Data Protection Addendum
Effective as of September 27, 2021
To see the prior Data Protection Addendum, click here.
This Data Protection Addendum is referred to and forms an integral part of, the NextRoll Terms of Service and any applicable Service Addenda (together, the "Agreement"). It is effective upon acceptance of the Terms of Service.
Where Applicable Data Protection Law protects the personal data processed under the Agreement, Customers may enter into this Data Protection Addendum (which incorporates the European Commission’s Standard Contractual Clauses): (i) to protect the personal data in accordance with the requirements of Applicable Data Protection Law; and (ii) to provide appropriate safeguards with respect to Restricted Transfers of personal data outside of the European Territories.
This Data Protection Addendum reflects the Parties’ agreement with respect to the terms governing the processing of personal data under the Agreement.
1. DEFINITIONS
In this Data Protection Addendum, the following terms shall have the following meanings:
- "controller", "processor", "data subject", "personal data", "processing" (and "process") and "special categories of personal data" shall have the meanings given in the Applicable Data Protection Law;
- "Applicable Data Protection Law" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time;
- "Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not subject to adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and
- "Standard Contractual Clauses" means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR ("UK SCCs").
Any other capitalized terms not defined in this Data Protection Addendum shall have the meaning given to them in the Agreement.
2. RELATIONSHIP OF THE PARTIES
The Customer (the "controller") appoints NextRoll as a processor to process the personal data defined as Customer CRM Data in the Terms of Service and as described in Annex I ("Customer Personal Data").
3. PROHIBITED DATA
Customer shall not disclose any special categories of personal data to NextRoll for processing.
4. PURPOSE LIMITATION
NextRoll shall process the Customer Personal Data as a processor for the purposes described in Annex I in order to perform its obligations under the Agreement and strictly in accordance with the documented instructions of Customer (the "Permitted Purpose"), except where otherwise required by law(s) that are not incompatible with Applicable Data Protection Law. In no event shall NextRoll process the Customer Personal Data for its own purposes or those of any third party. NextRoll shall immediately inform Customer if it becomes aware that Customer's processing instructions infringe Applicable Data Protection Law.
5. RESTRICTED TRANSFERS
5.1. The parties agree that when the transfer of Customer Personal Data from Customer to NextRoll is a Restricted Transfer it shall be subject to the appropriate Standard Contractual Clauses as follows:
5.2. In relation to Customer Personal Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
- Module Two will apply;
- in Clause 7, the optional docking clause will apply;
- in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in clause 8.2 of this Data Protection Addendum;
- in Clause 11, the optional language will not apply;
- in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
- in Clause 18(b), disputes shall be resolved before the courts of Ireland;
- Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this Data Protection Addendum; and
- Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this Data Protection Addendum.
5.3. In relation to Customer Personal Data that is protected by the UK GDPR, the UK SCCs will apply completed as follows:
- (i) For so long as it is lawfully permitted to rely on standard contractual clauses for the transfer of personal data to processors set out in the European Commission's Decision 2010/87/EU of 5 February 2010 ("Prior C2P SCCs") for transfers of personal data from the United Kingdom, the Prior C2P SCCs shall apply between the Customer and NextRoll on the following basis:
  - (A) Appendix 1 shall be completed with the relevant information set out in Annex I to this Data Protection Addendum;
  - (B) Appendix 2 shall be completed with the relevant information set out in Annex II to this Data Protection Addendum; and
  - (C) the optional illustrative indemnification Clause will not apply.
- (ii) Where sub-clause (i) above does not apply, but the Customer and NextRoll are lawfully permitted to rely on the EU SCCs for transfers of personal data from the United Kingdom subject to completion of a "UK Addendum to the EU Standard Contractual Clauses" ("UK Addendum") issued by the Information Commissioner's Office under s.119A(1) of the Data Protection Act 2018, then:
  - (A) the EU SCCs, completed as set out above in clause 5.2 of this Data Protection Addendum, shall also apply to transfers of such Customer Personal Data, subject to sub-clause (B) below; and
  - (B) the UK Addendum shall be deemed to form part of this Data Protection Addendum, and the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of such Customer Personal Data.
5.4. In the event that any provision of this Data Protection Addendum or the Agreement contradicts, directly or indirectly, with the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
6. CONFIDENTIALITY OF PROCESSING
NextRoll shall ensure that any person that it authorises to process the Customer Personal Data (including NextRoll's staff, agents and subprocessors) (an "Authorised Person") shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person to process the Customer Personal Data who is not under such a duty of confidentiality. NextRoll shall ensure that all Authorised Persons process the Customer Personal Data only as necessary for the Permitted Purpose.
7. SECURITY
NextRoll shall implement appropriate technical and organisational measures to protect the Customer Personal Data from accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access (a "Security Incident"). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
At a minimum, such measures shall include the measures identified in Annex II.
8. SUBPROCESSORS
8.1. Customer consents to NextRoll's use of the subprocessors identified at the URL https://www.nextroll.com/terms/data-protection/subprocessors ("Subprocessor Page") to process Customer Personal Data.
8.2. Customer consents to NextRoll engaging additional or replacement third party subprocessors to process the Customer Personal Data provided that: (i) NextRoll updates its Subprocessor Page with details of any proposed change in subprocessors at least fourteen (14) days in advance of appointing or replacing a subprocessor (Customer can subscribe to the RSS feed for the Subprocessor Page to be automatically notified of any such changes); (ii) NextRoll imposes data protection terms on any subprocessor it appoints that protect the Customer Personal Data, in substance, to the same standard provided for by this Data Protection Addendum; and (iii) NextRoll remains fully liable for any breach of this clause that is caused by an act, error or omission of its subprocessor.
8.3. If Customer objects to NextRoll’s appointment of an additional or replacement subprocessor pursuant to clause 8.2 on reasonable grounds relating to the protection of the Customer Personal Data, then either NextRoll will not appoint the subprocessor or, if this is not possible, Customer may elect to suspend or terminate the impacted Service (without prejudice to any fees incurred by Customer prior to suspension or termination).
9. COOPERATION AND DATA SUBJECTS' RIGHTS
NextRoll shall provide all reasonable and timely assistance to Customer to enable Customer to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable) in connection with Customer Personal Data; and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Customer Personal Data. In the event that any such request, correspondence, enquiry or complaint is made directly to NextRoll, NextRoll shall promptly inform Customer providing full details of the same.
10. DATA PROTECTION IMPACT ASSESSMENT
If NextRoll believes or becomes aware that its processing of the Customer Personal Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall promptly inform Customer and NextRoll shall provide Customer with all such reasonable and timely assistance as Customer may require in order to conduct a data protection impact assessment in accordance with Applicable Data Protection Law including, if necessary, to assist Customer to consult with its relevant data protection authority.
11. SECURITY INCIDENTS
Upon becoming aware of a confirmed Security Incident, NextRoll shall inform Customer without undue delay and shall provide all such timely information and cooperation as Customer may require in order for Customer to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. NextRoll shall further take all such measures and actions as are necessary to remedy or mitigate the effects of a confirmed Security Incident and shall keep Customer informed of all developments in connection with the confirmed Security Incident.
12. DELETION OR RETURN OF DATA
Upon termination or expiry of the Agreement, NextRoll shall destroy all Customer Personal Data (including all copies of the Customer Personal Data) in its possession or control (including any Customer Personal Data subcontracted to a third party for processing) at the Customer's request or in accordance with NextRoll's data retention policy set out at https://www.nextroll.com/privacy. This requirement shall not apply to the extent that NextRoll is required by any applicable law to retain some or all of the Customer Personal Data, in which event NextRoll shall isolate and protect the Customer Personal Data from any further processing except to the extent required by such law until deletion is possible.
13. AUDIT
13.1. NextRoll shall permit Customer (or its appointed third party auditors) to audit NextRoll's compliance with this Data Protection Addendum, and shall make available to Customer all information, systems and staff necessary for Customer (or its third party auditors) to conduct such audit. NextRoll acknowledges that Customer (or its third party auditors) may enter premises owned or controlled by NextRoll only for the purposes of conducting this audit, provided that Customer gives it reasonable prior notice of its intention to audit, conducts its audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to NextRoll's operations. Customer will not exercise its audit rights (including submitting written audit questions to NextRoll) more than once in any twelve (12) calendar month period, except (i) if and when required by instruction of a competent data protection authority; or (ii) Customer believes a further audit is necessary due to a confirmed Security Incident suffered by NextRoll. Customer shall be solely responsible for the costs of any such audit, and NextRoll shall be permitted to charge Customer for the support it provides in connection with any such audit at its then-current professional services day rates.
13.2. Customer acknowledges that NextRoll is regularly audited against SOC 2 standards by independent third-party auditors. Upon request, NextRoll shall supply a summary copy of its audit report(s) to Customer, which reports shall be subject to the confidentiality provisions of the Agreement.
13.3. The Customer agrees that, if and to the extent that it elects to conduct an audit under Clause 8.9 of the Standard Contractual Clauses, such audit shall be conducted in accordance with the requirements of this Clause 13.
14. OTHER DATA
14.1. In the course of providing the Services, NextRoll Limited may also process Service Data and Performance Reports. NextRoll Limited determines the purposes and means of the processing of Service Data and Performance Reports (except to the extent that any Performance Reports include Customer Personal Data), including to enable it to better target online advertising and to improve its products and services across all NextRoll customers.
14.2. As such, Customer acknowledges that NextRoll Limited is a controller of such Service Data and Performance Reports, and NextRoll Limited shall process such data strictly in accordance with (and enable data subjects to exercise their rights with respect to such data under): (i) Applicable Data Protection Law, and (ii) its then-current publicly-accessible privacy notice posted on https://www.nextroll.com/privacy.
ANNEX I: DATA PROCESSING DESCRIPTION
This Annex I forms part of the Data Protection Addendum and describes the processing that NextRoll will perform on behalf of the Customer.
A. List of parties
Customer(s) / Data exporter(s):
NextRoll(s) / Data importer(s)
B. Description of transfer
Categories of data subjects whose personal data is transferred:
- Data subjects who are prospective and existing customers of the Customer ("Customer Data Subjects")
- Data subjects who are employees or staff members of the Customer ("Employee Data Subjects")
Categories of personal data transferred:
- Customer Data Subjects: contact information including email address and any other affiliated contact information provided by the Customer (as data exporter) to NextRoll (as data importer) to perform the Services (e.g., name, address, email, phone number, company name, job title).
- Employee Data Subjects: email address and, if the Customer uses AdRoll Email, IP address.
Frequency of the transfer:
- Continuous basis for the duration of the Agreement.
Nature of the processing:
- The provision of digital marketing services pursuant to the Agreement.
Purpose(s) of the data transfer and further processing:
The digital marketing services provided by NextRoll will include processing on behalf of the Customer for the following purposes:
- Sending of targeted emails to Customer Data Subjects at the Customer's request.
- Matching Customer Data Subjects' personal data with NextRoll Service Data and third party advertising partners' online data in order to recognise Customer Data Subjects when they visit third party publisher websites in order to bid on, and serve them, targeted advertising on behalf of the Customer.
- Reporting to the Customer on the impact of email and online advertising campaigns to Customer Data Subjects.
- Using emails belonging to Employee Data Subjects as login details to access NextRoll's digital marketing platform.
Period for which the personal data will be retained:
- If either Customer or NextRoll explicitly terminates the NextRoll Services in accordance with the Agreement, NextRoll will delete Customer Personal Data within 90 days from the termination date.
- If a Customer's account has been suspended for 90 days or more, the Customer Personal Data will be deleted.
- When a Customer has not logged in to their NextRoll account in the past 365 days and there has been no product usage in the past 30 days and no media spend has occurred in the past 30 days, the Customer Personal Data will be deleted when the 366th day of no login activity occurs for the account.
C. Competent supervisory authority
ANNEX II: TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
Description of the technical and organisational measures implemented by the processor(s) / data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
In the design process, NextRoll aims to minimize the collection and use of Customer Personal Data whenever possible.
Where Customer Personal Data is used it will be pseudonymised using aggregation, de-identification or hashing unless the raw data is required for a legitimate business purpose. If the raw data is required it will be encrypted using current encryption standards.
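The "hashing" option above deserves a practitioner's caveat: an unkeyed hash of an email address is deterministic, so it supports the matching purpose described in Annex I, but anyone who can guess the address (from a breach dump or a mailing list) can recompute the hash and reverse it. A keyed hash (HMAC) under a secret held by the processor keeps the matching property and removes the guessing attack, and destroying the key makes the tokens unlinkable, which dovetails with the deletion rules in Annex I. The following is an added example and not NextRoll's code; DEMO_KEY, the CRM addresses and the attacker's word list are all constructed for illustration.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed demo key. In practice: a per-customer secret held only by the
# processor, stored in a secrets manager, rotated, and destroyed with the data.
DEMO_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
)


def normalize_email(email: str) -> str:
    """Canonicalise the address so one mailbox always maps to one token."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return f"{local.lower()}@{domain.lower()}"


def unkeyed_token(email: str) -> str:
    """Plain SHA-256 of the address. Deterministic (so it matches), but anyone
    who can guess the address can recompute the token and reverse it."""
    return hashlib.sha256(normalize_email(email).encode()).hexdigest()


def keyed_token(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Same matching property for parties that
    share the key; without the key, hashing guesses yields nothing."""
    return hmac.new(key, normalize_email(email).encode(), hashlib.sha256).hexdigest()


def reverse_by_guessing(token: str, candidates: Iterable[str],
                        key: Optional[bytes] = None) -> Optional[str]:
    """Attacker model: hash every plausible address and compare with the token.
    Returns the recovered address, or None if no candidate matches."""
    for cand in candidates:
        guess = keyed_token(cand, key) if key is not None else unkeyed_token(cand)
        if hmac.compare_digest(guess, token):
            return normalize_email(cand)
    return None


def main() -> None:
    # Constructed CRM export and a constructed attacker word list.
    crm = ["Alice@Example.com", "bob@example.org"]
    wordlist = ["carol@example.net", "alice@example.com", "bob@example.org"]
    for addr in crm:
        plain, keyed = unkeyed_token(addr), keyed_token(addr, DEMO_KEY)
        print(addr, "plain hash reversed ->", reverse_by_guessing(plain, wordlist))
        print(addr, "keyed token reversed ->", reverse_by_guessing(keyed, wordlist))


if __name__ == "__main__":
    main()
```

Normalisation before hashing matters in both directions: without it the same mailbox written with different capitalisation produces different tokens and the match silently fails; with it, a guessing attacker needs only one canonical spelling per candidate.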
NextRoll’s systems are designed to be highly available and take advantage of scalable and distributed architectures spanning multiple geographic locations in AWS.
NextRoll maintains system monitoring and a 24/7 operations center to deal with operational issues.
NextRoll has created and regularly tests disaster recovery plans. These plans include specifics of how to recover the services and have specified recovery point and time objectives as well as specific response and reporting processes for incidents that involve personal data.
NextRoll conducts a SOC 2 Type 2 audit annually.
NextRoll maintains a continuous compliance program where security controls and processes are automatically monitored, and anomalies are reported for remediation.
Additionally, NextRoll conducts vulnerability scanning, maintains an ongoing bug bounty program and conducts a penetration test using a third party every six months. Technologies such as cloud security posture management (CSPM) and asset management (CMDB) continuously perform asset discovery, assess their posture, and prioritise the findings based on the risk they pose.
For each of the AdRoll and RollWorks applications, NextRoll maintains a central authentication and authorization service that supports single sign on (SSO) and multifactor authentication (MFA). Access controls are enforced based on the role the user was assigned in the application realm.
For NextRoll’s business applications including remote access, NextRoll uses a third party SaaS SSO solution which mandates MFA for all NextRoll users. Role-based access controls (RBAC) are also in place.
NextRoll’s applications, systems and network services create detailed logging including but not limited to: login success and failure, user creation, permissions change, data access, fraudulent transactions, and attempted attacks.
Events are forwarded to a central write-only repository and are analysed to identify potential security issues. The security information and event management solution (SIEM) normalises the logs and applies threat intelligence to identify indicators of compromise (IoC).
NextRoll maintains a number of security products that provide specific security alerting based on conditional and anomaly monitoring rules. These are provided and continuously updated by vendors, together with internally developed rules.
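To make the "conditional and anomaly monitoring rules" above concrete, here is an added example (not NextRoll's SIEM content or code) of three internally developed rules run over a constructed batch of the event types the annex lists: login success and failure, and permissions change. The log format, field names, IP addresses and user names are all constructed for the example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample in the shape of the event types the annex lists.
# Not real NextRoll log data.
SAMPLE_LOG = """\
{"ts": "2021-09-27T08:00:01Z", "event": "login", "outcome": "failure", "user": "alice", "src_ip": "203.0.113.7"}
{"ts": "2021-09-27T08:00:03Z", "event": "login", "outcome": "failure", "user": "bob", "src_ip": "203.0.113.7"}
{"ts": "2021-09-27T08:00:04Z", "event": "login", "outcome": "failure", "user": "carol", "src_ip": "203.0.113.7"}
{"ts": "2021-09-27T08:00:06Z", "event": "login", "outcome": "failure", "user": "dave", "src_ip": "203.0.113.7"}
{"ts": "2021-09-27T08:00:09Z", "event": "login", "outcome": "failure", "user": "erin", "src_ip": "203.0.113.7"}
{"ts": "2021-09-27T08:00:12Z", "event": "login", "outcome": "success", "user": "erin", "src_ip": "203.0.113.7"}
{"ts": "2021-09-27T08:01:00Z", "event": "login", "outcome": "failure", "user": "alice", "src_ip": "198.51.100.2"}
{"ts": "2021-09-27T08:30:00Z", "event": "login", "outcome": "success", "user": "alice", "src_ip": "198.51.100.2"}
{"ts": "2021-09-27T09:00:00Z", "event": "permissions_change", "user": "erin", "target": "alice", "role": "admin", "src_ip": "203.0.113.7"}
"""


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda ev: ev["ts"])


def detect(events: List[dict], threshold: int = 5,
           window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Three rules over a sliding per-source-IP window of login failures.
    brute_force: at least `threshold` failures inside `window` (fires once per IP).
    success_after_failures: a login success while the window still holds
        `threshold` failures (credential stuffing / spraying that landed).
    privilege_change_from_flagged_ip: a permissions change from an IP that
        already tripped brute_force, regardless of how much later it happens."""
    failures: Dict[str, deque] = defaultdict(deque)  # src_ip -> (ts, user) in window
    flagged = set()
    alerts: List[dict] = []

    for ev in events:
        ip, ts = ev["src_ip"], ev["ts"]
        q = failures[ip]
        while q and ts - q[0][0] > window:  # evict entries older than the window
            q.popleft()

        if ev["event"] == "login" and ev["outcome"] == "failure":
            q.append((ts, ev["user"]))
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"rule": "brute_force", "src_ip": ip, "ts": ts,
                               "failures": len(q),
                               "distinct_users": len({u for _, u in q})})
        elif ev["event"] == "login" and ev["outcome"] == "success":
            if len(q) >= threshold:
                alerts.append({"rule": "success_after_failures", "src_ip": ip,
                               "ts": ts, "user": ev["user"]})
        elif ev["event"] == "permissions_change" and ip in flagged:
            alerts.append({"rule": "privilege_change_from_flagged_ip",
                           "src_ip": ip, "ts": ts, "user": ev["user"],
                           "target": ev.get("target")})
    return alerts


def run_sample() -> List[dict]:
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        extra = {k: v for k, v in a.items() if k not in ("ts", "rule", "src_ip")}
        print(a["ts"].isoformat(), a["rule"], a["src_ip"], extra)
```

On the sample, the single failure from 198.51.100.2 followed by a success half an hour later produces nothing, while 203.0.113.7 trips all three rules in sequence. The third rule is the one worth keeping in mind when tuning: it deliberately does not expire with the window, because a privilege change from a source that was brute-forcing an hour earlier is exactly the kind of cross-event correlation a write-only central log exists to support.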
NextRoll stores and deploys standard system configurations. These images are scanned using tools that determine that the systems are configured using recommended best practices and do not contain serious vulnerabilities.
File integrity monitoring (FIM) capability is in place and reports changes to the CSPM. Together with the CMDB solution, NextRoll is able to identify deviations of standard configurations.
NextRoll has a holistic security program that manages risk posed by users, data, systems and vendors through the entire lifecycle. This includes the following:
- Users are created with permissions appropriate to their role, sign up to confidentiality agreements and are trained on security and privacy policies and best practices. User access is tied to employment status so accounts and rights are revoked automatically on termination.
- Users are required to utilize MFA and secure remote access technologies to access resources with a zero-trust approach.
- Devices have standardized controls and builds.
- Devices are protected against malware by a corporate solution that is centrally managed and integrated in the continuous security monitoring capabilities.
- Non-corporate devices (BYOD) have conditional access to resources, following the zero-trust architecture, based on the risk score the device poses and the minimum risk score required to access each resource.
- Vendors are vetted to ensure that they do not create unacceptable risks.
- A corporate endpoint security standard is maintained and specifies the minimum version of critical software. Systems are updated regularly.
- Permissions are reviewed and removed on a regular basis.
- Systems are wiped at the end of their lifespan.
NextRoll bases its security program on NIST CSF and uses this to report status to the security and compliance committee.
NextRoll both audits its own processes and products and conducts an annual SOC 2 Type 2 audit using an external auditor.
CSPM and CMDB technologies also provide benchmarks based on best practices and recognized security frameworks.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the Customer (and, for transfers from a processor to a sub-processor, to the data exporter).