Incidents,
mitigate harmful effects of Security Incidents,
document Security Incidents and their outcomes, and
(ii) restore the availability or access to Customer
Personal Data in a timely manner.
b) Notice. Nova agrees to provide prompt
written notice without undue delay and within the
time frame required under Applicable Data Protection
Law(s) to Customer’s Designated POC upon becoming
aware that a Security Incident has taken place. Such
notice will include all available details required
under Applicable Data Protection Law(s) for Customer
to comply with its own notification obligations to
regulatory authorities or individuals affected by
the Security Incident.
7. Audits.
a) Right to Audit; Permitted Audits. Nova
shall make available to Customer and its regulators
all information necessary to demonstrate compliance
with Applicable Data Protection Laws and this
Addendum:
i) Following any
notice from Nova to Customer of an actual or
reasonably suspected Security Incident involving
Customer Personal Data;
ii) As required
by governmental regulators;
iii) For any
reason, or no reason at all, once annually.
b) Audit Terms. Any audits described in
this Section shall be:
i) Conducted by
Customer or its regulator, or through a third party
independent contractor selected by one of these
parties, and to whom Nova does not reasonably
object.
ii) Conducted
during reasonable times.
iii) Conducted
upon reasonable advance notice to Nova.
iv) Of
reasonable duration and scope and shall not
unreasonably interfere with Nova’s day-to-day
operations.
v) Conducted in
such a manner that does not violate any agreement
between Nova and its service providers, including
cloud providers, or violate or cause Nova to violate
its reasonable policies related to security and
confidentiality.
c) Third Parties. In the event that
Customer conducts an audit through a third party
independent auditor or a third party accompanies
Customer or participates in such audit, such third
party shall be required to enter into a
non-disclosure agreement containing confidentiality
provisions substantially similar to those set forth
in the Agreement to protect Nova’s and Nova’s
customers’ confidential and proprietary information.
For the avoidance of doubt, regulators shall not be
required to enter into a non-disclosure agreement.
d) Audit Results. Upon Nova’s request,
after conducting an audit, Customer shall notify
Nova of the manner in which Nova does not comply
with any of the applicable security, confidentiality
or privacy obligations or Applicable Data Protection
Laws herein. Upon such notice, Nova shall make any
necessary changes to ensure compliance with such
obligations at its own expense and without
unreasonable delay and shall notify Customer when
such changes are complete. Notwithstanding anything
to the contrary in the Agreement, Customer may
conduct a follow-up audit within six (6) months of
Nova’s notice of completion of any necessary
changes. To the extent that a Customer audit
identifies any material security vulnerabilities,
Nova shall promptly remediate those vulnerabilities.
8. Data Storage and
Deletion.
a) Data Storage. Nova will abide by the
following with respect to storage of Customer
Personal Data:
i) Nova will not
store or retain any Customer Personal Data except as
necessary to perform the Services under the
Agreement.
ii) Nova will
(i) inform Customer in writing of all countries
where Customer Personal Data is Processed or stored
and (ii) obtain consent from Customer for Processing
or storage in the identified countries. As of the
Effective Date, Nova stores Customer Personal Data
in the following countries to which Customer hereby
consents: United States.
b) Data Deletion. Nova will abide by the
following with respect to deletion of Customer
Personal Data:
i) Within ninety
(90) calendar days of the Agreement’s expiration or
termination, Nova will securely destroy (per
subsection (iii) below) all copies of Customer
Personal Data (including automatically created
archival copies).
ii) Upon Customer’s request, Nova will promptly return
to Customer a copy of all Customer Personal Data
within thirty (30) calendar days and, if Customer
also requests deletion of the Customer Personal
Data, will carry that out as set forth above.
iii) All
deletion of Customer Personal Data will be conducted
in accordance with standard industry practices for
deletion of sensitive data.
iv) Tapes,
printed output, optical disks, and other physical
media will be physically destroyed by a secure
method, such as shredding performed by a bonded
provider.
v) Upon
Customer’s request, Nova will provide evidence that
Nova has deleted all Customer Personal Data. Nova
will provide the “Certificate of Deletion” within
thirty (30) calendar days of Customer’s request.
9. Limitation of Liability.
The Limitation of Liability provision set forth in
the Agreement will apply to this Addendum.
Exhibit A
1.1 Subject Matter of Processing | The subject matter of Processing is the Services pursuant to the Agreement. |
1.2 Duration of Processing | The Processing will continue until the expiration or termination of the Agreement. |
1.3 Categories of Data Subjects |
Includes the following: ● Prospects, customers, business partners and vendors of Customer (who are natural persons) ● Employees or contact persons of Customer’s prospects, customers, business partners and vendors ● Employees, agents, advisors, freelancers of Customer (who are natural persons) ● Customer’s users and customers |
1.4 Nature and Purpose of Processing |
Includes the following: Nature: Processing of the data uploaded by Customer to Nova's Services. The purpose of Processing of Customer Personal Data by Nova is the performance of the Services pursuant to the Agreement. |
1.5 Types of Personal Information |
Includes the following: ● First and last name ● Title ● Position ● Employer ● Contact information (company, email, phone, physical business address) ● Identification Data (notably email addresses and phone numbers) ● Electronic identification data (notably IP addresses and mobile device IDs) |
1.6 List of Third Parties |
Cloudflare, Docusign, Fullstory, Google Cloud, Postmark, Stripe |
Exhibit B
The following includes the information
required by Annex I and Annex III of the EU SCCs,
and Table 1, Annex 1A, and Annex 1B of the UK
Addendum.
1. The Parties
Data exporter(s): [Identity and contact details of the data
exporter(s) and, where applicable, of its/their data protection officer and/or
representative in the European Union]
Name:
Customer name within the Service Order or
Agreement
Address:
Customer address within the Service Order or
Agreement
Contact person’s name, position and contact
details: As stated within the Service Order or Agreement
or as otherwise provided in writing to Nova.
Activities relevant to the data transferred
under these Clauses:
Signature and date: By
entering into the DPA, Data Exporter is deemed to
have signed these Standard Contractual Clauses
incorporated herein, as of the Effective Date of the
Agreement.
Role (controller/processor):
Controller
Data importer(s): [Identity and contact details of the data
importer(s), including any contact
person with responsibility for data
protection]
Name: Nova Orbis Inc.
Trading Name (if
different): N/A
Address: 750 N Saint Paul St
Ste 250 PMB 78796 Dallas, Texas 75201
Official
Registration Number (if any) (company number or
similar identifier): N/A
Contact person’s name,
position and contact details: Pradyman Vig - CEO -
[email protected]
Activities relevant to the
data transferred under these Clauses: The provision
of the Services under the Agreement.
Signature
and date: By entering into the DPA, Data Importer is
deemed to have signed these Standard Contractual
Clauses incorporated herein, as of the Effective
Date of the Agreement.
Role
(controller/processor): Processor
2. Description of the Transfer
Data Subjects | As described in Exhibit A of the Addendum. |
Categories of Personal Data | As described in Exhibit A of the Addendum. |
Special Category Personal Data (if applicable) | None. |
Nature of the Processing | As provided in Exhibit A of the Addendum. |
Purposes of Processing | As described in Exhibit A of the Addendum. |
Duration of Processing and Retention (or the criteria to determine such period) | As described in Exhibit A of the Addendum. |
Frequency of the transfer | As necessary to perform the Services. |
Recipients of Personal Data Transferred to the Data Importer | As described in Section 4 below and as supplemented by any Third Parties added in accordance with Section 3(e) of the Addendum. |
3. Competent Supervisory Authority
The supervisory authority shall be the supervisory authority of the Customer, as determined in accordance with Clause 13 of the EU SCCs. The supervisory authority for the purposes of the UK Addendum shall be the UK Information Commissioner’s Office.
4. List of Authorized
Subprocessors
Name of Authorized Subcontractor (Sub-processor) | Description of processing | Country in which subprocessing will take place |
Cloudflare | Content delivery network and DDoS mitigation services | US |
Docusign | E-signature tool for documents | US |
Fullstory | Website analytics | US |
Google Cloud | Cloud computing infrastructure | US |
Postmark | Email delivery service | US |
Stripe | Payment processing tool | US |
Exhibit C
Description of the Technical and Organizational
Security Measures implemented by the Data
Importer
The following includes the information
required by Annex II of the EU SCCs and Appendix II
of the UK Addendum.
1. Adopting and implementing
reasonable policies and standards related to
security;
2. Assigning responsibility for
information security management;
3. Devoting adequate personnel
resources to information security;
4. Conducting appropriate
background checks and requiring employees, vendors
and others with access to the Personal Data to enter
into written confidentiality agreements;
5. Conducting training to make
employees and others with access to Personal Data
aware of information security risks and to enhance
compliance with its policies related to data
protection;
6. Preventing unauthorized access
to Personal Data through the use, as appropriate, of
physical and logical entry controls, secure areas
for data processing, procedures for monitoring the
use of data processing, audit trails, use of secure
passwords, network intrusion detection technology,
authentication technology, secure log-on procedures,
and virus protection, on-going monitoring of
compliance with its policies related to data
protection, including:
6.1 Appropriate physical access
control measures (e.g., access ID cards, card
readers, desk officers, alarm systems, motion
detectors, burglar alarms, video surveillance and
exterior security);
6.2 Denial-of-use control
measures to prevent unauthorized use of data
protection systems (e.g., automatically enforced
password complexity and change requirements,
firewalls, etc.);
6.3 Requirements-driven
authorization scheme and access rights, and
monitoring and logging of system access to identify
unauthorized Processing of Personal Data by
Authorized Personnel;
6.4 Data transmission control
measures to ensure that Personal Data cannot be
read, copied, modified or removed without
authorization during electronic transmission,
transport or storage on data media, and transfer and
receipt records.
6.5 Encryption of any Personal Data transmitted electronically to a person outside Nova’s IT system, transmitted over a wireless network, or stored on any movable or portable media.
6.6 Data entry control measures
to ensure that it is possible to check and establish
whether and by whom Personal Data has been input
into data processing systems, modified, or removed;
6.7 Subcontractor supervision
measures to ensure compliance with the Addendum;
6.8 Measures to ensure that
Personal Data is protected from accidental
destruction or loss including, as appropriate and
without limitation, data backup, retention and
secure destruction policies; secure offsite storage
of data sufficient for disaster recovery; and
disaster recovery programs;
6.9 Measures to ensure that data
collected for different purposes can be processed
separately including, as appropriate, physical or
adequate logical separation of client data.
Exhibit D
UK Addendum
International Data Transfer Addendum to the EU
Commission Standard Contractual Clauses
Part 1: Tables
Table 1: Parties
Start Date | This UK Addendum shall have the same effective date as the Addendum. |
The Parties | Exporter | Importer |
Parties’ Details | Customer | Nova |
Key Contact | See Exhibit B of this Addendum | See Exhibit B of this Addendum |
Table 2: Selected SCCs, Modules and Selected
Clauses
EU SCCs | The version of the Approved EU SCCs which this UK Addendum is appended to as defined in the Addendum and completed by Sections 4(c) and 4(d) of the Addendum. |
Table 3: Appendix Information
“Appendix Information” means the information
which must be provided for the selected modules as
set out in the Appendix of the Approved EU SCCs
(other than the Parties), and which for this UK
Addendum is set out in:
Annex 1A: List of Parties | As per Table 1 above |
Annex 1B: Description of Transfer | See Exhibit B of this Addendum |
Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: | See Exhibit C of this Addendum |
Annex III: List of Sub processors (Modules 2 and 3 only): | See Exhibit B of this Addendum |
Table 4: Ending this UK Addendum when the Approved UK Addendum Changes
Ending this UK Addendum when the Approved UK Addendum changes | ☐ Importer ☒ Exporter ☐ Neither Party |
Entering into this UK Addendum:
1. Each party agrees to be bound
by the terms and conditions set out in this UK
Addendum, in exchange for the other party also
agreeing to be bound by this UK Addendum.
2. Although Annex 1A and Clause 7
of the Approved EU SCCs require signature by the
Parties, for the purpose of making ex-UK Transfers,
the Parties may enter into this UK Addendum in any
way that makes them legally binding on the Parties
and allows data subjects to enforce their rights as
set out in this UK Addendum. Entering into this UK
Addendum will have the same effect as signing the
Approved EU SCCs and any part of the Approved EU
SCCs.
Interpretation of this UK Addendum
3. Where this UK Addendum uses
terms that are defined in the Approved EU SCCs those
terms shall have the same meaning as in the Approved
EU SCCs. In addition, the following terms have the
following meanings:
UK Addendum | means this International Data Transfer Addendum incorporating the EU SCCs, attached to the Addendum as Exhibit D. |
EU SCCs | means the version(s) of the Approved EU SCCs which this UK Addendum is appended to, as set out in Table 2, including the Appendix Information |
Appendix Information | shall be as set out in Table 3 |
Appropriate Safeguards | means the standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making an ex-UK Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
Approved UK Addendum | means the template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as may be revised under Section 18 of the UK Addendum. |
Approved EU SCCs | means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data to countries not otherwise recognized as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time). |
ICO | means the Information Commissioner of the United Kingdom. |
ex-UK Transfer | shall have the same definition as set forth in the Addendum. |
UK | means the United Kingdom of Great Britain and Northern Ireland. |
UK Data Protection Laws | means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
UK GDPR | shall have the definition set forth in the Addendum. |
4. The UK Addendum must
always be interpreted in a manner that is consistent
with UK Data Protection Laws and so that it fulfills
the Parties’ obligation to provide the Appropriate
Safeguards.
5. If the provisions included in
the UK Addendum amend the Approved EU SCCs in any
way which is not permitted under the Approved EU
SCCs or the Approved UK Addendum, such amendment(s)
will not be incorporated in the UK Addendum and the
equivalent provision of the Approved EU SCCs will
take their place.
6. If there is any inconsistency
or conflict between UK Data Protection Laws and the
UK Addendum, UK Data Protection Laws applies.
7. If the meaning of the UK
Addendum is unclear or there is more than one
meaning, the meaning which most closely aligns with
UK Data Protection Laws applies.
8. Any references to legislation
(or specific provisions of legislation) means that
legislation (or specific provision) as it may change
over time. This includes where that legislation (or
specific provision) has been consolidated,
re-enacted and/or replaced after the UK Addendum has
been entered into.
Hierarchy
9. Although Clause 5 of the
Approved EU SCCs sets out that the Approved EU SCCs
prevail over all related agreements between the
parties, the parties agree that, for ex-UK
Transfers, the hierarchy in Section 10 below will
prevail.
10. Where there is any
inconsistency or conflict between the Approved UK
Addendum and the EU SCCs (as applicable), the
Approved UK Addendum overrides the EU SCCs, except
where (and in so far as) the inconsistent or
conflicting terms of the EU SCCs provides greater
protection for data subjects, in which case those
terms will override the Approved UK Addendum.
11. Where this UK Addendum
incorporates EU SCCs which have been entered into to
protect ex-EU Transfers subject to the GDPR, then
the parties acknowledge that nothing in the UK
Addendum impacts those EU SCCs.
Incorporation and Changes to the EU
SCCs:
12. This UK Addendum incorporates
the EU SCCs which are amended to the extent
necessary so that:
a) together they operate for data
transfers made by the data exporter to the data
importer, to the extent that UK Data Protection Laws
apply to the data exporter’s processing when making
that data transfer, and they provide Appropriate
Safeguards for those data transfers;
b) Sections 9 to 11 above
override Clause 5 (Hierarchy) of the EU SCCs; and
c) the UK Addendum (including the
EU SCCs incorporated into it) is (1) governed by the
laws of England and Wales and (2) any dispute
arising from it is resolved by the courts of England
and Wales.
13. Unless the parties have
agreed alternative amendments which meet the
requirements of Section 12 of this UK Addendum, the
provisions of Section 15 of this UK Addendum will
apply.
14. No amendments to the Approved
EU SCCs other than to meet the requirements of
Section 12 of this UK Addendum may be made.
15. The following amendments to
the EU SCCs (for the purpose of Section 12 of this
UK Addendum) are made:
a) References to the “Clauses”
means this UK Addendum, incorporating the EU SCCs;
b) In Clause 2, delete the words:
“and, with respect to data transfers from
controllers to processors and/or processors to
processors, standard contractual clauses pursuant to
Article 28(7) of Regulation (EU) 2016/679”,
c) Clause 6 (Description of the
transfer(s)) is replaced with: “The details of the
transfers(s) and in particular the categories of
personal data that are transferred and the
purpose(s) for which they are transferred) are those
specified in Annex I.B where UK Data Protection Laws
apply to the data exporter’s processing when making
that transfer.”;
d) Clause 8.7(i) of Module 1 is
replaced with: “it is to a country benefitting from
adequacy regulations pursuant to Section 17A of the
UK GDPR that covers the onward transfer”;
e) Clause 8.8(i) of Modules 2 and
3 is replaced with: “the onward transfer is to a
country benefitting from adequacy regulations
pursuant to Section 17A of the UK GDPR that covers
the onward transfer;”
f) References to “Regulation (EU)
2016/679”, “Regulation (EU) 2016/679 of the European
Parliament and of the Council of 27 April 2016 on
the protection of natural persons with regard to the
processing of personal data and on the free movement
of such data (General Data Protection Regulation)”
and “that Regulation” are all replaced by “UK Data
Protection Laws”. References to specific Article(s)
of “Regulation (EU) 2016/679” are replaced with the
equivalent Article or Section of UK Data Protection
Laws;
g) References to Regulation (EU)
2018/1725 are removed;
h) References to the “European
Union”, “Union”, “EU”, “EU Member State”, “Member
State” and “EU or Member State” are all replaced
with the “UK”;
i) The reference to “Clause
12(c)(i)” at Clause 10(b)(i) of Module one, is
replaced with “Clause 11(c)(i)”;
j) Clause 13(a) and Part C of
Annex I are not used;
k) The “competent supervisory
authority” and “supervisory authority” are both
replaced with the “Information Commissioner”;
l) In Clause 16(e), subsection
(i) is replaced with: “the Secretary of State makes
regulations pursuant to Section 17A of the Data
Protection Act 2018 that cover the transfer of
personal data to which these clauses apply;”;
m) Clause 17 is replaced with:
“These Clauses are governed by the laws of England
and Wales.”;
n) Clause 18 is replaced with:
“Any dispute arising from these Clauses shall be
resolved by the courts of England and Wales. A data
subject may also bring legal proceedings against the
data exporter and/or data importer before the courts
of any country in the UK. The parties agree to
submit themselves to the jurisdiction of such
courts.”; and
o) The footnotes to the Approved
EU SCCs do not form part of the UK Addendum, except
for footnotes 8, 9, 10 and 11.
Amendments to the UK Addendum
16. The parties may agree to
change Clauses 17 and/or 18 of the EU SCCs to refer
to the laws and/or courts of Scotland and Northern
Ireland.
17. If the parties wish to change
the format of the information included in Part 1:
Tables of the Approved UK Addendum, they may do so
by agreeing to the change in writing, provided that
the change does not reduce the Appropriate
Safeguards.
18. From time to time, the ICO
may issue a revised Approved UK Addendum which:
a) makes reasonable and
proportionate changes to the Approved UK Addendum,
including correcting errors in the Approved UK
Addendum; and/or
b) reflects changes to UK Data
Protection Laws;
The revised Approved UK Addendum will specify
the start date from which the changes to the
Approved UK Addendum are effective and whether the
parties need to review this UK Addendum including
the Appendix Information. This UK Addendum is
automatically amended as set out in the revised
Approved UK Addendum from the start date specified.
19. If the ICO issues a revised
Approved UK Addendum under Section 18 of this UK
Addendum, if a party will as a direct result of the
changes in the Approved UK Addendum have a
substantial, disproportionate and demonstrable
increase in:
a) its direct costs of performing
its obligations under the UK Addendum; and/or
b) its risk under the UK
Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that party may end this UK Addendum at the end of a reasonable notice period, by providing written notice for that period to the other party before the start date of the revised Approved UK Addendum.
20. The parties do not need the
consent of any third party to make changes to this
UK Addendum, but any changes must be made in
accordance with its terms.