Data Protection Addendum

This Data Protection Addendum (“DPA”) is entered into as of the date of the last signature below (“Effective Date”), by and between the Customer (“Customer”) and Nintex Global Ltd. and its Affiliates (collectively, “Company”).


Last Updated: September 3, 2021


RECITALS:

(A) Company provides to Customer certain services (collectively, the “Services”) pursuant to an agreement between the parties (“Main Agreement”). In connection with the Services, the parties anticipate that Company may process certain Personal Data in respect of which the Customer or any member of a Customer Group may be a controller of that data under applicable EU Data Protection Laws.

(B) The parties agree to enter into this DPA in order to ensure that adequate safeguards are put in place with respect to the protection of such Personal Data as required by EU Data Protection Laws.


1. Definitions

1.1 The following definitions are used in this DPA:

(a) “Adequate Country” means a country or territory that is recognized under EU Data Protection Laws as providing adequate protection for Personal Data;

(b) “Affiliate” means, with respect to a party, any corporate entity that, directly or indirectly, Controls, is Controlled by, or is under Common Control with such party (but only for so long as such Control exists);

(c) “Company Group” means Company and any of its Affiliates;

(d) “Customer” means the entity that executed the Main Agreement together with its Affiliates which have signed Order Forms and who, or a member of whose Customer Group, is a data controller of Personal Data under EU Data Protection Laws;

(e) “Customer Group” means a Customer and any of its Affiliates established and/or doing business in the EEA, or the United Kingdom;

(f) “Data Subject Request” means a request from or on behalf of a data subject relating to access to, or rectification, erasure or data portability in respect of that person’s Personal Data or an objection from or on behalf of a data subject to the processing of its Personal Data;

(g) “EU Data Protection Laws” means the laws and regulations of the European Union, the European Economic Area and their member states that apply to the processing of Personal Data, including the General Data Protection Regulation 2016/679 (“GDPR”) as amended and replaced from time to time;

(h) “Model Clauses” means the model clauses approved by the European Commission for the transfer of personal data to processors established in third countries, which are set out in the European Commission’s Decision 2010/87/EU of 5 February 2010 and at http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087 and which along with the Appendices to the Model Clauses included in Schedule 1 to this DPA, form a part of this DPA;

(i) “Personal Data” means all data which is defined as ‘personal data’ under EU Data Protection Laws and which is provided by Customer to Company (directly or indirectly), and accessed or otherwise processed by Company as a data processor as part of its provision of the Services to Customer and to which EU Data Protection Laws apply from time to time;

(j) “controller”, “data subject”, “processor” and “supervisory authority” shall have the meanings ascribed to them in EU Data Protection Laws; and

(k) “sub-processor” means any entity engaged by the processor or any further sub-contractor to process Personal Data on behalf of and under the instructions of the controller.

1.2 An entity “Controls” another entity if it: (a) holds a majority of the voting rights in it; (b) is a member or shareholder of it and has the right to remove a majority of its board of directors or equivalent managing body; (c) is a member or shareholder of it and controls alone or pursuant to an agreement with other shareholders or members, a majority of the voting rights in it; or (d) has the right to exercise a dominant influence over it pursuant to its constitutional documents or pursuant to a contract; and two entities are treated as being in “Common Control” if either controls the other (directly or indirectly) or both are controlled (directly or indirectly) by the same entity.


2. Status of the parties

2.1 The type of Personal Data processed pursuant to this DPA and the subject matter, duration, nature and purpose of the processing, and the categories of data subjects, are as described below:

(a) Subject Matter of the Processing: Company’s provision of the Services to Customer.

(b) Nature and Purpose of the Processing: The collection, analysis, storage, duplication, deletion and disclosure as necessary to provide the Services and as may be further instructed by Company in writing.

(c) Duration of Processing: The Company will process the Personal Data for the duration of the Main Agreement, or until the data upon which processing is performed is no longer necessary for the purposes of either party performing its obligations under the Main Agreement (to the extent applicable), unless otherwise agreed between the parties in writing.

(d) Types of Data: Data relating to individuals provided to Company via the Services, by (or at the direction of) Customer or Customer Group, which may include but are not limited to administrative data such as full name, business email address, and IP address.

(e) Categories of Data Subjects: Data subjects are determined by the Customer’s use of the Services in its sole discretion, and may include customers, employees, suppliers and end users about whom data is provided to Company via the Services by (or at the direction of) Customer or Customer Group.

2.2 Each party warrants in relation to Personal Data that it will comply (and will procure that any of its personnel comply and use commercially reasonable efforts to procure that its sub-processors comply), with EU Data Protection Laws. As between the parties, Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.

2.3 In respect of the parties’ rights and obligations under this DPA regarding the Personal Data, the parties hereby acknowledge and agree that Customer is the data controller and Company is the data processor, and accordingly Company agrees that it shall process all Personal Data in accordance with its obligations pursuant to this DPA.

2.4 The individual identified on the front page of this DPA is authorised to respond from time to time to enquiries regarding the Personal Data on behalf of that party and each party shall deal with such enquiries promptly. Each party shall notify the other of any change in the identity of the authorised person.


3. Company obligations

3.1 With respect to all Personal Data, Company shall:

(a) only process Personal Data in order to provide the Service, and shall act only in accordance with: (i) this DPA, and (ii) Customer’s reasonable written instructions where the instructions are consistent with the Main Agreement;

(b) as soon as reasonably practicable upon becoming aware, inform Customer if, in Company’s opinion, any instructions provided by Customer under clause 1(a) infringe the GDPR;

(c) implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data. Such measures include, without limitation, the security measures set out in Annex 1;

(d) take reasonable steps to ensure that only authorized personnel have access to such Personal Data and that any persons whom it authorizes to have access to the Personal Data are under obligations of confidentiality;

(e) as soon as reasonably practicable upon becoming aware, notify Customer of any actual incident of unauthorised or accidental disclosure of or access to any Personal Data (a “Security Breach”), and take reasonable steps to remediate the Security Breach to the extent that remediation is reasonably within Company’s control;

(f) promptly provide Customer with reasonable cooperation and assistance in respect of a Security Breach and all reasonable information in Company’s possession concerning such Security Breach insofar as it affects Customer and/or any member of a Customer Group;

(g) not make any public announcement about a Security Breach without the prior written consent of Customer, unless required by applicable law;

(h) promptly notify Customer if Company receives a Data Subject Request. Company shall not respond to a Data Subject Request without Customer’s prior written consent except to confirm that such request relates to Company. Upon Customer’s request, Company shall provide reasonable assistance to Customer to facilitate Customer responding to a Data Subject Request within the deadlines set out under EU Data Protection Laws;

(i) other than to the extent required to comply with applicable law, as soon as reasonably practicable following termination or expiry of the Main Agreement or completion of the Service, Company will delete all Personal Data (including copies thereof) processed pursuant to this DPA;

(j) provide such assistance to Customer as Customer requests in relation to Customer’s obligations under EU Data Protection Laws with respect to:

(i) data protection impact assessments (as such term is defined in the GDPR);

(ii) notifications to the supervisory authority under EU Data Protection Laws and/or communications to data subjects by Customer in response to any Security Breach; and

(iii) Customer’s compliance with its obligations under the GDPR with respect to the security of processing.


4. Sub-processing

4.1 Customer grants a general authorization: (a) to Company to appoint other members of the Company Group as sub-processors, and (b) to Company and other members of the Company Group to appoint sub-processors in respect of the sub-processing activities in accordance with this section. Company has entered into a written agreement with each sub-processor containing data protection obligations not less protective than those imposed on the Company in this DPA. Where a sub-processor fails to fulfil its duty Company will be liable for the acts and omissions of its sub-processors to the same extent Company would be liable if performing the services of each sub-processor directly under the terms of this DPA, except as otherwise set forth in the Main Agreement.

4.2 Company will maintain a list of sub-processors, if any, and will add the names of new and replacement sub-processors to the list prior to them starting sub-processing of Personal Data.

4.3 If Customer has a reasonable objection to any new or replacement sub-processor, it shall notify Company of such objections in writing within ten (10) days of the notification and the parties will seek to resolve the matter in good faith. Company may choose to: (i) not use the sub-processor or (ii) take the corrective steps requested by Customer in its objection to the use of the sub-processor. If none of these options are reasonably possible within thirty (30) days, and Customer continues to object for a legitimate reason, then either party may terminate the applicable services or the Main Agreement. If Customer does not provide an objection within ten (10) days, Customer will be deemed to have consented to the sub-processor and waived its right to object.


5. Audit and records

Company shall, in accordance with EU Data Protection Laws, make available to Customer such information in Company’s possession or control, if any, and provide all assistance in connection with audits of Company’s premises, systems and documentation as Customer may reasonably request with a view to demonstrating Company’s compliance with the obligations of data processors under EU Data Protection Laws in relation to its processing of Personal Data. Customer will give Company written notice of at least thirty (30) days of any audit or inspection, and any such audit or inspection must be subject to reasonable confidentiality procedures. The frequency, time frame and scope of any audit will be mutually agreed upon between the parties acting reasonably and in good faith. Customer audits will be limited to remote audits to the extent possible. If an on-site audit is mandatory it will not exceed one day.


6. Data transfers

6.1 Customer acknowledges and accepts that the provision of the Services under the Main Agreement may require the processing of Personal Data by Company or sub-processors in countries outside the EEA.

6.2 For Personal Data that is subject to Data Protection Laws, to the extent any processing of Personal Data by Company takes place in any country outside the EEA that is not recognized by the European Commission as an Adequate Country, the parties agree that the Model Clauses will apply in respect of that transfer and processing, and Company will comply with the obligations of the ‘data importer’ in the standard contractual clauses and Customer will comply with the obligations of the ‘data exporter’.

6.3 If, in the performance of this DPA and/or the Main Agreement, Company transfers any Personal Data to a sub-processor located, or permits processing of any Personal Data by a sub-processor, in a country outside of the EEA that is not an Adequate Country (without prejudice to clause 4), Company shall, in advance of any such transfer, ensure that a legal mechanism to achieve adequacy in respect of that processing, approved in writing by Customer, is in place before the non-EEA processing begins, such as:

(a) the requirement for Company to execute or procure that the sub-processor execute the Customer’s Model Clauses; or

(b) the existence of any other specifically approved safeguard for data transfers (as recognised under EU Data Protection Laws) and/or a European Commission finding of adequacy.

6.4 To the extent consistent with the Model Clauses, the following term shall apply to the Model Clauses:

Company may appoint sub-processors as set out, and subject to the requirements of, clauses 4 and 6.4 of this DPA.


7. General

7.1 This DPA is without prejudice to the rights and obligations of the parties under the Main Agreement, which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Main Agreement, the terms of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data.

7.2 Without prejudice to clause 7 (Mediation and Jurisdiction) and clause 9 (Governing Law) of the Model Clauses, this DPA shall be governed by and construed in accordance with the laws of the country or territory stipulated for this purpose in the Main Agreement, and each of the parties agrees to submit to the choice of jurisdiction as stipulated in the Main Agreement in respect of any claim or matter arising under this DPA.

7.3 This DPA is the final, complete and exclusive agreement of the parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter. Other than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this DPA. No modification of, amendment to, or waiver of any rights under the DPA will be effective unless in writing and signed by an authorized signatory of each party. This DPA may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement. Each person signing below represents and warrants that he or she is duly authorized and has legal capacity to execute and deliver this DPA. Each party represents and warrants to the other that the execution and delivery of this DPA, and the performance of such party’s obligations hereunder, have been duly authorized and that this DPA is a valid and legally binding agreement on each such party, enforceable in accordance with its terms.


APPENDIX 1

to the Model Clauses

1. This Appendix forms part of the Model Clauses.

Data exporter

The data exporter is the Customer who concluded the Main Agreement.

Data importer

The data importer is Nintex and its Affiliates and sub-processors who provide the Services.

Data subjects

The Personal Data transferred concern the following categories of data subjects:

The data exporter may submit Personal Data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects: employees, contractors, business partners or other individuals.

Categories of data

The Personal Data transferred may include but is not limited to:

The data exporter may submit Personal Data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to: name, title, position, employer, phone number, email, time zone, ID data, system access, professional life data, personal life data, connection data, localization data.

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data:

The data exporter may submit special categories of data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion.

Processing operations

The personal data transferred will be subject to the following basic processing activities:

The performance of the Services as set out in the Main Agreement and Order Form.


APPENDIX 2

to the Model Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data processed by the Nintex Services, as described in the Nintex Global Product Sheet.


ANNEX 1

Security Measures

Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data processed by the Nintex Services, as described in the Nintex Global Product Sheet.