
Data Processing Addendum

 

This Data Processing Addendum (“DPA”) supplements the terms of the Platform Terms of Service (“Terms”) and associated Order Form between Nashville Biosciences, LLC, a Tennessee limited liability company with offices located at 3841 Green Hills Village Dr., Suite 200, Nashville, TN 37215 (“NashBio”) and Customer (as defined in the Terms). This DPA is intended to satisfy legal requirements that may apply to the Parties under Data Protection Laws (defined below). Terms not defined in this DPA will have the meanings given to them in the Terms or the Order Form, as applicable.

 

Section 1 – Definitions

“CCPA” means the California Consumer Privacy Act.
“Controller” means the natural or legal person or other body which alone or jointly with others determines the purposes and means for the Processing of Personal Information.
“Data Protection Laws” means all applicable data protection, data privacy, and cybersecurity laws, rules and regulations anywhere in the world in force from time to time to which Personal Information exchanged under the Agreement is subject. Data Protection Laws may include, but are not limited to, the CCPA and GDPR, and any comparable law.
“Data Subject” means an identified or identifiable natural person to whom Personal Information relates.
“GDPR” means the EU General Data Protection Regulation (GDPR) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Information and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1.
“Personal Information” has the meaning assigned to the terms “personal data” and/or “personal information” under Data Protection Laws and refers to such types of information shared by Customer with NashBio for purposes of the Agreement.
“Process” or “Processing” means any operation or set of operations, which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Security Incident” means an actual event that leads to the unauthorized disclosure of, or access to Customer’s Personal Information.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
“Sub-processor” means any processor engaged by, or on behalf of, NashBio to perform or provide any Processing activities on Personal Information in connection with the Agreement.
“UK Addendum” means the United Kingdom’s International Data Transfer Addendum to the EU Commission form issued by the Information Commissioner’s Office in the United Kingdom and effective as of March 22, 2022 to regulate the transfer of personal data from the United Kingdom, as applicable to international Transfers of Personal Data under this DPA, as currently set out at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf

 

Section 2 – Relationship of the Parties

2.1 NashBio and Customer agree that NashBio is a Processor/Service Provider and Customer is a Controller/Business as those terms are defined under Data Protection Laws.
2.2 NashBio will only Process Personal Information for the purpose of fulfilling the obligations set out in the Agreement and complying with Data Protection Laws. NashBio will not retain, use or disclose Personal Information exchanged under the Agreement for any purpose other than for the purposes set forth in the Agreement.

 

Section 3 – Data Processing Terms

3.1 Processing Requirements.

  • NashBio will provide Customer with information reasonably requested to enable Customer to respond, in accordance with its obligations under Data Protection Laws, to any communications from a Data Subject or supervisory authority that relates to the Processing of the Personal Information under the Agreement.
  • NashBio will notify Customer following receipt of any request received from a Data Subject in relation to the Personal Information under the Agreement.
  • NashBio will inform Customer if it determines that it can no longer meet its obligations under Data Protection Laws.

3.2 Duration. This DPA will remain in effect for as long as NashBio Processes Personal Information pursuant to the Agreement.
3.3 Audits. Customer may request information necessary to evidence NashBio’s obligations under this DPA.
3.4 Subprocessors. Customer provides general authorization to NashBio’s use of sub-processors to provide Processing activities on Customer’s Personal Information on behalf of Customer in accordance with this DPA. NashBio will restrict sub-processors’ access to Customer’s Personal Information to what is necessary to provide or maintain the services under the Agreement. NashBio will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the sub-processors that cause NashBio to breach its obligations under this DPA.
3.5 Compliance Requirements. Each Party will comply with all Data Protection Laws.
3.6 Security Requirements. NashBio will protect the security, confidentiality, integrity and availability of Customer Personal Information through a security program that incorporates reasonable administrative, technical, and physical safeguards.
3.7 Security Incident Notification. NashBio will, without undue delay, and within the period specified by applicable Data Protection Laws, provide notice to Customer of any Security Incident. The Parties agree to cooperate and assist one another in the event of a Security Incident.

 

Section 4 – Data Transfers

4.1 To the extent NashBio must Process Personal Information that is subject to the GDPR or the UK GDPR in connection with the Agreement and such data must be transferred to a country outside the EEA or the UK, unless such transferee country is an Adequate Country (as defined in the GDPR), the Parties agree that the SCCs and UK Addendum will apply in respect of that Processing, and NashBio will comply with the obligations of the ‘data importer’ in the SCCs and UK Addendum and Customer will comply with the obligations of the ‘data controller’ in the SCCs and UK Addendum.

 

Section 5 – General

5.1 This DPA is without prejudice to the rights and obligations of the Parties under the Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail so far as the subject matter concerns the Processing of Personal Information.
5.2 This DPA does not confer any third-party beneficiary rights. It is intended for the benefit of the Parties and their respective permitted successors and assigns only and is not for the benefit of, nor may any provision hereof be enforced by, any other person.
5.3 This DPA shall be governed by and construed in accordance with the laws of the country or territory stipulated for this purpose in the Terms and each of the Parties agrees to submit to the choice of jurisdiction as stipulated in the Terms in respect of any claim or matter arising under this DPA.

 

Last revised: 2024.11.15