This Data Processing Agreement (“DPA”) forms a part of the Master Services Agreement or the Terms and Conditions of Service and Use, as applicable (hereinafter referred to as the “Agreement”) and is entered into by and between NUSO LLC (“NUSO” on its own behalf and on behalf of each NUSO Affiliate) and Customer as provided in the Agreement (“Customer” on its own behalf and on behalf of each Affiliate of Customer, also referred to as “Customer Group Companies”) (each a “Party” and collectively the “Parties”).
The terms used in this DPA shall have the meanings set forth herein. Terms not otherwise defined herein shall have the meaning given to them in the Agreement, unless such term has a specific meaning under Data Protection Law (as defined below), in which case the definition under Data Protection Law shall control. Except as modified herein, the terms of the Agreement shall remain in full force and effect.
In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement.
Definitions
In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
“Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with a Party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
“Applicable Law” means any applicable law, whether or not a Data Protection Law, with respect to Personal Information or the Parties.
“Controller” shall have the meaning ascribed to it by Data Protection Law or, if there is no such definition in Data Protection Law, it means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Information.
“Data Protection Law” means state and international comprehensive data protection laws, including, but not limited to (a) the European Union (“EU”) General Data Protection Regulation (“GDPR”), European Economic Area (“EEA”) laws, and EU Member State laws with respect to Personal Information and equivalent requirements/regulation/guidance, including the equivalent requirements in the United Kingdom, the Data Protection Act 2018 (“UK Data Protection Law”); (b) the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020, Cal. Civ. Code § 1798.100 et seq. (collectively, “CCPA”), and similar or other state data protection laws, including, but not limited to, those of Colorado, Connecticut, Virginia, and Utah, applicable upon their effective dates; (c) other applicable, comprehensive data protection laws with respect to any Personal Information Processed under the Agreement, including, but not limited to, the laws of Brazil, South Africa, and Switzerland. Unless specifically described in this DPA, Data Protection Law shall NOT include laws or requirements for non-comprehensive, industry-specific categories of Personal Information (e.g. Personal Information regulated by the Health Insurance Portability and Accountability Act (“HIPAA”), the Gramm-Leach-Bliley Act (“GLBA”), or the Payment Card Industry Standards (“PCI”)).
“Data Subject” means any identified or identifiable natural person as defined by Data Protection Law.
“EU Standard Contractual Clauses” means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
“Personal Information” means any Personal Information, as defined by the applicable Data Protection Law (also known as Personal Data or Personally Identifiable Information (“PII”)), including any sensitive or special categories of data, that is Processed under or in connection with this Agreement.
“Process” (including “process,” “processing,” and associated terms) means any operation or set of operations which is performed upon Personal Information or sets of Personal Information whether or not accomplished by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, and as defined by Applicable Law.
“Processor” shall have the meaning ascribed to it by Data Protection Law or, if there is no such definition in Data Protection Law, it means a natural or legal person, public authority, agency or other body which Processes Personal Information on behalf of the Controller.
“SCCs” means the EU Standard Contractual Clauses and the UK Addendum collectively.
“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information.
“Subprocessor” means any person (including any third party, but excluding personnel of NUSO) appointed by or on behalf of NUSO to Process Personal Information in connection with the Agreement.
The other capitalized and non-capitalized terms used in the DPA shall have the same meaning as in Data Protection Law, and their cognate terms shall be construed accordingly.
Roles of the Parties
The Parties agree that, for the purpose of Data Protection Law, Customer is the Controller and NUSO is the Processor in relation to the Processing of Personal Information and that such terms will have the meanings accorded to them pursuant to applicable Data Protection Law.
Where Data Protection Law does not specifically utilize the terms Controller and Processor, the Parties shall be defined by the roles aligning with the cognate terms for Controller and Processor under the particular, applicable Data Protection Law.
For purposes of this DPA, where Customer acts as Processor for another Controller, it shall in relation to NUSO be deemed as an independent Controller with the respective Controller rights and obligations under this DPA.
Customer shall act as a single point of contact for all Affiliates and/or all other Controllers for which it is a Processor as described in Section 2.3 (“Other Controllers”). In such circumstances, Customer shall obtain all relevant authorizations, consents, and/or permissions from such Other Controllers where required. When NUSO informs or gives notice to Customer, such information or notice is deemed to be received by those Other Controllers, and Customer shall be responsible for forwarding such information or notice to the Other Controllers.
Mutual Assurance of Compliance
Each Party acknowledges and confirms that it will observe all applicable requirements of Data Protection Law and the terms of this DPA in relation to its Processing of Personal Information and shall provide the same level of privacy protection as required by Data Protection Laws.
Customer and NUSO shall be separately responsible for conforming with such statutory data protection provisions as are applicable to each of them, and nothing in the DPA shall relieve a Party of its own statutory obligations.
Obligations of NUSO
NUSO shall:
Process Personal Information only on documented instructions from Customer (as reflected in the Agreement or other written or verbal communication);
Inform Customer if, in its opinion, an instruction given by Customer infringes on an applicable Data Protection Law;
Inform Customer if it (i) is unable to comply with Customer’s instructions; (ii) is unable to meet its obligations under the Agreement or this DPA; or (iii) is unable to comply with Data Protection Laws;
Ensure that persons authorized to Process Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
Review and implement updates or guidance with respect to new Data Protection Law that is applicable to the Agreement; and
Make available to Customer upon written request, information to demonstrate NUSO’s compliance with its obligations under the Agreement.
For Personal Information subject to the CCPA, NUSO shall:
Not retain, use, or disclose Personal Information for any purpose other than the business purposes specified in the Agreement, including retaining, using, or disclosing it for a commercial purpose other than the business purposes specified in the Agreement or as otherwise permitted under Data Protection Laws;
Not “sell” or “share” Personal Information, as those terms are defined under the CCPA;
Not combine Personal Information it receives from Customer with Personal Information received from other sources unless permitted by Data Protection Laws;
To the extent required by Data Protection Laws, certify it understands these restrictions and obligations and will comply with them.
With regard to any assistance required under this DPA, the SCCs or other Data Protection Law, NUSO agrees to offer reasonable assistance only to the degree to which Customer cannot utilize the self-service options available within the particular NUSO product or services. Any assistance beyond that which is reasonable, taking into account the nature of the Processing and information available to NUSO, shall be at Customer’s sole expense.
NUSO shall notify Customer of any request it receives from a Data Subject. NUSO shall not respond to such request unless authorized to do so by Customer or otherwise required by law. Upon Customer’s reasonable written request, and to the degree to which Customer is unable to fulfill a request without the assistance of NUSO, NUSO shall provide Customer with reasonable cooperation and assistance to enable a response to the Data Subject’s request.
If NUSO receives a legally binding request or inquiry from a public authority or regulator for disclosure of Personal Information, it shall inform Customer of such request, unless prohibited by law. NUSO agrees to provide Customer with reasonable assistance regarding such request, taking into account the nature of the Processing and information available to NUSO.
Customer consents to NUSO engaging Subprocessors to Process Personal Information solely for the purpose of performance under the Agreement. Where NUSO engages a Subprocessor for carrying out specific Processing activities as a part of performance under the Agreement, data protection obligations no less strict than those set out in this DPA shall be imposed on such Subprocessor by way of contract or other legal mechanism.
A list of Subprocessors that may assist NUSO in Processing Personal Information subject to this DPA is provided in Exhibit 3. NUSO will not use additional Subprocessors to Process Personal Information without first providing at least thirty (30) days’ notice to Customer. Customer’s consent shall be deemed given if it does not object in writing within thirty (30) days after receipt of this prior notice.
Obligations of Customer
Customer shall inform NUSO without undue delay and comprehensively about any errors or irregularities, including potential violation of Data Protection Law, related to the Processing of Personal Information detected during the course of the Agreement.
Where required by Data Protection Law, Customer is solely responsible for fulfilling its own notification duties towards a regulator or other authority, including, but not limited to, maintenance of its own record of Processing activity with regard to the Processing under this DPA and the Agreement.
Customer is solely responsible for providing any notices required by Data Protection Law to, and receiving any consents and authorizations required by Data Protection Law from, Data Subjects whose Personal Information is provided by Customer to NUSO.
Customer will ensure the information required to be provided to Data Subjects pursuant to Data Protection Law is made available to relevant Data Subjects in relation to the Processing by NUSO, and the information is in a concise, transparent, intelligible, and easily accessible form, using clear and plain language as required by Data Protection Law. This requirement shall not reduce NUSO’s own obligation to maintain a compliant data privacy notice where required by Data Protection Law, but the existence of a privacy notice from NUSO shall not reduce or replace Customer’s obligation as stated herein.
Customer will not provide NUSO with data regulated by a specific law, other than those addressed by this DPA, without first providing NUSO notice and allowing the Parties to determine if specific, additional contractual terms are needed.
Customer acknowledges, confirms, and represents that, to the extent that it Processes Personal Information:
All Personal Information collected or sourced by it or on its behalf for Processing in connection with this DPA or which is otherwise provided or made available to NUSO shall have been collected or otherwise obtained in compliance with Data Protection Law; and
All instructions given by Customer in respect of the Personal Information shall be in accordance with Data Protection Law.
If Customer receives any complaint, notice, or communication from a regulatory authority which relates to NUSO’s: (i) Processing of the Personal Information; or (ii) potential failure to comply with Data Protection Law, the Customer shall, to the extent permitted by law, promptly forward the complaint, notice, or communication to NUSO and provide NUSO with reasonable cooperation and assistance.
Security and Audit
Taking into account industry standards, the costs associated with those industry standards, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, NUSO shall, in relation to the Personal Information Processed pursuant to the Agreement, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk as outlined in Annex 2. In assessing the appropriate level of security, NUSO shall take account of the risks that are presented by Processing, in particular from a Security Incident (as defined above).
If either Party learns of a Security Incident that could result in a high degree of risk to a Data Subject or reaches the level of required notification as defined in Data Protection Law, that Party shall give notification within a reasonable time to the other Party and the Parties shall cooperatively establish a data breach notification and remediation plan, in compliance with Applicable Law, with the responsibility and cost for such notification and remediation plan being borne according to the Parties’ respective, proportionate responsibility for the Security Incident, subject to any limitation of liability provisions in the Agreement.
A Party’s obligation to report or respond to a Security Incident is not an acknowledgement by that Party of any fault or liability with respect to the Security Incident. To the degree that the Parties have different or separate notification requirements, a Party’s failure to comply with its own notification provisions under Applicable Law, and any liabilities arising therefrom, will not be attributed to the other Party. While NUSO agrees to good-faith cooperation as described herein, nothing in this Section shall be interpreted to obligate NUSO to cooperate or respond to a Security Incident as directed by Customer. NUSO’s response to a Security Incident is based on its own determination regarding the industry standard for such response.
In the event of a Security Incident discovered on NUSO-controlled systems, NUSO will (i) investigate the Security Incident, (ii) provide Customer with information about the Security Incident (including, where possible, the nature of the Security Incident, the Personal Information impacted by the Security Incident, and contact information of an individual at NUSO from whom additional information can be obtained), and (iii) take reasonable steps to mitigate the effects of, and to minimize any damage resulting from, the Security Incident.
At Customer’s written request, NUSO will allow, once per year, an audit to verify NUSO’s compliance with obligations under Data Protection Law and this DPA, to be carried out either (a) by an independent third-party audit firm bound by a duty of confidentiality, selected by Customer and approved by NUSO (which approval will not unreasonably be withheld or delayed) and, where applicable, in agreement with the competent data protection authority, or (b) by a competent government authority. The Parties will agree in advance on the reasonable scope of the audit. Customer will notify NUSO in writing a minimum of 30 days prior to any audit being carried out. Customer will bear all costs of the audit unless the audit is in reaction to a Security Incident caused by NUSO. NUSO may satisfy the requirements of this paragraph by producing a copy of an independent, third-party audit conducted within the 12 months preceding the request.
Customer has the right to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.
International Transfer of Personal Information and the Standard Contractual Clauses
Customer acknowledges that NUSO is a part of a multinational corporation, which may include Affiliates located in a country that has not been found to provide an adequate level of protection under applicable Data Protection Law.
In respect of Personal Information where the GDPR applies and only to the extent applicable, the Parties agree to comply with Module 2 of the SCCs with Customer as Data Exporter and NUSO as Data Importer with the following:
Clause 7, “Docking Clause,” shall not apply;
Clause 9, Option 2 shall apply and the period for prior notice of Subprocessor changes is thirty (30) business days;
Neither Party has engaged an independent dispute resolution body as described in Clause 11, and, as such, the optional provision shall not apply;
The EU Member State applicable for Option 1 of Clause 17 shall be the EU Member State in which a dispute between the Parties arises, or the EU Member State where a Data Subject brings a particular action;
The EU Member State applicable for Clause 18 shall be the EU Member State in which a dispute between the Parties arises, or the EU Member State where a Data Subject brings a particular action;
Annex I of the EU Standard Contractual Clauses is completed with the information in Exhibit 1 to this DPA; and
Annex II of the EU Standard Contractual Clauses is completed with the information in Exhibit 2 to this DPA.
In respect of Personal Information where the Swiss Federal Act on Data Protection (“FADP”) applies, the Parties agree to comply with the obligations of the EU SCCs, Module Two, subject to the following amendments: (i) references in the EU SCCs to the GDPR shall refer to the FADP; (ii) references to specific Articles of the GDPR shall be replaced with the equivalent article of the FADP; (iii) references to “EU”, “Union” and “Member State” shall be replaced with references to Switzerland; (iv) the term “member state” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs; and (v) the EU SCCs shall also protect the data of legal persons until the entry into force of the revised FADP.
In respect of Personal Information where UK Data Protection Law applies, the Parties agree to comply with the obligations of the UK Addendum Tables 1 to 4 in Part 1 of the UK International Data Transfer Addendum, which shall be completed respectively with the information set out in Exhibit 1 of this DPA, and Table 4 in Part 1 shall be deemed completed by selecting “neither party.”
In cases where there is a conflict between the terms of this DPA and the terms of the SCCs as it pertains to a particular Personal Information transfer, the terms of the applicable SCCs shall control.
With regard to transfer of Personal Information pursuant to the SCCs to the United States (“US”):
NUSO confirms that, as of the effective date of this DPA, it has not received any national security data production orders (e.g., pursuant to Section 702 of the Foreign Intelligence Surveillance Act (“FISA Section 702”) or U.S. Presidential Policy Directive 28);
NUSO will resist, to the extent permitted by Applicable Law, a request under FISA Section 702 for surveillance whereby a targeted account is not uniquely identified;
NUSO will use commercially reasonable legal mechanisms to challenge any demands for data access through the national security process that NUSO receives.
With regard to all international transfers of Personal Information, including, but not limited to the herein referenced SCCs:
At such time as the EU Commission, ICO, an EU Supervisory Authority, or other applicable regulator modifies any of the SCCs or implements new SCCs, such SCCs shall apply upon their effective date. The Parties agree that the references and hyperlinks provided herein may be modified to include the new SCCs upon notice by either Party, without the need for subsequent DPA, unless otherwise required by law.
At such time as a country with applicable Data Protection Law establishes standard contractual clauses or similar documents that must be executed between the Parties, such clauses shall apply on their effective date. The Parties agree that this DPA may be modified to include the new standard contractual clauses upon notice to either Party, without the need for subsequent agreement, unless otherwise required by law.
For Data Protection Law similar to the GDPR that requires an agreement for international transfer but does not prescribe standard contractual clauses (e.g. Brazil, South Africa), the Parties agree that this DPA shall provide the required protection and agreement under those Data Protection Laws.
Term and Termination
This DPA shall have the same term as the Agreement.
Upon termination, each Party shall be entitled to keep Personal Information only as may be necessary to fulfill any ongoing purposes or requirements of the Agreement. Any Personal Information no longer needed to fulfill ongoing purposes or requirements defined in the Agreement shall be deleted or returned to the Controller within 90 days by the Party Processing such Personal Information, with appropriate exception for deletion where backup copies of Personal Information are logically deleted on a longer schedule.
Miscellaneous
This DPA inures to the benefit of the Parties only and no third party shall have any rights hereunder, except as otherwise stated herein.
When not executed as an addendum to the Agreement, this DPA may be executed in one or more counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. Where executed as an addendum to the Agreement, the signatures on the Agreement shall be sufficient for execution.
A determination that any provision of the DPA is invalid or unenforceable shall not affect the other provisions of the DPA. In such case the invalid or unenforceable provision shall automatically be replaced by a valid and enforceable provision that comes closest to the purpose of the original provision. The same shall apply if the DPA contains an unintended gap.
Exhibit 1
Description of the Processing and Transferring of Personal Information
A. LIST OF PARTIES
Data exporter(s):
Name: Customer
Address: Address on file with Company
Customer’s designated contact person, (name, position and contact details): As provided in the Agreement
Activities relevant to the data transferred under these Clauses: Performance of the Services in accordance with the Agreement
Signature and date: The Parties agree that execution of the Agreement shall constitute execution of these Standard Contractual Clauses by both Parties.
Role (controller/processor): Controller
Data importer(s):
Name: NUSO LLC
Address: 7777 Bonhomme Ave Suite 1100, Clayton, MO 63105
Contact person’s name, position and contact details: Paul Matte, Chief Operating Officer, paul.matte@nuso.cloud
Activities relevant to the data transferred under these Clauses: Performance of the Services in accordance with the Agreement
Signature and date: The Parties agree that execution of the Agreement shall constitute execution of these Standard Contractual Clauses by both parties.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of Data Subjects whose Personal Information is transferred:
Customer’s employees and authorized users who use the Services in connection with the business of the Customer
Any other individuals who are involved in or referred to in the content of communications or collaborations taking place through the Customer’s use of the Services
Categories of Personal Information transferred:
Customer Service Account Data which may comprise any of the following: name; telephone number; email address; physical address; title; role; profile information; application settings, login credentials (user ID, log in, account, passwords)
Usage data which may comprise any of the following: device information (such as IP address, ISP, device and operating system type, operating system and client version, type of microphone or speakers, connection type and related information, etc.); connection type and related information (e.g., connected over WiFi); system logs, including usage logs, backend logs, client logs; cookie identifiers; communications metadata, including Call Detail Records (CDRs) and traffic data
User generated content which may comprise any of the following: participants’ names or phone numbers; chat messages; text of inbound and outbound faxes; voicemails; text of inbound and outbound SMS/MMS; meeting notes; audio/video streams in transit; meeting or call recordings; content of contact center interactions (e.g., emails, social media posts, call recordings, chat, etc.); transcriptions of recorded calls or meetings; summaries of recorded calls or meetings; meeting history; shared files, pictures, and links; message attachments, such as notes, tasks, events, code snippets, and .gifs; folder creations; search history; online presence and status messages; user feedback
Any other type of Personal Information as needed for the performance of the Services
Sensitive information transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
The Services are not designed to recognize and/or classify data as special categories of data or sensitive data (as defined in applicable Data Protection Laws), nor as Personal Information concerning children or minors, or related to criminal convictions and offenses. Insofar as Customer collects or processes special categories of Personal Information, Customer undertakes to process this category of Personal Data lawfully, and in particular to rely on a valid legal basis in accordance with applicable Data Protection Laws.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Aside from the Customer Service Account Data, the transfer of Personal Information that can be associated with an individual employee of Customer would occur on a one-off basis, and only when required to assist that employee with troubleshooting or the quality of the Services being delivered pursuant to the Agreement.
Nature of the processing:
NUSO processes Customer Personal Information for the purposes of providing and maintaining the Services to which the Customer has subscribed, including any ancillary or related Services under the scope of the Agreement, which may include collection, storage, transmission, recording, transcription, publishing, displaying, retrieval, consultation, combination, structuring, and adaptation.
Purpose(s) of the data transfer and further processing:
To provide the Services as described in the Agreement.
The period for which the Personal Information will be retained, or, if that is not possible, the criteria used to determine that period
The length of the Agreement; or
The above categories of data will not be stored for longer than necessary for the legally permissible purpose(s) for which they were collected and as required under applicable retention policies and/or in accordance with applicable law.
For transfers to sub-processors, also specify subject matter, nature and duration of the processing:
Personal Information shared with sub-processors would be shared on a one-off basis, to provide technical support and quality control associated with the Services described in the Agreement.
In the majority of instances where a sub-processor would receive Personal Information associated with a Customer’s employee, that employee would be participating in a conversation with the sub-processor regarding the Services.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13:
The Supervisory Authority with jurisdiction based on a particular Data Subject’s location and/or the jurisdiction where a dispute arises between the Parties.
Exhibit 2
Technical and Organizational Measures Ensuring the Security of Data
NUSO may use our affiliates or the following third-party Subprocessors to support processing activities on behalf of our Customers in accordance with our Data Processing Agreement and Data Protection Laws.