Data Protection Agreement

Updated 19th March 2018

Introduction

This Data Protection Agreement “DPA” becomes effective upon the later of i) the acceptance of the Terms of Service or ii) May 25, 2018.

Customer shall make available to Nevis Systems and Customer authorizes Nevis Systems to process information including personal data for the provision of the Services under the Agreement. The parties have agreed to enter into this DPA to confirm the data protection provisions relating to their relationship and so as to meet the requirements of applicable Privacy Laws.

1.  Definitions

1.1  For the purposes of this DPA:

“Nevis Systems Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with Nevis Systems. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity;

“Privacy Laws” means any applicable law relating to data protection and security, including without limitation the EU Data Protection Directive (EU Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data), the Directive on privacy in electronic communications (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector) and the General Data Protection Regulation (Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 94/46/RC) (“GDPR”) and any amendments, replacements or renewals thereof (collectively the “EU Legislation”), all binding national laws implementing the EU Legislation and other binding data protection or data security directives, laws, regulations and rulings valid at the given time, including any guidance and codes of practice issued by the applicable supervisory authority;

“Security Directives” means all agreed applicable security requirements and security instructions and their updates applicable at each time and described in Appendix 1.

The terms “data controller”, “data processor”, “data subject”, “personal data”, “processing” and “appropriate technical and organisational measures” shall have the meanings given to them under applicable Privacy Laws.

2.  Role of the Parties

2.1  The Parties understand that for the provision of the Services a distinction is made between two types of processing of personal data: (i) the provision of platform services (i.e. the database of call data records and the logs created and managed by Nevis Systems on behalf and under the supervision of Customer) for which Nevis Systems will act as a data processor and agrees to comply with the respective obligations set out in Articles 3 – 11, and (ii) the transmission of messages (i.e. A2P SMS) by Nevis Systems and other Service Providers for which Nevis Systems will act as a data controller and agrees to comply with the respective obligations set out in Article 13.

3.  Subject matter, nature and purpose of Nevis Systems’s processing of personal data

3.1  The subject matter, nature and purpose of the processing of personal data under this DPA is Nevis Systems’ performance of the Services pursuant to the Agreement and as further instructed in writing by the Customer in its use of the Services, unless required to do otherwise by Privacy Laws, in which case, to the extent permitted by Privacy Laws, Nevis Systems shall inform the Customer of this legal requirement prior to carrying out the processing. Nevis Systems shall only collect or process personal data for the duration of the Agreement to the extent, and in such a manner, as is necessary for the provision of the Services and in accordance with the Agreement and the Privacy Laws applicable to Nevis Systems in its role as data processor.

3.2  Nevis Systems shall process personal data originating from and sent to a country located in the EU/EEA or Switzerland solely in countries situated in the EU/EEA or Switzerland and shall not cause any cross-border transfer of personal data from a country situated in the EU/EEA or Switzerland to any country situated outside the EU/EEA or Switzerland unless the personal data is transferred to a country approved by the European Commission as providing an adequate level of protection for personal data, or the transfer is made pursuant to European Commission approved standard contractual clauses for the transfer of Personal Data, for which the Customer provides a power of attorney for Nevis Systems to enter into any such European Commission approved standard contractual clauses with a Sub-processor approved as set out in clause 9 in the name and on behalf of the Customer.

4.  Duration

4.1  The processing of personal data will be carried out by Nevis Systems for the duration of the Agreement unless otherwise agreed upon in writing.

5.  Type of personal data processed

5.1  The Customer may submit Customer personal data to the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to the following categories of personal data:

  • Contact information (company, email, phone, physical address)
  • First and last name
  • ID data
  • Title
  • Position
  • Employer
  • Connection data
  • Localisation data

6.  Type of data subjects

6.1  The Customer may submit personal data to the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to, personal data relating to the following categories of data subject:

  • Customers, business partners and vendors of the Customer (who are natural persons)
  • Employees of contact persons of the Customer’s customers, business partners and vendors
  • Employees, agents, advisors, freelancers of the Customer (who are natural persons)
  • Customer’s Service users, including any user of the Services whom the Customer permits to use the Services

7.  Technical and organisational measures

7.1  Nevis Systems has implemented and maintains appropriate technical and organisational measures in accordance with Article 28(3)(c) and Article 32 GDPR, in particular in relation to Article 5(1) and (2) GDPR. Such measures include, but are not limited to, physical and IT measures and organisational measures to protect the personal data processed against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. Such measures are described in the Security Directives and provide a level of security that is appropriate to the risks of the processing, having regard to:

  1. the state of the art technology;
  2. the costs of implementation;
  3. the nature, scope, context and purposes of processing, including the type of personal data; and
  4. the risk to the rights and freedoms of the natural persons to whom the personal data relate.

7.2  The Technical and Organisational Measures are subject to technical progress and further development. In this respect Nevis Systems may implement alternative adequate measures; however, the security level of the defined measures must never be reduced. Major changes must be documented.

8.  Quality assurances and other duties of Nevis Systems

8.1  Nevis Systems shall comply with the mandatory requirements referred to in Articles 28 to 33 GDPR, and ensures in particular compliance with the following requirements:

a) Appoint a data protection officer, who performs his/her duties in compliance with Articles 38 and 39 GDPR. The data protection officer’s contact details are available on Nevis Systems’ web page.

b) Confidentiality in accordance with Article 28(3)(b), Article 29 and Article 32(4) GDPR. Nevis Systems entrusts the data processing outlined in this contract only to employees who have been bound to confidentiality and have previously been familiarised with the data protection provisions relevant to their work. Nevis Systems and any person acting under its authority who has access to personal data shall not process that data except on instructions from the Customer, which include the powers granted in this Amendment, unless required to do so by Privacy Laws.

c) At the Customer’s cost and expense, and taking into account the nature of the processing and the information available to Nevis Systems, provide such information and assistance as the Customer may reasonably require, within the timescales reasonably specified by the Customer, to assist the Customer to comply with its obligations under applicable Privacy Laws, which may include assisting the Customer to:

(i) be notified of any request Nevis Systems receives from a data subject relating to personal data processed;

(ii) comply with its security obligations;

(iii) discharge its obligations to respond to requests relating to the exercise of Data Subject rights, including the right of access, the right to rectification, the right to erasure (“right to be forgotten”) and the right to restriction of processing (to the extent that the personal data is not accessible to the Customer through the Services);

(iv) carry out a Data Protection Impact Assessment and audit Data Protection Impact Assessment compliance; and

(v) consult with the supervisory authority following a Data Protection Impact Assessment.

d) Unless prohibited by applicable law or a legally binding request of law enforcement, Nevis Systems shall promptly notify the Customer of any request by any government official, data protection supervisory authority or law enforcement authority in respect of any personal data;

e) Nevis Systems shall periodically monitor its internal processes and the Security Directives to ensure that processing within Nevis Systems’ area of responsibility is in accordance with the requirements of Privacy Laws and the protection of the rights of the data subject.

9.  Sub-Processors

9.1  The Customer agrees that Nevis Systems may engage Nevis Systems Affiliates or third parties to process personal data in order to assist Nevis Systems to deliver the Services on behalf of the Customer (“Sub-processors”). Nevis Systems has entered or will enter into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA, to the extent applicable to the nature of the Services provided by such Sub-processor. If the Sub-processor performs the Services outside the EU/EEA, Nevis Systems shall ensure that the transfer is made pursuant to European Commission approved standard contractual clauses for the transfer of Personal Data, which the Customer authorises Nevis Systems to enter into on its behalf, or that other appropriate legal data transfer mechanisms are used.

9.2  The current Sub-processors for the Services are set out at https://www.world-text.com/docs/sub-processors.php (the “Sub-processor List”) and the Customer agrees and approves that Nevis Systems has engaged such Sub-processors to process personal data as set out in the list. At https://www.world-text.com/docs/sub-processors.php the Customer may find a mechanism to subscribe to notifications of new Sub-processors for each applicable Service, to which the Customer shall subscribe; if the Customer subscribes, Nevis Systems shall provide notification of any new Sub-processor(s) before authorising the new Sub-processor(s) to process personal data in connection with the provision of the applicable Service.

9.3  Nevis Systems shall notify the Customer, in accordance with the mechanism set out in clause 2, thirty (30) days in advance of any intended changes concerning the addition or replacement of any Sub-processor, during which period the Customer may raise objections to the Sub-processor’s appointment. Any objections must be raised promptly (and in any event no later than fourteen (14) days following Nevis Systems’ notification of the intended changes). Should Nevis Systems choose to retain the objected-to Sub-processor, Nevis Systems will notify the Customer at least fourteen (14) days before authorising the Sub-processor to process personal data, and the Customer may then immediately discontinue using the relevant portion of the Services and may terminate the relevant portion of the Services. Nevis Systems will refund the Customer any prepaid fees covering the remainder of the term of such relevant portion of the Service following the effective date of termination, and there will be no penalty on either party.

9.4  For the avoidance of doubt, where any Sub-processor fails to fulfil its obligations under any sub-processing agreement or under applicable law, Nevis Systems will remain fully liable to the Customer for the fulfilment of its obligations under this DPA.

10.  Audits and inspections

10.1  The Customer agrees that, except as otherwise set out in this provision, Nevis Systems’ ISO 27001/22301 certifications, or comparable industry standards, and then-current International Standards on Auditing (ISAs) audit reports or comparable industry-standard successor reports will be used to satisfy any audit or inspection requests by or on behalf of the Customer, and Nevis Systems shall make such reports available to the Customer on request. In the event that the Customer, a regulator or a data protection authority requires additional information or an audit related to the Services, Nevis Systems agrees to submit its data processing facilities, data files and documentation needed for processing personal data to audit by the Customer (or any third party, such as inspection agents or auditors, selected by the Customer) to ascertain compliance with this DPA, subject to being given reasonable notice, compliance with Nevis Systems’ Security Directives and the auditor entering into a non-disclosure agreement directly with Nevis Systems. Nevis Systems agrees to provide reasonable cooperation to the Customer in the course of such operations, including providing all relevant information and access to all equipment, software, data, files, information systems, etc. used for the performance of the Services, including the processing of personal data. Such audits shall be carried out at the Customer’s cost and expense.

11.  Notification of a data breach

11.1  In the event that Nevis Systems becomes aware of any breach of security that results in the accidental, unauthorised or unlawful destruction of, or unauthorised disclosure of or access to, personal data, Nevis Systems shall, among other things:

a) Notify the Customer in writing immediately, and not later than 36 hours after becoming aware of the breach of security;

b) Assist the Customer with regard to the Customer’s obligation to provide information to the data subject and provide the Customer with relevant information in this regard;

c) Support the Customer in consultations with the data protection authority.

11.2  To the extent legally possible, Nevis Systems may claim compensation for support services under this clause 11 which are not attributable to failures on the part of Nevis Systems.

11.3  Customer shall retain all rights, copyright or other intellectual property rights, title and interest to any and all personal data, including all rights relating to

11.4  Nevis Systems understands and agrees that such personal data constitutes Customer proprietary and Confidential Information.

12.  Deletion and return of personal data

12.1  Upon expiration of the Agreement or in the event of early termination for any reason whatsoever, Nevis Systems and its subcontractors shall promptly provide to the Customer all personal data held by them during the term of the Agreement for the performance of the Services. Upon the Customer’s request, Nevis Systems will destroy copies of personal data held in its systems and confirm this to the Customer in writing, unless required to keep certain personal data in order to comply with applicable laws.

13.  Nevis Systems’ Obligations as Data Controller

13.1  In situations where Nevis Systems will act as a Data Controller, it undertakes to comply with its obligations under applicable Privacy Laws in respect of any Personal Data processed under the Agreement. It shall process such Personal Data in connection with the transmission of messages and to fulfil its associated obligations under the Agreement or as may be required by law, court order or any government or regulatory authority and in accordance with its privacy policy which is available at https://www.world-text.com/docs/privacy-policy.php.

14.  Customer’s Obligations

14.1  The Customer shall comply at all times with applicable Privacy Laws in relation to the processing of personal data in connection with the Agreement and the Services.

15.  Limitation of Liability

15.1  Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA whether in contract, tort or under any other theory of liability, is subject to the Limitation of Liability section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and this DPA.

16.  Security Directives

Description of the technical and organisational measures implemented by Nevis Systems:

Nevis Systems shall implement the measures described in this appendix, provided that the measures directly or indirectly contribute or can contribute to the protection of personal data under the agreement concluded between the Parties for the processing of data. If Nevis Systems believes that a measure is not necessary for the respective Service or part thereof, Nevis Systems will justify this and come to an agreement with the Customer.

The technical and organisational measures are subject to technical progress and development. In this respect Nevis Systems is permitted to implement alternative adequate measures. The level of security must align with industry security best practice and be not less than the measures set forth herein. All major changes are to be agreed with the Customer and documented.

16.1  Risk management

Security risk management

  1. Nevis Systems shall identify and evaluate security risks related to confidentiality, integrity and availability and based on such evaluation implement appropriate technical and organizational measures to ensure a level of security which is appropriate to the risk.
  2. Nevis Systems shall have documented processes and routines for handling risks within its operations.
  3. Nevis Systems shall periodically assess the risks related to information systems and processing, storing and transmitting information.

Security risk management for personal data

  1. Nevis Systems shall identify and evaluate security risks related to confidentiality, integrity and availability and based on such evaluation implement appropriate technical and organizational measures to ensure a level of security which is appropriate to the risk of the specific personal data types and purposes being processed by Nevis Systems, including inter alia as appropriate:
    • The pseudonymisation and encryption of personal data
    • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
    • The ability to restore the availability and access to the Customer’s Data in a timely manner in the event of a physical or technical incident
    • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
  2. Nevis Systems shall have documented processes and routines for handling risks when processing personal data on behalf of the Customer.
  3. Nevis Systems shall periodically assess the risks related to information systems and processing, storing and transmitting personal data.

16.2  Information security policies

16.2.1  Nevis Systems shall have a defined and documented information security management system (ISMS), including an information security policy and procedures, in place, which shall be approved by Nevis Systems’ management. They shall be published within Nevis Systems’ organization and communicated to relevant Nevis Systems Personnel.

16.2.2  Nevis Systems shall periodically review Nevis Systems’ security policies and procedures and update them if required to ensure their compliance with the Security Directives.

16.3  Organisation of information security

  • Nevis Systems shall have defined and documented security roles and responsibilities within its organization.
  • Nevis Systems shall appoint at least one data protection officer who has appropriate security competence and who has an overall responsibility for implementing the security measures under the Security Directives and who will be the contact person for the Customer’s security staff.

16.4  Human resource security

  • Nevis Systems shall ensure that Nevis Systems personnel handle information in accordance with the level of confidentiality required under the Agreement.
  • Nevis Systems shall ensure that relevant Nevis Systems personnel are aware of the approved use (including use restrictions, as the case may be) of information, facilities and systems under the Agreement.
  • Nevis Systems shall ensure that any Nevis Systems personnel performing assignments under the Agreement are trustworthy, meet established security criteria and have been, and during the term of the assignment will continue to be, subject to appropriate screening and background verification.
  • Nevis Systems shall ensure that Nevis Systems personnel with security responsibilities are adequately trained to carry out security-related duties.
  • Nevis Systems shall provide or ensure periodic security awareness training for relevant Nevis Systems personnel. Such Nevis Systems training shall include, without limitation:
    1. How to handle customer information securely (i.e. the protection of the confidentiality, integrity and availability of information);
    2. Why information security is needed to protect customers’ information and systems;
    3. The common types of security threats (such as identity theft, malware, hacking, information leakage and insider threat);
    4. The importance of complying with information security policies and applying associated standards/procedures;
    5. Personal responsibility for information security (such as protecting customer’s privacy-related information and reporting actual and suspected data breaches).

16.5  Access control

  • Nevis Systems shall have a defined and documented access control policy for facilities, sites, network, system, application and information/data access (including physical, logical and remote access controls), an authorisation process for user access and privileges, procedures for revoking access rights and an acceptable use of access privileges for Nevis Systems personnel in place.
  • Nevis Systems shall have a formal and documented user registration and de-registration process implemented to enable assignment of access rights.
  • Nevis Systems shall assign all access privileges based on the principle of need-to-know and principle of least privilege.
  • Nevis Systems shall use strong authentication (multi-factor) for remote access users and users connecting from an untrusted network.
  • Nevis Systems shall ensure that Nevis Systems Personnel have a personal and unique identifier (user ID) and use an appropriate authentication technique which confirms and ensures the identity of users.

16.6  Cryptography

  • Nevis Systems shall ensure proper and effective use of cryptography on information classified as confidential and secret (such as personal data) in accordance with the Customer’s confidentiality classification scheme as directed by the Customer.
  • Nevis Systems shall protect cryptographic keys.

16.7  Physical and environmental security

  • Nevis Systems shall protect information processing facilities against external and environmental threats and hazards, including power/cabling failures and other disruptions caused by failures in supporting utilities. This includes physical perimeter and access protection.
  • Nevis Systems shall protect goods received or sent on behalf of the Customer from theft, manipulation and destruction.

16.8  Admission to the Customer’s premises and the Customer’s leased premises

  • Nevis Systems’ admission to the Customer’s premises and property (such as datacentre buildings, office buildings, technical sites) is subject to the following:
    1. Nevis Systems shall follow local regulations (such as regulations for “restricted areas”) for the Customer’s premises when performing the assignments under the Agreement.
    2. Nevis Systems Personnel shall carry an ID card or a visitor’s badge, visible at all times, when working within the Customer’s premises.
    3. After completing the assignment, or when Nevis Systems personnel are transferred to other tasks, Nevis Systems shall without delay inform the Customer of the change and return any keys, key cards, certificates, visitor’s badges and similar items.
    4. Keys or key cards shall be personally signed for by Nevis Systems personnel and shall be handled according to the written rules given upon receipt.
    5. Loss of the Customer’s key or key card shall be reported without delay to the Customer.
    6. Photographing in or at the Customer’s premises without permission is prohibited.
    7. The Customer’s goods shall not be removed from the Customer’s premises without permission.
    8. Nevis Systems Personnel shall not allow unauthorized persons access to the premises.

16.9  Operations security

  • Nevis Systems shall have an established change management system in place for making changes to business processes, information processing facilities and systems. The change management system shall include tests and reviews before changes are implemented, as well as procedures to handle urgent changes, roll-back procedures to recover from failed changes, and logs that show what has been changed, when and by whom.
  • Nevis Systems shall implement malware protection to ensure that any software used for Nevis Systems’s provision of the Services to the Customer is protected from malware.
  • Nevis Systems shall make backup copies of critical information and test back-up copies to ensure that the information can be restored as agreed with the Customer.
  • Nevis Systems shall log and monitor activities, such as the creation, reading, copying, amendment and deletion of processed data, as well as exceptions, faults and information security events, and regularly review these. Furthermore, Nevis Systems shall protect and store log information (for at least 6 months or such period(s) set by Privacy Laws) and, on request, deliver monitoring data to the Customer. Anomalies, incidents and indicators of compromise shall be reported according to the data breach management requirements as set out in clause 13, below.
  • Nevis Systems shall manage vulnerabilities of all relevant technologies such as operating systems, databases, applications proactively and in a timely manner.
  • Nevis Systems shall establish security baselines (hardening) for all relevant technologies such as operating systems, databases, applications.
  • Nevis Systems shall ensure development is segregated from test and production environment.

16.10  Communications security

  • Nevis Systems shall implement network security controls such as service level, firewalling and segregation to protect information systems.

16.11  System acquisition, development and maintenance (when software development or system development is provided to the Customer by Nevis Systems)

  • Nevis Systems shall implement rules for development lifecycle of software and systems including change and review procedures.
  • Nevis Systems shall test security functionality during development in a controlled environment.

16.12  Nevis Systems relationship with sub-suppliers

  • Nevis Systems shall reflect the content of these Security Directives in its agreements with Sub-processors that perform tasks assigned under the Agreement.
  • Nevis Systems shall regularly monitor, review and audit Sub-processor’s compliance with the Security Directives.
  • Nevis Systems shall, at the request of the Customer, provide the Customer with evidence regarding Sub-processor’s compliance with the Security Directives.

16.13  Data breach management

  • Nevis Systems shall have established procedures for data breach management.
  • Nevis Systems shall inform the Customer about any data breach (including but not limited to incidents in relation to the processing of personal data) as soon as possible but no later than within 36 hours after the data breach has been identified.
  • All reporting of security-related incidents shall be treated as confidential information and be encrypted, using industry standard encryption methods.
  • The data breach report shall contain at least the following information:
    1. The nature of the data breach,
    2. The nature of the personal data affected,
    3. The categories and number of data subjects concerned,
    4. The number of personal data records concerned,
    5. Measures taken to address the data breach,
    6. The possible consequences and adverse effect of the data breach, and
    7. Any other information the Customer is required to report to the relevant regulator or data subject.
  • To the extent legally possible, Nevis Systems may claim compensation for support services under this clause 13 which are not attributable to failures on the part of Nevis Systems.

16.14  Business continuity management

  • Nevis Systems shall identify business continuity risks and take necessary actions to control and mitigate such risks.
  • Nevis Systems shall have documented processes and routines for handling business continuity.
  • Nevis Systems shall ensure that information security is embedded into the business continuity plans.
  • Nevis Systems shall periodically assess the efficiency of its business continuity management, and compliance with availability requirements (if any).
