NV Play
Download Trial

Data Processing Agreement



This Data Processing Agreement (DPA) forms Appendix 1 to the NV Play End User Licence Agreement (EULA) and is incorporated into the EULA by reference.

Background

This Data Processing Agreement sets out the provisions that will govern all processing of Personal Data by the parties in connection with the General Terms and any Engagement Agreement (the Agreement).  Its provisions amend and supplement the Agreement, and will take precedence over the Agreement unless expressly stated otherwise.  Terms that are defined in the Agreement will have the same meaning when used in this Data Processing Agreement unless the context dictates otherwise.

  1. Introduction
    1. This Data Processor Agreement regulates NV Play’s (the Data Processor) processing of personal data on behalf of the Client (the Data Controller) and is attached as an addendum to the Agreement in which the parties have agreed to the Data Processor’s delivery of Software and/or Services to the Data Controller through various Engagement Agreements (the Agreed Deliverables).
    2. NV Play may be an independent Data Controller for some personal data relating to the Client or its Users, where there is a legitimate interest in it being so.  Examples of a legitimate interest may include enabling billing and account management of a commercial relationship, user administration and authentication, analysis of operational usage or performance data to ensure optimal service delivery, statistical analysis of aggregate data for research & development of new analysis models and algorithms, internal reporting and modelling, or any other legitimate business purposes.  When NV Play processes personal data as a Data Controller, the Client acknowledges and confirms that this Data Protection Agreement does not create a joint-controller relationship between the parties.
  2. Legislation
    1. This Data Processor Agreement shall ensure that the Data Processor complies with the applicable data protection and privacy legislation within the primary territory of the Data Controller’s operations (the “Applicable Law”), including in particular the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
  3. Processing of Personal Data
    1. The purpose of the processing is the provision of the Agreed Deliverables to the Data Controller by the Data Processor. 
    2. In connection with the Data Processor’s delivery of the Agreed Deliverables to the Data Controller, the Data Processor will process certain categories and types of the Data Controller’s personal data on behalf of the Data Controller.
    3. ”Personal data” includes “any information relating to an identified or identifiable natural person” as defined in GDPR, Article 4 (1) (the ”Personal Data”). The Data Processor only performs processing activities that are necessary and relevant to deliver the Agreed Deliverables, except as required to comply with a legal obligation to which the Data Processor is subject. The categories, types and nature of Personal Data processed by the Data Processor on behalf of the Data Controller are described in Schedule 1 to this Appendum.  The parties shall update Schedule 1 whenever changes occur that necessitates that it be updated.
    4. The Data Processor shall maintain a register of processing activities in accordance with GDPR, Article 30, except where the exceptions defined in Article 30 (5) are satisfied.
  4. Instruction
    1. The Data Processor may only act and process the Personal Data in accordance with a documented instruction from the Data Controller (the “Instruction”), unless required by law to act without such instruction. The Instruction at the time of entering into this Data Processor Agreement is that the Data Processor may only process the Personal Data with the purpose of delivering the Agreed Deliverables. Subject to the terms of this Data Processor Agreement and with mutual agreement of the parties, the Data Controller may issue additional written instructions consistent with the terms of this Agreement. The Data Controller is responsible for ensuring that all individuals who provide written instructions are authorised to do so.
    2. The Data Controller guarantees to process Personal Data in accordance with the requirements of Applicable Law, and that the Data Controller’s Instructions for the processing of Personal Data shall comply with Applicable Law. The Data Controller will have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which it was obtained.
    3. The Data Processor will inform the Data Controller of any instruction that it deems to be in violation of Applicable Law and will not execute the instructions until they have been confirmed not to violate Applicable Law or are appropriately modified.
  5. The Data Processor’s Obligations
    1. Confidentiality:
      1. The Data Processor shall treat all the Personal Data as confidential information.
      2. The Data Processor’s employees shall be subject to an obligation of confidentiality that ensures that the employees shall treat all the Personal Data under this Data Processing Agreement with strict confidentiality.
      3. Personal Data will only be made available to personnel that require access to such Personal Data for the delivery of the Agreed Deliverables by the Data Processor under this Data Processor Agreement.
    2. The Data Processor shall also ensure that employees processing the Personal Data only process the Personal Data in accordance with the Instruction.
    3. The Data Processor shall implement the appropriate technical and organizational measures as set out in this Data Processing Agreement and in the Applicable Law, including in accordance with GDPR, Article 32. The security measures are detailed in Appendix 1, Schedule 2 of this Agreement and are subject to technical progress and development. The Data Processor may update or modify the security measures from time-to-time provided that such updates and modifications do not result in the degradation of the overall security. The Data Processor shall provide documentation of the Data Processor’s security measures if requested by the Data Controller in writing.
    4. If the Data Processor’s assistance is necessary and relevant, the Data Processor shall assist the Data Controller in preparing data protection impact assessments in accordance with GDPR, Article 35, along with any prior consultation in accordance with GDPR, Article 36.  Where assistance is necessary, requests will take the form of a written request by the Data Controller to the Data Processor, detailing the assistance required from the Data Processor and nature of the response requested.
    5. Rights of the Data Subjects:
      1. If the Data Controller receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and the correct and legitimate reply to such a request necessitates the Data Processor’s assistance, the Data Processor shall assist the Data Controller by providing the necessary information and documentation. The Data Processor shall be given reasonable time to assist the Data Controller with such requests in accordance with the Applicable Law.
      2. If the Data Processor receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and such request is related to the Personal Data of the Data Controller, the Data Processor must immediately forward the request to the Data Controller and must refrain from responding to the person directly.
    6. Personal Data breaches:
      1. The Data Processor shall give notice in writing to the Data Controller, in the manner prescribed by clause 22.3 (a) or (b) of the General Terms and for the attention of the persons named in clause 22.2 (a), within 36 hours of first becoming aware, if a breach occurs that can lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, personal data transmitted, stored or otherwise processed re the Personal Data processed on behalf of the Data Controller (a Personal Data Breach).
      2. The Data Processor shall make reasonable efforts to identify the cause of such a breach and take those steps as they deem necessary to establish the cause, and to prevent such a breach from reoccurring.
      3. Upon becoming aware of any suspected or actual Personal Data Breach, the Data Processor shall provide such assistance and co-operation as the Data Controller may require in order to support any and all related investigations, mitigation and remediation of each Personal Data Breach. In such circumstances, the Data Processor shall provide the Data Controller with as many details as are known by the Contractor at that time (including without limitation (i) the nature and scope of the Personal Data Breach, the categories and numbers of data subjects concerned and the categories and number of personal data records concerned; (ii) the name and contact details of the Data Processor’s data protection officer or other relevant contact from whom more information may be obtained; (iii) the likely consequences of the Personal Data Breach; and (iv) the measures taken or proposed to be taken by the Data Processor to address the Personal Data Breach) and the Data Processor shall regularly update the Data Controller thereafter setting out such further details as may be reasonably requested by the Data Controller.
    7. Documentation of compliance and Audit Rights:
      1. Upon request by a Data Controller, the Data Processor shall make available to the Data Controller all relevant information necessary to demonstrate compliance with this Data Processing Agreement, and shall allow for and reasonably cooperate with audits, including inspections by the Data Controller or an auditor mandated by the Data Controller. The Data Controller shall give notice of any audit or document inspection to be conducted and shall make reasonable endeavours to avoid causing damage or disruption to the Data Processors premises, equipment and business in the course of such an audit or inspection. Any audit or document inspection shall be carried out with reasonable prior written notice of no less than 30 days, and shall not be conducted more than once a year.
      2. The Data Controller may be requested to sign a non-disclosure agreement reasonably acceptable to the Data Processor before being furnished with the above.
    8. The Data Processor is given general authorisation to transfer Personal Data to countries outside the jurisdiction of the Applicable Law for the sole purpose of meeting the Agreed Deliverables, including countries outside of the European Economic Area (EEA) where the Data Processor is subject to GDPR.  In respect of transfers to outside of the EEA, the Data Processor will restrict transfers to where the receiving country is subject to an EU Commission adequacy decision (specifically including New Zealand), where the transfer is subject to appropriate safeguards in accordance with the Applicable Law (which may include, without limitation, Standard Contractual Clauses).
    9. The Data Controller acknowledges and accepts that access to and use of the Agreed Deliverables by its authorised users may occur outside the EEA and, in such circumstances, Personal Data may be viewed outside the EEA by the relevant user.
  6. Sub-Processors
    1. The Data Processor is given general authorisation to engage third-parties to process the Personal Data (“Sub-Processors”) without obtaining any further written, specific authorization from the Data Controller, with such appointments being subject to New or replacement Sub-Processors are able to be appointed by the Data Processor, provided that the Data Controller is notified in writing about the identity of a potential Sub-Processor (and its processors, if any) before any agreements are made with the relevant Sub-Processors and before the relevant Sub-Processor processes any of the Personal Data. If the Data Controller wishes to object to the relevant Sub-Processor, the Data Controller shall give notice hereof in writing within ten (10) days from receiving the notification from the Data Processor. Absence of any objections from the Data Controller shall be deemed consent to the relevant Sub-Processor.6.3.
    2. The Data Controller acknowledges and accepts that the Data Processor engages Microsoft Corporation (Microsoft) as a primary Sub-Processor to provide core online services required to deliver the Agreed Deliverables, specifically including SQL Azure, App Service, Storage, Application Insights (each of which forms part of the Microsoft Azure Core Services) and related Microsoft cloud services.  These sub-processing services are provided to the Data Processor subject to the following terms (together, the Microsoft Terms):

      Microsoft Product Terms:
      https://www.microsoft.com/licensing/terms/welcome/WelcomePage?programMoniker=MOSA

      Microsoft Products and Services Data Protection Addendum (DPA):
      https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA

      The Data Controller and the Data Processor accept that these terms are substantially similar to the standards set forth in this Data Processing Agreement, and agree that where in conflict the Microsoft Terms will apply in respect to any Sub-Processing provided by Microsoft in relation to the delivery of the Agreed Deliverables.
    3. New or replacement Sub-Processors are able to be appointed by the Data Processor, provided that the Data Controller is notified in writing about the identity of a potential Sub-Processor (and its processors, if any) before any agreements are made with the relevant Sub-Processors and before the relevant Sub-Processor processes any of the Personal Data. If the Data Controller wishes to object to the relevant Sub-Processor, the Data Controller shall give notice hereof in writing within ten (10) days from receiving the notification from the Data Processor. Absence of any objections from the Data Controller shall be deemed consent to the relevant Sub-Processor.  In the event the Data Controller objects to a new Sub-Processor on reasonable data protection grounds, the Data Processor will discuss these objections with the Data Controller in good faith with a view to achieving resolution.
    4. The Data Processor will enter into an agreement with each Sub-Processor that obligates the Sub-Processor to process the Personal Data in a manner substantially similar to the standards set forth in this Data Processing Agreement, and at a minimum, at the level of data protection required by the Applicable Law (to the extent applicable to the services provided by the Sub-Processor).
    5. The Data Processor shall carry out appropriate due diligence on each of its Sub-Processors prior to their appointment and shall on an ongoing basis monitor and control its Sub-Processors’ compliance with the Applicable Law.
    6. Subject to 6.2, the Data Processor is accountable to the Data Controller for any Sub-Processor in the same way as for its own actions and omissions.
    7. The Data Processor will maintain a list of Sub-Processors that may process Personal Data, a copy of which will be provided to the Data Controller on receipt of a written request.
  7. Remuneration and costs
    1. The Data Controller agrees it shall remunerate the Data Processor on a time and materials basis to meet its obligations under section 5.4, 5.5, 5.6 and 5.7 of this Data Processor Agreement. Such co-operation and assistance will be charged at the Data Processor’s prevailing rates at the time of the request.
    2. The Data Processor is entitled to remuneration on a time and material basis to adapt and change the processing activities in order to comply with any changes to the Data Controller’s Instruction, including implementation costs and additional costs required to deliver the Agreed Deliverables due to the change in the Instruction.
    3. The Data Processor is exempted from liability for non-performance with delivery of the Agreed Deliverables if the performance of these obligations would be in conflict with any changed Instruction or if contractual delivery in accordance with the changed Instruction is impossible. This could for instance be the case (i) if the changes to the Instruction cannot technically, practically or legally be implemented; (ii) where the Data Controller explicitly requires that the changes to the Instruction shall be applicable before the changes can realistically & reliably be implemented; and (iii) in the period of time until the agreement defining the Agreed Deliverables is varied or otherwise changed to reflect the new Instruction and commercial terms thereof.
  8. Limitation of liability
    1. The total aggregate liability to the Data Controller, of whatever nature, whether in contract, tort or otherwise, of the Data Processorfor any losses whatsoever and howsoever caused arising from or in any way connected with the provision of the Agreed Deliverables shall be subject to Section 11 of the General Terms.
    2. Nothing in this Data Processing Agreement relieves the Data Processor of its own direct responsibilities and liabilities under the GDPR or other Applicable Laws.
  9. Duration
    1. The Data Processor Agreement shall remain in force while the Agreement is in force, and will survive termination or expiration should the Data Processor continue to store or process Personal Data.
  10. Data Protection Officer
    1. The Data Processor will appoint a Data Protection Officer where such appointment is required by the Applicable Law.
  11. Termination
    1. Following expiration or termination of the Agreement, the Data Processor will delete or return to the Data Controller all Personal Data, except as expressly provided for in the Agreement (specifically including clause 13.2 of the Agreement), and to the extent the Data Processor is required by Applicable Law to retain some or all of the Personal Data (in which case the Data Processor will archive the data and implement reasonable measures to prevent the Personal Data from any further processing). The terms of this Data Processing Agreement will continue to apply to any retained Personal Data.
  12. Governing Law and Jurisdiction
    1. This Data Processing Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of New Zealand.
    2. The parties irrevocably agree that the courts, tribunals and any competent regulators of New Zealand shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Data Processing Agreement or its subject matter or formation (including non-contractual disputes or claims).
  13. Severance
    1. Should any provision of this Data Processing Agreement be invalid or unenforceable, then the remainder of this Data Processing Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either:
      1. amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible,
      2. construed in a manner as if the invalid or unenforceable part had never been contained therein.

Schedule 1

Data being processed

Background

NV Play is a comprehensive sports technology platform, primarily focussed on the sport of cricket, specifically designed to meet the needs of governing and organisational bodies.  Its primary purpose is to a) capture and analyse match outcomes & results to drive both engagement and performance, and b) provide platforms & tools to support the underlying competition structure & formats of the game.

In order to deliver this purpose, and meet the Agreed Deliverables, may involve the Processing of Personal Data about any or all of the following Data Subjects:

        • Players
        • Officials (including Umpires, Coaches, Scorers, Referees, Analysts, Administrators)
        • Users of the Software
        • Individuals who use NV Play Software or Services in a personal capacity (including supporters and other end users)

Types of Personal Data Processed

Depending on the Client’s usage of the Software, any or all of the following types of Personal Data may be processed in order to meet the Agreed Deliverables:

        • Players: full name, gender, player type & roles, playing status, club memberships, match & team participation, match performance, career performance, video or photographic footage
        • Consented Player data: address, email address, phone number, social media account names, profile picture, date of birth (and, where the Player is under the relevant age of consent, these details of a parent and/or guardian), in each case as determined by the Data Controller and collected and processed in accordance with Applicable Data Protection Laws.
        • Officials: full name, organisation, roles, match participation
        • Users: full name, email address, user/login name, organisation, role, IP address, system usage
        • Individual end users: full name, email address, user/login name, subscription or account details, marketing and communication preferences, IP address, device and browser information, system and feature usage

No Sensitive Personal Data, as defined in GDPR Article 9(1) (or any equivalent concept of special categories of data or sensitive information under Applicable Data Protection Laws), will be collected or Processed by the Data Processor without specific Instruction in writing from the Data Controller, subject to the Data Processor’s obligations under GDPR Article 9(2) and any equivalent provisions of Applicable Data Protection Laws.

Other Types of Data Processed

In addition to the above listed Personal Data, any or all of the following addition types of data may be Processed in order to meet the Agreed Deliverables.

        • Platform usage metrics to optimise scale & performance
        • Automated error reporting to assist with diagnosis & remedy of issues
        • Website and app usage analytics to provide insights to usage patterns & optimal workflows, including browser and device information
        • Commercial information in relation to the billing of services & contract administration
        • Participation & demographic data to support the development & delivery of amateur & professional sporting programmes

Schedule 2

Technical and Organisational Security Overview

Background

These technical and organisational security measures are designed to protect Confidential Data in accordance with Applicable Data Protection Laws and the Agreement, and may be updated from time to time to reflect technical progress and development without reducing the overall level of security.

NV Play is in the business of collecting, analysing and publishing data, and takes this responsibility very seriously.  This document provides an overview of the investments we have made in both infrastructure and processes to ensure that all data under our stewardship remains secure.

Confidential Data

NV Play defines "confidential data" as any of the following:

        • Personal data, including "any information relating to an identified or identifiable natural person", as defined in GDPR, Article 4 (1)
        • Customer owned data of a non-personal nature that is not in the public domain
        • Customer, supplier and shareholder information
        • Patents, business processes and/or new or innovative technologies
        • Employees' credentials, medical, and personal information
        • Company contracts and legal records

Physical Security

NV Play operates a secure premises policy at all sites where confidential information is handled.  In practice, this means that all data analysis, coding or technical development occurs on machines located in a physically secured premises.  This physical security is maintained through:

        • Entrance doors are permanently & automatically electronically locked
        • Personally assigned physical security fobs for all staff or contractors
        • All visitors are met with in non-secure meeting rooms outside of the physically secured work area
        • If visitors are permitted to enter the secured area, they are escorted at all times
        • Outside of business hours, the premises are secured by monitored alarm services
        • Secure destruction services used for disposing of sensitive documents

Infrastructure Security

NV Play leverage a combination of local data centre and public cloud infrastructure to respectively deliver internal and external services.

Local infrastructure

Local server infrastructure is provisioned in industry leading Tier 3+ datacentres located in New Zealand, with security and reliability features that include the following:

        • Regular proactive maintenance and upgrades of underlying server, storage and network
        • 24 x 7 x 365 monitoring and alerting of all infrastructure
        • 24 x 7 x 365 on site staff
        • Diverse A&B power supplies
        • Dual backup generators
        • Dual uninterrupted power supplies
        • Dual-path fibre networks to multiple network providers
        • Redundant cooling
        • Perimeter fences, motion activated security and Interlock mantrap used to control facility access

Cloud infrastructure

Cloud infrastructure is provisioned within the Microsoft Azure public cloud platform.  We deliver production, pre-production, UAT and some development environments leveraging Azure’s Platform-as-a-Service capabilities, and leverage Microsoft 365 for internal & external communications and productivity tools.

Azure Security Center provides unified security management and advanced threat protection across cloud workloads. It allows us to apply security policies across workloads and leverages advanced monitoring & analytics and threat intelligence to detect attacks and rapidly respond to threats.

Remote Access and Authentication

NV Play’s password policy is strictly enforced and remote access to all local and internal infrastructure requires use of the FortiClient VPN for end to end encryption.  We secure access to all Public Cloud services for Microsoft 365 and Microsoft Azure using Azure Active Directory with Multi Factor Authentication (MFA) enforced.

Internet and Managed Services

NV Play has in place long term managed services contracts with a specialist IT services provider to manage all local infrastructure, including servers and workstations.  This contract has strict terms to ensure all infrastructure is monitors and patched regularly, and encompasses delivery of Secure Internet Services including Antivirus, Intrusion Prevention System (IPS) and Web Filtering for all incoming and outgoing internet traffic.

Data Security

At NV Play, all databases and storage services are encrypted by default.  This starts with enabling encryption at rest, providing data protection for data while stored (at rest). Attacks against data at-rest include attempts to obtain physical access to the hardware on which the data is stored, or unauthorised attempts to access backups of the data.

Azure SQL databases are encrypted at rest by using Transparent Data Encryption against generated managed keys.  Additionally, a client side encryption function called “Always Encrypted” is available for certain database fields in specific databases, offering an additional level of encryption on data which may be deemed more sensitive than others, and require an additional level of encryption.

By default all Azure Storage accounts are configured to be encrypted at rest using 256 bit AES encryption, again using generated managed keys.

Access to production systems and databases is restricted on a role-based, least-privilege basis and logged, with access granted only to authorised personnel who require it to perform their duties.

Data Recovery

NV Play has a comprehensive data backup and recovery regime in place, across both our local and cloud infrastructure.

Local infrastructure

All local infrastructure and storage is securely backed up daily, with the backup retention for Local Backups being:

        • Daily Backups – retained for 14 days
        • Weekly Backups – retained for 6 weeks
        • Monthly Backups – retained for 6 months

Backups are securely replicated externally to NV Play’s network for additional resilience, with Offsite Backups being retained for 14 days

Backup Monitoring Checks are completed daily to ensure all backups are working correctly.

Cloud infrastructure

Through leveraging Azure Database services, we gain full point-in-time backup and restore functionality. All databases are automatically backed-up by Azure as part of the base service offering, taking full, differential and log backups in the background to guarantee we always keep your data safe.  These backups are retained for 7 days for Basic, 14 days for Standard and 35 days for Premium tier services.  Additional long term retention of database backups is able to be configured for up to 10 years if required.

Within this period, we are able to choose any minute and restore any database to that point in time. The restore always happens to a new database, it does not overwrite the current database.

This same Point-in-time Restore is leveraged for disaster recovery planning purposes. The backups are able to be automatically replicated to selected alternative Azure datacentres, and can later be restored in any Azure data centre in the eventuality a full disaster recovery is required.

In case of failure of the primary datacentre (for example, North Europe located in Dublin), we can immediately restore the database in another datacentre (West Europe located in Netherlands for example). A guarantee of maximum one hour recency (data loss) is provided by Azure in this instance, as the replication is done asynchronously.

The level of geographic redundancy can be extended to full geo-replication if desired, meaning the live databases are constantly replicated across multiple geographic regions.  We do not leverage capability this by default due to data privacy and sovereignty considerations, but it is available to be configured in consultation with each client on a case by case basis.

Security and Performance Monitoring

Distributed denial of service (DDoS) attacks are some of the largest availability and security concerns facing customers that are moving their applications to the cloud. A DDoS attack attempts to exhaust an application's resources, making the application unavailable to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet.

Whilst each client configuration is unique to their situation, Azure Traffic Manager is able to be utilised to isolate targeted traffic from unexpected international traffic in order to ensure unusual global demand spikes does not impede performance.  This architecture by default provides a high degree of flexibility around managing overseas based DDoS style incidents.

Standard monitoring of all public facing components of the NV Play platform includes:

        • Alerts on unexpected traffic i.e. a lot of traffic from unexpected locations or one IP address
        • Alerts indicating performance issues i.e. indicates there is an issue with platform performance and further investigation needs to be carried out immediately

DDoS Incident Response Strategy

In the event that a DDoS attack on NV Play platform is detected, our technical, engineering and leadership teams are immediately notified.  Whilst each incident will require a different response, our high level response plan is as follows:

        • Notify all relevant stakeholders to the incident
        • Activate primary countermeasures:
          • If identifiable, block all attack IP addresses from affected endpoints
          • replicate & sync services to alternate infrastructure
          • redirect safe traffic to the alternative implementation)
        • Actively monitor attack progression
        • Collaboratively plan ongoing response with stakeholders

Staff training and threat awareness

NV Play operates a culture of privacy and security.  All staff are inducted into this culture and undertake training as an essential preventive measure against unauthorized collection, access, use and disclosure of confidential information.