Data Privacy
Last Updated: January 20, 2025
We know our customers are subject to various data privacy laws around the globe, including the General Data Protection Regulation (GDPR) in Europe, the California Consumer Privacy Act (CCPA) in California, and others. Here’s what you need to know about Novi AMS as your SaaS provider.
1. Is Novi AMS a Processor or Controller Under Applicable Data Privacy Laws?
Both. For the purposes of this document, a “controller” is the entity that determines the purposes and means of processing personal data. A “processor” is the entity that processes personal data on behalf of, and under the instructions of, a controller. Controller shall also include “business” under the CCPA, and processor shall include “service provider” under the CCPA.
Novi AMS is a processor as it relates to the delivery of its services. Novi AMS may operate as an independent controller for other processing activities, including but not limited to providing our products and services, monitoring and preventing fraud, complying with legal or regulatory obligations, and analyzing, developing, and improving our products and services. Ultimately, determining data privacy compliance is our customers’ obligation. But we want to help.
In addition to having a Data Processing Addendum that outlines Novi’s obligations as a processor, here are some additional ways Novi AMS supports our customers in their data privacy compliance journey:
- Only processing personal data according to the controller's instructions: Novi only processes data on behalf of its customers. We do not sell customer data or de-identify customer data for purposes other than those outlined in our Terms of Service.
- Vetting subprocessors: When Novi uses sub-processors such as a cloud services provider, we choose providers that understand and can comply with relevant data privacy regimes, such as Microsoft Azure.
- Technical and organizational measures to secure personal data: Novi has implemented a multi-level security plan to secure our systems and protect your personal data. Personal data is always encrypted in transit and is never shared outside of individuals authorized by association staff. Novi's platform is PCI compliant for all financial transactions, as personal information such as credit card numbers never touches Novi servers. Novi voluntarily submits to regularly scheduled penetration testing and security reviews of our systems organized by Intuit. In addition, Novi regularly monitors its systems for any suspicious activity and can react proactively to any identified threats. Learn more about Novi's security measures.
- Data breach notification: Novi has formal incident detection and response procedures. If we confirm that unauthorized access to customer data has occurred, we will notify the affected customers quickly.
- DPIAs & Responses: Novi will help customers with their obligation to perform Data Protection Impact Assessments (DPIA) and respond to relevant authorities.
- Data Access and Portability: Novi AMS includes tools to help you manage data access requests and export personal data when required. This allows you to respond to data subjects’ requests to access or transfer their information.
- Data Minimization and Security: We follow industry-standard security practices to protect your data, including encryption and regular security assessments. We also provide features that allow you to control and limit data collection, helping with data minimization.
- Data Processing Agreement: If you are a Novi customer, you can view a copy of our Data Processing Agreement (“DPA”) here.
2. Your Responsibilities as a Novi AMS Customer
While Novi AMS provides a secure platform with privacy-supporting features, your organization has additional responsibilities to ensure compliance:
- Data Collection and Consent: Obtain explicit consent from individuals as required by law before collecting their personal data, especially if your website uses tracking technologies like cookies. Be transparent about data collection practices and explain how the data will be used.
- Responding to Data Requests: Your organization should be prepared to respond promptly to data subject requests, using Novi AMS tools where possible.
- Data Breach Response: You are required to comply with applicable legal requirements around data breaches. We recommend you develop an internal process to detect and respond to data breaches and work with Novi AMS support if assistance is needed.
- Working with Legal and Privacy Experts: Data privacy compliance can be complex and nuanced. We recommend consulting with legal or privacy experts to understand your organization’s specific requirements and responsibilities.
3. Disclaimer
Novi AMS provides tools and best practices to assist with data privacy compliance, but we are not privacy consultants. Your organization is responsible for data privacy compliance, and we recommend consulting legal professionals for specific guidance.