Older versions:NordPass Business Data Processing Agreement as updated on 27/09/21
NB! Starting from January 1, 2023, the provider of NordPass Business and NordLocker Business Services changes from nordvpn s.a. (address: PH F&F TOWER, 50th Street & 56th Street, Suite #32-D, Floor 32, Panama City, Republic of Panama) to Nord Security Inc. (address: One Rockefeller Plaza, 11th Floor, New York, NY 10020, United States of America). The current provider, nordvpn s.a., will cease to provide the mentioned Services on December 31, 2022.
By acquiring Services on or after the date indicated by "Effective from" above,Customers explicitly agree and consent to the change of the contracting party on Nord’s side from nordvpn s.a. to Nord Security Inc., and instruct the current data processor nordvpn s.a. to transfer Customers’ Personal Data to the new data processor Nord Security Inc. for further provision of Services, as of January 1, 2023, without any additional notice.
Customers that acquired Services before the date indicated by "Effective from" above have to provide their consent to the mentioned change of contracting party until December 27, 2022, in order to continue using Services after January 1, 2023. If the Customer does not timely provide its consent, the Customer’s (and its end users) access to the Services will be terminated from January 1, 2023 (with the right to request a refund for the unused part of the current Subscription Period by contacting customer support until January 31, 2023).
This Data Processing Agreement ("DPA") is an integral part of the Terms of Service of Nord Services ("Terms") concluded between the Customer and Nord (hereinafter collectively referred to as the "Parties"). The main purpose of this DPA is to define how Nord processes data on behalf and under the Customer’s instructions while providing the Services.
means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Customer’s Personal Data
means all Customer’s personal data in whatever form or medium which is (i) supplied to, or in respect of which access to the Nord is granted by the Customer or otherwise in connection with the Terms, or (ii) produced or generated by or on behalf of the Customer in connection with the Terms.
means the European Economic Area.
Data Protection Laws
means all applicable worldwide legislation relating to data protection and privacy which applies to the respective Party in the role of processing Personal Data in question under this DPA, including, without limitation, European data protection laws: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (hereinafter, the "GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); (iii) the GDPR as it forms parts of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (hereinafter, the "UK GDPR"); regulations of the United States of America, including the California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.100 et. seq., and its implementing regulations (hereinafter, the "CCPA"), applicable to the processing of the Personal Data (or an analogous variation of such term); other applicable data protection and privacy laws.
means standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Commission implementing decision 2021/914 of 4 June 2021) as updated or replaced from time to time. The current version of the SCCs (i.e., applicable at the time of the conclusion of this DPA) is available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
means an International Data Transfer Addendum to the SCCs approved by the UK as updated or replaced from time to time. The current version of the Addendum to the SCCs (i.e., applicable at the time of the conclusion of this DPA) is available at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/.
Description and Instructions for Processing
Purpose and nature of the processing
|To provide the Services to the Customer as provided in the Terms or as instructed by the Customer.|
Categories of the data subjects
|Customer’s end users of the Services, including Customer’s employees, representatives, contractors, customers, and any other natural persons that are authorized by and/or receive access to the Services through the Customer.|
Categories of the Personal Data
|Basic organization contact information, account registration and login information, user emails, information on user roles and status, invites, referrals, passwords’ status, health and breach information, basic device information (e.g., device name, device ID, IP address, OS, platform), activity and email logs, authentication attempts, metadata about items in the vault (e.g., deleted at, last used at, type, pending shares, access rights), application diagnostics.||Basic organization contact information, account registration and login information, user emails, information on user roles and status, invites, referrals, basic device information (e.g., device name, device ID, IP address, OS, platform), activity and email logs, authentication attempts, metadata about items in the vault (e.g., deleted at, last used at, type, pending shares, access rights), application diagnostics.|
Duration and frequency of the processing
|The processing is performed on a continuous basis for the period of providing the Services to the Customer.|
The subject matter, nature, and duration of the processing by sub- processors
|Sub-processors are an integral part of the Services provided to the Customer. Sub-processors are used in all stages of providing the Service and the Customer’s Personal Data is processed for as long as it is needed to provide the Service.|
Description of the TOMs implemented by Nord
Control of Assets in Server Infrastructure
Vulnerability Assessment and Remediation
Data Recovery Capability
Control of Software and Hardware Assets in HR
The TOMs to be taken by sub-processors
|Nord implements technical and organizational measures to ensure that security practices upheld by its sub-processors are not less protective than those provided in the DPA with respect to the protection of the Customer’s Personal Data (to the extent applicable depending on the nature of the services provided by a sub- processor).|
The SCCs and European Transfers Agreement
CCPA Data Protection Addendum