Last Updated: May 25, 2023
Data Protection Addendum
This Data Protection Addendum (“Addendum”) is entered into by and between Nami ML Inc., a Delaware corporation (“Nami”), and Customer effective as of the later date of each party’s signature below. This Addendum applies to Nami’s Processing of User Personal Data under the agreement executed between Nami and Customer for Nami’s provision of the Services (the “Agreement”).
For purposes of this Addendum, the terms below have the meanings set forth below. Capitalized terms that are used but not defined in this Addendum have the meanings given in the Agreement.
“Affiliate” means any entity that directly or indirectly controls, is controlled by or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.
“CCPA” means the California Consumer Privacy Act of 2018, California Civil Code § 1798.100, as amended by the California Privacy Rights Act, and implementing regulations.
“Controller” means a controller, business, or an equivalent term under Data Protection Laws.
“User Personal Data” means any User Data (as defined in the Agreement) that is Personal Data. For purposes of this Addendum, User Personal Data does not include personal information of employees or other representatives of User with whom Nami has a direct business relationship.
“Data Protection Laws” means any applicable international, national, federal, state, local, municipal, or territorial law, regulation, rule, guideline, guidance, or industry standard concerning or relating to data privacy, security, or breach notification, including, but not limited to, the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the CCPA, the Colorado Privacy Act, the Connecticut Data Privacy Act, the GDPR, the Mexican Federal Data Protection Law, the Utah Consumer Privacy Act, the UK GDPR, the Virginia Consumer Data Protection Act, and any other applicable state privacy law.
“Data Subject” means the definition of a data subject, consumer, or an equivalent term under Data Protection Laws.
“EU Data Protection Law” means European Union Regulation 2016/679 (“GDPR”) and any national legislation implementing GDPR, as amended from time to time.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means processor, service provider, or an equivalent term under Data Protection Laws.
“Personal Data” means (i) information that identifies or reasonably could identify a natural person; or (ii) information that constitutes personal data, personal information, personally identifiable information, nonpublic personal information, personal health information, or an equivalent term under Data Protection Laws.
“Security Incident” means any confirmed unauthorized access, disclosure, misappropriation, theft, loss, acquisition, use, modification, or altering the availability of Personal Data. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.
“Subprocessor” means any third party authorized by Nami or its Affiliates to Process any User Personal Data.
“Third Party Subprocessor” means any Subprocessor who is not an Affiliate of Nami.
3. General; Termination
This Addendum forms part of the Agreement and except as expressly set forth in this Addendum, the Agreement remains unchanged and in full force and effect. If there is any conflict between this Addendum and the Agreement, this Addendum shall govern.
Any liabilities arising under this Addendum are subject to the limitations of liability in the Agreement.
This Addendum will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
This Addendum will automatically terminate upon expiration or termination of the Agreement.
4. Scope of this Addendum
This Addendum applies to Nami’s Processing of User Personal Data under the Agreement.
5. Role and Scope of the Processing
The parties acknowledge and agree that with regard to the Processing of User Personal Data, Nami is the Processor and Customer is the Controller. Nami will Process User Data only in accordance with Customer’s instructions. By entering into the Agreement, Customer instructs Nami to Process User Data to provide the Services and pursuant to any other written instructions given by Customer and acknowledged in writing by Nami as constituting instructions for purposes of this Addendum. Customer acknowledges and agrees that such instruction authorizes Nami to Process User Data (a) to perform its obligations and exercise its rights under the Agreement; and (b) to perform its legal obligations and to establish, exercise or defend legal claims in respect of the Agreement. Nami will not (a) sell User Personal Data; or (b) retain, use or disclose any User Personal Data for any purpose other than for the specific purpose of providing the Services, including retaining, using or disclosing the User Personal Data for a commercial purpose other than providing the Services.
Customer is solely responsible for its compliance with all Data Protection Laws applicable to it. Customer represents and warrants that it has obtained all necessary consents, licenses, and permissions, if any, required from Data Subjects and any third parties, and as required by Data Protection Laws.
Customer specifically authorizes Nami to use its Affiliates as Subprocessors, and generally authorizes Nami to engage Third Party Subprocessors to Process User Personal Data. Nami:
· shall enter into a written agreement with each Subprocessor, imposing data protection obligations substantially similar to those set out in this Addendum; and
· remains liable for compliance with the obligations of this Addendum and for any acts or omissions of the Subprocessor that cause Nami to breach any of its obligations under this Addendum.
A list of Nami’s Subprocessors, including their functions and locations, is available at https://www.namiml.com/legal/subprocessors/ or such other website as Nami may designate (“Subprocessor Page”), and may be updated by Nami from time to time in accordance with this Addendum.
When any new Third Party Subprocessor is engaged, Nami will notify Customer of the engagement, which notice may be given by updating the Subprocessor Page. Nami will give such notice at least ten (10) calendar days before the new Subprocessor Processes any User Personal Data, except that if Nami reasonably believes engaging a new Subprocessor on an expedited basis is necessary to protect the confidentiality, integrity or availability of the User Personal Data or avoid material disruption to the Services, Nami will give such notice as soon as reasonably practicable. If, within five (5) calendar days after such notice, Customer notifies Nami in writing that Customer objects to Nami’s appointment of a new Third Party Subprocessor based on reasonable data protection concerns, the parties will discuss such concerns in good faith and whether they can be resolved. If the parties are not able to mutually agree to a resolution of such concerns, Customer, as its sole and exclusive remedy, may terminate the Agreement for convenience.
Nami shall implement and maintain technical and organizational security measures designed to protect User Personal Data from Security Incidents and to preserve the security and confidentiality of the User Personal Data, in accordance with Nami’s security standards referenced in the Agreement (“Security Measures”).
Customer is responsible for reviewing the information made available by Nami relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws. Customer acknowledges that the Security Measures may be updated from time to time upon reasonable notice to Customer to reflect process improvements or changing practices (but the modifications will not materially decrease Nami’s obligations as compared to those reflected in such terms as of the Effective Date).
Upon becoming aware of a confirmed Security Incident, Nami shall notify Customer without undue delay unless prohibited by applicable law. A delay in giving such notice requested by law enforcement and/or in light of Nami’s legitimate needs to investigate or remediate the matter before providing notice shall not constitute an undue delay. Customer is solely responsible for complying with Security Incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any Security Incidents. Nami’s notification of or response to a Security Incident under this Section will not be construed as an acknowledgement by Nami of any fault or liability with respect to the Security Incident, nor that there has been a “breach” as defined by Data Protection Laws.
Customer agrees that it is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the User Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; and (c) securing Customer’s systems and devices that it uses with the Services.
8. Data Subject Requests
Nami shall upon Customer’s request (and at Customer’s expense) provide Customer with such assistance as it may reasonably require to comply with its obligations under Data Protection Laws to respond to requests from individuals to exercise their rights under Data Protection Laws (e.g., rights of data access, rectification, erasure, restriction, portability and objection) in cases where Customer cannot reasonably fulfill such requests independently by using the self-service functionality of the Services. If Nami receives a request from a Data Subject in relation to their User Personal Data, Nami will advise the Data Subject to submit their request to Customer, and Customer will be responsible for responding to any such request.
9. Cross-Border Transfers
To the extent that User Personal Data is transferred under the Agreement from the European Economic Area or the United Kingdom to a country that has not received an adequacy determination from the EU Commission (or the Information Commissioner’s Office in the case of transfers from the United Kingdom), including transfers to the United States, the parties agree that they will use, together or individually, any necessary transfer mechanisms such as the Standard Contractual Clauses or the EU-US Data Privacy Framework. To the extent the Standard Contractual Clauses are used, the parties agree as follows:
· Customer will act as the data exporter and (b) Nami will act as the data importer;
· for purposes of Appendix 1 to the Standard Contractual Clauses, the Data Subjects, categories of data, and the processing operations shall be as set forth in the Agreement and DPA;
· for purposes of Appendix 2 to the Standard Contractual Clauses, the technical and organizational measures shall be the Security Measures;
· upon data exporter’s request under the Standard Contractual Clauses, data importer will provide the copies of the Subprocessor agreements that must be sent by the data importer to the data exporter pursuant to Clause 5(j) of the Standard Contractual Clauses, and data importer may remove or redact all commercial information or clauses unrelated to the Standard Contractual Clauses or their equivalent beforehand;
· the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be performed in accordance with the terms of the Agreement and this DPA;
· Customer’s authorizations in Section 6 of this Addendum (Subprocessing) will constitute Customer’s prior written consent to the subcontracting by Nami of the Processing of User Personal Data if such consent is required under Clause 5(h) of the Standard Contractual Clauses;
· Certification of deletion of User Personal Data as described in Clause 12(1) of the Standard Contractual Clauses shall be provided only upon Customer’s request; and
· the Standard Contractual Clauses shall automatically terminate once the User Personal Data transfer governed thereby becomes lawful under Chapter V of the GDPR in the absence of such Standard Contractual Clauses on any other basis
10. Data Protection Impact Assessment and Prior Consultation
Nami will reasonably cooperate with Customer with respect to any data protection assessment, data protection impact assessment, privacy risk assessment, or equivalent requirement under Data Protection Laws.