[Recently updated: February, 21st 2021]
This Data Processing Agreement (“DPA”) is an integral part of the Service Agreement executed between Namogoo and the Client (“Agreement”). Definitions used herein shall have the same meaning as defined in the Agreement.
This DPA shall apply only to the extent that: EU Data Protection Law (as defined below) applies to the Processing of Personal Data under the Agreement, including if: (a) the Processing is in the context of the activities of an establishment of either party in the European Economic Area (the “EEA”); or (b) the Personal Data relates to Data Subjects who are located in the EEA and the Processing relates to the offering to them of goods or services or the monitoring of their behavior in the EEA by or on behalf of a party; or (c) The Personal Data relates to California Consumers, as defined below.
1.1 “Data Protection Law” means any and all applicable privacy and data protection laws and regulations including, where applicable, EU Data Protection Law and the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. Seq. (“CCPA”), as may be amended or superseded from time to time.
1.2 “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” (and “Process”), “Personal Data Breach” and “Special Categories of Personal Data” shall all have the meanings given to them in EU Data Protection Law. The terms “Business”, “Business Purpose”, “Consumer”, “California Consumer”, “Service Provider” and “Sell” shall have the meaning ascribed to them in the CCPA. “Data Subject” shall also mean and refer to “Consumer” as such term is defined in the CCPA.
1.3 “Client Data” means any and all Personal Data associated with Client’s visitors or end-users and Processed in connection with the provision of the Services by Namogoo under Agreement.
1.4 “EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iii) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); and (iv) any legislation replacing or updating any of the foregoing.
1.5 “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach of the other party’s Personal Data will comprise a Security Incident.
1.6 Personal Data” or “Personal Information” means any information which (i) can be related, describes, is capable of being associated with, an identifiable individual, including any information that can be linked to an individual or used to directly or indirectly identify an individual or Data Subject; and; (ii) processed by Namogoo pursuant to the Agreement, including by way of access, and may include, inter alia, unique ID, cookies, etc.
2. RELATIONSHIP OF THE PARTIES
2.2. The subject matter and duration of the Processing carried out by the Processor on behalf of the Controller, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Schedule 1 attached hereto.
3.1 The parties represent and warrant that they comply with applicable Data Protection Laws, the Client further represents and warrants will comply with EU Data Protection Law, specifically with regards to the lawful basis principle for Processing Personal Data.
3.2 Namogoo represents and warrants that it shall process Personal Data only under the Client’s instructions, and as set forth under Article 28(3) of the GDPR. Namogoo will process the Personal Data on behalf of Client, solely for the purpose of providing the Services and for the pursuit of a Business Purpose as set forth under the CCPA, all in accordance with Client’s written instructions including the Agreement and this DPA. Notwithstanding the above, in the event the Namogoo is required under applicable laws to Process Client Data other than as instructed by Client, Namogoo shall make its best efforts to inform Client of such requirement prior to Processing such Client Data, unless prohibited under applicable law.
3.3 Namogoo will make available to Client all information in its disposal necessary to demonstrate compliance with the obligations under Data Protection Law, shall maintain all records required by Article 30(2) of the EU Data Protection Law, and shall make them available to the Clients upon request.
3.5 Notwithstanding the above, in the event the Client is an Israeli based corporation the Israeli Privacy Protection Regulations (Data Security) 5777-2017 and related regulations shall apply. The parties hereby undertakes that they comply with the aforesaid regulations.
4. PROCESSING OF PERSONAL DATA AND COMPLIANCE WITH DATA PROTECTION LAW
As between the parties, Client undertakes, accepts and agrees that Namogoo and the Data Subject do not have a direct relationship. Client shall ensure that it obtains a proper affirmative act of consent from Data Subjects in the event required in accordance with applicable Data Protection Law and other relevant privacy requirements in order to Process Personal Data as set out herein, including providing Data Subjects with necessary privacy notices. Such notice may be by displaying a cookie notice or through the privacy notice, all as required by applicable Data Protection Laws.
5. RIGHTS OF DATA SUBJECT AND PARTIES COOPERATION OBLIGATIONS
It is agreed that where Namogoo receives a request from a Data Subject or an applicable authority in respect of Personal Data Processed by it, where relevant, Namogoo will direct the Data Subject or the applicable authority to the Client in order to enable the Client to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws. Both parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law.
6. NO SALE OF PERSONAL DATA
It is hereby agreed that any disclosure of Personal Data between the parties is done solely in order to fulfill a Business Purpose, such Processing of Personal Data shall not be considered as a “Sell” under the CCPA.
Client acknowledges that Namogoo may transfer Personal Data to and otherwise interact with third party data processors (the “Sub-Processor”). Client hereby, authorizes Namogoo to engage and appoint such Sub-Processors to Process Personal Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf. Namogoo may continue to use those Sub-Processors already engaged by Namogoo and Namogoo may engage an additional or replace an existing Sub-Processor to process Personal Data provided that it notifies Client of its intention to do so. Namogoo shall, where it engages any Sub-Processor, impose, through a legally binding contract between Namogoo and the Sub-Processor, data protection obligations no less onerous than those set out in this DPA on the Sub-Processor. Namogoo shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Data Protection Law.
8. TECHNICAL AND ORGANIZATION MEASURES
Namogoo hereby confirms that it has implemented and will maintain appropriate physical, technical and organizational measures to protect Client Data as required under Data Protection Laws, taking into account the state of art and cost of implementation, in order to ensure lawful processing of Client Data and safeguard Client Data from unauthorized, unlawful or accidental processing, access, disclosure, loss, alteration or destruction. Technical and organizational security measures implemented by the data importer are as set out in Namogoo’s Security Policy- www.namogoo.com/security which Client can review online.
9. SECURITY INCIDIENT
Namogoo will notify Client upon becoming aware of any confirmed Security Incident involving Client Data in Namogoo’s possession or control. Namogoo’s notification regarding, or response to a Security Incident under this Section 9 shall not be construed as an acknowledgment by Namogoo of any fault or liability with respect to the Security Incident. Namogoo will, in connection with any Security Incident affecting Client Data: (i) quickly and without delay, take needed steps to contain, remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) cooperate with the Client and provide Client with needed assistance and information as it may reasonably require in connection with the Security Incident; and (iii) notify Client in writing of any request, inspection, audit or investigation by a supervisory authority or other authority.
10. DATA AUDIT RIGHTS
Namogoo shall make available, solely upon prior written notice and no more than once per year, to a reputable auditor nominated by Client, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Client Data (“Audit”) in accordance with the terms and conditions hereunder. The Audit shall be subject to the terms of this DPA and standard confidentiality obligations (including towards third parties). Namogoo may object to an auditor appointed by Client in the event Namogoo reasonably believes the auditor is not suitably qualified or independent, is a competitor of Namogoo or otherwise unsuitable (“Objection Notice”). Client will appoint a different auditor or conduct the Audit itself upon its receipt of an Objection Notice from Namogoo. The Client shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to Namogoo’s premises, equipment, personnel and business. Any and all conclusions of such an Audit shall be confidential and reported back to Namogoo immediately.
11. DATA TRANSFER
Where EU Data Protection Law applies, neither party shall transfer Personal Data to a territory outside of the EEA or to a country that the European Commission does not provide adequate protection for Personal Data. In the event the parties have agreed to transfer Personal Data outside the EEA, such transfer shall be pursuant to EU Commission Decision 2010/87/EU, which are incorporated herein by reference (“Standard Contractual Clauses” or “SCC”). For the purpose of the Standard Contractual Clauses, the Client shall be the data exporter and Namogoo shall be the data importer, developer and operator of analytic and security platform; The parties contact information shall be as set out in the Agreement; The Data Subjects are as set in Schedule A attached; The categories of Personal Data are as set in Schedule A attached; The processing operations include processing of data subject’s IP and Unique ID; Technical and organizational security measures implemented by the data importer are as set out in Namogoo’s Security Policy- www.namogoo.com/security which Client can review online.
In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. Except as set forth herein all of the terms and conditions of the Agreement shall remain in full force and effect.
DETAILS OF PROCESSING OF CONTROLLER PERSONAL DATA
This Schedule 1 includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Personal Data:
Processing shall be carried out in connection with the provision of the Services. The duration shall be for the duration of the Term as defined in the Agreement or as requested by the Client.
The nature and purpose of the Processing of Personal Data:
To provide the Services to the Client.
The types of Personal Data and Special Categories of Personal Data Processed:
The categories of Data Subjects to whom the Personal Data or Special Categories of Personal Data relates: