Data Processing

DATA PROCESSING AGREEMENT – TERMS OF NOONA LABS EHF.

These terms apply to the processing of Noona Labs ehf., company no. 450310-0690, Skipholt 11-13, 105 Reykjavík (hereinafter also referred to as the "Company" or the "Processor"), of personal data in connection to the use of the online booking - and processing system Noona HQ (hereinafter also referred to as “Noona HQ” or the “System”).

On the basis of the terms of Noona HQ the Company grants its customers and users, as they are defined in the terms, the right to use the system. In order to be able to provide the service which consists of access to the system, it is necessary for the company to process personal data.

With regard to the processing that takes place in relation to the use of Noona HQ, the customer acts as a so-called data controller within the meaning of the Data Protection Legislation (hereinafter referred to as the “Controller”) and the Company as a so-called data processor.

The purpose of these terms is to specify the obligations of the Processor in relation to the provision of the services on behalf of the Controller and to ensure that personal data is processed in accordance with applicable legislation.

The term “Data Protection Legislation” refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR"), the Icelandic Data Protection Act No. 90/2018 on Data Protection and the Processing of Personal Data and, as applicable, other legislation of the European Union where the Controller is established. 

1. Processing of Personal Data 

The services of the Processor consist of granting the Controller permission to use Noona HQ, to receive bookings through the Noona marketplace, technical assistance in connection with the use of the Systems, hosting of the data entered into the Systems and the services of sending the Controller’s customers a reminder of the booked services (hereinafter collectively referred to as the "Service").

In order to be able to provide the Service, the Company needs to process certain personal data.

In relation to Noona HQ, the Processor processes the following personal data, as applicable, on behalf of the Controller: 

• Users of the System (e.g. employees and contractors of the Controller):

  • Contact information, i.e. information about name, phone number and email address;

  • Information about user appointments and where applicable, information about holidays;

  • Activity logs for the users of the System;

  • Information related to technical assistance requests. 

    
    

• Customers of the Controller (including customers of the users of the System):

  • The information that the Controller enters into the System, e.g.: 

    • Contact information, i.e. information about name, ID number, telephone number and e-mail address;

      • Business history, i.e. list of customer appointments;

      • Comments and notes written by the Controller into the System, including in terms of customer service;

      • Information related to attendances and cancelations of customers;

      • Photos and attachments;

  • The information which the customers of the Controller enter into the Noona marketplace when ordering the Controller's service/product and the information which the Controller receives into the system, e.g.:

    • Contact information, i.e. information about  name, ID number, telephone number and e-mail address;

    • Business history, i.e. list of customer appointments.

As part of the Services, as appropriate, the Processor undertakes to send messages to customers on behalf of the Controller, e.g. via email, text messages and notifications in the app. In connection with such services, information about name, e-mail address, telephone number and messages’ content is processed.

2. The Processor‘s Obligations

1. The Controller‘s Instructions 

The Processor is only permitted to process personal data in accordance with the instructions of the Controller and in accordance with the purpose of the processing described in these terms. If the Processor believes that the Controller’s instructions violate the Data Protection Legislation, the Processor shall notify the Controller thereof.

Notwithstanding the above, the Processor shall have the right to obtain the data subjects’ consent, including from the customers of the Controller, to process the personal data that the Processor processes on behalf of the Controller on the basis of these terms. That includes i.e. data about the business history of the customers. In connection with such processing the Processor acts as an independent controller and such processing activities shall be independent and irrelevant to the processing activities undertaken under these terms. 

On the basis of these terms, the Processor shall be permitted to process the data collected through the use of the Systems in a non-personally identifiable manner, including for the purpose of developing and improving the quality of the Service.

2. Confidentially of Employees   

The Processor shall ensure that all employees who have access to the Controller’s personal data have signed a confidentiality statement. 

3. Security Measures

The Processor shall implement appropriate technical and organizational security measures to ensure adequate level of security of the personal data and to protect it against unlawful destruction, accidental loss or alteration, unauthorized access, and any other unlawful processing. The measures shall take into account the latest technology, the cost of implementation, scope, context and purpose of processing and the associated risk.

4. Data Breaches 

If a data breach occurs in relation to the Processor’s processing of personal data on behalf of the Controller, the Processor shall without undue delay notify the Controller of such a breach. In such a notification, the Processor shall, to the extent possible, describe the breach, including the nature of the breach and its consequences.

5. Data Subjects’ Rights and Assistance to the Controller 

The Processor shall, to the extent reasonably possible, assist the Controller in complying with requests from data subjects related to their rights on the basis of the Data Protection Legislation i.e. in connection to access and deletion requests. The Processor shall also assist the Controller, as appropriate taking into account the nature and scope of the processing,  in conducting a data protection impact assessment, in connection with prior consultation with the Data Protection Authority and other obligations outlined in Articles 32-36 of the GDPR.

6. Access and Audit Rights

The Processor shall provide the Controller with access to information that is necessary to demonstrate that obligations under the Data Protection Legislation have been complied with. The Processor shall also provide the Controller, or a third party designated by the Controller, with the opportunity to carry out an audit of the Processor's processing of personal data on behalf of the Controller.

7. Return or Erasure of Personal Data

While the Processor processes personal data on behalf of the Controller, the latter may at any time request that the Processor erases the personal data that it processes on behalf of the Controller. At the end of the service agreement, the Processor shall also return and/or erase the personal data the Processor processes on behalf of the Controller, in accordance with the Controller's instructions thereof. If the Processor does not receive any instructions from the Controller, the Processor shall be allowed to erase the data within one year from the end of the service agreement between the parties.

If the Processor has obtained a consent from the data subjects to process the personal data which is also processed on behalf of the Controller on the basis of these terms, the Processor shall not be obliged to erase that data.  

3. The Controller‘s Obligations 

The Controller warrants that the Controller has the authority to entrust the Processor with the processing of the personal data entered into the Systems, that the processing is carried out on a legitimate basis, that the data subjects have been informed about the processing and that the Controller otherwise fulfils the obligations provided in Data Protection Legislation.

4. Use of Sub-Processors

The Processor shall be entitled to entrust sub-processors for the processing provided for in these terms, in whole or in part, provided that the Processor ensures that the sub-processor is subject to the same obligations as the Processor on the basis of these terms.

An appendix to these terms stipulates the sub-processors used by the Processor. If changes are made and the Processor adds a new sub-processor, the Processor shall be obliged to notify the Controller thereof and provide the Controller the opportunity to object within 14 calendar days.

Even if the Processor uses sub-processors, the Processor shall be responsible for all processing subject to these terms towards the Controller. 

The Processor shall endeavour to store and process personal data within the European Economic Area („EEA“). In cases where the transfer of information outside the EEA cannot be prevented, e.g. where a sub-processor has an establishment outside the EEA or uses a sub-processor outside the EEA itself, the processor shall ensure that adequate measures are in place to ensure the security of the personal data processed by the Controller on behalf of the Processor, e.g. that the transfer is based on an adequacy decision or Standard Contractual Clauses of the European Commission. In the appendix to these processing terms it is outlined in which cases transfers outside the EEA may take place, but the possible transfers are contingent and limited as all hosting takes place within the EEA.

5. Duration

These terms shall be valid as long as the parties have a business relationship and the Processor processes personal data on behalf of the Controller. 

6. Jurisdiction 

These terms are governed by Icelandic law. If a dispute arises in relation to these terms, proceedings shall be brought before the District Court of Reykjavík.

Appendix A:  List of Sub-Processors

• MongoDB Atlas
  Provides database services for storing and managing production data. Our production database is located in Amsterdam, Netherlands (EU).
  The Proccesor uses MongoDB Atlas to store all information about users and the data they store  in the System.
  DPA
  Privacy Policy
  
  

• Google Cloud Platform
  Offers server and data warehouse solutions for storing, processing, and managing data. Our production servers are located in Amsterdam, Netherlands (EU).
  The Proccesor uses Google to host web servers and store information about users and the data they store in the System.
  The hosting takes place within the EEA however since Google´s parent company is established in the United States, access to the information from there can´t be excluded. Such a transfer would be based on an adequacy decision, but the transfer would always be contingent.
  DPA
  Privacy Policy
  
  

• Segment (Twilio)
  Facilitates data integration by collecting, unifying, and routing data to other analytics tools and services. 
  The processor uses Segment in connection with the measurement and analysis of user behavior, with the aim of improving the user experience. In connection with the Service, Segment has access to user information such as the name of the user and the email address of the person logged in.
  DPA
  Privacy Policy
  
  

• Mixpanel
  Provides product analytics and user behavior insights for understanding user interactions with the platform. 
  The Processor uses Mixpanel in connection with system measurements and analysis of user behavior, with the aim of improving the user experience. In connection with the service, Mixpanel has access to user information such as the name of the user and the email address of the person logged in.
  DPA
  Privacy Policy
  
  

• Intercom
  The Processor uses Intercom in connection with user support and for sending messages. In relation to the Service, Intercom has access to conversations between customers and Processors, the names of customers and their contacts.
  DPA
  Privacy Policy
  
  

• Google Analytics
  Delivers web analytics services for tracking and reporting website traffic and user behavior.
  The Processor uses Google Analytics in connection with system measurements and analysis of user behavior, with the aim of improving the user experience. In connection with the service, Google Analytics has access to user information such as the name of the user and the email address of the person who is logged in.
  The hosting takes place within the EEA however since Google´s parent company is established in the United States, access to the information from there can´t be excluded from there. Such a transfer would be based on an adequacy decision, but the transfer would always be contingent.
  DPA
  Privacy Policy
  
  

• Sentry
  Supplies error tracking and monitoring services to identify and resolve issues in the platform.
  The Processor uses Sentry in connection with error reporting and analysis thereof. In connection with the Service, Sentry has access to user information such as the name of the user and the email address of the person logged in.
  DPA
  Privacy Policy
  
  

• LaunchDarkly
  Manages feature flags for controlled rollouts and testing of new platform features. 
  The Processor uses LaunchDarkly in connection with controlling which functionality users have access to. In connection with the Services, LaunchDarkly has access to user information such as the name of the user and email address of the person who is logged in, along with other information that may help manage access, such as information about country and subscription.
  DPA
  Privacy Policy
  
  

• Algolia
  Delivers search and discovery solutions for enhancing platform search capabilities.
  The Processor uses Algolia in connection with offering a powerful and fast search service. In connection with the service, Algolia has access to user information, together with information about users' customers and other data that customers may store inside the System.
  DPA
  Privacy Policy
  
  

• Síminn
  Provides telecommunication services, including SMS messaging.
  The Processor uses Síminn to send short messages on behalf of the Controller through Síminn's web service. Information about phone numbers and message content is processed.
  DPA
  Privacy Policy
  
  

• Twilio
  Offers cloud communication services, including SMS messaging, voice, and video calls.
  The Processor uses Twilio to send short messages on behalf of the Controller via Twilio's web service. Information about phone numbers and message content is processed.
  DPA
  Privacy Policy
  
  

• Posthog
  Supplies product analytics and user behavior insights for understanding user interactions with the platform. The website is hosted in Frankfurt, Germany (EU).
  The processor uses Posthog in connection with system measurements and analysis of user behavior, with the aim of improving the user experience. In connection with the Service, Posthog has access to user information such as the name of the user and the email address of the person logged in. 
  DPA
  Privacy Policy
  
  

• Chargebee
  Delivers subscription management and recurring billing services for handling platform subscriptions and payments. 
  The Processor uses Chargebee in connection with collecting payments from the user. In connection with the Service, Chargebee has access to user information and subscription channels.
  DPA
  Privacy Policy
  
  

• Sendgrid (Twilio)
  Provides email delivery services for sending transactional and marketing emails to platform users.
  The Processor uses Sendgrid to send e-mails, both in connection with system notifications and on behalf of the Controller through Twilio's web service. Information about email addresses and message content is processed.
  DPA
  Privacy Policy
  
  

• Cloudinary
  Provides cloud-based media management solutions for uploading, storing, and delivering images, videos, and other rich media content. We use it to store profile images.
  The Processor uses Cloudinary to save images that the user enters into the System in connection with the profiles of employees and companies.
  DPA
  Privacy Policy
  
  

• Amazon Web Services
  Offers a wide range of cloud computing services, such as server hosting, storage, databases, and content delivery, to power and scale web applications and services. We use it to store file attachments. 
  The Processor uses AWS to host documents and attachments that the Controller processes  in the System.
  The hosting takes place within the EEA however since Google´s parent company is established in the United States, access to the information from there can´t be excluded from there. Such a transfer would be based on an adequacy decision, but the transfer would always be contingent.
  DPA
  Privacy Policy