1. Acceptance of Terms

Nemesysco and Licensee have entered into a Nemesysco Cloud/ API License Agreement (“Agreement”).  These Data Processing and Protection terms governing the terms of the processing of Licensee Personal Data are entered into by Nemesysco and Licensee as of the Effective Date and supplement the Agreement.

LICENSEE ACCEPTS AND AGREES TO BE BOUND BY THE TERMS AND CONDITIONS IN THIS DATA PROCESSING AND PROTECTION APPENDIX BY CLICKING THE “I AGREE” OR “YES” BUTTON WHEN PROMPTED, or otherwise using the Licensed Technology for any commercial purpose.  LICENSEE IS NOT AUTHORIZED TO USE THE LICENSED TECHNOLOGY IF LICENSEE DOES NOT CLICK “I AGREE” OR “YES”.  IF LICENSEE DOES NOT AGREE TO THESE TERMS AND CONDITIONS OF THIS APPENDIX, LICENSEE SHOULD NOT SIGN THIS AGREEMENT; OR SHOULD CLICK THE “CANCEL” OR “NO” BUTTON; AND MAKE NO FURTHER USE OF THE LICENSED TECHNOLOGY.

THE INDIVIDUAL WHO ACCEPTS THE TERMS AND CONDITIONS OF THIS AGREEMENT IS ACTING ON BEHALF OF THE LICENSEE AND HEREBY REPRESENTS AND WARRANTS THAT HE OR SHE IS AUTHORIZED BY THE LICENSEE TO ACCEPT THE TERMS OF THIS AGREEMENT ON LICENSEE’S BEHALF.

1. Definitions

In this Appendix, the following terms shall be accorded the meaning ascribed to them hereunder.  Other capitalized terms, which are defined in the Agreement shall have the meaning set forth therein, and if not defined in the Agreement, they shall have the meaning ascribed in the Directive (as defined below).

• “Agreement” means the Nemesysco Cloud/API License Agreement, including any future modifications and addendums.
• “Directive” means Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995, as amended (and/or any EU directive or policy which may supplant or complement said Directive), on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such data.
• “Licensee Personal Data” means with respect to each Licensee; (i) any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity; and (ii) provided by Licensee, on its behalf, or through Licensee’s identification key, including without limitation voice samples.
• “Process” or “Processing” means any operation or set of operations which is performed by Nemesysco in particular as part of the Cloud Services upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
• “Third Party Sub-Processor” means a third-party subcontractor, other than Nemesysco or a Nemesysco Affiliate, engaged by Nemesysco which, as part of the subcontractor’s role of delivering the Cloud Services, will Process Personal Data of the Licensee.

These terms shall take effect upon the Effective Date of the Agreement and shall terminate upon termination of the Agreement.

4. Processing of Personal Data
   • Controller and Processor. As between the parties, to the extent the Directive is applicable, the parties acknowledge and agree that: (i) Licensee is the Controller of Licensee Personal Data under the Agreement; and (ii) Nemesysco is a Processor of such Licensee Personal Data.
   • Scope. Nemesysco will only process Licensee Personal Data for the purpose of providing voice analytic services or Additional Services, as the case may, and in accordance with the written instructions of Licensee.
   • Obligations of Nemesysco. Nemesysco will comply with its obligations as a Processor.
   • Obligations of License: Licensee shall abide by each of the following: (i) Licensee will comply with its obligations as a Controller, under the Directive, if and to the extent applicable; (ii) License shall comply with all data protection laws applicable to it; (iii) For the avoidance of doubt, to the extent Licensee provides Licensee Personal Data of any third party, including a user, Licensee shall obtain any required consents for the Processing of such Licensee Personal Data, storage, and transfer thereof, in accordance with the terms herein and all applicable laws and regulations.
5. Third Party Content

When so instructed by Licensee and for the provision of extended services, Nemesysco may allow third party providers of programs, services or content to access Licensee Personal Data as required for the interoperation of such third party programs or services with the Licensed Technology. Nemesysco will not be responsible for any use or disclosure of Licensee Personal Data resulting from any such access by third party program, service or content providers.

6. Sub-Processors
   • Some or all of Nemesysco’s obligations under the Agreement may be performed by Third Party Processors and Sub-processors including without limitation use of a cloud-computing Sub-processor. Nemesysco maintains a list of Third-Party Processors and Sub-processors that may Process Personal Data. A copy of the updated list will be available to Licensee upon request. The Third-Party Sub-processors are required to abide by applicable legal provisions to their Processing of Personal Data.
   • Licensee consents to Nemesysco’s use of Third Party Sub-processors in performance of the services, including without limitation the use of a cloud-computing Sub-Processor. Nemesysco will notify (via the website) at least 30 days in advance before using a new Sub-Processor.  If Licensee does not consent to the use of the new Sub-Processor, Licensee may terminate the Agreement, with immediate effect.
7. Security. Nemesysco shall use a reputable cloud-computing Sub-Processor. The list of Sub-Processors is set forth on Nemesysco’s website.  Licensee is solely responsible for reviewing the security documentation of such Sub-Processor and that the security controls are sufficient for Licensee’s needs, including with respect to any security obligations of Licensee under the Directive and any other data protection legislation, as applicable.
8. Location of Data Storage.  Processing of data by Nemesysco is typically done on Azure based server in the Netherlands, but Nemesysco reserves the option to use any reasonable European or US based server for such uses. Licensee may request the jurisdiction in which the Licensee Personal Data will be Processed from Nemesysco. In these cases Nemesysco will provide Licensee with specific upload instructions. Licensee shall not collect Personal Data of a User in one jurisdiction and upload it to Nemesysco’s cloud-based server in a different jurisdiction, without having obtained all required consents of the user for the transfer of his/her personal data.
9. Deletion of Data by Nemesysco. It is hereby clarified that Nemesysco, unless otherwise instructed by Licensee (and contracted to be compensated for the same under Extended Services), will not save any Licensee Personal Data on its servers.  Immediately after providing the analytic service and providing the computerized response to Licensee,  Nemesysco will delete the temporary files and Licensee Personal Data completely from its servers, subject to the legal requirements. Notwithstanding the above, Nemesysco may, as a part of its service improvement surveys, keep on record raw analysis data for statistical use, but never and under no circumcenters such statistical or raw data contain any individual data set, voice recording and/or identifying information.
10. Requests of Data Subjects. During the term of the Agreement, if Nemesysco receives any requests from a data subject in relation to Licensee Personal Data, Nemesysco will advise the data subject to submit its request to Licensee and Licensee will be responsible for responding to such request, including where necessary by using the services.  If, and to the extent applicable (in light of Section ‎9 above), Nemesysco will grant Licensee the means, within a reasonable amount of time, either directly or by way of instruction to Nemesysco, the ability to correct, block, export, and delete any Licensee Personal Data Nemesysco was instructed to store (including data of Data Subjects).
11. Legally Required Disclosures. Except as otherwise required by law, Nemesysco will promptly notify Licensee of any subpoena, judicial, administrative or arbitral order of an executive or administrative agency, regulatory agency, or other governmental authority that it receives and which relates to the Processing of Personal Data. At Licensee’s request, Nemesysco will provide Licensee with reasonable information in its possession that may be responsive to the demand and any assistance reasonably required for Licensee to respond to the demand in a timely manner. Licensee acknowledges that Nemesysco has no responsibility to interact directly with the entity making the demand.
12. Data Incident. If Nemesysco becomes aware of a Data Incident, Nemesysco will notify Licensee of the Data Incident promptly and without undue delay after becoming aware of the Data Incident.  Notification shall be delivered to the primary email contact for Licensee. Nemesysco’s notification of a Data Incident will not be construed as an acknowledgement by Nemesysco of any fault or liability with respect to the Data Incident.  For purposes hereof, a Data Incident means (a) a breach of security in the cloud Sub-Processor leading to the accidental or unlawful destruction, loss alteration, unauthorized disclosure of, or access to Licensee Personal Data on systems managed by or otherwise controlled by Nemesysco or its cloud Sub-Processor.  Data Incidents will not include unsuccessful attempts or activities that do not compromise the security of Licensee Personal Data.