Data Protection Addendum
Effective as of December 14, 2022
This Data Protection Addendum is referred to in, and forms an integral part of, the NextRoll Terms of Service and any applicable Service Addenda between NextRoll, Inc., for and on behalf of itself and NextRoll Limited ("NextRoll"), and Customer. It is effective upon acceptance of the Terms of Service.
Where Applicable Data Protection Law protects the personal data processed under the Agreement, Customers may enter this Data Protection Addendum (which incorporates the Standard Contractual Clauses): (i) to protect the personal data in accordance with the requirements of Applicable Data Protection Law; and (ii) to provide appropriate safeguards with respect to Restricted Transfers of personal data outside of the European Territories.
This Data Protection Addendum reflects the Parties’ agreement with respect to the terms governing the processing of personal data under the Agreement.
1. DEFINITIONS
In this Data Protection Addendum, the following terms shall have the following meanings:
- "controller", "processor", "data subject", "personal data" and "processing" (and "process") shall have the meanings given in the Applicable Data Protection Law;
- "Customer CRM Data" means any clear (i.e., plain text, unhashed) email addresses, names, titles, contact history, order history, or other CRM data about End Users that is provided by Customer, obtained through third party integrations with the services, or obtained by NextRoll on Customer’s behalf in connection with the services. Customer CRM Data does not include Service Data or Performance Reports. (This is the definition set forth in NextRoll’s Terms of Service (“Terms of Service”).)
- “Customer Personal Data” refers to Personal Data that is contained within the Customer CRM Data and Service Data;
- "Applicable Data Protection Law" means any then-effective applicable laws, rules, and regulations pertaining to privacy, data processing and use, data protection, data security, or confidentiality, including, without limitation, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); the EU GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); the EU e-Privacy Directive (Directive 2002/58/EC); the California Consumer Privacy Act of 2018, as amended, and any regulations promulgated thereunder (“CCPA”); the Virginia Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act and related regulations (“CPA”); the Utah Consumer Privacy Act (“UCPA”); and Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring (“CTDPA”).
- “Personal Data” means data constituting “personal data,” “personal information,” or analogous terms as defined in Applicable Data Protection Law;
- "Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not subject to adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018;
- "Service Data" means data that is collected by NextRoll from End Users using Technology on Customer Sites, including any data obtained from third parties while providing the services. Service Data does not include Customer CRM Data. If Customer opts in to cross-device or uses the RollWorks ABM services authorizing NextRoll to hash End User email addresses from Customer Sites, such hashed End User email addresses will constitute Service Data. (This is the definition set forth in the Terms of Service.)
- "Standard Contractual Clauses" means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where the UK GDPR applies, the United Kingdom Information Commissioner’s International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force 21 March 2022 ("UK SCCs").
Any other capitalized terms not defined in this Data Protection Addendum shall have the meaning given to them in the Agreement.
2. RELATIONSHIP OF THE PARTIES
The Customer (the “controller”) appoints NextRoll as a processor to process the Customer CRM Data, as further described in Annex I.
Each party is a data controller as to the data comprising the Service Data, to the extent such Service Data is under its respective custody or control, provided that the foregoing is not intended to alter, modify or limit either party’s (a) obligations with respect to notices, permissions and consents related to such Service Data, as may be further set forth in the Terms of Service, (b) rights to access, use, own or modify such Service Data, as likewise may be set forth in the Terms of Service, or (c) joint controllership obligations that may be imposed by law, such as with regard to obtaining consent for purposes of Applicable Data Protection Law.
3. PROHIBITED DATA
Customer shall not disclose any special categories of personal data (as defined in Applicable Data Protection Law) to NextRoll for processing.
4. PURPOSE LIMITATION
NextRoll shall process Customer CRM Data as a processor for the purposes described in Annex I in order to perform its obligations under the Agreement, in compliance with Applicable Data Protection Law, and strictly in accordance with the documented instructions of Customer (the "Permitted Purpose"), except where otherwise required by law(s) that are not incompatible with Applicable Data Protection Law. In no event shall NextRoll process the Customer CRM Data for its own purposes or those of any third party. NextRoll shall immediately inform Customer if it becomes aware that Customer's processing instructions infringe Applicable Data Protection Law.
5. RESTRICTED TRANSFERS
5.1. The parties agree that when the transfer of Customer Personal Data from Customer to NextRoll is a Restricted Transfer it shall be subject to the appropriate Standard Contractual Clauses as set forth in this clause 5.
5.2. In relation to the Service Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
- Module One will apply;
- in Clause 7, the optional docking clause will apply;
- in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
- in Clause 18(b), disputes shall be resolved before the courts of Ireland;
- Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this Data Protection Addendum; and
- Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this Data Protection Addendum.
5.3. In relation to the Customer CRM Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
- Module Two will apply;
- in Clause 7, the optional docking clause will apply;
- in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in clause 8.3 of this Data Protection Addendum;
- in Clause 11, the optional language will not apply;
- in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
- in Clause 18(b), disputes shall be resolved before the courts of Ireland;
- Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this Data Protection Addendum; and
- Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this Data Protection Addendum.
5.4. In relation to Customer CRM Data and Service Data that is protected by the UK GDPR, the UK SCCs will apply and will be deemed executed between the Customer and NextRoll, with the Tables in the UK SCCs completed as follows:
- Table 1: the Parties’ details shall be the Parties as set forth in Annex I.A to this Data Protection Addendum, and their affiliates to the extent any of them is involved in such a transfer. The Key Contact for each Party shall be the contacts set forth in Annex I.A to this Data Protection Addendum.
- Table 2: The Approved EU Standard Contractual Clauses referenced in Table 2 shall be the EU SCCs, completed as set out above in clauses 5.2 (for transfers involving Service Data) or 5.3 (for transfers involving Customer CRM Data) of this Data Protection Addendum, depending on the type of data transferred.
- Table 3: Annexes IA, IB, and II shall be set forth in Annexes I and II to this Data Protection Addendum. Annex III is inapplicable.
- Table 4: NextRoll may end the UK SCCs as set out in Section 19 of the UK SCCs.
5.5. To the extent that any provision of this Data Protection Addendum or the Agreement conflicts, directly or indirectly, with the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
6. CONFIDENTIALITY OF PROCESSING
NextRoll shall ensure that any person that it authorises to process the Customer Personal Data (including NextRoll's staff, agents and subprocessors) (an "Authorised Person") shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person to process the Customer Personal Data who is not under such a duty of confidentiality. NextRoll shall ensure that all Authorised Persons process the Customer Personal Data only as necessary for the Permitted Purpose.
7. SECURITY
NextRoll shall implement appropriate technical and organisational measures to protect the Customer Personal Data from accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access (a "Security Incident"). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
At a minimum, such measures shall include the measures identified in Annex II.
8. SUBPROCESSING
8.1. This clause 8 applies only with respect to NextRoll’s processing of Customer CRM Data and not to NextRoll’s processing of Service Data.
8.2. Customer consents to NextRoll’s use of the subprocessors identified at the URL https://www.nextroll.com/terms/data-protection/subprocessors ("Subprocessor Page") to process Customer CRM Data.
8.3. Customer consents to NextRoll engaging additional or replacement third party subprocessors to process the Customer CRM Data provided that: (i) NextRoll updates its Subprocessor Page with details of any proposed change in subprocessors at least fourteen (14) days in advance of appointing or replacing a subprocessor (Customer can subscribe to the RSS feed for the Subprocessor Page to be automatically notified of any such changes); (ii) NextRoll imposes data protection terms on any subprocessor it appoints that protect the Customer CRM Data, in substance, to the same standard provided for by this Data Protection Addendum; and (iii) NextRoll remains fully liable for any breach of this clause that is caused by an act, error or omission of its subprocessor.
8.4. If Customer objects to NextRoll’s appointment of an additional or replacement subprocessor on reasonable grounds relating to the protection of the Customer CRM Data, then either NextRoll will not appoint the subprocessor or, if this is not possible, Customer may elect to suspend or terminate the impacted Service (without prejudice to any fees incurred by Customer prior to suspension or termination).
9. ASSISTANCE TO CUSTOMER
9.1. NextRoll shall assist Customer in meeting Customer’s obligations under Applicable Data Protection Law, to the extent required by such Applicable Data Protection Law.
9.2. If NextRoll believes or becomes aware that its processing of Customer CRM Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall promptly inform Customer and NextRoll shall provide Customer with all such reasonable and timely assistance as Customer may require in order to conduct a data protection impact assessment in accordance with Applicable Data Protection Law including, if necessary, to assist Customer to consult with its relevant data protection authority.
9.3. Data Subject Requests.
- With regard to Customer CRM Data, NextRoll shall provide all reasonable and timely assistance to Customer to enable Customer to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable) in connection with Customer CRM Data; and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Customer CRM Data. In the event that any such request, correspondence, inquiry or complaint is made directly to NextRoll, NextRoll shall promptly inform Customer, providing full details of the same.
- With regard to Service Data, NextRoll shall respond to requests by data subjects as provided under Applicable Data Protection Law, and where relevant, Customer shall provide assistance to NextRoll in connection with such response.
10. SECURITY INCIDENTS
Upon becoming aware of a confirmed Security Incident, NextRoll shall inform Customer without undue delay and shall provide all such timely information and cooperation as Customer may require in order for Customer to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. NextRoll shall further take all such measures and actions as are necessary to remedy or mitigate the effects of a confirmed Security Incident and shall keep Customer informed of all developments in connection with the confirmed Security Incident.
11. DELETION OR RETURN OF DATA
Upon termination or expiry of the Agreement, NextRoll shall destroy all Customer CRM Data (including all copies of the Customer CRM Data) in its possession or control (including any Customer CRM Data subcontracted to a third party for processing) at the Customer’s request or in accordance with NextRoll’s data retention policy set out at https://www.nextroll.com/privacy. This requirement shall not apply to the extent that NextRoll is required by any applicable law to retain some or all of the Customer CRM Data, in which event NextRoll shall isolate and protect the Customer CRM Data from any further processing except to the extent required by such law until deletion is possible.
NextRoll may retain Service Data in accordance with its retention and deletion policies.
12. AUDIT
12.1. With respect to NextRoll’s processing of Service Data, NextRoll shall make available to Customer upon request documentation sufficient to demonstrate NextRoll’s compliance with this Data Protection Addendum and/or Applicable Data Protection Law.
12.2. With respect to NextRoll’s processing of Customer CRM Data, NextRoll shall permit Customer (or its appointed third party auditors) to audit NextRoll's compliance with this Data Protection Addendum, and shall make available to Customer all information, systems and staff necessary for Customer (or its third party auditors) to conduct such audit. NextRoll acknowledges that Customer (or its third party auditors) may enter premises owned or controlled by NextRoll only for the purposes of conducting this audit, provided that Customer gives it reasonable prior notice of its intention to audit, conducts its audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to NextRoll’s operations. Customer will not exercise its audit rights (including submitting written audit questions to NextRoll) more than once in any twelve (12) calendar month period, except (i) if and when required by instruction of a competent data protection authority; or (ii) Customer believes a further audit is necessary due to a confirmed Security Incident suffered by NextRoll. Customer shall be solely responsible for the costs of any such audit, and NextRoll shall be permitted to charge Customer for the support it provides in connection with any such audit at its then-current professional services day rates.
12.3. Customer acknowledges that NextRoll is regularly audited against SOC 2 standards by independent third-party auditors. Upon request, NextRoll shall supply a summary copy of its audit report(s) to Customer, which reports shall be subject to the confidentiality provisions of the Agreement.
12.4. The Customer agrees that, if and to the extent that it elects to conduct an audit with respect to NextRoll’s processing of Customer CRM Data under Clause 8.9 of Module 2 of the Standard Contractual Clauses, such audit shall be conducted in accordance with the requirements of this Clause 13.2 - 13.4.
ANNEX I
DATA PROCESSING DESCRIPTION
This Annex I forms part of the Data Protection Addendum and describes the processing that NextRoll will perform on behalf of the Customer.
A. List of parties
- Customer(s) / Data exporter(s): Controller (for Service Data)
- NextRoll(s) / Data importer(s): Controller (for Service Data)
B. Description of transfer
Categories of data subjects whose personal data is transferred:
- Data subjects who are prospective and existing customers of the Customer ("Customer Data Subjects")
- Data subjects who are employees or staff members of the Customer ("Employee Data Subjects")
- Data subjects who view Customer websites where the NextRoll pixel is placed (“Customer End Users”)
Categories of personal data transferred:
- Customer Data Subjects: contact information and any other affiliated contact information (e.g., email address, name, address, phone number, company name, job title) about End Users that is provided by Customer (as data exporter) to NextRoll (as data importer), obtained through third party integrations with the services Customer allows, or obtained by NextRoll on Customer’s behalf in connection with the services.
- Employee Data Subjects: email address and IP address.
- Customer End Users: device and browsing behavior information on Customers’ sites collected by the NextRoll pixel (e.g., cookies, device information, IP address, non-precise location data, browser data, ad pixel data) and, if permitted by Customer, hashed email addresses as entered on the Customer Site by the Customer End Users.
Sensitive data transferred:
- None.
Frequency of the transfer:
- Continuous basis for the duration of the Agreement.
Nature and purpose of the processing:
- The provision of digital marketing services pursuant to the Agreement.
The digital marketing services provided by NextRoll will include processing of Customer CRM Data on behalf of the Customer for the following purposes:
- Sending of targeted emails to Customer Data Subjects at the Customer's request.
- Matching Customer Data Subjects' personal data with NextRoll Service Data and third party advertising partners’ online data in order to recognise Customer Data Subjects when they visit third party publisher websites in order to bid on, and serve them, targeted advertising on behalf of the Customer, and to supplement Customer’s CRM Data with identified browsing behavior on Customers’ sites and interaction with Customers’ direct marketing.
- Reporting to the Customer on impact of email and online advertising campaigns to Customer Data Subjects;
- Using emails belonging to Employee Data Subjects as login details to access NextRoll’s digital marketing platform.
Service Data may also be processed in NextRoll’s capacity as a data controller to provide and improve its services for all customers, including for ad targeting, reporting, insights, and analytics (for the purpose of creating Performance Reports), and ad selection.
Period for which the personal data will be retained:
- If either Customer or NextRoll explicitly terminates the NextRoll services in accordance with the Agreement, NextRoll will delete Customer CRM Data within 90 days from the termination date.
- If a Customer’s account has been suspended for 90 days or more, the Customer CRM Data will be deleted.
- When a Customer has not logged in to their NextRoll account in the past 365 days and there has been no product usage in the past 30 days and no media spend has occurred in the past 30 days, the Customer CRM Data will be deleted when the 366th day of no login activity occurs for the account.
- As a data controller for Service Data, NextRoll will retain Service Data in accordance with its data retention policies.
C. Competent supervisory authority
ANNEX II
TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
Description of the technical and organisational measures implemented by the processor(s) / data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
In the design process, NextRoll aims to minimize the collection and use of Customer Personal Data whenever possible.
Where Customer Personal Data is used, it will be pseudonymised using aggregation, de-identification or hashing unless the raw data is required for a legitimate business purpose. If the actual data is required, it will be encrypted using current encryption standards.
NextRoll’s systems are designed to be highly available and take advantage of scalable and distributed architectures spanning multiple geographic locations in AWS.
NextRoll maintains system monitoring and a 24/7 operations center to deal with operational issues.
NextRoll has created and regularly tests disaster recovery plans. These plans include specifics of how to recover the services and have specified recovery point and time objectives as well as specific response and reporting processes for incidents that involve personal data.
NextRoll conducts a SOC 2 Type 2 audit annually.
NextRoll maintains a continuous compliance program where security controls and processes are automatically monitored, and anomalies are reported for remediation.
Additionally, NextRoll conducts vulnerability scanning, maintains an ongoing bug bounty program and conducts a penetration test using a third party every six months. Technologies such as cloud security posture management (CSPM) and asset management (CMDB) continuously perform asset discovery, assess their posture, and prioritise the findings based on the risk they pose.
For each of the AdRoll and RollWorks applications, NextRoll maintains a central authentication and authorization service that supports single sign on (SSO) and multifactor authentication (MFA). Access controls are enforced based on the role the user was assigned in the application realm.
For NextRoll’s business applications including remote access, NextRoll uses a third party SaaS SSO solution which mandates MFA for all NextRoll users. Role-based access controls (RBAC) are also in place.
NextRoll’s applications, systems and network services create detailed logging including but not limited to: login success and failure, user creation, permissions change, data access, fraudulent transactions, and attempted attacks.
Events are forwarded to a central write-only repository and are analysed to identify potential security issues. The security information and event management solution (SIEM) normalises the logs and applies threat intelligence to identify indicators of compromise (IoCs).
NextRoll maintains a number of security products that provide specific security alerting based on conditional and anomaly monitoring rules. These are provided and continuously updated by vendors, together with internally developed rules.
NextRoll stores and deploys standard system configurations. These images are scanned using tools that verify that the systems are configured according to recommended best practices and do not contain serious vulnerabilities.
File integrity monitoring (FIM) capability is in place and reports changes to the CSPM. Together with the CMDB solution, NextRoll is able to identify deviations of standard configurations.
NextRoll has a holistic security program that manages risk posed by users, data, systems and vendors through the entire lifecycle. This includes the following:
- Users are created with permissions appropriate to their role, sign confidentiality agreements and are trained on security and privacy policies and best practices. User access is tied to employment status, so accounts and rights are revoked automatically on termination.
- Users are required to utilize MFA and secure remote access technologies to access resources with a zero-trust approach.
- Devices have standardized controls and builds.
- Devices are protected against malware by a corporate solution that is centrally managed and integrated in the continuous security monitoring capabilities.
- Non-corporate devices (BYOD) have conditional access to resources under the zero-trust architecture, depending on the risk score they pose and the minimum risk score required to access each resource.
- Vendors are vetted to ensure that they do not create unacceptable risks.
- A corporate endpoint security standard is maintained and specifies the minimum version of critical software. Systems are updated regularly.
- Permissions are reviewed and removed on a regular basis.
- Systems are wiped at the end of their lifespan.
NextRoll bases its security program on NIST CSF and uses this to report status to the security and compliance committee.
NextRoll both audits its own processes and products and conducts an annual SOC 2 Type 2 audit using an external auditor.
CSPM and CMDB technologies also provide benchmarks based on best practices and recognized security frameworks.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the Customer (and, for transfers from a processor to a sub-processor, to the data exporter).