Data Processing Agreement - NagaOpportunity

Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") forms part of the Terms of Service between NagaOpportunity ("Provider") and the user ("Customer") and applies where Provider processes Personal Data on behalf of the Customer in the course of providing the Services.

Definitions

"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation or set of operations which is performed on Personal Data.
"Data Protection Laws" means all applicable laws relating to data protection and privacy, including (where applicable) the General Data Protection Regulation (EU) 2016/679 ("GDPR").
"Data Controller," "Data Processor," "Data Subject," have the meanings set out in the applicable Data Protection Laws.

Roles and Responsibilities

The Customer acts as the Data Controller for the Personal Data processed in connection with the Services. The Provider acts as the Data Processor on behalf of the Customer.

Provider shall process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Provider is subject.

Security Measures

Provider shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

Sub-processors

Provider may engage third-party sub-processors in connection with the provision of the Services. Provider shall ensure that any sub-processor is subject to data protection obligations compatible with those set out in this DPA.

Data Subject Rights

Provider shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject to exercise the Data Subject's right of access, rectification, erasure, restriction of processing, data portability, or object to processing ("Data Subject Request"). Taking into account the nature of the processing, Provider shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to a Data Subject Request under Data Protection Laws.