NOODL END USER LICENSE AGREEMENT & TERMS OF SERVICE

DATA PROCESSING ADDENDUM (v.1.1)

This Data Processing Addendum (“DPA”) is an agreement between Noodl and Customer and supplements the Noodl End User License & Terms of Service and one or more Orders (“Agreement”). Capitalized terms not otherwise defined herein will have the meanings given to them in the Agreement.


DEFINITIONS

In this DPA, the following definitions apply: 

 “Data Protection Law” means all applicable current data protection and privacy legislation to the extent binding on the parties, and as may be updated or amended from time to time, and which may include, without limitation, (i) the General Data Protection Regulation (EU 2016/679) (“EU GDPR”) and the UK GDPR, as that term is defined by section 3(10) (as supplemented by section 205(4)) of the UK Data Protection Act 2018 ("UK GDPR"); (ii) any national implementing laws (including laws implementing the EU GDPR or UK GDPR), and associated regulations and secondary legislation; and (iii) any other applicable national, provincial, federal, state, and/or local legislation, including, without limitation, the California Consumer Privacy Act (“CCPA”), and any associated regulations and secondary legislation.

 “Data Subject” will have the meaning given to it in the Data Protection Law.

 “Personal Data” means “personal data”, as that term is defined in the Data Protection Law, that is uploaded to, generated by or transmitted via the Noodl Solution under Customer’s Noodl accounts for processing as described herein.

“Standard Contractual Clauses” or "SCCs" means, as applicable, either (a) the annex found in the European Commission decision of 4 June 2021 on the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at https://eur-ex.europa.eu/eli/dec_impl/2021/914/oj, specifically Module 2 and Module 3 (as applicable), and/or other standard contractual clauses adopted by the European Commission and entered into by the parties, from time to time ("EU SCCs"); or (b) the annex found in the European Commission decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, available at https://op.europa.eu/en/publication-detail/-/publication/473b885b-31d6-4f3b-a10f-01152e62be6e/ as adapted for the UK, or such alternative contractual arrangement or clauses approved by the UK Information Commissioner’s Office and entered into by the parties, from time to time ("UK SCCs").

“Sub-processor” means any data processor other than Noodl that has been instructed by Noodl to process data on behalf of the Customer.

DATA PROTECTION

  1. Both parties will comply with all applicable requirements of the Data Protection Law. This DPA is in addition to, and does not relieve, remove, or replace, a party’s obligations under the Data Protection Law.
  2. This DPA applies to Personal Data processed by Noodl for Customer, if any. In this context, Noodl may act as “processor” to Customer, who may act either as “controller” or “processor” (as those terms are defined in Data Protection Law) with respect to Personal Data.
  3. Details of Data Processing (Annex 1 and Annex 2 to the EU SCCs and/or Appendix 1 and Appendix 2 to the UK SCCs, if and as applicable):

Data Exporter: the Customer, as the party sending Content, some of which may contain Personal Data, to Noodl for Noodl's processing in furtherance of provision of the Noodl Solution.

Data Importer: Noodl as a conduit of Content transmitted through the use of the Noodl Service, some of which may contain Personal Data.

Subject matter: the subject matter of the data processing under this DPA is the data and content as described below. 

Purpose: the provision of the Noodl Solution initiated by Customer from time to time. 

Nature of the processing: provision of Noodl Services as described in the Agreement and initiated by Customer from time to time. 

Categories of Data Subjects: the Data Subjects may include Customer's end users, visitors, guests, employees and staff, and any others whose Personal Data is captured in Content.

Description of Processing: in addition to Personal Data incidentally captured and processed as Content in the Noodl Service ("Captured Personal Data"), Noodl collects and processes the following as a necessary step in providing the Noodl Service, all or some of which may or may not be personally identifying or identifiable information:

  • IP addresses
  • authorized user login credentials
  • names
  • physical and email addresses, phone numbers
  • job role/title
  • education levels and institutes
  • social media links/accounts

Content transmitted through the use of the Noodl Service may, unbeknownst to Noodl, contain Personal Data. Such Personal Data is held only for as long as needed to transmit it (except if and to the extent the Customer, as data controller, elects to store such data).

Special Categories of Data: the parties do not anticipate or knowingly enact the transfer of special categories of data, but such data may be included in Captured Personal Data.

Duration of processing: during the term of the Customer’s subscription and for 90 days thereafter.

Processing operations: as described in this DPA, including Annex 1.

  4. Customer will ensure and warrants that it has all necessary and appropriate consents and notices, in any form required by Data Protection Law, in place to enable lawful transfer of the Personal Data to Noodl for the duration and purposes of the Agreement.
  5. Customer will ensure and warrants that where Personal Data is transferred outside the European Economic Area (“EEA”) or outside the UK, as part of Customer’s use or deployment of the Noodl Solution, adequate measures will be taken to ensure the Personal Data will be protected to an adequate level and the data subjects’ rights under the Data Protection Law will not be prejudiced by such a transfer. Subject to Noodl’s obligation in section 9.5 below with respect to Noodl sub-processors, and section 11 below with respect to the Standard Contractual Clauses if applicable, Customer acknowledges that Customer is solely responsible for ensuring that Personal Data is transferred out of the EEA or the UK in full compliance with the Data Protection Law.
  6. Customer will ensure and warrants that Customer utilizes appropriate technical and organizational measures to ensure a level of security appropriate to such risks, including, as appropriate, the measures referred to in the Data Protection Law.
  7. Customer confirms that it has assessed any security measures in place at the time of this Agreement, and that it will continue to do so on an ongoing basis to ensure its obligations under this DPA. Customer is solely responsible (as between the parties) if such measures fail to meet the standards required by Data Protection Law.
  8. Customer undertakes and confirms that any information required to be provided to a Data Subject has been so provided or an applicable exemption is available and is being relied upon by the Customer.
  9. Noodl will, in relation to any Personal Data processed in connection with the provision of the Noodl Service:
     9.1 process that Personal Data only on the written instructions of Customer and as set forth in the Agreement except to the extent Noodl is required to process data by applicable law. Where Noodl is relying on applicable law as the basis for processing Personal Data, Noodl will without undue delay notify Customer unless applicable law prohibits Noodl from so notifying Customer;
     9.2 not access or use, or disclose to any third party, any Personal Data, except, in each case, as necessary to maintain or provide the Noodl Solution, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order);
     9.3 ensure that it has in place appropriate technical and organizational measures designed to protect against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
     9.4 ensure that all Noodl personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
     9.5 ensure that where Sub-processors are used outside the EEA or the UK such that Personal Data is transferred outside the EEA or the UK, and such transfer is not to a third country that the EU Commission considers to provide an adequate level of protection (in the case of transfers subject to EU GDPR) or that the UK Secretary of State considers to provide an adequate level of protection (in the case of transfers subject to UK GDPR), adequate measures will be taken to ensure the Personal Data will be protected to an adequate level (including without limitation use of the SCCs) and the Data Subjects’ rights under the Data Protection Law will not be prejudiced by such a transfer;
     9.6 maintain records of processing activities carried out on behalf of Customer as required by Data Protection Law;
     9.7 assist the Customer in responding to any request from a Data Subject and in ensuring compliance with its obligations under Data Protection Law with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
     9.8 notify Customer without undue delay on becoming aware of a Personal Data security incident. Noodl is not obligated to report unsuccessful incidents or incidents that result in no unlawful or accidental destruction, loss, alteration, disclosure of, or unauthorized access to Personal Data or any of Noodl’s equipment or facilities storing Personal Data. Such incidents may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers), or similar incidents. Noodl’s obligation to report or respond to a security incident under this section is not and will not be construed as an acknowledgement by Noodl of any fault or liability of Noodl with respect to the incident; and
     9.9 at the written direction of Customer, delete Personal Data to the extent Noodl is capable of doing so via its standard retrieval and delete mechanism, unless required by applicable law to store the Personal Data.
  10. Customer will immediately notify Noodl if any necessary appropriate consents and notices required to enable lawful transfer of Personal Data to Noodl for the duration and purposes of this Agreement have been breached, terminated, withdrawn, or are otherwise no longer valid.
  11. The parties agree that (a) the EU SCCs apply if Personal Data from the EEA is transferred via use of the Noodl Solution to Noodl in a country that is outside of the EEA, and such transfer is not to a third country that the EU Commission considers to provide an adequate level of protection, and (b) the UK SCCs apply if Personal Data from the UK is transferred via use of the Noodl Solution to Noodl in a country that is outside of the UK, and such transfer is not to a country that the UK Secretary of State considers to provide an adequate level of protection (such outbound transfers of Personal Data from the EU or the UK, each an "EU/UK Outbound Transfer"). If no EU/UK Outbound Transfer occurs, the SCCs and this section 11 will not apply. As used in this section, the terms “Data Importer” and “Data Exporter” will have the meanings given to them in the Standard Contractual Clauses. The parties acknowledge that for the purposes of the Standard Contractual Clauses, Noodl is acting in the capacity of a Data Importer and Customer is the Data Exporter (notwithstanding that Customer may be located outside of the EEA/UK or is acting as a processor on behalf of third-party controllers). Each party will comply with the applicable obligations of the Standard Contractual Clauses in their respective roles as Data Exporter and Data Importer. The data subjects, categories of data, and processing operations (as required to be disclosed in the Standard Contractual Clauses) are as set forth in this DPA. Annex 1 to this DPA details the technical and security measures Noodl has implemented, as required to be disclosed in the Standard Contractual Clauses.
  12. The parties further agree that for all EU/UK Outbound Transfers, the governing law of the Standard Contractual Clauses entered into by Noodl and the Customer will be: (a) the laws of Sweden, if the Customer is established in the EEA, or (b) the laws of the UK, if the Customer is located in the UK. If any inconsistency arises between this section 12 and any other provision for the governing law of the Standard Contractual Clauses entered into between Customer and Noodl, this section 12 will take precedence.
  13. Customer acknowledges and agrees that it shall exercise its audit rights under this DPA (including where applicable, the Standard Contractual Clauses) and any audit rights granted by Data Protection Law, by instructing Noodl to comply with the audit measures described in Annex 1 to this DPA.
  14. Noodl represents and warrants that it has not received any order, request, or other communication from a governmental body for the disclosure of Personal Data and it shall:
     14.1 if it receives such order, request, or other communication, attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, Noodl may provide Customer’s basic contact information to the relevant body. If compelled to disclose Customer Data to a governmental body, then Noodl will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Noodl is legally prohibited from doing so;
     14.2 publish a transparency report or provide information to Customer on request regarding: (a) the number of orders, requests, or other communications from governmental bodies for the disclosure of Personal Data and/or assistance in surveillance processes and the type of information requested, (b) its responses to the foregoing, and (c) its process for challenging such confidential and non-confidential orders, requests, and communications; and
     14.3 notify Customer if its ability to maintain the confidentiality and security of Personal Data has been compromised for any reason including by orders, requests or communications described above, and cease processing, including receiving such Personal Data.
  15. Customer agrees that Noodl may use Sub-processors to fulfill its contractual obligations under this DPA or to provide certain services on its behalf, such as providing support services, and consents to the use of Sub-processors as described in this section. The Noodl website https://www.noodl.net/third-party-applications lists Sub-processors that are currently engaged by Noodl to deliver the Noodl Service. (Such webpage constitutes Annex III/Appendix 3 to the Standard Contractual Clauses if and as applicable.) At least 10 business days before Noodl engages any new Sub-processor to carry out processing activities on Personal Data on behalf of Customer, Noodl will endeavor to update the applicable website and provide Customer notice of that update as per the means specified for notices in the Agreement. If Customer objects to a new Sub-processor, Customer must notify Noodl in writing within ten days of Customer’s notice of the change (without prejudice to any termination rights Customer has under the Agreement), after which time Customer shall be deemed to have consented to the new sub-processor’s appointment in the absence of any such notice. If Customer objects to a new Sub-processor, Noodl may either, in its sole discretion: (a) propose an alternative Sub-processor or remain with the current Sub-processor; or (b) refrain from the use of any Sub-processor; or (c) terminate the Customer's subscription on thirty days written notice.
  16. Noodl may propose revisions to this DPA by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an approved code of conduct or applicable certification scheme (which will apply when replaced by attachment to this Agreement). Customer and Noodl will negotiate such changes in good faith as soon as reasonably practicable. The parties agree that if any new versions or revisions to the EU SCCs are approved by the European Commission, or if any new versions or revisions to the UK SCCs are adopted by the UK, such that the implementation of the Standard Contractual Clauses in this DPA no longer applies or is no longer appropriate, the parties shall work together to enter into the new standard contractual clauses as applicable as soon as reasonably practicable.
  17. Where the EU SCCs apply to transfers of Personal Data governed by this DPA, the following options shall be deemed to be selected and incorporated, each clause reference in this section being a reference to a clause in the EU SCCs: (a) Clause 7 shall not apply; (b) at Clause 9, option 2 shall apply for both Module 2 and Module 3; and (c) at Clause 11, the optional redress mechanism shall not apply.
  18. California Consumer Privacy Act (CCPA) Notice: as a “Service Provider” (as that term is defined in the CCPA), Noodl will process California personal data that is subject to the CCPA strictly for the purpose of providing to Customer the solutions and services described in the Agreement, or as otherwise permitted by the CCPA, and shall not retain, use, or disclose such data for any other purpose.

Annex 1: Technical and Organizational Security Measures

DPA ANNEX 1: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES (Annex II/Appendix 2 to the Standard Contractual Clauses if and as applicable)

a) Access Control

i) Preventing Unauthorized Product Access

Outsourced processing: Noodl hosts its Service with AWS and/or applicable affiliates. Additionally, Noodl maintains contractual relationships with vendors in order to provide the Service. Noodl relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.

Physical and environmental security: Noodl hosts its product infrastructure with multi-tenant, outsourced infrastructure provider Amazon Web Services Inc. The physical and environmental security controls are audited for SOC 2 Type II (https://aws.amazon.com/compliance/soc-faqs/) and ISO 27001 (https://aws.amazon.com/compliance/iso-27001-faqs/) compliance, among other certifications.

Authentication: Noodl has implemented a uniform password policy for its customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.

Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of Noodl’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.

Application Programming Interface (API) access: Public product APIs may be accessed using an API key.

ii) Preventing Unauthorized Product Use

Noodl implements industry standard access control capabilities for the internal networks that support its products.

Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.

Static code analysis: Security reviews of code stored in Noodl’s source code repositories are performed, checking for identifiable software flaws and known vulnerabilities.

iii) Limitations of Privilege & Authorization Requirements

Product access: A subset of Noodl’s employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” requests for access; all such requests are logged.

Staff: All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.

b) Transmission Control

In-transit: Noodl makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces. Noodl’s HTTPS implementation uses industry standard algorithms and certificates.

At-rest: Noodl stores user passwords following policies that follow industry standard practices for security and ensure that all passwords are never stored in plain text formats.

c) Input Control

Detection: Noodl designed its infrastructure to log extensive information about system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Noodl personnel, including security, operations, and support personnel, are responsive to known incidents.

Response and tracking: Noodl maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Noodl will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.

d) Availability Control

Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99% uptime. As Noodl’s service is designed to be available across many regions simultaneously, the availability offered is much higher than that of the underlying infrastructure provider in any single region. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.

Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.

Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.

Noodl’s products are designed to ensure redundancy and continuity in spite of failures. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists Noodl operations in maintaining and updating the product applications and backend without downtime. 

e) Transparency

Upon written request, Noodl shall supply (on a confidential basis) a summary copy of its most current audit or self-certification report(s) to Customer. In addition, Noodl shall respond to all reasonable requests for information made by Customer to confirm Noodl’s compliance with this DPA, by making additional information available regarding its information security program upon Customer’s written request, provided that Customer shall not exercise this right more than once per calendar year.

f) Back Doors

Noodl has not purposefully created back doors or similar programming that could be used to access the system and/or personal data. Noodl has not purposefully created or changed its business processes in a manner that facilitates access to personal data or systems.


(end of DPA)