Data Processing Addendum
Last Updated: January 20, 2025
This Data Processing Addendum (“Addendum”) amends and forms part of the SaaS Terms between Novi, Inc. (“Provider”) and Client (the “Agreement”). Provider and Client are individually referred to as a Party and collectively as the Parties. In the event of a conflict between the Agreement and this Addendum, the more stringent terms shall govern. All capitalized terms not specifically defined in this Addendum shall be read to have the meaning given to those terms in the Agreement.
1. Definitions
- 1.1 “Applicable Data Protection Law(s)” means all international, federal, state, local, and provincial data privacy and security laws and regulations applicable to the Processing of Personal Information, inclusive of all applicable implementing regulations, as adopted.
- 1.2 “Data Security Incident” means actual unauthorized access to, destruction of, loss of, alteration of, exfiltration of, theft of, or disclosure of Client Personal Information transmitted, collected, stored, controlled, or otherwise in the possession or control of Provider.
- 1.3 “Data Subject” shall have the same meaning as “data subject”, “consumer”, or similar terms used under any Applicable Data Protection Laws.
- 1.4 “De-identified Data” shall have the same meaning as “de-identified”, “deidentified”, “anonymized”, “pseudonymous”, and any similar terms used under Applicable Data Protection Laws.
- 1.5 “Controller” shall have the same meaning as “controller”, “business” or similar terms used under any Applicable Data Protection Laws.
- 1.6 “EU-SCCs” has the meaning set forth in Section 8.2.
- 1.7 “GDPR” means the EU General Data Protection Regulation 2016/679 with respect to Data Subjects in the European Economic Area.
- 1.8 “Personal Information” shall have the same meaning as “personal information”, “personal data”, or similarly defined terms and phrases under Applicable Data Protection Laws.
- 1.9 “Process,” “Processed,” or “Processing” shall also have the same meaning as those terms are defined under Applicable Data Protection Laws.
- 1.10 “Processor” shall have the same meaning as “processor”, “service provider”, or “contractor” under any Applicable Data Protection Laws.
- 1.11 “Sale”, “Sell”, and “Share” shall have the same meaning as “sale”, “sell”, and “share” under any Applicable Data Protection Laws.
- 1.12 “Services” shall mean the services provided by Provider to Client pursuant to the Agreement.
- 1.13 “Sub-Processor” means any person (including any third party, but excluding an employee of Provider) appointed on behalf of Provider to Process Personal Information.
2. Roles of the Parties
- 2.1 In the course of providing Services to Client, Provider may be asked from time to time by Client, or on Client’s behalf, to Process Client Personal Information. Personal Information may be provided to Provider from Client, Client’s members, affiliates or partners, or other third parties on Client’s behalf for the limited and specific purposes set forth in the Agreement.
- 2.2 The Parties acknowledge and agree that Client will operate as a Controller for Personal Information provided or made available to Provider under the Agreement, and Provider will operate as a Processor, unless otherwise agreed to between the Parties. Client is and will at all relevant times remain duly and effectively authorized to give instructions to Provider concerning the Processing of Personal Information pursuant to the Agreement. Provider expressly agrees to follow the instructions of Client when Processing Personal Information.
3. Applicable Data Protection Law Compliance
- 3.1 Provider agrees to comply with all Applicable Data Protection Laws as they relate to its Processing of Personal Information under the Agreement. Provider must promptly notify Client if it can no longer meet its obligations under Applicable Data Protection Laws.
- 3.2 Client shall have the right to take reasonable and appropriate steps to ensure that Provider and any Sub-Processor are Processing Personal Information consistent with Applicable Data Protection Laws and the Agreement. Upon reasonable written notice, Client shall be permitted to take reasonable and appropriate steps to stop and remediate any unauthorized or unlawful Processing of Personal Information. Provider shall immediately notify Client in the event Provider considers an instruction from Client to infringe upon any Applicable Data Protection Laws.
4. Processing of Personal Information
- 4.1 Provider shall only Process Personal Information for the purpose of carrying out the Services set forth in the Agreement and as otherwise permitted under Applicable Data Protection Laws. The subject-matter of the Processing of Personal Information is the performance of the Services set forth in the Agreement. The duration of the Processing is for the term of the Agreement. The nature and purpose of the Processing includes performing the Services under the Agreement. The types of Data Subjects whose Personal Information may be Processed are set forth in the Agreement.
- 4.2 The Parties agree that any transfer, disclosure, or making available of Personal Information by Client to Provider under the Agreement and this Addendum is not intended to be a Sale or Sharing of Personal Information. Provider is prohibited from Selling or Sharing Personal Information it receives or has access to under the Agreement and this Addendum. Provider is further prohibited from retaining, using, disclosing, sharing, or otherwise Processing Personal Information it receives from Client for any purpose other than to perform the Services and to carry out the purposes set forth in the Agreement. Provider is further prohibited from retaining, using, disclosing, or sharing Personal Information beyond the business relationship between Provider and Client.
- 4.3 Provider is prohibited from combining any Personal Information it receives or has access to under the Agreement with any other Personal Information received from third-party sources, or that it collects directly from individuals. Notwithstanding this restriction, Provider may combine Personal Information with other forms of Personal Information if Provider is required to do so in order to perform the Services under the Agreement.
- 4.4 To the extent Provider Processes De-identified Data, Provider expressly agrees to comply with all Applicable Data Protection Laws as they relate to maintaining De-identified Data.
- 4.5 At Client’s direction, Provider agrees to delete or return to Client all Personal Information, as requested, after the provision of the Services is complete, unless retention of said Personal Information is required under applicable law, including but not limited to Applicable Data Protection Laws.
5. Sub-Processors
- 5.1 Provider may engage Sub-Processors in connection with the provision of the Services, including but not limited to the Processing of Personal Information. Where reasonably feasible and materially necessary, Provider shall enter into an agreement with each Sub-Processor containing obligations no less protective than those in this Addendum.
6. Personnel
- 6.1 Provider agrees to take all reasonable steps to ensure that persons authorized to Process Personal Information under the Agreement and this Addendum: (i) are bound by appropriate contractual obligations or are under appropriate obligations of confidentiality; and (ii) Process Personal Information only upon the instructions of Client, unless otherwise required under Applicable Data Protection Laws.
7. Security Measures
- 7.1 Provider shall implement and maintain appropriate and reasonable administrative, technical, physical, and organizational safeguards appropriate to the sensitivity of the Personal Information being Processed under the Agreement and this Addendum.
8. International Data Transfers
- 8.1 Data Transfer Obligations. Provider may access and Process Personal Information on a global basis as necessary to provide the Services in accordance with the Agreement; in particular, Personal Information may be transferred to and Processed in the United States and in other jurisdictions where Provider’s Sub-Processors have operations. Wherever Personal Information is transferred outside its country of origin, each Party will ensure such transfers are made in compliance with the requirements of Applicable Data Protection Laws.
- 8.2 EEA Transfers. If Client transfers Personal Information originating in the European Economic Area (EEA) to Provider in a country that has not been found to provide an adequate level of protection under Applicable Data Protection Laws, the Parties agree that the transfer shall be governed by the standard contractual clauses promulgated by Commission Implementing Decision (EU) 2021/914, Module Two (Transfer Controller to Processor), available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN (“EU-SCCs”), subject to the following modifications:
- 8.2.1 Client is the “data exporter” and Provider is the “data importer”;
- 8.2.2 the Module Two terms apply to the extent Provider is also a Controller, and the Module Three terms apply to the extent Client is a Processor;
- 8.2.3 in Clause 7, the optional docking clause applies;
- 8.2.4 in Clause 9, Option 2 applies, and changes to Sub-Processors will be notified in accordance with the ‘Sub-Processors’ section of this Addendum;
- 8.2.5 in Clause 11, the optional language is deleted;
- 8.2.6 in Clauses 17 and 18, the parties agree that the governing law and forum for disputes for the EU-SCCs will be determined in accordance with the governing law section in the Agreement, or, if such section does not specify an EU Member State, the Republic of Ireland (without reference to conflicts of law principles);
- 8.2.7 the Annexes of the EU-SCCs will be deemed completed with the information set out in this Addendum;
- 8.2.8 the supervisory authority that will act as competent supervisory authority will be determined in accordance with GDPR; and
- 8.2.9 if and to the extent the EU-SCCs conflict with any provision of this Addendum, the EU-SCCs will prevail to the extent of such conflict.
9. Data Security Incident
- 9.1 In the event of a Data Security Incident, Provider shall notify Client within a reasonable period of time of the discovery of such incident. In any such notification, Provider shall provide Client with sufficient information, as available at the time of notification, to reasonably assist Client in assessing the Data Security Incident. Provider will promptly notify Client of any third-party legal process relating to a Data Security Incident of which Provider is aware, or as otherwise required in accordance with Applicable Data Protection Laws or other applicable legal obligation (e.g., statute, court order, contract).
10. Data Protection Impact Assessment
- 10.1 Upon reasonable written request, Provider shall provide full and prompt cooperation with and assistance to Client with respect to any legal obligation in connection with Processing of Personal Information, including but not limited to, Client’s undertaking of any data protection impact assessments as required under the Applicable Data Protection Laws.
11. Data Subject Requests
- 11.1 Provider agrees to reasonably cooperate with Client to respond to any request by a Data Subject concerning Personal Information, as required by Applicable Data Protection Laws.