Data Processing Agreement (DPA)

Data Processing Agreement (DPA)

This Data Processing Agreement (DPA) forms part of the Master services agreement (“Master Agreement”) between NTH and the Company and is subject to the Master Agreement.

For the purposes of this DPA:

• If the Company acts as a Data Controller, then NTH acts as a Data Processor.
• If the Company acts as a Data Processor sending data to NTH, then NTH acts as a Sub-Processor.
• If NTH acts as a Data Processor sending data to the Company, then the Company acts as a Sub-Processor.

References to “Controller,” “Processor,” and “Sub-Processor” throughout this DPA shall be interpreted in accordance with the roles established in this section, as applicable in the context of the data processing activities undertaken under the Master Agreement.

1. Definitions

Data Provider – is the party that transfers Personal Data to the Data Recipient for processing under the terms of this Data Processing Agreement (DPA). The Data Provider may act as a Data Controller or a Data Processor, depending on the circumstances, and is responsible for ensuring that the processing of Personal Data complies with applicable data protection laws.

Data Recipient – is the party that receives Personal Data from the Data Provider for processing under this DPA. The Data Recipient is responsible for processing the Personal Data in accordance with the instructions of the Data Provider and in compliance with applicable data protection laws. The Data Recipient may act as a Data Processor or Sub-Processor depending on the relationship with the Data Provider.

All other terms used in this DPA have the same definitions as provided in the General Data Protection Regulation (GDPR).

2. Compliance with Applicable Data Protection Laws

Both NTH and the Company shall at all times comply with their respective obligations under applicable Data Protection Laws, including the GDPR, and shall ensure that their employees, agents, and sub-processors adhere to such provisions.

3. Details and Scope of the Processing

(a) The processing of Personal Data under this DPA shall be conducted as described in Appendix 1, and in accordance with Article 28(3) of the GDPR. The parties may amend these details periodically, as required to comply with legal or operational requirements.

(b) Data Recipient shall only process Personal Data for the following purposes: (i) To fulfill its obligations under the Master Agreement; and (ii) In accordance with the Data Controller’s documented instructions, as set out in this DPA or otherwise communicated (e.g., orders, service descriptions, support tickets, emails, APIs, control panels).

(c) If the Data Recipient reasonably believes that an instruction from the Data Controller or Data Provider violates the Master Agreement, the GDPR, or other applicable data protection laws, it shall promptly notify the Data Provider. Data Recipient may suspend the implementation of such instructions until the parties resolve the matter.

(d) Company Responsibility:

Whether acting as a Data Controller or Data Sub-Processor, the Company is responsible for the utilization and management of personal data transmitted or processed through the Services. This responsibility includes, but is not limited to:

    (i) Verifying recipient information (e.g., phone numbers, addresses) to ensure correctness;

    (ii) Notifying recipients about the potential security risks of transmitting personal data   through insecure methods (e.g., email, messaging), where applicable;

    (iii) Limiting the type or amount of personal data transmitted to what is strictly necessary; and

    (iv) Encrypting personal data during transmission, where appropriate or required by law.

(e) NTH’s Role as Processor:

Notwithstanding any other provisions, when processing personal data related to communication services (e.g., SMS and other messages and communications, email, voice, and other media) regardless of whether Company acts as a controller or processor, NTH always acts as a processor, and not as an independent or joint controller. NTH provides its communications services and carries out its necessary functions and business as a communication services provider, including necessary measures to prevent spam and fraud and control, security, and maintenance of its network, management of its business and compliance functions consistent with its obligations under applicable laws.

4. Obligations of Data Provider and Data Recipient

(a) The Data Provider transfers Personal Data to the Data Recipient for processing. The Data Recipient shall process Personal Data only as instructed by the Data Provider and in accordance with the terms of this DPA and applicable data protection laws.

(b) NTH shall designate a Data Protection Officer (DPO) or other responsible personnel to assist the Company with inquiries from data subjects or regulators. Such assistance may be requested through email provided in the document DPA acceptance.

(c) Company shall designate a Data Protection Officer (DPO) or other responsible personnel to assist NTH with inquiries from data subjects or regulators. Such assistance may be requested through email provided in the document DPA acceptance.

(c) The Data Provider warrants that:

(i) It has a legal basis for processing Personal Data as required by applicable data protection laws.

(ii) It has obtained the necessary consents, rights, and permissions to transfer Personal Data to the Data Recipient and allow the Data Recipient to process it as per the DPA and Master Agreement.

(iii) It will inform its Data Subjects about the use of processors, where required by law.

(iv) It will respond promptly to data subject inquiries and provide necessary instructions to the Data Provider for data subject rights fulfillment.

5. Confidentiality

The Parties shall ensure that all personnel authorized to process Personal Data are bound by confidentiality agreements or statutory confidentiality obligations and are appropriately trained in data protection compliance.

6. Technical and Organizational Measures

(a) NTH shall implement and maintain appropriate technical and organizational measures to ensure the security of Personal Data in accordance with Appendix 2 and Article 32 of the GDPR. These measures shall include encryption, access control, incident response procedures, and regular security assessments.

(b) The Company shall implement and maintain appropriate technical and organizational measures to ensure the security of Personal Data in accordance with Measures set out in the document DPA Acceptance and Article 32 of the GDPR. These measures shall include encryption, access control, incident response procedures, and regular security assessments.

(c) Upon request and at the Data Provider’s expense, Data Recipient shall assist the Data Provider in complying with its security obligations under Article 32.

7. Data Subject Requests

If the Data Recipient receives a data subject request directly, it shall notify the Data Provider and provide reasonable assistance to enable the Data Provider to comply with its obligations under applicable data protection laws

8. Personal Data Breaches

The Data Recipient shall notify the Data Provider without undue delay upon becoming aware of a personal data breach affecting the Personal Data provided by the Data Provider. Taking into account the nature of the processing and the information available, the Data Recipient shall use commercially reasonable efforts to provide the Data Provider with sufficient information to enable the Data Provider, at its own cost, to fulfill any obligations to report or inform regulatory authorities, data subjects, or other relevant entities, as required under applicable data protection laws

9. Audits

(a) Data Recipient shall, upon reasonable request, provide the Data Provider with information demonstrating compliance with this DPA.

(b) The Data Provider may conduct an audit of Data Recipient’s data processing activities, provided it gives reasonable notice and ensures that such an audit does not disrupt Data Recipient’s business operations. Data Recipient shall cooperate with such audits, subject to confidentiality.

(c) Audits may be requested if Data Recipient has not provided sufficient evidence of its compliance or where required by law.

10. Sub-Processing

(a) The Data Provider authorizes the Data Recipient to appoint sub-processors as necessary to fulfill its contractual obligations, in accordance with this DPA and the Master Agreement.

(b) The Data Provider hereby provides a general written authorization to the Data Recipient to engage subcontractors for the processing of personal data to the extent necessary to fulfil its contractual obligations under the Agreement. Given that information about further subprocessors in terms of partners is a business secret, the disclosure of which could endanger the business of the Parties, and given that the subject of the Masters Agreement is a dynamic business that often requires changes to subprocessors in order to establish and optimize traffic routes or to establish, optimize and maintain the provision of services, Data Recipient will not give to the Data Provider or demand from it approval for the use of individual subprocessors, instead the Data Recipient hereby gives the Data Provider general approval for the use of subprocessors for the purpose of executing, optimizing and maintaining the execution of the subject of the contract.

(c) Data Provider shall take reasonable measures to ensure that sub-processing agreements provide at least the same level of protection as this DPA and meet the requirements of GDPR Article 28(3).

11. International Data Transfers

If the processing of personal data includes transfers Personal Data to sub-processors located outside the European Economic Area (EEA) in countries without adequate data protection laws, the parties shall enter into Standard Contractual Clauses or another lawful transfer mechanism as required under applicable laws.

12. Deletion or Return of Personal Data

Upon termination or expiration of the Master Agreement, the Data Recipient shall delete or return all Personal Data to the Data Provider, unless a legal obligation requires retention.

13. Indemnity

The Parties agrees to indemnify and defend each other against any claims, actions, suits, proceedings, damages, liabilities, costs or expenses incurred due to any of the following:

(i) A Party’s failure to comply with its obligations under this DPA, including any breaches of data protection laws, including the GDPR, or any regulatory action or enforcement regarding the processing of Personal Data.

(ii) Any act, omission, negligence, error, or breach of duty by the indemnifying Party or its employees, agents, subcontractors, or other representatives, in the performance of its obligations under this DPA.

(iii) A Party’s failure to implement and maintain adequate technical and organizational measures to protect the Personal Data, as required under applicable data protection laws, and any resulting data breach or unauthorized access to Personal Data.

The indemnity obligation does not apply where the Claims arise from the sole fault or negligence of the Indemnified Party or from its failure to follow reasonable instructions or recommendations from the indemnifying Party in relation to the processing of Personal Data.

14. Termination

This DPA shall automatically terminate upon the expiration or termination of the Master Agreement, unless otherwise agreed by the parties.

15. Miscellaneous

If any provision of this DPA is deemed invalid, the remainder of the DPA shall remain in full force. Invalid provisions shall be amended to reflect the parties’ intent as closely as possible.

16. Amendments to the Data Processing Agreement

Any modifications to this DPA must be documented in a separate appendix and agreed to by both parties.

17. Governing Law and Jurisdiction

This DPA shall be governed by the same laws and jurisdiction as stipulated in the Master Agreement. If the Master Agreement does not fall under the GDPR, the laws of the EU country where the Data Controller or Processor is established shall apply.

By accepting this DPA, the Company agrees to the terms and conditions stated herein.