End User Licence Agreement
Updated: 12 October 2021General Terms & Conditions
- Introduction & Acceptance
- NV Play has developed and owns the Software.
- These General Terms and Conditions (General Terms) apply to your use of the Software and any Services that we make available or provide to you.
- Please read these General Terms carefully as they, along with the Engagement Agreement we have provided to you, form the agreement governing your use of the Software and Services (the Agreement). By using or accessing the Software or receiving any Services you are deemed to have read and agreed to be bound by the Agreement including these General Terms.
- Definitions
-
The definitions in this clause apply in this Agreement.
Business Day: a day other than a Saturday or Sunday where banks are generally open for business in Christchurch, New Zealand.
Engagement Agreement: means a further form of agreement entered into between NV Play and the Client for the provision of Software and/or Services which will take the form of an Invoice, Software Licence Agreement, Support Agreement, Statement of Work or similar depending on the requirements of the Client.
Fees: means the fees payable by the Client to NV Play for the licensing of the Software and provision of the Services as set out in the applicable Engagement Agreement and varied from time to time in accordance with clause 8.6.
Force Majeure Event: means anything outside the reasonable control of a Party, including acts of God, strikes by employees of a third party, acts or omissions (including laws, regulations, disapprovals or failures to approve) of any government or government agency and includes (unless expressly stated otherwise by other terms of the Agreement):
- unavoidable accident, explosion, public mains electrical supply failure, or nuclear accident;
- sabotage, riot, civil disturbance, insurrection, epidemic, national emergency (whether in fact or law) or act of war (whether declared or not);
- requirement or restriction of, or failure to act by, any government, semi-governmental or judicial entity;
- Service Providers’, or any other third party’s acts or omissions (including failure to deliver) outside of NV Play’s reasonable control; and
- any other similar cause beyond the reasonable control of the Party concerned.
A Force Majeure Event does not include:
- any event which the affected party could have avoided or overcome by exercising a standard of reasonable care at a reasonable cost;
- a lack of funds for any reason or any other inability to pay; or
- strike, lockout, work stoppage or other labour hindrance by employees of a Party or its Related Companies unless the strike is part of an industry wide campaign which does not arise out of a dispute between that Party or Related Company and its employees.
General Terms: has the meaning given to that term in clause 1.2.
Good Industry Practice: means, in relation to a particular activity, the exercise of a degree of skill, care and diligence which would reasonably be expected from a skilled and experienced person engaged in New Zealand in the same activity, under the same or similar circumstances.
Input Material: all documents, information, data and materials provided by the Client to NV Play relating to the Services or inputted by the Client and the Users into the Software including computer programs, data, reports and specifications, and the Marks.
Insolvency Event: occurs in respect of a party when it: (i) becomes unable to pay its debts as and when they fall due, makes an arrangement or composition with its creditors or goes into liquidation; (ii) is the subject of the commencement of any bankruptcy proceedings, the passing of a resolution for its winding up, the giving of a notice of appointment or intention to appoint an administrator or liquidator (which is not dismissed, withdrawn or set aside within 14 days after presentation); or (iii) has an administrator, an administrative receiver or trustee appointed over all or any of its assets.
Intellectual Property Rights: all patents, copyrights, design rights, trademarks, service marks, trade secrets, know-how, database rights and other rights in the nature of intellectual property rights (whether registered or unregistered) and all applications for the same (and the right to apply for any such rights), anywhere in the world.
Invoice Date: is as set out in the applicable Engagement Agreement.
Licence End Date :is as set out in the applicable Engagement Agreement.
Licence Start Date: is as set out in the applicable Engagement Agreement.
Licence Term: the period the applicable Software is licensed to the Client as set out in the corresponding Engagement Agreement commencing on the Licence Start Date and ending on the Licence End Date, unless this Agreement or the applicable Engagement Agreement is terminated earlier (either as a whole or in relation to the Software only) in accordance with its terms.
Marks: all trade marks, logos and brands (whether registered or unregistered) of the Client.
Major Release: a new release of the Software which is developed and offered for purchase or licence by NV Play which adds such significant functionality that it is a required installation for all users.
Minor Release: a release of the Software which corrects faults, adds functionality or otherwise amends or upgrades the Software.
Modification: any Major Release or Minor Release of the Software.
Permitted Purpose: is as set out in the applicable Engagement Agreement.
Service Levels: means the service levels and requirements that relate to provision of Services as set out in the applicable Engagement Agreement (if any).
Services: means the services to be supplied by NV Play to the Client as identified in any Engagement Agreement entered into between the parties from time to time.
Services Term: the period the applicable Services are to be supplied to the Client by NV Play as set out in the corresponding Engagement Agreement commencing from the Services Start Date to the Services End Date, unless this Agreement is terminated earlier (either as a whole or in relation to the Services only) in accordance with its terms.
Software: means the software to be licensed by NV Play to the Client as identified in any Engagement Agreement entered into between the parties from time to time, including any Major or Minor Releases to that software.
Specification: means the specification in relation to the Software as identified in any Engagement Agreement entered into between the parties from time to time.
Term: has the meaning given to that term in clause 15.1.
Users: any individual or organisation designated as a user of the Software by the Client within the scope of the Permitted Purpose of the licenced activities as set out in the applicable Engagement Agreement.
Warranty Period: has the meaning given to in in clause 10.1c).
-
- Interpretation
- Unless the context otherwise requires:
- references to NV Play and the Client include their permitted successors and assigns;
- references to statutory provisions include those statutory provisions as amended
or re-enacted; - another grammatical form of a defined word or expression has a corresponding meaning;
- references to any document are references to that document as modified, novated, supplemented, varied or replaced from time to time;
- references to persons includes individuals, companies, corporations, partnerships, firms and other entities;
- references to the singular include the plural and vice versa; and
- references to including or includes shall be deemed to have the words "without limitation" inserted after them.
- In the case of conflict or ambiguity between any provision contained in: (i) these General Terms; or (ii) any Engagement Agreement, the documentation will be given the following order of precedence:
- the Appendices (and in particular the Data Processing Agreement);
- the Engagement Agreement; and
- these General Terms.
- Unless the context otherwise requires:
- Licensing of Software and Ordering Services
- This Agreement sets out the terms and conditions that will apply to the provision by NV Play of the Software and Services to the Client.
- These General Terms will apply to the provision of all Software and Services by NV Play to the Client subject to any variations to these General Terms set out in any Engagement Agreement. Any such variations will only apply to the Software and Services that the Engagement Agreement relates.
- Each Engagement Agreement shall constitute a separate binding agreement between the parties and the General Terms shall be deemed to be incorporated in and apply to the Engagement Agreement. The waiver or exercise of any right or remedy under one Engagement Agreement will not affect any other
- Upon execution of an Engagement Agreement by both parties, NV Play will deliver the Software or Services (as the case may be) as set out in, and in accordance with, such Engagement Agreement and these General Terms.
- Software Delivery
- On the Licence Start Date, NV Play shall make available to the Client the Software in accordance with the provisions of the applicable Engagement Agreement.
- The Client acknowledges that NV Play may make available Modifications to the Client from time to time. In the event that a Modification is made available to the Client and provided that the Modification has not been designated as optional in writing by NV Play, the Client will promptly undertake all required actions to update any locally stored versions of the Software with the Modification. The Client acknowledges that until such update occurs, the Software may not be available for use by the Client.
- Software Licence and Duration
- In consideration of the Client's obligation to pay the Fee(s) under clause 8.1, NV Play grants to the Client a non-exclusive, worldwide licence for the Users to use the Software (which for the purposes of this clause includes any Modification) and any Deliverables during the Licence Term for the Permitted Purpose.
- In relation to scope of use:
- for the purposes of clause 6.1 above, "use" of the Software shall be restricted to use of the Software in object code form by the Client and Users, but shall include any act which is reasonably incidental to such use, including the creation of as many copies of the Software as may be necessary to enable use of the Software in accordance with this clause 6.2a); and
- except as stated in clause 6.2a), the Client shall have no right to copy, adapt, reverse engineer, decompile, disassemble or modify the Software in whole or in part.
- The Client shall not:
- sub-license the Software in whole or in part except that the Client may sub-license the use of the Software to Users (provided such sub-licence terminates on expiry or termination of the applicable Engagement Agreement and that the Client remain at all times liable for the actions of any sub-licensee);
- use the Software other than for the Permitted Purpose;
- allow the Software to become the subject of any charge, lien or encumbrance; or
- deal with the Software in any manner not permitted by this Agreement,
without the prior written consent of NV Play.
- Services
- During the Services Term, NV Play shall perform the Services in accordance with Good Industry Practice and at all times in accordance with the terms of this Agreement (including to any applicable Specifications and by any due dates as set out in the applicable Engagement Agreement) and all applicable laws and regulations.
- NV Play shall:
- ensure that its personnel comply with the Client’s safety and security standards and site procedures and any other lawful guidelines or instructions issued by the Client from time to time;
- have no right or authority, express or implied, to commit or otherwise obligate the Client any manner whatsoever except to the extent specifically agreed in writing by the Client.
- NV Play shall ensure that its personnel performing the Services shall be suitably experienced and qualified.
- Fees
- The Fees are to be paid by the Client to NV Play in accordance with the provisions of this clause 8 in consideration of NV Play licensing the Software and providing the Services to the Client. The currency of the Fees payable will be set out in the applicable Engagement Agreement.
- NV Play shall invoice the Client for the relevant Fees on the Invoice Date(s). The Client shall pay each valid invoice from NV Play on or before the 20th of the month following the date of the invoice, unless stipulated otherwise in the applicable Engagement Agreement.
- If the Client fails to pay any invoice by the due date (other than in the case of bona fide dispute), NV Play may (without prejudice to any other rights and remedies available to it) charge interest on the unpaid amount (after as well as before any judgment) from the due date until payment is received (both dates inclusive) at an annual rate of 12% compounding on a daily basis.
- All sums payable under this Agreement are exclusive of any tax payable on such amounts (including any goods and services tax or value added tax), which, if applicable, shall be charged in accordance with applicable law and paid by the Client. Each party is entirely responsible for compliance with their own tax obligations.
- The Fees comprise the entire payment to be made by the Client to NV Play in relation to licence of the Software and provision of the Services. Any additional costs and expenses must be approved in writing and in advance by the Client.
- NV Play may amend the Fees once in any 12 month period by providing notice in writing to the Client.
- Confidentiality and Publicity
- Each party agrees to, during the Term and thereafter, keep confidential, and shall not use for its own purposes (other than implementation of this Agreement) nor without the prior written consent of the other disclose to any third party (except its professional advisors or as may be required by any law or any legal or regulatory authority) any information of a confidential nature (including trade secrets, information of commercial value, and the terms of this Agreement) which may become known to such party from the other party and which relates to the other party or any of its affiliates, unless such information is public knowledge or already known to such party at the time of disclosure, or subsequently becomes public knowledge other than by breach of this Agreement, or subsequently comes lawfully into the possession of such party from a third party (Confidential Information). Each party shall use its reasonable endeavours to prevent the unauthorised disclosure of Confidential Information.
- NV Play may refer to the Client and this Agreement in a general way in its website, social media channels, publicity, marketing or advertising material without the Client's consent.
- Each party acknowledges and agrees that, in the event of a breach by either party of its confidentiality obligations under this clause 9, damages may not be a sufficient remedy for the other party. Accordingly, in addition to other remedies, each party shall have the right to seek from a court of competent jurisdiction injunctive relief or specific performance of the other party’s relevant obligations. Any such remedy shall not be deemed to be exclusive or all-inclusive and shall be in addition to any and all other remedies which may be available to the parties at law or in equity
- Export
- Neither party shall export, directly or indirectly, any technical data acquired from the other party under this Agreement (or any products, including software, incorporating any such data) in breach of any applicable laws or regulations (Export Control Laws), including United States of America export laws and regulations, to any country for which the government or any agency thereof at the time of export requires an export licence or other governmental approval without first obtaining such licence or approval.
- Each party undertakes:
- contractually to oblige any third party to whom it discloses or transfers any such data or products to make an undertaking to it in similar terms to the one set out above; and
- if requested, to provide the other party with any reasonable assistance, at the reasonable cost of the other party, to enable it to perform any activity required by any competent government or agency in any relevant jurisdiction for the purpose of compliance with any Export Control Laws.
- Supplier's Warranties
- NV Play warrants that:
- to its actual knowledge, use and/or possession of the Software or any Deliverable, and receipt of the Services, by the Client and/or any User will not infringe the Intellectual Property Rights of any third party;
- it shall promptly inform the Client of any material matter which comes to its attention and which may have a detrimental effect on its supply of the Services; and
- the Software, any Deliverable and any media on which the Software or any Deliverable is delivered will be free from viruses and other malicious code.
- NV Play warrants that:
- Limitation of Liability
- Subject to clause 12.3, neither party shall in any circumstances have any liability for any losses or damages which may be suffered by the other, whether the same are suffered directly or indirectly or are immediate or consequential, which fall within any of the following categories:
- indirect damage even though that party was aware of the circumstances in which such indirect damage could arise;
- loss of profits;
- loss of anticipated savings;
- loss of business opportunity and management time; or
- loss of goodwill.
- Subject to clause 12.3 the total liability of each party in any 12 month period, whether in contract, tort (including negligence) or otherwise in connection with this Agreement shall in no circumstances exceed a sum equal to the aggregate Licence Fee(s) paid in the 12 month period in which the liability first arose.
- Notwithstanding any other provision of this Agreement, neither party excludes or limits any liability:
- for death or personal injury caused by its negligence, or the negligence of its employees or agents; or
- for fraud or fraudulent misrepresentation or the deliberate default or wilful misconduct of that party, its employees or agents or subcontractors.
- Despite any other provision in this Agreement, neither party will be liable for any failure or delay in complying with any obligation under this Agreement (excluding any payment obligation) if:
- the failure or delay arises from a Force Majeure Event; and
- the affected party, on becoming aware of the Force Majeure Event, promptly notifies the other party in writing of the nature of, the expected duration of, the obligation(s) affected by, and the steps being taken by that party to mitigate, avoid or remedy the Force Majeure Event; and
- the affected party uses its best endeavours to:
- mitigate the effects of the Force Majeure Event on that party’s obligations under this Agreement;
- perform that party’s obligations which are not affected by the Force Majeure Event; and
- perform that party’s obligations under this Agreement on time despite the Force Majeure Event, or that performance of an obligation affected by a Force Majeure Event will be resumed as soon as practicable after the termination or abatement of the Force Majeure Event
- Subject to clause 12.3, neither party shall in any circumstances have any liability for any losses or damages which may be suffered by the other, whether the same are suffered directly or indirectly or are immediate or consequential, which fall within any of the following categories:
- Intellectual Property Rights
- The parties agree that all Intellectual Property Rights subsisting in the Software and Services are owned by NV Play or its third party licensees as the case may be.
- The Client grants to NV Play a non-exclusive, royalty free, licence during the Term to reproduce and use the Marks solely in connection with the delivery of the Software and the performance of the Services .
- If the Client becomes aware of a claim or likely claim that the Intellectual Property Rights of NV Play has infringed any of the Intellectual Property Rights of a third party (IP Claim), then:
- the Client will promptly notify NV Play in writing accordingly; and
- the Client will provide such assistance (at NV Play’s cost) as is reasonably necessary to allow NV Play to resolve or settle the IP Claim.
- The Client will not, at any time, directly or indirectly challenge or contest (nor assist any other person to challenge or contest) NV Play’s right and title to, and interest in, any Intellectual Property Rights subsisting in the Software or Services (which for the avoidance of doubt does not include the Input Material).
- The Client will do all things and sign all documents to assist NV Play in obtaining any rights or registrations which NV Play considers (at its sole discretion) are required or desirable in relation to any new Intellectual Property Rights that are developed or created by NV Play in connection with the Services or Software.
- Data Usage, Access and Ownership
- Subject to the rights granted under clause 14.2, NV Play acknowledges that the Input Material is the property of the Client.
- NV Play may during and following the end of the Term, subject to any applicable laws and regulations (including any data protection laws), retain and use a copy of the Input Materials and any other data related to the Software or Services for the purposes of accessing, modifying, downloading, transferring, viewing and/or using any data forming part of the Input Material:
- as necessary to perform the Services and make available the Software;
- to administer, maintain and improve the Services and Software;
- for the purposes of aggregating such data for incorporation in statistics and other reports which will be published or otherwise used by NV Play for its internal and external business purposes;
- for the purposes of making available to NV Play, any other NV Play clients or any authorised third parties any video or photographic footage, and any statistical data or material, of any players or matches;
- for the purposes of incorporating or using such data in any software application (including statistical models, player development programmes, or games) for any purpose including high performance applications or tools.
- NV Play will, in respect of any Input Materials comply at all times with any applicable privacy or data protection legislation and any other applicable laws relevant to its possession or use of any such data.
- The Client shall comply with the provisions of any applicable privacy or data protection legislation and any other applicable laws in its collection and use of the Input Material. The Client warrants that it has a legitimate interest or has obtained all required consents to enable NV Play to possess, store and use any Input Material in accordance with the terms of this Agreement.
- The Client acknowledges that all data, information and content held or stored by NV Play, or otherwise forming part of or generated through the Services that is not Input Material is owned by NV Play and that the Client has no right to access or use in any way such data other than as expressly set out in this Agreement.
- Term and Termination
- This Agreement shall commence on the Commencement Date of this Agreement and shall continue until terminated in accordance with the provisions of this clause 15 (Term).
- If the Software or Services provided for in any Engagement Agreement are used or accessed by the Client following the expiry or termination of that agreement, the term of the applicable Engagement Agreement will be deemed to have been extended by a period of twelve months from the previous expiry date of the agreement.
- This Agreement and any Engagement Agreement may be terminated by either party on written notice to the other party if the other party:
- has committed a material breach of any of its obligations under an Engagement Agreement and, where that breach is capable of remedy, has failed to remedy that breach within 30 days after receiving written notice requiring it to remedy that breach; or
- suffers an Insolvency Event.
Termination of this Agreement or an Engagement Agreement will not impact or affect the rights and obligations of the parties under any other Engagement Agreement.
- Termination of this Agreement or an Engagement Agreement by either party in accordance with this clause 15 shall not affect the accrued rights, remedies, obligations or liabilities of the parties existing at termination.
- Any provision of this Agreement which expressly or by implication is intended to come into or continue in force on or after termination of this Agreement (including clauses 1, 8, 9, 12, 13, 20, 23 and 25) shall remain in full force and effect.
- Entire Agreement
- This Agreement and the Data Processing Agreement contained in Appendix 1 shall constitute the entire agreement between NV Play and the Client in relation to its subject matter and any other terms, conditions, performance criteria, guarantees or prior representations whatsoever (whether written or oral, and including any quotations or terms and conditions issued by NV Play) shall be of no effect unless expressly incorporated herein. Each party acknowledges that it has not entered into this Agreement in reliance on any statement or representation of the other party except to the extent that such statement or representation has been incorporated in this Agreement. Nothing in this Agreement shall limit or exclude either party’s liability for fraud or fraudulent misrepresentation.
- No Assignment
- The parties may not assign, transfer or burden all or part of their rights under this Agreement or transfer their legal relationship towards the other party under the Agreement without prior written consent of the other party such consent not to be unreasonably withheld, conditioned or delayed. If consent has been granted, the consenting party undertakes to execute all documentation necessary to effect a prompt assignment, transfer or encumbrance.
- Waiver
- No failure or delay by a party to exercise any right or remedy provided under this Agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it preclude or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall preclude or restrict the further exercise of that or any other right or remedy.
- Variation
- No variation of this Agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives).
- Severance
- If any court or competent authority finds that any provision of this Agreement (or part of any provision) is invalid, illegal or unenforceable, that provision or part-provision shall, to the extent required, be deemed to be deleted, and the validity and enforceability of the other provisions of this Agreement shall not be affected.
- If any invalid, unenforceable or illegal provision of this Agreement would be valid, enforceable and legal if some part of it were deleted, the provision shall apply with the minimum modification necessary to make it legal, valid and enforceable.
- Counterparts
- This Agreement may be signed in counterparts (including by copy sent via email in PDF format), and such copies may be relied upon by the other party as though it were an original copy. All signed counterparts together will constitute one document.
- No Partnership or Agency
- Nothing in this Agreement is intended to, or shall be deemed to, establish any partnership or joint venture between any of the parties, constitute any party the agent of another party, nor authorise any party to make or enter into any commitments for or on behalf of any other party.
- Notices
- Any notice or other communication required to be given under this Agreement shall either be in writing and shall be delivered personally, sent by pre-paid post or recorded delivery or by commercial courier, or emailed to the parties at the addresses listed below.
- The parties address for notice via email shall be the email address of the Key Representatives, or:
- for the Client:
the address listed on the Client’s public website or such other address or email address as notified to NV Play in writing from time to time; and - for NV Play:
NV Play, PO Box 25411, City East, Christchurch 8141, New Zealand and
notices@nvplay.com or such other email address as notified to the Client in writing from time to time.
- for the Client:
- Any notice or other communication shall be deemed to have been duly received:
- if delivered personally, when left at the address and attention to the contact referred to in this clause;
- if sent by email - at the time and date of receipt by the sender of a successful delivery report in respect of that email, it being agreed that the relevant notice shall take the form of a scanned PDF signed by the authorised representatives of the relevant Party (such PDF to be attached to the relevant email);
- if sent by pre-paid post or recorded delivery, at 9.00 am on the fifth Business Day after posting; or
- if delivered by commercial courier, on the date and at the time that the courier's delivery receipt is signed.
- If deemed receipt under clause 22.3 would occur outside business hours in the place of receipt, it shall be deferred until business hours resume. In this Clause 22.4, “business hours” means 9.00am to 5.00pm on any Business Day.
- Subcontracting
- To the extent NV Play subcontracts any part of the Services to a third party, NV Play will ensure that each such subcontractor complies with the terms of this Agreement that are relevant to that subcontractor’s part in the performance of obligations under this Agreement. Any subcontracting will not relieve NV Play from any of its obligations under this Agreement and NV Play shall remain responsible and liable for all obligations, services and functions performed by any subcontractor to the same extent as if those obligations, services or functions were performed by NV Play.
- Governing Law and Jurisdiction
- This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of New Zealand.
- The parties irrevocably agree that the courts, tribunals and any competent regulators of New Zealand shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Agreement or its subject matter or formation (including non-contractual disputes or claims).
Appendix 1
Data Processing Agreement
This Data Processing Agreement sets out the provisions that will govern all processing of Personal Data by the parties in connection with the General Terms and any Engagement Agreement (the Agreement). Its provisions amend and supplement the Agreement, and will take precedence over the Agreement unless expressly stated otherwise. Terms that are defined in the Agreement will have the same meaning when used in this Data Processing Agreement unless the context dictates otherwise.
- Introduction
- This Data Processor Agreement regulates NV Play’s (the Data Processor) processing of personal data on behalf of the Client (the Data Controller) and is attached as an addendum to the Agreement in which the parties have agreed to the Data Processor’s delivery of Software and/or Services to the Data Controller through various Engagement Agreements (the Agreed Deliverables).
- NV Play may be an independent Data Controller for some personal data relating to the Client or its Users, where there is a legitimate interest in it being so. Examples of a legitimate interest may include enabling billing and account management of a commercial relationship, user administration and authentication, analysis of operational usage or performance data to ensure optimal service delivery, statistical analysis of aggregate data for research & development of new analysis models and algorithms, internal reporting and modelling, or any other legitimate business purposes. When NV Play processes personal data as a Data Controller, the Client acknowledges and confirms that this Data Protection Agreement does not create a joint-controller relationship between the parties.
- Legislation
- This Data Processor Agreement shall ensure that the Data Processor complies with the applicable data protection and privacy legislation within the primary territory of the Data Controller’s operations (the “Applicable Law”), including in particular the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
- Processing of Personal Data
- The purpose of the processing is the provision of the Agreed Deliverables to the Data Controller by the Data Processor.
- In connection with the Data Processor’s delivery of the Agreed Deliverables to the Data Controller, the Data Processor will process certain categories and types of the Data Controller’s personal data on behalf of the Data Controller.
- ”Personal data” includes “any information relating to an identified or identifiable natural person” as defined in GDPR, Article 4 (1) (the ”Personal Data”). The Data Processor only performs processing activities that are necessary and relevant to deliver the Agreed Deliverables, except as required to comply with a legal obligation to which the Data Processor is subject. The categories, types and nature of Personal Data processed by the Data Processor on behalf of the Data Controller are described in Schedule 1 to this Appendum. The parties shall update Schedule 1 whenever changes occur that necessitates that it be updated.
- The Data Processor shall maintain a register of processing activities in accordance with GDPR, Article 30, except where the exceptions defined in Article 30 (5) are satisfied.
- Instruction
- The Data Processor may only act and process the Personal Data in accordance with a documented instruction from the Data Controller (the “Instruction”), unless required by law to act without such instruction. The Instruction at the time of entering into this Data Processor Agreement is that the Data Processor may only process the Personal Data with the purpose of delivering the Agreed Deliverables. Subject to the terms of this Data Processor Agreement and with mutual agreement of the parties, the Data Controller may issue additional written instructions consistent with the terms of this Agreement. The Data Controller is responsible for ensuring that all individuals who provide written instructions are authorised to do so.
- The Data Controller guarantees to process Personal Data in accordance with the requirements of Applicable Law, and that the Data Controller’s Instructions for the processing of Personal Data shall comply with Applicable Law. The Data Controller will have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which it was obtained.
- The Data Processor will inform the Data Controller of any instruction that it deems to be in violation of Applicable Law and will not execute the instructions until they have been confirmed not to violate Applicable Law or are appropriately modified.
- The Data Processor’s Obligations
- Confidentiality:
- The Data Processor shall treat all the Personal Data as confidential information.
- The Data Processor’s employees shall be subject to an obligation of confidentiality that ensures that the employees shall treat all the Personal Data under this Data Processing Agreement with strict confidentiality.
- Personal Data will only be made available to personnel that require access to such Personal Data for the delivery of the Agreed Deliverables by the Data Processor under this Data Processor Agreement.
- The Data Processor shall also ensure that employees processing the Personal Data only process the Personal Data in accordance with the Instruction.
- The Data Processor shall implement the appropriate technical and organizational measures as set out in this Data Processing Agreement and in the Applicable Law, including in accordance with GDPR, Article 32. The security measures are detailed in Appendix 1, Schedule 2 of this Agreement and are subject to technical progress and development. The Data Processor may update or modify the security measures from time-to-time provided that such updates and modifications do not result in the degradation of the overall security. The Data Processor shall provide documentation of the Data Processor’s security measures if requested by the Data Controller in writing.
- If the Data Processor’s assistance is necessary and relevant, the Data Processor shall assist the Data Controller in preparing data protection impact assessments in accordance with GDPR, Article 35, along with any prior consultation in accordance with GDPR, Article 36. Where assistance is necessary, requests will take the form of a written request by the Data Controller to the Data Processor, detailing the assistance required from the Data Processor and nature of the response requested.
- Rights of the Data Subjects:
- If the Data Controller receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and the correct and legitimate reply to such a request necessitates the Data Processor’s assistance, the Data Processor shall assist the Data Controller by providing the necessary information and documentation. The Data Processor shall be given reasonable time to assist the Data Controller with such requests in accordance with the Applicable Law.
- If the Data Processor receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and such request is related to the Personal Data of the Data Controller, the Data Processor must immediately forward the request to the Data Controller and must refrain from responding to the person directly.
- Personal Data breaches:
- The Data Processor shall give notice in writing to the Data Controller, in the manner prescribed by clause 22.3 (a) or (b) of the General Terms and for the attention of the persons named in clause 22.2 (a), within 36 hours of first becoming aware, if a breach occurs that can lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, personal data transmitted, stored or otherwise processed re the Personal Data processed on behalf of the Data Controller (a Personal Data Breach).
- The Data Processor shall make reasonable efforts to identify the cause of such a breach and take those steps as they deem necessary to establish the cause, and to prevent such a breach from reoccurring.
- Upon becoming aware of any suspected or actual Personal Data Breach, the Data Processor shall provide such assistance and co-operation as the Data Controller may require in order to support any and all related investigations, mitigation and remediation of each Personal Data Breach. In such circumstances, the Data Processor shall provide the Data Controller with as many details as are known by the Contractor at that time (including without limitation (i) the nature and scope of the Personal Data Breach, the categories and numbers of data subjects concerned and the categories and number of personal data records concerned; (ii) the name and contact details of the Data Processor’s data protection officer or other relevant contact from whom more information may be obtained; (iii) the likely consequences of the Personal Data Breach; and (iv) the measures taken or proposed to be taken by the Data Processor to address the Personal Data Breach) and the Data Processor shall regularly update the Data Controller thereafter setting out such further details as may be reasonably requested by the Data Controller.
- Documentation of compliance and Audit Rights:
- Upon request by a Data Controller, the Data Processor shall make available to the Data Controller all relevant information necessary to demonstrate compliance with this Data Processing Agreement, and shall allow for and reasonably cooperate with audits, including inspections by the Data Controller or an auditor mandated by the Data Controller. The Data Controller shall give notice of any audit or document inspection to be conducted and shall make reasonable endeavours to avoid causing damage or disruption to the Data Processors premises, equipment and business in the course of such an audit or inspection. Any audit or document inspection shall be carried out with reasonable prior written notice of no less than 30 days, and shall not be conducted more than once a year.
- The Data Controller may be requested to sign a non-disclosure agreement reasonably acceptable to the Data Processor before being furnished with the above.
- The Data Processor is given general authorisation to transfer Personal Data to countries outside the jurisdiction of the Applicable Law for the sole purpose of meeting the Agreed Deliverables, including countries outside of the European Economic Area (EEA) where the Data Processor is subject to GDPR. In respect of transfers to outside of the EEA, the Data Processor will restrict transfers to where the receiving country is subject to an EU Commission adequacy decision (specifically including New Zealand), where the transfer is subject to appropriate safeguards in accordance with the Applicable Law (which may include, without limitation, Standard Contractual Clauses).
- The Data Controller acknowledges and accepts that access to and use of the Agreed Deliverables by its authorised users may occur outside the EEA and, in such circumstances, Personal Data may be viewed outside the EEA by the relevant user.
- Confidentiality:
- Sub-Processors
- The Data Processor is given general authorisation to engage third-parties to process the Personal Data (“Sub-Processors”) without obtaining any further written, specific authorization from the Data Controller, with such appointments being subject to New or replacement Sub-Processors are able to be appointed by the Data Processor, provided that the Data Controller is notified in writing about the identity of a potential Sub-Processor (and its processors, if any) before any agreements are made with the relevant Sub-Processors and before the relevant Sub-Processor processes any of the Personal Data. If the Data Controller wishes to object to the relevant Sub-Processor, the Data Controller shall give notice hereof in writing within ten (10) days from receiving the notification from the Data Processor. Absence of any objections from the Data Controller shall be deemed consent to the relevant Sub-Processor.6.3.
- The Data Controller acknowledges and accepts that the Data Processor engages Microsoft Corporation (Microsoft) as a primary Sub-Processor to provide core online services required to deliver the Agreed Deliverables, specifically including SQL Azure, App Service, Storage, Application Insights (each of which forms part of the Microsoft Azure Core Services) and related Microsoft cloud services. These sub-processing services are provided to the Data Processor subject to the following terms (together, the Microsoft Terms):
Microsoft Online Services Agreement (MOSA):
https://www.microsoft.com/licensing/terms/welcome/WelcomePage?programMoniker=MOSAMicrosoft Products and Services Data Protection Addendum (DPA):
The Data Controller and the Data Processor accept that these terms are substantially similar to the standards set forth in this Data Processing Agreement, and agree that where in conflict the Microsoft Terms will apply in respect to any Sub-Processing provided by Microsoft in relation to the delivery of the Agreed Deliverables.
https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA?lang=1 - New or replacement Sub-Processors are able to be appointed by the Data Processor, provided that the Data Controller is notified in writing about the identity of a potential Sub-Processor (and its processors, if any) before any agreements are made with the relevant Sub-Processors and before the relevant Sub-Processor processes any of the Personal Data. If the Data Controller wishes to object to the relevant Sub-Processor, the Data Controller shall give notice hereof in writing within ten (10) days from receiving the notification from the Data Processor. Absence of any objections from the Data Controller shall be deemed consent to the relevant Sub-Processor. In the event the Data Controller objects to a new Sub-Processor on reasonable data protection grounds, the Data Processor will discuss these objections with the Data Controller in good faith with a view to achieving resolution.
- The Data Processor will enter into an agreement with each Sub-Processor that obligates the Sub-Processor to process the Personal Data in a manner substantially similar to the standards set forth in this Data Processing Agreement, and at a minimum, at the level of data protection required by the Applicable Law (to the extent applicable to the services provided by the Sub-Processor).
- The Data Processor shall carry out appropriate due diligence on each of its Sub-Processors prior to their appointment and shall on an ongoing basis monitor and control its Sub-Processors’ compliance with the Applicable Law.
- Subject to 6.2, the Data Processor is accountable to the Data Controller for any Sub-Processor in the same way as for its own actions and omissions.
- The Data Processor will maintain a list of Sub-Processors that may process Personal Data, a copy of which will be provided to the Data Controller on receipt of a written request.
- Remuneration and costs
- The Data Controller agrees it shall remunerate the Data Processor on a time and materials basis to meet its obligations under section 5.4, 5.5, 5.6 and 5.7 of this Data Processor Agreement. Such co-operation and assistance will be charged at the Data Processor’s prevailing rates at the time of the request.
- The Data Processor is entitled to remuneration on a time and material basis to adapt and change the processing activities in order to comply with any changes to the Data Controller’s Instruction, including implementation costs and additional costs required to deliver the Agreed Deliverables due to the change in the Instruction.
- The Data Processor is exempted from liability for non-performance with delivery of the Agreed Deliverables if the performance of these obligations would be in conflict with any changed Instruction or if contractual delivery in accordance with the changed Instruction is impossible. This could for instance be the case (i) if the changes to the Instruction cannot technically, practically or legally be implemented; (ii) where the Data Controller explicitly requires that the changes to the Instruction shall be applicable before the changes can realistically & reliably be implemented; and (iii) in the period of time until the agreement defining the Agreed Deliverables is varied or otherwise changed to reflect the new Instruction and commercial terms thereof.
- Limitation of liability
- The total aggregate liability to the Data Controller, of whatever nature, whether in contract, tort or otherwise, of the Data Processorfor any losses whatsoever and howsoever caused arising from or in any way connected with the provision of the Agreed Deliverables shall be subject to Section 11 of the General Terms.
- Nothing in this Data Processing Agreement relieves the Data Processor of its own direct responsibilities and liabilities under the GDPR or other Applicable Laws.
- Duration
- The Data Processor Agreement shall remain in force while the Agreement is in force, and will survive termination or expiration should the Data Processor continue to store or process Personal Data.
- Data Protection Officer
- The Data Processor will appoint a Data Protection Officer where such appointment is required by the Applicable Law.
- Termination
- Following expiration or termination of the Agreement, the Data Processor will delete or return to the Data Controller all Personal Data, except as expressly provided for in the Agreement (specifically including clause 13.2 of the Agreement), and to the extent the Data Processor is required by Applicable Law to retain some or all of the Personal Data (in which case the Data Processor will archive the data and implement reasonable measures to prevent the Personal Data from any further processing). The terms of this Data Processing Agreement will continue to apply to any retained Personal Data.
- Governing Law and Jurisdiction
- This Data Processing Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of New Zealand.
- The parties irrevocably agree that the courts, tribunals and any competent regulators of New Zealand shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Data Processing Agreement or its subject matter or formation (including non-contractual disputes or claims).
- Severance
- Should any provision of this Data Processing Agreement be invalid or unenforceable, then the remainder of this Data Processing Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either:
- amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible,
- construed in a manner as if the invalid or unenforceable part had never been contained therein.
- Should any provision of this Data Processing Agreement be invalid or unenforceable, then the remainder of this Data Processing Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either:
Appendix 1 | Schedule 1
Data being processed
Background
NV Play is a comprehensive sports technology platform, primarily focussed on the sport of cricket, specifically designed to meet the needs of governing and organisational bodies. Its primary purpose is to a) capture and analyse match outcomes & results to drive both engagement and performance, and b) provide platforms & tools to support the underlying competition structure & formats of the game.
In order to deliver this purpose, and meet the Agreed Deliverables, may involve the Processing of Personal Data about any or all of the following Data Subjects:
- Players
- Officials (including Umpires, Coaches, Scorers, Referees, Analysts, Administrators)
- Users of the Software
Types of Personal Data Processed
Depending on the Client’s usage of the Software, any or all of the following types of Personal Data may be processed in order to meet the Agreed Deliverables:
- Players: full name, gender, player type & roles, playing status, club memberships, match & team participation, match performance, career performance, video or photographic footage
- Consented Player data: address, email address, phone number, social media account names, profile picture, date of birth (and these details of parent and/or guardian if Player under the age of consent)
- Officials: full name, organisation, roles, match participation
- Users: full name, email address, user/login name, organisation, role, IP address, system usage
No Sensitive Personal Data, as defined in GDPR Article 9 (1), will be collected or Processed by the Data Processor without specific Instruction in writing from the Data Controller, including specifically detailing the qualifying requirement for its collection & Processing under GDPR Article 9 (2) and the additional processing & security processes the Data Controller has in place to secure the Sensitive Personal Data.
Other Types of Data Processed
In addition to the above listed Personal Data, any or all of the following addition types of data may be Processed in order to meet the Agreed Deliverables.
- Platform usage metrics to optimise scale & performance
- Automated error reporting to assist with diagnosis & remedy of issues
- Website and app usage analytics to provide insights to usage patterns & optimal workflows, including browser and device information
- Commercial information in relation to the billing of services & contract administration
- Participation & demographic data to support the development & delivery of amateur & professional sporting programmes
Appendix 1 | Schedule 2
Technical and Organisational Security Overview
Background
NV Play is in the business of collecting, analysing and publishing data, and takes this responsibility very seriously. This document provides an overview of the investments we have made in both infrastructure and processes to ensure that all data under our stewardship remains secure.
Confidential Data
NV Play defines "confidential data" as any of the following:
- Personal data, including "any information relating to an identified or identifiable natural person", as defined in GDPR, Article 4 (1)
- Customer owned data of a non-personal nature that is not in the public domain
- Customer, supplier and shareholder information
- Patents, business processes and/or new or innovative technologies
- Employees' credentials, medical, and personal information
- Company contracts and legal records
Physical Security
NV Play operates a secure premises policy at all sites where confidential information is handled. In practice, this means that all data analysis, coding or technical development occurs on machines located in a physically secured premises. This physical security is maintained through:
- Entrance doors are permanently & automatically electronically locked
- Personally assigned physical security fobs for all staff or contractors
- All visitors are met with in non-secure meeting rooms outside of the physically secured work area
- If visitors are permitted to enter the secured area, they are escorted at all times
- Outside of business hours, the premises are secured by monitored alarm services
- Secure destruction services used for disposing of sensitive documents
Infrastructure Security
NV Play leverage a combination of local data centre and public cloud infrastructure to respectively deliver internal and external services.
Local infrastructure
Local server infrastructure is provisioned in industry leading Tier 3+ datacentres located in New Zealand, with security and reliability features that include the following:
- Regular proactive maintenance and upgrades of underlying server, storage and network
- 24 x 7 x 365 monitoring and alerting of all infrastructure
- 24 x 7 x 365 on site staff
- Diverse A&B power supplies
- Dual backup generators
- Dual uninterrupted power supplies
- Dual-path fibre networks to multiple network providers
- Redundant cooling
- Perimeter fences, motion activated security and Interlock mantrap used to control facility access
Cloud infrastructure
Cloud infrastructure is provisioned within the Microsoft Azure public cloud platform. We deliver production, pre-production, UAT and some development environments leveraging Azure’s Platform-as-a-Service capabilities, and leverage Microsoft 365 for internal & external communications and productivity tools.
Azure Security Center provides unified security management and advanced threat protection across cloud workloads. It allows us to apply security policies across workloads and leverages advanced monitoring & analytics and threat intelligence to detect attacks and rapidly respond to threats.
Remote Access and Authentication
NV Play’s password policy is strictly enforced and remote access to all local and internal infrastructure requires use of the FortiClient VPN for end to end encryption. We secure access to all Public Cloud services for Microsoft 365 and Microsoft Azure using Azure Active Directory with Multi Factor Authentication (MFA) enforced.
Internet and Managed Services
NV Play has in place long term managed services contracts with a specialist IT services provider to manage all local infrastructure, including servers and workstations. This contract has strict terms to ensure all infrastructure is monitors and patched regularly, and encompasses delivery of Secure Internet Services including Antivirus, Intrusion Prevention System (IPS) and Web Filtering for all incoming and outgoing internet traffic.
Data Security
At NV Play, all databases and storage services are encrypted by default. This starts with enabling encryption at rest, providing data protection for data while stored (at rest). Attacks against data at-rest include attempts to obtain physical access to the hardware on which the data is stored, or unauthorised attempts to access backups of the data.
Azure SQL databases are encrypted at rest by using Transparent Data Encryption against generated managed keys. Additionally, a client side encryption function called “Always Encrypted” is available for certain database fields in specific databases, offering an additional level of encryption on data which may be deemed more sensitive than others, and require an additional level of encryption.
By default all Azure Storage accounts are configured to be encrypted at rest using 256 bit AES encryption, again using generated managed keys.
Data Recovery
NV Play has a comprehensive data backup and recovery regime in place, across both our local and cloud infrastructure.
Local infrastructure
All local infrastructure and storage is securely backed up daily, with the backup retention for Local Backups being:
- Daily Backups – retained for 14 days
- Weekly Backups – retained for 6 weeks
- Monthly Backups – retained for 6 months
Backups are securely replicated externally to NV Play’s network for additional resilience, with Offsite Backups being retained for 14 days
Backup Monitoring Checks are completed daily to ensure all backups are working correctly.
Cloud infrastructure
Through leveraging Azure Database services, we gain full point-in-time backup and restore functionality. All databases are automatically backed-up by Azure as part of the base service offering, taking full, differential and log backups in the background to guarantee we always keep your data safe. These backups are retained for 7 days for Basic, 14 days for Standard and 35 days for Premium tier services. Additional long term retention of database backups is able to be configured for up to 10 years if required.
Within this period, we are able to choose any minute and restore any database to that point in time. The restore always happens to a new database, it does not overwrite the current database.
This same Point-in-time Restore is leveraged for disaster recovery planning purposes. The backups are able to be automatically replicated to selected alternative Azure datacentres, and can later be restored in any Azure data centre in the eventuality a full disaster recovery is required.
In case of failure of the primary datacentre (for example, North Europe located in Dublin), we can immediately restore the database in another datacentre (West Europe located in Netherlands for example). A guarantee of maximum one hour recency (data loss) is provided by Azure in this instance, as the replication is done asynchronously.
The level of geographic redundancy can be extended to full geo-replication if desired, meaning the live databases are constantly replicated across multiple geographic regions. We do not leverage capability this by default due to data privacy and sovereignty considerations, but it is available to be configured in consultation with each client on a case by case basis.
Security and Performance Monitoring
Distributed denial of service (DDoS) attacks are some of the largest availability and security concerns facing customers that are moving their applications to the cloud. A DDoS attack attempts to exhaust an application's resources, making the application unavailable to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet.
Whilst each client configuration is unique to their situation, Azure Traffic Manager is able to be utilised to isolate targeted traffic from unexpected international traffic in order to ensure unusual global demand spikes does not impede performance. This architecture by default provides a high degree of flexibility around managing overseas based DDoS style incidents.
Standard monitoring of all public facing components of the NV Play platform includes:
- Alerts on unexpected traffic i.e. a lot of traffic from unexpected locations or one IP address
- Alerts indicating performance issues i.e. indicates there is an issue with platform performance and further investigation needs to be carried out immediately
DDoS Incident Response Strategy
In the event that a DDoS attack on NV Play platform is detected, our technical, engineering and leadership teams are immediately notified. Whilst each incident will require a different response, our high level response plan is as follows:
- Notify all relevant stakeholders to the incident
- Activate primary countermeasures:
- If identifiable, block all attack IP addresses from affected endpoints
- replicate & sync services to alternate infrastructure
- redirect safe traffic to the alternative implementation)
- Actively monitor attack progression
- Collaboratively plan ongoing response with stakeholders
Staff training and threat awareness
NV Play operates a culture of privacy and security. All staff are inducted into this culture and undertake training as an essential preventive measure against unauthorized collection, access, use and disclosure of confidential information.