Customer Data Processing Agreement

Effective May 2022. Version 1.0

Introduction

This Data Processing Agreement, including its annexes, (“DPA”) supplements and forms part of the Nextworld Master Service Agreement (“Agreement”). This DPA applies where and to the extent that Nextworld Processes Personal Data on behalf of Customer in the course of providing the Services pursuant to the applicable Agreement. Customer enters into this DPA on behalf of itself and, to the extent required under Data Protection Laws, in the name and on behalf of its Affiliates, if and to the extent Nextworld Processes Personal Data on behalf of such Affiliates.

1. Definitions

For purposes of this DPA, the terms below have the meanings set forth below. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.

  • “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Customer or Nextworld respectively, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
  • “CCPA” means the California Consumer Privacy Act of 2018 and any regulations promulgated thereunder, in each case, as amended from time to time.
  • “Data Protection Laws” means, with respect to a party, all privacy, data protection and information security-related laws and regulations applicable to such party’s Processing of Personal Data, including, where applicable, European Data Protection Laws, the California Consumer Privacy Act (CCPA), the Safeguards Rule under the Gramm-Leach-Bliley Act and any other national, state, provincial, or local privacy and data protection laws, rules, and regulations in effect on or after the effective date of the Agreement.
  • “Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.
  • “EEA” means the European Economic Area as well as any country for which the European Commission has published an adequacy decision.
  • “European Data Protection Laws” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as amended from time to time, (“GDPR”) and any other data protection laws of the European Union, its Member States, Switzerland, Iceland, Liechtenstein, Norway and the United Kingdom, in each case, to the extent it applies to Nextworld’s Processing of Personal Data under the Agreement.
  • “Personal Data” means any information provided to Nextworld by or on behalf of Customer for the provision of the Services that constitutes “personal data,” “personal information,” “personally identifiable information” or similar information defined in and governed by Data Protection Laws. For purposes of this DPA, Personal Data does not include personal data of representatives of Customer with whom Nextworld has business relationships independent of the Services.
  • “Security Incident” means an actual or suspected breach of Nextworld’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Nextworld’s possession, custody or control. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
  • “Services” means the services that Nextworld has agreed to provide to Customer under the Agreement.
  • “Standard Contractual Clauses” or "SCCs" means the mandatory provisions of the standard contractual clauses for the transfer of personal data to processors established in third countries in the form set out by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
  • “SCCs (Controller-to-Processor)” means the terms at https://www.nextw.com/controller-processor-standard-contractual-clauses.
  • “SCCs (Processor-to-Processor)” means the terms at https://www.nextw.com/processor-processor-standard-contractual-clauses.
  • “Subprocessor” means any third party or Nextworld Affiliate appointed by Nextworld to Process Personal Data on behalf of Customer.
  • “Usage Data” means technical logs, account and login data, and data and learnings about Customer’s use of the Services.

2. Duration and Scope of DPA

This DPA will, notwithstanding the expiration or termination of the Agreement, remain in effect until, and automatically expire once, Nextworld ceases Processing Personal Data.

Annex 1 (EU Annex) to this DPA applies solely to Personal Data or the Processing thereof subject to European Data Protection Laws. Annex 2 (California Annex) to this DPA applies solely to Personal Data or the Processing thereof subject to the CCPA.

3. Processing of Personal Data

Nextworld will Process Personal Data only in accordance with Customer’s documented instructions. By entering into this DPA, Customer instructs Nextworld to process Personal Data to provide the Services. Customer acknowledges and agrees that such instruction authorizes Nextworld to process Personal Data (a) to perform its obligations and exercise its rights under the Agreement; (b) to perform its legal obligations and to establish, exercise or defend legal claims in respect of the Agreement; (c) pursuant to any other written instructions given by Customer and acknowledged in writing by Nextworld as constituting instructions for purposes of this DPA; and (d) as reasonably necessary for the proper management and administration of Nextworld’s business.

4. Confidentiality

Nextworld shall take reasonable steps to ensure that personnel that Process Personal Data are subject to obligations of confidentiality or are under an appropriate statutory obligation of confidentiality.

5. Security

  1. Nextworld will implement and maintain technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, damage, unauthorized disclosure of, or access to Personal Data. These technical and organizational measures are described in Annex 3 of this DPA.
  2. If Nextworld becomes aware of a confirmed Security Incident, Nextworld will (a) notify Customer of the Security Incident within forty-eight (48) hours of confirmation of the Security Incident and (b) take reasonable steps to identify the cause of such Security Incident, minimize harm and prevent a recurrence. Notifications made pursuant to this Section 5.2 will describe, to the extent possible, details of the Security Incident, including steps taken to mitigate the potential risks and steps Nextworld recommends Customer take to address the Security Incident. Nextworld’s notification of or response to a Security Incident under this Section 5.2 will not be construed as an acknowledgement by Nextworld of any fault or liability with respect to the Security Incident.

6. Subprocessing

Customer specifically authorizes Nextworld to use its Affiliates as Subprocessors and generally authorizes Nextworld to engage Subprocessors to Process Personal Data. Nextworld will (a) enter into a written agreement with each Subprocessor, imposing data protection obligations substantially similar to this DPA, and (b) remain liable for compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Nextworld to breach any of its obligations under this DPA.

A list of Nextworld’s Subprocessors, including their functions and locations, is available on the Nextworld Trust Center or such other website as Nextworld may designate (“Subprocessor Page”), and may be updated by Nextworld from time to time in accordance with this DPA. Customers and Partners are encouraged to subscribe to notifications of new Subprocessors ("Subprocessor Notifications"). If Customer or Partner objects to a new Subprocessor, they must notify Nextworld at compliance@nextworld.net within 10 business days of Nextworld posting the notification. Nextworld will address the objection in accordance with the Data Processing Agreement.

When any new Subprocessor is engaged, Nextworld will, at least ten (10) calendar days before the new Subprocessor Processes any Personal Data, notify Customer of the engagement, which notice may be given by updating the Subprocessor Page. Notwithstanding the foregoing, Nextworld may engage a new Subprocessor without prior notice to Customer if Nextworld reasonably believes such engagement is necessary to protect the confidentiality, integrity or availability of the Personal Data or to avoid material disruption to the Services, provided that Nextworld will notify Customer of such engagement as soon as reasonably practicable. If, within five (5) calendar days of such notice, Customer notifies Nextworld in writing that Customer objects to Nextworld’s appointment of a new Subprocessor based on reasonable data protection concerns, the parties will discuss such concerns in good faith and whether they can be resolved.

7. Data Subject Rights

Taking into account the nature of the Processing, Nextworld shall provide such assistance as Customer reasonably requests, insofar as this is possible, to help Customer comply with its obligations under Data Protection Laws to effectively respond to requests from individuals to exercise their rights under Data Protection Laws relating to Personal Data.

Nextworld shall promptly notify Customer if it receives a request from a Data Subject under any Data Protection Laws in respect of Personal Data. As between Nextworld and Customer, Customer shall be responsible for responding to any such request.

8. Customer Responsibilities

Customer agrees that, without limitation of Nextworld’s obligations under Section 5 of this DPA (Security), Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that Nextworld uses to provide the Services; and (d) backing up Personal Data. Customer is solely responsible for evaluating for itself whether the Services and Nextworld’s commitments under this DPA will meet Customer’s needs, including with respect to any security obligations of Customer under Data Protection Laws or other laws.

Customer represents and warrants to Nextworld that (a) Customer has established or ensured that another party has established a legal basis for Nextworld’s Processing of Personal Data contemplated by this DPA; (b) all notices have been given to, and consents and rights have been obtained from, the relevant Data Subjects and any other party as may be required by Data Protection Laws and any other laws for such Processing; and (c) Personal Data does not and will not contain any protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA), any biometric information, any special categories of personal data (as defined under GDPR), or any payment card information subject to the Payment Card Industry Data Security Standard (other than any Customer payment card information used to pay for the Services).

9. Deletion or Return of Personal Data

Subject to this Section 9, Nextworld shall promptly upon Customer’s request or in any event as soon as practicable after the effective date of termination or expiration of the Agreement delete all Personal Data from Nextworld’s systems. Nextworld may retain Personal Data to the extent required by applicable law, which data will remain subject to the requirements of this DPA.

10. General Terms

Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either: (1) amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible; or, if this is not possible, (2) construed in a manner as if the invalid or unenforceable part had never been contained therein. Except as expressly modified by this DPA, the terms of the Agreement remain in full force and effect. To the extent of any conflict or inconsistency between this DPA and the other terms of the Agreement, this DPA will govern. Any liabilities arising in respect of this DPA are subject to the limitations of liability under the Agreement.

Annex 1—EU Annex

1. Definitions; Processing of Personal Data

Definitions. As used in this Annex 1, the terms “controller,” “processor,” and “supervisory authority” shall have the meanings given in the GDPR and “Personal Data” shall mean any Personal Data (as defined in the DPA) that constitutes “personal data” under the GDPR.

Roles and Regulatory Compliance of the Parties; Authorization. The parties acknowledge and agree that with regard to the Processing of Personal Data under the Agreement: (a) Customer is a controller and Nextworld is a processor of that Personal Data under European Data Protection Laws; or (b) Customer is a processor of that Personal Data under European Data Protection Laws, in which case Customer appoints Nextworld as Customer’s sub-processor, which shall not change the obligations of either Customer or Nextworld under this DPA, as Nextworld will remain a processor with respect to the Customer in such event. Each party will comply with the obligations applicable to it in such role under the European Data Protection Laws with respect to the Processing of that Personal Data. To the extent that Usage Data contains information that constitutes “personal data” under the GDPR, Nextworld is the controller with respect to such data and will process Usage Data in accordance with its Privacy Policy.

Nextworld’s Compliance with Instructions. Nextworld will only Process Personal Data in accordance with Customer’s instructions described in Section 3 of the DPA (Processing of Personal Data) unless Processing is required by European Data Protection Laws, in which case Nextworld shall to the extent permitted by European Data Protection Laws inform Customer in writing of that legal requirement before Processing Personal Data.

Subject Matter and Details of Processing. The parties acknowledge and agree that: (a) the subject matter of the Processing under the Agreement is Nextworld’s provision of the Services; (b) the duration of the Processing is from Nextworld’s receipt of Personal Data until deletion of all Personal Data by Nextworld in accordance with the Agreement and the DPA; (c) the nature and purpose of the Processing is to provide the Services as described in the Agreement; (d) the Data Subjects to whom the Processing pertains are Customer’s personnel, clients, suppliers, vendors, business partners, and other third parties; and (e) the categories of Personal Data are as is contemplated or related to the Processing described in the Agreement.

2. Security

Nextworld will (taking into account the nature of the processing of Personal Data and the information available to Nextworld) provide Customer with reasonable assistance necessary for Customer to comply with its obligations in respect of Personal Data under European Data Protection Laws, including Articles 32 to 34 (inclusive) of the GDPR, by: (a) implementing and maintaining appropriate technical and organizational measures to ensure a level of security appropriate to the risk; (b) complying with the terms of Section 5 of the DPA (Security); and (c) complying with this Annex 1.

3. Data Protection Impact Assessment and Prior Consultation

Nextworld will (taking into account the nature of the processing and the information available to Nextworld) reasonably assist Customer in complying with its obligations under Articles 35 and 36 of the GDPR, by: (a) making available documentation describing relevant aspects of Nextworld’s information security program and the security measures applied in connection therewith; and (b) providing the other information contained in the Agreement including this DPA.

4. International Data Transfer

Data Processing Locations. Subject to Section 4.b of this Annex 1 (Transfers From the EEA or UK), Customer authorizes Nextworld and its Subprocessors to transfer Personal Data to the United States or anywhere Nextworld or its Subprocessors operate. Additionally, for purposes of providing Services including technical support, updates, upgrades and fixes, Customer Data may be accessed from any location where Nextworld and its Affiliates are located.

Transfers From the EEA or UK. If Personal Data is to be transferred out of the EEA or the United Kingdom to provide Services from a country not deemed by the European Commission to have adequate data protection, the transfer will be governed by the SCCs (Controller-to-Processor) and/or SCCs (Processor-to-Processor), and the IDTA for transfers from the UK to the US. The IDTA terms are incorporated in the SCCs.

5. Relevant Records and Audit Rights

Upon Customer’s request, Nextworld shall promptly make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. In addition to any audit rights granted pursuant to the Agreement, Nextworld shall allow for and contribute to audits, including inspections, by Customer or an auditor mandated by Customer (“Mandated Auditor”) of any premises where the Processing of Personal Data takes place in order to assess compliance with this DPA, and shall provide reasonable access to the Mandated Auditor to inspect, audit, and copy any relevant records, processes, and systems documents in order that Customer may satisfy itself that the provisions of this DPA are being complied with.

To request an audit, Customer must submit a detailed proposed audit plan to Nextworld at least two weeks in advance of the proposed audit date and any Mandated Auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof.

If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request and Nextworld has confirmed there are no known material changes in the controls audited, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures. Any information provided by Nextworld under this Section 5 constitutes Nextworld’s confidential information under the Agreement.

The audit must be conducted during regular business hours, subject to the agreed final audit plan and Nextworld’s safety, security or other relevant policies, and may not unreasonably interfere with Nextworld business activities.

Customer will promptly notify Nextworld of any non-compliance discovered during the course of an audit and provide Nextworld any audit reports generated in connection with any audit under this Section 5, unless prohibited by Data Protection Laws or otherwise instructed by a supervisory authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA.

Any audits are at Customer’s expense. Customer shall reimburse Nextworld for any time expended by Nextworld or its Subprocessors in connection with any audits or inspections under this Section 5, at Nextworld’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any Mandated Auditor to execute any such audit. Nothing in this DPA shall be construed to require Nextworld to furnish more information about its Subprocessors in connection with such audits than such Subprocessors make generally available to their customers.

Annex 2—California Annex

Definitions; Processing of Personal Data

Definitions. As used in this Annex 2, the terms “business,” “service provider,” and “sell” shall have the meanings given in the CCPA and “Personal Data” shall mean any Personal Data (as defined in the DPA) that constitutes “personal information” under the CCPA.

Roles and Regulatory Compliance of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data under the Agreement Nextworld is a service provider. To the extent that Usage Data contains information that constitutes “personal information” under the CCPA, Nextworld is the business with respect to such data and will process Usage Data in accordance with its Privacy Policy.

Processing by Service Provider. Nextworld will not (a) retain, use, or disclose any Personal Data for any purpose other than for the specific purpose of providing the Services, or as otherwise permitted by CCPA, including retaining, using, or disclosing the Personal Data for a commercial purpose other than providing the Services; (b) sell any Personal Data; or (c) retain, use or disclose the Personal Data outside of the direct business relationship between Nextworld and Customer. Nextworld hereby certifies that it understands its obligations under this Section 2 and will comply with them. The parties acknowledge and agree that the Processing of Personal Data authorized by Customer’s instructions described in Section 3 of the DPA (Processing of Personal Data) is integral to and encompassed by Nextworld’s provision of the Services and the direct business relationship between the parties.

No Consideration. The parties acknowledge and agree that Nextworld’s access to Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.

Annex 3—Data Protection and Security Measures

As of the Agreement Effective Date, Nextworld will implement and maintain these data protection and security measures.

1. Asset Management

1.1. Nextworld maintains asset management policies and procedures to maintain accurate inventory and establishes ownership of assets.

1.2. Nextworld maintains an acceptable use policy for all information and physical assets that must be acknowledged by personnel.

2. Business Continuity and Disaster Recovery

2.1. Nextworld maintains business continuity plans and system resiliency policies to enable adequate response to and recovery from business interruptions impacting services provided to the Customer.

2.2. Nextworld tests the business continuity and disaster recovery plan at least annually.

2.3. Nextworld replicates data across multiple locations to assist in recovery operations.

3. Data Protection

3.1. Nextworld maintains policies and procedures for the classification, protection, and handling of data in accordance with applicable laws, regulations, standards and risk level. These policies are reviewed at least annually.

3.2. Nextworld has implemented practices that encrypt Customer Data in transit and at rest when stored in Nextworld systems.

3.3. Nextworld limits access to infrastructure that stores and processes Customer Data to personnel with job duties that require access. Customers control and grant access to their tenant.

3.4. Nextworld maintains measures to segregate Customer Data from other data.

3.5. Nextworld personnel have been trained on data protection policies and procedures.

3.6. Nextworld maintains policies and procedures to permanently delete, destroy, and render unrecoverable all Customer Data upon termination of the Agreement. Nextworld ensures third-party infrastructure and data center provider adheres to NIST 800-88.

4. Identity and Access Management

4.1. Nextworld maintains identity and access management policies and procedures that implement the principle of least privilege. These policies are reviewed at least annually.

4.2. Nextworld maintains authentication and authorization procedures that ensure unique user IDs, complex passwords, and multi-factor authentication. Personnel are assigned roles in systems that process Customer Data using defined roles based on authorized personnel’s job responsibilities and on a need-to-know basis.

4.3. Nextworld maintains a policy for personnel to maintain exclusive control of their user ID and password. User IDs and passwords must not be shared with other personnel or stored in a clear text format in a location where unauthorized persons might discover user IDs and passwords.

4.4. Nextworld requires personnel to immediately change any passwords that provide access to Nextworld systems if the credentials are suspected or known to have been compromised by disclosure to unauthorized persons.

4.5. Nextworld conducts quarterly reviews of personnel access to systems that store and process Customer Data.

4.6. Nextworld maintains procedures to terminate personnel access to systems within one (1) business day of termination of employment.

5. Incident Response

5.1. Nextworld maintains incident response policies and plans to detect and respond to suspected or confirmed breach of security.

5.2. Nextworld maintains procedures for notifying Customer of a confirmed breach of Customer Data within 48 hours. Customers will be informed of, to the extent possible, the details of the incident, the steps taken to mitigate the risks and the steps Nextworld recommends the Customer take to address the incident.

5.3. Nextworld conducts exercises of the incident response plan at least once a year.

6. Personnel Management

6.1. Nextworld maintains policies and procedures for ensuring the integrity and reliability of personnel hired who have access to Customer Data. Nextworld’s hiring process includes pre-employment criminal background checks on personnel.

6.2. Nextworld personnel are required to complete security training upon hire and annually thereafter.

6.3. Nextworld personnel are required to sign a Confidentiality Agreement to protect Customer Data upon hire.

7. Security Operations

7.1. Nextworld maintains information security policies and procedures to implement security measures that comply with appropriate legislation and industry best practices.

7.2. Nextworld has implemented firewalls to monitor and restrict inbound and outbound traffic.

7.3. Nextworld maintains policies and procedures to identify and remediate vulnerabilities in systems that store and process Customer Data.

7.4. Nextworld contracts a third party to conduct an annual penetration test of Nextworld systems that store and process Customer Data.

7.5. Nextworld has implemented procedures and tools to continuously scan systems for vulnerabilities and remediate findings based on the risk they pose to Customer Data. Nextworld follows industry standards (such as CVSS, OWASP, SANS, etc.) to prioritize vulnerabilities based on risk criticality.

7.6. Nextworld maintains procedures to provide, maintain, and support the Licensed Products with updates, upgrades, and fixes so that the Licensed Products remain secure and deliver the agreed upon functionality.

8. Third-Party Management

8.1. Nextworld maintains policies and procedures to evaluate third parties with access to Customer Data. Nextworld assesses the security and data protection practices of these third parties to ensure they provide a level of security and protection appropriate to their access to Customer Data and scope of services they provide.

8.2. Nextworld requires confidentiality or non-disclosure agreements to be in place with third parties with access to Customer Data.