Data Processing Addendum

Last Revised: April 28th, 2018

This Data Processing Addendum (“DPA”) forms part of NodeChef’s Terms Of Service Agreement ( Agreement), located at https://www.NodeChef.com/terms. The DPA applies in respect of the provision of the NodeChef’s Services to the Customer if the Processing of User Personal Data is subject to the GDPR, only to the extent the Customer is a Controller (or Processor, as applicable) of User Personal Data and NodeChef is a Processor or sub-Processor of User Personal Data (as defined below). This Addendum shall amend and supplement any provisions relating to the processing of User Personal Data contained in the Agreement, and shall be effective for the term of the Agreement.

1. Definitions

1.1. Capitalized terms used but not defined in this DPA shall have the meaning given to them in the Agreement or applicable Data Protection Laws.

“User Personal Data” means Personal Data uploaded to or published, displayed or backed up through the NodeChef Services.

“GDPR” means the General Data Protection Regulation (EU) 2016/679, together with any national implementing laws in any Member State of the European Union, as amended, repealed, consolidated or replaced from time to time.

“DPA Effective Date” means, as applicable, (a) May 25, 2018 if Customer clicked to accept or otherwise agreed to this DPA prior to or on such date; or (b) the date on which Customer clicked to accept otherwise agreed to this DPA, if such date is after May 25, 2018.

1.2. “Personal Data”, “Personal Data Breach”, “Data Subject”, “Data Protection Authority”, “Data Protection Impact Assessment”, “Process”, “Processor” and “Controller” will each have the meaning given to them in Article 4 of the GDPR.


2. Processing of User Personal Data

2.1. For the For purposes of this DPA, NodeChef and Customer agree that Customer is the Controller of User Personal Data and NodeChef is the Processor of such data, except when Customer acts as a Processor of User Personal Data, in which case NodeChef is a sub-Processor. If Customer is a Processor, Customer warrants that Customer’s instructions to NodeChef with respect to that User Personal Data, including Customer’s designation of NodeChef as a sub-Processor, have been authorized by the relevant Controller.

2.2. NodeChef will only Process User Personal Data on behalf of and in accordance with the Customer’s prior instructions and for no other purpose. NodeChef is hereby instructed to Process User Personal Data to the extent necessary to enable NodeChef to provide the NodeChef Services in accordance with the Agreement.

2.3. Each of the Customer and NodeChef will comply with their respective obligations under the GDPR, to the extent applicable to the Processing of any User Personal Data in the context of the provision of the NodeChef Services. Customer will (i) comply with all applicable privacy and data protection laws with respect to Customer’s Processing of User Personal Data and any Processing instructions that Customer issues to NodeChef, and (ii) ensure that Customer has obtained (or will obtain) all consents and rights necessary for NodeChef to Process User Personal Data in accordance with this Addendum.

2.4. Customer will select the country where User Personal Data will be stored. Customer consents to the storage of the User Personal Data in the country that Customer chooses when Customer purchases specific Services. By uploading User Personal Data to the Services, Customer acknowledges that Customer may transfer and access User Personal Data from around the world, including to and from the country in which User Personal Data is maintained.

2.5. For Customers located in the EU, Customer acknowledges that NodeChef may process User Personal Data in countries outside of the EU as necessary to provide the NodeChef Services and in accordance with the terms of this Addendum. Where this is the case, NodeChef will take such measures as are necessary to ensure that the transfer is in compliance with applicable data protection laws.

2.6. The Customer acknowledges that NodeChef is reliant on the Customer for direction as to the extent to which NodeChef is entitled to use and Process User Personal Data on behalf of Customer in performance of the NodeChef Services. Consequently NodeChef will not be liable under the Agreement for any claim brought by a Data Subject arising from any action or omission by NodeChef, to the extent that such action or omission resulted directly from the Customer’s instructions or from Customer’s failure to comply with its obligations under the applicable data protection law.

2.7. If for any reason (including a change in applicable law) NodeChef becomes unable to comply with any instructions of the Customer regarding the Processing of User Personal Data, NodeChef will (a) promptly notify the Customer of such inability, providing a reasonable level of detail as to the instructions with which it cannot comply and the reasons why it cannot comply, to the greatest extent permitted by applicable law; and (b) cease all Processing of the affected User Personal Data (other than merely storing and maintaining the security of the affected User Personal Data) until such time as the Customer issues new instructions with which NodeChef is able to comply. If this provision applies, NodeChef will not be liable to Customer under the Agreement in respect of any failure to perform the NodeChef Services due to its inability to process User Personal Data until such time as the Customer issues new instructions in regard to such Processing.


3. Security Measures

3.1. NodeChef will implement and maintain appropriate technical and organizational measures designed to protect or secure (i) Customer Data, including Customer Personal Data, against unauthorized or unlawful processing and against accidental or unlawful loss, destruction or alteration or damage, unauthorized disclosure of, or access to, Customer Data, and (ii) the confidentiality and integrity of Customer Data.

3.2. NodeChef will take reasonable steps to ensure the reliability and competence of NodeChef team members engaged in the processing of Customer Personal Data. NodeChef will take appropriate steps to ensure that all NodeChef team members engaged in the processing of Customer Personal Data (i) comply with the Security Measures to the extent applicable to their scope of performance, (ii) are informed of the confidential nature of the Customer Personal Data, and (iii) have received appropriate training on their responsibilities and (iv) have executed written confidentiality agreements. NodeChef shall ensure that such confidentiality obligations survive the termination of the personnel engagement.


4. Security Breach

4.1. If NodeChef becomes aware of a Data Breach, NodeChef will: (a) notify Customer of the Data Breach without undue delay after becoming aware of the Data Breach; and (b) promptly take reasonable steps to minimize harm and secure Customer Data.

4.2. Notification(s) of any Data Breach will be delivered to Customer by direct communication (for example, by phone call or email). Customer is solely responsible for ensuring that any contact information, including notification email address, provided to NodeChef is current and valid.

4.3. NodeChef will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with data breach notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Data Breach.

4.3. NodeChef’s notification of or response to a Data breach under this Section 4. (Security Breach) will not be construed as an acknowledgement by NodeChef of any fault or liability with respect to the Data Breach.


5. Customer’s Security Responsibilities and Assessment of NodeChef

5.1. Customer agrees that, without prejudice to NodeChef’s obligations under Section 3. (Security Measures) and Section 4. (Security Breaches):

5.2. Customer is solely responsible for its use of the Services, including: (i) making appropriate use of the Services and any Additional Security Information to ensure a level of security appropriate to the risk in respect of the Customer Data; (ii) securing the account authentication credentials, systems and devices Customer uses to access the Services; and (iii) backing up the Customer Data; and

5.3. NodeChef has no obligation to protect Customer Data that Customer elects to store or transfer outside of NodeChef’s systems.

5.4. Customer is solely responsible for reviewing the Security Measures and evaluating for itself whether the Services, the Security Measures, and NodeChef’s commitments under this Section 3 (Security Measures) will meet Customer’s needs, including with respect to any security obligations of Customer under the Data Protection Laws. Customer acknowledges and agrees that the Security Measures implemented and maintained by NodeChef as set out in Section 3 (Security Measures) provide a level of security appropriate to the risk in respect of the Customer Data.


6. Data Protection Impact Assessment; Prior Consultation

6.1. NodeChef will, at the Customer’s request and subject to the Customer paying all of NodeChef’s fees at prevailing rates, and all expenses, provide the Customer with reasonable cooperation and assistance needed to fulfill Customer's obligation under the GDPR to carry out a data protection impact assessment related to Customer's use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to NodeChef. NodeChef will provide reasonable assistance to Customer in the cooperation or prior consultation with the applicable data protection authority in the performance of its tasks relating to this Section 6 (Data Protection Impact Assessment) to the extent required under the GDPR.


7. Deletion of User Personal Data

7.1. NodeChef will enable Customer to delete during the Term Customer Data in a manner consistent with the functionality of the Services. If Customer uses the Services to delete any Customer Data during the Term and that Customer Data cannot be recovered by Customer, this use will constitute an instruction to NodeChef to delete the relevant Customer Data from NodeChef’s systems in accordance with applicable law. NodeChef will comply with this instruction as soon as reasonably practicable within a maximum of 30 days, unless the European Union or member state law requires storage.

7.2. On expiration of the Agreement, Customer instructs NodeChef to permanently and securely delete all User Personal Data in the possession or control of NodeChef, within a reasonable period of time, maximum of 30 days (unless the applicable law of the EU or of an EU Member State requires otherwise), except if the Customer requests, prior to expiration of the Agreement, to have access to the NodeChef Services in order to retrieve User Personal Data. Customer acknowledges and agrees that Customer will be responsible for exporting, before the Term expires, any Customer Data it wishes to retain afterwards.


8. Order of Precedence

8.1. With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Agreement, the provisions of this Addendum shall prevail.