
This Data Processing Addendum (“DPA”) applies to IXCloud (Numonix)’s Processing of Personal Data provided to IXCloud (Numonix) by Customer as part of IXCloud (Numonix)’s provision of Recording Software, Services, or Software-as-a-Service (“Services”) to Customer. This DPA forms part of the IXCloud Subscription Services Agreement, Terms of Service, End User License Agreement, or other written or electronic agreement (“Agreement”) between Numonix and Customer for the purchase of Services to reflect the parties’ agreement with regard to the Processing of Personal Data.

In the course of providing products and/or services to Customer pursuant to this DPA, IXCloud (Numonix) may Process Personal Data on behalf of Customer and the parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

The terms of this DPA will be effective and replace any previously applicable data processing terms as of the date of execution.

Introduction

  1. Customer is a Controller (as applicable partner or end tenant) of certain Personal Data and wishes to appoint IXCloud (Numonix) as a Processor to Process this Personal Data on its behalf.
  2. The parties are entering into this DPA to ensure that IXCloud (Numonix) conducts such data Processing in accordance with Customer’s instructions and Applicable Data Protection Law requirements, and with full respect for the fundamental data protection rights of the Data Subjects whose Personal Data will be Processed.

Definitions

In this DPA, the following terms shall have the following meanings:

“Controller”, “Processor”, “Sub-Processor”, “Data Subject”, “Personal Data” and “Processing” (and “Process”) shall have the meanings given in Applicable Data Protection Law. “Personal Data” shall include “Personal information” as that term is defined under Applicable Data Protection Law.

“Applicable Data Protection Law” shall mean: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); (ii) EU Directive 2002/58/EC concerning the Processing of Personal Data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications); (iii) any national legislation made under or pursuant to (i) or (ii); (iii) California Consumer Privacy Act; (iv) any amendments or successor legislation to (i), (ii), (iii), or (v); and (v) any other applicable data protection law, including but not limited to the Data Protection Act 2018, all as updated or superseded from time to time.

“Standard Contractual Clauses” shall mean the standard contractual clauses for the international transfer of Personal Data to third countries set out in the European Commission’s Decision 2021/914 of 4 June 2021 as amended from time to time.

Data Processing

  1. Relationship of the Parties. Customer (the Controller) appoints IXCloud (Numonix) as a Processor (or Sub-Processor as applicable) to Process the Personal Data that is the subject matter of the Agreement. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
  2. Purpose Limitation. IXCloud (Numonix) shall Process the Personal Data as a Processor only as necessary to perform its obligations under the Agreement, specifically the secure collection and secure storage of Customer communication records in any form, and their encrypted preservation and secured access exclusively for use and analysis only by the Customer and no other party including IXCloud (Numonix), and strictly in accordance with the documented instructions of Customer (the “Permitted Purpose”), except where otherwise required or allowed by Applicable Data Protection Law applicable to IXCloud (Numonix). In no event shall IXCloud (Numonix) Access, Review, Analyze or otherwise Process the Personal Data for its own purposes or those of any third party except as set forth in the Agreement. Other than as otherwise agreed upon by the parties in the Agreement or as otherwise permitted under Applicable Data Protection Law, IXCloud (Numonix) shall not (i) sell the Personal Data, or (ii) retain, use or disclose the Personal Data for any commercial purpose before or after the end of the validity of the commercial license or subscription under which this agreement is entered.
  3. International Transfers. Customer acknowledges and agrees that IXCloud (Numonix) may transfer and process Personal Data anywhere in the world where IXCloud (Numonix), its affiliates or its sub-processors maintain data processing operations. IXCloud (Numonix) shall not transfer the Personal Data (nor permit the Personal Data to be transferred) outside of the European Economic Area (the “EEA”) or the United Kingdom (the “UK”) unless the Customer provides confirmation of such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Personal Data to a recipient in a country that the European Commission or any applicable UK authority has decided provides adequate protection for Personal Data, to a recipient that has achieved binding corporate rules authorization in accordance with Applicable Data Protection Law, or to a recipient that has executed Standard Contractual Clauses. Where required under Applicable Data Protection Law to transfer Personal Data to IXCloud (Numonix) outside of the EEA or the UK, the Customer and IXCloud (Numonix) will be deemed to have entered into Standard Contractual Clauses with Customer as the “data exporter”; IXCloud (Numonix) as the “data importer”. Appendix 1 and Appendix 2 to the Standard Contractual Clauses shall be deemed completed with Appendix 1 and Appendix 2 of this DPA. The date of the Standard Contractual Clauses shall be the date of the Agreement. If and to the extent the Standard Contractual Clauses conflict with any provision of this DPA, the Standard Contractual Clauses shall prevail to the extent of such conflict. Where IXCloud (Numonix) is onward transferring Personal Data outside of the EEA or the UK under Standard Contractual Clauses, Customer authorizes IXCloud (Numonix) to enter into the Standard Contractual Clauses for the benefit of Customer.
  4. Confidentiality of Processing. Numonix shall ensure that any person that it authorizes to Process the Personal Data (including Numonix’s staff, agents and subcontractors) (an “Authorized Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person to access, review or Process the Personal Data who is not under such a duty of confidentiality. Numonix shall ensure that all Authorized Persons Process the Personal Data only as necessary for the Permitted Purpose.
  5. Security. Numonix shall implement appropriate technical and organizational measures to protect the Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data (a “Security Incident”). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures may include, as appropriate:
    1. the mandatory encryption on receipt of all stored Customer records containing Personal Data using keys exclusively assigned to the Customer;
    2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
    3. the ability to restore the availability and access to the encrypted storage object containing Personal Data in a timely manner in the event of a physical or technical incident;
    4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
  6. Sub-processing. Whilst not a normal component of IXCloud (Numonix) product offering, on request the Customer may authorize the engagement of IXCloud (Numonix)’s affiliates as Sub-processing. Customer consents to IXCloud (Numonix) engaging third party Sub-processing to Process the Personal Data provided that: (i) IXCloud (Numonix) maintains an up-to-date list of its Sub-processing available upon request which it shall update with details of any change in Sub-processing at least 10 days’ prior to any such change; (ii) Numonix imposes data protection terms on any Sub-processing it appoints that protect the Personal Data to substantially similar terms to the terms of this DPA; and (iii) Numonix remains fully responsible for any breach of this DPA that is caused by an act, error or omission of its Sub-processing. Customer may object to Numonix’s appointment or replacement of a third-party Sub-processing within thirty (30) days of the update to the list of Sub-processing, provided such objection is on reasonable grounds relating to the protection of the Personal Data. In such event, Numonix will either not appoint or replace the Sub-processing or, if this is not possible, Customer may suspend or terminate this DPA.
  7. Limitations: Please Note – Where Controller is a partner using licensed IXCloud (Numonix) components that do not include storage or access components or where stored communications are not retained within an IXCloud (Numonix) component this Numonix DPA may not be fully relevant in terms of Customer legal Data Privacy obligations. This should be addressed directly with the partner to ensure.
  8. Cooperation and Data Subjects’ Rights. IXCloud (Numonix) by design ensures that a Customer as data Controller retains full accountability for Personal Data within its encrypted content. That said Numonix shall provide all reasonable and timely assistance (including by appropriate technical and organizational measures) to Customer to enable Customer to respond to: (i) any request from a Data Subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other enquiry or complaint received from a Data Subject, regulator or other third party in connection with the Processing of the Personal Data. In the event that any such request, enquiry or complaint is made directly to IXCloud (Numonix), Numonix shall promptly inform Customer providing details of the same.
  9. Data Protection Impact Assessment. If Numonix believes or becomes aware that its Sub-Processing, Processing of the Personal Data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, it shall promptly inform Customer and provide Customer with all such reasonable and timely assistance as Customer may require in order to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority.
  10. Security Incidents. Upon becoming aware of a Security Incident, Numonix shall inform Customer without undue delay and shall provide all such timely information and cooperation as Customer may require in order for Customer to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. Numonix shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep Customer apprised of all developments in connection with the Security Incident.
  11. Deletion or Return of Data. Contractually, after termination or expiration of the IXCloud (Numonix) license to which this Agreement forms an addendum, Numonix shall within 15 days destroy all stored Data (including all copies of all Personal Data) in its possession or control (including any Personal Data subcontracted to a third party for Processing). This requirement shall not apply to the extent that Numonix is required by any UK, EU (or any EU Member State) law to retain some or all of the Personal Data for which the Customer is “Controller”, in which event IXCloud (Numonix) shall isolate and protect the stored Customer records that may contain Personal Data from any further Processing to the extent required by such law.
  12. Audit. Numonix shall permit upon Customer’s written request, when Customer has reasonable cause to believe Numonix is in non-compliance with its obligations under this DPA, the Customer’s auditor (the “Auditor”) to audit Numonix’s compliance with this DPA and shall make available to the Auditor all information, systems and staff necessary for the Auditor to conduct such audit. Numonix acknowledges that the Auditor may enter its premises for the purposes of conducting this audit, provided that Customer gives it reasonable prior notice of its intention to audit, conducts its audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to Numonix’s operations. Customer will not exercise its audit rights more than once in any twelve (12) calendar month period, except (i) if and when required by instruction of a competent data protection authority; or (ii) Customer reasonably believes a further audit is necessary due to a Security Incident suffered by IXCloud (Numonix).

IXCloud (Numonix) and Customer have caused this Agreement to be executed by their duly authorized representatives as of the Effective Date.

(Customer)
Signature:
Printed Name:
Title:
Date:
Address:

Numonix, LLC., a Delaware corporation
Signature:
Printed Name:
Title:
Date:
Address: 2650 N. Military Trail Suite 150, Boca Raton, FL 33431, USA

Appendix 1

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

Processing operations

The Personal Data transferred will be subject to the following basic processing activities (please specify):

  • Aggregation and processing by IXCloud (Numonix) products and services for use by the data exporter in its normal business activities.

Data exporter is (i) Customer which is subject to the data protection laws and regulations of the EU, the EEA and/or their member states, Switzerland and/or the UK and, (ii) its Affiliates (as defined in the Agreement).

Data importer

The data importer is (please specify briefly activities relevant to the transfer): IXCloud (Numonix) is a provider of recording software and Software-as-a-Service subscription services which may process Personal Data upon the instruction of the data exporter in accordance with the terms of the Agreement.

Data subjects

The Personal Data transferred concern the following categories of data subjects (please specify):

Data exporter may submit Personal Data to data importer through Services, as applicable, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

  • Prospects, customers, business partners and vendors of data exporter (who are natural persons)
  • Employees or contact persons of data exporter’s prospects, customers, business partners and vendors
  • Employees of data exporter (who are natural persons), that make calls to landlines and mobiles and that are included in the call recording policy
  • Data exporter’s Users authorized by data exporter to use IXCloud (Numonix)’s products and/or services (who are natural persons)

Categories of data

The Personal Data transferred concern the following categories of data (please specify):

Data exporter may submit Personal Data to the data importer through Services, as applicable, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

  • First and last name
  • Title/Position
  • Contact information (company, email, phone, physical business address)
  • Network data (including source and destination IP addresses and domains, approximate geolocation based on IP lookup, network traffic flows, communications metadata, machine names, and unique device identifiers)
  • User and endpoint behavior (including user account activity & metadata, applications executed on endpoints, and accessed URLs)
  • Application logs (including firewall logs, DHCP/DNS logs, intrusion detection logs, malware logs, cloud service logs, proxy logs, file access logs)
  • Other relevant machine data which the data exporter elects to send to the data importer for processing.

Special categories of data (if appropriate)

The Personal Data transferred concern the following special categories of data (please specify):

  • The data importer does not intentionally collect or process any special categories of data. However, the data exporter may submit special categories of data to the data importer through encrypted Services, as applicable, the extent of which is determined and controlled by the data exporter in its sole discretion.

Appendix 2

Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Appendix 3

Additional clauses

The parties agree that the audits described in Clause 5(f), Clause 11 and Clause 12(2) of the Model Clauses shall be carried out in accordance with the Section 11 of this DPA.

The parties agree that the certification of deletion of Personal Data that is described in Clause 12(1) of the Model Clauses shall be provided by the data importer to the data exporter only upon data exporter’s request.

The parties agree that data exporter’s consent for sub-processing as set forth in Section 6 of this DPA shall be deemed consent for the purposes of the Model Clauses.
