This Data Processing Addendum (“Addendum”) is by and between the customer that electronically accepts or otherwise agrees or opts-in to this DPA (“Customer”), and Nook Technologies, Inc., a Canadian corporation (“Nook”) (collectively referred to as the “Parties”), sets forth the terms and conditions relating to the privacy, confidentiality and security of Personal Data (as defined below) associated with services to be rendered by Nook to Customer.
Whereas, Customer or its employees, agents, consultants or contractors (collectively, “Customer Personnel”) shall provide Nook with access to Personal Data in connection with certain services performed by Nook for or on behalf of Customer pursuant to the Master Agreement; and
Whereas, Customer requires that Nook preserve and maintain the privacy, confidentiality and security of such Personal Data.
Now therefore, in consideration of the mutual covenants and agreements in this Addendum and the Master Agreement and for other good and valuable consideration, the sufficiency of which is hereby acknowledged, Customer and Nook agree as follows:
- (B) “Data Controller” means a person who alone or jointly with others determines the purposes and means of the Processing of Personal Data.
- (C) “Data Processor” means a person who Processes Personal Data on behalf of the Data Controller.
- (D) “Data Security Measures” means technical and organizational measures that are aimed at ensuring a level of security of Personal Data that is appropriate to the risk of the Processing, including protecting Personal Data against accidental or unlawful loss, misuse, unauthorized access, disclosure, alteration, destruction, and all other forms of unlawful Processing, including measures to ensure the confidentiality of Personal Data.
- (E) “Data Subject” means an identified or identifiable natural person to which the Personal Data pertain.
- (F) “Instructions” means this Addendum and any further written agreement or documentation through which the Data Controller instructs the Data Processor to perform specific Processing of Personal Data
- (G) “Notification Related Costs” means Customer’s and its affiliates’ internal and external costs associated with investigating, addressing and responding to a Personal Data Breach, including but not limited to: (i) preparation and mailing or other transmission of any notifications or other communications to customers, potential customers, clients, employees, agents or others as Customer deems reasonably appropriate; (ii) establishment of a call center or other communications procedures in response to such Personal Data Breach (e.g., customer service FAQs, talking points and training); (iii) public relations and other similar crisis management services; (iv) legal, accounting, consulting and forensic expert fees and expenses associated with the Customer’s and its affiliates’ investigation of and response to such Personal Data Breach; and (v) costs for commercially reasonable credit monitoring, identity protection services or similar services that Customer determines are advisable under the circumstances.
- (H) “Personal Data” means any information relating to an identified or identifiable natural person Processed by Nook in accordance with Customer’s Instructions pursuant to this Addendum; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- (I) “Personal Data Breach” a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
- (J) “Process”, “Processed”, or “Processing” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- (K) “Sub-Processor” means the entity engaged by the Data Processor or any further Sub-Processor to Process Personal Data on behalf and under the authority of the Data Controller.
II. Roles and Responsibilities of the Parties
- (A) The Parties acknowledge and agree that Customer is acting as a Data Controller, and has the sole and exclusive authority to determine the purposes and means of the Processing of Personal Data Processed under this Addendum, and Nook is acting as a Data Processor on behalf and under the Instructions of Customer.
- (B) Any Personal Data will at all times be and remain the sole property of Customer and Nook will not have or obtain any rights therein.
III. Obligation of Nook
Nook agrees and warrants to:
- (A) Process Personal Data disclosed to it by Customer only on behalf of and in accordance with the Instructions of the Data Controller and Annex  of this Addendum, unless Nook is otherwise required by Applicable Law, in which case Nook shall inform Customer of that legal requirement before Processing the Personal Data, unless informing the Customer is prohibited by law on important grounds of public interest. Nook shall immediately inform Customer if, in Nook’s opinion, an Instruction provided infringes Applicable Law.
- (B) Hold in strict confidence (i) the existence and terms of the Master Agreement (including this Addendum), and any related agreement, and (ii) any and all Personal Data.
- (C) Ensure that any person authorized by Nook to Process Personal Data in the context of the Services is only granted access to Personal Data on a need-to-know basis, is subject to a duly enforceable contractual or statutory confidentiality obligation, and only processes Personal Data in accordance with the Instructions of the Data Controller.
- (D) Not transfer Personal Data outside the country from which Customer or its Personnel originally delivered to Nook, or from which Nook otherwise accessed or obtained such Personal Data or, if it was originally delivered to a location inside the European Economic Area (“EEA”) or Switzerland, outside the EEA or Switzerland), for Processing without the explicit written consent of Customer (where such consent is deemed to have been granted in respect of the jurisdictions listed in Annex 1). Nook shall enter into any written agreements as are necessary (in Customer’s reasonable determination) to comply with Applicable Law concerning any cross-border transfer of Personal Data, whether to or from Nook.
- (E) Inform Customer promptly and without undue delay of any formal requests from Data Subjects exercising their rights of access, correction or erasure of their Personal Data, their right to restrict or to object to the Processing as well as their right to data portability, and not respond to such requests, unless instructed by the Customer in writing to do so. Taking into account the nature of the Processing of Personal Data, Nook shall assist Customer, by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer’s obligations to respond to a Data Subject’s request to exercise their rights with respect to their Personal Data.
- (F) Notify Customer immediately in writing of any subpoena or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of Personal Data. Customer shall have the right to defend such action in lieu of and on behalf of Nook. Customer may, if it so chooses, seek a protective order. Nook shall reasonably cooperate with Customer in such defence.
- (G) Provide reasonable assistance to Customer, at Customer’s cost, in complying with Customer’s obligations under Applicable Law.
- (H) Maintain internal record(s) of Processing activities, copies of which shall be provided to Customer by Nook or to supervisory authorities upon request. Such records must contain at least: (i) the name and contact details of Nook; (ii) the categories of Processing activities carried out under this Addendum; (iii) information on data transfers to a third country or a third party, where applicable; and (iv) a general description of the Data Security Measures implemented to protect Personal Data Processed under this Addendum.
- (A) Nook shall not share, transfer, disclose, make available or otherwise provide access to any Personal Data to any third party, or contract any of its rights or obligations concerning Personal Data, unless Customer has authorized Nook to do so in writing. Where Nook, with the consent of Customer, provides access to Personal Data to a third party, Nook shall enter into a written agreement with each such third party that imposes obligations on the third party that are the same as those imposed on Nook under this Addendum. Nook shall only retain third parties that are capable of appropriately protecting the privacy, confidentiality and security of the Personal Data.
V. Compliance with Applicable Laws
- (A) Nook shall comply with all Applicable Laws.
- (B) Nook represents and warrants that no Applicable Law, or legal requirement, or privacy or information security enforcement action, investigation, litigation or claim prohibits Nook from fulfilling its obligations under this Addendum.
- (C) Nook shall in good faith negotiate any further data Processing agreement reasonably requested by Customer for purposes of compliance with the Applicable Law. In case of any conflict between this Addendum and the Master Agreement, this Addendum shall prevail with regard to the Processing of Personal Data covered by it.
VI. Data Security
- (A) Nook shall develop, maintain and implement a comprehensive written information security program that complies with Applicable Law including, but not limited to, the Data Security Measures described in Annex 2 of this Addendum. Nook’s information security program shall include appropriate administrative, technical, physical, organizational and operational safeguards and other security measures designed to (i) ensure the security and confidentiality of Personal Data; (ii) protect against any anticipated threats or hazards to the security and integrity of Personal Data; and (iii) protect against any Personal Data Breach, including, as appropriate:
- The pseudonymisation and encryption of the Personal Data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
- The ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident; and
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures adopted pursuant to this provision for ensuring the security of the Processing.
- Nook shall adopt all reasonable recommendations Customer may make concerning Data Security Measures, programs and procedures to ensure ongoing compliance with this Addendum provided, however, that any material changes to Customer’s requirements shall be Processed through the Change Control Procedures.
- (B) Nook shall supervise Nook personnel to the extent required to maintain appropriate privacy, confidentiality and security of Personal Data. Nook shall provide training, as appropriate, regarding the privacy, confidentiality and information security requirements set forth in this Addendum to all Nook personnel who have access to Personal Data.
- (C) Promptly upon the expiration or earlier termination of the Master Agreement, or such earlier time as Customer requests, Nook shall return to Customer or its designee, or at Customer’s request, securely destroy or render unreadable or undecipherable if return is not reasonably feasible or desirable to Customer (which decision shall be based solely on Customer’s written statement), each and every original and copy in every media of all Personal Data in Nook’s, its affiliates’ or their respective subcontractors’ possession, custody or control. Promptly following any return or alternate action taken to comply with this Clause VI(C), Nook shall provide to Customer a completed certificate certifying that such return or alternate action occurred. In the event applicable law does not permit Nook to comply with the delivery or destruction of the Personal Data, Nook warrants that it shall ensure the confidentiality of the Personal Data and that it shall not use or disclose any Personal Data after termination of this Addendum.
VII. Data Breach Notification
- (A) Nook shall immediately inform Customer in writing of any Personal Data Breach of which Nook becomes aware, but in no case longer than twenty four (24) hours after it becomes aware of the Personal Data Breach. The notification to Customer shall include all available information regarding such Personal Data Breach, including information on:
- The nature of the Personal Data Breach including where possible, the categories and approximate number of affected Data Subjects and the categories and approximate number of affected Personal Data records;
- The likely consequences of the Personal Data Breach; and
- The measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
- Nook shall promptly take all necessary and advisable corrective actions, and shall cooperate fully with Customer in all reasonable and lawful efforts to prevent, mitigate or rectify such Breach. Nook shall provide such assistance as required to enable Customer to satisfy Customer’s obligation to notify the relevant supervisory authority and Data Subjects of a personal data breach under Articles 33 and 34 of the GDPR. The content of any filings, communications, notices, press releases or reports related to any Personal Data Breach must be approved by Customer prior to any publication or communication thereof. Nook shall be responsible for the costs and expenses associated with the performance of its obligations described in this paragraph, unless the Personal Data Breach is caused by the acts or omissions of Customer or its affiliates.
- (B) In the event of a Personal Data Breach involving Personal Data in Nook’s possession, custody or control or for which Nook is otherwise responsible, Nook shall reimburse Customer on demand for all commercially reasonable Notification Related Costs incurred by Customer arising out of or in connection with any such Personal Data Breach.
Nook shall on written request (but not more than once per year, other than in the event of a breach) make available to Customer all information necessary to demonstrate compliance with the obligations set forth in this Addendum and, at the Customer’s expense, allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer. Upon prior written request by Customer (provided that it shall be not more than once per year other than in the event of a breach), Nook agrees to cooperate and, within reasonable time, provide Customer with: (a) audit reports and all information necessary to demonstrate Nook’s compliance with the obligations laid down in this Addendum; and (b) confirmation that the audit has not revealed any material vulnerability in Nook’s systems, or to the extent that any such vulnerability was detected, that Nook has fully remedied such vulnerability. Nook’s failure to comply with this obligation shall entitle Customer to suspend the Processing of Personal Data Processed by Nook, and to terminate any further Processing of Personal Data, this Addendum and/or the Master Agreement, if doing so is required to comply with Applicable Law.
IX. Injunctive Relief
Nook agrees that any Processing of Personal Data in violation of this Addendum, Customer’s Instructions or any Applicable Law, or the occurrence of any Personal Data Breach, will cause immediate and irreparable harm to Customer for which money damages will not constitute an adequate remedy. Therefore, Nook agrees that Customer may seek and be granted specific performance and injunctive or other equitable relief for any such violation or incident, in addition to its remedies at law, without proof of actual damages.
Nook agrees to indemnify and hold Customer harmless from and against any direct damages, fines, costs or expenses that it may incur or that arise out of or in connection with a third party claim relating to any violation of this Addendum.
XI. Governing Law
To the extent required by Applicable Law, this Addendum shall be governed by the law of Quebec, Canada. In all other cases, this Addendum shall be governed by the laws of the jurisdiction specified in the Agreement.
Annex 1: Scope of the data processing
This Annex forms part of the Data Processing Addendum between Customer and Nook.
The Processing of Personal Data concerns the following categories of Data Subjects:
- Customer users
The Processing concerns the following categories of Personal Data:
- Customer users login information and usage within the Nook platform
The Processing concerns the following categories of Sensitive Data:
- Sensitive Data means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, data concerning health, sex life or sexual orientation.
The Processing concerns the following categories of data Processing activities (i.e., purposes of Processing):
- Purpose of processing Customer user login and Nook platform solely to provide the Nook services.
Nook uses the following Sub-Processors:
- AWS, Google Cloud, Atlas MongoDB
Nook may transfer and process personal information to and in the following jurisdictions outside of the EU:
- Canada, United States
Annex 2: Data security measures
This Annex forms part of the Data Processing Addendum between Customer and Nook. Taking into account the state of the art, the costs of implementation and the nature, scope, content and purpose of the Processing, Nook agrees to implement the following Data Security Measures:
I. Physical Access Control
Technical and organizational measures to prevent unauthorized persons from gaining access to the data Processing systems available in premises and facilities (including databases, application servers and related hardware), where Personal Data are Processed, including:
- Establishing security areas, restriction of access paths;
- Establishing access authorizations for employees and third parties;
- Access control system (ID reader, magnetic card, chip card);
- Key management, card-keys procedures;
- Door locking (electric door openers etc.);
- Security staff, janitors;
- Surveillance facilities, video/CCTV monitor, alarm system;
- Securing decentralized data Processing equipment and personal computers.
II. Logical Access Control
Technical and organizational measures to prevent data Processing systems from being used by unauthorized persons, including:
- User identification and authentication procedures;
- ID/password security procedures (special characters, minimum length, change of password);
- Automatic blocking (e.g., password or timeout);
- Monitoring of break-in-attempts and automatic turn-off of the user ID upon several erroneous passwords attempts;
- Creation of one master record per user, user master data procedures, per data Processing environment;
- Encryption and Pseudonymisation.
III. Data Access Control
Technical and organizational measures to ensure that persons entitled to use a data Processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization, including:
- Internal policies and procedures;
- Control authorization schemes;
- Differentiated access rights (profiles, roles, transactions and objects);
- Monitoring and logging of accesses;
- Disciplinary action against employees who access personal data without authorization;
- Reports of access;
- Access procedure;
- Change procedure;
- Deletion procedure;
- Encryption and Pseudonymisation.
IV. Disclosure Control
Technical and organizational measures to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed, including:
- Transport security;
- Encryption and Pseudonymisation.
V. Entry Control
Technical and organizational measures to monitor whether data have been entered, changed or removed (deleted), and by whom, from data Processing systems, including:
- Logging and reporting systems;
- Audit trails and documentation.
VI. Control of Instructions
Technical and organizational measures to ensure that Personal Data are Processed solely in accordance with the Instructions of the Controller, including:
- Unambiguous wording of the contract;
- Formal commissioning (request form);
- Criteria for selecting the Processor.
VII. Availability Control
Technical and organizational measures to ensure that Personal Data are protected against accidental destruction or loss (physical/logical), including:
- Backup procedures;
- Mirroring of hard disks;
- Uninterruptible power supply;
- Remote storage;
- Anti-virus/firewall systems;
- Disaster recovery plan.
VIII. Separation Control
Technical and organizational measures to ensure that Personal Data collected for different purposes can be Processed separately, including:
- Separation of databases;
- “Internal client” concept / limitation of use;
- Segregation of functions (production/testing);
- Procedures for storage, amendment, deletion, transmission of data for different purposes.