This Data Processing Addendum (“DPA”) is made by and between NOC Solutions (“NOC) and the customer entity (“Customer”) that is a party to the Agreement (collectively, the “Parties”), as may be required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 (hereinafter the “CCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Protection Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), and any other applicable data protection or privacy law (together “Applicable Privacy Laws”). This addendum governs matters of data protection with respect to Personal Information between the Parties, amending the Agreement with respect to such data protection and privacy matters, and will remain in force for the duration of the Agreement. Capitalized terms not otherwise defined herein, shall take the meaning ascribed to them by Applicable Privacy Laws. The terms of this DPA will apply only to the extent that they are required under Applicable Privacy Laws.

1. “Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.

2. “Agreement” means NOC’s Standard Terms of Use, or other written or electronic agreement, which governs the provision of the Service to Customer, as such terms or agreement may be updated from time to time.

3. “Control” means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term “Controlled” shall be construed accordingly.

4. “Data Protection Laws” means all data protection laws and regulations applicable to a party’s processing of Personal Information under the Agreement.

5. “Personal Information” means any information relating to an identified or identifiable natural person, including without limitation any information which is defined under Applicable Privacy Laws as personal, provided by or on behalf of Customer. Customer is a Controller (or a Business) of Personal Information governed by Applicable Privacy Laws. NOC is a Processor of Customer (or a Service Provider, Holder, etc.)

6. NOC will Process Personal Information only pursuant to Customer’s documented instructions, which may include the Agreement, any other agreement between the Parties with respect to the provision of the NOC’s services to Customer, and any other instructions communicated in writing directly to NOC. NOC may also Process Personal Information where required by applicable laws to which NOC is subject, in which case NOC shall inform Customer of that legal requirement before the relevant Processing of that Personal Information, unless prohibited from doing so by law. For the purpose of CCPA and Applicable Privacy Laws, NOC does not sell or share, retain, use or disclose Customer Personal Information outside of the business relationship with Customer or for any other purpose than is stated in the Agreement.

7. Customer instructs NOC to Process the Personal Information for the following purposes: (i) providing the NOC services to Customer; and (ii) compliance with other reasonable and lawful instructions provided by Customer where such instructions are consistent with any service agreement, including without limitation the Agreement. Customer is responsible for complying with its requirements as Controller under Applicable Privacy Laws, including but not limited to transparency and lawfulness requirements for the collection and use of the Personal Information, including obtaining necessary consents and authorizations.

8. NOC may only Process the types of Personal Information, relating to such categories of Data Subjects, as are detailed in a service Agreement, including without limitation the Agreement.

9. NOC’s personnel engaged in Processing Personal Information are and will remain committed to confidentiality. NOC takes not less than industry-appropriate technical and organizational measures to ensure the security of its Processing of Personal Information.

10. Where required under applicable law, NOC will maintain an updated list of its sub processors, which will be made available to Customer upon the request of the Customer, and Customer shall have the right to object, on reasoned grounds, to any sub processor within thirty (30) days of becoming aware of such sub processor’s processing. In the event that Customer, acting reasonably and in good faith, objects to such processing, then the Customer may terminate those services undertaken by NOC that require the use of said sub processor. NOC shall ensure that the arrangement between NOC and each sub-processor is governed by a written contract including terms which offer at least the same level of protection for the Personal Information being Processed hereunder as those set out in this DPA.

11. NOC will assist Customer in responding to requests for exercising Data Subjects’ rights. NOC will inform Customer promptly if it receives such a request, and in any event within 72 hours of receiving the request, and will not take any other action without Customer’s authorization. NOC will likewise assist Customer with its obligations pursuant to Applicable Privacy Laws, including also data security, data protection impact assessments, and breach notifications. NOC will inform Customer without delay if NOC experiences or suspects a Personal Information Breach, and will provide full details to Customer.

12. Deletion or return on termination. Upon termination or expiration of this DPA, NOC shall take reasonable measures to provide tools for Customer to delete or return to Customer all Personal Information (including copies) in its possession or control, except that this requirement shall not apply to the extent NOC is required by applicable law or industry rules to retain some or all of the Personal Information, or as to Personal Information it has archived on back-up systems, which Personal Information NOC shall securely isolate, protect from any further processing and eventually delete in accordance with NOC’s deletion policies, except to the extent required by applicable law or on the recommendation of NOC’s legal counsel.

13. NOC will make available all information necessary to demonstrate compliance with Applicable Privacy Laws. NOC will reasonably allow for and contribute to audits and inspection in this regard. In the event that the NOCs obligations in relation to audits, regulatory inquiries, or financial reviews exceed the standard level of compliance and assistance typically required in the industry, whether due to heightened regulatory scrutiny, extraordinary audit requests, or other atypical demands arising from the Customer’s use of the NOC services, the Customer agrees to compensate NOC for the additional time, resources, and expenses incurred. The fees for such assistance shall be reasonable based on the time and resources expended by NOC.

14. NOC may assign its respective rights and obligations hereunder where such assignment is by way of merger or acquisition of all or substantially all NOC’s equity or assets, or change of control.

15. Limitation of Liability. Each party’s and all of its Affiliates’ liability taken together in the aggregate arising out of or related to this DPA shall, to the greatest extent permitted under law, be subject to the exclusions of liability set forth in the Agreement. Any claims made against NOC or its Affiliates under or in connection with this DPA shall be brought solely by the Customer entity that is a party to the Agreement. In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.

16. Invalidation of one or more of the provisions under this DPA will not affect the remaining provisions. Invalid provisions will be replaced, to the extent possible, by such valid provisions which achieve essentially the same objectives. The choice of law and jurisdiction governing this agreement will be the same as those governing the applicable Agreement, unless required otherwise by applicable Data Protection laws.

17. This DPA shall remain in effect for as long as NOC carries out Personal Information processing operations on behalf of Customer or until termination of the Agreement (and all Personal Information has been returned or deleted in accordance with Section 12 above).

18. The parties agree that this DPA shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the NOC service.

19. In the event of any conflict or inconsistency, the provisions of the following documents (in order of precedence) shall prevail: (i) this DPA; (ii) the Agreement.

20. Except for any changes made by this DPA, the Agreement remains unchanged and in full force and effect.

21. No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.

22. NOC’s Data Protection personnel may be contacted at [email protected].

23. Details of Processing:

    • Nature, purpose and subject matter of the Processing: NOC provides a text message service, as more particularly described in the Agreement. The subject matter of the data processing under this DPA is the Personal Information. Personal Information will be processed in accordance with the Agreement (including this DPA) and may be subject to the following processing activities:

      1. Storage and other processing necessary to provide, maintain and improve the services provided to Customer pursuant to the Agreement; and/or

      2. Disclosure in accordance with the Agreement and/or as compelled by applicable law

    • Categories of Data Subjects: Customer users or end consumers.

    • Types of Personal Information: Customer may upload, submit, or otherwise provide certain Personal Information to the Service, the extent of which is typically determined and controlled by Customer in its sole discretion, and may include the following types of personal data:

      1. Customers: Identification and contact data (name, address, title, contact details, username); financial information (credit card details, account details, payment information); employment details (employer, job title, geographic location, area of responsibility).

      2. Contacts: Identification and contact data.

    • Frequency of the transfer. Continuous.