Revised: May 1, 2024
This DPA is between Noonlight and Company and applies where, and to the extent that, Noonlight Processes Personal Data that is otherwise subject to Data Protection Law on behalf of Company when providingNoonlight Services under the Master Services Agreement signed separately between Noonlight and Company. All capitalized terms not defined in this DPA shall have the meanings set forth in the separately signed Master Services Agreement.
1. Definitions
1.1 “Agreement” means the Noonlight Master Services Agreement by and between Company and Noonlight for the provision of the Noonlight Services to Company.
1.2 “Controller” means an entity that determines the purposes and means of the Processing of Personal Data and also refers to reasonably equivalent terms under Data Protection Laws including, without limitation, a “business.”
1.3 “Data Protection Laws” means all applicable data protection laws including, but not limited to, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 and its implementing regulations (collectively, “CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act and its implementing regulations, the Utah Consumer Privacy Act, Connecticut SB6, An Act Concerning Personal Data Privacy and Online Monitoring, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”), Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, the GDPR as it forms part of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (together, “UK Data Protection Laws”), and any other applicable law or regulation related to the protection and Processing of Personal Data that is already in force or that will come into force during the term of this DPA (in each case, as may be amended, superseded or replaced).
1.4 “Group” means any and all Affiliates that are part of an entity's corporate group.
1.5 “Personal Data” means any information reasonably relating to an identified or identifiable natural person. Personal Data includes “sensitive personal data,” “sensitive personal information” or their equivalent terms under Data Protection Laws.
1.6 “Process” (and its derivatives) means any operation or set of operations which is performed on Personal Data.
1.7 “Processor” means an entity that Processes Personal Data on behalf of a Controller and also refers to reasonably equivalent terms under Data Protection Laws including, without limitation, a “service provider.”
1.8 “Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Company Data.
1.9 “Sub-processor” means any Processor engaged by Noonlight or its Affiliates to assist in fulfilling its obligations with respect to providing the Noonlight Services pursuant to the Agreement or this DPA. Sub-processors may include third-parties or members of the Noonlight Group.
1.1 “Agreement” means the Noonlight Master Services Agreement by and between Company and Noonlight for the provision of the Noonlight Services to Company.
1.2 “Controller” means an entity that determines the purposes and means of the Processing of Personal Data and also refers to reasonably equivalent terms under Data Protection Laws including, without limitation, a “business.”
1.3 “Data Protection Laws” means all applicable data protection laws including, but not limited to, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 and its implementing regulations (collectively, “CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act and its implementing regulations, the Utah Consumer Privacy Act, Connecticut SB6, An Act Concerning Personal Data Privacy and Online Monitoring, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”), Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, the GDPR as it forms part of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (together, “UK Data Protection Laws”), and any other applicable law or regulation related to the protection and Processing of Personal Data that is already in force or that will come into force during the term of this DPA (in each case, as may be amended, superseded or replaced).
1.4 “Group” means any and all Affiliates that are part of an entity's corporate group.
1.5 “Personal Data” means any information reasonably relating to an identified or identifiable natural person. Personal Data includes “sensitive personal data,” “sensitive personal information” or their equivalent terms under Data Protection Laws.
1.6 “Process” (and its derivatives) means any operation or set of operations which is performed on Personal Data.
1.7 “Processor” means an entity that Processes Personal Data on behalf of a Controller and also refers to reasonably equivalent terms under Data Protection Laws including, without limitation, a “service provider.”
1.8 “Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Company Data.
1.9 “Sub-processor” means any Processor engaged by Noonlight or its Affiliates to assist in fulfilling its obligations with respect to providing the Noonlight Services pursuant to the Agreement or this DPA. Sub-processors may include third-parties or members of the Noonlight Group.
2.Roles and Scope of Processing
2.1 Role of the Parties. As between Noonlight and Company, except as otherwise provided herein, Company is the Controller of Company Data and Noonlight shall Process Company Data only as a Processor acting on behalf of Company.
2.2 Company Processing of Company Data. Company agrees that (i) it will comply with its obligations as a Controller under Data Protection Laws in respect of its Processing of Company Data and any Processing instructions it issues to Noonlight; and (ii) it has provided notice and obtained (or will obtain) all consents and rights necessary for Noonlight to Process Company Data pursuant to the Agreement and this DPA.
2.3 Noonlight Processing of Company Data. Noonlight will Process, as reasonably determined by Noonlight, Company Data only for the purpose of providing the Noonlight Services and only the types and categories of Company Data that Company permits. The parties agree that Company’s complete and final instructions with regard to the nature and purposes of the Processing are set out in this DPA. Processing Company Data outside the scope of these instructions (if any) will require prior written agreement between Company and Noonlight with additional instructions for Processing.
2.4 Processing Subject to the CCPA. This Section 2.4 shall apply if and only to the extent that any Company Data is subject to the CCPA. As used in this Section, the terms “Sell,” “Share,” “Business Purpose,” and “Commercial Purpose” shall have the meanings given in the CCPA. Noonlight will not: (a) Sell or Share any Company Data; (b) retain, use, or disclose any Company Data (i) for any purpose other than for the Business Purposes specified in the Agreement, namely for Noonlight to provide services as set forth in the Agreement for the Company’s use, including for any Commercial Purpose other than the Business Purposes specified in the Agreement, or (ii) outside of the direct business relationship between Company and Noonlight; or (c) combine Company Data received from, or on behalf of, Customer with Company Data received from or on behalf of any third-party, or collected from Noonlight’s own interaction with data subjects, except to perform any Business Purpose permitted by the CCPA. Noonlight will comply with applicable obligations under the CCPA and provide the same level of privacy protection to Company Data as is required by the CCPA. Either party will notify the other party if it makes a determination that the party can no longer meet its obligations under the CCPA. If and only to the extent that Noonlight notifies Company of unauthorized use of Company Data, including under the foregoing sentence, Company will have the right to take reasonable and appropriate steps to stop and remediate such unauthorized use. Nothing in this Section 2.4 shall limit Noonlight’s right to use Company Data as permitted for Processors under Data Protection Laws.
2.5 Usage Data. Notwithstanding anything to the contrary in the Agreement (including this DPA), Company acknowledges that Noonlight shall have a perpetual irrevocable right to use and disclose Usage Data and data relating to the operation, support and/or use of the Noonlight Services for the purposes of creating statistics and analytics data for its own legitimate business purposes.
2.1 Role of the Parties. As between Noonlight and Company, except as otherwise provided herein, Company is the Controller of Company Data and Noonlight shall Process Company Data only as a Processor acting on behalf of Company.
2.2 Company Processing of Company Data. Company agrees that (i) it will comply with its obligations as a Controller under Data Protection Laws in respect of its Processing of Company Data and any Processing instructions it issues to Noonlight; and (ii) it has provided notice and obtained (or will obtain) all consents and rights necessary for Noonlight to Process Company Data pursuant to the Agreement and this DPA.
2.3 Noonlight Processing of Company Data. Noonlight will Process, as reasonably determined by Noonlight, Company Data only for the purpose of providing the Noonlight Services and only the types and categories of Company Data that Company permits. The parties agree that Company’s complete and final instructions with regard to the nature and purposes of the Processing are set out in this DPA. Processing Company Data outside the scope of these instructions (if any) will require prior written agreement between Company and Noonlight with additional instructions for Processing.
2.4 Processing Subject to the CCPA. This Section 2.4 shall apply if and only to the extent that any Company Data is subject to the CCPA. As used in this Section, the terms “Sell,” “Share,” “Business Purpose,” and “Commercial Purpose” shall have the meanings given in the CCPA. Noonlight will not: (a) Sell or Share any Company Data; (b) retain, use, or disclose any Company Data (i) for any purpose other than for the Business Purposes specified in the Agreement, namely for Noonlight to provide services as set forth in the Agreement for the Company’s use, including for any Commercial Purpose other than the Business Purposes specified in the Agreement, or (ii) outside of the direct business relationship between Company and Noonlight; or (c) combine Company Data received from, or on behalf of, Customer with Company Data received from or on behalf of any third-party, or collected from Noonlight’s own interaction with data subjects, except to perform any Business Purpose permitted by the CCPA. Noonlight will comply with applicable obligations under the CCPA and provide the same level of privacy protection to Company Data as is required by the CCPA. Either party will notify the other party if it makes a determination that the party can no longer meet its obligations under the CCPA. If and only to the extent that Noonlight notifies Company of unauthorized use of Company Data, including under the foregoing sentence, Company will have the right to take reasonable and appropriate steps to stop and remediate such unauthorized use. Nothing in this Section 2.4 shall limit Noonlight’s right to use Company Data as permitted for Processors under Data Protection Laws.
2.5 Usage Data. Notwithstanding anything to the contrary in the Agreement (including this DPA), Company acknowledges that Noonlight shall have a perpetual irrevocable right to use and disclose Usage Data and data relating to the operation, support and/or use of the Noonlight Services for the purposes of creating statistics and analytics data for its own legitimate business purposes.
3. Sub-processing
3.1 Authorized Sub-processors. Company agrees that in order to provide the Noonlight Services, Noonlight may engage Sub-processors to Process Company Data. A list of Noonlight’s current authorized Sub-processors is found in Annex B.
3.2 Sub-processor Obligations. Where Noonlight authorizes any Sub-processor:
3.1 Authorized Sub-processors. Company agrees that in order to provide the Noonlight Services, Noonlight may engage Sub-processors to Process Company Data. A list of Noonlight’s current authorized Sub-processors is found in Annex B.
3.2 Sub-processor Obligations. Where Noonlight authorizes any Sub-processor:
a. Noonlight will restrict the Sub-processors’ access to Company Data only to what is necessary to assist Noonlight in providing or maintaining the Noonlight Services, and will prohibit the Sub-processor from accessing Company Data for any other purpose;
b. Noonlight will enter into a written agreement with the Sub-processor imposing data protection and confidentiality terms that require the Sub-processor to protect and keep confidential the Company Data to the standard required by this DPA and by applicable Data Protection Laws; and
c. Noonlight will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Noonlight to breach any of its obligations under this DPA, subject to the applicable limitation of liability in the Agreement.
3.3 Updates to Sub-processors. Noonlight shall notify Company (for which email and/or posting an updated list of Sub-processors on the provided Noonlight portal, which will suffice) if it adds or removes Sub-processors at least ten (10) calendar days prior to any such changes. Company may object in writing to Noonlight’s appointment of a new Sub-processor within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties will discuss such concerns in good faith with a view to achieving resolution.
4. Security Measures and Security Incident Response
4.1 Security Measures. Noonlight has implemented and will maintain appropriate technical and organizational security measures to protect Company Data from Security Incidents and to preserve the security and confidentiality of the Company Data (“Security Measures”). The Security Measures applicable to the Noonlight Services are set forth in Annex A, as updated or replaced from time to time.
4.2 Updates to Security Measures. Company is responsible for reviewing the information made available by Noonlight relating to data security and making an independent determination as to whether the Noonlight Services meet Company's requirements and legal obligations under Data Protection Laws. Company acknowledges that the Security Measures are subject to technical progress and development and that Noonlight may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Noonlight Services provided to Company.
4.3 Personnel. Noonlight restricts its personnel from Processing Company Data without authorization by Noonlight as set forth in the Security Measures and shall ensure that any person who is authorized by Noonlight to Process Company Data is under an appropriate obligation of confidentiality.
4.4 Company Responsibilities. Notwithstanding the above, Company agrees that except as provided by this DPA, Company is responsible for its secure use of the Noonlight Services, including securing its account authentication credentials, protecting the security of Company Data when in transit to and from the Noonlight Services and taking any appropriate steps to securely encrypt or backup any Company Data uploaded to the Noonlight Services.
4.5 Security Incident Response. Upon becoming aware of a Security Incident that affects Company or any data subject, Noonlight will notify Company without undue delay and will provide information relating to the Security Incident as it becomes known or as is reasonably requested by Company. Noonlight will also take reasonable steps to mitigate and, where possible, to remedy the effects of any Security Incident.
5. Audit Reports
5.1 Company acknowledges that Noonlight’s hosting service provider, Amazon Web Services (“AWS”), regularly audits the data centers where the data resides against SSAE 18/SOC 1 and SOC 2 and PCI standards. Upon written request, Noonlight shall supply a publicly available copy of audit report(s) from AWS (“Report”) to Company, provided, however, that Company may be required to sign a Non-Disclosure Agreement with AWS or Noonlight to receive such report.
6. Cooperation
6.1 The Noonlight Services provide Company with a number of controls that Company may use to retrieve, correct, delete or restrict Company Data, which Company may use to assist it in connection with its obligations under the Data Protection Laws, including its obligations relating to responding to requests from data subjects or applicable data protection authorities. To the extent that Company is unable to independently access the relevant Company Data within the Noonlight Services, Noonlight shall (at Company's expense) provide reasonable cooperation to assist Company in responding to any requests from individuals or applicable data protection authorities relating to the Processing of Personal Data under the Agreement. In the event that any such request is made directly to Noonlight, Noonlight shall not respond to such communication directly without Company's prior authorization, unless legally compelled to do so or Company fails to respond in a timely manner. If Noonlight is required to respond to such a request, Noonlight will promptly notify Company and provide it with a copy of the request unless legally prohibited from doing so.
Annex A– Technical and organizational security measures to be implemented by Noonlight:
4. Security Measures and Security Incident Response
4.1 Security Measures. Noonlight has implemented and will maintain appropriate technical and organizational security measures to protect Company Data from Security Incidents and to preserve the security and confidentiality of the Company Data (“Security Measures”). The Security Measures applicable to the Noonlight Services are set forth in Annex A, as updated or replaced from time to time.
4.2 Updates to Security Measures. Company is responsible for reviewing the information made available by Noonlight relating to data security and making an independent determination as to whether the Noonlight Services meet Company's requirements and legal obligations under Data Protection Laws. Company acknowledges that the Security Measures are subject to technical progress and development and that Noonlight may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Noonlight Services provided to Company.
4.3 Personnel. Noonlight restricts its personnel from Processing Company Data without authorization by Noonlight as set forth in the Security Measures and shall ensure that any person who is authorized by Noonlight to Process Company Data is under an appropriate obligation of confidentiality.
4.4 Company Responsibilities. Notwithstanding the above, Company agrees that except as provided by this DPA, Company is responsible for its secure use of the Noonlight Services, including securing its account authentication credentials, protecting the security of Company Data when in transit to and from the Noonlight Services and taking any appropriate steps to securely encrypt or backup any Company Data uploaded to the Noonlight Services.
4.5 Security Incident Response. Upon becoming aware of a Security Incident that affects Company or any data subject, Noonlight will notify Company without undue delay and will provide information relating to the Security Incident as it becomes known or as is reasonably requested by Company. Noonlight will also take reasonable steps to mitigate and, where possible, to remedy the effects of any Security Incident.
5. Audit Reports
5.1 Company acknowledges that Noonlight’s hosting service provider, Amazon Web Services (“AWS”), regularly audits the data centers where the data resides against SSAE 18/SOC 1 and SOC 2 and PCI standards. Upon written request, Noonlight shall supply a publicly available copy of audit report(s) from AWS (“Report”) to Company, provided, however, that Company may be required to sign a Non-Disclosure Agreement with AWS or Noonlight to receive such report.
6. Cooperation
6.1 The Noonlight Services provide Company with a number of controls that Company may use to retrieve, correct, delete or restrict Company Data, which Company may use to assist it in connection with its obligations under the Data Protection Laws, including its obligations relating to responding to requests from data subjects or applicable data protection authorities. To the extent that Company is unable to independently access the relevant Company Data within the Noonlight Services, Noonlight shall (at Company's expense) provide reasonable cooperation to assist Company in responding to any requests from individuals or applicable data protection authorities relating to the Processing of Personal Data under the Agreement. In the event that any such request is made directly to Noonlight, Noonlight shall not respond to such communication directly without Company's prior authorization, unless legally compelled to do so or Company fails to respond in a timely manner. If Noonlight is required to respond to such a request, Noonlight will promptly notify Company and provide it with a copy of the request unless legally prohibited from doing so.
Annex A– Technical and organizational security measures to be implemented by Noonlight:
- Appointment of one or moreofficers responsible for coordinating and monitoring the information technologyrules and procedures.
- Documented policy and procedures governing employee and vendor use of the information technology system.
- Process to identify and respond to suspected or known Security Incidents.
- Internally, data at rest is secured by roles or group permissions and audited periodically to make sure that people only have access to data that they need to do their jobs and that terminated users accounts are disabled.
- Servers are patched in a timely fashion to make sure that the latest security updates are applied – especially for any outward-facing servers.
- Anti-virus, anti-malware, and anti-ransomware software is run on all endpoint devices, both physical and virtual. These services scan data at rest and in transit.
- Transport Layer Security (TLS) is used wherever applicable for both web and email traffic. Email is also filtered and scanned multiple times coming in and going out.
- All critical data is stored on databases and is backed up at least daily.
- Third-party auditors conduct IT audits annually and review policies and procedures.
- Noonlight practices data minimization, such as by limiting the number of individuals who may access Personal Data.
Annex B– List of Noonlight Sub-processors:
Noonlight uses its Affiliates and a range of third-party Sub-processors to assist it in providing the Noonlight Services (as described in the Agreement). These Sub-processors set out below provide the following services to Noonlight:
Noonlight uses its Affiliates and a range of third-party Sub-processors to assist it in providing the Noonlight Services (as described in the Agreement). These Sub-processors set out below provide the following services to Noonlight:
Entity Name
Nature of Processing
Atlassian (JIRA, Service Desk, Confluence)
Cloud Services – Internal Developer Work Tools
Linear
Cloud Services – Internal Developer Work Tools
Heroku
Cloud Services – Internal Developer Work Tools
MongoDB Atlas
Cloud Services – Database Hosting
ElephantSQL
Cloud Services – Database Hosting
Backupify
Cloud Backup for Microsoft 365
Zoom
Cloud Services – Meetings and Conference Calls
Conga Novatus
Cloud Services – Legal Contract Management
Amazon Web Services
Data Centers
Google
Cloud Services – Document Storage
Cloud Services – Geocoding APIs
Cloud Services – Geocoding APIs
Dropbox
Cloud Services – Document Storage
Microsoft
Microsoft 365 – Enterprise Email, Chat, Video Conferencing and Storage
HubSpot
Cloud Services – Internal Sales/Customer Management
Slack
Cloud Services – Internal Work Tools
Datadog
Cloud Services – Internal IT Log Management
Cloud Services – Internal IT APM
Cloud Services – Internal IT APM
PagerDuty
Cloud Services – Internal IT On-Call Management
Looker
Cloud Services – Business Intelligence Tool
LogRocket
Cloud Services – User Experience Analytics
Cloud Services – Frontend Performance Monitoring
Cloud Services – Frontend Performance Monitoring
Sentry
Cloud Services – Frontend Error Monitoring
Pusher
Cloud Services – Managed WebSockets
Twilio
Cloud Services – SMS / VoIP Services
Pitney Bowes
Cloud Services – Geo APIs
Bandwidth
Cloud Services – SMS / VoIP Services
Acadian Monitoring Services, LLC
Staffing – Monitoring Agent
Viiz, Communications, Inc.
Staffing – Monitoring Agent
QVIS Monitoring LTD
Staffing – Monitoring Agent (United Kingdom & Ireland End Users)
Northern Communication Services, Inc.
Staffing – Monitoring Agent
Chubb Fire & Security Pty Ltd
Staffing – Monitoring Agent
