NETLAB+ DATA PROCESSING ADDENDUM (GDPR)
This NETLAB+ Data Processing Addendum (this “Addendum”) is by and between Network Development Group,
Inc. (“NDG”) and the organization who is signing this Addendum below or who is otherwise accepting this
Addendum by other means, such as by attachment or incorporation by reference into a NETLAB+ License
Agreement with NDG (“Licensee”).
This Addendum applies if Licensee has determined that it is a data controller subject to GDPR (defined below)
and contains agreed terms relating to privacy and security. This Addendum serves as an amendment to the
existing License or Customer Agreement (the “Agreement”) entered into by the parties. Capitalized terms
used in this Addendum but not defined have the meaning set forth in the Agreement or under GDPR, as applicable.
For good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the
parties agree as follows:
Definitions. As used herein the following terms shall have the following definitions:
"controller", "processor", "data subject", “personal data” and
"processing" (and "process") shall have the meanings given in Privacy Laws,
as applicable to the processing of Licensee Personal Data under the Agreement.
“Licensee Personal Data” means personal data supplied by Licensee or its Users to NDG in connection
with the Services provided under the Agreement.
“GDPR” means the General Data Protection Regulation, Regulation (EU) 2016/679.
“NETLAB+” means NDG’s standard software solution licensed from NDG by Licensee, and hosted and
managed by Licensee, that lets students complete labs remotely and on-demand.
“Privacy Laws” means all applicable U.S. and international laws that regulate the use,
disclosure and processing of personal data. Privacy Laws include as applicable GDPR and
other applicable laws that specify privacy, data protection, security or security breach
notification obligations that apply to personal data.
“NDG Services” means the technical support and data restoration services provided by NDG
to Licensee, solely to the extent agreed by the parties pursuant to the Agreement.
Roles of the Parties under GDPR. The parties acknowledge and agree that Licensee is the controller
and NDG is processor with regard to the processing by NDG of Licensee Personal Data under the Agreement.
The subject matter, nature and purpose of NDG’s processing are limited to providing the NDG Services
under the Agreement. For clarity, NDG does not store or host any Licensee Personal Data under the
Agreement. The duration of the processing is the term of the Agreement. Data subjects include
Authorized Users who are participating in and administering online labs facilitated by NETLAB+.
Instructions for Processing. NDG shall process Licensee Personal Data only to provide NDG Services
in accordance with the Agreement and this Addendum, which the parties agree serve as Licensee’s
NDG Personnel. NDG shall require its personnel who have access to Licensee Personal
Data to: (a) receive appropriate training on their responsibilities regarding the handling and
safeguarding of Licensee Personal Data, and (b) agree to comply with confidentiality obligations
that survive the termination of such personnel’s employment.
Security Measures. Licensee and NDG each shall maintain (taking into account the state of the
art, the costs of implementation and the nature, scope, context and purposes of processing as
well as the risk of varying likelihood and severity for the rights and freedoms of natural persons),
appropriate technical and organizational measures to protect against loss, alteration, unauthorized
disclosure of, or access to Licensee Personal Data.
Compliance with Privacy Laws. Licensee and NDG each agree to comply with all Privacy Laws.
As between the parties, Licensee shall be solely responsible for the inputting, deletion,
updating, accuracy, quality, and legality of Licensee Personal Data and the means by which Licensee
obtained Licensee Personal Data.
Rights of Data Subjects. To the extent permitted by law, NDG will tell data subjects who make
requests to NDG exercising their data subject rights (such as deletion, rectification, and data
portability requests) with respect to Licensee Personal Data to contact Licensee directly regarding
such request. Licensee shall be solely responsible to respond to such requests from data subjects.
If the Software does not provide Licensee the ability to respond to such requests, then, upon
Licensee’s request, NDG will provide reasonable support assistance to Licensee to respond to such
requests. Depending on the nature of such assistance, NDG reserves the right to charge Licensee
for assistance with such requests.
Security Incidents. Each party shall, to the extent permitted by law, notify the other party
without undue delay after becoming aware of a personal data breach involving Licensee Personal Data
(“Security Incident”). Each party shall provide reasonably requested assistance to the other party
in dealing with any Security Incident, taking into account the nature of processing and the information
available to such party. Neither party shall make any public announcement about a Security Incident
without the prior written consent of the other party, unless required by applicable law.
Government Access Requests. Unless prohibited by applicable law or a legally-binding request of
law enforcement, NDG shall promptly notify Licensee of any request by government agency or law
enforcement authority for access to or copy of Licensee Personal Data.
Audits. Subject to reasonable notice, and at Licensee’s expense (including fees and expenses to
compensate NDG for its time and out of pocket costs involved in responding to any audit request),
NDG shall provide Licensee with reasonably requested information regarding NDG’s security program
and systems and procedures that are applicable to the NDG Services, as necessary to demonstrate NDG’s
compliance with Privacy Laws, and as reasonably necessary allow for audits of the same. Audits will
occur at most annually or following notice of a Security Incident.
Subprocessors. Licensee grants a general authorization to NDG to appoint subprocessors to support
the performance of the NDG Services, including data center providers. Upon request, NDG will
provide Licensee with a list of such subprocessors. If Licensee has an objection to any such
subprocessor, NDG will work with Licensee to address any such concerns. NDG will ensure that any
subprocessor it engages on its behalf in connection with this Addendum agrees in a written contract to
subprocessor terms substantially as protective of Licensee Personal Data than those imposed on NDG in
this Addendum (the "Subprocessor Terms"). NDG shall be liable to Licensee for any breach by a subprocessor
of any of the Subprocessor Terms.
Entire Addendum; Conflict: This Addendum supersedes and replaces all prior and contemporaneous
statements, understandings, and communications, oral and written, with regard to the subject
matter of this Addendum. If there is any conflict between this Addendum and the Agreement,
the terms of this Addendum shall control. Except as expressly set forth in this Addendum, the
terms of the Agreement shall remain in place. For the avoidance of doubt, the parties intend
that the limitations on liability clauses in the Agreement shall apply to this Addendum.
Each person signing below for a party represents that he or she is duly authorized to execute this
Addendum on behalf of such party.