Data Processing Agreement

 

Effective Date: 15.10.2024

This Data Processing Agreement (“DPA”) is entered into as part of and made pursuant to, the Narify Terms of Service or other agreement executed between Narify and Customer regarding Narify’s provision of the Narify Platform and related Services (the “Agreement”). This DPA applies to Narify’s Processing of Personal Data under the Agreement.

Customer enters into this DPA on behalf of the company represented by the signatory party (deemed to be empowered), including on behalf of any Affiliates to the extent such Affiliates are included in the scope of the Agreement.

This DPA shall become legally binding upon Customer’s electronic signature of the Agreement.

1 PURPOSE

1.1 Customer and Narify have agreed that Narify shall provide access to the Narify Platform and related Services for Customer within the scope agreed in the Agreement.

1.2 The agreed Services include processing of personal data by Narify on behalf of Customer.

1.3 The purpose of this DPA is to set out the terms and conditions governing such processing, first and foremost to ensure compliance with the requirements set by the GDPR as defined herein, and any other applicable data protection legislation.

1.4 In the event of any discrepancy between this DPA document, the main body of the Agreement, and any of the Exhibits and appendices, the terms of this document shall prevail. In the event of inconsistencies between this DPA and the Agreement, this DPA shall prevail regarding the subject matter herein.

2 TERM AND TERMINATION OF THIS DPA

2.1 This DPA shall become effective upon signing by both Parties.

2.2 This DPA shall remain in force during the validity of the Agreement and thereafter for as long as necessary to finalize the agreed processing of personal data.

2.3 Any and all processing of personal data hereunder shall be in compliance with GDPR.

3 DEFINITIONS

3.1 The definitions set out in the Agreement are applicable to this DPA, unless otherwise clearly stated herein.

3.2 The terms “personal data”, “personal information,” “data subject”, “personal data breach”, “processing”, “Controller”, “Processor” and “supervisory authority” as used in this DPA have the meanings given in GDPR and the derived applicable Privacy and Security Laws.

3.3 The term “Controller” shall mean Customer.

3.4 The term “Processor” shall mean Narify.

3.5 “GDPR” means EU General Data Protection Regulation (679/2016) concerning the processing of personal data.

3.6 “Privacy and Security Laws” means:

3.6.1 all applicable national, international, federal, state, provincial, and local laws, rules, regulations, directives, and governmental requirements currently in effect and as they become effective relating in any way to the privacy, confidentiality, and/or security of personal data, including, but not limited to, the GDPR; and
3.6.2 all applicable industry standards or rules required to be followed by Customer concerning the privacy, confidentiality, and/or security of personal data.

3.7 “Sell” or “Selling” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, personal data to another business or a third party for monetary or other valuable consideration.

3.8 “Sub-Processors” means third parties authorized under this DPA to have logical access to and process personal data in order to provide parts of the Services. The term Sub-Processor is equated with the term Processor under applicable Privacy and Security Laws and shall be interpreted herein accordingly.

3.9 “Parties” means Narify and Customer collectively and “Party” means Narify or Customer individually.

4 PROCESSING OF PERSONAL DATA

4.1 In terms of the GDPR, Customer is the Controller, and Narify is the data Processor, of personal data processed within the scope of this DPA.

4.2 The Controller shall be responsible for its instructions to the Processor and the legality of the personal data processing in accordance with applicable data protection legislation (cf. GDPR Article 24).

4.3 In its capacity as Processor, Narify shall process personal data only to fulfil its obligations under the Agreement or as otherwise mandated by law, and in compliance with documented instructions by Customer. Such processing shall be carried out in accordance with the Agreement, this DPA, documented instructions by Customer, and applicable data protection legislation.

4.4 The subject-matter and details of the processing of personal data by Narify are described in the Agreement. The types of personal data and categories of data subjects processed in the services have been defined in the form specifying the processing operations, Annex 1.

4.5 Narify shall immediately inform Customer if instructions given by the data Controller, in the opinion of Narify, contravene the GDPR or the applicable EU or Member State data protection provisions.

5 RIGHTS OF DATA SUBJECTS

5.1 Taking into account the nature of the processing, Narify shall assist Customer by appropriate technical and organizational measures in the fulfilment of its obligations as the Controller to respond to data subject requests relating to the exercise of their rights under the GDPR. Such requests may relate to the data subjects’ rights of access, correction, deletion or objection in connection with the processing of their personal data. In this respect, Narify shall provide assistance only upon request by Customer. Any request directed to Narify by a data subject shall be referred by Narify to Customer without delay.

6 NARIFY PERSONNEL

6.1 Narify shall ensure that personnel engaged on Narify’s behalf in the processing of personal data hereunder are informed of the confidential nature of the personal data, have received appropriate training on their responsibilities and have executed written confidentiality agreements with respect to such personal data, and only process such personal data on instructions from Customer and Narify, unless required to do so by applicable mandatory Privacy and Security Laws. Narify shall ensure that such confidentiality obligations survive the termination of such personnel’s engagement with Narify.

6.2 Narify shall ensure that Narify’s access to personal data is limited to those personnel performing Services in accordance with the Agreement.

7 SUB-PROCESSORS

7.1 Narify is provided with general authorization by Customer for the engagement of sub-Processors, in compliance with GDPR Clause 28. Narify shall inform Customer in writing of any intended changes concerning the addition or replacement of sub-Processors at least 2 weeks in advance, thereby giving the Customer the opportunity to object to such changes prior to the engagement of the concerned sub-Processor(s). Such notification shall include information about the replaced and new sub-Processor’s processing activities, name and place of business. The list of sub-Processors authorized by Customer is set out in Annex 3.

7.2 Narify shall ensure that sub-Processors are bound by a written agreement which requires them to provide at least the level of data protection required from Narify under the DPA. Narify will evaluate the security, privacy and confidentiality practices of a sub-Processor prior to selection. Sub-Processors may have security certifications that evidence their use of appropriate security measures. If not, Narify will regularly evaluate each sub-Processor’s security practices as they relate to data handling.

7.3 Where a sub-Processor fails to fulfill its data protection obligation, Narify shall remain fully liable to Customer for the performance of that sub-Processor’s obligations. This does not affect the rights of the data subjects under the GDPR – in particular those foreseen in GDPR Articles 79 and 82 – against the data Controller and the data Processor, including the sub-Processor.

7.4 In case Customer objects to the use of a specific sub-Processor, the Parties shall enter into good faith negotiations on how to resolve the issue. In case the negotiations do not solve the issue, and Customer or a Controller opposes Narify’s use of a specific sub-Processor, Customer shall be entitled to terminate the relevant Agreements in whole or in part with immediate effect or upon reasonable notice defined by Customer.

7.5 Emergency Replacement. Narify may change a sub-Processor where the reason for the change is outside of Narify’s reasonable control. In this case, Narify will inform Customer of the replacement sub-Processor as soon as possible. Customer and customer retain their right to object to a replacement sub-Processor.

8 PROCESSING TAKING PLACE OUTSIDE EU/EEA

8.1 Narify may not transfer or process personal data outside the EU/EEA, without the prior written authorization of Customer.

8.2 In case such transfers or processing take place, (i) where the recipient is located in the EU/EEA, Narify ensures that a similar legal safeguard approved by the GDPR, will apply to such transfer or processing, or (ii) where the recipient is located outside the EU/EEA, Narify and Customer shall enter into the Processor-Processor module as required thereby.

9 SECURITY

9.1 Narify shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, cf GDPR Article 32. This shall include at least measures to:

9.1.1 implement and maintain technical and organizational measures for safeguarding the confidentiality, integrity, availability and resilience of systems and services processing personal data;
9.1.2 restore the availability and access to personal data in a timely manner in the event of an incident;
9.1.3 regularly test, assess and evaluate the effectiveness of technical and organizational measures for ensuring the security of the processing; and
9.1.4 pseudonymize and/or encrypt personal data (if and to the extent agreed).

9.2 Further information about the technical and organizational security measures implemented by Narify is set out in Annex 2.

9.3 Third-Party Certifications and Audits.
Narify shall make available to Customer all information necessary to demonstrate compliance with this DPA and shall allow for audits by Customer or a third-party auditor mandated by Customer. Narify shall be given at least fourteen (14) days’ notice before an audit or inspection. Any audit or inspection shall be carried out in a time and cost-efficient manner, without unnecessary disturbance to Narify’s daily operations, in a way that respects Narify’s confidentiality obligations towards other customers and/or third parties.

9.4 Narify may also provide Customer with an audit report by a third-party auditor.

10 PERSONAL DATA BREACH AND COOPERATION WITH THE SUPERVISORY AUTHORITY

10.1 Narify shall notify Customer without delay and in any case within 72 hours after becoming aware of a personal data breach relating to personal data. Such notification shall at least:

10.1.1 Provide the name and contact details where more information can be obtained; and
10.1.2 Describe the measures taken or proposed to be taken to address the personal data breach including, where appropriate, measures to mitigate its possible adverse effects.

10.2 On request by a competent data protection supervisory authority, Narify shall cooperate with the supervisory authority in the performance of its tasks, and shall comply with decisions by the supervisory authority on security measures required to comply with the Privacy and Security Laws. On request by Customer, Narify shall assist Customer in the fulfilment of the Customer’s obligations to carry out a data protection impact assessment, including when required in the Customer’s prior consultation with the supervisory authority.

11 DELETION OR RETURNING OF CUSTOMER DATA

11.1 Upon termination or expiry of the Agreement or upon cessation of Narify’s processing of personal data for Customer, Narify shall, in accordance with Customer’s instructions, either return or destroy all data that includes personal data processed for Customer.

12 DAMAGES

12.1 Within the framework of the Agreement, Narify shall compensate Customer for direct damages incurred by Customer, including third party claims by a data subject or a supervisory authority against Customer, as a result of fault or negligence by Narify, or by a sub-Processor of Narify, in the processing of personal data in breach of the Agreement, including this DPA, or Privacy and Security Laws.

13 APPLICABLE LAW AND DISPUTE RESOLUTION

13.1 The DPA is interpreted, construed and governed in accordance with the applicable law set out in the relevant Agreement.

13.2 Any disputes concerning the interpretation or application of the DPA shall be settled in accordance with the provisions on dispute resolution included in the relevant Agreement.

Annex 1: Processing specification form
Annex 2: Technical and organizational security measures
Annex 3: Subprocessors
Annex 4: Instructions pertaining to the use of personal data

Annex 1: Processing specification form

 

1.1 The purpose of the data Processor’s processing of personal data on behalf of the data Controller is:

For Narify to provide the Narify Platform and related Services as set out in the Agreement

1.2. The data Processor’s processing of personal data on behalf of the data Controller shall mainly pertain to (the nature of the processing):

For Narify to facilitate that the Customer, including to facilitate that the Users are enabled with the necessary access, including by provision of access to the Narify Platform and related Services.

1.3. The processing includes the following types of personal data about data subjects:

Customer may submit personal data to Narify in order to benefit from the Services, the extent of which is determined and controlled by Customer’s sole discretion, and which may include, but is not limited to the following categories of personal data:

  • Personal information, such as name, title, business address, mobile numbers and email address
  • IT management details, such as details of equipment in use in relation to the Services, including technical identifiers, username, location, contact details, communication data and relevant metadata
  • Security details such as security log information
  • Connection data
  • Localization data 

1.4 Categories of Data Subjects
Customer may provide personal data to Narify in order to benefit from the Services, the extent of which is determined and controlled by Customer at its sole discretion, and which may include, but is not limited to, personal data relating to the following categories of data subjects:

  • Prospects, customers, business partners and vendors of Customer (who are natural persons)
  • Employees or contact persons of Customer’s prospects, customers, business partners and vendors
  • Employees, agents, advisors, freelancers of Customer (who are natural persons)
  • Customer’s Users authorized by Client to use the Services.

Annex 2: Technical and organizational security measures

 

Narify has implemented the following security measures to ensure compliance with GDPR, including:

  • Encryption of sensitive data
  • Secure authentication with WorkOS with MFA on request
  • Secure backup

Annex 3: Subprocessors

 

On commencement of the Agreement, the Customer authorizes the engagement of the following sub-Processors of Narify:

Subprocessors

On the commencement of the Agreement, the Customer has authorized the use of the abovementioned sub-Processors for the processing described for that party. Narify shall not be entitled – without the data Controller’s explicit written authorization – to engage a sub-Processor for a ‘different’ processing than the one which has been agreed upon.

Any amendments to the above list of sub-Processors will be announced at the Narify Platform in due time in advance of such amendments entering into force, accompanied with a notification to the Customer. The Customer’s continued use of the Narify Platform and related Services thereafter will be deemed as Customer’s consent to said amendments.

Annex 4: Instructions pertaining to the use of personal data

 

4.1. The subject of/instruction for the processing

The data Processor’s processing of personal data on behalf of the data Controller shall be carried out by the data Processor performing the following: Provision of the Narify Platform and related Services as further specified in the Agreement.

4.2. Security of processing

The data Processor shall hereafter be entitled and under obligation to make decisions about the technical and organizational security measures that are to be applied to create the necessary (and agreed) level of data security.

The data Processor shall however – in any event and at a minimum – implement the measures to meet the requirements for processing as set out by GDPR.

4.3. Assistance to the data Controller

The data Processor shall insofar as this is possible assist the data Controller in implementing the technical and organizational measures as requested by Customer from time to time.

4.4. Storage period/erasure procedures

Personal data is stored for the duration of the Agreement, or the deletion of specific Users, after which the personal data is automatically erased by the data Processor.

Upon termination of the provision of personal data processing services, the data Processor shall either delete or return the personal data in accordance with appropriate instructions by Customer.

4.5. Processing location

Processing of the personal data under the Clauses cannot be performed at other locations than the locations as set out in Annex 3 of this DPA without the data Controller’s prior written consent.

4.6. Instruction on the transfer of personal data to third countries

Ref clause 4.5 above