Data Processing Agreement
This data processing agreement (“DPA”) forms an integral part of the master services agreement (the “Agreement”) between Nolea Technology, Ltd. (“Nolea”) and the Customer. Nolea and the Customer shall hereafter be collectively known as the “Parties” and each individually known as a “Party”. This DPA supersedes and replaces any existing data processing terms in place between the Parties relating to the processing of personal data. To the extent that any of the terms or conditions contained in this DPA may contradict or conflict with any of the terms or conditions of the Agreement, it is expressly understood and agreed that the terms of this DPA shall take precedence.
This DPA comprises two parts:
Part 1 applies when Nolea acts as a Data Processor
Part 2 applies when Nolea acts as a Data Controller
Nolea may amend this DPA if the change is required to comply with applicable data protection law, a court order or guidance issued by a governmental regulator or agency, provided that such change does not: (i) unlawfully expand the scope of, or remove any restrictions on, either Party’s rights to use or otherwise process personal data; or (ii) have a material adverse impact on Customer, as reasonably determined by Nolea. If Nolea intends to change this DPA in terms of this section, and such change will have a material adverse impact on Customer, as reasonably determined by Nolea, then Nolea will use commercially reasonable efforts to inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect. If Customer does not acknowledge such notification or return a signed copy to signify its acceptance of the DPA within 30 days of receiving the notice, Nolea will continue its relationship with Customer on the basis that the DPA is incorporated into its Agreement with Customer.
Any claims brought under this DPA will be subject to the terms and conditions of the Agreement, including the exclusions and limitations set forth in the Agreement.
This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and interpreted in accordance with the law selected in the choice of laws clause in the Agreement, or if no law is selected, the laws of England and Wales, and the Parties irrevocably agree that the courts of England and Wales shall have sole exclusive jurisdiction and venue to settle any such dispute or claim, save that the provisions of the C-P SCCs and C-C SCCs (each as defined below) (together the “SCCs”), as applicable, shall be governed by and interpreted in accordance with the laws of England and Wales and the Parties irrevocably agree that the courts of that jurisdiction shall have exclusive jurisdiction to settle any dispute or claim arising from or in relation to the SCCs.
Part 1
Definitions. Capitalised terms used in this Part 1 of this DPA but not defined in this DPA or in the Agreement have the meaning ascribed to them in Regulation (EU) 2016/679 General Data Protection Regulation (“GDPR”), the UK GDPR (as defined below) and in the California Consumer Privacy Act (CCPA, Cal. Civ. Code §1798.100 et seq and 11 CCR §999.300) (“CCPA”) (as applicable). In addition, the following capitalised terms have the following meanings:
“C-P SCCs” means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 2 (Controller to Processor); and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as amended, updated or replaced from time to time; and
“Third Country” means (i) in relation to Personal Data transfers subject to the GDPR, any country outside of the scope of the data protection laws of the European Economic Area, excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time; and (ii) in relation to Personal Data transfers subject to the UK GDPR, any country outside of the scope of the data protection laws of the UK, excluding countries approved as providing adequate protection for Personal Data by the relevant competent authority of the UK from time to time.
For clarity, any reference made to clauses within this DPA is a specific reference to the clauses set out in the aforementioned EU Commission Standard Contractual Clauses or UK GDPR International Data Transfer Addendum.
Scope. Sections 3 to 6 of this Part 1 apply only if and to the extent that Nolea acts as a Data Processor to Process Personal Data that Nolea receives from the Customer, where the Customer is a Data Controller subject to: (a) GDPR; and/or (b) the GDPR as it forms part of the laws of the United Kingdom (“UK”) as retained EU law (as defined in the European Union (Withdrawal) Act 2018), the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and any further UK laws addressing data transfers from the UK (collectively, “UK GDPR”) with respect to the Personal Data that Nolea Processes. Section 7 of this Part 1 applies only if and to the extent that Nolea acts as a “service provider” to Process Personal Information that Nolea receives from the Customer, where the Customer is a Business subject to the CCPA.
C-P SCCs. To the extent that Nolea Processes Personal Data in a Third Country as a Data Processor and is acting as data importer, Nolea will comply with the data importer’s obligations set out in the C-P SCCs, which are hereby incorporated into and form part of this DPA; the Customer will comply with the data exporter’s obligations in such C-P SCCs, and:
if applicable, for the purposes of Part 1 of such C-P SCCs, the relevant Addendum EU SCCs (as such term is defined in the applicable C-P SCCs) are the standard contractual clauses for the transfer of Personal Data to Third Countries set out in Commission Decision 2021/914 of 4 June 2021 (Module 2) as incorporated into this DPA by virtue of this paragraph 3;
if applicable, for the purposes of (i) Clause 9(a) of the C-P SCCs, option 2 (General Written Authorisation) is deemed to be selected and the notice period shall be 10 days; (ii) Clause 11(a) of such C-P SCCs, the optional wording in relation to independent dispute resolution is deemed to be omitted; (iii) Clause 13 and Annex I.C., the competent Supervisory Authority is as set out in paragraph 3.5.5 below;
if applicable, for the purposes of (i) Clause 17, Option 1 is deemed selected and the governing law shall be the law of the EU member state in which the Customer is established, or, if the Customer is not established in any EU member state, then the law of the Republic of Ireland; and (ii) Clause 18 of the C-P SCCs, the competent court shall be the courts of the EU member state’s town in which the Customer is established, or, if the Customer is not established in any EU member state, then the courts of Dublin, Ireland;
if applicable, for the purposes of Part 1 of the C-P SCCs, Nolea as the data importer may terminate the C-P SCCs pursuant to Section 19 of such C-P SCCs;
for the purposes of Annex I or Part 1 (as relevant) of such C-P SCCs the signature(s) (in any form) given in connection with the execution of this DPA by a party and the dates of such signature(s) shall apply as the dated signature required from the party, and:
Start Date: the date of this DPA.
Data Exporter: Customer.
Activities relevant to the data transferred under the C-P SCCs: an organisation using Nolea’s services which involves Nolea Processing Personal Data received from the Customer.
Role: Controller.
Data Importer: Nolea.
Activities relevant to the data transferred under the C-P SCCs: Developer, operator and provider of the Nolea services which involve Nolea Processing Personal Data received from the Customer.
Role: Processor.
Description of Transfer:
Categories of Data Subjects whose Personal Data is transferred: healthcare professionals requested by the Customer (“Contacts”).
Categories of Personal Data transferred: Healthcare contact information (e.g. Name, email, phone number, job title and job affiliation).
Sensitive data transferred: None.
The frequency of the transfer: on a continuous basis.
Nature of the Processing: recording, storage, consultation, use, disclosure by transmission and erasure.
Purpose(s) of the data transfer and further Processing: the provision of Nolea’s services.
The period for which the Personal Data will be retained: the period of the Agreement. Nolea shall be entitled to maintain Personal Data following the termination of the main agreement for statistical and/or financial purposes provided that Nolea maintains such Personal Data on an aggregated basis or otherwise after having removed all personally identifiable attributes from such Personal Data.
Transfers to (sub-) processors: As above.
Competent Supervisory Authority: the data protection authority in the EU member state in which the Customer is established, or the Customer’s lead Supervisory Authority for GDPR purposes. If the Customer is not established in any EU member state, then the Supervisory Authority of the EU member state in which the Customer’s EU representative pursuant to Article 27 of the GDPR is located;
for the purposes of Annex II or Part 1 (as relevant) of such C-P SCCs, the technical and organisational security measures set out in Schedule 1 (Technical and Organisational Security Measures) to this DPA will apply;
for the purposes of Annex III of such C-P SCCs, the list of authorised sub-processors is set out here; and
if Nolea’s assistance to the Customer under Clause 10 of the C-P SCCs entails material costs, expenses or resources to Nolea, then the Parties shall first discuss and agree on the fees payable to Nolea for such assistance.
Audits. Not more than once per annum, Nolea shall allow for and contribute to audits conducted under Clause 8.9 of the C-P SCCs, including carrying out inspections on Nolea’s business premises conducted by Customer or another auditor mandated by Customer during normal business hours and subject to a prior notice to Nolea of at least 30 days as well as appropriate confidentiality undertakings by Customer covering such inspections in order to establish Nolea’s compliance with this Part 1 and the provisions of the GDPR as regards the Personal Data that Nolea Processes as a Data Processor on behalf of Customer. If such audits entail material costs or expenses to Nolea, the Parties shall first come to agreement on Customer reimbursing Nolea for such costs and expenses.
Legal basis. The Customer may only use the Nolea Service to Process Personal Data pursuant to a recognised and applicable lawful basis under the GDPR or UK GDPR. The Customer shall provide Nolea only with instructions that are lawful under the GDPR or UK GDPR and would not cause Nolea to breach the GDPR or UK GDPR. Nolea shall Process Personal Data only on documented instructions from Customer. Customer may give such instructions throughout the Term of the Agreement. Nolea shall immediately inform Customer if it is unable to follow those instructions.
Security Measures. In this Section, “Security Measures” mean commercially reasonable security-related policies, standards, and practices commensurate with the size and complexity of Nolea’s business, the level of sensitivity of the data collected, handled and stored, and the nature of Nolea’s business activities.
Nolea represents, warrants, and agrees to use Security Measures (i) to protect the availability, confidentiality, and integrity of any Personal Data collected, accessed, or Processed by Nolea in connection with this Part 1, and (ii) to protect such data from Personal Data Breach incidents, as more fully described in Schedule 1 (Technical and Organisational Security Measures).
The Security Measures are subject to technical progress and development and Nolea may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the services procured by the Customer.
Nolea shall take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who has access to, and Processes, Personal Data. Nolea shall ensure that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Data Breach Notice.
In the event of a personal data breach, the Processor shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the Controller of the personal data breach. The notification shall include, at least:
a description of the nature of the personal data breach including, where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of personal data records concerned;
the name and contact details of the Data Protection Officer or other contact point where more information can be obtained;
a description of the likely consequences of the personal data breach; and
a description of the measures taken or proposed to be taken by the Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The Processor shall also provide all reasonable cooperation, assistance, and information to Customer to enable it to conduct an assessment of the impact of any current or envisaged Processing operations on the protection of the Personal Data and the rights of Data Subjects (in accordance with Art. 28(3)(e) of the GDPR).
The Processor shall also assist the Controller in the documentation of any personal data breaches, including for the purposes of demonstrating compliance with the GDPR.
CCPA.
In its capacity as a Service Provider, Nolea is prohibited from retaining, using or disclosing Customer’s Personal Information: (a) For any purpose other than those as set out in the Agreement and specifically to search the Nolea database for information about a Contact (as defined above) at the Customer’s request, or as otherwise permitted under 11 CCR §999.314(c); (b) by way of Selling or sharing Customer’s Personal Information; and (c) by way of retaining, using or disclosing the Customer’s Personal Information outside of the direct business relationship between the Parties, except as permitted under 11 CCR §999.314(c). Nolea certifies that it understands the restriction specified in the preceding subsection and will comply with it.
In its capacity as a Service Provider (as provided by the CPRA) Nolea shall: (a) grant Customer the right to take reasonable and appropriate steps to help ensure that Nolea uses Personal Data in a manner consistent with Customer’s obligations under the CCPA (as amended); (b) notify Customer if Nolea determines that it can no longer meet its obligations under the CPRA; and (c) grant Customer the right, upon reasonable notice, to take reasonable and appropriate steps to stop and remediate any unauthorised use of Personal Data. To the extent required by the CPRA, Nolea shall inform the Customer of any consumer requests made pursuant to the CPRA that it must comply with and shall provide all information necessary for Nolea to comply with such request.
Nolea is prohibited from combining Personal Data provided by the Customer with personal data that it received from another person or entity or collects from its own interaction with the Data Subject. Nolea may combine such data only if: (i) Nolea combines personal data to perform any business purpose defined by the Attorney General in its regulations adopted pursuant to paragraph (10) of subdivision (a) of Cal. Civ. Code § 1798.185, excepting the combining of Personal Data of opted-out individuals that Nolea received from the Customer; or (ii) the Customer or its employee (end user) has opted in to sharing data in accordance with Nolea’s Community Program terms, Nolea’s Community Terms of Use and Nolea’s Code of Conduct.
FADP. The SCCs will apply to Personal Data transfers subject to the Swiss Federal Act on Data Protection (“FADP”), provided that the following modifications will apply:
references to GDPR shall be interpreted as references to FADP and the equivalent articles thereof;
references to EU, Union, Member State, EU law and Member State Law shall be interpreted as references to Switzerland and Swiss law;
references to competent supervisory authority and competent court shall be interpreted as references to Swiss Federal Data Protection and Information Commissioner and competent Swiss courts;
the SCCs shall be governed by the laws of Switzerland.
Part 2
Definitions.
“Nolea’s Processing” means the Processing of Personal Data that Nolea provides to the Customer to drive Customer’s sales, recruitment, marketing, business intelligence and fraud prevention initiatives by providing Customers with relevant and up-to-date business contact information to facilitate interactions between Customer and its potential customers and prospective candidates.
“C-C SCCs” means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 1 (Controller to Controller); and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as amended, updated or replaced from time to time.
Capitalised terms used in this Part 2 of this DPA but not defined in this DPA or in the Agreement have the meaning ascribed to them in the GDPR or UK GDPR (as applicable).
Scope. This Part 2 applies only if and to the extent that Nolea’s Processing renders Nolea a Data Controller subject to the territorial scope provisions of the GDPR or the UK GDPR; it is clarified that each Party is an independent Controller liable for its own Processing activities.
C-C SCCs. To the extent Nolea Processes Personal Data in a Third Country as a Data Controller and is acting as a data exporter, Nolea will comply with the data exporter’s obligations set out in the C-C SCCs, which are hereby incorporated into and form part of this DPA, and:
if applicable, for the purposes of Part 1 of such C-C SCCs, the relevant Addendum EU SCCs (as such term is defined in the applicable C-C SCCs) are the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021 (Module 1) as incorporated into this DPA by virtue of this paragraph 3;
if applicable, for the purposes of Clause 11(a) of such C-C SCCs, the optional wording in relation to independent dispute resolution is deemed to be omitted;
if applicable, for the purposes of (i) Clause 17, Clause 18 and Annex I.C. of the C-C SCCs, the governing law shall be the EU member state in which the Customer is established, or, if the Customer is not established in any EU member state, then the law of the Republic of Ireland and the competent court shall be the courts of the EU member state’s town in which the Customer is established, or, if the Customer is not established in any EU member state, then the courts of Dublin, Ireland; and the competent supervisory authority shall be as set out in paragraph 3.5.1.4.8 below;
if applicable, for the purposes of Part 1 of the C-C SCCs, neither party may terminate the C-C SCCs pursuant to Clause 16 of such C-C SCCs; and
for the purposes of Annex I.A., Annex I.B or Part 1 (as relevant) of such C-C SCCs, the signature(s) (in any form) given in connection with the execution of this DPA by a party and the dates of such signature(s) shall apply as the dated signature required from the party, and:
Start Date: the date of this DPA.
Data Importer: Customer.
Activities relevant to the data transferred under the C-C SCCs: an organisation seeking Personal Data to drive its sales, recruitment, and marketing initiatives with relevant and up-to-date healthcare contact information to facilitate interactions between it and its potential customers and prospective candidates.
Role: Controller.
Data Exporter: Nolea.
Activities relevant to the data transferred under the C-C SCCs: Developer, operator, and provider of the Nolea services which involve Nolea’s Processing.
Role: Controller.
Description of Transfer:
Categories of Data Subjects whose Personal Data is transferred: healthcare professionals requested by the Customer (“Contacts”).
Categories of Personal Data transferred: as described in https://nolea.gitbook.io/knowledgebase/legal/categories-of-personal-data-transferred .
Sensitive data transferred: None.
The frequency of the transfer: on a continuous basis upon request.
Nature of the Processing: disclosure by transmission.
Purpose(s) of the data transfer and further Processing: driving data importer’s sales, recruitment, and marketing initiatives with relevant and up-to-date healthcare contact information to facilitate interactions between it and its potential customers and prospective candidates.
The period for which the Personal Data will be retained: so long as required for Customer’s business needs.
Competent Supervisory Authority: Data Protection Commissioner of the Republic of Ireland.
For the purposes of Annex II or Part 1 (as relevant) of such C-C SCCs, the security measures are as per the data importer’s information security policy, as more fully described in Schedule 1 (Technical and Organisational Security Measures).
Schedule 1
Technical and Organisational Security Measures
Security Policies and Procedures. Nolea maintains and implements security policies and procedures designed to ensure employees and contractors Process Personal Data in accordance with the SCCs.
Intrusion Prevention. Nolea ensures that its security infrastructure is consistent with leading industry standards for virus protection, firewalls, and intrusion prevention technologies in order to prevent unauthorised access to, or compromise of, Nolea’s network, systems, servers, and applications.
Security Awareness Training. Nolea implements and maintains security awareness training regarding the handling and securing of confidential information and sensitive information such as Personal Data consistent with applicable law.
Physical Access Controls. Nolea has established limits on physical access to information systems and facilities using physical controls (e.g., coded badge access) that provide reasonable assurance that access to data centres and offices is limited to authorised individuals.
Logical Access Controls. Nolea ensures proper user authentication for all employees and contractors with access to Personal Data, including, without limitation, by assigning each employee/contractor unique access credentials for access to any system on which Personal Data Processed by Nolea in accordance with this DPA can be accessed and prohibiting employees/contractors from sharing such access credentials. Nolea restricts and tracks access to Personal Data Processed by Nolea in accordance with this DPA to only those employees/contractors whose access is necessary to perform the services. Nolea implements and maintains logging and monitoring technology to help detect and prevent unauthorised access attempts to networks and production systems. Nolea conducts periodic reviews of changes affecting systems handling authentication, authorisation, and auditing, and of privileged access to production systems. Nolea shall ensure that upon termination of any employee/contractor, the terminated employee’s/contractor’s access to any Personal Data Processed by Nolea in accordance with this DPA on Nolea’s systems will be immediately revoked.
Environmental Access Controls. Nolea implements and maintains appropriate and reasonable environmental controls for data centres, such as air temperature and humidity controls, and appropriate protections against power failures.
Disaster Recovery and Back-up Controls. Nolea maintains: (i) periodic backups of production file systems and databases according to a defined schedule; and (ii) a formal disaster recovery plan for the production data centre, and conducts regular testing of the effectiveness of such plan.
Business Continuity and Cyber Incident Response Plan. Nolea maintains business continuity and incident response plans to manage and minimise the effects of unplanned events (cyber, physical, or natural) (“Incident Response Plans”) that include procedures to be followed in the event of an actual or potential security breach or business interruption and which have a stated goal of resumption of routine services within thirty-six (36) hours of such an event. The Incident Response Plans shall require record keeping of root cause analysis and remediation efforts.
Storage and Transmission Security. Nolea secures the transmission of all Personal Data Processed by Nolea in accordance with this DPA and encrypts such data as follows: (i) In Transit: public network traffic is encrypted using TLS v1.2 or v1.3; SSL and older versions of TLS are disabled; and (ii) At Rest: databases and servers are encrypted at rest using the AES-256 algorithm. Laptop devices are encrypted at rest using the XTS-AES-256/AES-256 algorithm. Internal service keys are stored in Vault and encryption keys used for encryption at rest are stored in AWS KMS.
Internal Audits. Nolea regularly conducts internal security audits and shall contract annually for external security assessments and penetration tests of Nolea systems including, without limitation, cloud architecture, business processes and procedures, access controls and encryption measures.
Risk Identification and Assessment. Nolea implements and maintains a risk assessment program to help identify foreseeable internal and external risks to its information resources and to determine if existing controls, policies, and procedures are adequate.
Vendor and Services Providers. Prior to engaging new third-party contractors, service providers or vendors who will have access to Personal Data Processed by Nolea in accordance with this DPA (collectively, “Vendors”), Nolea shall conduct a risk assessment on Vendor’s data security practices. Nolea shall conduct periodic Vendor reviews to ensure compliance with the terms of the SCCs.
Change and Configuration Management. Nolea implements and maintains policies and procedures for managing changes to production systems, applications, and databases, including without limitation, processes for documenting testing and approval of changes into production, security patching, and authentication.
Certifications. Nolea maintains the following third-party certifications: Cyber Essentials, Cyber Essentials Plus, ISO 27001 (certification preparation in progress for audit Q1 2025), and other certifications as appropriate.
For transfers from Data Processor to sub-processors, the specific technical and organisational measures to be taken by the sub-processor to be able to assist the Data Controller are as set out above.