This Data Protection Addendum (hereinafter referred to as the “Addendum”) is hereby entered into by and between Novarise R&D Ltd. (referred to as “Novarise”) and the Customer who agrees to the terms of this Addendum (hereinafter referred to as the “Customer”).
This Addendum shall become effective as of the Addendum Effective Date (as defined below) and shall supersede any previously applicable data protection addendum.
By accepting this Addendum on behalf of the Customer/Affiliate, you affirm and warrant the following:
- You have read and comprehended this Addendum.
- You possess full legal authority to bind yourself or the relevant entity to these Terms.
- You, on behalf of the party you are representing, agree to the terms outlined in this Addendum.
If you lack the legal authority to bind the Customer, kindly refrain from proceeding with the “Sign/Accept/Opt IN” action.
Terms Defined by the General Data Protection Regulation (GDPR):
- “Addendum Effective Date” refers to the date when the Customer clicked to accept or opt-in to this Addendum.
- “Adequate Country” designates a country that the European Commission deems as adequate under Article 25(6) of Directive 95/46/EC or Article 45 of the GDPR.
- “Data Subject” pertains to the identifiable individual who is the subject of Personal Data.
- “Personal Data” encompasses any information within the Customer Data relating to an identified or identifiable natural person. An identifiable individual is someone who can be directly or indirectly identified, particularly through an identification number or specific factors related to their physical, physiological, mental, economic, cultural, or social identity.
- “Processing” is as defined by the applicable EU Data Protection Law, and the terms “process,” “processes,” and “processed” shall be interpreted accordingly.
- “Data Controller” designates the party responsible for determining the purposes and methods of processing Personal Data.
- “Data Processor” signifies the party that processes Personal Data on behalf of, or under the instruction of, the Data Controller.
- “Data Transfer Mechanism” represents an alternative solution for lawful export of Customer Data (as recognized under EU Data Protection Law) from the EEA.
- “Data Protection Laws” for a party encompass all relevant privacy, data protection, information security-related, and other regulations applicable to that party, including, where applicable, EU Data Protection Law.
- “Data Protection Authority” denotes the competent body in the jurisdiction responsible for enforcing applicable Data Protection Law.
- “EEA” refers to the European Economic Area, United Kingdom, and Switzerland.
- “EU Data Protection Law” includes:
  - a. Prior to May 25th, 2018, European Union Directive 95/46/EC; and
  - b. On and after May 25th, 2018, European Union Regulation 2016/679 (“GDPR”).
- References to “written instructions” and related terms encompass the Data Controller’s instructions for the Processing of Customer Data, including:
  - a. The terms of the Agreement and this Addendum,
  - b. Processing facilitated by Data Controller through the Service, and
  - c. Other reasonable written instructions from Data Controller, consistent with the Agreement’s terms.
- “Model Contracts” refers to the Standard Contractual Clauses for Processors approved by the European Commission under Decision 2010/87/EU in the form accessible in the Novarise Workspace.
- “Security Incident” denotes any unauthorized or unlawful confirmed security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data within Data Processor’s control.
- “Subprocessor” stands for any Third Party engaged by Data Processor or its affiliates to process Customer Data according to the Agreement or this Addendum.
- “Third Party” encompasses any natural or legal person, public authority, agency, or any other entity aside from the Data Subject, Data Controller, Data Processor, Subprocessors, or individuals authorized by the Data Controller or Data Processor to process data directly under their authority.
Other capitalized terms not defined herein carry the meanings specified in the Agreement.
Terms Defined by Novarise with Respect to GDPR:
- “Data Subjects” are defined to encompass the individuals about whom data is provided to Novarise via the Services by the Customer (or under the Customer’s direction).
- “Details of Processing Subject Matter” refers to the subject matter of the data processing governed by this Addendum, which is the Customer Data.
- “Duration of the Processing” signifies the duration of data processing governed by this Addendum. It spans from the commencement of the Agreement until the Agreement’s termination, along with the period from the Agreement’s expiration to the deletion of all Customer Data by Novarise, following the Addendum’s terms.
- “Nature and Purpose of the Processing” outlines the purpose of the Processing within the scope of this Addendum. This purpose involves providing the Service to the Customer and fulfilling Novarise’s obligations under the Agreement (including this Addendum), or as otherwise mutually agreed upon by the parties.
- “Categories of Data” entail data related to individuals provided to Novarise during Customer sign-up, login, product usage, website interaction, and engagement with advertisements.
- “Security Measures” are the measures that Novarise commits to implementing. These measures are commercially reasonable technical and organizational safeguards intended to prevent unauthorized access, use, alteration, or disclosure of the Service or Customer Data.
- This Addendum is an integral component of the Agreement. Except as explicitly outlined in this Addendum, the Agreement remains unaltered and fully effective. In cases of conflict between this Addendum and the Agreement, this Addendum shall prevail in connection with the Processing of Customer’s Personal Data.
- All actions under this Addendum, including but not limited to Customer Data Processing, remain subject to the applicable liability limitations specified in the Agreement.
- This Addendum shall be governed by and construed according to the governing law and jurisdiction provisions in the Agreement, unless otherwise stipulated by applicable Data Protection Laws.
- This Addendum and the Model Contracts shall automatically terminate upon the expiration or termination of the Agreement.
4. Scope and applicability of this addendum:
- This regulation applies to the processing of personal data concerning the activities of the establishment of a Controller or a Processor in the EU.
- This Addendum is applicable where and to the extent that Novarise processes Customer Data originating from the EEA or otherwise subject to EU Data Protection Law on behalf of the Customer while providing the Service as per the Agreement.
5. Role and scope of the processing:
- In this Addendum, Customer assumes the role of the Data Controller, while Novarise acts as the Data Processor. Both Customer and Novarise are obliged to adhere to the relevant Data Protection Laws in fulfilling their responsibilities as outlined within this Addendum.
- The ownership rights to Customer Data, as stated in the Agreement, remain vested with the Customer. Except when explicitly authorized in writing by Customer or as directed by Customer, Novarise holds no direct or indirect rights to sell, rent, lease, merge, display, modify, perform, transfer, or reveal the Customer Data or any derivative works thereof. Novarise shall conduct its actions strictly in accordance with Customer’s instructions concerning Customer Data Processing, except as restricted by applicable Data Protection Laws.
- Any supplementary instructions that deviate from the Agreement’s scope necessitate prior written consent from both parties, including agreement on any extra fees payable by the Customer.
- Notwithstanding the above, Customer acknowledges that Novarise has the right to utilize Aggregated Anonymous Data, as described in the Agreement Section 4.4.
- Novarise is prohibited from disclosing Customer Data to any Third Party, except in accordance with Customer’s directives or when compelled to do so by legal obligations. Prior to any such mandatory disclosure, Novarise is obligated to inform Customer in writing, to the extent permitted by Data Protection Laws.
- It is clarified that this Addendum does not restrict Novarise from transmitting Customer Data (including Personal Data) as instructed by the Customer through the Service.
- Novarise’s obligations, as stipulated in this Addendum, extend to its employees, agents, and Subprocessors who may access Personal Data.
- The Customer grants Novarise the authorization to engage Subprocessors (including cloud infrastructure providers) for Personal Data Processing, under the condition that Novarise:
  - Establishes a written agreement with each Subprocessor that enforces data protection obligations akin to those outlined in this Addendum; and
  - Remains accountable for adhering to the obligations specified in this Addendum, as well as for any actions or omissions of the Subprocessor that lead to Novarise’s violation of its obligations.
- Information concerning Subprocessors, including their roles and locations, is accessible upon request and may be updated by Novarise periodically, in line with this Addendum.
- Novarise is obligated to institute and sustain suitable technical and organizational security measures, adhering to Novarise’s security standards, to safeguard Personal Data against Security Incidents and maintain its confidentiality and security.
- Customer bears the responsibility of reviewing the data security-related information made available by Novarise. Customer must independently assess whether the Service aligns with its requirements and legal obligations under Data Protection Laws. Customer acknowledges that the Security Measures may evolve with technological advancements, and Novarise may update or modify them, provided such updates do not compromise the overall security of the Service.
- Novarise is to ensure that any individual authorized by the Customer to process Personal Data (including staff, agents, and Subprocessors) is held by an appropriate contractual or statutory obligation of confidentiality.
8. Onward transfer:
- Subject to compliance with this Section 8, Novarise may store and process Customer Data globally, in locations where Novarise, its affiliates, or Subprocessors conduct data processing operations.
- In instances where Novarise processes Personal Data protected by GDPR and/or originating from the EEA in a country outside the EEA not designated as an Adequate Country, the parties shall execute the Model Contracts.
- The parties acknowledge Novarise as the “data importer” and Customer as the “data exporter” under the Model Contracts (despite Customer’s potential location outside the EEA).
- Should Novarise opt for an Alternative Transfer Mechanism, the data export solution stated in Section 8.B will not apply. In such cases, the Alternative Transfer Mechanism will take precedence, but only to the extent it encompasses the territories to which Personal Data is transferred.
9. Regulatory compliance:
- At the request and expense of the Customer, Novarise will reasonably assist the Customer as required to fulfill its obligations to regulatory authorities, including Data Protection Authorities.
- Novarise will provide reasonable assistance to the Customer (at the Customer’s cost) in addressing individuals’ requests related to their data access, rectification, erasure, restriction, portability, and objection rights. Should such requests be directed to Novarise, Novarise shall not respond independently without the prior authorization of the Customer, except when mandated by Data Protection Laws.
10. Reviews of data processing:
- Upon the Customer’s request, Novarise will offer written responses to all reasonable inquiries relevant to the Processing of Personal Data under this Addendum. These responses may include answers to security and audit questionnaires, but solely to the extent necessary for verifying Novarise’s adherence to this Addendum.
- Novarise will provide this information within thirty (30) days of the Customer’s written request, unless a shorter notice period is demanded by the Customer’s regulatory authorities.
- Except when explicitly required by Data Protection Laws, reviews under this Section 10 will:
  - Be carried out no more frequently than once per year during Novarise’s standard business hours, without disruption to regular business operations.
  - Adhere to Novarise’s reasonable confidentiality and security limitations.
  - Be conducted at the Customer’s expense.
  - Not extend to any information, systems, or facilities pertaining to Novarise’s other customers or Third Party infrastructure providers.
- Any data shared by Novarise under this Section 10 is to be regarded as Novarise’s Confidential Information, as defined in the Agreement.
11. Return or deletion of Data:
- Within ninety (90) days following a request from the Customer upon termination or expiration of the Agreement, Novarise will delete or return, as per the Customer’s choice, all Personal Data from Novarise’s systems. After a reasonable period following deletion, upon Customer’s request, Novarise will furnish written confirmation of fulfillment of its data deletion or destruction obligations.
- However, the Customer acknowledges that Novarise may be obligated to retain Customer Data as required by Data Protection Laws. Such retained data will remain subject to the provisions of this Addendum.
12. Additional security:
- Upon confirming a Security Incident, Novarise will promptly notify the Customer, in line with the Security Measures. Nevertheless, Novarise is not obliged to provide such notice if Data Protection Laws prohibit it, and Novarise may delay such notice as necessitated by law enforcement and/or in light of Novarise’s need to investigate or address the issue before giving notice.
- Each notice of a Security Incident will include:
  - The extent to which Personal Data has been, or is reasonably believed to have been, used, accessed, acquired, or disclosed during the incident.
  - A description of the incident, including its date and the date of discovery, if known.
  - The known scope of the incident.
  - A description of Novarise’s response to the incident, including mitigation steps to reduce harm.
- Novarise will take reasonable actions to mitigate the adverse effects of the Security Incident and prevent further unauthorized access or disclosure.
13. Changes to subprocessors:
When any new Subprocessor is engaged, Novarise will, at least a week before the new Subprocessor processes any Customer Data, inform Customer of the engagement by sending an email or via the in-app notification.
14. Further cooperation:
- Where and when required by Data Protection Laws, Novarise will provide the relevant Data Protection Authorities with information related to Novarise’s Processing of Personal Data. Novarise further agrees that it will maintain such required registrations and where necessary renew them during the term of this Addendum. Any changes to Novarise’s status in this respect shall be notified to Customer immediately either via email or in-app notifications.
- To the extent Novarise is required under Data Protection Laws, Novarise shall (at Customer’s expense) provide reasonably requested information regarding the Service or prior consultations with Data Protection Authorities to enable Customer to carry out data protection impact assessments. Novarise