Latest version: DPA vSeptember22 Nexthink 110.8
This Cloud Data Processing Addendum (“DPA”) supplements the Agreement by and between Customer and Nexthink for the sole purpose of reflecting the Parties’ agreement with regard to the processing of personal data by Nexthink and the requirements of relevant privacy and data protection laws.
WHEREAS the Parties (or their respective Affiliates) have entered into a Master Services Agreement or similar agreement (the “Agreement”), for the provision of the Nexthink Cloud Services (the “Services”);
WHEREAS in connection with such services, Nexthink and its Affiliates will Process certain Personal Data on behalf of Customer;
THEREFORE, the Parties agree to enter into the terms of this DPA, in furtherance of, and without relieving, removing or replacing, a Party’s obligations or rights under the Data Protection Laws.
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq.;
“Data Protection Laws” means the relevant data protection and data privacy laws, rules and regulations to which Nexthink’s Processing of Personal Data within the Services (for Customer) is subject, specifically Swiss Data Protection Act, the GPDR and the CCPA;
“GDPR” means the EU General Data Protection Regulation 2016/679, including as incorporated into UK law;
“Nexthink Data Processing Schedule” means the schedule of processing found at the Nexthink Site as may be amended from time to time and the most current version of which is annexed hereto;
“Nexthink Site” means Nexthink’s public site and/ or Trust Center and/or community site;
“Standard Contractual Clauses” means standard contractual clauses for international transfer approved by the European Commission, UK ICO or Swiss FDPIC, as applicable.
The following terms shall have the meaning as set forth in the GDPR, and cognate terms shall be constructed accordingly: “Data Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processor”, “Process”, and “Supervisory Authority”. Capitalized Terms, not defined herein, shall have the meanings ascribed thereto in the Agreement.
2. Relationship between the Parties and Nature of Processing
(i) Where Nexthink, including its Affiliates, Processes any Personal Data on the Customer’s behalf when performing its obligations under the Agreement, the Customer is the Controller and Nexthink is the Processor for the purposes of the Data Protection Laws.
(ii) The Nexthink Data Processing Schedule sets forth the agreed subject matter of the Processing, the nature and purpose of Processing, the duration of the processing, the types of Personal Data and categories of data subject and any direct sub-processors, memorializing the instructions required by Section 4.
(iii) Without prejudice to the generality of this Section 2, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable the lawful and permitted Processing of the Personal Data by Nexthink, for the duration and purposes of the Agreement so that Nexthink may lawfully and with sufficient permission Process the Personal Data in accordance with the Agreement on the Customer’s behalf.
(i) Each Party shall ensure that it has in place appropriate technical and organizational measures, to protect against a Personal Data Breach, appropriate to the harm that might result from such Personal Data Breach, having regard to the state of technological development and the cost of implementing any measures.
(ii) Without limiting the foregoing, the Parties may agree specific technical and organizational measures in an Information Security Addendum (“ISA”), which shall form part of the Agreement or which shall be made available at the Nexthink Site, as may be applicable to Customer. Nexthink applies its technical and organizational measures to Nexthink’s entire customer base receiving the same Services. Nexthink may change the measures at any time without notice so long as it maintains a comparable or better level of security. Individual measures may be replaced by new measures that serve the same purpose without diminishing the security level protecting Personal Data.
(i) Nexthink will Process the Personal Data only in accordance with documented instructions from Customer. The Agreement (including this DPA) constitutes such documented initial instructions, and Customer may provide further instructions during the performance of the Services. Nexthink will use reasonable efforts to follow any other Customer instructions, as long as they are required by Data Protection Laws, technically feasible and do not require changes to the performance of the Services. If any of the aforementioned exceptions apply, or Nexthink otherwise cannot comply with an instruction or is of the opinion that an instruction infringes Data Protection Laws, Nexthink will promptly notify Customer.
(ii) Where Nexthink is relying on Data Protection Laws as the basis for Processing the Personal Data, Nexthink shall promptly notify the Customer of this before performing the Processing required by the Data Protection Laws unless those applicable laws prohibit Nexthink from so notifying the Customer.
(iii) For the avoidance of doubt and without limiting any restrictions set forth herein, Nexthink must not use any Personal Data for any direct or indirect marketing purposes.
To Process the Personal Data, Nexthink and its sub-processors shall only grant access to authorized personnel who have committed themselves to confidentiality.
(i) Taking into account the nature of the Processing and the information available to Nexthink, Nexthink shall provide reasonable assistance to the Customer in ensuring compliance with its obligations under the Data Protection Laws with respect to data protection impact assessments, transfer impact assessments, Personal Data Breach notifications and consultations with Supervisory Authorities or regulators.
(ii) Nexthink shall assist the Customer in fulfilling its obligations to respond to Data Subjects’ requests to exercise their rights, taking into account the nature of the Processing hereunder. Nexthink shall notify the Customer without undue delay in writing of any request Nexthink has received from a Data Subject. Nexthink shall not respond to the request itself, unless authorized to do so by the Customer.
7. Personal Data Breach Notification
(i) Without limiting the requirements of an effective ISA, at a minimum, Nexthink shall notify the Customer in accordance with Data Protection Laws, and in any case without undue delay, on becoming aware of a Personal Data Breach affecting Personal Data Processed on behalf of the Customer. Such notification shall not be interpreted or construed as an admission of fault or liability by Nexthink.
(ii) Nexthink shall cooperate with the Customer as necessary to mitigate or remediate the Personal Data Breach.
(iii) Nexthink shall cooperate with the Customer and take such commercially reasonable steps as are directed by the Customer to assist in the investigation, mitigation, and remediation of any such Personal Data Breach under the applicable Data Protection Laws. To the extent that Customer has additional rights or obligations under the Agreement or an effective ISA, consistent with Data Protection Laws, then terms of these shall not limit the scope or effectiveness of such corollary provisions.
8. Data Deletion
On the written instructions of the Customer, and insofar as is reasonable (or then maintained by Nexthink), Nexthink shall return the Personal Data to the Customer in a structured, commonly used and machine-readable format within 30 days following the expiration or termination of the Agreement. In the event that no such instruction has been given, Nexthink shall delete the Personal Data and any copies thereof at the end of the Agreement, except for Personal Data that Nexthink is required to store pursuant to applicable law and/or automated routine back-ups of customer data that may include Personal Data; such backups may be retained in accordance with the retention policy of Nexthink, provided that Personal Data therein remains subject to the obligations contained in this DPA.
Nexthink shall maintain complete and accurate records and information to demonstrate its compliance with this DPA. Without limiting the requirements of an effective ISA, at a minimum, Nexthink shall regularly assess, at least once a year, the conformity and adequacy of its technical and organizational security measures and be in a position to demonstrate their actual implementation and effectiveness, as well as its compliance with its own security policies, by submitting its IT system to regular tests and audits performed by independent auditors. Subject to the terms of the Agreement, during the term of the Agreement and upon Customer’s reasonable prior written request, no more than once annually, Nexthink shall provide Customer with those non-confidential portions of any audit reports prepared by, and authorized for disclosure by, Nexthink’s independent auditors.
(i) To the extent applicable to the Services used by Customer, the Customer consents to Nexthink’s appointment of the sub-processors listed in the Nexthink Data Processing Schedule to Process the Personal Data under this DPA and the Agreement. The Customer confirms it has given Nexthink prior written general authorization to amend the Nexthink Data Processing Schedule in accordance herewith.
(ii) Nexthink confirms that it has entered into, or will enter into as the case may be, written agreements with its sub-processors that are substantially similar to the terms set out in this DPA. As between the Customer and Nexthink, Nexthink shall remain fully liable for all acts or omissions of any third-party sub-processor appointed by it pursuant to this DPA.
(iii) Where Nexthink intends to amend the Nexthink Data Processing Schedule, Nexthink will provide no less than thirty (30) days’ prior email notice of the appointment of any new sub-processor to the Customer. In the event the Customer raises an objection based on reasonable grounds relating to data protection to such new sub-processor, Nexthink will use reasonable efforts to make available to the Customer a change in the Services or recommend a commercially reasonable change to the Customer’s configuration or use of the Services to avoid processing of Personal Data by the objected-to new sub-processor without unreasonably burdening the Customer. If Nexthink is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, the Customer may terminate the applicable order form(s) with respect only to those Services which cannot be provided by without the use of the objected-to new sub-processor by providing written notice to Nexthink.
11. International Data Transfers
(i) Where required by Data Protection Laws, Nexthink agrees to enter into Standard Contractual Clauses or any equivalent agreement with Customer or other relevant entity or to provide other appropriate safeguards in order to legalize the transfer of Personal Data to a third country.
(ii) Where Nexthink engages a sub-processor in accordance with Section 10 or its Affiliates, and such engagement involves an international transfer of Personal Data, Nexthink shall take such measures as are necessary to ensure the transfer is in compliance with Data Protection Laws.
12. Data Access by Third-Country Authorities
(i) In the event that Nexthink receives a legally binding request by a public authority under the laws of a third country or if Nexthink becomes aware of any direct access to the Personal Data by a public authority of a third country, Nexthink shall notify the Customer without undue delay. Such notification shall include all information about the request or data access available to Nexthink.
(ii) In the case that Nexthink is prohibited from notifying the Customer, Nexthink agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicate as much information to the Customer and as soon as possible. Nexthink agrees to document its efforts in order to be able to demonstrate them upon request of the Customer.
(iii) Nexthink shall document its internal process for addressing such requests and direct data access in a written policy and make the policy available to the Customer.
13. California Consumer Privacy Act
To the extent that Customer Data comprises Personal Data, it is hereby acknowledged that Nexthink is acting as a “Service Provider” (pursuant to CCPA) on behalf of Customer. Nexthink shall: (i) process the Customer Data that is Personal Data only on Customer's instructions (including in accordance with the Agreement and this DPA) the Data Protection Law and/or such other Applicable Laws binding on Nexthink; (ii) take appropriate technical, organizational and security measures against unauthorized access to or unauthorized alteration, disclosure, destruction or loss of such Personal Data, (iii) take reasonable steps to ensure that employees and/or subcontractors used by Nexthink to provide the Services are aware of and are suitably instructed in such technical, organizational and security measures, (iv) unless prevented by applicable law, promptly refer to Customer any requests, notices or other communication from data subjects or a data protection authority, and (v) not “sell” any Personal Data, as that term, and its cognates, are defined under the CCPA.