Data processing terms

Data processing agreement

Last Modified February 2, 2020

This Data Processing Agreement (this “Agreement”) is made upon acceptance of the Hosted Services Agreement (the “Main Agreement”) between the entity accepting the terms of the Agreement (“Company”); and Nuance Communications, Inc., Nuance Ireland Limited, Nuance India Pvt. Ltd., or any other entity that directly or indirectly controls, is controlled by, or is under common control with Nuance Communications, Inc. (as applicable, “Nuance” or “Processor”), each a “party” and together the “parties.”



RECITALS

(A) Nuance and Company have entered into one or more agreements (referred to collectively as the “Product Agreement”) under which Nuance supplies certain hosted products and/or services (“Services”) to Company from time to time as detailed in the existing agreement (“Main Agreement”).

(B) The parties have agreed that in order for Nuance to perform its obligations pursuant to such Main Agreement, it will be necessary for Nuance to Process certain personal data in respect of which Company will be a data controller, or acting on behalf of the data controller, for the purposes of this agreement under and subject to the Data Protection Laws (as defined below).

(C) The parties have agreed to enter into this overarching Agreement in order to address the compliance obligations imposed upon Company pursuant to Data Protection Laws, and to ensure that adequate safeguards are put in place with respect to the protection of such personal data.

(D) If the Company has signed a Master Agreement, but the Master Agreement does not include a Data Processing Agreement as required by applicable law, the Services shall be subject to the Main Agreement and this Agreement hereby incorporated by reference.



1. DEFINITIONS

The following expressions are used in this Agreement. In the event the definitions herein differ from the Master Agreement relating to data protection, this Agreement shall prevail as to the specific subject matter of such definition.

(a) “Service” refers to the application, product or services and other activities to be supplied or carried out by or on behalf of Company/Company Affiliate pursuant to the Main Agreement.

(b) “Data Subject Request” means a request from or on behalf of a data subject relating to access of, or the rectification of, erasure of or data portability of that person’s Personal Data or an objection from or on behalf of a data subject to the processing of his or her Personal Data.

(c) “Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area, their member states, the United Kingdom and Switzerland, applicable to the processing of Personal Data under the Main Agreement, including but not limited to the GDPR and the UK Data Protection Act 2018.

(d) “GDPR” means Regulation (EU) 2016/79 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (known as the General Data Protection Regulation).

(e) “EU Standard Contractual Clauses” means the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR, pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010.

(f) “Personal Data” means all data defined as personal data under Data Protection Laws that is provided by Company to Nuance and sub-processors, or is accessed, stored or otherwise processed by Nuance and sub-processors in connection with the Services.

(g) “Personal Data Breach” means a personal data breach as defined under Data Protection Laws that is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data within Nuance’s scope of responsibility by any of its staff, sub-processors or any other identified or unidentified third party after Nuance becomes aware with a reasonable degree of certainty that such personal data breach has occurred.

(h) “Adequate Country” means a country, territory, or specified sectors within a country and international organization published by European Commission in the Official Journal of the European Union for which it has decided that an adequate level of protection is ensured.

(i) “Processing”, “Controller”, “Data Controller”, “Processor”, “Data Processor”, “Data Subject”, and “Supervisory Authority” or “National Authority” shall have the meanings given to them by Data Protection Laws.



2. STATUS OF THE PARTIES

2.1 Company is the data controller and Nuance is the data processor. Accordingly, Company grants Nuance the right to process the Personal Data for the purposes of providing the Services to Company. Nuance agrees that it shall process all Personal Data in accordance with its obligations in performing the Services pursuant to this Agreement and the Main Agreement.



3. PROCESSING REQUIREMENTS

3.1 Data Processing Details. Company, as data controller, will determine the scope, purposes, and manner by which the Personal Data may be accessed or processed by Nuance, including the transfer by Nuance of Company Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Main Agreement. The type of Personal Data processed pursuant to this Agreement as well as the subject matter, nature and purpose of the processing, the Data Subjects involved, and the location(s) and duration of the processing (details required by GDPR Article 28(3)) are as described in the Data Processing Details.

3.2 Processing under Control of Controller. Nuance shall only process the Personal Data to provide the Services and shall act only in accordance with Company’s documented instructions to the extent appropriate for the provision of the Services, and except as required to comply with a legal obligation to which Nuance is subject. Company’s individual instructions on processing of Personal Data shall be as detailed in the Main Agreement and this Agreement. To fully optimize the speech recognition, digital dictation and communication abilities of the Services, the data controller instructs Nuance and its sub-processors and affiliated companies to use, compile (including creating statistical and other models), annotate and otherwise analyze the Personal Data to operate, maintain, tune, enhance, improve and provide technical support services for the speech recognition, natural language understanding and other Nuance software and technologies that are embodied in the Services. Personal Data processing instructions can be modified, amended or replaced through an amendment to this Agreement through the established change control process. Instructions not foreseen in or covered by the Main Agreement or this Agreement shall be treated as requests for amendments to this Agreement. If applicable law requires Nuance to process Personal Data other than that pursuant to Company’s instruction, Nuance will notify Company as reasonably practicable, unless prohibited from doing so by applicable law. Nuance shall, as soon as reasonably practicable upon becoming aware, inform Company if, in Nuance’s opinion, any instructions provided by Company will lead to infringement of Data Protection Laws.

3.3 Confidentiality. Without prejudice to any existing contractual arrangements between the parties, Nuance shall treat all Personal Data as strictly confidential. Nuance shall take appropriate steps so that only authorized personnel who are subject to binding obligations of confidentiality, either contractual or statutory, will have access to the Personal Data. Termination or expiration of this Agreement shall not discharge Nuance from its confidentiality obligations.

3.4 Limitation of Access. Nuance will ensure the performance of the Services according to this agreement is limited to the personnel performing the Service under the Main Agreement.

3.5 Data Protection Officer (DPO). Nuance has appointed a data protection officer, who can be reached at: Privacy@Nuance.com or by mail (Worldwide) at:

Chief Privacy Officer
Nuance Communications, Inc.
1 Wayside Road
Burlington MA 01803
USA

Or by contacting our representative in the EU at:

Chief Privacy Officer
Nuance Communications Ireland, Ltd
20 Merrion Road
Ballsbridge, Dublin 4
IRELAND

Any changes to this contact information will be published at Nuance privacy policies.

3.6 Data Subject Notices. For Personal Data that is provided to Nuance by Company under the Agreement, Company is responsible for providing any notices and information required by Data Protection Laws to be given at the time of collection, including, but not limited to, notice with respect to:

i) Sharing of Personal Data with data processors as permitted by Section 5 below;

ii) Transfer of Personal Data to Nuance’s affiliated companies and Service Providers overseas, to the United States, the United Kingdom, Canada, India and the Philippines, in order to operate, maintain, tune, enhance, improve and provide technical support services for the speech recognition, natural language understanding, and other Nuance software and technologies that are embodied in the Hosted Services delivered to Company. Nuance shall also comply with the transfer requirements set forth in Section 6 below.

3.7 Data Subject Requests. As between the parties, Company shall be responsible for addressing all Data Subject Requests. Nuance shall promptly notify Company if Nuance receives a request from a Data Subject to exercise his or her Data Subject’s rights. Taking into account the nature of the Processing and insofar as possible, Nuance shall assist Company by appropriate technical and organizational measures in fulfilment of Company’s obligations to respond to said Data Subject Request under Data Protection Laws. To the extent legally permitted, Company shall be responsible for any costs arising from Nuance’s provision of such assistance.

3.8 Notice of Personal Data Breach. Nuance maintains an Incident Management Policy and shall notify Company of any Personal Data Breach without undue delay.

In the event of a Personal Data Breach, Nuance shall make reasonable efforts to identify the cause of such Personal Data Breach and take reasonable steps as Nuance deems necessary and reasonable under industry standards, in order to remediate the cause of such breach to the extent the remediation is within Nuance’s reasonable control, in fulfilling Company’s obligation under Data Protection Laws. Nuance shall not be responsible for incidents that are caused by Company or Company’s end users.

3.9 Deletion of Personal Data. Upon Company’s written request, or as reasonably practicable following the termination of this Agreement or the Main Agreement, Nuance shall delete all Personal Data, except to the extent applicable law requires Nuance to continue to store the Personal Data. Company acknowledges that Nuance’s deletion of Personal Data represents compliance with any legal obligation to return Personal Data to Company.

3.10 Audit and Records. Subject to reasonable prior notice from Company, Nuance shall provide Company with reasonable evidence to demonstrate Nuance’s compliance with this Agreement and Data Protection Laws and shall allow for and contribute to audits, including inspections, conducted by Company or another auditor mandated by Company. Company’s right of audit under Data Protection Laws may be satisfied by Nuance through Nuance providing to Company:

(a) an audit report not older than 18 months by a registered and independent external auditor demonstrating that Nuance’s technical and organizational measures described in the Description of Technical and Organizational Measures are sufficient and in accordance with an accepted industry audit standard such as ISAE 16 SOC 2; and/or

(b) additional information in Nuance’s possession or control to a Supervisory Authority when it requests or requires additional information in relation to the data processing activities carried out by Nuance under this Agreement.

(c) If Nuance is unable to provide the information in (a) and (b) above, Company may audit Nuance’s control practices, including on-site at Nuance’s facilities. Company shall reimburse Nuance for any time expended for any such on-site audit at Nuance’s then-current professional services rates, which shall be made available to Company upon request. Before the commencement of any such on-site audit, Company and Nuance shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Company shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Nuance. Company shall promptly notify Nuance with information regarding any noncompliance discovered during the course of an audit and allow reasonable time for remediation.

(d) The parties agree that when carrying out audit procedures relevant to the protection of Personal Data, the Company shall take all reasonable measures to limit any impact on Nuance and Nuance’s usual course of business operations and its sub-processors by combining, to the extent reasonably possible, several audit requests carried out on behalf of different Company affiliates authorized by the Company to make audit requests into one single audit.



4. SECURITY

Taking into account the most recent available technology, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Nuance will maintain appropriate technical and organizational protections as set forth in the Description of Technical and Organizational Measures.



5. SUB-PROCESSING

5.1 Affiliates as Sub-Processors. Company grants a general authorization to Nuance to appoint as sub-processors to support the delivery of the Services any other entities under common ownership and control of Nuance’s parent corporation, Nuance Communications, Inc. (“Affiliates”).

5.2 Cloud Services Sub-Processor. Company grants Nuance a specific authorization to appoint Microsoft Azure as cloud services provider for the Services.

5.3 Other Sub-Processors. Company grants Nuance and Affiliates a general authorization to appoint the following types of sub-processors to support the delivery of the Services: Nuance and its Affiliates’ accountants, auditors and attorneys; consulting firms providing information technology and security advisory and support services; third party data center operators.

5.4 List Available. A list of all sub-processors approved by Company above is included in the Sub‑Processor List.

5.5 Sub-processor Changes; Company Right to Object. Nuance will notify Company of the names of any new and replacement sub-processors prior to them beginning sub-processing of Personal Data. Within ten (10) business days of receiving notice of a sub-processor change, Company may object by providing written notice to Nuance. The notice shall describe the basis for Company’s objection, which must have reasonable grounds. Failure to notify an objection during such time period shall constitute waiver of the right to object. If Company gives written notice of objection, Nuance and Company will discuss the objection in good faith to seek to resolve it. If Company does not object, the Sub-Processor List is deemed amended to include the sub-processor identified in the notice.

5.6 Nuance’s Responsibility. Nuance will require any sub-processor to enter into a written agreement with Nuance to protect Personal Data with substantially similar data protection obligations to those in this Agreement. Nuance shall remain liable to Company for any breach by the sub-processor of its agreement with Nuance; Company’s authorization of the sub-processor does not remove this responsibility.



6. DATA TRANSFERS

6.1 Nuance Hosting Location. Nuance provides, operates, and maintains the Nuance Hosted Services Center in the locations described in the Data Processing Details to support the operation of the Hosted Services.

6.2 Transfers outside the UK or EEA. Company acknowledges that Nuance may transfer Personal Data to Affiliates and other sub-processors operating outside the UK or EEA, as described in Section 3.6. If, in the performance of this Agreement, Nuance transfers any Personal Data outside the UK or EEA (and not to an Adequate Country), Nuance shall ensure that a mechanism to achieve adequacy in respect to the processing is in place, such as:

(a) The requirement that the sub-processor be certified under EU-US and Swiss-US Privacy Shield Framework.

(b) The requirement for Nuance to execute, for itself and/or on behalf of Company, Standard Contractual Clauses, as set forth in the EU Standard Contractual Clauses. Upon request, Nuance will provide to Company for review such copies of agreements, subject to redaction for confidential commercial information not relevant to the requirements under this Agreement. Company authorizes Nuance and its Affiliates to enter into Standard Contractual Clauses consistent with this Data Processing Agreement on behalf of Company.

(c) The existence of any other specifically approved safeguard for data transfer under Data Protection Laws or a European Commission finding of adequacy.



7. GOVERNING LAW

Without prejudice to the Standard Contractual Clauses, this Agreement shall be governed by and construed in all respects in accordance with the laws of Ireland and the parties to this Agreement hereby submit to the exclusive jurisdiction of the courts of Ireland in respect of any dispute arising under or in relation to this Agreement.

Should any provision of this Agreement be invalid or unenforceable, then the remainder of the Agreement shall remain valid and in force. The invalid or unenforceable provisions shall be either (i) amended as necessary to ensure their validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.



8. PROVISIONS

8.1 Limitation of Liability. Company’s remedies and Nuance’s liability arising out of or related to this Agreement will be subject to those limitations and exclusions of liability that apply to Company under the Product Agreement to which this Agreement relates. As between the parties, in no event shall Nuance be responsible for any liability arising from Nuance’s compliance with Company’s instructions.

8.2 Order of Precedence. To the extent that any provisions of this Agreement conflict with any provisions in the Product Agreement and/or the Main Agreement relating to data protection, this Agreement shall prevail as to the specific subject matter of such provisions; provided, however, that any limitations and exclusions of liability in the Product Agreement and/or the Main Agreement (as the case may be) and any indemnification provisions in the Product Agreement and/or the Main Agreement (as the case may be) shall in any event prevail over any provision of this Agreement. If Nuance provides this Agreement in more than one language for the country of your billing address, and there is a discrepancy between the English text and the translated text, the English text will govern.



The following additional terms are part of this Agreement, and are incorporated herein.

Data Processing Details

Description of Technical and Organizational Measures

Sub-Processor List

EU Standard Contractual Clauses




Previous Versions

June 12, 2018