DATA PROCESSING AGREEMENT
This Data Processing Addendum (“DPA”) is an integral part of the Service Agreement executed between Namogoo and the Client (“Agreement”). Definitions used herein shall have the same meaning as defined in the Agreement.
This DPA shall apply only to the extent that: EU Data Protection Law (as defined below) applies to the Processing of Personal Data under the Agreement, including if: (a) the Processing is in the context of the activities of an establishment of either party in the European Economic Area (the “EEA”); or (b) the Personal Data relates to Data Subjects who are located in the EEA and the Processing relates to the offering to them of goods or services or the monitoring of their behavior in the EEA by or on behalf of a party; or (c) The Personal Data relates to California Consumers, as defined below.
As between the parties, Client undertakes, accepts and agrees that Namogoo and the Data Subject do not have a direct relationship. Client shall ensure that it obtains a proper affirmative act of consent from Data Subjects in the event required in accordance with applicable Data Protection Law and other relevant privacy requirements in order to Process Personal Data as set out herein, including providing Data Subjects with necessary privacy notices. Such notice may be by displaying a cookie notice or through the privacy notice, all as required by applicable Data Protection Laws.
It is agreed that where Namogoo receives a request from a Data Subject or an applicable authority in respect of Personal Data Processed by it, where relevant, Namogoo will direct the Data Subject or the applicable authority to the Client in order to enable the Client to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws. Both parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law.
It is hereby agreed that any disclosure of Personal Data between the parties is done solely in order to fulfill a Business Purpose, such Processing of Personal Data shall not be considered as a “Sell” under the CCPA.
Client acknowledges that Namogoo may transfer Personal Data to and otherwise interact with third party data processors (the “Sub-Processor”). Client hereby, authorizes Namogoo to engage and appoint such Sub-Processors to Process Personal Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf. Namogoo may continue to use those Sub-Processors already engaged by Namogoo and Namogoo may engage an additional or replace an existing Sub-Processor to process Personal Data provided that it notifies Client of its intention to do so. Namogoo shall, where it engages any Sub-Processor, impose, through a legally binding contract between Namogoo and the Sub-Processor, data protection obligations no less onerous than those set out in this DPA on the Sub-Processor. Namogoo shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Data Protection Law.
Namogoo hereby confirms that it has implemented and will maintain appropriate physical, technical and organizational measures to protect Client Data as required under Data Protection Laws, taking into account the state of art and cost of implementation, in order to ensure lawful processing of Client Data and safeguard Client Data from unauthorized, unlawful or accidental processing, access, disclosure, loss, alteration or destruction. Technical and organizational security measures implemented by the data importer are as set out in Namogoo’s Security Policy- www.namogoo.com/security which Client can review online.
Namogoo will notify Client upon becoming aware of any confirmed Security Incident involving Client Data in Namogoo’s possession or control. Namogoo’s notification regarding, or response to a Security Incident under this Section 9 shall not be construed as an acknowledgment by Namogoo of any fault or liability with respect to the Security Incident. Namogoo will, in connection with any Security Incident affecting Client Data: (i) quickly and without delay, take needed steps to contain, remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) cooperate with the Client and provide Client with needed assistance and information as it may reasonably require in connection with the Security Incident; and (iii) notify Client in writing of any request, inspection, audit or investigation by a supervisory authority or other authority.
Namogoo shall make available, solely upon prior written notice and no more than once per year, to a reputable auditor nominated by Client, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Client Data (“Audit”) in accordance with the terms and conditions hereunder. The Audit shall be subject to the terms of this DPA and standard confidentiality obligations (including towards third parties). Namogoo may object to an auditor appointed by Client in the event Namogoo reasonably believes the auditor is not suitably qualified or independent, is a competitor of Namogoo or otherwise unsuitable (“Objection Notice”). Client will appoint a different auditor or conduct the Audit itself upon its receipt of an Objection Notice from Namogoo. The Client shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to Namogoo’s premises, equipment, personnel and business. Any and all conclusions of such an Audit shall be confidential and reported back to Namogoo immediately.
Where EU Data Protection Law applies, neither party shall transfer Personal Data to a territory outside of the EEA or to a country that the European Commission has decided provides adequate protection for Personal Data. In the event the parties have agreed to transfer Personal Data outside the EEA, such transfer shall be pursuant to EU Commission Decision 2010/87/EU, which are incorporated herein by reference (“Standard Contractual Clauses” or “SCC”). For the purpose of the Standard Contractual Clauses, the Client shall be the data exporter and Namogoo shall be the data importer, developer and operator of analytic and security platform; The parties contact information shall be as set out in the Agreement; The Data Subjects are as set in Schedule A attached; The categories of Personal Data are as set in Schedule A attached; The processing operations include processing of data subject’s IP and Unique ID; Technical and organizational security measures implemented by the data importer are as set out in Namogoo’s Security Policy- www.namogoo.com/security which Client can review online.
In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. Except as set forth herein all of the terms and conditions of the Agreement shall remain in full force and effect.
DETAILS OF PROCESSING OF CONTROLLER PERSONAL DATA
This Schedule 1 includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Personal Data:
Processing shall be carried out in connection with the provision of the Services. The duration shall be for the duration of the Term as defined in the Agreement or as requested by the Client.
The nature and purpose of the Processing of Personal Data:
To provide the Services to the Client.
The types of Personal Data and Special Categories of Personal Data Processed:
The categories of Data Subjects to whom the Personal Data or Special Categories of Personal Data relates: