NordPass Business and NordLocker Business

Data Processing Agreement

NordLayer

General Privacy Policy

Effective from: November 3, 2022

  1. NOTICE TO END USERS
    1. PROCESSING OF PERSONAL DATA – NORD AS DATA CONTROLLER
      • Personal information. In order to conclude and perform a business agreement with the Customer, we may process Customer’s representatives’ contact information (full name, telephone number, and/or email address) and professional information (position, represented entity’s information).
      • Payment data. If you have provided payment information to us, such as basic billing information belonging to a natural person (date of purchase, IP address, postal (ZIP) code, billing address, credit card owner’s full name, and credit card information, its expiration date, subscription details), we will process this information (i) to verify payment information and prevent fraudulent payments for the Services; (ii) to collect payments to the extent that doing so is necessary to complete a transaction.
      • Country details. When you make a purchase as a natural individual, we process information on the country where the purchase takes place. This information is necessary for VAT calculation purposes.
      • Access logs. To ensure Website support and security we collect access logs, such as your IP address, operating system, and browser information. This information is essential for fighting DDoS attacks, scanning, and similar hacking attempts. We also use this information to help us to better design our site, help diagnose problems with our server, and administer our Website.
      • Information received from analytics service providers. To analyze and improve our Website and users’ experience, we use analytics service providers (e.g., Google Analytics) to help us collect aggregated information that does not directly identify you, but provides us with various statistics, such as which pages visitors visit the most and for how long they stay there. We may also see the following: your device’s IP address, device type, browser information, geographic location (country only), preferred language, the title of the page being viewed, screen size and resolution, out links, referrers, page and website speed. For the collection of such information, our service providers mostly use cookies.
      • Cookies. Cookies, pixels, and other similar technologies are usually small text or image files that are placed on your device when you visit our Website. Some cookies are essential for our Website to operate smoothly; others are used to improve the Website’s functionality, analyze aggregated usage statistics to improve the Website’s performance, and for advertising purposes. Our Website may include social media features, such as the Facebook like and/or share buttons, to help you share our content more easily. These features may collect information about your IP address and which page you are visiting on our Website, and they may set a cookie to make sure the feature functions properly. We also use affiliate cookies to identify the Customers referred to our Website by our partners so that we can grant the referrers their commission. You can check what cookies we use in our Cookie Policy.
      • Communication optimization data. We use various tools to help us optimize our email campaigns. These tools may track actions you perform with an email, such as open rates, click-through rates or unsubscribes from further communication. We may also be able to see the user device’s operating system (e.g., Windows, Mac, iOS, Android), End User custom properties (such as user status, email, member level, which organization the End User belongs to, etc.), End User events (such as the End User’s account creation date) and country in order to optimize push and email notifications and automatically set the language.
      • Social media. When you interact with us via social media, we may process information available on your social media profile, also your inquiry or post information, and other information you provide us with.
      • Other communication means. When you contact us to inquire about our Services, we process your full name, email address, entity’s information you contact on behalf of (if provided), and/or other information you provide us with.
      • Information related to marketing activities. We may receive certain data about you (i) directly from you, if you subscribe to marketing communications, complete surveys, or sign up for our events or webinars, publicly available material prepared by Nord or (ii) from certain advertisers and other partners which we use for advertising purposes. Those partners help us deliver more relevant ads and promotional messages to you, which may include interest-based advertising (also known as online behavioral advertising) and account-based advertising. We may also receive your personal data from the organizers of events that you and Nord participate in, or promotions that we sponsor or participate in. Such data may include your contact and professional data (e.g., name, company, position, email address, preferences, and/or interests), cookie id, mobile device id, and inferences about your interests and preferences. We use this information in order to send you offers, surveys, and other marketing content (in line with applicable law) and to manage your participation in our events or seminars. You can easily opt-out of future marketing communications using the opt-out link provided in the emails sent to you.
      • Referrals data. Participation in referral programs maintained by Nord requires referrers to submit personal data (e.g., full name, e-mail address, phone number, relationship with the referred party) about themselves and a referred party so that we can (i) reach out to the referred party; (ii) contact referrers with regard to their participation in referral programs and/or provision of rewards. It is the referrer’s responsibility to abide by applicable privacy laws when disclosing third parties’ personal data to Nord, including informing third parties that they are providing referred parties’ personal data to Nord and how it will be used and processed. Referred parties may unsubscribe from any future communication at any time. If you believe that one of your contacts has provided us with your personal data and you would like it to be removed from our database, please contact us as provided below (Section "Contact Us").
      1. GROUNDS FOR PROCESSING OF PERSONAL DATA
        • To fulfill contractual obligations. The information provided might be required for the performance of a contract, i.e., (i) to provide Services and customer support; (ii) to process your purchase transactions; (iii) to ensure the secure, reliable, and robust performance of our Services and Website.
        • To ensure legal obligation. We might be required to use your information as per legal requirements, e.g., to keep and process records for tax purposes and accounting.
        • Your consent. We might use your information where you have given your consent to us, i.e., (i) to send marketing communication (unless applicable law permits us to contact you without prior consent); (ii) to communicate with you and manage your participation in our contests, offers, referrals, or promotions. Please note that although we may also process your personal data for marketing purposes when applicable law permits us to contact you without your separate consent, if you choose not to receive marketing communication from us (i.e., if you opt out), we will honor your request.
        • Legitimate interest. We sometimes may process your personal data under the legitimate interest, i.e., (i) to properly administer business communication with you; (ii) to detect, prevent, or otherwise address fraud, abuse, security, or technical issues with our Services and Websites; (iii) to protect against harm to the rights, property, and safety of Nord, our Customers, End Users, or third parties; (iv) to improve or maintain our Services and provide new products and features; (v) to receive knowledge of how our Website and application are being used.
        1. SHARING YOUR PERSONAL DATA
          1. CHOICES RELATED TO YOUR PERSONAL DATA
            • Delete: request us to erase your personal data;
            • Access: know and access personal data Nord has collected about you;
            • Rectify: rectify, correct, update, or complement inaccurate/incomplete personal data Nord has about you;
            • Object: object to the processing of your personal data which is done on the basis of our legitimate interests (e.g., for marketing purposes);
            • Portability: request us to provide you with a copy of your personal data in a structured, commonly used and machine-readable format or to transmit (if technically feasible) your personal data to another controller (only where our processing is based on your consent, and carried out by automated means);
            • Restrict: restrict the processing of your personal data (when there is a legal basis for that);
            • Withdraw consent: withdraw your consent where processing is based on the consent you have previously provided;
            • Lodge a complaint: exercise your rights by contacting us directly or, if all else fails, by lodging a complaint with a supervisory authority.
            1. DATA SECURITY
              • Physical Measures. We control access to our facilities with access cards. We also use security alarm systems and CCTV. We store devices with personal data information only in locked rooms or cabinets. Our printers are protected by access control measures. A clean desk policy is implemented.
              • Technical Measures. We use layered defense with firewalls, anti-malware protection, intrusion detection, and prevention systems. Our infrastructure is regularly updated and regular vulnerability scans are in place to detect possible vulnerabilities. We have security event and incident management solutions to correlate and investigate signals in security tools. Servers are hardened and automated configuration tools are used to manage them. All workplaces are managed from a centralized endpoint management tool. Data at rest and in transit are encrypted. Encryption protocols are used according to the newest security practices.
              • Organizational Measures. We adopted information security and data processing policies according to best practices. We have external audits to prove our information security and data processing policies are up to standards. We adopted a constant development culture of security and data protection awareness among our employees (including organizing regular and ongoing training and other awareness activities). We analyze the threat landscape and attack surface and constantly update our security measures. Access to databases containing personal data is granted on a need-to-know basis.
              1. DATA RETENTION

                For more information about specific retention periods, please reach out to us at [email protected].

                1. COUNTRY-SPECIFIC PROVISIONS

                  For users in European Economic Area ("EEA")

                  For users in California

                  1. MINORS’ DATA
                    1. CONTACT US
                      • until December 31, 2022: nordvpn s.a., PH F&F TOWER, 50th Street & 56th Street, Suite #32-D, Floor 32, Panama City, Republic of Panama.
                      • from January 1, 2023: Nord Security Inc., Americas Towers, 1177 6th Avenue, 5th FLR, New York, NY 10036, United States of America.
                      1. OTHER TERMS