This Data Processing Agreement (DPA) is made between Nexl Pty Ltd (ABN 35 629 542 043) (we, us or our) and you, the individual or entity that has entered into our Terms and Conditions with us (you or your), together the Parties and each a Party. Where specified in the Terms and Conditions, this DPA is incorporated into and supplements the Terms and Conditions.
A.
The Parties have entered into the Terms and Conditions for the provision of Services by us to you.
B.
In the processing of Customer Personal Data in connection with the Terms and Conditions, each Party will perform the role/s set out in Annex 1, Part A.
C.
The Parties would like to implement this DPA to set out each Party’s rights and obligations in connection with the Processing of Customer Personal Data under the Terms and Conditions.
1.1
This DPA will commence on the date the Terms and Conditions are executed between the Parties and will continue for as long as the Terms and Conditions remain in effect, or the Processor retains any of the Customer Personal Data in its possession or control (whichever is the longer) (Term).
2.1
The Processor agrees to not process Customer Personal Data other than on the Controller’s documented instructions.
2.2
The Controller instructs the Processor to process Personal Data in accordance with this DPA (including in accordance with Annex 1).
2.3
Where and to the extent the Processor is also acting as a Controller (as set out in the roles of the Parties in Annex 1 Part A), it agrees to process the Customer Personal Data in accordance with Applicable Data Protection Laws, and to the extent applicable, clause 12 of this DPA.
3.1
In your use of the Services and your instructions to us, you agree to comply with all Applicable Data Protection Laws.
3.2
You agree that you are solely responsible for:
3.3
You agree to inform us without undue delay if you are not able to comply with your responsibilities under this clause 3 or Applicable Data Protection Laws.
4.1
The Processor agrees to take reasonable steps to ensure the reliability of any of the Contracted Processor’s Personnel who may have access to the Customer Personal Data, ensuring in each case that:
5.1
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor agrees to implement appropriate technical and organisational measures in relation to the Customer Personal Data to ensure a level of security appropriate to that risk in accordance with Applicable Data Protection Laws, and as further particularised in Annex 2.
5.2
In assessing the appropriate level of security, the Processor agrees to take into account the risks that are presented by Processing, in particular from a Personal Data Breach.
6.1
The Controller authorises the Processor’s engagement of the Sub-Processors already engaged by the Processor at the date of this DPA, as set out in Annex 2.
6.2
Where the Processor wishes to engage a new Sub-Processor, the Processor agrees to provide written notice to the Controller of the details of the engagement of the Sub-Processor at least 14 days prior to engaging the new Sub-Processor (including details of the processing it will perform). The Controller may object in writing to the Processor’s appointment of a new Sub-Processor within 7 days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the Parties will discuss such concerns in good faith with a view to achieving resolution. If the Parties are not able to achieve resolution, the Processor may, at its election:
6.3
The Controller agrees that the remedies described above in clauses 6.2(1)–(3) are the only remedies available to the Controller if it objects to any proposed Sub-Processor by the Processor.
6.4
Where the Processor engages a Sub-Processor to process Customer Personal Data, the Processor agrees to enter into a written agreement with the Sub-Processor containing data protection obligations no less protective than those in this DPA with respect to the Customer Personal Data (including in relation to Restricted Transfers), and to remain responsible to the Controller for the performance of such Sub-Processor’s data protection obligations under such terms.
7.1
Taking into account the nature of the Processing, the Processor agrees to assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligations, as reasonably understood by the Controller, to respond to requests to exercise Data Subject rights under the Applicable Data Protection Laws.
7.2
The Processor agrees to:
8.1
The Processor agrees to notify the Controller without undue delay upon the Processor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing the Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
8.2
The Processor agrees to co-operate with the Controller and take reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8.3
If the Controller decides to notify a Supervisory Authority, Data Subjects or the public of a Customer Personal Data Breach, the Controller agrees to provide the Processor with advance copies of the proposed notices and, subject to Applicable Data Protection Law (including any mandated deadlines under the GDPR), allow the Processor an opportunity to provide any clarifications or corrections to those notices.
The Processor agrees to provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Controller reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Applicable Data Protection Law (to the extent the Controller does not otherwise have access to the relevant information and such information is in the Processor’s control).
Subject to this clause 10, and subject to any document retention requirements at law, the Processor agrees to promptly and in any event within 30 days of the date of cessation of any Services involving the Processing of Customer Personal Data (Cessation Date), delete and procure the deletion of all copies of those Customer Personal Data.
11.1
Subject to this clause 11, where required by law, the Processor shall make available to the Controller on request all information reasonably necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller in relation to the Processing of the Customer Personal Data by the Contracted Processors.
11.2
Where clause 11.1 applies, any audit (or inspection):
11.3
Information and audit rights of the Controller only arise under clause 11.1 to the extent that the Terms and Conditions do not otherwise give it information and audit rights meeting the relevant requirements of Applicable Data Protection Law.
12.1
The Parties agree that where the transfer of Customer Personal Data between the Parties is a Restricted Transfer it will be subject to the relevant SCCs, which shall be deemed to be incorporated into this DPA and form part of this DPA, subject to Annex 1 Part C, and are considered an appropriate safeguard.
12.2
In relation to Restricted Transfers of Customer Personal Data protected by the UK GDPR, the EU SCCs will also apply in accordance with clause 12.1 above, which shall be amended to the extent necessary so that:
Despite anything to the contrary in the Terms and Conditions or this DPA, to the maximum extent permitted by law, the Liability of each Party and its affiliates under this DPA is subject to the exclusions and limitations of Liability set out in the Terms and Conditions.
14.1
Each Party agrees that a failure or inability to comply with the terms of this DPA and/or the Applicable Data Protection Laws constitutes a material breach of the Terms and Conditions. In such event, the Controller may, without penalty:
14.2
In the case of such suspension or termination, the Processor shall provide a prompt pro-rata refund of all sums paid in advance under the Terms and Conditions which relate to the period of suspension or the period after the date of termination (as applicable).
14.3
Notwithstanding the expiry or termination of this DPA, this DPA will remain in effect until, and will terminate automatically upon, deletion by the Processor of all Customer Personal Data covered by this DPA, in accordance with this DPA.
15.1
Amendment: Other than as expressly permitted under this DPA and to the extent permitted by law, this DPA may only be amended by written instrument executed by the Parties.
15.2
Assignment: A Party must not assign or deal with the whole or any part of its rights or obligations under this DPA without the prior written consent of the other Party (such consent not to be unreasonably withheld).
15.3
Confidentiality: Each Party agrees to keep this DPA and any information it receives about the other Party and its business in connection with this DPA (Confidential Information) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
15.4
Contracts (Rights of Third Parties) Act 1999: Notwithstanding any other provision of this DPA, nothing in this DPA confers or is intended to confer any right to enforce any of its terms on any person who is not a party to it.
15.5
Counterparts: This DPA may be executed in any number of counterparts that together will form one instrument.
15.6
Order of Precedence: In the event of any conflict or inconsistency between the agreements entered into between the Parties, the SCCs shall prevail, then the Annexes, followed by this DPA and then the Terms and Conditions.
15.7
Governing law and disputes: This DPA is governed by the laws of New South Wales, Australia. Each Party irrevocably and unconditionally submits to the exclusive jurisdiction of the courts operating in New South Wales, Australia and any courts entitled to hear appeals from those courts and waives any right to object to proceedings being brought in those courts.
15.8
Notices: Any notice given under this DPA must be in writing addressed to the relevant address last notified by the recipient to the Parties. Any notice may be sent by standard post or email, and will be deemed to have been served on the expiry of 48 hours in the case of post, or at the time of transmission in the case of transmission by email.
15.9
Severance: If a provision of this DPA is held to be void, invalid, illegal or unenforceable, that provision is to be read down as narrowly as necessary to allow it to be valid or enforceable, failing which, that provision (or that part of that provision) will be severed from this DPA without affecting the validity or enforceability of the remainder of that provision or the other provisions in this DPA.
16.1
In this DPA, unless the context otherwise requires, all terms have the meanings given to them in the Appendices and Annexures, and:
Applicable Data Protection Law means the laws and regulations applicable to the processing of Personal Data by the Parties in connection with the Terms and Conditions, including:
Contracted Processor means the Processor or a Sub-Processor.
Controller means the Party specified in the Party Details of Annex 1 as the Controller that performs the role of a Controller as that term is defined under the EU GDPR, or UK GDPR, as applicable.
Customer Personal Data means any Personal Data Processed by a Contracted Processor on behalf of a Controller in connection with the Terms and Conditions (and where the Processor is also acting as a Controller, any Personal Data it processes in connection with the Terms and Conditions).
Data Subject means any individual person that is identified or identifiable by way of Personal Data.
DPA means this Data Processing Agreement and all Annexes attached to it.
EEA means the European Economic Area.
EU GDPR means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation).
Liability means any expense, cost, liability, loss, damage, claim, notice, entitlement, investigation, demand, proceeding or judgment (whether under statute, contract, equity, tort (including negligence), misrepresentation, restitution, indemnity or otherwise), howsoever arising, whether direct or indirect and/or whether present, unascertained, future or contingent and whether involving a third party or a Party to this DPA or otherwise.
Terms and Conditions means the terms and conditions entered into between the Parties for the provision of our software as a service product, Nexl, to you.
Personnel means in respect of a Contracted Processor, any of its employees, consultants, and subcontractors.
Processor means the Party specified in the Party Details in Annex 1 as a Processor that performs the role of a Processor as that term is defined under the EU GDPR, or UK GDPR, as applicable.
Restricted Transfer means:
SCCs means:
as may be amended, superseded or replaced from time to time.
Services means the services the subject of the Terms and Conditions.
Sub-Processor means any person appointed by or on behalf of the Processor to process Customer Personal Data on behalf of the Controller in connection with the Terms and Conditions.
UK GDPR means the Data Protection Act 2018 and the EU GDPR as incorporated into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018.
16.2
The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the EU GDPR or UK GDPR, as applicable.
16.3
The terms, “Data Exporter” and “Data Importer” shall have the same meaning as in the SCCs.
16.4
The word “include” shall be construed to mean “include without limitation”.
Data Importer
Name: Nexl Pty Ltd (ABN 35 629 542 043)
Address: Level 2/23 Foster Street, Surry Hills, NSW 2010, Australia
Email: support@nexl.io
Key contact person’s contact details and role: Gillian Hood, DPM, gillian@nexl.io
Role: Where you provide personal data to us to sign up to our Services, we are acting as a Controller. Where you input personal data into the Services and we process it on your behalf, we are acting as a Processor. Where we are acting as your Processor, you are the Controller.
Data Exporter
Name: The individual or entity identified in the Terms and Conditions or an applicable Order as our customer.
Address: Your address as specified in the Terms and Conditions or an applicable Order.
Email: Your email address as specified in the Terms and Conditions or an applicable Order.
Key contact person’s contact details and role: As specified in the Terms and Conditions or an applicable Order.
Role: Where you provide personal data to us to sign up to our Services, we are acting as a Controller. Where you input personal data into the Services and we process it on your behalf, we are acting as your Processor and you are the Controller.
Personal Data Transferred
Special Categories of Personal Data and criminal convictions and offences
We do not actively request special categories of data or data relating to criminal convictions and offences from you; however, you may input special categories of data or details about criminal convictions and offences into the Services about your clients.
Relevant Data Subjects
Frequency of the transfer
Continuous
Nature of the transfer
As specified in the Terms and Conditions, this DPA and as instructed by you (if applicable), including without limitation:
Purpose of processing
The purposes of the transfer and processing are as specified in the Terms and Conditions and this DPA.
Duration of the Processing
The term of the Terms and Conditions and for a period of 30 days after termination or expiry of the Terms and Conditions.
Office of the Australian Information Commissioner (OAIC)
Office of the Australian Information Commissioner (OAIC)
Columns: Module; Module in operation; Clause 7 (Docking Clause); Clause 11 (Option); Clause 9a (Prior Authorisation or General Authorisation); Clause 9a (Time period); Is personal data received from the Importer combined with personal data collected by the Exporter?
Module 1: Module in operation: Yes; Clause 7 (Docking Clause): Incorporated; Clause 11 (Option): Not incorporated
Module 2: Module in operation: Yes; Clause 7 (Docking Clause): Incorporated; Clause 11 (Option): Not incorporated; Clause 9a (Prior Authorisation or General Authorisation): General authorisation; Clause 9a (Time period): 14 Days
Module 3: Module in operation: No; Clause 7 (Docking Clause): Not applicable; Clause 11 (Option): Not applicable; Clause 9a (Prior Authorisation or General Authorisation): Not applicable; Clause 9a (Time period): Not applicable
Module 4: Module in operation: No; Clause 7 (Docking Clause): Not applicable; Clause 11 (Option): Not applicable; Clause 9a (Prior Authorisation or General Authorisation): Not applicable
Clause 17 (Governing Law)
The governing law for the purposes of clause 17 shall be (i) the laws of the Republic of Ireland where the relevant transfer falls within the territorial scope of application of the EU GDPR; (ii) the laws of England & Wales where the relevant transfer falls within the territorial scope of the UK GDPR; or (iii) the laws of Australia, in all other circumstances.
Clause 18 (Choice of forum and jurisdiction)
The choice of forum and jurisdiction for the purposes of clause 18 shall be (i) the courts of the Republic of Ireland where the relevant transfer falls within the territorial scope of application of the EU GDPR; (ii) the courts of England & Wales where the relevant transfer falls within the territorial scope of the UK GDPR; or (iii) the courts of Australia, in all other circumstances.
i.
Preventing Unauthorized Product Access
Outsourced processing: We host our Service with outsourced cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors in order to provide the Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
Physical and environmental security: We host our product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
Authentication: We implement a uniform password policy for our customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
Authorization: Customer Data is stored in multi-tenant storage systems accessible to Customers only via application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed by validating the user’s permissions against the attributes associated with each data set.
Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through OAuth authorization.
ii.
Preventing Unauthorized Product Use
We implement industry standard access controls and detection capabilities for the internal networks that support our products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure.
Intrusion detection and prevention: We implement a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
Static code analysis: Security reviews of code stored in our source code repositories are performed, checking for coding best practices and identifiable software flaws.
iii.
Limitations of Privilege & Authorization Requirements
Product access: A subset of our employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated daily. Employee roles are reviewed at least once every six months.
Background checks: All Nexl employees undergo an internal background check prior to being extended an employment offer, in accordance with and as permitted by the applicable laws. All Nexl employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
In-transit: We make HTTPS encryption (HTTP over TLS, also referred to as SSL) available on every one of our login interfaces and for free on every customer site hosted on the Nexl products. Our HTTPS implementation uses industry standard algorithms and certificates.
At-rest: We store user passwords in accordance with industry standard security practices. We have implemented technologies to ensure that stored data is encrypted at rest.
Detection: We designed our infrastructure to log extensive information about system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.
Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and Customer damage or unauthorized disclosure. Notification to you will be in accordance with the terms of the Agreement.
Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.
Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
Our products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.
Columns: Sub-Processor; Purpose; Location; Privacy Information; Safeguard for Transfer
Sub-Processor: Amazon Web Services (AWS); Purpose: Data hosting; Location: Ireland; Safeguard for Transfer: EEA
Sub-Processor: DigitalOcean; Purpose: Private cloud provider; Location: Canada, Germany, Netherlands; Safeguard for Transfer: EEA, SCCs
Sub-Processor: Heroku (a Salesforce company); Purpose: Secondary infrastructure; Location: USA; Safeguard for Transfer: SCCs, Binding Corporate Rules
Sub-Processor: Intercom; Purpose: Customer support; Location: Australia, Ireland, UK, USA; Safeguard for Transfer: SCCs
Sub-Processor: Microsoft; Purpose: Email, communications, and automation; Location: Australia, USA; Safeguard for Transfer: SCCs
Sub-Processor: Rollbar; Purpose: Error logging & tracking; Location: USA; Safeguard for Transfer: SCCs
Sub-Processor: Sendgrid (a Twilio company); Purpose: Email notification provider; Location: USA; Safeguard for Transfer: SCCs
Office of the Australian Information Commissioner (OAIC)