Data processing terms

Data processing agreement


Last modified: June 12, 2018

(1) This Data Processing Agreement (this “Agreement”) is made upon acceptance of the terms of the Nuance Experience Studio Service (“NES”) Agreement (“NES Agreement”) between the Customer and Nuance as identified in the Agreement. The entity accepting the terms of the NES Service Agreement (“Customer”);

(2) Nuance Communications, Inc., a Delaware corporation whose principal place of business is at 1 Wayside Road, Burlington, MA, USA (“Processor”).
each a “party” and together the “parties”.



RECITALS

(A) Processor and Customer have established a commercial relationship for the provision of certain NES services (“Services”) to Customer from time to time as detailed in the NES Agreement (“Main Agreement”).

(B) The parties have agreed that in order for Processor to perform its obligations pursuant to such Main Agreement, it will be necessary for Processor to Process certain personal data in respect of which Customer will be a data controller, or acting on behalf of the data controller, for the purposes of this agreement under and subject to the EU Data Protection Laws (as defined below).

(C) The parties have agreed to enter into this overarching Agreement in order to address the compliance obligations imposed upon Customer pursuant to EU Data Protection Laws, and to ensure that adequate safeguards are put in place with respect to the protection of such personal data.



1. DEFINITIONS

The following expressions are used in this Agreement:

(a) “Service” refers to the application, product or services and other activities to be supplied or carried out by or on behalf of Company/Company Affiliate pursuant to the Main Agreement;

(b) “Data Subject Request” means a request from or on behalf of a data subject relating to access of, or the rectification of, erasure of or data portability of that person’s Personal Data or an objection from or on behalf of a data subject to the processing of his or her Personal Data;

(c) “EU Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area, their member states, the United Kingdom and Switzerland, applicable to the processing of Personal Data under the Main Agreement, including the GDPR;

(d) “GDPR” means Regulation (EU) 2016/79 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (known as the General Data Protection Regulation);

(e) “Standard Contractual Clauses” means the agreement executed by and between Company and Nuance. Attached hereto as Annex 4, pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010, is Standard Contractual Clauses for the transfer of personal data to processors established in countries which do not ensure an adequate level of data protection by Commission standards;

(f) “Personal Data” means all data defined as personal data under EU Data Protection Laws that is provided by Company to Nuance and sub-processors, or is accessed, stored or otherwise processed by Nuance and sub-processors in connection with the Services;

(g) “Adequate Country” means a country, territory, or specified sectors within a country and international organization published by European Commission in the Official Journal of the European Union for which it has decided that an adequate level of protection is ensured;

(h) “Processing”, “Controller”, “Data Controller”, “Processor”, “Data Processor”, “Data Subject”, “Personal Data Breach” and “Supervisory Authority” shall have the meanings given to them by EU Data Protection Laws.




2. STATUS OF THE PARTIES

2.1 Company is the data controller and Nuance is the data processor. Accordingly, Company grants Nuance the right to process the Personal Data for the purposes of providing the Services to Company. Nuance agrees that it shall process all Personal Data in accordance with its obligations in performing the Services pursuant to this Agreement and the Main Agreement.

2.2 Company acknowledges that delivery of the Services requires Nuance to operate, maintain, tune, enhance, improve and provide technical support services for the speech recognition, natural language understanding, and other Nuance software and technologies that are embodied in the Services delivered to Company and that such processing constitutes a legitimate interest as defined under EU Data Protection Laws.

2.3 Each party warrants to the other that it will comply with all EU Data Protection Laws applicable to its performance under the Agreement. As between the parties, Company is solely responsible for the accuracy, and quality of Personal Data and legality and the means by which Company acquired Personal Data. If required, Company is solely responsible for obtaining all necessary consents required under EU Data Protection Laws to allow Nuance to lawfully complete the Services.



3. PROCESSING REQUIREMENTS

3.1 Data Processing Details. Company, as data controller, will determine the scope, purposes, and manner by which the Personal Data may be accessed or processed by Nuance, including the transfer by Nuance of Company Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Main Agreement. The type of Personal Data processed pursuant to this Agreement as well as the subject matter, nature and purpose of the processing, the Data Subjects involved, and the location(s) and duration of the processing (details required by GDPR Article 28(3)) are as described in Annex 1.

3.2 Processing under Control of Controller. Company’s individual instructions on processing of Personal Data shall be as detailed in the Main Agreement and this Agreement. Nuance shall only process the Personal Data to provide the Services and shall act only in accordance with Company’s documented instructions to the extent appropriate for the provision of the Services, and except as required to comply with a legal obligation to which Nuance is subject. Personal Data processing instructions can be modified, amended or replaced through an amendment to this Agreement through the established change process. Instructions not foreseen in or covered by the Main Agreement or this Agreement shall be treated as requests for amendments to this Agreement. If applicable law requires Nuance to process Personal Data other than that pursuant to Company’s instruction, Nuance will notify Company as reasonably practicable, unless prohibited from doing so by applicable law. Nuance shall, as soon as reasonably practicable upon becoming aware, inform Company if, in Nuance’s opinion, any instructions provided by Company will lead to infringement of EU Data Protection Laws.

3.3 Confidentiality. Without prejudice to any existing contractual arrangements between the parties, Nuance shall treat all Personal Data as strictly confidential. Nuance shall take appropriate steps so that only authorized personnel who are subject to binding obligations of confidentiality, either contractual or statutory, will have access to the Personal Data. Termination or expiration of this Agreement shall not discharge Nuance from its confidentiality obligations.

3.4 Limitation of Access. Nuance will ensure the performance of the Services according to this agreement is limited to the personnel performing the Service under the Main Agreement.

3.5 Data Protection Officer (DPO). Nuance has appointed a data protection officer, who can be reached at: Privacy@Nuance.com or by mail (Worldwide) at:

Chief Privacy Officer
Nuance Communications, Inc.
1 Wayside Road
Burlington MA 01803
USA

Or by contacting our representative in the EU at:

Chief Privacy Officer
Nuance Communications Ireland, Ltd
20 Merrion Road
Ballsbridge, Dublin 4
IRELAND


Any changes to this contact information will be published at nuance.com/about-us/company-policies/privacy-policies.html.

3.6 Data Subject Requests. As between the parties, Company shall be responsible for addressing all Data Subject Requests. Nuance shall promptly notify Company if Nuance receives a request from a Data Subject to exercise his or her Data Subject’s rights. Taking into account the nature of the Processing and insofar as possible, Nuance shall assist Company by appropriate technical and organizational measures in fulfilment of Company’s obligations to respond to said Data Subject Request under Data Protection Laws and Regulations. To the extent legally permitted, Company shall be responsible for any costs arising from Nuance’s provision of such assistance.

3.7 Notice of Personal Data Breach. Nuance maintains an Incident Management Policy and shall notify Company within 48 hours of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Company’s Personal Data within Supplier’s scope of responsibility by any of its staff, sub-processors or any other identified or unidentified third party (a “Personal Data Breach”) after Nuance becomes aware with a reasonable degree of certainty that such Personal Data Breach has occurred.

In the event of a Personal Data Breach, Nuance shall make reasonable efforts to identify the cause of such Personal Data Breach and take reasonable steps as Nuance deems necessary and reasonable under industry standards, in order to remediate the cause of such breach to the extent the remediation is within Nuance’s reasonable control, in fulfilling Company’s obligation under GDPR Article 33 or other applicable law or regulation. Nuance shall not be responsible for incidents that are caused by Company or Company’s end users.

3.8 Deletion of Personal Data. Upon Company’s written request, or as reasonably practicable following the termination of this Agreement or the Main Agreement, Nuance shall delete all Personal Data, except to the extent applicable law requires Nuance to continue to store the Personal Data. Company acknowledges that Nuance’s deletion of Personal Data represents compliance with any legal obligation to return Personal Data to Company.

3.9 Audit and Records. Subject to reasonable prior notice from Company, Nuance shall provide Company with reasonable evidence to demonstrate Nuance’s compliance with this Agreement and EU Data Protection Laws and shall allow for and contribute to audits, including inspections, conducted by Company or another auditor mandated by Company. Company’s right of audit under EU Data Protection Laws may be satisfied by Nuance through Nuance providing to Company:

(a) an audit report not older than 18 months by a registered and independent external auditor demonstrating that Nuance’s technical and organizational measures described in Annex 2 are sufficient and in accordance with an accepted industry audit standard such as ISAE 16 SOC 2; and/or

(b) additional information in Nuance’s possession or control to an EU supervisory authority when it requests or requires additional information in relation to the data processing activities carried out by Nuance under this Agreement.

(c) Company shall reimburse Nuance for any time expended for any such on-site audit at Nuance’s then-current professional services rates, which shall be made available to Company upon request. Before the commencement of any such on-site audit, Company and Nuance shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Company shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Nuance. Company shall promptly notify Nuance with information regarding any noncompliance discovered during the course of an audit and allow reasonable time for remediation.

(d) The parties agree that when carrying out audit procedures relevant to the protection of Personal Data, the Company shall take all reasonable measures to limit any impact on Nuance and Nuance’s usual course of business operations and its sub-processors by combining, to the extent reasonably possible, several audit requests carried out on behalf of different Company affiliates authorized by the Company to make audit requests into one single audit.



4. SECURITY

Taking into account the most recent available technology, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Nuance will maintain appropriate technical and organizational protections as set forth in Annex 2 “Technical and Organizational Measures”.




5. SUB-PROCESSING

5.1 Affiliates as Sub-Processors. Company grants a general authorization to Nuance to appoint as sub-processors to support the delivery of the Services any other entities under common ownership and control of Nuance’s parent corporation, Nuance Communications, Inc. (“Affiliates”).

5.2 Cloud Services Sub-Processor. Company grants Nuance a specific authorization to appoint Microsoft Azure as cloud services provider for the Services.

5.3 Other Sub-Processors. Company grants Nuance and Affiliates a general authorization to appoint the following types of sub-processors to support the delivery of the Services: Nuance and its Affiliates’ accountants, auditors and attorneys; consulting firms providing information technology and security advisory and support services; third party data center operators; and providers of outsourced technical support services.

5.4 List Available. A list of all sub-processors approved by Company above is included in Annex 3.

5.5 Sub-processor Changes; Company Right to Object. Nuance will notify Company of the names of any new and replacement sub-processors prior to them beginning sub-processing of Personal Data. Within ten (10) business days of receiving notice of a sub-processor change, Company may object by providing written notice to Nuance. The notice shall describe the basis for Company’s objection, which must have reasonable grounds. Failure to notify an objection during such time period shall constitute waiver of the right to object. If Company gives written notice of objection, Nuance and Company will discuss the objection in good faith to seek to resolve it. If no objection by Company, Annex 3 is deemed amended to include the sub-processor identified in the notice.

5.6 Nuance’s Responsibility. Nuance will require any sub-processor to enter into a written agreement with Nuance to protect Personal Data with substantially similar data protection obligations to those in this Agreement. Nuance shall remain liable to Company for any breach by the sub-processor of its agreement with Nuance; Company’s authorization of the sub-processor does not remove this responsibility.



6. EUROPEAN DATA PROTECTION TERMS

6.1 General Data Protection Regulation (GDPR). As of May 25, 2018, Nuance will process Personal Data in accordance with the GDPR requirements directly applicable to Nuance’s service to the Company.



7. DATA TRANSFERS

7.1 Nuance Transfer. If, in the performance of this Agreement, Nuance transfers any Personal Data outside the EEA (and not to an Adequate Country), Nuance shall ensure that a mechanism to achieve adequacy in respect to the processing is in place, such as:

(a) Nuance maintained EU-US and Swiss-US Privacy Shield Framework

(b) Process ensures the Standard Contractual Clauses, as set forth in Annex 4, are at all relevant times incorporated into the appropriate agreements. Upon request, Nuance will provide to Company for review such copies of agreements, subject to redaction for confidential commercial information not relevant to the requirements under this Agreement.



8. GOVERNING LAW

Without prejudice to the Standard Contractual Clauses the parties to this Agreement hereby submit to the choice of jurisdiction stipulated in the Main Agreement with respect to any material disputes or technical claims howsoever arising under the Main Agreement;

With regard to the subject matter of the Agreement, in the event of inconsistencies between the provisions of the Agreement and any other agreements between the parties, including the Main Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of the Agreement, the provisions of this Agreement shall prevail.

Should any provision of this Agreement be invalid or unenforceable, then the remainder of the Agreement shall remain valid and in force. The invalid or unenforceable provisions shall be either (i) amended as necessary to ensure their validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.



9. MISCELLANEOUS PROVISIONS

9.1 Limitation of Liability. Company’s remedies and Nuance’s liability arising out of or related to this Agreement will be subject to those limitations and exclusions of liability that apply to Company under the Product Agreement to which this Agreement relates. As between the parties, in no event shall Nuance be responsible for any liability arising from Nuance’s compliance with Company’s instructions.

9.2 Order of Precedence. To the extent that any provisions of this Agreement conflict with the Product Agreement, this Agreement shall prevail as to the specific subject matter of such provisions; provided, however, that any limitations and exclusions of liability in the Product Agreement and any indemnification provisions in the Product Agreement shall in any event prevail over any provision of this Agreement.

This Agreement, as signed below, becomes a binding part of the Main Agreement between the parties, effective from the date first set out above.

List of Annexes:

Annex 1 – Data Processing Details

Annex 2 – Description of Technical and Organizational Measures

Annex 3 – Sub-Processor List

Annex 4 – Standard Contractual Clauses