Data Processing Amendment
Effective May 25, 2018
Capitalized terms that are not defined in this Data Processing Amendment have the meaning set forth in our Terms of Service.
Nudge makes every effort to protect process data in accordance with the EU Data Protection Regulation (“GDPR”), the US Health Insurance Portability and Accountability Act (“HIPAA”), and applicable US laws governing the processing of personal data.
Nudge has undertaken to self-certify under, and adhere to the EU-US Privacy Shield Principles (“Privacy Shield”).
This Data Processing Amendment (“DPA”) amends and supplements our Terms of Service and requires no further action on your part.
2.1 You acknowledge and agree that your continued use of the Services, following any modification of this DPA, shall signify your assent to, and acceptance of, such amended terms.
2.2 If you do not agree to the terms of this DPA, you may request to cancel your account and discontinue the use of the Services.
3. Additional Definitions
The terms “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Consent” and “Data Concerning Health” shall have the definitions given these terms by the GDPR.
“Content” means any information published, uploaded to, made available through, or appearing on the Services, including without limitation, data, text, graphics, photos, videos, charts, or location information.
“Data Protection Laws” means all data protection and privacy laws applicable to the processing of personal data between Nudge and the Customer.
“Incident” means any request or complaint relating to an individual’s rights under the GDPR, government action, investigation or data seizure by government officials, (iii) any breach resulting in the unlawful or unauthorized disclosure, destruction, or loss of personal data of data subjects.
“Security Measures” means the technical and organizational security measures set out in our Security Policy.
“Sub-Processor” means any third parties, vendors, or independent contractors engaged to provide services related to the Nudge Services that require the processing of Customer Controlled Data.
“Customer Controlled Data” means personal data processed on the Customer’s behalf by Nudge as a part of the Services.
4. Scope and Applicability
This DPA only applies to you and your organization if you or your End Users are Data Subjects located in, or subject to the laws of the EU. Nudge shall not be responsible for personal data you have processed directly through third party services separately from and outside of the Services.
In accordance the definitions set forth in the GDPR, Customer is the data Controller and Nudge is the data Processor for the purposes of this Agreement.
5.1 Personal Data shall remain the property of the disclosing party.
5.2 The Parties agree that each party shall preserve the confidentiality of the other Party’s Personal Data.
5.3 Each Party is obliged to, and responsible for, complying with all relevant Data Protection Laws in all relevant jurisdictions with respect to the Personal Data of the other party.
5.4 As Nudge is certified under the EU-US Privacy Shield Framework, a transfer mechanism deemed to be adequate for the purposes of the GDPR, Customer may legally transfer personal data from the EU to Nudge.
6. Nudge Responsibilities As Processor
Nudge agrees to only process Customer Controlled Data in accordance with the scope of the Agreement, and for the purposes of delivering the Services as mutually agreed upon with Customer.
6.1 Nudge provides controls within registered accounts managed by authorized Representatives allowing you to configure and export Personal Data, including Data Concerning Health from the Services. Nudge agrees to process data exports as configured by you, and reserves the right to restrict or cease continued processing if we suspect Personal Data is not being handled in compliance with applicable Data Protection Laws.
6.2 Customer shall be responsible for ensuring that the processing of Customer Controlled Data in accordance with your instructions will not result in the breach of any Data Protections Laws, rules or regulations by either Party.
6.3 Additional instructions you provide for processing Customer Controlled Data which we deem outside of the scope of this DPA require prior written agreement between the Parties, including agreed upon payment terms.
7.1 Nudge shall maintain appropriate technical and organizational Security Measures to protect Customer Controlled Data from security-related Incidents. We preserve the security and confidentiality of your data in accordance with the security standards described by our Security Measures.
7.2 Customer agrees that it is responsible for reviewing all Security Measures made available by Nudge and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws. Customer acknowledges that Nudge may update or modify the Security Measures from time to time provided that such updates to not degrade the overall security of the Services.
Customer agrees that Nudge may engage Sub-Processors to process customer data on Customer’s behalf. Nudge shall maintain an updated list of third parties authorized by Customer for review in our list of authorized Sub-Processors.
9. Customer Responsibilities As Controller
9.1 Customer warrants that it has properly secured all rights necessary, including any necessary Consents from Data Subjects, to transfer all Personal Data that has been provided to Nudge for Processing in accordance with the Services.
9.2 Customer agrees to fulfill its obligations under the GDPR to implement and maintain appropriate data privacy and security measures in accordance with this DPA.
9.3 Should Customer become aware of the revocation of such Consent by any Data Subject, Customer is responsible for informing Nudge and providing new instructions for the agreed to Processing of that Data Subject’s information.
9.4 Once we have acknowledged receipt of new instructions Nudge agrees to adhere to Customer’s instructions to the extent that the instructions are within reasonable scope, and the implementation of such instructions is determined by Nudge to be technically possible.
9.5 Customer acknowledges that in its role as Controller it is responsible for determining the lawfulness of Processing, performing any required data protection impact assessments or equivalent due diligence activities, and accounting to regulators, Nudge, and Data Subjects as needed.
9.6 Customer agrees to make reasonable efforts to restrict any registration or use of the Services by Data Subjects under the age of 16, and to verify parental consent when data is collected on participating Data Subjects under the age of 16.
9.7 Customer must provide relevant privacy notices as may be required in Customer’s jurisdiction.
9.8 Customer agrees that it shall fulfill its obligations under the GDPR by responding to requests from individuals regarding the processing of their data including requests for deletion, modification, or exportation.
9.9 If Customer becomes aware of any data incident, Customer shall notify all affected Data Subjects, and relevant authorities of the nature and scope of the incident as may be required by law in your jurisdiction.
10. Reasonable Assistance
10.2 Nudge agrees to aid Customers in fulfilling their obligations under the GDPR with regards to the exercise of rights afforded to individual Data Subjects who make requests with regards to Customer Controlled Data insofar as Nudge, in its sole discretion, deems it reasonably commercially possible.
Nudge performs annual audits of its systems and procedures to ensure adherence with HIPAA and the GDPR. Annual audits may be performed either internally, or by independent third parties.
11.1 Customer may exercise any applicable rights to request an audit by instructing Nudge to conduct the audit described above. You agree that you may be required to execute a non-disclosure agreement with Nudge prior to receiving any report of the outcome of any requested audit. To request such an audit or inspection of Nudge systems and procedures, please submit an email request here.
12. Data Subject Requests
12.1 Data Subjects may at any time request to have their accounts and all associated data (personal or otherwise) permanently deleted from the Services.
12.2 Data Subjects may also request changes to inaccurate Personal Data, or request copies of their data that is being processed by Nudge. Customers may also submit such requests on the behalf of their Data Subjects.
12.3 Nudge agrees to respond to, and process all such requests to the extent that they are reasonable in scope and technically possible. To submit requests submit the details to our support team via email. Nudge may require you to confirm your identity before processing your request.
13. Incident Management
Nudge and Customer mutually agree to notify the other without undue delay when becoming aware of any data incident that may impact the secure processing of Personal Data.
13.1 Each Party agrees to provide reasonable cooperation in order to enable an appropriate investigation into the incident, and the formulation and execution of an appropriate response plan.
13.2 Each Party agrees to maintain written procedures that enable prompt and appropriate incident response.
13.3 Any notification of Incident or breach as described in this section shall be made without undue delay to email@example.com, and shall include the name and contact details for the best point of contact to provide further accurate and detailed information as to the nature and scope of the Incident.
14. Liability and Indemnity
Each Party indemnifies the other and holds them harmless against all claims, actions, losses, damages and expenses incurred by the indemnified Party and arising directly or indirectly out of, or in connection with, a breach of this DPA.
We are here for you if you have any questions or concerns about the protection of your data, or the terms of this DPA. Send any questions to our team at firstname.lastname@example.org.