Data Processing

DATA PROCESSING AGREEMENT - TERMS OF NOONA LABS EHF.

These terms apply to the processing by Noona Labs ehf., company no. 450310-0690, Skipholt 11-13, 105 Reykjavik (hereinafter also referred to as the "Company" or the "Processor"), of personal data in connection with the use of the online booking and processing system Noona HQ (hereinafter also referred to as "Noona HQ" or the "System"). On the basis of the terms of Noona HQ the Company grants its customers and users, as they are defined in the terms, the right to use the System. In order to be able to provide the service, which consists of access to the System, it is necessary for the Company to process personal data.

With regard to the processing that takes place in relation to the use of Noona HQ, the customer acts as a data controller within the meaning of the Data Protection Legislation (the "Controller") and the Company acts as a data processor (the "Processor"). The purpose of these terms is to specify the obligations of the Processor in relation to the provision of the services on behalf of the Controller and to ensure that personal data is processed in accordance with applicable legislation.

The term "Data Protection Legislation" refers to Regulation (EU) 2016/679 (the "GDPR"), the Icelandic Data Protection Act No. 90/2018 on Data Protection and the Processing of Personal Data, and, as applicable, other legislation of the European Union where the Controller is established.

1. Processing of Personal Data

The services of the Processor consist of granting the Controller permission to use Noona HQ, receiving bookings through the Noona marketplace, technical assistance in connection with the use of the System, hosting of the data entered into the System, and sending the Controller's customers reminders of booked services (collectively, the "Service"). In order to provide the Service, the Company needs to process certain personal data.

In relation to Noona HQ, the Processor processes the following personal data, as applicable, on behalf of the Controller:

Users of the System (e.g. employees and contractors of the Controller):
- Contact information, including name, phone number, and email address
- Information about user appointments and, where applicable, information about holidays
- Activity logs for the users of the System
- Information related to technical assistance requests

Customers of the Controller (including customers of the users of the System):
- Information that the Controller enters into the System, including:
  - Contact information such as name, ID number, telephone number, and e-mail address
  - Business history such as list of customer appointments
  - Comments and notes written by the Controller into the System, including customer service notes
  - Information related to attendances and cancellations of customers
  - Photos and attachments
- Information entered by customers of the Controller into the Noona marketplace when ordering the Controller's service/product, including:
  - Contact information such as name, ID number, telephone number, and e-mail address
  - Business history such as list of customer appointments

As part of the Service, as appropriate, the Processor undertakes to send messages to customers on behalf of the Controller, for example via email, text messages, and notifications in the app. In connection with such services, information about name, e-mail address, telephone number, and message content is processed.

2. The Processor's Obligations

2.1 The Controller's Instructions

The Processor is only permitted to process personal data in accordance with the instructions of the Controller and in accordance with the purpose of the processing described in these terms. If the Processor believes that the Controller's instructions violate the Data Protection Legislation, the Processor shall notify the Controller.

Notwithstanding the above, the Processor has the right to obtain data subjects' consent, including from the customers of the Controller, to process personal data that the Processor processes on behalf of the Controller on the basis of these terms. In connection with such processing, the Processor acts as an independent controller. On the basis of these terms, the Processor is also permitted to process data collected through the use of the System in a non-personally identifiable manner for purposes including developing and improving the quality of the Service.

2.2 Confidentiality of Employees

The Processor shall ensure that all employees who have access to the Controller's personal data have signed a confidentiality statement.

2.3 Security Measures

The Processor shall implement appropriate technical and organizational security measures to ensure an adequate level of security of personal data and to protect it against unlawful destruction, accidental loss or alteration, unauthorized access, and any other unlawful processing.

2.4 Data Breaches

If a data breach occurs in relation to the Processor's processing of personal data on behalf of the Controller, the Processor shall without undue delay notify the Controller and, to the extent possible, describe the breach, including its nature and consequences.

2.5 Data Subjects' Rights and Assistance to the Controller

The Processor shall, to the extent reasonably possible, assist the Controller in complying with requests from data subjects related to their rights under the Data Protection Legislation, including access and deletion requests. The Processor shall also assist the Controller, as appropriate, with data protection impact assessments, prior consultation with the Data Protection Authority, and other obligations outlined in Articles 32-36 of the GDPR.

2.6 Access and Audit Rights

The Processor shall provide the Controller with access to information necessary to demonstrate compliance with Data Protection Legislation and shall provide the Controller, or a third party designated by the Controller, with the opportunity to carry out an audit of the Processor's processing of personal data on behalf of the Controller.

2.7 Return or Erasure of Personal Data

While the Processor processes personal data on behalf of the Controller, the Controller may at any time request that the Processor erase that personal data. At the end of the service agreement, the Processor shall return and/or erase the personal data it processes on behalf of the Controller in accordance with the Controller's instructions. If the Processor does not receive instructions, the Processor may erase the data within one year from the end of the service agreement between the parties. If the Processor has obtained consent from data subjects to process personal data that is also processed on behalf of the Controller on the basis of these terms, the Processor is not obliged to erase that data.

3. The Controller's Obligations

The Controller warrants that it has the authority to entrust the Processor with the processing of personal data entered into the System, that the processing is carried out on a legitimate basis, that the data subjects have been informed about the processing, and that the Controller otherwise fulfils the obligations provided in Data Protection Legislation.

4. Use of Sub-Processors

The Processor is entitled to entrust sub-processors with the processing provided for in these terms, in whole or in part, provided that the Processor ensures that each sub-processor is subject to the same obligations as the Processor. An appendix to these terms stipulates the sub-processors used by the Processor.

If changes are made and a new sub-processor is added, the Processor must notify the Controller and provide the Controller the opportunity to object within 14 calendar days. Even if the Processor uses sub-processors, the Processor remains responsible towards the Controller for all processing subject to these terms.

The Processor shall endeavour to store and process personal data within the European Economic Area ("EEA"). Where transfers outside the EEA cannot be prevented, the Processor shall ensure that adequate measures are in place, such as an adequacy decision or Standard Contractual Clauses of the European Commission.

5. Duration

These terms are valid as long as the parties have a business relationship and the Processor processes personal data on behalf of the Controller.

6. Jurisdiction

These terms are governed by Icelandic law. If a dispute arises in relation to these terms, proceedings shall be brought before the District Court of Reykjavik.

Appendix A: List of Sub-Processors

- MongoDB Atlas: database services for storing and managing production data. Production database located in Amsterdam, Netherlands (EU).
- Google Cloud Platform: server and data warehouse solutions. Production servers located in Amsterdam, Netherlands (EU).
- Segment (Twilio): data integration and routing to analytics tools and services.
- Mixpanel: product analytics and user behavior insights.
- Intercom: user support and messaging.
- Google Analytics: website traffic and user behavior analytics.
- Sentry: error tracking and monitoring.
- LaunchDarkly: feature flags for controlled rollouts and testing.
- Algolia: search and discovery services.
- Siminn: telecommunication services including SMS messaging.
- Twilio: cloud communication services including SMS, voice, and video.
- Posthog: product analytics and user behavior insights. Website hosted in Frankfurt, Germany (EU).
- Chargebee: subscription management and recurring billing services.
- Sendgrid (Twilio): email delivery services for transactional and marketing emails.
- Cloudinary: cloud-based media management for images and rich media content.
- Amazon Web Services: storage for documents and attachments.