Data processing addendum
This Nasuni Data Processing Addendum (the “Addendum” or “DPA”) forms part of the Nasuni Subscription and Services Agreement or other written or electronic agreement referencing this Addendum (the “Agreement”) between Nasuni Corporation (“Nasuni”) and the entity identified in the table below that has engaged Nasuni to provide the Services (“Customer”). This Addendum amends the Agreement and is effective upon its incorporation into the Agreement, as specified in the Agreement itself or in any Order. Upon its incorporation into the Agreement, this Addendum will form part of the Agreement. Notwithstanding anything to the contrary in the Agreement, if there is a conflict between this Addendum and the Agreement, this Addendum will control.
| Nasuni: Nasuni Corporation | Customer: |
| Entity type / incorporated in: Delaware corporation | Entity type / incorporated in: |
| Address: One Marina Park Drive, 6th Floor Boston, MA 02110 | Address: |
| Legal Jurisdiction (for the purposes of relevant supervisory authority). | |
| DPO / Contact for data protection inquiries: Privacy Officer [email protected] | DPO / Contact for data protection inquiries: |
If Customer’s Affiliates have placed Orders for the Services under the Agreement, then this Addendum amends those Orders, and each such Affiliate shall be deemed to be the “Data Controller” for Protected Information pertinent to its Order for the purposes of this Addendum. Customer shall be responsible for coordinating all communications with Nasuni and Customer’s Affiliates under this Addendum and shall be entitled to make and receive any communication in relation to the Addendum, and Customer hereby enters into this Addendum, on behalf of itself and its Affiliates.
This Addendum has been pre-signed by Nasuni. To complete this Addendum, Customer must (a) complete the information in the table above, complete the information in the signature boxes on the signature page and sign on such page, (c) complete the information in the tables in Schedule 1, and (d) send the signed and completed addendum to [email protected].
1. Definitions.
For the purposes of this Addendum, capitalized terms shall have the meaning ascribed to them herein or in the Agreement and in the IDTA and/or SCCs, unless the context otherwise requires.
“Affiliate” means an entity that owns or controls, is owned or controlled by or is under common ownership or control with such entity, where “control” means the power to direct the management or affairs of an entity and “ownership” means the beneficial ownership of fifty percent (50%) or more of the voting securities or other equivalent voting interests of an entity.
“California Personal Data” means any Protected Information contained in Customer Data that constitutes personal information as defined in, and to the extent regulated by, the California Privacy Laws.
“California Privacy Laws” means the California Consumer Privacy Act of 2018, together with any regulations promulgated thereunder (collectively, the “CCPA”), as amended or replaced by the California Privacy Rights Act of 2020, together with any regulations promulgated thereunder (collectively, the “CPRA”).
“Data Protection Laws” means all privacy laws applicable to any Personal Data processed under or in connection with this Addendum, including, without limitation (in each case to the extent applicable), the California Privacy Laws and all privacy laws and regulations of the European Union, the EEA and their member states, Switzerland and the United Kingdom applicable to any Personal Data processed under or in connection with this Addendum, including, without limitation, the General Data Protection Regulation 2016/679 (the “GDPR”), UK Data Protection Act 2018 and UK GDPR (as defined in the Data Protection Act), the Privacy and Electronic Communications Directive 2002/58/EC (as the same may be superseded by the Regulation on Privacy and Electronic Communications, (“ePrivacy Regulation”)), and all national legislation implementing or supplementing the foregoing and all associated codes of practice and other guidance issued by any applicable data protection authority, all as amended, re-enacted and/or replaced and in force from time to time.
“Data Controller” means the entity that determines the purposes and means of Processing Personal Data.
“Data Processor” means an entity which Processes Personal Data on behalf of a Data Controller.
“IDTA” means either (i) the International Data Transfer Agreement or (ii) the International Data Transfer Addendum to the EU Commission IDTA, both issued by the UK’s Information Commissioner under section 119A(1) Data Protection Act 2018 for UK transfers of personal data to Processors in Third Countries, dated 21 March 2022, whichever is the appropriate document for the transfer of Personal Data. This document is not attached but is incorporated by reference into this agreement.
“Standard Contractual Clauses” or “SCCs” shall have the meaning set forth in Section 6.
“Personal Data” means all data which is defined as ‘Personal Data’ or ‘personal information’ under Data Protection Laws and which is provided by the Customer to Nasuni or accessed, stored or otherwise processed by Nasuni in connection with the Services.
“Processing” or “processing” (including grammatically inflected forms thereof) means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Regulator” means a supervisory authority that is concerned with the Processing of Personal Data under this Addendum and includes (in each case as applicable): (a) the UK Information Commissioner’s Office or any other UK governmental data protection agency which has jurisdiction over a Data Controller’s Processing of Personal Data; (b) the UK Government; and/or (c) the courts of England and Wales.
“Services” means the products or services provided by Nasuni to Customer under the Agreement.
“Third Countries” means all countries outside of the UK or the EU, excluding countries approved as providing adequate protection for Personal Data by the UK Government or other applicable Regulators from time to time.
2. Protected Information.
Customer hereby acknowledges that the Services are not designed (nor is it intended) for Nasuni to access your Customer Data or Protected Information, including any Personal Data. Each party agrees to comply with all applicable data protection laws with respect to its Processing of Protected Information of the other party which the parties agree to process in connection with this Agreement.
3. Business Contact Information.
Without limitation of any other provision contained herein, each party may also access and use the other party’s Protected Information where such Protected Information is included in business contact information provided in connection with this Agreement.
4. California Privacy Laws.
Except as otherwise required by applicable law, Nasuni shall: (i) not sell or share California Personal Data; (ii) not retain, use, or disclose California Personal Data for any purpose other than for the business purposes specified in the Agreement , nor retain, use, or disclose California Personal Data for a commercial purpose other than the business purposes specified in the Agreement, or as otherwise permitted by the CPRA; (iii) not retain, use, or disclose California Personal Data outside of the direct business relationship between the parties; (iv) not combine California Personal Data, which Nasuni receives pursuant to the Agreement or from or on behalf of Customer, with personal information which it receives from or on behalf of another person or persons, or collects from its own interaction with the individual to whom such California Personal Data relates, except as otherwise expressly permitted by the CPRA; (v) reasonably cooperate with Customer in responding to any requests from any individual regarding California Personal Data relating to such individual, including reasonably assisting Customer in deletion, correction, or limitation of the use of such California Personal Data where required under the CPRA, and including instructing Nasuni’s service providers and/or contractors (if any) to so reasonably cooperate in such response; (vi) reasonably assist Customer through appropriate technical and organizational measures in Customer’s complying with the requirements of subdivisions (d) to (f), inclusive, of Section 1798.100 of the CPRA, taking into account the nature of the California Personal Data Processing by Nasuni; (vii) implement and maintain commercially reasonable security procedures and practices appropriate to the nature of the California Personal Data intended to protect such California Personal Data from unauthorized access, destruction, use, modification, or disclosure; (viii) comply with all applicable obligations under the CPRA and provide the same level of privacy protection with respect to California Personal Data as required by the CPRA; and (ix) notify Customer if Nasuni determines it can no longer meet its obligations under the CPRA. Nasuni acknowledges and agrees that the California Personal Data has been disclosed to it for the limited and specified purposes set forth in the Agreement and Nasuni further acknowledges and agrees Customer shall have the right: (x) to take reasonable and appropriate steps to ensure that Nasuni uses California Personal Data in a manner consistent with Customer’s obligations under the CPRA; and (y) upon notice from Customer to Nasuni, to take reasonable and appropriate steps to stop and remediate unauthorized use of California Personal Data. The following terms have the meanings given in the California Privacy Laws: “business purpose“, “personal information”, “service provider”, “contractor”, “person”, “share”, “sharing”, “shared”, “sell”, “selling”, “sale” and “sold”.
5. UK Personal Data.
To the extent any Protected Information contained in Customer Data is regulated by the UK GDPR (“UK Personal Data”), the IDTA (as defined herein) and Schedule 1 attached hereto will apply to Nasuni’s Processing of such UK Personal Data on your behalf and the parties hereby agree to comply with the IDTA, which is hereby incorporated into this Addendum in its entirety. In the event of a conflict between the Agreement and the IDTA, the IDTA will control to the extent applicable to UK Personal Data.
6. EU Personal Data.
To the extent any Protected Information contained in the Customer Data is regulated by the GDPR (“EU Personal Data”), then to the extent required by the GDPR, the standard contractual clauses for the transfer and Processing of personal data as set out in European Commission Decision 2021/914/EC, modules 2 and 3 (“Standard Contractual Clauses” or “SCCs”) and Schedule 1 attached hereto will apply to Nasuni’s Processing of such Protected Information on your behalf and the parties hereby agree to comply with such Standard Contractual Clauses, which are hereby incorporated into this Addendum by reference, in their entirety. In the event of a conflict between the Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will control to the extent applicable to the EU Personal Data.
7. Other Data.
Notwithstanding anything to the contrary in the Agreement or herein, Customer acknowledges that Nasuni shall have a right to use and disclose usage and similar anonymized statistical data relating to the operation, support and/or use of the Services for its legitimate business purposes, such as product development and sales and marketing and such data is not Customer Data. To the extent any such data is considered Personal Data (to the extent regulated by the Data Protection Laws), then, to the extent that Nasuni is subject to the Data Protection Laws, Nasuni is the Data Controller of such data and accordingly shall Process such data in accordance with the applicable Data Protection Laws. To the extent any such data is considered personal information (as defined in, and regulated by, the California Privacy Laws), then, to the extent Nasuni is subject to the California Privacy Laws as a business, Nasuni is the business with respect to such data and accordingly shall Process such data in accordance with the California Privacy Laws.
8. Processing of Personal Data
As between the parties, (i) Customer is a Data Controller and Nasuni is a Data Processor on behalf of Customer with regard to Personal Data; or (ii) Customer is a Data Processor on behalf of a third party with respect to Personal Data and Nasuni is a Data Processor on behalf of Customer with regard to Personal Data. Customer wishes to appoint Nasuni as a Data Processor to Process Personal Data (i) in accordance with the Agreement; (ii) at the Customer’s or its Authorized User’s request in using the Software; or (iii) to comply with other reasonable instructions of the Customer (e.g., via email or support tickets) that are consistent with the terms of this Addendum (individually and collectively, the “Purpose”). If Customer’s Affiliates have placed Orders with Nasuni for the Software under the Agreement, then this Addendum amends those Orders, and each such Affiliate shall be deemed to be the “Data Controller” for Personal Data pertinent to its Order for the purposes of this Addendum. Customer shall be responsible for coordinating all communications with Nasuni and Customer’s Affiliates under this Addendum and shall be entitled to make and receive any communication in relation to this Addendum, and Customer hereby enters into this Addendum, on behalf of itself and its Affiliates.
9. Customer
(a) Customer will determine the scope, purposes, and manner by which the Personal Data may be accessed or Processed by Nasuni as set out in Schedule 1. Nasuni will process the Personal Data only as set forth in Customer’s written instructions.
(b) Customer warrants that it has all necessary rights to provide the Personal Data to Nasuni for the Processing to be performed in relation to the Services. To the extent required by the UK GDPR, Customer is responsible for ensuring that it has a legal basis for the processing and where necessary, the consent of the Data Subject. Where consent is the legal basis for processing, Customer shall ensure that a record of such consents is maintained. Should such a consent be revoked by the Data Subject, Customer is responsible for promptly communicating the fact of such revocation to Nasuni, and Nasuni remains responsible for implementing any Customer instruction with respect to the further Processing of such Personal Data.
10. Nasuni’s Obligations
To the extent Nasuni Processes Personal Data solely on behalf of the Customer, it shall:
(a) Process the Personal Data only on documented instructions from the Customer in such manner as, and to the extent that, this is appropriate for the provision of the Services, except as required to comply with a legal obligation to which Nasuni is subject. In such a case, Nasuni shall, to the extent legally permitted, inform the Customer of that legal obligation before Processing. Nasuni shall immediately inform the Customer if, in its opinion, an instruction infringes Data Protection Laws, including with regard to transfers of Personal Data to Third Countries;
(b) without prejudice to any existing contractual arrangements between the parties, treat all Personal Data as strictly confidential and inform all its employees, agents and/or approved sub-processors engaged in processing the Personal Data of the confidential nature of the Personal Data; further, Nasuni shall ensure that such persons or parties authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue the Purpose, subject to the requirements of this Addendum; and
(d) at all times have in place an appropriate written security policy with respect to the processing of Personal Data, outlining in any case the measures referenced in Section 11 below.
11. Security
(a) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for violations of the rights and freedoms of natural persons, without prejudice to any other security standards agreed upon by the parties, each of the Customer and Nasuni shall independently implement appropriate technical and organizational measures designed for the protection of the security, confidentiality and integrity of the Personal Data appropriate to the risk, taking into account the risks that are presented by the Processing, for example from accidental or unlawful destruction, loss, or alteration, unauthorized or unlawful storage, Processing, access or disclosure of Personal Data. These measures may include, as appropriate:
(i) controls to permit access to the Personal Data only by authorized personnel for the Purpose;
(ii) the pseudonymization and encryption of Personal Data;
(iii) controls for the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
(iv) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
(v) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing of Personal Data; and
(vi) measures to identify vulnerabilities with regard to the Processing of Personal Data in systems used to provide Services to the Customer.
(b) The parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in Data Protection Laws or by any Regulator.
(c) Nasuni shall, in accordance with applicable Data Protection Laws, make available to the Customer such information in Nasuni’s possession or control as the Customer may reasonably request with a view to demonstrating Nasuni’s compliance with the obligations of processors under Data Protection Law in relation to its processing of Personal Data. The Customer may exercise its right of audit under Data Protection Laws, through Nasuni providing: (a) an audit report not older than 12 months by a registered and independent external auditor demonstrating that Nasuni’s technical and organizational measures are sufficient and in accordance with an accepted industry audit standard (such as ISO 27001 or SSAE 18 SOC 2) and (b) additional information in Nasuni’s possession or control to the applicable regulator, including the UK Information Commissioner and/or an EU supervisory authority, when it requests or requires additional information in relation to the data processing activities carried out by Nasuni under this DPA. In the event that any such audit report identifies any deficiencies or non-compliance with Nasuni’s obligations, Nasuni will use commercially reasonable efforts to promptly address and rectify such deficiencies/non-compliance. Notwithstanding the foregoing, in no event shall Customer have access to the information of any other client of Nasuni and the disclosures made pursuant to this Section 11(c) (“Audit Information”) shall be held in confidence as Nasuni’s confidential information and subject to any confidentiality obligations in the Agreement.
12. International Transfers
IIn order to ensure adequate safeguards for the Personal Data where it is transferred from the Customer to Nasuni in a Third Country, the Customer shall comply with the data exporter’s obligations in the IDTA and/or the SCCs as applicable, and Nasuni shall comply with the data importer’s obligations in the IDTA and/or the SCCs as applicable in respect of that transferred Personal Data. The parties hereby enter into the IDTA and the SCCs, which are incorporated into and form part of this Addendum, by reference. To the extent that the IDTA or the SCCs, as a statutory mechanism to enable international data transfers, have been revoked, or held by a Regulator to be invalid, the Customer and Nasuni agree to cooperate in good faith to promptly terminate the transfer or to ensure suitable security mechanisms and processes are implemented to lawfully effect and support such transfer.
13. Sub-Processing
The Customer hereby grants Nasuni general written authorization to engage Nasuni’s Affiliates to Process the Personal Data of the Customer and authorizes Nasuni and its Affiliates to engage sub-processors in connection with the delivery of Services under the Agreement. As used herein, “sub-processor” means another Data Processor engaged by Nasuni to process Personal Data on behalf of Nasuni. The Customer hereby authorizes the use by Nasuni and its Affiliate of the sub-processors identified at https://www.nasuni.com/legal/data-processing-addendum/subprocessors/ (subject to the requirements of this Section 13). Nasuni may engage new sub-processors or may change sub-processors from time to time. Nasuni will provide the Customer with notice (by updating the sub-processor list at https://www.nasuni.com/legal/data-processing-addendum/subprocessors/ and by providing the Customer with a mechanism to receive notice of such updates) of any new sub-processor at least 14 days in advance of providing such sub-processor with access to Personal Data. The Customer will have 14 days from the date of receipt of the notice to approve or reject the new sub-processor. In the event of no response from the Customer, the sub- processor will be deemed accepted. If the Customer rejects the new or replacement sub-processor, Nasuni may terminate Services with immediate effect, and without liability to Nasuni, on written notice to the Customer. Nasuni shall enter into written agreements with its sub-processors containing data protection obligations that provide at least the same level of protection for the Personal Data as are imposed under this Addendum and shall in particular impose on its sub-processors the obligation to implement appropriate technical and organizational measures in such a manner that the sub-processing will meet the requirements of the applicable Data Protection Laws. Nasuni shall supervise the sub-processor’s compliance with its obligations and, where a sub-processor fails to fulfill its obligations, Nasuni shall remain fully liable under the applicable Data Protection Laws to the Customer for the performance of that sub-processor’s obligations.
14. Return Or Destruction Of Personal Data
Upon termination of this Addendum, upon the Customer’s written request, or upon fulfillment of the Purpose whereby no further Processing is required, Nasuni and the Customer agree that Nasuni shall either delete or destroy all Personal Data except where otherwise required by applicable law. The return of data may incur additional charges by Nasuni. Nasuni agrees to preserve the confidentiality of any retained Personal Data and will only Process such Personal Data after the date of termination in order to comply with the laws to which it is subject and to fulfill its obligations under this Addendum.
15. Assistance To Customer
(a) Nasuni shall, to the extent legally permissible, promptly notify the Customer of any requests from a Data Subject to exercise the rights of the Data Subject under Data Protection Laws, including: access, rectification, restriction of Processing, erasure (the “right to be forgotten”), data portability, objection to the Processing, or to not be subject to automated individual decision making (each a “Data Subject Request”). Taking into the account the nature of the Processing, Nasuni shall assist the Customer by appropriate technical and organizational measures, insofar as this is commercially reasonable, for the fulfilment of the Customer’s obligation to respond to the Data Subject Request under Data Protection Laws. In addition, to the extent the Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Nasuni shall, upon the Customer’s request, use commercially reasonable efforts to assist the Customer in responding to such Data Subject Request, to the extent Nasuni is legally permitted to do so and the response to such Data Subject Request is required under applicable Data Protection Laws.
(b) Upon the Customer’s request, Nasuni shall provide the Customer with reasonable cooperation and assistance to help the Customer fulfill its obligations (if applicable) under applicable Data Protections Laws with respect to carrying out a data impact assessment related to the Customer’s use of the Services, to the extent the Customer does not otherwise have access to the relevant information, and to the extent such information is available to Nasuni. Nasuni will provide reasonable assistance to the Customer in the cooperation or prior consultations with Regulators taking into account the nature of the Processing.
(c) The Customer shall be responsible for any costs arising from Nasuni’s provision of such assistance, under this Section 15.
16. Information Obligations and Incident Management
(a) If Nasuni becomes aware of an incident that materially adversely affects the Processing of the Personal Data that is the subject of the Agreement, it shall promptly notify the Customer about the incident, shall provide commercially reasonable cooperation to the Customer, and (to the extent such incident was caused by Nasuni’s negligent acts or omissions) shall take commercially reasonable steps designed to remediate the incident, if applicable, to the extent that remediation is within Nasuni’s control. The obligations of this Section 16(a) do not apply to incidents that are caused by the Customer, Authorized Users, and/or any products and services other than Nasuni’s.
(b) The term “incident” used in Section 16(a) shall mean in any case:
(i) a government investigation into or seizure of the Personal Data held by Nasuni or a sub-
processor, or a specific indication that such an investigation or seizure is imminent; or
(ii) any breach of the security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place.
(c) Nasuni shall maintain written records and procedures to enable it to promptly respond to the Customer about an incident. Where the incident is reasonably likely to require a data breach notification by the Customer under applicable Data Protection Laws, Nasuni shall implement its written procedures in such a way that it is able to notify the Customer in the time frame required by the applicable Data Protection Laws after becoming aware of such an incident.
17. Miscellaneous
(a) The liability of each party and its respective Affiliates’, taken together in the aggregate, arising out of or relating to this Addendum shall be subject to the section(s) of the Agreement governing limitations of liability, and any reference in such section(s) to the liability of a party means the aggregate liability of that party (and all of its Affiliates) to the other party (and all of its Affiliates) under the Agreement and all Data Processing Addendums together.
(b) This Addendum and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes and claims) shall be governed by and construed in accordance with the laws applicable to the Agreement of which this Addendum forms a part.
(c) This Addendum shall automatically terminate on the expiration or earlier termination of the Agreement.
(d) This Addendum is the final, complete and exclusive agreement of the parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter. Other than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this DPA. No modification of, amendment to, or waiver of any rights under the Addendum will be effective unless in writing and signed by an authorized signatory of each party. This Addendum may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement. Each person signing below represents and warrants that he or she is duly authorized and has legal capacity to execute and deliver this Addendum. Each party represents and warrants to the other that the execution and delivery of this Addendum, and the performance of such party’s obligations hereunder, have been duly authorized and that this Addendum is a valid and legally binding agreement on each such party, enforceable in accordance with its terms.
IN WITNESS WHEREOF, the parties have caused this Addendum to be executed by their duly authorized representatives as of the last date written below.
NASUNI CORPORATION CUSTOMER:
By:________________________________ By:__________________________________ Name:_____________________________ Name:_______________________________ Title:______________________________ Title:________________________________ Date:______________________________ Date:________________________________
Schedule 1
A. List of Parties
| Data importer | |
| Name, Address, Contact Person, Role of Contact Person and Contact Person Contact details | Nasuni Corporation One Marina Park Drive, 6th Floor Boston, MA 02210 Annie Bourne Chief Commercial and Compliance Counsel [email protected] |
| Activities relevant to the data transferred under the IDTA | Provision of the Services. |
| Role | Processor |
| Data exporter | |
| Name, Address, Contact Person, Role of Contact Person and Contact Person Contact details | |
| Activities relevant to the data transferred under the IDTA | Use of the Services provided by Nasuni. |
| Role | Controller |
B. Description of Transfer
| Categories of data subjects whose personal data is transferred | Authorized Users of the Services, as well as any other data subjects whose personal data may be included in Customer Data to which the Customer provides Nasuni access in order to provide the Services. |
| Categories of personal data transferred | Personal Data includes business contact and related information of Authorized Users and any personal data that may be included in Customer Data to which the Customer provides Nasuni access in order to provide the Services. |
| Sensitive data transferred | None, subject to the prior section. |
| The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis) | Personal data is transferred on a continuous basis in accordance with the instructions of the Customer, for the Term of each Agreement (as defined in the DPA). |
| Nature of the processing | Personal Data will be subject to Processing, which may include without limitation collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing Services to data exporter in accordance with the terms of the Agreement. |
| Purpose(s) of the data transfer and further processing | The transfer of Personal Data enables Nasuni to provide the Services under the Agreement. |
| The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | The duration of the Processing under this DPA shall continue as long as Nasuni carries out Personal Data Processing operations on behalf of Customer or until the termination of the Agreement (and all Personal Data has been destroyed or deleted in accordance with Section 14 of the Addendum). |
| For transfers to (sub-) processors, subject matter, nature and duration of the processing | As set out in Section 13 of the DPA. |
C. Technical and organizational measures
| Technical and organizational measures implemented by the Data Importer | Technical and organizational security measures are set out at https://www.nasuni.com/legal/technical-and-organizational-measures-of-security-toms-for-nasuni-file-data-platform/ Technical and organizational measures by which Nasuni will provide assistance to the Customer in responding to data subjects’ requests are set out at https://www.nasuni.com/legal/ and https://www.nasuni.com/legal/privacy/#yourrights |
D. Additional Matters
To the extent any Processing of Personal Data by Nasuni under the DPA takes place in any country outside the UK or the EEA (except if in an Adequate Country) this Schedule 1 shall apply to the Services and be incorporated into and form part of the Addendum.
For the purpose of clause 9(a) of the SCCs, OPTION 2 shall apply with notification time period of 10 days. For the purpose of clause 13(a) and Annex I.C. the SCCs, if the Data Exporter is established in an EU Member State or has appointed a representative pursuant to Article 27(1) GDPR (which shall in each case be indicated in the details set out at the head of the Addendum) then the competent supervisory authority shall be that of the country where the Data Exporter is established or where it has appointed such representative. Otherwise if the Data Exporter is not established in an EU Member State and has not appointed a representative but the GDPR applies, the competent supervisory authority for the purpose of Clause 13 Standard Contractual Clauses shall be identified at the head of the DPA.
For the purpose of clause 17 of the SCCs, OPTION 2 shall apply and the agreed law shall be the law of the country identified in the details set out at the head of this Addendum. For the purpose of clause 18(b) of the SCCs, the parties agree to the courts of the same country. The optional clause 7 of the SCCS (docking clause) shall be included.
Without prejudice to the Standard Contractual Clauses or the IDTA, these additional terms set out the Parties’ interpretation of their obligations under specific terms of the Standard Contractual Clauses and, where applicable, the IDTA. Where a Party complies with the interpretations set out in this Schedule 1, that Party shall be deemed by the other Party to have complied with its commitments under the Standard Contractual Clauses and the IDTA:
(a) Appointment of new sub-processors: Pursuant to 9(a) of the Standard Contractual Clauses, Data Exporter acknowledges and expressly agrees that Data Importer will appoint sub-processors in accordance with Section 13 of this Addendum.
(b) Notification of new sub-processors and Objection Right for new sub- processors: Pursuant to 9(a) of the SCCs, Data Exporter acknowledges and expressly agrees that Data Importer may engage new sub-processors as described in Section 13 of this Addendum.
(c) Copies of sub-processor agreements: The Parties agree that the requirement for copies of the sub-processor agreements for the purpose of audit or inspection (pursuant to 9(c) of the SCCs) may be met by way of the audit and records provisions at Section 11(c) of this Addendum.
(d) Audit and Records: Data Exporter acknowledges and agrees (unless otherwise required by law) that it exercises its audit right under Clause 8.9(c) of the SCCs by instructing Data Importer to comply with the audit measures described in Section 11(c) of this Addendum.
(e) Obligation after the termination of personal data-processing services: Data Exporter agrees that the Data Importer may fulfil its obligation to return or destroy all the personal data on the termination of the provision of data-processing services under Clause 8.5 of the SCCs by complying with the measures described in Section 14 of this Addendum.
E. Supplementary Clauses
1. Non-receipt of directives under FISA Section 702 representation:
Nasuni represents and warrants that, as of the date of this contract, it has not received any national security orders of the type described in Paragraphs 150-202 of the judgment in the European Court of Justice Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (“Schrems II”).
2. FISA Section 702 ineligibility representation:
Nasuni represents that to the best of Nasuni’s knowledge, it is not eligible to be required to provide information, facilities, or assistance of any type under Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) because:
(a) No court has found Nasuni to be the type of entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C§ 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition.
(b) If Nasuni were to be found eligible for Section 702, which it believes it is not, it is nevertheless also not the type of provider that is eligible to be subject to Upstream collection (“bulk” collection) pursuant to FISA Section 702, as described in paragraphs 62 & 179 of the Schrems II judgment.
Nasuni will promptly notify the Data Exporter if the circumstances in this clause 2 change.
3. Court-review safeguard:
Nasuni shall promptly assess, and use all reasonable legal mechanisms to challenge, any demands for data access through national security processes it receives in relation to data exporter’s data as well as any non-disclosure provisions attached thereto.
To the extent available Nasuni will seek interim measures to suspend the effects of any such order or demand until a court has finally decided that it is lawful and effective. For the avoidance of doubt, Nasuni shall not disclose the personal data requested until required to do so under the applicable procedural rules and will provide only the minimum amount of information permissible when responding to such order, based on a reasonable interpretation of that order.
In the event such an order or demand is received, Nasuni shall, as far as is lawfully practicable: inform the requesting public authority of the incompatibility of any such order with the safeguards comprised in the Clauses and the resulting conflict of obligations on Nasuni; and simultaneously and as soon as reasonably possible, notify the data exporter and/or competent supervisory authority within the EEA or UK of the order.
4. EO 12333 non-cooperation:
Nasuni represents that to the best of Nasuni’s knowledge, it is not required to take any action pursuant to U.S. Executive Order 12333.
5. Notice of non-compliance:
Nasuni shall promptly notify the data exporter if Nasuni can no longer comply with the Standard Contractual Clauses and shall do so as far as practicable in advance to the receipt of personal data from the data exporter. Such notification shall take place without undue delay and within 72 hours of Nasuni determining that it can no longer (or will no longer be able to) comply. Under such circumstances (including, for the avoidance of doubt, where Nasuni is able to identify ahead of their implementation, any legal or policy developments which may lead to an inability to comply with obligations under the EU SCCs or UK SCCs) the data exporter hereby authorizes Nasuni to promptly secure or return, or delete or securely encrypt, all relevant personal data, without the need for further instructions from the data exporter.
6. Further reassurance:
Nasuni:
(a) Certifies that it has not purposefully created back doors or similar programming that could be used to access its systems and/or personal data; not purposefully created or changed its business processes in a manner which facilitates access to personal data or systems; and that national law or government policy does not require it to create or maintain back doors or to facilitate access to personal data or systems or for Nasuni to be in possession of or to hand over encryption keys in respect of personal data transferred under the Clauses; and
(b) Shall provide all assistance reasonably requested by the data exporter to support data subjects in exercising their rights and the data exporter shall provide all information, cooperation and assistance reasonable required by Nasuni to do so.