Last Update: September 10, 2024

Data Processing Addendum

This Data Processing Addendum (“DPA” or “Addendum”) is a supplement to the agreement (“Agreement”) between Client and the Nativex entities (“Nativex”) for the promotion of Client's products or services. This DPA is an integral part of the Agreement and shall be effective as of the date of execution of the Agreement. In the event of any inconsistency between this DPA and the Agreement in relation to Personal Data, this DPA shall prevail. Terms in quotation marks in this DPA, and terms not defined herein, shall have the same meaning as in the Agreement and/or the applicable data protection provisions.

PLEASE NOTE THAT THE ORIGINAL EUROPEAN DATA PROTECTION ADDENDUM (“EUROPEAN ADDENDUM”), CALIFORNIA CONSUMER PRIVACY ACT ADDENDUM (“CCPA ADDENDUM”) AND PERSONAL DATA PROTECTION ADDENDUM FOR MAINLAND CHINA (“CHINESE PIPL ADDENDUM”) PREVIOUSLY CONTAINED ON THIS PAGE HAVE BEEN SUPERSEDED BY THIS DPA, AND THE TERMS OF THIS DPA SHALL PREVAIL, REGARDLESS OF THE APPLICABLE DATA PROTECTION LAWS GOVERNING THE PROCESSING OF PERSONAL DATA BY THE PARTIES UNDER THE AGREEMENT, FROM AND AFTER SEPTEMBER 10, 2024.

1. Definition.

For purposes of this DPA, the following definitions apply:

“Applicable Data Protection Law” means all applicable laws and regulations, including without limitation international, federal, national and state privacy, data security, and data protection laws and regulations (including without limitation, where applicable, European/UK Data Protection Law, LGPD, Russian Data Protection Law, COPPA, China Data Protection Law, VCDPA, CDPA, CPA, UCPA and CCPA).

“CCPA” means the California Consumer Privacy Act, effective on January 1, 2020, as amended by the California Privacy Rights Act, effective on January 1, 2023, as further amended, including without limitation any and all applicable implementing regulations.

“CDPA” means the Connecticut Data Privacy Act, effective on July 1, 2023, as amended, including without limitation any and all applicable implementing regulations.

“CPA” means the Colorado Privacy Act, effective on July 1, 2023, as amended, including without limitation any and all applicable implementing regulations.

“VCDPA” means the Virginia Consumer Data Protection Act, effective on January 1, 2023, as amended, including without limitation any and all applicable implementing regulations.

“UCPA” means the Utah Consumer Privacy Act, effective on December 31, 2023, as amended, including without limitation any and all applicable implementing regulations.

“COPPA” means the Children’s Online Privacy Protection Act of the United States and the Children’s Online Privacy Protection Rule promulgated under it by the United States Federal Trade Commission.

“Controller” means the entity that determines the purposes and means of the Processing of Personal Data, as defined in European/UK Data Protection Law, the VCDPA, the CPA, the CDPA and the UCPA. Where the China Data Protection Law applies, Controller means the Personal Data handler (“个人信息处理者”); where the CCPA applies, Controller means the Business.

“China Data Protection Law” means (1) the Personal Information Protection Law, (2) the Data Security Law, (3) the Cybersecurity Law and (4) any and all applicable laws and regulations related to the protection of Personal Data, of the People’s Republic of China; in each case as may be amended or superseded from time to time.

“Data Exporter” means the party who transfers Personal Data to the Data Importer pursuant to a Restricted Transfer.

“Data Importer” means the party who receives Personal Data from the Data Exporter pursuant to a Restricted Transfer.

“Destroy” means to burn, pulverize, or shred paper records, or to destroy or erase electronic files or media, so that the information cannot be read or reconstructed.

“EEA” means the European Economic Area.

“Russian Data Protection Law” means (1) Federal Law No. 149-FZ on Information, Information Technologies and Information Protection; (2) Federal Law No. 152-FZ on Personal Data; (3) Federal Law No. 242-FZ on Amendments to Certain Legislative Acts of the Russian Federation with regard to Clarifying the Procedure for Processing Personal Data in Information and Telecommunication Networks; and (4) any and all applicable national laws and regulations made under or pursuant to (1), (2) and (3); in each case, as may be amended or superseded from time to time.

“European/UK Data Protection Law” means: (1) the EU General Data Protection Regulation 2016/679 (“EU GDPR”); (2) the EU e-Privacy Directive (Directive 2002/58/EC); (3) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's (“UK”) European Union (Withdrawal) Act 2018 (the “UK GDPR”); (4) the Swiss Federal Act on Data Protection (“Swiss DPA”); and (5) any and all applicable national laws made under or pursuant to (1), (2), (3) and (4); in each case as may be amended or superseded from time to time.

“LGPD” means the Brazilian Lei Geral de Proteção de Dados (Law No. 13.709/2018), as amended, including without limitation any and all applicable implementing regulations.

“Nativex Privacy Policy” means the privacy policy available on Nativex's official website at https://www.nativex.com/en/privacy, as may be updated from time to time.

“Personal Data” means any information relating to an identified or identifiable natural person, or that relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular natural person or household. The term Personal Data includes (but is not limited to) names, postal addresses, e-mail addresses, social security numbers, driver's license or identification card numbers, account numbers, credit card or debit card numbers, medical information, device identifiers, Internet Protocol addresses, cookies, beacons, pixel tags, mobile advertising identifiers or similar technology, unique pseudonyms, user aliases, telephone numbers, any other persistent identifiers that can be used to recognize a consumer, a family, or a device linked to an individual or family over time and across different services, any other persistent or probabilistic identifiers that can be used to identify a particular individual or device, and any other information which is deemed “Personal Data” or “Personal Information” under Applicable Data Protection Law. For the avoidance of doubt, Personal Data includes, where relevant, special or sensitive categories of data under Applicable Data Protection Law.


“Process” means to perform any operation upon Personal Data, whether manually or by automated means, including but not limited to collection, recording, sorting or organization, structuring, accessing, storage, adaptation or alteration, retrieval, consultation, use, transfer, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.


“Processor” means an entity that Processes Personal Data on behalf of the Controller, as defined in European/UK Data Protection Law, the VCDPA, the CPA, the CDPA and the UCPA. Where the China Data Protection Law applies, Processor means an entity that the Controller(s) entrust to Process Personal Data on their behalf; where the CCPA applies, Processor means the Service Provider or Contractor as defined in the CCPA.


“Restricted Transfer” means: (i) where the EU GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; (iii) where the Swiss DPA applies, a transfer of Personal Data from Switzerland to any other country which is not determined to provide adequate protection for Personal Data by the Federal Data Protection and Information Commissioner or the Federal Council (as applicable); (iv) where the China Data Protection Law applies, a transfer of Personal Data from the People's Republic of China to a country or region outside of the People's Republic of China; and (v) where another Applicable Data Protection Law applies, a cross-border transfer of Personal Data from that jurisdiction to any other country which is not based on adequacy regulations pursuant to that Applicable Data Protection Law.

“SCCs” means (i) where the EU GDPR or the Swiss DPA applies, the contractual clauses annexed to the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR, including the International Data Transfer Agreement (version A1.0, in force 21 March 2022) issued by the UK Information Commissioner and the EU SCCs with the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0, in force 21 March 2022) issued by the UK Information Commissioner appended (“UK SCCs”); and (iii) where another Applicable Data Protection Law applies, the standard contractual clauses or other appropriate cross-border transfer mechanism approved by the relevant data protection authority or similar body and adopted or permitted under that Applicable Data Protection Law.

“Business Correspondence” means communications between representatives of the Parties necessary to fulfill the Agreement, Client's representatives visiting the Nativex platform/website, logging into the Nativex software system, Client making payments to Nativex, and Nativex sending direct marketing emails about relevant products or services to Client's representatives.


“Affiliates” means, with respect to a party, all entities which, directly or indirectly, control, are controlled by, or are under common control with that party.

Capitalized terms used but not defined herein have the meaning set forth in the Agreement and/or Applicable Data Protection Law.

2. Data protection.

2.1. Relationship of the Parties. With respect to the Personal Data to which the Parties have access as a result of the performance of the Agreement, each party is an independent Controller of the Personal Data Processed when conducting Business Correspondence. This data processing is described in ANNEX 1.

2.2. Rights and responsibilities

2.2.1. When conducting Business Correspondence, Client warrants that, if Client is a legal entity, it has provided appropriate notice to, and obtained valid consent from, its employees who are in direct contact with Nativex's business representatives or who have accessed Nativex's platform/website, and, if Client is a natural person, Client itself agrees, to the following: Nativex and/or its Affiliates may, in accordance with the Nativex Privacy Policy, store Personal Data of Client itself or of Client's employees and send direct marketing emails about products or services to Client itself or to Client's employees. Client shall provide Nativex with a record of all employee consents upon Nativex's request and shall notify Nativex in writing within 24 hours of receiving a refusal or withdrawal of consent from an employee.

2.2.2. Client shall not, by its acts or omissions, cause Nativex to violate Applicable Data Protection Law, the content of the notice provided to the data subject, or the scope of the consent obtained from the data subject, in connection with the Processing of Personal Data shared pursuant to this DPA.

2.3. Confidentiality of Processing. Client shall keep all Processing of Personal Data strictly confidential in accordance with the confidentiality provisions of the Agreement. Client shall ensure that any person it authorizes to Process the Data (including Client’s staff, agents and subcontractors) (an “Authorized Person”) is subject to a strict duty of confidentiality (whether contractual or statutory) and shall not permit any person who is not under such a duty to Process the Data. Client shall ensure that only Authorized Persons have access to, and Process, the Data, and that such access and Processing is limited to what is strictly necessary to achieve the purposes described in this DPA. Client accepts responsibility for any breach of this DPA caused by the act, error or omission of an Authorized Person. Nativex shall have the right to require Client to provide a documented list of Authorized Persons.

2.4. Security. Client shall implement and maintain reasonable and appropriate physical, technical and organizational measures to ensure the ongoing integrity, confidentiality and availability of Personal Data, and the resilience of the systems and services Processing Personal Data, as appropriate to the nature and scope of Client's activities and services and in accordance with Applicable Data Protection Law. Such measures shall include without limitation: (1) protecting the Personal Data from accidental or unlawful (a) destruction, and/or (b) loss, alteration, or unauthorized disclosure or access (a “Security Incident”); (2) all the controls set out in ANNEX 2; and (3) the measures required pursuant to Article 32 of the EU GDPR or the UK GDPR, where applicable. Client shall implement and maintain comprehensive written privacy and information security policies and procedures and provide those documents (a) to Nativex upon written request and (b) at appropriate intervals (including prior to any Processing of the Data) to the Authorized Persons who will Process the Data. Client shall also provide reasonable assistance to enable Nativex to comply with its obligations relating to the security of Processing under Applicable Data Protection Law.

2.5. Cooperation and Individuals' Rights. When acting as the Controller of Personal Data, each party is independently responsible for fulfilling requests from data subjects regarding their rights in relation to their Personal Data, and the other party shall provide appropriate assistance and support where necessary.

2.6. Security Incidents. Each party shall assist the other in fulfilling its obligations under Applicable Data Protection Law in relation to Personal Data breach notifications.

2.7. Deletion of Data. Once the purposes of the Agreement have been achieved or have otherwise become unachievable, each party shall immediately Destroy all Personal Data (including all copies of the Data) in its possession or control, including any Data subcontracted to a third party for Processing. This provision does not apply to the extent that a party is required by applicable law to retain some or all of the Data, in which case that party shall isolate and protect the Personal Data from any further Processing, except to the extent required by such law, until deletion is possible.

2.8. Indemnity. Client shall indemnify Nativex from and against all claims (including claims filed by a third party against Nativex), loss, cost, harm, expense (including reasonable legal fees), liabilities or damage (“Damage”) suffered or incurred by Nativex as a result of Client's breach of the data protection provisions set out in this DPA.

3. Restricted Transfer.

3.1. Personal Data protected by the China Data Protection Law. Where the China Data Protection Law applies and any transfer of Personal Data under the Agreement is a Restricted Transfer, the Parties shall comply with the provisions of the China Data Protection Law governing the export of personal information, including but not limited to conducting data export security assessments (where required), signing the applicable standard contract, and taking reasonable organizational and technical measures to safeguard the exported data. In that case (1) the Data Importer shall use its best efforts to assist the Data Exporter in complying with the requirements of the China Data Protection Law (including but not limited to obtaining any governmental permits, assessments or approvals, signing a separate standard data transfer agreement, or completing other formalities); and (2) if the Data Exporter, in its sole and absolute discretion, believes that one or more requirements of the China Data Protection Law have not been met, the Data Exporter may withhold or suspend the transfer of personal information to the Data Importer. For the avoidance of doubt, where Client is the Controller of the Personal Data subject to the Restricted Transfer and Nativex is entrusted by Client to carry out that Restricted Transfer, Client shall perform the data export obligations under the China Data Protection Law described above in respect of that Restricted Transfer, and Nativex shall provide the necessary assistance to Client where reasonably requested by Client.

3.2. Personal Data protected by the Russian Data Protection Law. Where the Russian Data Protection Law applies and any transfer of Personal Data from Client to Nativex is a Restricted Transfer, Client shall first store such Personal Data on a server located in Russia and shall make the Restricted Transfer to Nativex in compliance with the Russian Data Protection Law. In addition, if required by the Russian Data Protection Law, Client shall obtain the written consent of the individuals concerned to such Restricted Transfers.

3.3. Standard Contractual Clauses. The parties agree that where a transfer of Personal Data under the Agreement(s) is a Restricted Transfer, the SCCs are incorporated into this Addendum by this reference, with each Data Exporter and Data Importer deemed to have entered into the SCCs in its own name and on its own behalf, as follows:

3.3.1. In relation to Data that is protected by the EU GDPR, the EU SCCs apply, completed as follows: (1) when conducting Business Correspondence, MODULE ONE (Controller to Controller) applies; (2) in Clause 17, Option 1 applies, and the EU SCCs are governed by the law of the Netherlands; (3) in Clause 18(b), disputes shall be resolved before the courts of the Netherlands; (4) Annex I and Annex II of the EU SCCs are deemed completed with the information set out in ANNEX 1 and ANNEX 2 to this Addendum.

3.3.2. In relation to Data that is protected by the UK GDPR, the UK SCCs apply, completed as follows: (1) the International Data Transfer Agreement (version A1.0, in force 21 March 2022, the “IDTA”) issued by the UK Information Commissioner is deemed to have been entered into; (2) Tables 1 to 4 of Part 1 of the IDTA are deemed completed as specified below: A. the UK country whose law governs the IDTA is England and Wales; B. the primary place for legal claims to be made by the parties to the IDTA is England and Wales; C. the Linked Agreement is the Agreement; D. the UK GDPR applies to the Data Exporter; E. the parties to the IDTA may end the IDTA before the end of its term by serving one month's written notice; F. the party to the IDTA that may end the IDTA when the Approved IDTA changes is the Data Importer; G. if any of the following items is updated in the Linked Agreement (as defined in the IDTA), the corresponding information in the IDTA updates automatically: a. the categories of the transferred Personal Data; b. the categories of special category and criminal records data; c. the Data Subjects of the transferred Personal Data; d. the purposes for which the Data Importer may Process the transferred Personal Data; e. the security requirements. (3) Except as explicitly specified in points A to F above, Tables 1 to 3 are deemed completed with the information set out in ANNEX 1 to this Addendum; (4) Table 4 is deemed completed with the information set out in ANNEX 2 to this Addendum.

3.3.3. In relation to Data that is protected by the Swiss DPA, the EU SCCs apply as set out in Section 3.3.1 of this Addendum, amended as follows: (1) references to “Regulation (EU) 2016/679” in the EU SCCs are deemed to refer to the Swiss DPA; (2) references to specific articles of “Regulation (EU) 2016/679” are deemed replaced with the equivalent article or section of the Swiss DPA; (3) references to “EU”, “Union” and “Member State” are deemed replaced with “Switzerland”; (4) references to the “competent supervisory authority” are replaced with the “Swiss Federal Data Protection and Information Commissioner”; and (5) in Clause 18(b), disputes shall be resolved before the competent courts of Switzerland.

3.3.4. In relation to Data that is protected by another Applicable Data Protection Law, the Data Exporter and the Data Importer agree that the applicable SCCs automatically apply to the transfer of Data from the Data Exporter to the Data Importer and, where applicable, are deemed completed mutatis mutandis in the manner described above.

3.4. The Data Importer shall not participate in (nor permit any processor or sub-processor to participate in) any other Restricted Transfer of Personal Data under or related to the performance of the Agreement(s), whether as an exporter or an importer of the Personal Data, unless that Restricted Transfer is made in full compliance with Applicable Data Protection Law.

3.5. If there is any conflict between this Addendum and the SCCs, the SCCs will prevail.

3.6. Each Data Importer shall have in place and maintain, in accordance with good industry practice, measures to protect the Data from interception, both in transit from the Data Exporter to the Data Importer and between the Data Importer's own systems and services. These measures include network protections that deny attackers the ability to intercept the Data, and encryption of the Data while in transit so that any intercepted Data cannot be read.

Appendix

ANNEX I

DESCRIPTION OF DATA PROCESSING ACTIVITIES (WHERE CLIENT TRANSFERS PERSONAL DATA TO NATIVEX)

A.LIST OF PARTIES

Data exporter: Client

Address: As specified in the Agreement

Contact person's name, position and contact details: As specified in the Agreement

Role (Controller/Processor): Controller

Data importer: Nativex

Address: As specified in the Agreement

Contact person’s name, position and contact details: As specified in the Agreement

Role (Controller/Processor): Controller

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred: Client (if Client is a natural person) or Client's employees who have had direct contact with Nativex's commercial representatives or who have accessed Nativex's platform/website.

Categories of personal data transferred:
[Name, work unit, position, telephone number, email address, WeChat account, city of residence.

If Client is a natural person: Client's personal identity card, passport, driving licence or other licence number or a scanned copy thereof, and Client's debit or credit card or other payment account information.

The username and password, and the IP address, used by Client or its employees to access Nativex's platform/website.]

Sensitive data transferred: [The username and password, and the IP address, used by Client or its employees to access Nativex's platform/website; Client's personal ID, passport, driving licence or other licence number or scanned copy; and Client's debit or credit card or other payment account information.]

Applied restrictions or safeguards for the sensitive data: [(1) To maintain the confidentiality, integrity and availability of the data, Nativex uses cryptography and IP whitelisting to ensure confidentiality; cryptography, checksums and the TLS and SSH protocols to ensure integrity; and redundancy of key links to ensure availability. (2) To secure the transmission endpoints, Nativex encrypts sensitive data and stores only the ciphertext in the database, and uses the SMTP/POP protocols together with SSL/TLS to deploy secure proxy gateways between terminals and application servers. (3) To secure the transmission channel, Nativex applies security measures on the links from the proxy server to the terminals, from the proxy server to the Internet, and between proxy servers. (4) Nativex strengthens access control over data transmission through identity authentication, privilege restriction and control over which ports are opened.]

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): continuous during the whole term of the Agreement.

Nature of the processing: Personal Data will be subject to automated and manual processing operations by Nativex, including collection, use, storage and erasure.

Purpose(s) of the data transfer and further processing: to conduct Business Correspondence.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: At the option and request of Client and where technically feasible, Nativex shall delete or return all Personal Data to Client upon expiry or termination of the Agreement, unless the laws of the United Kingdom, the European Union or its member states require the Personal Data to be retained beyond that period.

Whether and when the Data Importer can make further transfers of Personal Data (only when an IDTA is signed): the Data Importer may make onward transfers in accordance with Section 16.1 (Transfer of Data) of the IDTA and for the purposes of processing agreed in Section 2.2.1 of this Addendum.

Review date of the transfer (only when an IDTA is signed): the parties must review the security requirements at least every time there is a change to the transferred data, the purpose, the Data Importer's information, the transfer risk assessment (TRA) or the risk assessment.

C. COMPETENT SUPERVISORY AUTHORITY

For Personal Data protected under the EU GDPR: the competent supervisory authority/ies are as determined in accordance with Clause 13 of the EU SCCs.

For Personal Data protected under the Swiss DPA: Federal Data Protection and Information Commissioner (FDPIC)

For Personal Data protected under the UK GDPR: Information Commissioner's Office

DESCRIPTION OF DATA PROCESSING ACTIVITIES (WHERE NATIVEX TRANSFERS PERSONAL DATA TO CLIENT OR CLIENT'S DESIGNATED THIRD PARTY)

A.LIST OF PARTIES

Data exporter: Nativex

Address: As specified in the Agreement

Contact person's name, position and contact details: As specified in the Agreement

Role (controller/processor): Controller


Data importer: Client

Address: As specified in the Agreement

Contact person’s name, position and contact details: As specified in the Agreement

Role (controller/processor): Controller

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred: [Nativex's employees and Client's employees who have had direct contact with each other's commercial representatives in the course of Business Correspondence.]


Categories of personal data transferred:
[ Name, position, email address, contact address]


Sensitive data transferred: No sensitive data will be transferred

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): continuous during the whole term of the Agreement.

Nature of the processing: Personal Data will be subject to automated and manual processing operations by Client, including collection, use, storage and erasure.

Purpose(s) of the data transfer and further processing: to conduct Business Correspondence.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: At the option and request of Nativex and where technically feasible, Client shall delete or return all Personal Data to Nativex upon expiry or termination of the Agreement, unless the laws of the United Kingdom, the European Union or its member states require the Personal Data to be retained beyond that period.

Whether and when the Data Importer can make further transfers of Personal Data (only when an IDTA is signed): the Data Importer may make onward transfers in accordance with Section 16.1 (Transfer of Data) of the IDTA and for the purposes of processing agreed in Section 2.2.1 of this DPA.

Review date of the transfer (only when an IDTA is signed): the parties must review the security requirements at least every time there is a change to the transferred data, the purpose, the Data Importer's information, the transfer risk assessment (TRA) or the risk assessment.

C. COMPETENT SUPERVISORY AUTHORITY

For Personal Data protected under the EU GDPR: the competent supervisory authority/ies are as determined in accordance with Clause 13 of the EU SCCs.

For Personal Data protected under the Swiss DPA: Federal Data Protection and Information Commissioner (FDPIC)

For Personal Data protected under the UK GDPR: Information Commissioner's Office


ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.


WHERE CLIENT TRANSFERS PERSONAL DATA TO NATIVEX

Nativex has implemented physical, technical and administrative security measures for the Services that comply with applicable laws and industry standards. For example, Nativex uses firewalls, encryption technology and other automated software designed to protect against fraud and identity theft, and Nativex's data is stored only in data centers that provide a high level of security for individuals' information. Physical access is strictly controlled both at the perimeter and at building ingress points by Nativex staff using video surveillance and other electronic means.

Nativex also protects individuals' privacy by seeking to minimize the amount of sensitive data it stores on its servers, and seeks appropriate contractual protection from its partners regarding their treatment of individuals' data.

Nativex has completed an ISO 27001 audit and has received SOC 2 Type 1 and SOC 3 audit reports, which provide detailed information and assurance about its security, availability, processing integrity, confidentiality and privacy controls, based on its compliance with the Trust Services Criteria (“TSC”) of the American Institute of Certified Public Accountants (AICPA).

WHERE NATIVEX TRANSFERS PERSONAL DATA TO CLIENT OR CLIENT'S DESIGNATED THIRD PARTY

The following is a description of the technical and organisational measures which Client must implement as a minimum, taking into account the nature, scope, context and purpose of the processing, as well as the risks to the rights and freedoms of natural persons:

Client shall implement strict security measures to prevent unauthorised access to, and unauthorised use, disclosure or destruction of, individuals' Personal Data. Client shall implement physical, technical and administrative measures that comply with applicable laws and industry standards. For example, Client shall use firewalls, encryption technology and other automated software designed to prevent fraud and identity theft, and shall store the Personal Data only on equipment and in locations that provide a high level of protection. Client shall strictly monitor physical access at the perimeter and at building entrances through video and other electronic surveillance. Client shall establish a dedicated security team, a security management system and data security processes to safeguard the Personal Data. Client shall adopt a strict data use and access regime so that only authorised personnel have access to the Personal Data, and shall conduct security audits of its data and technology at appropriate intervals. Client shall formulate an incident response plan, activate it immediately in the event of a personal information security incident, and endeavour to contain the impact and consequences of the incident. In the event of a personal information security incident (such as leakage or loss), Client shall promptly notify Nativex, the affected individuals and the competent authorities in accordance with the requirements of applicable laws and regulations. Client shall minimise the storage of sensitive information on its servers to protect privacy. Client shall also contractually require its partners to protect Personal Data.