Data Processing Agreement

16 May 2024

  1. Background

    1. In the course of performance of the Services, Natterbox will process Relevant Personal Data and the Parties agree that the terms of this Addendum shall govern such Processing.

    2. This Addendum forms part of and is incorporated into the Master Agreement (as defined below) entered into between Natterbox and the Client on the Effective Date.

    3. The terms of the Master Agreement apply in full to this Addendum, however in case of any conflict or inconsistency between the terms of this Addendum and the Master Agreement, the terms of this Addendum shall take precedence.

  2. Definitions

    1. In this Addendum, unless the context otherwise requires, the following terms shall have the following meanings:

      Call Logs

      In relation to any call or communication using the Services means, any data that constitutes traffic data as defined in the Privacy and Electronic Communications (EC Directive) Regulations 2003.

      Client Personal Data

      Personal Data for which Client is the Data Controller and which Natterbox Processes on Client's behalf as a Data Processor to provide the Services to Client.

      Data Protection Laws

      means any applicable laws and regulations in any applicable jurisdiction from which the Services are provided relating to the Processing of Personal Data including: (i) the GDPR; (ii) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR (including, in the UK, the UK GDPR and Data Protection Act 2018 ("DPA")); (iii) any laws and regulations implementing or made pursuant to EU Directive 2002/58/EC (as amended by 2009/136/EC) (including, in the United Kingdom, the Privacy and Electronic Communications (EC Directive) Regulations 2003), in each case, as updated, amended or replaced from time to time.

      Enquiry

      means any request, complaint, investigation, notice or communication from a Data Subject or a Supervisory Authority.

      Master Agreement

      means the Master Services Agreement or Subscription Services Agreement (as applicable) entered into by Natterbox and Client for the provision of the Services.

      Derived Data

      means data derived or generated by Natterbox as part of the Services that is not information directly supplied or provided by the Client (such as call statistics, call metadata analytics, call quality metrics, etc).

      Relevant Personal Data

      means Personal Data that Client or a User discloses to Natterbox or which may be accessed or generated by Natterbox in the course of performance of the Services including Client Personal Data and, to the extent they are Personal Data, Call Logs and Natterbox Derived Data.

      Sub-Processor(s)

      a sub-contractor or supplier of Natterbox which Processes Client Personal Data on Natterbox's behalf in performance of the Services.

    2. Any other capitalised terms used in this Addendum shall have the same meaning as defined in the Master Agreement.

  3. General

    1. In respect of Relevant Personal Data, each Party shall (and shall ensure that their personnel shall) cooperate with the other Party and provide such information and assistance as the other Party may reasonably require to enable that Party:

      1. to comply with their obligations under Data Protection Laws;

      2. to deal with and respond to any Enquiry; and

      3. to demonstrate the Party's compliance with this Addendum and clause 7 of the Master Agreement.

    2. If a Party receives an Enquiry which relates directly to its sharing of Relevant Personal Data pursuant to this Agreement, or to the other Party’s compliance with any Data Protection Laws, it shall notify the other Party as soon as reasonably practicable.

    3. Subject to paragraph 3.2, no Party shall take any action in relation to any Enquiry where it relates to the other Party’s Processing of Relevant Personal Data as a Data Controller without prior written notice to the other Party and providing the other Party with a reasonable opportunity to contribute to the response to mitigate the impact of the action on the other Party.

    4. Except as provided otherwise in this Addendum, any request to Natterbox under this Addendum shall be made to privacy@natterbox.com.

  4. Data Processor obligations

    1. To the extent that Natterbox Processes any Client Personal Data on behalf of Client, each Party shall comply with its respective obligations set out in this paragraph 4.

    2. Natterbox shall process Client Personal Data only upon Client’s lawful written instructions exclusively set out in the Master Agreement unless it is otherwise required by applicable law (in which case, unless such law prohibits such notification on important grounds of public interest, Natterbox shall notify Client of the relevant legal requirement before processing the relevant Client Personal Data). Such Processing shall be in respect of the types of Personal Data, categories of Data Subjects, nature and purposes and durations set out in Annex A of this Addendum.

    3. Client provides Natterbox general authorisation for the engagement of sub-processors from an agreed list. Sub-processors perform the Services as defined in Annex A to this Addendum including any suppliers, advisors, contractors and auditors. Natterbox shall maintain a list of all current Sub-processors at https://docs.natterbox.com/docs/natterbox-sub-processors. Natterbox will also notify Client of proposed changes by email to a Client-nominated email address twenty-one (21) days prior to the engagement of a new or replacement Sub-processor. If a change of Sub-processor is likely to cause material detriment to Client, Client may object (in writing to the relevant address for notices set out in the Master Agreement or email to legal@natterbox.com) within ten (10) days with documented reasons, provided that such objection must be on reasonable, substantial grounds, directly related to such new Sub-Processor's ability to comply with substantially similar obligations to those set out in this Addendum. If the Parties are unable to come to a resolution within thirty (30) days after such notice of objection, then Client may, by thirty (30) days' notice in writing to Natterbox, terminate those Services which cannot be provided by Natterbox without the use of the new or replacement Sub-processor in accordance with the Master Agreement. If Client does not so object, the engagement of the new Sub-Processor shall be deemed accepted by Client.

    4. Natterbox shall only share Client Personal Data with Sub-processors or transfer Client Personal Data to any country outside the European Economic Area and/or the United Kingdom, provided that:

      1. Natterbox procures that GDPR requirements applicable in respect of any such transfer are complied with including, where applicable, that such transfer is subject to International Data Transfer Agreements approved by the UK Information Commissioner's Office for the transfer of Personal Data to Data Processors established in third countries; and

      2. Natterbox ensures that any Sub-processor is under substantially similar data protection obligations as between Natterbox and Client as set out in this Addendum.

    5. Client acknowledges and agrees that for compliance with paragraph 4.4.1, Natterbox will enter into UK Information Commissioner's Office International Data Transfer Agreements with sub-processors when required.

    6. Appointment of any Sub-processor by Natterbox shall not relieve Natterbox of any of its liabilities, responsibilities or obligations to Client under this Addendum and Natterbox shall remain liable for the acts and omissions of its Sub-processors.

    7. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing, Natterbox shall implement technical and organisational measures and procedures to ensure a level of security for Client Personal Data appropriate to the risk as required by the GDPR, in particular to safeguard Client Personal Data against any unlawful or unauthorised: access, loss, destruction, theft, use or disclosure.

    8. Natterbox shall take reasonable steps to ensure that its employees who are authorised to have access to Client Personal Data are committed to confidentiality or are under an appropriate statutory obligation of confidentiality when Processing Client Personal Data.

    9. Natterbox shall make available to Client all information necessary to demonstrate compliance with its obligations under this Addendum, and allow Client to conduct an audit of Natterbox's compliance with its obligations under this Addendum, subject to the following requirements:

      1. Client may perform such audits once per year, or more frequently if required by the Data Protection Laws applicable to the Client;

      2. Client may use a third party to perform the audit on its behalf, provided that such third party executes a confidentiality agreement acceptable to Natterbox before the audit;

      3. audits must be conducted during regular business hours, subject to Natterbox's policies, and may not unreasonably interfere with Natterbox's business activities;

      4. Client must provide Natterbox with any audit reports generated in connection with any audit at no charge unless prohibited by law. Client may use the audit reports only for the purposes of meeting its audit requirements under the Data Protection Laws and/or confirming compliance with the requirements of this Addendum. The audit reports shall be confidential;

      5. to request an audit, Client must first submit a detailed audit plan to Natterbox at least 6 weeks in advance of the proposed audit date. The audit plan must describe the proposed scope, duration, requirements, form and start date of the audit. Natterbox will review the audit plan and inform Client of any concerns or questions (for example, any request for information that could compromise Natterbox's confidentiality obligations or its security, privacy, employment or other relevant policies). Natterbox will work cooperatively with Client to agree a final audit plan;

      6. nothing in this clause 4.9 shall require Natterbox to breach any duties of confidentiality owed to any of its clients or employees; and

      7. all audits are at Client's sole cost and expense.

    10. Natterbox shall inform Client without undue delay upon becoming aware of any Personal Data Breach in respect of Client Personal Data whilst within Natterbox’s or any of its Sub-processors' possession or control.

    11. Subject to paragraph 4.12, and except as required by applicable law or in order to defend any actual or possible legal claims, on termination of the Master Agreement, Natterbox shall, as Client so directs, either return to Client all Client Personal Data and copies thereof in its possession; or delete all Client Personal Data as soon as practicable.

    12. Natterbox will cooperate with all valid and lawful requests by a Data Subject to exercise its rights as detailed in the GDPR or other applicable Data Protection Laws in respect of Client Personal Data and where such requests are sent directly to Natterbox rather than Client, Natterbox shall redirect the Data Subject to submit their request to Client as soon as reasonably practicable.

    13. Notwithstanding any other provision of the Master Agreement or this Addendum, Client acknowledges and agrees that: (a) as a registered telecommunications operator, Natterbox is subject to national and international telecommunications laws and regulations that require certain Relevant Personal Data such as Client records and Call Logs to be maintained for security and regulatory purposes; and (b) accordingly Natterbox shall not be obliged to comply with Client or Data Subject deletion requests in these circumstances.

Annex A - Data Processing Details

In this addendum, "Operational Call Logs" and "Client Call Logs" mean call data records containing the information referred to against each name in the "Types of Personal Data" section below.

SCOPE OF PROCESSING

Natterbox provides global telephony and data services to route and connect inbound and outbound telephone calls and to transfer recordings and information about those calls into the Customer’s Salesforce CRM system and other storage services.

NATURE OF PROCESSING

General:

The provision of marketing, sales, support, operational and managerial information to support business activities.

Platform:

  1. Configuration and storage of call routing and call management policies to facilitate call routing between global telecoms carriers.

  2. Using information from the caller and the Client’s CRM to route and manage calls in real time.

  3. Telephony call connection and termination.

  4. Facilitating two-way audio and media for telephone conversations.

  5. Gathering and processing Operational Call Logs to produce Client Call Logs containing call meta-data and information about calls.

  6. Transferring Client Call Logs to Client’s CRM system.

  7. Gathering, processing and storing voicemails.

  8. Gathering, processing and storing call data and metrics from Operational Call Logs for billing, system analytics, regulatory retention and system management.

  9. Diagnosing call connection issues on notification to customers using network traces at an audio and signalling level.

Feature dependent, based on product options:

  1. When using Natterbox’s recording service - gathering, processing and storing call recordings within Amazon’s third-party storage servers.

  2. When using Natterbox’s SMS service - gathering, sending, processing and storing SMS messages.

  3. When using Natterbox’s Insight call analytics services - call transcription and post-processing of call recordings to create business intelligence and insights for Client.

  4. When using Natterbox’s PCI payment service module - diverting call flows to PCI Compliant Service Providers.

PURPOSE OF PROCESSING

To provide business services and facilitate advanced telephony and data services with integration into CRM and other third party systems.

LOCATION OF PROCESSING

Natterbox maintains a list of Sub-processors at https://docs.natterbox.com/docs/natterbox-sub-processors

To provide a secure and reliable telecoms service where calls can be routed with minimum latency between callers in any global locations, Natterbox data centres and services are distributed globally within both global AWS services and a private cloud infrastructure housed geographically in dedicated secure racks inside commercially run tier 1/2 data centres.

All data centres are SOC 1 or ISO27001 compliant and provide solely co-location facilities for Natterbox network equipment. No other suppliers or sub-processors are utilised at these data centre locations, other than Carrier and Network interconnect providers.

Operational Call Logs are transferred from the global data centres where the calls were facilitated to UK/EU data centres in real time for processing. Once processed, call information is pushed into Client’s own Salesforce instances for storage and retention to facilitate reporting and business intelligence. Natterbox retains basic call log information for billing and regulatory requirements within the UK/EU.

If utilising Natterbox’s call recording solution, encrypted recordings are stored using Amazon Web Services. As standard, these are located in the EU, but optionally (subject to Client’s consent) can be geographically located in alternative regions or Client’s own AWS storage instance.

Due to the Schrems II ruling of the European Court of Justice of 16 July 2020 the following applies to the transfer of Personal Data to data hosting locations outside of the UK/EEA:

  • Natterbox is based in a country with an adequacy decision by the European Commission in the sense of Article 45 GDPR.

  • Servers, systems and services running inside these data hosting locations are managed and secured solely by Natterbox.

  • Only Natterbox personnel have access to Natterbox’s systems within data hosting locations; there is no local or remote access to the data or systems by the suppliers.

DURATION OF THE PROCESSING

Platform:

During and after telephone calls and SMS messaging:

  1. Operational Call Logs are retained for the minimum time required for processing and purged automatically and permanently on a rolling 30 day basis.

  2. Where applicable, data transferred to external systems may be retained by the third party for an agreed retention period and then will be deleted automatically.

  3. Client Call Logs are stored by Natterbox for billing and regulatory purposes according to national and international telecommunications law dependent on operating territory.

  4. Client Call Logs are transferred to Client’s CRM for business intelligence purposes.

During user and system usage:

  1. When data is accessed via a user interface that requires access into other systems (such as retrieving call logs, playing voicemails or listening to call recordings).

  2. Periodic archiving, processing or data centre synchronisations.

Further details of Natterbox’s international data flows and transfers

TYPES OF PERSONAL DATA

Contact Data:

Client’s business names, address and location details, staff names, staff email addresses, staff contact mobile and DDI numbers, staff roles and titles, staff contact preferences, marketing preferences, web-site activity history, communication history, business relationships, customer history.

Contract Data:

Client’s business details, tax ID, statutory registration information, credit information, billing information, contract terms, contractual agreements, sales agreements, non-disclosure agreements.

Client Business and Operational Data:

Details of telephony configuration and requirements, network infrastructure, organisational structure and communications relationships, telecoms policies and processes. Details of CRM configuration and setup. Diagnostic information and logs provided for support purposes.

Product and Service Data:

Data stored in Operational Databases:

  1. Client’s business name, staff names, staff email addresses, staff mobile and DDI numbers, agent (staff) skills (optional), numbers and custom voice messages. These are used for IVRs, call announcements, personalisation and intelligent and skills-based call routing.

Data stored in Operational Call Logs:

  1. Client’s staff business phone numbers, names, business email addresses.

  2. Meta-data about calls such as time, duration, telephony device’s IP address, location.

  3. Any data required by the Client and provided to Natterbox’s systems from Client’s CRM to facilitate intelligent call routing, enhanced call experience and call management. This may include but is not limited to the calling customer’s preferred language, location, time zone, business name, account executive, music preferences, staff skills etc. Such data is unstructured, optional and under control of Client.

Data stored in Client Call Logs:

  1. Phone numbers of anyone that calls to or receives calls from Client’s customers or staff.

  2. Meta-data about the call such as country, date and time, duration, ring time etc.

  3. No other personal information (personal names, IP addresses etc) is stored in Client Call Logs.

Other:

  1. Diagnostic data in the form of network and packet traces captured to debug call issues which may include unstructured data in the form of call meta-data, media content, call quality information, signalling traces and call information (IP, Phone Number, Date/Time).

  2. When using Natterbox’s recording service - voice recordings of calls.

  3. When using Natterbox’s SMS service - SMS message content.

  4. When using Natterbox’s Insight call analytics service - potentially personally identifiable information gathered from call analytics, sentiment analysis, content transcription etc. Natterbox systems do not make automated decisions based on this data, but instead transfer it to Client’s CRM.

CATEGORIES OF DATA SUBJECT

  1. Clients’ staff using the telephony service

  2. Clients’ customers and members of the general public who may be customers of or in telecommunications contact with the data controller (Client), including:

    1. Customers

    2. Potential Customers

    3. Subscribers

    4. Employees

    5. Suppliers

    6. Authorised Agents

    7. Contact Persons

SPECIAL CATEGORIES OF PERSONAL DATA

No Special Categories of data are stored as structured data. However, there may be instances of Special Categories of data stored in call recordings and transcriptions of telephone conversations if those services are used.

THIRD-PARTY PROCESSORS

All Processors are selected according to Natterbox’s Supplier Review and selection criteria process.

The full supplier list is published at https://docs.natterbox.com/docs/natterbox-sub-processors

Selection categories and criteria for key suppliers:

International Telecoms carriers and Internet Service Providers – Services providing point to point transmission of call and other data across the Internet.

National Telecoms carriers - Partners that provide local connectivity, call routing and termination services.

Telecoms Number providers – Organisations that provide numbers in different global markets. Client details are sometimes required to be shared for regulatory purposes when acquiring numbers.

Hosted Web Services - Suppliers that host Natterbox’s voice and telecommunications platform and services to enable call routing, call management, processing and storage.

Cloud Databases – Processing and storage of call information.

CRM and Associated Tools - CRM providers and the business services that the Natterbox platform interacts with and pushes Client Call Logs to.

Data Centre Hosting Providers – Natterbox's private cloud servers and infrastructure that provide low latency call connectivity globally.

Call Transcription and Analytics services – Call processing and data analytics.

Service Provider Partners – Partners providing additional voice, telecoms and system services.

Administrative Suppliers - Suppliers that provide administration, management, security and other business services.


Annex B – Optional

Agreement for Platform Integrations and the third-party use of Natterbox-derived data

Natterbox Derived Data may be transferred by Client out of the Natterbox platform to other platforms for Processing by or on behalf of Client for use in operational metrics, machine learning or statistical call analysis.

Derived Data by definition does not normally contain Personal Information. Parties acknowledge and agree that Natterbox is the Data Controller of Natterbox Derived Data and Client is the Data Controller of any Personal Data.

This Annex to the Data Processing Addendum outlines Client’s responsibilities when it transfers, integrates or stores (i.e. Processes) Natterbox Derived Data with its own or third-party systems where such derived data includes Personal Data.

  1. General Terms

    1. To the extent that Client Processes Natterbox Derived Data that contains Personal Data (or provides Natterbox Derived Data that contains Personal Data to third parties) it shall do so as a Data Controller.

    2. The right to re-Process specific Natterbox Derived Data by third parties must be agreed and approved in writing by Natterbox. The Client's request for such approval shall set out details of the specific Natterbox Derived Data requested ("Specific Data") together with the information in paragraph 2.

    3. Subject to paragraph 1.2, where explicit authorisation and instructions are provided by Client, Natterbox will facilitate integration or transfer of Specific Data to specified third parties.

    4. Natterbox may charge fees for:

      1. technical assistance and costs implementing, managing and facilitating such integrations referred to in paragraph 1.3; and

      2. integration or transfers of Natterbox Derived Data to Client where Natterbox reasonably considers such assistance to be onerous.

    5. Client must apply or ensure it has and at all times maintains in place technical and organisational measures and procedures to ensure an appropriate level of security for Natterbox Derived Data in its possession or control (including any Natterbox Derived Data shared by or on behalf of Client with third parties) appropriate to the risk, including protecting such Natterbox Derived Data against the risks of accidental, unlawful or unauthorised destruction, loss, alteration, disclosure, dissemination or access.

    6. By transferring Natterbox Derived Data out of Natterbox’s platform to Client's own or third-party systems, to the extent permitted by law, Natterbox is no longer responsible (and hereby excludes any and all liability) for the security and integrity of such Natterbox Derived Data including any compliance with the GDPR and Client shall be wholly responsible for all GDPR and other statutory regulations governing the usage, security and retention of such Natterbox Derived Data.

  2. Requirements

    In any request for access to Natterbox Derived Data, Client must inform Natterbox of:

    1. The Natterbox Derived Data to be transferred

    2. The means of Natterbox Derived Data transfer

    3. The nature of the processing of the Natterbox Derived Data

    4. The purpose of the processing of the Natterbox Derived Data

    5. The name of the processor(s) of the Natterbox Derived Data

    6. The location of the processing of the Natterbox Derived Data

    7. The duration of the processing of the Natterbox Derived Data

  3. Termination

    1. Natterbox reserves the right to modify or terminate this Annex and the permission for Client and third parties to use the Natterbox Derived Data with immediate effect by notice in writing to the Client in the event of misuse of Natterbox Derived Data by or on behalf of Client or any third party to which Client provides the Natterbox Derived Data, unreliability, performance impact, excessive communications load, insufficient data security or any data breach (including a Personal Data Breach) or otherwise if Natterbox receives notification in accordance with paragraph 3.2.

    2. Client must inform Natterbox as soon as practicable when the integration or transfer of Natterbox Derived Data is no longer required, the Natterbox Derived Data is no longer being Processed by or on behalf of Client or any third party to which Client provides the Natterbox Derived Data or if Client wishes to terminate this Annex.

  4. Communication

    1. Authorisation requests and communication regarding transfers of Natterbox Derived Data should be sent to privacy@natterbox.com.


Annex C - EU to UK Data Transfer Safeguards

As Natterbox is based in a country with an adequacy decision by the European Commission, it is not required to conclude Standard Contractual Clauses (‘SCCs’) for the transfer of Personal Data. However, Natterbox will duly observe all its respective obligations under this Agreement and the applicable Data Protection Laws. In addition, in connection with the processing of Personal Data, Natterbox shall:

  1. Ensure that any Subcontractor and/or Affiliate will be subject to a written agreement with Natterbox requiring the Subcontractor to comply with the same data protection obligations as set out in this Agreement; and

  2. Include in its agreement with its Subcontractor(s) and/or Affiliate(s) any additional contractual obligations for the Subcontractor(s) and/or Affiliate(s) resulting from the outcome of a Transfer Impact Assessment to be performed by Natterbox; and

  3. Enter into International Data Transfer Agreements, or any other model contract that provide adequate safeguards and is issued by Natterbox’s competent data protection authority, with its Subcontractor and/or Affiliate, if Personal Data is processed outside the European Economic Area (EEA) without an adequate level of protection as determined by the European Commission. With regard to transfer of Personal Data between Natterbox and its Affiliate(s) Binding Corporate Rules can serve as such model contract, if available; and

  4. Grant the right to audit Natterbox’s compliance with above mentioned obligations and applicable Data Protection Laws in accordance with clause 4.9 (Audit Rights) of this Data Processing Agreement.
