Last Updated: May 20, 2024
This Data Processing Addendum (“DPA”) is a part of Nomad’s Terms of Service, and sets forth the parties’ rights and obligations in respect of the processing of Company in relation to the Nomad Services, to the extent that the same is subject to Applicable Privacy and Data Protection Laws.
If there is any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail. If there is any conflict between the Standard Contractual Clauses and the terms of this DPA, the Standard Contractual Clauses shall prevail.
1. Definitions
1.1 “Agreement” means subscription purchase, together with Nomad’s Terms of Service, available at https://www.workwithnomad.com/terms-conditions, unless there is a separately negotiated agreement for Nomad Services between you and Nomad, then “Agreement” means that agreement.
1.2 “Applicable Privacy and Data Protection Laws” means collectively all local privacy and data protection laws, rules, and regulations that apply to the parties with regard to the processing of Personal Data in connection with the Agreement, including, only to the extent applicable and when legally effective (including those that come into effect after the “Last Updated” date above): the California Consumer Privacy Act (including as amended by the California Privacy Rights Act of 2020) (“CCPA”); the European Union’s General Data Protection Regulation (“GDPR”); and the United Kingdom’s General Data Protection Regulation (“UK GDPR”).
1.3 “Company,” “you,” and “your” means the Nomad customer that has entered into the Agreement for Nomad Services.
1.4 “Company User” means a Data Subject for whom Company initiates and administers a Nomad account, Data Subjects acting on behalf of Company to administer the Nomad Service, and users of the LinkedIn platform (https://linkedin.com, further referred to as “LinkedIn”) whose data is being searched, collected and structured on Nomad Services.
1.5 “Company User Data” means the Personal Data of Company Users that is submitted to Nomad in connection with the Nomad Services.
1.6 “Controller” means the party that controls the purposes and means of processing, and shall include ‘controller’, ‘business’, and other similar terms under Applicable Privacy and Data Protection Laws.
1.7 “Data Subject” means ‘data subject’, ‘consumer’, or similar terms under Applicable Privacy and Data Protection Laws.
1.8 “Nomad Services” means the Nomad-branded online platform and other services provided by Nomad pursuant to subscription purchase, or other, by Company and that involves the transfer of Company User Data to Nomad.
1.9 “Personal Data” means all ‘personal data’, ‘personal information’, or similar terms under Applicable Privacy and Data Protection Laws.
1.10 “Processor” means a party that processes Personal Data on behalf of another party, and shall include ‘processor’, ‘service provider’, and other similar terms under Applicable Privacy and Data Protection Laws.
1.11 “Sensitive Data” means ‘sensitive personal information’, ‘sensitive data’, ‘special categories of personal data’, and Personal Data similarly classified under Applicable Privacy and Data Protection Laws.
1.12 “Standard Contractual Clauses” means the standard contractual clauses approved pursuant to the European Commission’s decision (EU) 2021/914 of 4 June 2021, populated in accordance with Section 8 of this DPA. For transfers of Personal Data subject to UK GDPR, the Standard Contractual Clauses also include the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the “UK Addendum”), populated in accordance with Section 8 of this DPA.
1.13 “Nomad” means, for the purpose of this DPA, Nomad Digital Agency, DBA Nomad Growth Consulting, https://www.workwithnomad.com/.
1.14 The terms “commercial purpose”, “personal data breach”, “process”, “sell”, “share”, and their cognates shall have the same meaning as under Applicable Privacy and Data Protection Laws.
2. Roles
2.1. To the extent Company User Data is subject to Applicable Privacy and Data Protection Laws, the parties agree that with respect to processing Company User Data in the provision of the Nomad Services, Company is the Controller, and Nomad is a Processor.
2.2. Company acknowledges and agrees that notwithstanding Section 2.1, Nomad and its affiliates may collect and process certain data directly from Data Subjects in their capacity as users of other Nomad Services. Though these Data Subjects may also be Company Users, Nomad acts as a Controller for Personal Data collected or submitted outside of the Nomad Services.
2.3. The parties agree and acknowledge that the subject matter and details of processing are set out in Annex I.
3. Terms of Processing by Nomad
3.1. Nomad agrees that it will:
3.1.1. Process Company User Data only (a) for the provision of the Nomad Services to Company according to the written instructions set forth in the Agreement or as otherwise instructed by Company, and (b) as permitted as a Processor under Applicable Privacy and Data Protection Laws (collectively, the “Agreed Purposes”);
3.1.2. Ensure that anyone acting on its behalf will process Company User Data according to the provisions of this DPA and applicable data protection regulations, and is bound by an appropriate obligation of confidentiality;
3.1.3. Notify Company if Nomad becomes aware of any circumstance which would prevent it from fulfilling Company’s instructions under this DPA;
3.1.4. Notify Company if Nomad becomes aware that any applicable law or regulation prevents it from fulfilling the instructions received from Company and its obligations under this DPA;
3.1.5. Notify Company within the time period required by Applicable Privacy and Data Protection Laws if it determines it can no longer meet its obligations under Applicable Privacy and Data Protection Laws and allow Company to take reasonable and appropriate steps to stop and remediate unauthorised processing of Company User Data;
3.1.6. Upon Company’s request, provide information to reasonably enable Company to conduct and document data protection assessments; and
3.1.7. To the extent required under Applicable Privacy and Data Protection Laws, not more than once annually, allow and cooperate with reasonable assessments by Company or its designated assessor, to conduct an assessment of Nomad’s technical and organisational measures in support of the obligations under Applicable Privacy and Data Protection Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments, and subject to reasonable access and confidentiality restrictions. If Nomad engages its own assessor, it shall provide a summary report to Company upon request, which shall satisfy Nomad’s obligations under this Section 3.1.7.
3.2. Subject to Section 3.1.1., Nomad will not:
3.2.1. Sell or share the Company User Data;
3.2.2. Retain, use or disclose the Company User Data for any purpose other than the Agreed Purposes;
3.2.3. Retain, use or disclose the Company User Data outside of the direct business relationship between Company and Nomad; or
3.2.4. Combine Company User Data with Personal Data Nomad receives from other customers.
4. Terms of Processing by Company
4.1. Company agrees that it will:
4.1.1. Collect, use and process Company User Data in accordance with Applicable Privacy and Data Protection Laws, including obtaining any necessary consents, licences, and approvals;
4.1.2. Have sole responsibility for the accuracy, quality, and legality of Company User Data and the means by which it was obtained; and
4.1.3. Not submit to Nomad or otherwise cause Nomad to Process any Sensitive Data. Without limiting Sections 4.1.1. and 4.1.2., Company acknowledges that Nomad will not assess the contents of Company User Data to identify information subject to any specific legal requirements.
5. Security & Compliance
5.1. Nomad shall implement reasonable technical, organisational and security measures to protect the privacy and security of the Company User Data.
5.2. Nomad shall assist Company, within reasonable timetables, by the appropriate measures and as reasonably possible (considering the nature of the processing and the information available to Nomad), in complying with its obligations under Articles 32 to 36 of the GDPR.
5.3. Any storage and/or transfer of Company User Data by Company to any third party or platform other than Nomad shall be at the sole risk and responsibility of Company.
5.4. If Nomad becomes aware of any personal data breach affecting Company User Data, Nomad will, without undue delay, provide notification to Company in accordance with applicable regulations. Nomad’s notification of a personal data breach will not be deemed as an acknowledgement by Nomad of any fault or liability with respect to such incident. In the event of a personal data breach, Company shall be obligated to take the measures required under applicable laws in connection with its Company User Data. Where requested, Nomad will assist Company with communicating with regulators regarding the personal data breach.
5.5. Upon reasonable written request, Nomad will make available to Company information necessary to demonstrate compliance with its obligations under this DPA and applicable law.
6. Sub-processors
6.1. Nomad is hereby generally authorised by Company to engage any sub-processor, provided that Nomad shall (i) ensure in each case that the sub-processor is bound by data protection obligations that are substantially the same as, and in any event no less onerous than those contained in this DPA; and (ii) subject to the terms of the Agreement (including but not limited to any limitations on liability agreed therein), remain fully liable to Company for the performance of that sub-processor’s obligations. For a list of current sub-processors, see Annex III.
6.2. Nomad shall notify Company of any intended changes concerning the addition or replacement of sub-processors, thereby giving Company the opportunity to object to such changes. Notice will be provided by email to the email address(es) submitted by Company. If Company objects to any sub-processing by Nomad, Company should immediately discontinue its use of the Nomad Services.
7. Individual Rights Requests
7.1. To the extent required under Applicable Privacy and Data Protection Laws, Nomad will take appropriate measures to assist Company in complying with its obligations under Applicable Privacy and Data Protection Laws in responding to Data Subject rights requests.
7.2. Nomad will notify Company when it receives a Data Subject rights request for erasure or access to information directed towards Company User Data. Company shall provide direction to Nomad regarding whether to fulfil such request.
8. International Transfers
8.1. Standard Contractual Clauses
8.1.1. Company understands and agrees that Nomad operates the Nomad Service primarily from the United States and as such, Company User Data will be transferred from Company’s location and/or the applicable Data Subject’s location to Nomad in the United States. Nomad will ensure such transfers are made in compliance with Applicable Privacy and Data Protection Law, including by relying on the Standard Contractual Clauses (Module 2: Transfer Controller to Processor), which are hereby incorporated into this DPA, and which are deemed to be completed, populated and incorporated as follows:
Clause 7: the optional clause is included;
Clause 11(a): the optional clause is disregarded;
Clause 13(a): For the competent supervisory authority, insert the Information Commissioner’s Office of UK;
Clause 17: the governing law shall be that of England and Wales; and
Clause 18: any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of England and Wales.
8.1.2. Company and Nomad agree that subscription purchase will constitute and have effect as signature of Annex IA and Annex II of the Standard Contractual Clauses in relation to any transfers falling within Section 8.1.1. that are required in relation to the Nomad Services, and which are set out in a relevant, fully and appropriately populated version of Annex I, Annex II and Annex III (below) to the Standard Contractual Clauses together (where applicable) with the UK Addendum.
8.2. Supplementary Measures. If Nomad receives an order from any third party for compelled disclosure of Personal Data that has been transferred using the Standard Contractual Clauses, Nomad will:
8.2.1. Use every reasonable effort to redirect the third party to request the data directly from Company;
8.2.2. Promptly notify Company, unless prohibited by law;
8.2.3. Request a reasonable extension of time from the third party to allow Company to evaluate the request; and
8.2.4. Use all lawful efforts to challenge the order for disclosure on the basis of any legal deficiencies or conflicts with the laws of the EU, Switzerland, UK or applicable EU member state law.
If, after exhausting these steps, Nomad remains compelled to disclose Personal Data to a third party, Nomad will disclose only the minimum necessary to satisfy the request.
8.3. Transfers from the UK. In relation to Personal Data that is protected by the UK GDPR, the UK Addendum will apply, completed as follows:
8.3.1. The EU SCCs shall also apply to transfers of such Personal Data, subject to sub-Section below;
8.3.2. Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out above in Section 8.1.1 of this Addendum, and the option “neither party” shall be deemed checked in Table 4. The start date of the UK Addendum (as set out in Table 1) shall be the date of this Addendum.
9. Term and Termination
9.1. This DPA shall be in effect for as long as Company uses any of the Nomad Services, provided however, that where Nomad is obligated, according to the terms of this DPA or any of Nomad’s Terms & Conditions, to retain Company User Data following the termination or expiration of the Nomad Services, this DPA shall continue to be in effect for as long as Nomad holds such data.
9.2. Upon termination or expiration of the Agreement, and unless Nomad has a lawful basis to retain such Company User Data under Nomad’s Terms & Conditions, any agreement or applicable law, Nomad shall enable Company, through its admin account, to delete the Company User Data. If Company does not take any action to delete, Nomad will delete it when retention is no longer necessary for the purposes for which it was collected or required to be retained under applicable law.
9.3. Nomad shall have the right to amend and/or adjust any of the terms of this DPA as may be required from time-to-time, in order to comply with any applicable laws or regulations.
9.4. Any questions regarding this DPA or requests from Company to support the fulfilment of Data Subject rights requests should be addressed to info@workwithnomad.com. Nomad will attempt to resolve any complaints regarding the use of Company User Data in accordance with this DPA and Nomad’s Terms & Conditions.
9.5. In the event of inconsistency with the terms of this DPA and any other agreement between the parties, the terms of this DPA shall prevail.
Annex I: Details of the Processing
A. List of Parties
B. Description of Transfer
C. Purpose of processing and Personal data categories
D. Competent Supervisory Authority
UK’s Information Commissioner’s Office
Annex II: Technical and Organizational Measures to Ensure the Security of the Data
Nomad maintains internal Information Security and Privacy Policies. These policies include standards for information security management as required by the EU’s General Data Protection Regulation (GDPR) and other privacy or data security laws, regulations, or standards. The following spotlight controls demonstrate Nomad's information security framework:
Monitoring of API endpoints;
Limitation and management of access rights to personal data;
SSH protocol for accessing LinkedIn login data;
Database encryption at-rest;
VPN for accessing servers;
Secure (https://) connection;
Compliance with password protection and management, access control policies;
Usage of antivirus software and firewalls;
Employees are aware of and trained on their respective data protection responsibilities;
Regular back-ups of the data processed.
Annex III: Sub-Processors
The Controller has provided a general authorization for use of sub-processors per Section 6.1 of the DPA. The Sub-processors currently engaged by Processor and authorized by Controller are: