This Data Processing Addendum (“DPA”) forms part of the Agreement between the party identified in the Agreement (“Customer”) and Novity, Inc. (“Novity”) and applies to the extent that (i) Novity processes Personal Data on behalf of Customer in the course of providing Services, and (ii) the Agreement expressly incorporates this DPA by reference. This DPA does not apply where Novity is the Controller. All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.
- “Agreement” means the agreement and/or terms of service between Customer and Novity for the provision of the Services to Customer.
- “Controller” means an entity that determines the purposes and means of the processing of Personal Data.
- “Data Protection Laws” means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement.
- “GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation).
- “Personal Data” means any information relating to an identified or identifiable natural person that is processed by Novity in connection with the provision of the Services under the Agreement.
- “Personal Data Breach” means a breach of security in the provision of the Services resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- “Processor” means an entity that processes Personal Data on behalf of a Controller.
- “Services” means any Services provided by Novity to Customer pursuant to the Agreement.
- “Sub-processor” means any third party Processor engaged by Novity that processes Personal Data pursuant to the Agreement.
- Role of the Parties. As between Novity and Customer, Novity will process Personal Data under the Agreement only as a Processor acting on behalf of the Customer. Customer is the Controller with respect to all such Personal Data.
- Customer Processing of Personal Data. Customer will, in its use of the Services, comply with its obligations under Data Protection Laws in respect of its processing of Personal Data and any processing instructions it issues to Novity. Customer represents that it has all rights and authorizations and has provided/obtained all legally required notices/consents necessary for Novity to process Personal Data pursuant to the Agreement.
- Novity Processing of Personal Data.
2.3.1 Novity will comply with Data Protection Laws applicable to its provision of the Services, and will process Personal Data in accordance with Customer’s documented instructions. Customer agrees that the Agreement is its complete and final instructions to Novity in relation to the processing of Personal Data.
2.3.2 Processing any Personal Data outside the scope of the Agreement will require prior written agreement between Novity and Customer by way of written amendment to the Agreement, and will include any additional fees that may be payable by Customer to Novity for carrying out such instructions. Upon notice in writing, Customer may terminate the Agreement if Novity declines to follow Customer’s reasonable instructions that are outside the scope of, or changed from, those given or agreed to in the Agreement, to the extent such instructions are necessary to enable Customer to comply with Data Protection Laws.
2.3.3 Without limiting the generality of the foregoing, to the extent the California Consumer Privacy Act of 2018, as amended, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), applies to any Personal Data, such Personal Data will be disclosed by Customer to Novity for a ‘business purpose’ and Novity will act as Customer’s ‘service provider’, as such terms are defined under CCPA. Novity will not sell, rent, lease, release, retain, use or disclose Personal Data for a commercial purpose other than for the specific purpose of providing the Services, as further described in the Agreement, or as otherwise permitted by the CCPA.
- Processing of Personal Data Details.
2.4.1 Subject matter. The subject matter of the processing under the Agreement is the Personal Data.
2.4.2 Duration. The duration of the processing under the Agreement is determined by Customer and as set forth in the Agreement and will extend for the duration of the Agreement.
2.4.3 Purpose. The purpose of the processing under the Agreement is the provision of the Services by Novity to Customer as specified in the Agreement.
2.4.4 Nature of the processing. Novity and/or its Sub-processors are providing Services or fulfilling contractual obligations to Customer as described in the Agreement. These Services may include the processing of Personal Data by Novity and/or its Sub-processors on systems that may contain Personal Data.
2.4.5 Categories of data subjects. Customer determines the data subjects which may include Customer’s end users, employees, contractors, suppliers, and other third parties.
2.4.6 Categories of data. Novity receives and processes the following Personal Data from Customer and/or its authorized users:
First and Last Names
Telephone numbers (at user’s discretion)
GPS coordinates (at user’s discretion)
Device ID information
- Use of Sub-Processors. Novity engages Sub-processors to provide certain services on its behalf. Customer consents to Novity engaging Sub-processors to process Personal Data under the Agreement. Novity will be responsible for any acts, errors, or omissions of its Sub-processors that cause Novity to breach any of Novity’s obligations under this DPA.
- Obligations. Novity will enter into an agreement with each Sub-processor that obligates the Sub-processor to process the Personal Data in a manner substantially similar to the standards set forth in the DPA, and at a minimum, at the level of data protection required by Data Protection Laws (to the extent applicable to the services provided by the Sub-processor).
- Notice. A list of Novity Sub-processors is posted at https://www.novity.us/subprocessors
- Changes to Sub-processors. Novity agrees (i) to provide prior notice to Customer of any new engagement of a Sub-processor to process Personal Data if the Customer has subscribed to receive notification via the mechanisms that Novity provides for the specific Service; and (ii) if Customer objects to a new Sub-processor on reasonable data protection grounds within ten (10) days of receiving the notice, to discuss with Customer those concerns in good faith with a view to achieving resolution.
4. SECURITY MEASURES.
- Security Measures by Novity. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Personal Data and Processing activities, Novity will implement and maintain appropriate physical, technical and organizational security measures to protect against Personal Data Breaches and to preserve the security, accuracy and confidentiality of Personal Data processed by Novity on behalf of Customer in the provision of the Services (“Security Measures”). The Security Measures are subject to technical progress and development. Novity may update or modify the Security Measures from time to time provided that any updates and modifications do not result in material degradation of the overall security of the Services purchased by the Customer.
- Security Measures by Customer. Customer is responsible for using and configuring the Services in a manner that enables Customer to comply with Data Protection Laws, including implementing appropriate technical and organizational measures.
- Personnel. Novity restricts its personnel from processing Personal Data without authorization (unless required to do so by applicable law) and will ensure that any person authorized by Novity to process Personal Data is subject to an obligation of confidentiality.
- Prohibited Data. Customer acknowledges and agrees that the Services are not intended to process special category or highly sensitive Personal Data (such as an individual’s financial or health information, race or ethnicity, etc.) and Customer shall not enter any such data into the Services or an associated application.
5. PERSONAL DATA BREACH RESPONSE.
Upon becoming aware of a Personal Data Breach, Novity will investigate the cause of the incident, notify Customer promptly and without undue delay and will provide non-privileged, non-confidential, non-proprietary information relating to the Personal Data Breach as reasonably requested by Customer. Novity will use reasonable efforts to assist Customer in mitigating, where possible, the adverse effects of any Personal Data Breach.
6. AUDIT REPORTS.
Novity audits its compliance against data protection and information security standards on a regular basis. Upon Customer's written request, and subject to obligations of confidentiality, within thirty (30) business days of such a request and no more than once per calendar year, Novity will make available to Customer a summary of its most recent relevant audit report and/or other documentation reasonably required by Customer which Novity makes generally available to its customers, so that Customer can verify Novity's compliance with this DPA.
7. DATA TRANSFERS AND EXPORTS.
- Data Transfers. Novity may transfer and process Personal Data to and in other locations around the world where Novity or its Sub-processors maintain data processing operations as necessary to provide the Services as set forth in the Agreement.
- Data Transfers from the EEA, UK and Switzerland. The parties acknowledge that Novity transfers data to third countries pursuant to the Standard Contractual Clauses attached hereto.
- Standard Contractual Clauses. This DPA hereby incorporates by reference the Standard Contractual Clauses (“SCCs”) for data controller to data processor transfers approved by the European Commission pursuant to the GDPR, and which are attached to this Agreement as Schedule 1. The Parties agree that the SCCs will apply to Personal Data that is transferred from the EEA, UK and Switzerland to outside of these geographies, and specifically, either directly or via onward transfer, to the United States. Data Controller/Customer’s and Data Processor/Novity’s execution of the Agreement shall be deemed their execution of this DPA and the SCCs, and they thereby acknowledge that (i) Data Controller is the “data exporter” and Data Processor is the “data importer,” and (ii) Schedule 1 and the attachments and annexes thereto constitute the SCCs applicable to Personal Data under the Agreement.
8. DELETION OF DATA.
Within no more than 90 days following expiration or termination of the Agreement, Novity will delete or (if requested by Customer and required by law) return to Customer all Personal Data in Novity’s possession as set forth in the Agreement except to the extent Novity is required by applicable law to retain some or all of the Personal Data (in which case Novity will archive the data and implement reasonable measures to prevent the Personal Data from any further processing). The terms of this DPA will continue to apply to that retained Personal Data.
- Data Protection Requests. If Novity receives any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement, including requests from individuals seeking to exercise their rights under Data Protection Laws, where Novity is able to associate the data subject with Customer, Novity will promptly redirect the request to the Customer. In such case, Novity will not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so. If Novity is required to respond to such a request, Novity will promptly notify Customer and provide Customer with a copy of the request, unless legally prohibited from doing so.
- Customer Requests. Novity will reasonably cooperate with Customer, at Customer's expense, to permit Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement. Customer shall first use reasonable endeavors to access the relevant Personal Data in their use of the Services, to facilitate their response.
- DPIAs and Prior Consultations. To the extent required by Data Protection Laws, Novity will, upon reasonable notice and at Customer's expense, provide reasonably requested information regarding the Services to enable Customer to carry out data protection impact assessments (“DPIAs”) and/or prior consultations with data protection authorities.
- Legal Disclosure Requests. If Novity receives a legally binding request for the disclosure of Personal Data which is subject to this DPA, it will notify all pertinent parties of such action (a) that as between the parties, the Personal Data requested is Customer’s sole property, and (b) Customer is solely responsible for the disposition of such Personal Data including in response to such request. Where legally permissible, Novity will promptly notify Customer and provide Customer with a copy of the request.
- Relationship with Agreement. Any claims brought under this DPA against Novity will be subject to the terms and conditions of the Agreement, including the exclusions and limitations set forth in the Agreement.
- Conflicts. In the event of any conflict between this DPA and any privacy-related provisions in the Agreement, the terms of this DPA will prevail. The SCCs shall prevail over the body of this DPA in the event of a conflict.
- Modification and Supplementation. Novity may modify the terms of this DPA as provided in the Agreement, in circumstances such as (i) if required to do so by a supervisory authority or other government or regulatory entity, (ii) if necessary to comply with Data Protection Laws, or (iii) to implement or adhere to updated standard contractual clauses, approved codes of conduct or certifications, or other compliance mechanisms, which may be made or permitted under Data Protection Laws. Supplemental terms may be added as an Annex or Appendix to this DPA where such terms only apply to the processing of Personal Data under the Data Protection Laws of specific jurisdictions. Novity will provide notice of such changes to Customer, and the modified DPA will become effective, in accordance with the terms of the Agreement or as otherwise provided on Novity’s website if not specified in the Agreement.