[Recently updated: August 31st 2021]
This Data Processing Agreement (“DPA”) is an integral part of the Service Agreement executed between Namogoo and the Client (“Agreement”). Capitalized terms not defined herein shall have the respective meanings given to them in the Agreement. This DPA sets forth the Parties’ responsibilities and obligations regarding the Processing of Personal Data or Personal Information during the course of the engagement between the Parties.
1.1 “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. Seq.
1.2 “Controller”, “Processor”, “Personal Data”, “Data Subject”, “Personal Data”, “Processing” (and “Process”), “Personal Data Breach” and “Special Categories of Personal Data” shall all have the meanings given to them in EU Data Protection Law. The terms “Personal Information”, “Business”, “Business Purpose”, “Consumer”, “California Consumer”, “Service Provider” and “Sell” shall have the meaning ascribed to them in the CCPA. “Data Subject” shall also mean and refer to “Consumer” as such term is defined in the CCPA. “Personal Data” shall also mean “Personal Information” for the purpose of this DPA.
1.3 “Client Data” means any and all Personal Data associated with Client’s end-users and Processed in connection with the provision of the Services by Namogoo under Agreement.
1.4 “Data Protection Law” means any and all applicable privacy and data protection laws and regulations, including, where applicable, EU Data Protection Law and the CCPA, including, where applicable, Israeli Privacy Protection Regulations (Data Security) 5777-2017Israeli Privacy Protection Law, 5741-1981, the regulations promulgated pursuant thereto, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017 and other related privacy regulations (“Israeli Law”), all as may be amended or superseded from time to time.
1.5 “EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) Regulation 2018/1725;(iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); and (iii) any legislation replacing or updating any of the foregoing.
1.6 “Personal Data” or “Personal Information” means any information which (i) can be related, describes, is capable of being associated with, an identifiable individual, including any information that can be linked to an individual or used to directly or indirectly identify an individual or Data Subject; and; (ii) processed by Namogoo pursuant to the Agreement, including by way of access, and may include, inter alia, unique ID, cookies, etc.
1.7 “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data of the other Party. For the avoidance of doubt, any Personal Data Breach of the other Party’s Personal Data will comprise a Security Incident.
1.8 “Standard Contractual Clauses” mean the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR and adopted by the European Commission Decision 2021/914 of 4 June 2021 which is attached herein by linked reference: https://eur-lex.europa.eu/legal content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN.
2. RELATIONSHIP OF THE PARTIES
2.1 The Parties acknowledge that in relation to all Client Data, as between the Parties, the Client is the Controller of Client Data and Namogoo, in providing the Service, is acting as a Processor on behalf of Client. For the purpose of the CCPA (and to the extent applicable), the Client is the Business, and Namogoo is the Service Provider.
2.3 The purpose, subject matter, and duration of the Processing carried out by the Processor on behalf of the Controller, the nature and purpose of the Processing, the type of Personal Data, and categories of Data Subjects are described in ANNEX I attached hereto.
3.1 The Client represent and warrant that: (i) its Processing instructions shall comply with applicable Data Protection Law; (ii) it will comply with Data Protection Law, specifically with regards to the lawful basis principal for Processing Personal Dataand all applicable CCPA provisions; and (iii) if required, the Client will obtain end user consent to any Processing by Namogoo on behalf of the Client and the Client shall add any disclosures required subject to Data Protection Laws regarding the Processing of Personal Data by Namogoo on the Client’s behalf.
3.2 Namogoo represents and warrants that it (i) shall process Personal Data only under the Client’s instructions, and as set forth under Article 28(3) of the GDPR. Namogoo will process the Personal Data on behalf of Client, solely for the purpose of providing the Services and for the pursuit of a Business Purpose as set forth under the CCPA, all in accordance with Client’s written instructions including the Agreement and this DPA; (ii) in the event the Namogoo is required under applicable laws to Process Client Data other than as instructed by Client, Namogoo shall make its best efforts to inform Client of such requirement prior to Processing such Client Data unless prohibited under applicable law; and (iii) the Client shall ensure that it obtains a proper affirmative act of consent from Data Subjects in the event required in accordance with applicable Data Protection Law and other relevant privacy requirements in order to Process Personal Data as set out herein, including providing Data Subjects with necessary privacy notices. Such notice may be by displaying a cookie notice or through the privacy notice, all as required by applicable Data Protection Laws.
3.3 Namogoo will make available to the Client all information in its disposal necessary to demonstrate compliance with the obligations under Data Protection Law, shall maintain all records required by Article 30(2) of the EU Data Protection Law, and shall make them available to the Clients upon request.
4. RIGHTS OF DATA SUBJECT AND PARTIES COOPERATION OBLIGATIONS
4.1 It is agreed that where Namogoo receives a request from a Data Subject or an applicable authority in respect of Personal Data Processed by it, where relevant, Namogoo will direct the Data Subject or the applicable authority to the Client in order to enable the Client to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws. Both Parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law.
4.2 Where applicable, Namogoo shall assist the Client to ensure that Personal Data Processed is accurate and up to date by informing the Client without delay if Namogoo becomes aware that the Personal Data it is processing is inaccurate or has become outdated.
5. NAMOGOOS’S PERSONNEL
5.1 Namogoo shall take reasonable steps to ensure (i) the reliability of its staff and any other person acting under its supervision who may come into contact with or otherwise have access to and Process Personal Data; (ii) that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and (iii) ensure that such personnel is aware of their responsibilities under this DPA and any Data Protection Laws.
6. NO SALE OF PERSONAL DATA
6.1 It is hereby agreed that any disclosure of Personal Data between the Parties is done solely in order to fulfill a Business Purpose. Therefore, Such Processing of Personal Data shall not be considered a “Sell” under the CCPA.
7.1 Client acknowledges that Namogoo may transfer Personal Data to and otherwise interact with third-Party data Processors (the “Sub-Processor”). The Client hereby authorizes Namogoo to engage and appoint such Sub-Processors to Process Personal Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf. Namogoo may continue to use those Sub-Processors already engaged by Namogoo, as listed in ANNEX III, and Namogoo may engage an additional or replace an existing Sub-Processor to process Personal Data subject to providing a 30 days prior notice to the Client. In case the Client has not objected to the adding or replacement of a Sub-Processor, such Sub-Processor shall be considered as approved by the Client. In the event the Client objects, its sole remedy is to terminate the Agreement.
7.2 Namogoo shall, where it engages any Sub-Processor, impose, through a legally binding contract between Namogoo and the Sub-Processor, data protection obligations no less onerous than those set out in this DPA on the Sub-Processor. Namogoo shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Data Protection Law. Namogoo shall, upon written request by the Client, provide such Sub-Processor’s contract and any subsequent amendments. To the extent necessary to protect a business secret or other confidential information, including Personal Data, as shall be determined by Namogoo’s sole discretion, Namogoo may redact the text of the contract prior to sharing the copy with the Client.
7.3 Namogoo shall remain fully responsible for the performance of the Sub-Processor’s obligations in accordance with its contract. Namogoo shall notify the Client of any failure by the Sub-Processor to fulfill its contractual obligations.
8. TECHNICAL AND ORGANIZATION MEASURES
8.1 Taking into account state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, without prejudice to any other security standards agreed upon by the Parties, Namogoo shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and in accordance with best industry practices to protect data from a Security Incident. Parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. Technical and organizational measures implemented by Namogoo (including any relevant certifications) to ensure an appropriate level of security.
8.2 Upon Client request and subject to Namogoo shall provide with Namogoo’s ISO27001 certification.
8.3 The security measures are further detailed in ANNEX II.
9. SECURITY INCIDIENT
9.1 Namogoo will notify Client upon becoming aware of any confirmed Security Incident involving Client Data in Namogoo’s possession or control, as determined by Namogoo in its sole discretion. Namogoo will, in connection with any Security Incident affecting Client Data: (i) take needed steps to contain, remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) cooperate with the Client and provide Client with needed assistance and information as it may reasonably require in connection with the Security Incident; (iii) notify Client in writing of any request, inspection, audit or investigation by a supervisory authority or other authority; and (iv) keep the Client informed of all material developments in connection with the Security Incident and execute a response plan to address the Security Incident; and (v) cooperate with the Client and assist the Client, in the Client’s expense, with the Client’s obligation to notify affected individuals in the case of Security Incident.
9.2 Namogoo’s notification regarding or response to a Security Incident under this Section 9 shall not be construed as an acknowledgment by Namogoo of any fault or liability with respect to the Security Incident.
10. DATA AUDIT RIGHTS
10.1 Namogoo shall respond to inquiries from the Client regarding the Processing of Personal Data in accordance with this DPA, and shall make available to the Client all information necessary to demonstrate compliance with the obligations under the EU Data Protection Laws.
10.2 Namogoo shall make available, solely upon prior written notice and no more than once per year, unless in the event of a Security Incident, to a reputable auditor nominated by Client, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Client Data (“Audit”) in accordance with the terms and conditions hereunder. The Audit shall be subject to the terms of this DPA and standard confidentiality obligations (including towards third Parties). Namogoo may object to an auditor appointed by Client in the event Namogoo reasonably believes the auditor is not suitably qualified or independent, is a competitor of Namogoo, or otherwise unsuitable (“Objection Notice”). The Client will appoint a different auditor or conduct the Audit itself upon its receipt of an Objection Notice from Namogoo. The Client shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall), over the course of such Audit, avoid causing any damage, injury, or disruption to Namogoo’s premises, equipment, personnel, and business. Any and all conclusions of such an Audit shall be confidential and reported back to Namogoo immediately.
10.3 Any information obtained under this Section 10 shall be deemed Confidential Information and are subject to the confidentiality obligations set forth in the Agreement.
11. DATA TRANSFER
11.1 The Client acknowledges and agrees that in order to be provided with the Services the Parties shall transfer and Namogoo may access and Process the Personal Data from territories which are not part of the EEA. In the event the Processing includes transferring of Personal Data to a country that has not received the adequacy decision from the European Commission (“Approved Country”) or is not exempt under Article 49 of the GDPR (collectively “Restricted Transfer”), the following shall apply:
11.1.1 In order to maintain the integrity, security and confidentiality of the Personal Data, a Restricted Transfer shall be subject, in addition to the terms of this DPA, to the terms and obligations of the Module II of the Standard Contractual Clauses in which event Namogoo shall be deemed as the Data Importer and the Client shall be deemed as the Data Exporter.
11.1.2 The purpose and description of the transfer shall be detailed in ANNEX I
11.2 The Client further agrees that where Namogoo engages a Sub-Processor, in accordance with Section 7 above for carrying out specific processing activities (on behalf of the Client) and those processing activities involve a transfer of Personal Data within the meaning of Chapter V of the GDPR, Namogoo and the Sub-Processor can ensure compliance with Chapter V of GDPR by using Standard Contractual Clauses in which event Namogoo shall be deemed as the Data Exporter and the Sub-Processor shall be deemed as the Data Importer. For the purposes of such engagement, Namogoo and the Sub-Processor will enter into Module III of the Standard Contractual Clauses.
11.3 Namogoo agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Standard Contractual Clauses. Subject to Clause 13 of the Standard Contractual Clauses, the jurisdiction of the competent supervisory authority shall be either in the jurisdiction of the lead supervisory authority or the EU representative or an EU establishment. Further, subject to Clause 17 the Standard Contractual Clauses shall be governed by the law of the EU Member State in which the Client is established. Notwithstanding the above, subject to Clause 18 the Data Subject may also bring legal proceedings against the Parties before the courts of the Member State in which he/she has his/her habitual residence.
12.1 In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. Except as set forth herein, all of the terms and conditions of the Agreement shall remain in full force and effect.
13 TERM & TERMINATION
13.1 This DPA shall be effective as of the Effective Date and shall remain in force until the Agreement terminates. The Client shall be entitled to suspend the Processing of Client Data in the event Namogoo is in breach of Data Protection Laws, this DPA or a binding decision of a competent court or the competent supervisory authority.
13.2 Namogoo shall be entitled to terminate this DPA or terminate the Processing of Client Data in the event the Processing of Personal Data under the Client’s instructions or this DPA infringe applicable legal requirements. Such termination shall be subject to informing the Client and the Client insists on compliance with the instructions.
13.3 At the written request of the Client, following termination of this DPA and unless applicable law or regulatory requires the storage of the Client’s Personal Data, Namogoo shall delete all Client’s Personal Data processed on behalf of the Client and certify to the Client that it has done so, or return all the Client’s Personal Data to the Client and delete existing copies,. Until the data is deleted or returned, Namogoo shall continue to ensure compliance with this DPA.
DETAILS OF PROCESSING AND TRANSFERRING OF CLIENT PERSONAL DATA
This Schedule I includes certain details of the Processing of Client Data as required by Article 28(3) GDPR and details of transferring Personal Data subject to the Standard Contractual Clauses.
Categories of data subjects whose Personal Data is processed or transferred:
Client’s end users who interact with the Client’s website
Categories of Personal Data processed and transferred:
Depending on the Services obtained by the Client (i.e., IBP, CHP, etc.) the following categories may be applicable:
- IP Address
- Website interaction data (e.g. browsing behavior, click-events, page-calls)
- Contact Information
Sensitive data processed or transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, for instance strict purpose limitations, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Nature of the processing and transferring:
Depending on the Services obtained by the Client: CHP – Security and fraud deduction; or IBP- optimization.
Purpose(s) for which the Personal Data is processed or transferred on behalf of the controller:
Providing the Services
Duration of the processing:
For the duration of the Services according to the Agreement.
For transfers to (sub-) Processors, also specify subject matter, nature and duration of the processing.
The sub-processors are hosting services/storage providers. All of the above is applicable to the sub-processors.
TECHNICAL AND ORGANISATIONAL MEASURES
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, and the risks for the rights and freedoms of natural persons:
Physical Access Control
Namogoo ensures the protection of unwanted and unauthorized physical access to its servers and facilities where it stores the Information. Namogoo has chosen the reputable Snowflake as its main cloud data lake provider. The Information collected by Namogoo is stored in Snowflake’s data servers, which are protected by industry best standards including PCI DCS and ISO 27001. Further, Namogoo secures the physical access to its offices using a passcode to ensure that solely authorized individuals such as employees and authorized external parties (maintenance staff, visitors, etc.) can access Namogoo’s offices. Namogoo’s offices all have fire and smoke alarms in place. All data backups are stored in data safes protected from fire and water.
System Access Control
The access to Namogoo’s databases is highly restricted, based on protections implemented in order to ensure that only authorized personnel can access the database. Namogoo implements appropriate safeguards related to remote access and wireless computing capabilities. The systems are protected and access is limited solely to authorized employees with a designated password. Employees are assigned users with private passwords that allow strict access or use of Information, all in accordance with such employee’s position, and solely to the extent such access or use is required. There is constant monitoring of the access to the Information, the passwords used to gain access and as well as real-time authentication protocols. Namogoo uses automated tools to identify non-human login attempts and rate-limiting login attempts to minimize the risk of a brute force attack.
Data Access Control
User authentication measures have been put in place in order to ensure that access to the Information is restricted solely to those the employees who have been given permission to access it and to ensure that the Information is not accessed, modified, copied, used, transferred or deleted without specific authorization for such actions to be done. Employees are educated and tested with regards to security of the Information. Any access to Information, as well as any action performed involving the use of Information requires a valid password and username, which is routinely changed, as well as blocked when applicable. Each employee is able to perform actions solely in accordance with the permissions granted to him by Namogoo. Furthermore, Namogoo conducts ongoing reviews of the employees who have been given authorization to access the Information, in order to assess whether such access is still required. Namogoo revokes access immediately upon termination of the employment or for any other reason for which Namogoo believes such access authorizations are redundant.
Organizational and Operational Security
Namogoo invests resources in an ongoing manner to ensure that Namogoo’s security policies and practices are being complied with, including continuously providing employees with training in connection with such security policies and practices. Namogoo strives to raise awareness regarding the risks involved in the processing of Information. In addition, Namogoo implements applicable safeguards for its hardware and software, including the installation of firewalls and anti-virus software on applicable Namogoo property in order to protect against malicious software as well as any intrusions to Namogoo’s systems.
All transfers of Information between the Client’s side and the Namogoos’ servers are protected by the use of encryption safeguards prior to the transfer of any Information. Backup files are checked with checksums daily and stored on a local disk. In order to minimize the risk of Personal Data being accessed by unauthorized third Parties during an electronic transmission, Namogoo has implemented applicable safeguards such as L2TP, IPsec (or equivalent protection), as well as encryption of the Personal Data prior to the transfer of any Personal Data.
On July 16, 2020, Europe’s highest court (“CJEU”) invalidated the EU-US Privacy Shield. Additionally, on September 8, 2020, the Swiss Data Protection Authority announced in a position statement that it no longer considers the Swiss-U.S. Privacy Shield adequate for the purposes of transfers of Personal Data from Switzerland to the U.S. Namogoo ensures any data transfer is done in a secure manner, in compliance with the latest EDPB recommendations concerning data transfer as well as contractually sign a Data Processing Agreement which incorporate the Standard Contractual Clauses which remain a valid data export mechanism and which automatically apply in accordance with our Data Processing Agreement.
Personal Data is retained for as long as needed for us to provide our services or as required under applicable laws.
Prior to Namogoo’s engagement with third party contractors, Namogoo undertakes diligence reviews of such third party contractors, including by conducting a risk assessment with respect to their security policies and practices. Third party contractors may solely access the Information as explicitly instructed by Namogoo. Furthermore, Namogoo ensures that all its engagements with third party contractors include effective rights of control with respect to any Personal Data processed on behalf of Namogoo and the destruction of Personal Data following termination of an engagement with third Parties. In addition, to the extent applicable, Namogoo’s partners are required to execute an applicable Data Processing Agreement (to the extent they are processing any Personal Data on behalf of Namogoo).
Namogoo maintains backup policies and associated measures which include permanent monitoring of operational parameters as relevant to the backup operations. Furthermore, Namogoo’s servers include an automated backup procedure. Periodical checks are performed to determine that the backup has occurred. Namogoo also conducts regular controls of the condition and labelling of data storage devices for data security. Namogoo ensures that regular checks are carried out to determine whether it is possible to undo the backup, as required and applicable.
Namogoo Implements encryption at rest of customer data as well as encryption in transit of all communication between client and service, as well as communication between elements in the services. In some cases, encryption is based on underline cloud provider services. Encryption between Namogoo customers and the Namogoo application is enabled using a minimum HTTPS TLS 1.2 authenticated tunnel
External penetration test is performed on an annual basis. The penetration tests include, but are not limited to, testing procedures to prevent customers, groups of individuals, or other entities from accessing confidential information other than their own. The penetration tests and security scans are performed by a reputable third party vendor. In addition, Namogoo conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment. Actions are taken to remediate identified deficiencies on a timely basis. Vulnerability scans are performed using external tools, in order to detect potential security breaches.
|Fastly Inc.||475 Brannan St. #300. San Francisco, CA 94107||CDN|
|Microsoft Corporation (Microsoft Azure )||475 Brannan St. #300. San Francisco, CA 94107||Storage|
|Amazon Web Services, Inc.||410 Terry Avenue North, Seattle, WA||Storage|
|Snowflake, Inc.||Snowflake Computing Netherlands B.V.||Storage|