DATA PROCESSING AGREEMENT
This data processing agreement (“Agreement”), including Annexes 1 and 2, forms part of the Privacy Policy in effect between NextArrow, LLC (“Service Provider”) and you (“Company”) (each individually a “Party” and collectively the “Parties”).
Definitions
The following terms shall have the following meanings.
a. “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with a Party.
b. “Controller” means the Party or Parties to this Agreement that determine(s) the purposes and means of the Processing of Personal Data.
c. “Controller Personal Data” means any Personal Data Processed by a Party under the Agreement in its capacity as a Controller.
d. “Data Protection Law(s)” means all laws and regulations applicable to the Processing of Company Personal Data under the Agreement, including, as applicable, the laws and regulations of the United States, the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, including as applicable the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the California Consumer Privacy Act of 2018 (“CCPA”) and the Brazilian General Data Protection Law (the Lei Geral de Proteção de Dados).
e. “Data Subject” means an identified or identifiable natural person.
f. “Personal Data” shall mean “personal data,” “personal information,” or equivalents as defined in applicable Data Protection Laws. In the absence of applicable Data Protection Laws, “Personal Data” shall mean any information relating, directly or indirectly, to an identified or identifiable natural person.
g. “Process,” “Processes,” “Processing,” or “Processed” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collecting, recording, accessing, releasing, disclosing, making available, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, dissemination or otherwise, aligning or combining, restricting, erasing or destroying.
h. “Processor” means a Party to this Agreement that Processes Personal Data on behalf of Company or Company Affiliates. The term Processor as used herein is equivalent to the term “Processor” as used in the GDPR, and the term “Service Provider” as used in the CCPA.
i. “Sub-processor” means a Processor engaged by a Processor, including NextArrow, to Process Company Personal Data.
j. “Company Data Subject” means the Data Subject whose Company Personal Data is, or will be, Processed.
k. “Company Personal Data” means Company Data Subject Personal Data that is Processed by NextArrow for the purposes described in Annex 1 to this Agreement. For purposes of this Agreement, Company Personal Data does not include the name and contact information of those Company employees who are responsible for interacting with NextArrow, and any Personal Data incidentally received by NextArrow as a result of those interactions.
1. General Terms
1.1. Roles of Parties. The Parties acknowledge and agree that Company is Controller of the Company Personal Data, and that NextArrow is a Processor of such Personal Data.
1.2. Overview of Company Personal Data Processing. NextArrow shall Process Company Personal Data as indicated in Annex 1. The Parties acknowledge and agree that Annex 1 reflects Company’s written instructions regarding the Processing of Company Personal Data.
1.3. Cross-border transfer. If NextArrow’s Processing of Personal Data involves the transfer of Personal Data of Company Data Subjects in the EEA, United Kingdom and/or Switzerland to a country or territory outside of those regions, the Parties hereby incorporate, and agree to comply with, the Standard Contractual Clauses of June 4, 2021 (“SCCs”) approved by the European Commission, Module 2. In such case,
1.3.1. The Parties will complete Annex 1, and agree to Annex 2, of this Agreement in lieu of the Annexes to the SCCs.
1.3.2. The competent supervisory authority for purposes of the SCCs is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
1.3.3. The Parties represent that they do not believe the laws and practices in any country to which Company Personal Data is transferred will prevent NextArrow from fulfilling its obligations under this Agreement or the SCCs.
1.4. Compliance with laws. NextArrow shall comply with applicable laws, rules, self-regulatory requirements, and regulations, including Data Protection Laws, in connection with its Processing of Company Personal Data.
1.5. Limitations and Prohibitions.
1.5.1. NextArrow shall only Process Company Personal Data for the purpose of performing its obligations, and may not use Company Personal Data for any other purpose unless otherwise agreed by the Parties in writing.
1.5.2. NextArrow shall (1) limit access to Company Personal Data to only those employees or agents that require access to perform their roles and responsibilities, and (2) under no circumstances rent, sell or disclose Company Personal Data, except as otherwise allowed under this Agreement.
1.5.3. NextArrow will not combine Company Personal Data with data from any other source, company, organization or entity, unless necessary to perform its obligations. NextArrow will not copy or reproduce Company Personal Data for its own purposes or those of any Sub-processor or other third party.
1.6. Data Security. NextArrow will maintain appropriate measures to protect the integrity, security and confidentiality of all Company Personal Data against any anticipated threats or hazards, and/or unauthorized access to or use of such data, which measures shall include at a minimum those set forth in Annex 2 to this Agreement.
1.7. Data Retention and Deletion
1.7.1. Unless otherwise required by law, NextArrow shall, and shall require any Sub-processor to, destroy or return to Company (at Company’s election) all Company Personal Data in its/their possession, custody and control: (a) upon termination or expiration of the Agreement; (b) upon the winding down or insolvency of the company’s business; (c) once no longer necessary to perform its obligations under the Agreement; or (d) upon request by Company. If NextArrow, or any Sub-processor of NextArrow, is prevented from deleting or destroying any Company Personal Data in these circumstances by applicable law, it shall notify Company in writing and delete or destroy such Company Personal Data once it is no longer prevented from doing so by applicable law. At Company’s request, NextArrow shall provide Company with a written log evidencing the destruction and any retention of Company Personal Data. NextArrow cannot meet the requirements of this paragraph by anonymizing or aggregating Company Personal Data in lieu of destruction or return of such data to Company.
1.8. Data Security Incidents
1.8.1. Notice to Company. NextArrow shall notify Company without undue delay, and, where feasible, not later than seventy-two (72) hours after discovery of an actual or suspected unauthorized access to, or acquisition or disclosure of, Company Personal Data, or other actual or suspected breach of security or confidentiality with respect to Company Personal Data in the possession or control of NextArrow, its representatives, and/or any Sub-processor of NextArrow (a “Data Security Incident”). Such notice shall be sent to the Company persons or team designated to receive such notices.
1.8.2. Third Party Notices. If a Data Security Incident requires notice to any regulator, Data Subject or other third party: (1) NextArrow shall assist Company to provide such notifications if requested by Company; (2) Company shall have sole control over the content, timing and method of distribution of any needed notice, unless otherwise required by applicable law; (3) NextArrow may notify the affected parties only upon Company’s prior written approval and instructions, unless otherwise required by applicable law (in which case NextArrow shall provide Company with a copy of such notice as soon as possible and in all events prior to providing such notice to any regulator, Data Subject or other third party, unless otherwise required by law).
1.8.3. Notice requirements. The notice to Company required under Paragraph 1.8.1 shall include:
(i) a description of the Data Security Incident, including the location, date and time the Data Security Incident occurred and the location, date and time the Data Security Incident was discovered;
(ii) a description of the steps NextArrow has taken, or plans to take, to investigate the Data Security Incident;
(iii) an overview of the affected Company Personal Data, including the types of Company Personal Data and whether the Company Personal Data was encrypted or redacted;
(iv) the number of affected Company Data Subjects and the city, state (if applicable) and country of the Data Subjects;
(v) the expected consequences of the Data Security Incident; and
(vi) a description of the measures NextArrow has taken, or plans to take, to mitigate such consequences.
2. Processor Terms
2.1. Compliance with Company instructions. NextArrow shall only process Company Personal Data pursuant to Company’s written instructions, unless applicable Data Protection Laws require additional processing of Company Personal Data, or prohibit NextArrow’s compliance with such written instructions. In such cases, NextArrow will notify Company of that requirement or prohibition in advance of additional processing, unless prohibited by law from doing so. NextArrow shall respond promptly to inquiries from Company regarding the Processing of Company Personal Data in compliance with this Agreement and Company’s written instructions regarding Processing of Company Personal Data.
2.2. Assistance to demonstrate compliance with laws. NextArrow shall reasonably assist Company to demonstrate compliance with applicable Data Protection Laws, including by responding promptly and adequately to inquiries from Company regarding such compliance.
2.3. Requests or Demands from Governmental or Regulatory Bodies. NextArrow shall inform Company as soon as possible if it receives a request or demand from a governmental or regulatory body with authority over NextArrow or Company relating to NextArrow’s Processing of Company Personal Data, and shall fully cooperate with Company in connection with any response to such request or demand.
2.4. Data Subject Rights. NextArrow shall promptly notify Company of any request by a Company Data Subject to exercise their rights under applicable Data Protection Laws, and reasonably assist Company to fulfill such request. NextArrow shall not respond to such requests, unless instructed by Company to do so.
2.5. Assistance to Company. NextArrow will provide reasonable assistance to Company as necessary for Company to comply with applicable Data Protection Laws, which may include assistance relating to: (a) performance of data protection impact assessments; and (b) keeping Company Personal Data accurate and up-to-date.
2.6. Sub-processors
2.6.1. Permitted Sub-processors. Company and NextArrow agree that NextArrow may engage any Sub-processor to Process Company Personal Data identified in Annex 1 to this Agreement. In the event NextArrow seeks to engage a Sub-processor not identified in Annex 1, NextArrow shall notify Company of its intent to engage such Sub-processor, and the purposes for which it will process Company Personal Data, at least 30 days prior to any Processing of Company Personal Data by the Sub-processor. If Company does not object to such engagement, Company will be deemed to have approved such engagement.
2.6.2. Sub-processor obligations. NextArrow will not permit any Sub-processor to Process Company Personal Data, unless NextArrow and the Sub-processor have entered into an agreement that imposes obligations on the Sub-processor that are no less restrictive and at least equally protective of Company Personal Data than those imposed on NextArrow under this Agreement. Company may request a copy of such agreement between NextArrow and any Sub-processor, and may withhold consent to the use of such Sub-Processor if NextArrow does not provide such agreement or such agreement does not contain sufficient protection of Company Personal Data. NextArrow may redact such agreement prior to sharing with Company to the extent necessary to protect its trade secrets or confidential information.
2.6.3. Sub-processor compliance with Data Protection Laws. NextArrow is responsible for ensuring the compliance of Sub-processors with applicable Data Protection Laws, and with NextArrow’s agreements with Sub-processors consistent with Section
3. Miscellaneous
3.1. Termination and Survival. This Agreement and all provisions herein shall survive so long as, and to the extent that, NextArrow Processes or retains Company Personal Data.
3.2. Counterparts. This Agreement may be executed in any number of counterparts and any Party (including any duly authorized representative of a Party) may enter into this Agreement by executing a counterpart.
3.3. Non-compliance. NextArrow shall promptly inform Company if it is unable to comply with this Agreement. If NextArrow cannot comply within a reasonable period of time, or NextArrow is in substantial or persistent breach of this Agreement or its obligations under this Agreement, Company shall be entitled to terminate the Agreement insofar as it concerns processing of Company Personal Data.
3.4. Ineffective clause. If individual provisions of this Agreement are or become ineffective, the effectiveness of the remaining provisions shall not be affected. The Parties shall replace the ineffective clause with a legally allowed clause, which will accomplish the intended commercial intention as closely as possible.
Annex 1 - Overview of Company Personal Data Processing
1 The countries of the EEA are Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden.
2 Excluding the name and contact information of those Company employees who are responsible for interacting with Company in connection with its performance of its obligations under the Agreement.
Annex 2 - Organizational/Administrative, Physical and Technical Measures
1. Organizational/Administrative Security Measures: NextArrow has implemented, and will maintain and update as appropriate throughout its Processing of Company Personal Data:
1.1. A written and comprehensive information security program in compliance with applicable data protection laws.
1.2. A data loss prevention program that reflects reasonable policies or procedures designed to detect, prevent, and mitigate the risk of data security breaches or identity theft, which shall include at a minimum:
1.2.1. appropriate policies and technological controls designed to prevent loss of Company Personal Data; and
1.2.2. a disaster recovery/business continuity plan that addresses ongoing access, maintenance and storage of Company Personal Data as well as security needs for back-up sites and alternate communication networks.
1.3. Policies and procedures to limit access to Company Personal Data to those who require such access to perform their roles and responsibilities in connection with the Agreement, including regular updates to such access based on changes to NextArrow’s personnel, policies or procedures.
1.4. Procedures to verify all access rights through effective authentication methods.
1.5. A government agency data access policy that refuses government access to data, except where such access is required by law, or where there is imminent risk of serious harm to individuals.
1.6. Policies and procedures for assessing legal basis for, and responding to, government agency requests for data.
1.7. Specific training of personnel responsible for managing government agency requests for access to data, which may include requirements under applicable Data Protection Laws.
1.8. Processes to document and record government agency requests for data, the response provided, and the government authorities involved.
1.9. Procedures to notify Company about any request or requirement for government agency access to data, unless legally prohibited.
2. Physical Security Measures
2.1. NextArrow has implemented, and will maintain and update as appropriate throughout its Processing of Company Personal Data, appropriate physical security measures for any facility used to Process Company Personal Data, and will continually monitor any changes to the physical infrastructure, business, and known threats.
3. Technical Security Measures: NextArrow shall throughout its Processing of Company Personal Data:
3.1. perform vulnerability scanning and assessments on applications and infrastructure used to Process Company Personal Data.
3.2. secure its computer networks using multiple layers of access controls to protect against unauthorized access.
3.3. restrict access through mechanisms such as, but not limited to, management approvals, robust controls, logging, and monitoring access events and subsequent audits.
3.4. identify computer systems and applications that warrant security event monitoring and logging, and reasonably maintain and analyze log files.
3.5. use up-to-date, industry standard, commercial virus/malware scanning software that identifies malicious code on all of its systems that Process Company Personal Data.
3.6. encrypt Company Personal Data in transit.
3.7. encrypt Company Personal Data at rest and solely manage and secure all encryption keys (i.e., no other third party shall have access to these encryption keys, including Sub-processors).