LIBNOVA Data Processing Agreement Addendum for Cloud Services
Version: 2023.01.30
This Data Processing Addendum (“Agreement”) supplements the LIBNOVA Service Agreement, as updated from time to time between Customer and LIBNOVA, or other agreement between the Customer and LIBNOVA governing Customer’s use of the Service Offerings (the “Service Agreement”).
This Agreement is an agreement between you and the entity you represent (“Customer”, “you” or “your”) and LIBNOVA, SL (“LIBNOVA”). Unless otherwise defined in this Agreement or in the Service Agreement, all capitalized terms used in this Agreement will have the meanings given to them in Section 17 of this Agreement.
1. Data Processing
1.1 Scope and Roles
This Agreement applies when Customer Data is processed by LIBNOVA. In this context, LIBNOVA will act as the processor to the Customer, who can act either as controller or processor of Customer Data.
1.2 Customer Controls
The Customer can use the Service Controls to assist them with their obligations under Applicable Data Protection Law, including their obligations to respond to requests from data subjects. Taking into account the nature of the processing, the Customer agrees that it is unlikely that LIBNOVA would become aware that Customer Data transferred under the Standard Contractual Clauses is inaccurate or outdated. Nonetheless, if LIBNOVA becomes aware that Customer Data transferred under the Standard Contractual Clauses is inaccurate or outdated, it will inform the Customer without undue delay.
LIBNOVA will cooperate with the Customer to erase or rectify inaccurate or outdated Customer Data transferred under the Standard Contractual Clauses by providing the Service Controls that the Customer can use to erase or rectify Customer Data.
1.3 Details of Data Processing
1.3.1 Subject matter
The subject matter of the data processing under this Agreement is Customer Data.
1.3.2 Duration
As between LIBNOVA and the Customer, the duration of the data processing under this Agreement is determined by the Customer and the LIBNOVA Service Agreement or other agreements that may be in place.
1.3.3 Purpose
The purpose of the data processing under this Agreement is the provision and execution of the Services initiated by the Customer when using the LIBNOVA Cloud platform.
1.3.4 Nature of the processing
Any of the Services as provided by the LIBNOVA Cloud platform or any of its components and related Services, as described in the Documentation and initiated by the Customer.
1.3.5 Type of Customer Data
The Customer Data uploaded or ingested to the Services under the Customer’s LIBNOVA accounts or sub-accounts created to deliver the Services.
1.3.6 Categories of data subjects
The data subjects could include Customer’s employees, suppliers, or 3rd parties.
1.4 Compliance with the Laws
Each party will comply with all the Laws, rules, and regulations applicable to it and binding on it in the performance of this Agreement, including the Applicable Data Protection Law.
2. Customer Instructions
The parties agree that this Agreement, the Product Documentation, API Guides, Technical Notes, Training Materials or any other documentation made available by LIBNOVA for the Services constitute Customer’s documented instructions regarding LIBNOVA’s processing of Customer Data (“Documented Instructions”).
LIBNOVA will process Customer Data only in accordance with Documented Instructions (which if the Customer is acting as a processor, could be based on the instructions of its controllers). Additional instructions outside the scope of the Documented Instructions (if any) require a prior written agreement between LIBNOVA and the Customer, including the agreement on any additional fees payable by the Customer to LIBNOVA for carrying out such instructions.
The Customer is entitled to terminate this Agreement and the Service Agreement if LIBNOVA declines to follow instructions requested by the Customer that are outside the scope of, or changed from, those given or agreed to be given in this Agreement.
Taking into account the nature of the processing, the Customer agrees that it is unlikely LIBNOVA can form an opinion on whether Documented Instructions infringe Applicable Data Protection Law. If LIBNOVA forms such an opinion, it will immediately inform the Customer, in which case, the Customer is entitled to withdraw or modify their Documented Instructions.
3. Confidentiality of Customer Data
LIBNOVA will not access, use, or disclose to any third party any Customer Data except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order).
If a governmental body sends LIBNOVA a demand for Customer Data, LIBNOVA will attempt to redirect the governmental body to request that data directly from the Customer. As part of this effort, LIBNOVA may provide the Customer’s basic contact information to the governmental body. If compelled to disclose Customer Data to a governmental body, then LIBNOVA will give the Customer reasonable notice of the demand to allow the Customer to seek a protective order or other appropriate remedies unless LIBNOVA is legally prohibited from doing so.
4. Confidentiality Obligations of LIBNOVA Personnel
LIBNOVA restricts its personnel from processing Customer Data without authorization by LIBNOVA as described in the LIBNOVA Security Standards. LIBNOVA imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection, and data security.
5. Security of Data Processing
5.1 Security Standards
LIBNOVA has implemented and will maintain the technical and organizational measures for the LIBNOVA Platform as described in the LIBNOVA Security Standards and this Section.
In particular, LIBNOVA has implemented and will maintain the following technical and organizational measures: (a) security of the LIBNOVA Network as set out in Section 1.1 of the LIBNOVA Security Standards; (b) physical security of the facilities as set out in Section 1.2 of the LIBNOVA Security Standards; (c) measures to control access rights for LIBNOVA employees and contractors to the LIBNOVA Platform as set out in Section 1.1 of the LIBNOVA Security Standards; and (d) processes for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures implemented by LIBNOVA as described in Section 2 of the LIBNOVA Security Standards.
5.2 Organizational Measures to Protect Customer Data
LIBNOVA provides technical and organizational measures to protect Customer Data including at-rest and in-transit data encryption; measures to ensure ongoing confidentiality, integrity, availability, and resilience of the processing systems and services that are operated by the Customer; processes to backup and archive appropriately in order to restore availability and access to Customer Data in a timely manner in the event of a physical or technical incident, and processes for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures implemented by LIBNOVA.
Additionally, the Customer can elect to implement technical and organizational measures to protect Customer Data. Such technical and organizational measures include encryption to ensure an appropriate level of security; measures to ensure the ongoing confidentiality, integrity, availability, and resilience of the processing systems and services that are operated by Customer; measures to allow Customer to backup and archive appropriately in order to restore availability and access to Customer Data in a timely manner in the event of a physical or technical incident, and processes for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures implemented by Customer.
6. Sub-Processing
6.1 Authorized Sub-Processors
The Customer provides general authorization to LIBNOVA’s use of sub-processors to provide processing activities on Customer Data on behalf of the Customer (“Sub-Processors”) in accordance with this Section.
The current Sub-Processors are:
Amazon Web Services, Inc
OVH Groupe SAS
Voxility GmbH
At least 60 days before LIBNOVA engages with a new Sub-Processor, LIBNOVA will update this Agreement and provide the Customer with a mechanism to obtain notice of that update. To object to a Sub-Processor, the Customer can: (i) terminate the Service Agreement pursuant to their terms, or (ii) cease using the Service for which LIBNOVA has engaged the Sub-Processor.
6.2 Sub-Processor Obligations
Where LIBNOVA authorizes a Sub-Processor as described in Section 6.1: (i) LIBNOVA will restrict the Sub-Processor’s access to Customer Data only to what is necessary to provide or maintain the Services in accordance with the Documentation, and LIBNOVA will prohibit the Sub-Processor from accessing Customer Data for any other purpose; (ii) LIBNOVA will enter into a written agreement with the Sub-Processor and, to the extent that the Sub-Processor performs the same data processing services provided by LIBNOVA under this Agreement, LIBNOVA will impose on the Sub-Processor the same contractual obligations that LIBNOVA has under this Agreement; and (iii) LIBNOVA will remain responsible for its compliance with the obligations of this Agreement and for any acts or omissions of the Sub-Processor that cause LIBNOVA to breach any of LIBNOVA’s obligations under this Agreement.
7. LIBNOVA Assistance with Data Subject Requests
Taking into account the nature of the processing, LIBNOVA will assist the Customer in fulfilling the Customer’s obligations to respond to data subjects’ requests under Applicable Data Protection Law. If a data subject makes a request to LIBNOVA, LIBNOVA will promptly forward such request to the Customer once LIBNOVA has identified that the request is from a data subject for whom the Customer is responsible.
The Customer, acting on its behalf (and on behalf of their controllers when the Customer is acting as a processor), authorises LIBNOVA to respond to any data subject who makes a request to LIBNOVA, to confirm that LIBNOVA has forwarded the request to the Customer.
The parties agree that the Customer’s use of the Service Controls and LIBNOVA forwarding data subjects’ requests to the Customer in accordance with this section represent the scope and extent of the Customer’s required assistance.
8. Optional Security Features
LIBNOVA makes available many Controls that the Customer can elect to use. The Customer is responsible for (a) implementing the protective measures as appropriate, (b) properly configuring the Services, (c) maintaining accounts up to date, rotating passwords, preventing 3rd party use of them, setting and defining access restriction policies for internal and external users, and enabling or disabling access to metadata, and (d) taking such steps as the Customer considers adequate to maintain appropriate security, protection, and deletion of Customer Data, which includes the use of additional encryption technology to protect Customer Data from unauthorized access and measures to control access rights to Customer Data.
9. Security Incident Notification
9.1 Security Incident
LIBNOVA will (a) notify the Customer of a Security Incident without undue delay after becoming aware of the Security Incident, and (b) take appropriate measures to address the Security Incident, including measures to mitigate any adverse effects resulting from the Security Incident.
9.2 LIBNOVA Assistance
To enable the Customer to notify a Security Incident to supervisory authorities or data subjects (as applicable), LIBNOVA will cooperate with and assist the Customer by including in the notification under Section 9.1(a) such information about the Security Incident as LIBNOVA is able to disclose to the Customer, taking into account the nature of the processing, the information available to LIBNOVA, and any restrictions on disclosing the information, such as confidentiality.
Taking into account the nature of the processing, the Customer agrees that it is best able to determine the likely consequences of a Security Incident.
9.3 Unsuccessful Security Incidents
The Customer agrees that: (i) an unsuccessful Security Incident will not be subject to this Section 9. An unsuccessful Security Incident is one that results in no unauthorized access to Customer Data or to any of LIBNOVA’s equipment or facilities storing Customer Data, and could include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers), or similar incidents; and (ii) LIBNOVA’s obligation to report or respond to a Security Incident under this Section 9 is not and will not be construed as an acknowledgment by LIBNOVA of any fault or liability of LIBNOVA with respect to the Security Incident.
9.4 Communication
Notification(s) of Security Incidents, if any, will be delivered to one or more of the Customer’s Designated Support Contacts via email. It is the Customer’s sole responsibility to ensure the Customer’s administrators maintain accurate contact information on the LIBNOVA management console and secure transmission at all times.
10. LIBNOVA Certifications and Audits
10.1 LIBNOVA ISO-Certification
In addition to the information contained in this Agreement, upon the Customer’s request, and provided that the parties have an applicable NDA in place, LIBNOVA will make available the following documents and information: (i) the certificates issued for the ISO 27001 certification, the ISO 27017 certification, and the ISO 27018 certification (or the certifications or other documentation evidencing compliance with such alternative standards as are substantially equivalent to ISO 27001, ISO 27017 and ISO 27018).
10.2 LIBNOVA Audits
LIBNOVA uses external auditors to verify the adequacy of its security measures. This audit: (a) will be performed at least annually; (b) will be performed according to ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001; (c) will be performed by independent third-party professionals at LIBNOVA’s selection and expense; and (d) will result in the generation of an audit report (“Report”), which will be LIBNOVA’s Confidential Information.
10.3 Audit Reports
At the Customer’s written request, and provided that the parties have an applicable NDA in place, LIBNOVA will provide the Customer with a copy of the Report so that the Customer can reasonably verify LIBNOVA’s compliance with its obligations under this Agreement.
10.4 Privacy Impact Assessment and Prior Consultation
Taking into account the nature of the processing and the information available to LIBNOVA, LIBNOVA will assist the Customer in complying with the Customer’s obligations in respect of data protection impact assessments and prior consultation, by providing the information LIBNOVA makes available under this Section 10.
11. Customer Audits
If the Customer chooses to conduct any audit, including any inspection, they have the right to request or mandate on their own behalf, and on behalf of their controllers when the Customer is acting as a processor, under Applicable Data Protection Law or the Standard Contractual Clauses, by instructing LIBNOVA to carry out the audit described in Section 10.
If the Customer wishes to change this instruction regarding the audit, then the Customer has the right to request a change to this instruction by sending LIBNOVA written notice as provided for in the Service Agreement. If LIBNOVA declines to follow any instruction requested by the Customer regarding audits, including inspections, the Customer is entitled to terminate the Service Agreement in accordance with its terms.
12. Transfers of Personal Data
12.1 Regions
The Customer can specify the location(s) where Customer Data will be processed within the LIBNOVA Platform (each a “Region”), including Regions in the EEA. Once the Customer has made their choice, LIBNOVA will not transfer Customer Data from the Customer’s selected Region(s), except as necessary to provide the Services initiated by the Customer, or as necessary to comply with the law or valid and binding order of a governmental body.
12.2 Application of Standard Contractual Clauses
Subject to Section 12.3, the Standard Contractual Clauses will only apply to Customer Data subject to the GDPR that is transferred, either directly or via onward transfer, to any Third Country (each a “Data Transfer”).
12.2.1 Controller to Processor clauses
When the Customer is acting as a controller, the Controller-to-Processor Clauses will apply to a Data Transfer.
12.2.2 When Customer is acting as a processor
When the Customer is acting as a processor, the Processor-to-Processor Clauses will apply to a Data Transfer. Taking into account the nature of the processing, the Customer agrees that it is unlikely that LIBNOVA will know the identity of the Customer’s controllers because LIBNOVA has no direct relationship with the Customer’s controllers and therefore, the Customer will fulfill LIBNOVA’s obligations to the Customer’s controllers under the Processor-to-Processor Clauses.
12.3 Alternative Transfer Mechanism
The Standard Contractual Clauses will not apply to a Data Transfer if LIBNOVA has adopted Binding Corporate Rules for Processors or an alternative recognized compliance standard for lawful Data Transfers.
13. Termination of the Agreement
This Agreement will continue in force until the termination of the Service Agreement (the “Termination Date”).
14. Return or Deletion of Customer Data
At any time up to the Termination Date, and for a maximum of 180 days following the Termination Date, subject to the terms and conditions of the Service Agreement, LIBNOVA will delete Customer Data when the Customer uses the Service Controls to request such deletion. Not later than the end of this 180-day period, the Customer will close all LIBNOVA accounts containing Customer Data.
15. Duties to Inform
Where Customer Data becomes subject to confiscation during bankruptcy or insolvency proceedings, or similar measures by third parties while being processed by LIBNOVA, LIBNOVA will inform the Customer without undue delay. LIBNOVA will, without undue delay, notify all relevant parties in such action (for example, creditors, bankruptcy trustee) that any Customer Data subjected to those proceedings is the Customer’s property and area of responsibility and that Customer Data is at the Customer’s sole disposition.
16. Entire Agreement; Conflict
This Agreement incorporates the Standard Contractual Clauses by reference. Except as amended by this Agreement, the Service Agreement will remain in full force and effect. If there is a conflict between the Service Agreement and this Agreement, the terms of this Agreement will control. Nothing in this document varies or modifies the Standard Contractual Clauses.
17. Definitions
Unless otherwise defined in the Service Agreement, all capitalized terms used in this Agreement will have the meanings given to them below.
“Applicable Data Protection Law” means all Laws and regulations applicable to and binding on the processing of Customer Data by a party, including, as applicable, the GDPR and the UK Data Protection Act 2018.
“LIBNOVA Network” or “LIBNOVA Platform” means LIBNOVA’s data center facilities or rented facilities, servers, networking equipment, and host software systems (for example LIBSAFE or LABDRIVE) that are within LIBNOVA’s control and are used to provide the Services.
“LIBNOVA Security Standards” means the security standards attached to the Agreement, or if none are attached to the Service Agreement, attached to this Agreement as Annex 1.
“Binding Corporate Rules” has the meaning given to it in the GDPR.
“Controller” has the meaning given to it in the GDPR.
“Controller-to-Processor Clauses” means the standard contractual clauses between controllers and processors for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
“Customer Data” means the “personal data” (as defined in Applicable Data Protection Law) that is uploaded, ingested, or generated in or to the Services under Customer’s LIBNOVA accounts, subaccounts, or allowed 3rd parties.
“Documentation” means the then-current documentation for the Services located at docs.libnova.com (and any successor locations designated by LIBNOVA).
“EEA” means the European Economic Area.
“GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” will be interpreted accordingly.
“Processor” has the meaning given to it in the GDPR.
“Processor-to-Processor Clauses” means the standard contractual clauses between processors for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
“Region” has the meaning given to it in Section 12.1 of this Agreement.
“Security Incident” means a breach of LIBNOVA security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.
“Service Controls” means the controls, including security features and functionalities, that the Services provide as described in the Documentation.
“Standard Contractual Clauses” means (i) the Controller-to-Processor Clauses, or (ii) the Processor-to-Processor Clauses, as applicable in accordance with Sections 12.2.1 and 12.2.2.
“Third Country” means a country outside the EEA not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR).
Annex 1 - LIBNOVA Security Standards
Capitalized terms not otherwise defined in this document have the meanings assigned to them in the Service Agreement.
1. Information Security Program
LIBNOVA will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) help Customer secure Customer Data against accidental or unlawful loss, access, or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorized access to the LIBNOVA Network, and (c) minimize security risks, including through risk assessment and regular testing. LIBNOVA will designate one or more employees to coordinate and be accountable for the information security program. The information security program will include the following measures:
1.1 Network Security
The LIBNOVA Network will be electronically accessible to employees, contractors, and any other person as necessary to provide the Services. LIBNOVA will maintain access controls and policies to manage what access is allowed to the LIBNOVA Network from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls. LIBNOVA will maintain corrective action and incident response plans to respond to potential security threats.
1.2 Physical Security
1.2.1 Physical Access Controls
Physical components of the LIBNOVA Network are housed in nondescript facilities (the “Facilities”). Physical barrier controls are used to prevent unauthorized entrance to the Facilities. Passage through the physical barriers at the Facilities requires either electronic access control validation (for example, card access systems, etc.) or validation by human security personnel (for example, contract or in-house security guard service, receptionist, etc.). Employees and certain contractors are assigned photo-ID badges that must be worn while the employees and contractors are at any of the Facilities. Visitors and any other contractors are required to sign in with designated personnel, must show appropriate identification, are assigned a visitor ID badge that must be worn while the visitor or contractor is at any of the Facilities, and are continually escorted by authorized employees or contractors while visiting the Facilities.
1.2.2 Limited Employee and Contractor Access
LIBNOVA provides access to the Facilities to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to them, the access privileges are promptly revoked.
2. Continued Evaluation
LIBNOVA will conduct periodic reviews of the security of its LIBNOVA Network and the adequacy of its information security program as measured against industry security standards and its policies and procedures. LIBNOVA will continually evaluate the security of its LIBNOVA Network and associated Services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.