Data Processing Agreement

ANNEX III

 

This Data Processing Agreement (“DPA”) forms Annex III to the Noxus Software License Agreement (“Agreement”) between Spot-Technologies Limited (“Noxus” or “Processor”) and the Customer (“Controller”).

 

Hereafter jointly referred to as the "Parties".

 

WHEREAS:

I.The Customer has entered into a Software License Agreement (the “Agreement”) with Spot-Technologies Limited (“Noxus” or the “Processor”), under which Noxus provides access to the Noxus AI Platform and related Services.
II.The performance of the Agreement and the delivery of such Services by Noxus may involve the Processing of Personal Data by Noxus on behalf of the Customer.
III.The Parties acknowledge and agree that, for the purposes of Applicable Data Protection Laws, the Customer acts as the Controller and Noxus acts as the Processor.
IV.The Parties wish to set forth their respective rights and obligations regarding the Processing of Personal Data by Noxus on behalf of the Customer, in accordance with all Applicable Data Protection Laws.

 

The Parties enter into this DPA, which is regulated by the following clauses:

 

1.Definitions
Capitalized terms not defined herein have the meaning set forth in the Agreement.
1.1.“Applicable Data Protection Laws” means all laws, regulations, and other legally binding requirements relating to the Processing of Personal Data that apply to the Parties in connection with the performance of this Agreement. This includes, without limitation, the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK Data Protection Act, the California Consumer Privacy Act (“CCPA”), and any other similar national, federal, state, or local laws, rules, or regulations relating to privacy and data protection.
1.2.“Personal Data” shall mean as described in the Applicable Data Protection Laws and shall include, without limitation, any data or information that relates to an identified or identifiable natural person.
1.3.“Processing”, “Data Subject”, “Controller”, “Processor”, and “Supervisory Authority” shall have the meanings given to them in Applicable Data Protection Laws.

 

2.Description of the Processing
2.1.Customer’s Processing of Personal Data. Customer, as Controller, is solely responsible for ensuring that its use of the Software, including any collection, storage, or other Processing of Personal Data through or in connection with the Software, is conducted in full compliance with all Applicable Data Protection Laws. Customer acknowledges that, while Noxus provides the Software and may formally Process certain categories of Personal Data as described in this DPA, the Customer and its users have the ability to build solutions within the Software that may Process any type of information, including Personal Data, at their discretion, thereby determining the scope, nature, and categories of Personal Data Processed.
2.2.Instructions. Noxus shall process Personal Data only on documented instructions from the Controller, unless required to do so by Applicable Laws to which the Processor is subject. In this case, Noxus shall inform the Controller of that legal requirement before Processing, unless the Applicable Laws prohibit this on important grounds of public interest. Subsequent instructions may also be given by the Controller throughout the duration of the Processing of Personal Data. These instructions shall always be documented.
2.3.Purpose Limitation. Noxus shall process the Personal Data only for the specific purpose(s) of the Processing, as set out in Sections 2.4 and 2.5, unless it receives further Instructions from the Controller.
2.4.Processing Activities. Noxus will Process Personal Data as necessary to perform the Agreement and applicable Order Forms.
2.5.Nature and Purpose of the Processing. The Processing to be carried out may include, as applicable, the following operations on Controller’s Personal Data: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The purpose of the Processing is the provision of Services by Noxus pursuant to the Agreement and instructed by the Controller in this DPA.
2.6.Categories of Data Subjects. The Processing may include, as applicable, Personal Data in connection with the Agreement of the following categories of Data Subjects: employees or representatives of the Controller, Controller’s users authorized by the Controller, business partners, and any other Data Subjects whose Personal Data is submitted to the Software by the Controller.
2.7.Categories of Personal Data. Controller may submit Personal Data to Noxus, the extent of which is determined and controlled by Controller in its sole discretion, and which may include, as applicable, but is not limited to, the following categories of Personal Data: identification data, contact data, professional data, credential data, and any other categories of Personal Data that the Controller chooses to Process through the Software. Noxus does not determine or limit the categories of Personal Data that may be Processed by the Controller within the Software.
2.8.Duration of the Processing. The Processing shall be carried out for the duration of the Agreement, unless otherwise agreed upon in writing by the Parties.

 

3.Assistance to the Controller
3.1.Data Subjects’ Rights. Noxus shall promptly notify the Controller of any request it has received from the Data Subject. It shall not respond to the request itself, unless authorized to do so by the Controller. The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subjects’ requests to exercise their rights, taking into account the nature of the Processing.
3.2.Documentation and Compliance. Noxus shall, where necessary and upon request, reasonably cooperate and assist the Controller in ensuring compliance with the following obligations, taking into account the nature of the Processing and the information available to the Processor:
(a)the obligation to deal promptly and adequately with inquiries from the Controller about the Processing of Personal Data in accordance with this DPA;
(b)the obligation to carry out an assessment of the impact of the envisaged Processing operations on the protection of Personal Data (a ‘data protection impact assessment’) where a type of Processing is likely to result in a high risk to the rights and freedoms of natural persons;
(c)the obligation to consult the competent supervisory authority/ies prior to Processing where a data protection impact assessment indicates that the Processing would result in a high risk in the absence of measures taken by the Controller to mitigate the risk;
(d)the obligation to ensure that Personal Data is accurate and up to date, by informing the Controller without delay if the Processor becomes aware that the Personal Data it is Processing is inaccurate or has become outdated;
(e)the obligation to make available to the Controller all information necessary to demonstrate compliance with the obligations that are set out in this DPA and stem directly from Applicable Data Protection Laws.
3.3.Audits. Noxus will facilitate audits relating to the Processing of Personal Data under the Agreement. Noxus shall, on a regular basis, conduct audits or obtain certifications relevant to its information security and data protection practices, and will make available to the Controller, upon request, the resulting audit reports or applicable certifications, subject to reasonable confidentiality and distribution restrictions imposed by Noxus and any involved auditors. If the Controller’s audit obligations under Applicable Data Protection Laws cannot reasonably be fulfilled through the review of such audit reports or certifications, the Controller may request to conduct an audit of Noxus’s Processing activities relating to the Controller’s Personal Data under the Agreement. The Controller must provide Noxus with reasonable advance written notice of any such audit or inspection (which shall be no less than thirty (30) days, unless a shorter period is required by a competent supervisory authority or Applicable Law). The Parties will cooperate in good faith to agree on the scope, methodology, timing, and duration of the audit, ensuring minimal disruption to Noxus’s business operations, and subject to Noxus’s reasonable confidentiality and security requirements. For the avoidance of doubt, the Controller shall bear all third-party costs associated with any audit initiated by or on behalf of the Controller.

 

4.Use of Sub-Processors
4.1.General Authorization. Noxus has the Controller’s general authorization for the engagement of Sub-Processors from an agreed list (hereinafter “Sub-Processors List” specified in Appendix A).
4.2.Governance. Where Noxus engages a sub-Processor for carrying out specific Processing activities (on behalf of the Controller), it shall do so by way of a contract which imposes on the Sub-Processor, in substance, the same data protection obligations as the ones imposed on the Processor in accordance with this DPA. Noxus shall ensure that the Sub-Processor complies with the obligations to which the Processor is subject pursuant to this DPA and to Applicable Data Protection Laws.
4.3.Right to Object. Noxus shall specifically inform in writing the Controller of any intended changes of the Sub-Processors List through the addition or replacement of Sub-Processors at least thirty (30) days in advance, thereby giving the Controller sufficient time to be able to object to such changes prior to the engagement of the concerned Sub-Processor(s). Noxus shall provide the Controller with the information necessary to enable the Controller to exercise the right to object. Upon receiving notice of a proposed change to the Sub-Processor list, the Controller will have thirty (30) days from the date of notification to raise any reasonable and objectively justified objections to the engagement of the new or replacement Sub-Processor. Any objection must be submitted in writing and include the specific grounds for the objection, based on legitimate data protection concerns. If the Controller submits a timely and substantiated objection, both Parties will engage in good faith discussions to seek a mutually acceptable, commercially reasonable solution.
4.4.Third-Party Providers. If Controller subscribes to any Third-Party services, even if they have some interaction with the Software, Controller shall perform its own due diligence from a data protection and security perspective. Said Third-Party Providers are not qualified as Sub-Processors for the purposes of this DPA and Noxus is not liable for the Processing of Controller’s Personal Data by any Third-Party Providers.
4.5.Noxus Liability. Noxus shall remain fully responsible to the Controller for the performance of the Sub-Processor’s obligations in accordance with its contract with Noxus. Noxus shall notify the Controller of any failure by the Sub-Processor to fulfil its contractual obligations.

 

5.Use of Third-Party Providers
5.1.Third-Party AI Models. For the performance of the Agreement, Noxus may use artificial intelligence models provided by third parties (“Third-Party Providers”).
5.2.Third-Party Providers List. The list of AI Third-Party Providers, as well as descriptions of the models, terms of use, and Customer obligations, shall be set forth in Appendix B to this DPA, which will be updated as necessary.
5.3.Customer’s Liability. Customer is responsible for ensuring compliance with the terms of use of the Third-Party Providers, including obtaining any required licenses and adhering to any restrictions imposed by the Third-Party Providers.

 

6.International Data Transfers
6.1.Restriction. Noxus agrees that no Personal Data Processed on behalf of the Controller shall be Processed outside the EU/EEA except in accordance with the requirements set forth in this Agreement and Applicable Data Protection Laws. In particular, any such transfer of Personal Data shall only occur where an adequate transfer mechanism is in place, including but not limited to: (a) the existence of an Adequacy Decision from the competent supervisory authorities; or, in the absence of such an Adequacy Decision, (b) the implementation and adoption of Standard Contractual Clauses or other appropriate safeguards as recognized by the competent supervisory authorities.
6.2.Transfers by Sub-Processors. Noxus shall ensure that any Sub-Processor engaged for Processing activities, where those Processing activities involve a transfer of Personal Data, is contractually bound to comply with the same data protection obligations as set out in this DPA, and that such Processing is carried out in a manner that ensures the ongoing protection, confidentiality, and integrity of the Personal Data in accordance with the Applicable Data Protection Laws and the terms of this DPA. Noxus shall include in the Sub-Processors List information regarding International Data Transfers.

 

7.Security of Processing
7.1.Personnel. Noxus ensures that its personnel who have access to or Process Controller’s Personal Data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
7.2.Technical and Organizational Measures. Noxus shall implement the technical and organizational measures adequate to ensure the security of the Personal Data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to the data (Personal Data Breach), including, but not limited to, the pseudonymization and encryption of Personal Data, the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems and services, the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident, a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing. In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing and the risks involved for the data subjects.
7.3.Security Program. Notwithstanding the provisions set forth in the Agreement, Noxus maintains a comprehensive information security program designed to protect the confidentiality, integrity, and availability of all data processed in connection with this Agreement. Noxus is in the process of finalizing audits for ISO/IEC 27001, SOC 2 Type 1 and 2, and HIPAA compliance applicable to its operations relevant to the Software. Upon completion of these audits and receipt of the relevant certifications, Noxus will provide Customer with evidence of its current certifications upon reasonable request.

 

8.Data Breach
8.1.Cooperation. In the event of a Personal Data Breach, Noxus shall cooperate with and assist the Controller in complying with its obligations under Applicable Data Protection Laws, where applicable, taking into account the nature of Processing and the information available to Noxus.
8.2.Notification. In the event of a Personal Data Breach concerning data processed by the Processor, the Processor shall notify the Controller without undue delay after having become aware of the Breach. Such notification shall contain, at least:
(a)a description of the nature of the Breach (including, where possible, the categories and approximate number of Data Subjects and data records concerned);
(b)the details of a contact point where more information concerning the Personal Data Breach can be obtained;
(c)its likely consequences and the measures taken or proposed to be taken to address the Breach, including to mitigate its possible adverse effects.
8.3.Information Availability. Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

 

9.Deletion or Return

Following termination of the Agreement, Noxus shall, at the choice of the Controller, delete all Personal Data processed on behalf of the Controller and certify to the Controller that it has done so, or return all the Personal Data to the Controller and delete existing copies, unless Applicable Laws require storage of the Personal Data.

 

10.Liability

The total liability of each Party and its Affiliates, collectively, for any claims related to this DPA and Noxus, whether based on contract, tort, or any other legal theory, is governed by the Limitation of Liability Section of the main Agreement. This means that any reference to a Party's liability in that Section includes the combined liability of that Party and all its Affiliates under both the Agreement and all DPAs.

 

11.General Provisions
11.1.Governing Law and Jurisdiction. This DPA shall be governed by, and construed and enforced in accordance with, the governing clause established in the Agreement, excluding the rules regarding the conflict of laws. In the absence of a governing clause, the governing law applicable to Noxus, as determined by the place of its registered office, shall prevail.
11.2.Counterparts. This DPA may be executed in several counterparts, signed electronically, or transmitted via facsimile, PDF, or other reliable means, and still be considered an original and all of which, collectively, constitute this Agreement.
11.3.Notices. Any notice, consent, approval, or other communication intended to have legal effect to be given under this Agreement (“Notices”) must be in writing and will be delivered (as elected by the Party giving such notice): (a) if provided to Noxus, by email to privacy@noxus.ai, or if provided to Customer, to the email address of the Customer provided in the Order Form; (b) by registered mail; or (c) by overnight courier with proof of signature upon delivery. Unless otherwise provided in this Agreement, all Notices will be deemed effective on the date of receipt (or if delivery is refused, the date of such refusal) if delivered by registered mail and at 9.00 am of the next business day after the date of the transmission by email. Notices under this Agreement will be sent to the contact and addresses set forth in the signature sections of this Agreement and/or in the applicable Order Form. Either Party may change the address to which Notices shall be sent by giving Notice to the other Party in the manner herein provided. Notices shall be written in the English language.
11.4.Severability. If for any reason a court of competent jurisdiction finds any provision of this DPA, or portion thereof, to be unenforceable, that provision of the DPA will be enforced to the maximum extent permissible so as to effect the intent of the Parties, and the remainder of this DPA or of the provision will continue in full force and effect, except to the extent such invalid provision or part of provision relates to essential aspects of the DPA. The Parties agree that such provision or portion thereof shall be substituted by a provision with an equivalent legal and economic effect.

APPENDIX A

NOXUS SUB-PROCESSORS LIST

 

Currently, Noxus has engaged the following Sub-Processors:

 

| Company | Address / Location | Purpose |
| --- | --- | --- |
| Google Cloud Platform | Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland | Core Hosting / Cloud Services Platform |
| Serper API | SerpApi, LLC, 5540 N Lamar Blvd #12, Austin, TX 78751 | Web Search API Services |
| Anthropic | Anthropic Ireland, Limited, 7/29 Orwell Road, Rathgar, Dublin 6, Ireland | AI LLM services |
| Google | Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland | AI LLM services |
| Mistral AI | Mistral AI is a French company incorporated in Paris, under number 952 418 325, having its registered offices at 15 rue des Halles, 75001 Paris | AI LLM services |
| Stripe | Stripe Payments Europe, Limited, 3 Dublin Landings, North Wall Quay, Dublin 1, D01 C4E0, Ireland | Payment Processor |
| Revolut | REVOLUT LTD, 7 Westferry Circus, Canary Wharf, London, England, E14 4HD | Payment Processor |
| Cloudflare | Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107 | Network protection |

 

APPENDIX B

THIRD-PARTY PROVIDERS

 

LLM: Anthropic Models, Google Models, Mistral Models
Company: Google Cloud Platform
Description:
Noxus has entered into a with Google. Noxus uses Google Cloud Platform services based on the . In these terms, Google has committed not to use customer data for training or improving AI/ML models without prior customer consent.
Accordingly, Google also states in a from Google Cloud and in a that Google Cloud, by default, does not use customer data to train its foundation models: "Customers can use Google Cloud's foundation models knowing that their prompts, responses, and any adapter model training data aren't used for the training of foundation models."
Additionally, Noxus has entered into a with Google Cloud, which governs data processing by Google Cloud. In the Service Terms, Google Cloud also assures that if the customer chooses a specific region or multi-region as the data location, Google will store the customer data only in that selected region or multi-region.

 

Copyright ©2025, Noxus. All rights reserved.
