Actioner Data Processing Agreement (DPA)

This Data Processing Agreement ("Agreement") forms part of the Contract for Services ("Principal Agreement") between Nova Era Labs, Inc., a corporation having its principal place of business at 520 Catalina Isles Circle, Venice, FL, 34292 (the “Data Processor” or “Nova Era Labs” or “Actioner”) and the customer that subscribes to the Actioner services (the “Customer”) (together as “Parties”).

WHEREAS

(A) The Customer acts as a Data Controller.

(B) The Customer wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor.

(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(D) The Parties wish to lay down their rights and obligations.

1. Definitions

1.1. Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

  • "Agreement" means this Data Processing Agreement and all Schedules;
  • "Customer Configuration Data" means any configuration or personal data that is required by Actioner to be functional for the Customer, such as (a) application sub-configurations like workflows, documents or functions, (b) credentials, connections and integrations with the third party providers, (c) identity and access management related personal data;
  • “Customer Account Data” means personal data that relates to Customer’s relationship with the Processor, including the names or contact information of individuals authorized by Customer to access Customer’s account, and billing information of individuals that Customer has associated with its account;
  • “Customer Usage Data” means data processed by Processor for the purposes of transmitting or processing Customer Configuration Data. Customer Usage Data includes data used to be processed within the Services, such as (a) inputs, requests and form data provided by the end users or clients of Customer, (b) any data that is programmatically, periodically or automatically received through an integration of the Customer, (c) any content stored as a result of processing a Customer Configuration Data, (d) activity logs used to identify the source of Service requests, optimize and maintain performance of the Services, and investigate and prevent system abuse;
  • “Customer Data” means the union of Customer Configuration Data, Customer Account Data and Customer Usage Data;
  • "Contracted Processor" means a Subprocessor;
  • "Data Protection Laws" means all applicable data protection and privacy laws, their implementing regulations, regulatory guidance, and secondary legislation, each as updated or replaced from time to time, including, as they may apply: (i) the General Data Protection Regulation ((EU) 2016/679) (the “GDPR”) and any applicable national implementing laws; (ii) the UK General Data Protection Regulation (“UK GDPR”) and the UK Data Protection Act 2018; (iii) U.S. legislation (e.g., the California Consumer Privacy Act and the California Privacy Rights Act); and (iv) any other laws that may be applicable.
  • "EEA" means the European Economic Area;
  • “EU Standard Contractual Clauses” or “SCCs” or “Clauses” means the terms available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN and promulgated pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council 4 June.
  • "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
  • "GDPR" means EU General Data Protection Regulation 2016/679;
  • "Data Transfer" means:
    • a transfer of Customer Data from the Customer to a Contracted Processor; or
    • an onward transfer of Customer Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor,
      in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
  • "Service(s)" means the Actioner software-as-a-service product provided by Nova Era Labs, Inc.
  • "Subprocessor" means any person appointed by or on behalf of the Processor to process Personal Data on behalf of the Customer in connection with the Agreement.
  • "Integration" means the establishment by the Customer of any configuration or connection aimed at facilitating Processor's access to Customer Data for the purpose of accessing a product, service, or solution.

1.2. The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. Processing of Customer Data

Nova Era Labs will process the Personal Data solely for the purposes of providing the Service and in accordance with Customer’s instructions as outlined in the Agreement, or as otherwise documented by Customer, in either event only as permitted by applicable Data Protection Laws.

Unless prohibited by applicable law, Nova Era Labs will notify Customer if in its opinion, an instruction infringes any Data Protection Laws to which it is subject, in which case Nova Era Labs will be entitled to suspend performance of such instruction without liability to Nova Era Labs, until Customer confirms in writing that such instruction is valid under the Data Protection Laws. Any additional instructions regarding the manner in which Nova Era Labs Processes the Personal Data will require prior written agreement between Nova Era Labs and Customer.

Nova Era Labs will not disclose Customer Data to any government, except as necessary to comply with applicable law or a valid and binding order of a law enforcement agency (such as a subpoena or court order). If Nova Era Labs receives a binding order from a law enforcement agency for Personal Data, Nova Era Labs will notify Customer of the request it has received so long as Nova Era Labs is not legally prohibited from doing so.

Nova Era Labs will ensure that individuals with access to or involved in the Processing of Customer Data are subject to appropriate confidentiality obligations and/or are bound by related obligations under Data Protection Laws or other applicable laws.

Where Nova Era Labs acts as Customer’s Service Provider, Nova Era Labs shall not: (i) sell or share Customer Data; (ii) collect, retain, use, or disclose Customer Data (a) for any purpose other than providing the Service specified in the Agreement and this Addendum or (b) outside of the direct business relationship between Nova Era Labs and Customer; or (iii) combine this Customer Data with personal Data that Nova Era Labs obtains from other sources except as permitted by applicable Data Protection Laws. Nova Era Labs certifies that it understands the prohibitions outlined in this Section and will comply with them.

The duration of the Processing, the nature and specific purposes of the Processing, the types of Personal Data Processed, and categories of Data Subjects under this Addendum are further specified in the Annexes to this Addendum and, on a more general level, in the Agreement.

3. Processor Personnel

Nova Era Labs shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Customer Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Security

4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Customer Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

4.2. In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

5. Subprocessing

Customer agrees that Nova Era Labs may engage third-party providers as “Subprocessors” and hereby authorizes Nova Era Labs to engage such Subprocessors in the provision of the Service. Nova Era Labs will restrict the Processing activities performed by Subprocessors to only what is necessary to accomplish the purposes of the Agreement. Nova Era Labs will impose appropriate contractual obligations in writing upon the Subprocessors that are no less protective than this Agreement, and Processor will remain responsible for the Subprocessors’ compliance with the obligations under this Agreement.

Nova Era Labs maintains a list of all Subprocessors at https://trust.actioner.com. Processor may amend the list of Subprocessors by adding or replacing Subprocessors at any time and will use commercially reasonable efforts to provide Customer with fifteen (15) days’ advance notice of any updates so long as Customer subscribes to Nova Era Labs’s notification list. Customer will be entitled to object to a new Subprocessor by notifying Nova Era Labs in writing of the reasons for its objection. Nova Era Labs will work in good faith to address the Customer’s objections. If Nova Era Labs is unable or unwilling to adequately address Customer’s objections to its reasonable satisfaction, then Customer may terminate this Agreement, as specified in the Agreement.

6. Data Subject Rights

6.1. Taking into account the nature of the Processing, Processor shall assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

6.2. Processor shall:

6.2.1. promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Data; and

6.2.2. ensure that it does not respond to that request except on the documented instructions of Customer or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Customer of that legal requirement before the Contracted Processor responds to the request.

7. Personal Data Breach

7.1. Processor shall notify Customer without undue delay upon Processor becoming aware of a Personal Data Breach affecting Customer Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

7.2. Processor shall cooperate with the Customer and take reasonable commercial steps as directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

8. Data Protection Impact Assessment and Prior Consultation

Processor shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

9. Deletion or Return of Customer Data

Nova Era Labs will, in accordance with Section 3 (Duration of the Processing) of Annex I (Details of Processing) of this Addendum, delete or return to Customer any Customer Data stored within the Services.

9.1. Extension of Addendum. Upon termination of the Agreement, Nova Era Labs may retain Customer Data in storage for the time periods set forth in Annex I of this Addendum, provided that Processor will ensure that Customer Data (a) is processed only as necessary for the Permitted Purposes and (b) remains protected in accordance with the terms of the Agreement and Applicable Data Protection Law.

9.2 Retention Required by Law. Notwithstanding anything to the contrary in this Section 9, Nova Era Labs may retain Customer Data, or any portion of it, if required by applicable law or regulation, including Applicable Data Protection Law, provided such Customer Data remains protected in accordance with the terms of the Agreement, this Addendum and Applicable Data Protection Law.

10. Audit Rights

Customer and Nova Era Labs acknowledge that Customer must be able to assess Nova Era Labs’s compliance with its obligations under Applicable Data Protection Law and this Agreement, insofar as Nova Era Labs is acting as a processor on behalf of Customer.

10.1 Actioner’s Audit Program. Nova Era Labs uses external auditors to verify the adequacy of its security measures with respect to its processing of Customer Data. Such audits are performed at least once annually at Processor’s expense by independent third-party security professionals at Nova Era Labs’s selection and result in the generation of a confidential audit report (“Audit Report”).

10.2 Customer Audit. Nova Era Labs agrees to make available all information necessary to demonstrate its compliance with data protection policies and procedures implemented as part of the Service. To this end, upon written request (not more than once annually) Customer may, at its sole cost and expense, verify Nova Era Labs’s compliance with its data protection obligations as specified in this Agreement by: (i) submitting a security assessment questionnaire to Nova Era Labs; and (ii) if Customer is not satisfied with Nova Era Labs’s responses to the questionnaire, then Customer may conduct an audit in the form of meetings with Nova Era Labs’s information security experts upon a mutually agreeable date. Such interviews will be conducted with a minimum of disruption to Nova Era Labs’s normal business operations and subject always to Nova Era Labs’s agreement on scope and timings. The Customer may perform the audit described above either by itself or through a mutually agreed upon third party auditor, provided that Customer or its authorized auditor executes a mutually agreed upon non-disclosure agreement. Customer will be responsible for any actions taken by its authorized auditor. All information disclosed by Nova Era Labs under this Section 10 will be deemed Nova Era Labs Confidential Information, and Customer will not disclose any audit report to any third party except as obligated by law, court order or administrative order by a government agency. Nova Era Labs will remediate any mutually agreed, material deficiencies in its technical and organizational measures identified by the audit procedures described in this Section 10 within a mutually agreeable time frame.

11. Data Transfer

Nova Era Labs shall transfer Customer Data between jurisdictions as a Data Processor in accordance with applicable Data Protection Laws.

i. Transfers of Customer Data Outside the EEA.

  1. Transfers to countries that offer adequate levels of data protection. Customer Data may be transferred from EEA to other jurisdictions where such jurisdictions are deemed to provide an adequate level of data protection under applicable Data Protection Laws.
  2. Transfers to other third countries. If the Processing of Customer Data includes transfers from EEA/EU Member States to countries outside the EEA/EU which have not been deemed adequate under applicable Data Protection Laws, the parties’ EU Standard Contractual Clauses are hereby incorporated into and form part of this Addendum. The Parties agree to include the optional Clause 7 (Docking clause) to the EU SCCs incorporated into this Addendum. With regards to clauses 8 to 18 of the EU SCCs, the different modules and options will apply as follows:
    1. Module Two or Three shall apply, in accordance with the Roles.
    2. The Option within Clause 11(a) of the EU SCCs, providing for the optional use of an independent dispute resolution body, is not selected.
    3. The Options and information required for Clauses 17 and 18 of the EU SCCs, covering governing law and jurisdiction, are outlined in Section 13 of this Addendum.
    4. Option 2 within Clause 9(a) of the EU SCCs, covering authorization for sub-processors, is selected, as discussed within Section 5 of this Addendum.

ii. Transfers of Customer Data Outside Switzerland. If Customer Data is transferred from Switzerland in a manner that would trigger obligations under the Federal Act on Data Protection of Switzerland (“FADP”), the EU SCCs shall apply to such transfers and shall be deemed to be modified in a manner that incorporates relevant references and definitions that would render such EU SCCs an adequate tool for such transfers under the FADP.

iii. Transfers of Customer Data Outside the UK. If Customer Data is transferred in a manner that would trigger obligations under UK GDPR, the parties agree (i) that Annex IV shall apply.

iv. Annexes. This Addendum and its Annexes, together with the Agreement, including as relevant applicable Clauses, serve as a binding contract that sets out the subject matter, duration, nature, and purpose of the Processing, the type of Customer Data and categories of data subjects as well as the obligations and rights of the Controller. Nova Era Labs may execute relevant contractual addenda, including as relevant the EU SCCs (Module 3) with any relevant Subprocessor (as hereinafter defined, including Affiliates). Unless Nova Era Labs notifies Customer to the contrary, if the European Commission subsequently amends the EU SCCs at a later date, such amended terms will supersede and replace any EU SCCs executed between the parties.

v. Alternative Data Export Solution. The parties agree that the data export solutions identified in this Section 11 will not apply if and to the extent that Customer adopts an alternative data export solution for the lawful transfer of Customer Data (as recognized under applicable Data Protection Laws), in which event, Customer shall reasonably cooperate with Nova Era Labs to implement such solution and such alternative data export solution will apply instead (but solely to the extent such alternative data export solution extends to the territories to which Customer Data is transferred under this Addendum).

12. General Terms

12.1. Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:

  1. disclosure is required by law;
  2. the relevant information is already in the public domain.

12.2. Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement or at such other address as notified from time to time by the Parties changing address.

13. Governing Law and Jurisdiction

This Addendum shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws. For the purposes of Clauses 17 and 18 of the EU SCCs, where applicable, to the extent that the governing law and jurisdiction provisions in the Agreement do not meet the requirements of the EU SCCs, the parties select Option 2 of Clause 17, and agree that the EU SCCs shall be governed by the law of the EU Member State in which the data exporter is established; where such law does not allow for third-party beneficiary rights, the EU SCCs shall be governed by the laws of the country of Ireland. Pursuant to Clause 18, any dispute between the Parties arising from the EU SCCs shall be resolved by the courts of Ireland, and the Parties submit themselves to such jurisdiction. For the purposes of Clause 13 of the EU SCCs, the Supervisory Authority shall be the data exporter’s applicable Supervisory Authority. Data exporter shall notify data importer of the applicable Supervisory Authority by email at legal@actioner.com and shall provide any necessary updates without undue delay.

14. Customer Instructions

Customer appoints Nova Era Labs as a processor to process Customer Data on behalf of, and in accordance with, Customer’s instructions (a) as set forth in the Agreement, this Addendum, and as otherwise necessary to provide the Services to Customer, and which includes investigating security incidents and preventing spam, fraudulent activity, and violations of the Actioner’s Acceptable Use Policy, the current version of which is available at https://trust.actioner.com and Actioner Terms of Use, the current version of which is available at https://actioner.com/terms-conditions, and detecting and preventing network exploits or abuse; (b) as necessary to comply with applicable law or regulation, including Applicable Data Protection Law; and (c) as otherwise agreed in writing between Customer and Nova Era Labs (“Permitted Purposes”).

14.1 Lawfulness of Instructions. Customer will ensure that its instructions comply with Applicable Data Protection Law. Customer acknowledges that Nova Era Labs is neither responsible for determining which laws or regulations are applicable to Customer’s business nor whether Nova Era Labs’s provision of the Services meets or will meet the requirements of such laws or regulations. Customer will ensure that Nova Era Labs’s processing of Customer Data, when done in accordance with Customer’s instructions, will not cause Nova Era Labs to violate any applicable law or regulation, including Applicable Data Protection Law. Nova Era Labs will inform Customer if it becomes aware, or reasonably believes, that Customer’s instructions violate any applicable law or regulation, including Applicable Data Protection Law.

14.2 Additional Instructions. Additional instructions outside the scope of the Agreement or this Addendum will be agreed to in writing between Customer and Nova Era Labs, including any additional fees that may be payable by Customer to Nova Era Labs for carrying out such additional instructions.

ANNEX I: Details of Processing

1. Nature and Purpose of the Processing

Actioner will process personal data as necessary to provide the Services under the Agreement. Actioner does not sell Customer’s personal data or Customer end users’ personal data and does not share such end users’ information with third parties for compensation or for those third parties’ own business interests.

Actioner will process Customer Data as a processor in accordance with Customer’s instructions as set forth in Section 14 (Customer Instructions) of this Addendum.

1.1. Actioner as a Controller of Customer Account Data. Customer and Actioner acknowledge that, with regard to the processing of Customer Account Data, Customer is a controller and Actioner is an independent controller, not a joint controller with Customer. Actioner will process Customer Account Data as a controller in order to (a) manage the relationship with Customer; (b) carry out Actioner’s core business operations, such as accounting and filing taxes; (c) detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of the Services; (d) perform identity verification; (e) comply with Actioner’s legal or regulatory obligation to retain Subscriber Records; and (f) as otherwise permitted under Applicable Data Protection Law and in accordance with this Addendum, the Agreement, and the Actioner Privacy Policy.

1.2. Actioner as a Controller of Customer Usage Data. The parties acknowledge that, with regard to the processing of Customer Usage Data, Customer may act either as a controller or processor and Actioner is an independent controller, not a joint controller with Customer. Actioner will process Customer Usage Data as a controller in order to carry out the necessary functions as a software-as-a-service, such as: (a) Actioner’s accounting, tax, billing, audit, and compliance purposes; (b) to provide, optimize, and maintain the Services, platform and security; (c) to investigate fraud, spam, wrongful or unlawful use of the Services; (d) as required by applicable law or regulation; or (e) as otherwise permitted under Applicable Data Protection Law and in accordance with this Addendum, the Agreement, and the Actioner Privacy Notice.

2. Processing Activities

2.1 Customer Configuration Data. Personal data contained in Customer Data will be subject to the following basic processing activities:

(a) the provision of programmable communication products and services, primarily offered in the form of application programming interfaces, to Customer, including transmittal to or from Customer’s software applications or services and designated third parties as directed by Customer, from or to the publicly-switched telephone network or by way of other communications networks. Storage of personal data on Actioner’s network;

(b) the provision of products and services which allow the transmission and delivery of email communications on behalf of Customer to its recipients. Actioner will also provide Customer with analytic reports regarding the email communications it sends on Customer's behalf. Storage of personal data on Actioner’s network; and

(c) the provision of products and services which allow Customer to integrate, manage and control its data relating to end users. Storage of personal data on Actioner’s network.

2.2 Customer Account Data. Personal data contained in Customer Account Data will be subject to the processing activities of providing the Services.

2.3 Customer Usage Data. Personal data contained in Customer Usage Data will be subject to the processing activities of providing the Services.

3. Duration of the Processing

The period for which personal data will be retained and the criteria used to determine that period are as follows:

3.1. Customer Configuration Data. Prior to the termination of the Agreement, (x) Processor will process stored Customer Configuration Data for the Permitted Purposes until Customer elects to delete such Customer Configuration Data via the Service and (y) Customer agrees that it is solely responsible for deleting Customer Configuration Data via the Services. Upon termination of the Agreement, Processor will (i) provide Customer three (3) days after the termination effective date to obtain a copy of any stored Customer Configuration Data via the Services; (ii) automatically delete any stored Customer Configuration Data ten (10) days after the termination effective date; and (iii) automatically delete any stored Customer Configuration Data on Processor’s back-up systems sixty (60) days after the termination effective date. Any Customer Configuration Data archived on Processor’s back-up systems will be securely isolated and protected from any further processing, except as otherwise required by applicable law or regulation.

3.2. Customer Account Data. Processor will process Customer Account Data as long as required (a) to provide the Services to Customer; (b) for Processor’s legitimate business needs; or (c) by applicable law or regulation. Customer Account Data will be stored in accordance with the Processor’s Privacy Policy.

3.3. Customer Usage Data. Processor will automatically delete any stored Customer Usage Data sixty (60) days after the data is produced.

4. Categories of Data Subjects

4.1. Customer Configuration Data. Any configuration or personal data that is required by Actioner to be functional for the Customer, such as (a) application sub-configurations like workflows, documents or functions, (b) credentials, connections and integrations with the third party providers, (c) identity and access management related personal data.

4.2. Customer Account Data. Personal data that relates to Customer’s relationship with the Processor, including the names or contact information of individuals authorized by Customer to access Customer’s account, Customer’s employees and individuals authorized by Customer to access Customer’s Actioner account or make use of the Identity Provider Services, and billing information of individuals that Customer has associated with its account.

4.3. Customer Usage Data. Data processed by Actioner for the purposes of transmitting or processing Customer Configuration Data. Customer Usage Data includes data used to be processed within the Services, such as (a) inputs, requests and form data provided by the end users or clients of Customer, (b) any data that is programmatically, periodically or automatically received through an integration of the Customer, (c) any content stored as a result of processing a Customer Configuration Data, (d) activity logs used to identify the source of Service requests, optimize and maintain performance of the Services, and investigate and prevent system abuse.

5. Categories of Customer Data

Actioner processes personal data contained in Customer Account Data, Customer Configuration Data, and Customer Usage Data.

6. Sensitive Data or Special Categories of Data

6.1. Customer Configuration Data. API Keys, passwords or temporary credentials are processed if Customer establishes an integration or a connection with a third party provider, product or service.

6.2. Customer Account Data does not contain Sensitive Data.

6.3. Customer Usage Data. Sensitive data may, from time to time, be processed via the Services where Customer or its end users choose to include Sensitive Data within the interactions with the Services through Actioner clients or integrations. Customer is responsible for ensuring that suitable safeguards are in place prior to transmitting or processing, or prior to permitting Customer’s end users to transmit or process any Sensitive Data via the Services.

ANNEX II: Technical and Organizational Security Measures

Where applicable, this Annex II will serve as Annex II to the EU Standard Contractual Clauses. The following table provides more information regarding the technical and organizational security measures set forth below.

You can contact the Actioner Security Team at security@actioner.com for inquiries, complaints, and disputes regarding the privacy practices that are posted on this page.