Data processing agreement.
This Data Processing Agreement (DPA) forms Appendix 1 to the NV Play End User Licence Agreement (EULA) and is incorporated into the EULA by reference.
Background
This Data Processing Agreement sets out the provisions that will govern all processing of Personal Data by the parties in connection with the General Terms and any Engagement Agreement (the Agreement). Its provisions amend and supplement the Agreement, and will take precedence over the Agreement unless expressly stated otherwise. Terms that are defined in the Agreement will have the same meaning when used in this Data Processing Agreement unless the context dictates otherwise.
-
Introduction
- This Data Processor Agreement regulates NV Play’s (the Data Processor) processing of personal data on behalf of the Client (the Data Controller) and is attached as an addendum to the Agreement in which the parties have agreed to the Data Processor’s delivery of Software and/or Services to the Data Controller through various Engagement Agreements (the Agreed Deliverables).
- NV Play may be an independent Data Controller for some personal data relating to the Client or its Users, where there is a legitimate interest in it being so. Examples of a legitimate interest may include enabling billing and account management of a commercial relationship, user administration and authentication, analysis of operational usage or performance data to ensure optimal service delivery, statistical analysis of aggregate data for research & development of new analysis models and algorithms, including AI-enabled or machine learning-assisted models and features, internal reporting and modelling, or any other legitimate business purposes. When NV Play processes personal data as a Data Controller, the Client acknowledges and confirms that this Data Protection Agreement does not create a joint-controller relationship between the parties.
-
Legislation
- This Data Processor Agreement shall ensure that the Data Processor complies with the applicable data protection and privacy legislation within the primary territory of the Data Controller’s operations (the “Applicable Law”), including in particular the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
-
Processing of Personal Data
- The purpose of the processing is the provision of the Agreed Deliverables to the Data Controller by the Data Processor.
- In connection with the Data Processor’s delivery of the Agreed Deliverables to the Data Controller, the Data Processor will process certain categories and types of the Data Controller’s personal data on behalf of the Data Controller.
- ”Personal data” includes “any information relating to an identified or identifiable natural person” as defined in GDPR, Article 4 (1) (the ”Personal Data”). The Data Processor only performs processing activities that are necessary and relevant to deliver the Agreed Deliverables, except as required to comply with a legal obligation to which the Data Processor is subject. The categories, types and nature of Personal Data processed by the Data Processor on behalf of the Data Controller are described in Schedule 1 to this Appendum. The parties shall update Schedule 1 whenever changes occur that necessitates that it be updated.
- The Data Processor shall maintain a register of processing activities in accordance with GDPR, Article 30, except where the exceptions defined in Article 30 (5) are satisfied.
-
Instruction
- The Data Processor may only act and process the Personal Data in accordance with a documented instruction from the Data Controller (the “Instruction”), unless required by law to act without such instruction. The Instruction at the time of entering into this Data Processor Agreement is that the Data Processor may only process the Personal Data with the purpose of delivering the Agreed Deliverables. Subject to the terms of this Data Processor Agreement and with mutual agreement of the parties, the Data Controller may issue additional written instructions consistent with the terms of this Agreement. The Data Controller is responsible for ensuring that all individuals who provide written instructions are authorised to do so.
- The Data Controller guarantees to process Personal Data in accordance with the requirements of Applicable Law, and that the Data Controller’s Instructions for the processing of Personal Data shall comply with Applicable Law. The Data Controller will have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which it was obtained.
- The Data Processor will inform the Data Controller of any instruction that it deems to be in violation of Applicable Law and will not execute the instructions until they have been confirmed not to violate Applicable Law or are appropriately modified.
-
The Data Processor’s Obligations
- Confidentiality:
- The Data Processor shall treat all the Personal Data as confidential information.
- The Data Processor’s employees shall be subject to an obligation of confidentiality that ensures that the employees shall treat all the Personal Data under this Data Processing Agreement with strict confidentiality.
- Personal Data will only be made available to personnel that require access to such Personal Data for the delivery of the Agreed Deliverables by the Data Processor under this Data Processor Agreement.
- The Data Processor shall also ensure that employees processing the Personal Data only process the Personal Data in accordance with the Instruction.
- The Data Processor shall implement the appropriate technical and organizational measures as set out in this Data Processing Agreement and in the Applicable Law, including in accordance with GDPR, Article 32. The security measures are detailed in Appendix 1, Schedule 2 of this Agreement and are subject to technical progress and development. The Data Processor may update or modify the security measures from time-to-time provided that such updates and modifications do not result in the degradation of the overall security. The Data Processor shall provide documentation of the Data Processor’s security measures if requested by the Data Controller in writing.
- If the Data Processor’s assistance is necessary and relevant, the Data Processor shall assist the Data Controller in preparing data protection impact assessments in accordance with GDPR, Article 35, along with any prior consultation in accordance with GDPR, Article 36. Where assistance is necessary, requests will take the form of a written request by the Data Controller to the Data Processor, detailing the assistance required from the Data Processor and nature of the response requested.
- Rights of the Data Subjects:
- If the Data Controller receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and the correct and legitimate reply to such a request necessitates the Data Processor’s assistance, the Data Processor shall assist the Data Controller by providing the necessary information and documentation. The Data Processor shall be given reasonable time to assist the Data Controller with such requests in accordance with the Applicable Law.
- If the Data Processor receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and such request is related to the Personal Data of the Data Controller, the Data Processor must immediately forward the request to the Data Controller and must refrain from responding to the person directly.
- Personal Data breaches:
- The Data Processor shall give notice in writing to the Data Controller, in the manner prescribed by clause 22.3 (a) or (b) of the General Terms and for the attention of the persons named in clause 22.2 (a), within 36 hours of first becoming aware, if a breach occurs that can lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, personal data transmitted, stored or otherwise processed re the Personal Data processed on behalf of the Data Controller (a Personal Data Breach).
- The Data Processor shall make reasonable efforts to identify the cause of such a breach and take those steps as they deem necessary to establish the cause, and to prevent such a breach from reoccurring.
- Upon becoming aware of any suspected or actual Personal Data Breach, the Data Processor shall provide such assistance and co-operation as the Data Controller may require in order to support any and all related investigations, mitigation and remediation of each Personal Data Breach. In such circumstances, the Data Processor shall provide the Data Controller with as many details as are known by the Contractor at that time (including without limitation (i) the nature and scope of the Personal Data Breach, the categories and numbers of data subjects concerned and the categories and number of personal data records concerned; (ii) the name and contact details of the Data Processor’s data protection officer or other relevant contact from whom more information may be obtained; (iii) the likely consequences of the Personal Data Breach; and (iv) the measures taken or proposed to be taken by the Data Processor to address the Personal Data Breach) and the Data Processor shall regularly update the Data Controller thereafter setting out such further details as may be reasonably requested by the Data Controller.
- Documentation of compliance and Audit Rights:
- Upon request by a Data Controller, the Data Processor shall make available to the Data Controller all relevant information necessary to demonstrate compliance with this Data Processing Agreement, and shall allow for and reasonably cooperate with audits, including inspections by the Data Controller or an auditor mandated by the Data Controller. The Data Controller shall give notice of any audit or document inspection to be conducted and shall make reasonable endeavours to avoid causing damage or disruption to the Data Processors premises, equipment and business in the course of such an audit or inspection. Any audit or document inspection shall be carried out with reasonable prior written notice of no less than 30 days, and shall not be conducted more than once a year.
- The Data Controller may be requested to sign a non-disclosure agreement reasonably acceptable to the Data Processor before being furnished with the above.
- The Data Processor is given general authorisation to transfer Personal Data to countries outside the jurisdiction of the Applicable Law for the sole purpose of meeting the Agreed Deliverables, including countries outside of the European Economic Area (EEA) where the Data Processor is subject to GDPR. In respect of transfers to outside of the EEA, the Data Processor will restrict transfers to where the receiving country is subject to an EU Commission adequacy decision (specifically including New Zealand), where the transfer is subject to appropriate safeguards in accordance with the Applicable Law (which may include, without limitation, Standard Contractual Clauses).
- The Data Controller acknowledges and accepts that access to and use of the Agreed Deliverables by its authorised users may occur outside the EEA and, in such circumstances, Personal Data may be viewed outside the EEA by the relevant user.
- Confidentiality:
-
Sub-Processors
- The Data Processor is given general authorisation to engage third-parties to process the Personal Data (“Sub-Processors”) without obtaining any further written, specific authorization from the Data Controller, with such appointments being subject to New or replacement Sub-Processors are able to be appointed by the Data Processor, provided that the Data Controller is notified in writing about the identity of a potential Sub-Processor (and its processors, if any) before any agreements are made with the relevant Sub-Processors and before the relevant Sub-Processor processes any of the Personal Data. If the Data Controller wishes to object to the relevant Sub-Processor, the Data Controller shall give notice hereof in writing within ten (10) days from receiving the notification from the Data Processor. Absence of any objections from the Data Controller shall be deemed consent to the relevant Sub-Processor.6.3.
- The Data Controller acknowledges and accepts that the Data Processor engages Microsoft Corporation (Microsoft) as a primary Sub-Processor to provide core online services required to deliver the Agreed Deliverables, specifically including SQL Azure, App Service, Storage, Application Insights (each of which forms part of the Microsoft Azure Core Services) and related Microsoft cloud services. These sub-processing services are provided to the Data Processor subject to the following terms (together, the Microsoft Terms):
Microsoft Product Terms:
https://www.microsoft.com/licensing/terms/welcome/WelcomePage?programMoniker=MOSAMicrosoft Products and Services Data Protection Addendum (DPA):
The Data Controller and the Data Processor accept that these terms are substantially similar to the standards set forth in this Data Processing Agreement, and agree that where in conflict the Microsoft Terms will apply in respect to any Sub-Processing provided by Microsoft in relation to the delivery of the Agreed Deliverables.
https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPAWhere NV Play uses AI-enabled infrastructure, analytics, support, security, development or productivity tools that process Personal Data on NV Play's behalf, those providers will be treated as Sub-Processors under this Data Processing Agreement.
- New or replacement Sub-Processors are able to be appointed by the Data Processor, provided that the Data Controller is notified in writing about the identity of a potential Sub-Processor (and its processors, if any) before any agreements are made with the relevant Sub-Processors and before the relevant Sub-Processor processes any of the Personal Data. If the Data Controller wishes to object to the relevant Sub-Processor, the Data Controller shall give notice hereof in writing within ten (10) days from receiving the notification from the Data Processor. Absence of any objections from the Data Controller shall be deemed consent to the relevant Sub-Processor. In the event the Data Controller objects to a new Sub-Processor on reasonable data protection grounds, the Data Processor will discuss these objections with the Data Controller in good faith with a view to achieving resolution.
- The Data Processor will enter into an agreement with each Sub-Processor that obligates the Sub-Processor to process the Personal Data in a manner substantially similar to the standards set forth in this Data Processing Agreement, and at a minimum, at the level of data protection required by the Applicable Law (to the extent applicable to the services provided by the Sub-Processor).
- The Data Processor shall carry out appropriate due diligence on each of its Sub-Processors prior to their appointment and shall on an ongoing basis monitor and control its Sub-Processors’ compliance with the Applicable Law.
- Subject to 6.2, the Data Processor is accountable to the Data Controller for any Sub-Processor in the same way as for its own actions and omissions.
- The Data Processor will maintain a list of Sub-Processors that may process Personal Data, a copy of which will be provided to the Data Controller on receipt of a written request.
-
Remuneration and costs
- The Data Controller agrees it shall remunerate the Data Processor on a time and materials basis to meet its obligations under section 5.4, 5.5, 5.6 and 5.7 of this Data Processor Agreement. Such co-operation and assistance will be charged at the Data Processor’s prevailing rates at the time of the request.
- The Data Processor is entitled to remuneration on a time and material basis to adapt and change the processing activities in order to comply with any changes to the Data Controller’s Instruction, including implementation costs and additional costs required to deliver the Agreed Deliverables due to the change in the Instruction.
- The Data Processor is exempted from liability for non-performance with delivery of the Agreed Deliverables if the performance of these obligations would be in conflict with any changed Instruction or if contractual delivery in accordance with the changed Instruction is impossible. This could for instance be the case (i) if the changes to the Instruction cannot technically, practically or legally be implemented; (ii) where the Data Controller explicitly requires that the changes to the Instruction shall be applicable before the changes can realistically & reliably be implemented; and (iii) in the period of time until the agreement defining the Agreed Deliverables is varied or otherwise changed to reflect the new Instruction and commercial terms thereof.
-
Limitation of liability
- The total aggregate liability to the Data Controller, of whatever nature, whether in contract, tort or otherwise, of the Data Processorfor any losses whatsoever and howsoever caused arising from or in any way connected with the provision of the Agreed Deliverables shall be subject to Section 11 of the General Terms.
- Nothing in this Data Processing Agreement relieves the Data Processor of its own direct responsibilities and liabilities under the GDPR or other Applicable Laws.
-
Duration
- The Data Processor Agreement shall remain in force while the Agreement is in force, and will survive termination or expiration should the Data Processor continue to store or process Personal Data.
-
Data Protection Officer
- The Data Processor will appoint a Data Protection Officer where such appointment is required by the Applicable Law.
-
Termination
- Following expiration or termination of the Agreement, the Data Processor will delete or return to the Data Controller all Personal Data, except as expressly provided for in the Agreement (specifically including clause 13.2 of the Agreement), and to the extent the Data Processor is required by Applicable Law to retain some or all of the Personal Data (in which case the Data Processor will archive the data and implement reasonable measures to prevent the Personal Data from any further processing). The terms of this Data Processing Agreement will continue to apply to any retained Personal Data.
-
Governing Law and Jurisdiction
- This Data Processing Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of New Zealand.
- The parties irrevocably agree that the courts, tribunals and any competent regulators of New Zealand shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Data Processing Agreement or its subject matter or formation (including non-contractual disputes or claims).
-
Severance
- Should any provision of this Data Processing Agreement be invalid or unenforceable, then the remainder of this Data Processing Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either:
- amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible,
- construed in a manner as if the invalid or unenforceable part had never been contained therein.
- Should any provision of this Data Processing Agreement be invalid or unenforceable, then the remainder of this Data Processing Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either:
SCHEDULE 1
Data being processed
Background
NV Play is a comprehensive sports technology platform, primarily focussed on the sport of cricket, specifically designed to meet the needs of governing and organisational bodies. Its primary purpose is to a) capture and analyse match outcomes & results to drive both engagement and performance, and b) provide platforms & tools to support the underlying competition structure & formats of the game.
In order to deliver this purpose, and meet the Agreed Deliverables, may involve the Processing of Personal Data about any or all of the following Data Subjects:
- Players
- Officials (including Umpires, Coaches, Scorers, Referees, Analysts, Administrators)
- Users of the Software
- Individuals who use NV Play Software or Services in a personal capacity (including supporters and other end users)
Types of Personal Data Processed
Depending on the Client's usage of the Software, any or all of the following types of Personal Data may be processed in order to meet the Agreed Deliverables:
- Players: full name, gender, player type & roles, playing status, club memberships, match & team participation, match performance, career performance, video or photographic footage
- Consented Player data: address, email address, phone number, social media account names, profile picture, date of birth (and, where the Player is under the relevant age of consent, these details of a parent and/or guardian), in each case as determined by the Data Controller and collected and processed in accordance with Applicable Data Protection Laws.
- Officials: full name, organisation, roles, match participation
- Users: full name, email address, user/login name, organisation, role, IP address, system usage
- Individual end users: full name, email address, user/login name, subscription or account details, marketing and communication preferences, IP address, device and browser information, system and feature usage
No Sensitive Personal Data, as defined in GDPR Article 9(1) (or any equivalent concept of special categories of data or sensitive information under Applicable Data Protection Laws), will be collected or Processed by the Data Processor without specific Instruction in writing from the Data Controller, subject to the Data Processor’s obligations under GDPR Article 9(2) and any equivalent provisions of Applicable Data Protection Laws.
Other Types of Data Processed
In addition to the above listed Personal Data, any or all of the following addition types of data may be Processed in order to meet the Agreed Deliverables.
- Platform usage metrics to optimise scale & performance
- Automated error reporting to assist with diagnosis & remedy of issues
- Website and app usage analytics to provide insights to usage patterns & optimal workflows, including browser and device information
- Commercial information in relation to the billing of services & contract administration
- Participation & demographic data to support the development & delivery of amateur & professional sporting programmes
- AI-enabled analysis outputs, machine learning-assisted insights, model performance data and derived analytical data generated through use of the Software or Services, where processed in order to meet the Agreed Deliverables.
SCHEDULE 2
Technical and Organisational Security Overview
As part of our DPA, we publish a Technical and Organisational Security Overview describing how we protect “Confidential Data” (including personal information and commercially sensitive content).
It outlines our:
- infrastructure and physical security controls;
- access management, authentication and logging;
- encryption and backup strategy; and
- approach to updates and operational security.
You can request a copy of our Technical and Organisational Security Overview by emailing support@nvplay.com.