Data Processing Addendum

nice elevateai data processing addendum last updated august 12, 2022 this data processing addendum (“ dpa ”) is incorporated into the terms between you (also, “ customer ”) and nice and reflects the parties’ agreement with regard to the processing of data (as these terms are defined below) you agree to this dpa by clicking on "accept" to the terms when you create or otherwise register for your account, and you are confirming your acceptance each time you use elevateai thereafter by clicking “accept” to the terms when you access elevate ai for the first time, you affirm that you are authorized by your organization, such as your business or employer, to bind such organization to the dpa this dpa consists of the main body of the dpa and appendices i iii data processing terms 1\ definitions " controller ", " processor ", " data subject ", " personal data " and " processing " (and " process ") shall have the meanings given in eu/uk data protection law “ affiliate ” means an entity which is controlling, controlled by or under common control with a party for purposes of this definition, "control" means possessing, directly or indirectly, the power to direct or cause the direction of the management, policies or operations of an entity, whether through ownership of voting securities, by contract or otherwise " applicable data protection law " means all worldwide data protection and privacy laws and regulations applicable to the personal data in question, including, where applicable, eu/uk data protection law " customer " means the party which entered into the terms, or an affiliate thereof, and signatory to this dpa " data " has the meaning given to it in clause 2 1 " dpa " means this data processing addendum " eu/uk data protection law " means (i) regulation 2016/679 of the european parliament and of the council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (general data protection regulation) (the " eu gdpr "); (ii) the eu gdpr as saved into united kingdom law by virtue of section 3 of the united kingdom's european union (withdrawal) act 2018 (the " uk gdpr "); (iii) the eu e privacy directive (directive 2002/58/ec); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time " nice " means nice systems, inc " restricted transfer " means (i) where the eu gdpr applies, a transfer of personal data from the european economic area to a country outside of the european economic area which is not subject to an adequacy determination by the european commission; and (ii) where the uk gdpr applies, a transfer of personal data from the united kingdom to any other country which is not subject to an adequacy determination based on adequacy regulations pursuant to section 17a of the united kingdom data protection act 2018 " security incident " has the meaning given to it in clause 2 8 “ self service tools ” means functionality which may be made available by nice in the software licensed or made available to customer which permits customer to comply with controller obligations under applicable data protection law relevant to customer’s use of the services " services " means the services provided by nice to customer under or in connection with the terms " agreement " has the meaning ascribed to it in the nice elevateai terms of use nice elevateai terms of use standard contractual clauses " means (i) where the eu gdpr applies, the contractual clauses annexed to the european commission's implementing decision 2021/914 of 4 june 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to regulation (eu) 2016/679 of the european parliament and of the council (" eu sccs "); and (ii) where the uk gdpr applies, standard data protection clauses adopted pursuant to or permitted under article 46 of the uk gdpr (" uk sccs ") “ toms ” means the security provisions set out in the agreement, and as applicable the technical and organizations measures set out as an appendix to this dpa, in each case as relates to the applicable services detailed therein if so limited 2\ processing of data 2 1 relationship of the parties customer (the controller) appoints nice as a processor to process the personal data that is the subject of the agreement and as further described in appendix i (the " data ") 2 2 prohibited data customer shall not disclose (and shall not permit any data subject to disclose) any sensitive data (special categories) of data or data that imposes specific data security or data protection obligations on nice in addition to or different from those specified in this dpa or the agreement to nice for processing except where and to the extent expressly disclosed in appendix i 2 3 term and termination the term of this dpa, including its appendices, shall continue until all processing of customer’s personal data by nice ceases 2 4 purpose limitation nice shall process the data as a processor as necessary to perform its obligations under the agreement, including for the purposes described in appendix i to this dpa and strictly in accordance with the documented instructions of customer (the " permitted purpose "), except where otherwise required by law(s) that are not incompatible with applicable data protection law in no event shall nice process the data for its own purposes or those of any third party each party is solely responsible for compliance with its respective obligations under applicable data protection law the customer shall comply with all necessary transparency and lawful requirements under applicable data protection law in order to disclose the data to nice for the permitted purposes nice shall immediately inform customer if it becomes aware that customer's processing instructions infringe applicable data protection law (but without obligation to actively monitor customer's compliance with applicable data protection law) if a change in applicable data protection law prevents nice from processing the data as intended by the agreement, customer will immediately stop transmission of the data to nice and the parties will negotiate in good faith changes to the agreement which may include but are not limited to additional services or solutions, if and when made available by nice notwithstanding anything to the contrary, data localization laws in applicable data protection law shall not require nice to change the storage location of any data centres agreed in, or permitted by, the agreement; provided that nice will negotiate in good faith commercially reasonable changes to the storage location 2 5 restricted transfers the parties agree that when the transfer of data from customer to nice is a restricted transfer it shall be subject to the appropriate standard contractual clauses as follows (a) in relation to data that is protected by the eu gdpr, the eu sccs will apply completed as follows i module two will apply; ii in clause 7, the optional docking clause will apply; iii in clause 9, option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in clause 2 10 of this dpa; iv in clause 11, the optional language will not apply; v in clause 17, option 1 will apply, and the eu sccs will be governed by irish law; vi in clause 18(b), disputes shall be resolved before the courts of ireland; vii annex i of the eu sccs shall be deemed completed with the information set out in appendix i to this dpa; and viii annex ii of the eu sccs shall be deemed completed with the toms (b) in relation to data that is protected by the uk gdpr, the uk sccs will apply completed as follows i for so long as it is lawfully permitted to rely on standard contractual clauses for the transfer of personal data to processors set out in the european commission’s decision 2010/87/eu of 5 february 2010 (“ prior c2p sccs ”) for transfers of personal data from the united kingdom, the prior c2p sccs shall apply between nice and the customer on the following basis (a) appendix 1 of the uk sccs shall be deemed completed with the information set out under the relevant headings appendix i to this dpa; and (b) appendix 2 of the uk sccs shall be deemed completed with the information set out in the toms; and (c) the optional illustrative indemnification clause will not apply ii where sub clause (b)(i) of this clause above does not apply, but nice and the customer are lawfully permitted to rely on the eu sccs for transfers of personal data from the united kingdom subject to completion of a “uk addendum to the eu standard contractual clauses” (“ uk addendum ”) issued by the information commissioner’s office under s 119a(1) of the data protection act 2018, then (a) the eu sccs, completed as set out above in clause (a) of this clause shall also apply to transfers of such data, subject to sub clause (b) below; (b) the uk addendum shall be deemed executed between the transferring customer and nice, and the eu sccs shall be deemed amended as specified by the uk addendum in respect of the transfer of such data (iii) if neither sub clause (b)(i) or sub clause (b)(ii) of this clause applies, then nice and the customer shall cooperate in good faith to implement appropriate safeguards for transfers of such data as required or permitted by the uk gdpr without undue delay (c) in the event that any provision of this dpa contradicts, directly or indirectly, the standard contractual clauses, the standard contractual clauses shall prevail 2 6 onward transfers nice shall not participate in (nor permit any subprocessor to participate in) any other restricted transfers of data (whether as an exporter or an importer of the data) unless the restricted transfer is made in full compliance with applicable data protection law subject to the provisions in clause 2 9 ( subprocessing ), where a restricted transfer is protected by the uk gdpr the customer authorises nice to enter into uk sccs on its behalf 2 7 confidentiality of processing nice shall ensure that any person that it authorises to process the data (including nice's staff, agents and subprocessors) (an " authorised person ") shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the data who is not under such a duty of confidentiality nice shall ensure that all authorised persons process the data only as necessary for the permitted purpose 2 8 security nice shall implement and maintain appropriate technical and organisational measures as set out in the toms to protect the data from accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access (a " security incident ") 2 9 updates to security measures the technical and organizational measures are subject to technological progress and advancements as such, nice may implement alternative, adequate measures which meet or exceed the security level of the measures described in the toms 2 10 subprocessing customer consents to nice engaging nice affiliates and third party subprocessors to process the data for the permitted purpose provided that (i) nice maintains an up to date list of its subprocessors that may process personal data; (ii) nice imposes data protection terms on any subprocessor it appoints that protect the data, in substance, to the same standard provided for by this dpa; and (iii) nice remains liable for any breach of this dpa that is caused by an act, error or omission of its subprocessor lists of nice subprocessors are available upon request via customer’s normal contacts for the applicable services or may be published in the documentation portal for the applicable service, and nice shall update them with details of any change in subprocessors at least 10 days' prior to any such change customer may object to nice's appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection in such event, nice will either not appoint or replace the subprocessor or, if this is not possible, customer may elect to suspend or terminate the agreement (without prejudice to any fees incurred by customer prior to suspension or termination) 2 11 cooperation and data subjects' rights taking into account the nature of the processing and to the extent a response to a request cannot be achieved using the service's self service tools available to the customer, nice will provide commercially reasonable assistance to the customer (at customer's expense) to (i) fulfil a customer's obligation to respond to data subjects' requests under applicable data protection law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) in relation to any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the data if any such request, correspondence, enquiry or complaint is made directly to nice, nice shall promptly inform customer providing full details of the same 2 12 data protection impact assessment nice shall, which may be subject to reimbursement of nice's then current hourly fees, provide customer with all such reasonable and timely assistance as customer may require in order to conduct a data protection impact assessment in accordance with applicable data protection law 2 13 deletion or return of data upon termination or expiry of the agreement, nice shall destroy all data (including all copies of the data) in its possession or control, except as otherwise stated in the agreement this requirement shall not apply to the extent that nice is required by any applicable law to retain some or all of the data, or to data it has archived on back up systems, in which event nice shall isolate and protect the data from any further processing except to the extent required by such law until deletion is possible 2 14 data records documentation materials that serve as evidence that data was processed in a proper manner consistent with the stipulations of this dpa may be stored by nice after termination of this dpa in accordance with the applicable retention periods 2 15 audit (a) customer may audit nice’s compliance of its obligations under this dpa, at its own expenses by itself or by a certified auditor customer shall provide at least 60 days, prior written notice of its intention of doing so and nice shall make available all information reasonably necessary to demonstrate such compliance, and shall allow for and contribute to audits, including inspections, by customer such audits shall be conducted during regular business hours and customer shall ensure that it does not disrupt the regular operations of nice customer will not exercise its audit rights more than once in any twelve month period (in aggregate with any information rights in the agreement), except (i) if and when required by instruction of a competent data protection authority; (or) if customer believes a further audit is necessary due to a security incident suffered by nice for any audit or right of access exercised under this section, the sccs or any similar right granted by law, nice will not be required to provide information, evidence or access of any kind that includes other customers’ information, and to preserve the rights, confidentiality, security, and data integrity of other customers (b) alternatively at nice's discretion and if available for the applicable service, nice may satisfy its obligations under this clause ( audit ) (and any similar obligations under the standard contractual clauses) by presenting a summary copy of its soc 2 type ii, pci dss, iso 27001, soc 2+hitrust, fedramp or irap audit or certification report(s) to customer, which reports shall be subject to the confidentiality provisions of the agreement (c) customer shall be responsible for all costs and fees, including all reasonable costs and fees for any and all time nice expends for any such audit 2 16 governing law this dpa shall be governed by the laws of same jurisdiction as agreed in the terms appendix i data processing description this appendix i forms part of the dpa and describes the processing that the processor will perform on behalf of the controller a list of parties controller(s) / data exporter(s) \[ identity and contact details of the controller(s) /data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the european union ] 1\ name as listed on your account address as listed on your account contact person’s name, position and contact details as listed on your account activities relevant to the data transferred under this dpa the services role (controller/processor) controller processor(s) / data importer(s) \[identity and contact details of the processor(s) /data importer(s), including any contact person with responsibility for data protection ] 1\ name nice systems, inc address 221 river st , 10th floor, hoboken, nj 07030 contact person’s name, position and contact details for general matters nice’s data protection office at privacy\@nice com mailto\ privacy\@nice com for security matters nice’s information security office at security\@nice com mailto\ security\@nice com activities relevant to the data transferred under this dpa the services role (controller/processor) processor в description of transfer categories of data subjects whose personal data is transferred end users of customer’s services categories of personal data transferred personal categories of data may include personal contact information such as name, home address, home telephone or mobile number, fax number, email address, and passwords; information concerning family, lifestyle and social circumstances including age, date of birth, marital status, number of children and name(s) of spouse and/or children; employment details including employer name, job title and function, employment history, salary and other benefits, job performance and other capabilities, education/qualification, identification numbers, and business contact details; financial details; goods and services provided; unique ids collected from mobile devices, network carriers or data providers; ip addresses and online behavior and interest data sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures n/a the frequency of the transfer (e g whether the data is transferred on a one off or continuous basis) one off nature of the processing as required to perform the services, and may include but is not limited to organisation, structuring, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure and destruction purpose(s) of the data transfer and further processing for processing in processor software solutions, support and maintenance, and development, in each case as permitted in the agreement the period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period as detailed in the agreement for transfers to (sub ) processors, also specify subject matter, nature and duration of the processing as permitted by the agreement in particular, transfers to hosting subprocessors may be required for storage and remote data processing, and shall be for a nature and duration as permitted by the agreement c competent supervisory authority identify the competent supervisory authority/ies in accordance (e g in accordance with clause 13 of the eu sccs) ireland data protection commission