Dramatic mountain landscape

    Data Processing Addendum

    Nasdaq Fund Secondaries Services Appendices

    13 September 2022

    Return to Data Processing Addendum

    APPENDIX 1: Processing Details

    1. LIST OF PARTIES

    DATA EXPORTER(S)
     

    Name Customer and its Affiliates
    Address The address for Customer as set forth in the Agreement
    Contact person’s name, position and contact details The contact details for Customer as set forth in the Agreement
    Activities relevant to the data transferred under the Standard Contractual Clauses Receipt of the Services
    Signature and date Customer’s signature and date on the Agreement
    Role (controller/processor) Data Controller


    DATA IMPORTER(S)
     

    Name Nasdaq and its Affiliates
    Address The address for Nasdaq as set forth in the Agreement
    Contact person’s name, position and contact details

    By e-mail: privacy@nasdaq.com

    By postal mail at:

    Office of General Counsel – Privacy Team,

    Nasdaq, Inc.,
    805 King Farm Blvd,
    First Floor,
    Rockville, MD 20850

    Office of General Counsel – Stockholm Office,

    Tullvaktsvägen 15,
    10578 Stockholm,
    Sweden
    Activities relevant to the data transferred under the Standard Contractual Clauses Performance of the Services
    Signature and date Nasdaq’s signature and date on the Agreement
    Role (controller/processor) Data Processor


    2. DESCRIPTION OF THE TRANSFER

    2.1  Categories of data subjects whose personal data is transferred

    Customer may submit Customer Personal Data to the Services (as determined and controlled by the Customer in its sole discretion subject to any constraints set forth in the Agreement), which may relate to the following categories of Data Subjects:

    • Employees, agents, advisors, contractors, equityholders, investors and customers of Customer (in each case, who are natural persons)
    • Individuals or their representatives participating in transactions that form part of the services
    • Users authorized by Customer to access and use the Services
    • Any other category of Data Subjects whose Personal Data is contained or embedded within the data, information, and materials Customer submits to the Services or has Nasdaq (or another third party) submit into the Services on its behalf

    2.2  Categories of personal data transferred

    Customer may submit Customer Personal Data to the Services (as determined and controlled by the Customer in its sole discretion subject to any constraints set forth in the Agreement), which may relate to the following categories of Personal Data:

    • First and last name, title, position, employment-related and professional information
    • Contact information (company, email, phone, physical address)
    • Transaction activity, account numbers, financial holdings

    Any other category of Personal Data contained within the data, information, and materials Customer submits to the Services or has Nasdaq (or another third party) submit into the Services on its behalf

    2.3  Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

    • In the general course of using the Services, Nasdaq does not anticipate that Customer will provide any Special Data Categories to Nasdaq. However, subject to Section 2.9 of the DPA, Customer may submit Special Data Categories to the Services (as determined and controlled by Customer in its sole discretion).

    2.4  The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

    • Nasdaq transfers Customer Personal Data in accordance with Customer’s instructions as set forth Section 2.5 and Section 2.6 of the DPA. The frequency of such transfers is determined and controlled by Customer in its sole discretion.

    2.5  Nature of the processing

    • The Processing of Customer Personal Data in order to provide the Services to Customer.

    2.6  Purpose(s) of the data transfer and further processing

    • Nasdaq Processes Customer Personal Data, including any necessary Restricted Transfers, for the purpose of providing the Services.

    2.7  The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

    • Nasdaq will retain Customer Personal Data for the duration agreed upon by the Parties in the Agreement.

    2.8  For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

    • The subject matter and nature of any Processing conducted by a Sub-Processor shall be as set forth in Appendix 3 (Sub-Processors) to the DPA. The duration of any Processing conducted by a Sub-Processor shall be as set forth in Section 2.7 of this Appendix 1 (Processing Details).
       

    3. COMPETENT SUPERVISORY AUTHORITY

    3.1 Identify the competent supervisory authority/ies in accordance with Clause 13

    For Clause 13 (Supervision), the Supervisory Authority with responsibility for ensuring compliance by the data exporter with the GDPR with regard to Restricted Transfers, namely, the lead Supervisory Authority of the data exporter, shall act as the competent Supervisory Authority.

     

    APPENDIX 2: Information Security Program

    Taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons. Nasdaq has implemented, and will maintain, a comprehensive written information security program ("Information Security Program") with respect to the Customer Personal Data transferred to or received by Nasdaq in performance of the Services that includes administrative, technical, and physical safeguards to ensure the confidentiality, security, integrity, and availability of Customer Personal Data and to protect against unauthorized access, use, disclosure, alteration or destruction of Customer Personal Data.

    In particular, the Information Security Program will include the following safeguards where appropriate or necessary to ensure the protection of Customer Personal Data:

    Measures of pseudonymisation and encryption of personal data

    • Access Controls – policies, procedures, and physical and technical controls to encrypt and decrypt Customer Personal Data where appropriate.

    Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

    • Information Security Program – a comprehensive written information security program that includes administrative, technical, and physical safeguards to ensure the confidentiality, security, integrity, and availability of Customer Personal Data and to protect against unauthorized access, use, disclosure, alteration or destruction of Customer Personal Data.
    • Contingency Planning – policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Customer Personal Data or systems that contain Customer Personal Data, including a data backup plan and a disaster recovery plan.

    Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

    • Security Incident Procedures – policies and procedures to detect, respond to, and otherwise address security incidents, including procedures to monitor systems and to detect actual and attempted attacks on or intrusions into Customer Personal Data or information systems relating thereto, and procedures to identify and respond to suspected or known security incidents, mitigate harmful effects of security incidents, and document security incidents and their outcomes.
    • Contingency Planning – policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Customer Personal Data or systems that contain Customer Personal Data, including a data backup plan and a disaster recovery plan.

    Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

    • Testing – The data importer will regularly test the key controls, systems and procedures of its Information Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

    Measures for user identification and authorization

    • Access Controls – policies, procedures, and physical and technical controls: (i) to limit physical access to its information systems and the facility or facilities in which they are housed to properly authorized persons; (ii) to ensure that all members of its workforce who require access to Customer Personal Data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access; and (iii) to authenticate and permit access only to authorized individuals and to prevent members of its workforce from providing Customer Personal Data or information relating thereto to unauthorized individuals.
    • Data Integrity – policies and procedures to ensure the confidentiality, integrity, and availability of Customer Personal Data and protect it from disclosure, improper alteration, or destruction.

    Measures for the protection of data during transmission

    • Storage and Transmission Security – technical security measures to guard against unauthorized access to Customer Personal Data that is being transmitted over an electronic communications network, including a mechanism to encrypt Customer Personal Data in electronic form while in transit and in storage on networks or systems to which unauthorized individuals may have access.

    Measures for the protection of data during storage

    • Storage Media – policies and procedures to ensure that prior to any storage media containing Customer Personal Data being assigned, allocated or reallocated to another user, or prior to such storage media being permanently removed from a facility, the data importer will delete such Customer Personal Data from both a physical and logical perspective, such that the media contains no residual data, or if necessary physically destroy such storage media. The data importer will maintain an auditable program implementing the disposal and destruction requirements set forth in this section for all storage media containing Customer Personal Data.

    Measures for ensuring physical security of locations at which personal data are processed

    • Information Security Program – a comprehensive written information security program that includes administrative, technical, and physical safeguards to ensure the confidentiality, security, integrity, and availability of Customer Personal Data and to protect against unauthorized access, use, disclosure, alteration or destruction of Customer Personal Data

    Measures for ensuring events logging

    • Audit Controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.

    Measures for ensuring system configuration, including default configuration

    • Audit Controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.

    Measures for internal IT and IT security governance and management

    • Assigned Security Responsibility – The data importer will designate a security official responsible for the development, implementation, and maintenance of its Information Security Program. The data importer will inform the data exporter as to the person responsible for security.
    • Adjust the Program – The data importer will monitor, evaluate, and adjust, as appropriate, the Information Security Program in light of any relevant changes in technology or industry security standards, the sensitivity of the Customer Personal Data, internal or external threats to the data importer or the Customer Personal Data, and the data importer's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems. In light of the foregoing, the Information Security Program is subject to change; provided, however, that any such update will not lessen the applicable information security protections.

    Measures for certification/assurance of processes and products

    • Testing – The data importer will regularly test the key controls, systems and procedures of its Information Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.
    • Adjust the Program – The data importer will monitor, evaluate, and adjust, as appropriate, the Information Security Program in light of any relevant changes in technology or industry security standards, the sensitivity of the Customer Personal Data, internal or external threats to the data importer or the Customer Personal Data, and the data importer's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems. In light of the foregoing, the Information Security Program is subject to change; provided, however, that any such update will not lessen the applicable information security protections.

    Measures for ensuring data quality

    • Data Integrity – policies and procedures to ensure the confidentiality, integrity, and availability of Customer Personal Data and protect it from disclosure, improper alteration, or destruction.

    Measures for ensuring limited data retention

    • Device and Media Controls – policies and procedures on hardware and electronic media that contain Customer Personal Data into and out of a data importer facility, and the movement of these items within a data importer facility, including policies and procedures to address the final disposition of Customer Personal Data, and/or the hardware or electronic media on which it is stored, and procedures for removal of Customer Personal Data from electronic media before the media are made available for re-use.
    • Storage Media – policies and procedures to ensure that prior to any storage media containing Customer Personal Data being assigned, allocated or reallocated to another user, or prior to such storage media being permanently removed from a facility, the data importer will delete such Customer Personal Data from both a physical and logical perspective, such that the media contains no residual data, or if necessary physically destroy such storage media. The data importer will maintain an auditable program implementing the disposal and destruction requirements set forth in this section for all storage media containing Customer Personal Data.

    Measures for ensuring accountability

    • Security Awareness and Training – a security awareness and training program for all members of the data importer's workforce (including management), which includes training on how to implement and comply with its Information Security Program.
    • Audit Controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.

    Measures for allowing data portability and ensuring erasure

    • Device and Media Controls – policies and procedures on hardware and electronic media that contain Customer Personal Data into and out of a data importer facility, and the movement of these items within a data importer facility, including policies and procedures to address the final disposition of Customer Personal Data, and/or the hardware or electronic media on which it is stored, and procedures for removal of Customer Personal Data from electronic media before the media are made available for re-use.

    For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

    • Nasdaq shall ensure Sub-Processors provide technical and organizational measures no less protective than those set forth in the DPA, including this Appendix 2 (Information Security Program).

     

    APPENDIX 3: Sub-Processors

     

    THIRD-PARTY SUB-PROCESSORS

    Name Amazon Web Services, Inc.
    Address 410 Terry Avenue North

    Seattle, Washington 98109

    United States of America
    Contact Details https://aws.amazon.com/compliance/data-privacy/
    Subprocessing Activities Hosting Services
    Subprocessing Location(s) United States of America

     

    Name Docusign, Inc.
    Address 221 Main Street, Suite 1000
    San Francisco, CA 94105
    United States of America
    Contact Details https://www.docusign.com/company/privacy-policy
    Subprocessing Activities Electronic Signature and Related Services
    Subprocessing Location(s) United States of America


    NASDAQ AFFILIATE SUB-PROCESSORS

    Contact Details
    By e-mail: privacy@nasdaq.com

    By postal mail at:

    Office of General Counsel – Privacy Team
    Nasdaq, Inc.
    805 King Farm Blvd
    First Floor
    Rockville, MD 20850

    Office of General Counsel – Stockholm Office
    Tullvaktsvägen 15,
    10578 Stockholm Sweden

     

    Name Registered Address Subprocessing Location(s)
    eVestment, Inc. The Corporation Trust Company: 1209 Orange Street, Wilmington, County of New Castle, Delaware, 19801 United States of America
    eVestment Alliance Holdings, Inc. The Corporation Trust Company: 1209 Orange Street, Wilmington, County of New Castle, Delaware, 19801 United States of America
    eVestment Alliance Holdings, LLC 100 Glenridge Point Parkway, Suite 100, Atlanta, GA, 30342 United States of America
    eVestment Alliance, LLC 100 Glenridge Point Parkway, Suite 100, Atlanta, GA, 30342 United States of America
    Nasdaq Fund Secondaries, LLC The Corporation Trust Company: 1209 Orange Street, Wilmington, County of New Castle, Delaware, 19801 United States of America
    NFSTX, LLC The Corporation Trust Company: 1209 Orange Street, Wilmington, County of New Castle, Delaware, 19801 United States of America
    Nasdaq International, Ltd. 22 Bishopsgate, London, UK, EC2N 4AJ United Kingdom
    Nasdaq, Inc. 151 W 42nd Street, 27th Floor New York, NY 10036 United States of America
    Nasdaq Vilnius Services UAB Lvovo 25, 10th Floor, Vilnius, LT-08501, Lithuania Lithuania
    Nasdaq Canada, Inc 1155 boul. Rene-Levesque Ouest, Bureau 4000, Montreal, PQ, H3B 3V2 Canada Canada
    Nasdaq Technology AB Tullvaktsvägen 15, Stockholm, SE 105 78, Sweden Sweden

     

    APPENDIX 4: UK International Data Transfer Addendum

    Any capitalized term used herein and not specifically defined in the Agreement shall be deemed to have the meaning given to it in the UK International Data Transfer Addendum.

    Table 1: Parties
     

    Start date As set out on first page of the DPA Nasdaq and its Affiliates

    The Parties’ details

    A. Full legal name 
    B. Trading name (if different)
    C. Main address 
    D. Official registration number 

    		 A. As set out in the Agreement.
    B. N/A
    C. As set out in the Agreement.
    D. To the extent applicable, as set out in the Agreement.
         		 A. As set out in the Agreement.
    B. N/A
    C. As set out in the Agreement.
    D. To the extent applicable, as set out in the Agreement.
     
    The Parties As set out in the Agreement and/or relevant applicable ordering documents, including service orders, order forms, statements of work. As set out in the Agreement and/or relevant applicable ordering documents, including service orders, order forms, statements of work.
    Signature  The parties agree that the Signature to the Agreement to which the DPA and this Appendix is attached/linked shall serve as the signature for this UK International Data Transfer Addendum. The parties agree that the Signature to the Agreement to which the DPA and this Appendix is attached/linked shall serve as the signature for this UK International Data Transfer Addendum

     

    Table 2: Selected SCCs, Modules and Selected Clauses

    The version of the Approved EU SCCs which this UK International Data Transfer Addendum is appended to, detailed below, including this appendix information are the Commission Implementing Decision (EU) 2021/914 establishing for data transfers to Third Countries (as amended, modified, or replaced from time to time); specifically, the applicable module within the Standard Contractual Clauses is MODULE TWO (Transfer Controller to Processor). For the avoidance of doubt, MODULE ONE (Transfer Controller to Controller), MODULE THREE (Transfer Processor to Processor), and MODULE FOUR (Transfer Processor to Controller) do not apply to this DPA. 

    The clauses options are set out in Section 11.1 of the DPA.

    TABLE 3: Appendix Information
     

    Annex 1A
    List of Parties    		 See appendix 1 to the DPA

    Annex 1B
    Description of Transfer

    		 See appendix 1 to the DPA
    Annex II
    Technical and organizational measures    		 See appendix 2 to the DPA
    Annex III
    List of Sub processors    		 See appendix 3 to the DPA


    TABLE 4: Ending this Addendum when the Approved Addendum Changes

    Neither party shall have the right to end this UK International Data Transfer Addendum if the approved addendum changes. In the event any such change occurs, the parties shall work together to agree any relevant updates.


    PART 2

    Mandatory Clauses

    Mandatory Clauses of the approved addendum, being the template addendum B.1.0 issued by the UK Information Commissioner’s Office (ICO) and laid before the UK Parliament in accordance with s119A of UK GDPR on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses is hereby incorporated by reference into this International Data Transfer Addendum.

    APPENDIX 1: Processing Details

    1. LIST OF PARTIES

    DATA EXPORTER(S)
     

    Name Customer and its Affiliates
    Address The address for Customer as set forth in the Agreement
    Contact person’s name, position and contact details The contact details for Customer as set forth in the Agreement
    Activities relevant to the data transferred under the Standard Contractual Clauses Receipt of the Services
    Signature and date Customer’s signature and date on the Agreement
    Role (controller/processor) Data Controller


    DATA IMPORTER(S)
     

    Name Nasdaq and its Affiliates
    Address The address for Nasdaq as set forth in the Agreement
    Contact person’s name, position and contact details

    By e-mail: privacy@nasdaq.com

    By postal mail at:

    Office of General Counsel – Privacy Team,

    Nasdaq, Inc.,
    805 King Farm Blvd,
    First Floor,
    Rockville, MD 20850

    Office of General Counsel – Stockholm Office,

    Tullvaktsvägen 15,
    10578 Stockholm,
    Sweden
    Activities relevant to the data transferred under the Standard Contractual Clauses Performance of the Services
    Signature and date Nasdaq’s signature and date on the Agreement
    Role (controller/processor) Data Processor


    2. DESCRIPTION OF THE TRANSFER

    2.1  Categories of data subjects whose personal data is transferred

    Customer may submit Customer Personal Data to the Services (as determined and controlled by the Customer in its sole discretion subject to any constraints set forth in the Agreement), which may relate to the following categories of Data Subjects:

    • Employees, agents, advisors, contractors, equityholders, investors and customers of Customer (in each case, who are natural persons)
    • Individuals or their representatives participating in transactions that form part of the services
    • Users authorized by Customer to access and use the Services
    • Any other category of Data Subjects whose Personal Data is contained or embedded within the data, information, and materials Customer submits to the Services or has Nasdaq (or another third party) submit into the Services on its behalf

    2.2  Categories of personal data transferred

    Customer may submit Customer Personal Data to the Services (as determined and controlled by the Customer in its sole discretion subject to any constraints set forth in the Agreement), which may relate to the following categories of Personal Data:

    • First and last name, title, position, employment-related and professional information
    • Contact information (company, email, phone, physical address)
    • Transaction activity, account numbers, financial holdings

    Any other category of Personal Data contained within the data, information, and materials Customer submits to the Services or has Nasdaq (or another third party) submit into the Services on its behalf

    2.3  Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

    • In the general course of using the Services, Nasdaq does not anticipate that Customer will provide any Special Data Categories to Nasdaq. However, subject to Section 2.9 of the DPA, Customer may submit Special Data Categories to the Services (as determined and controlled by Customer in its sole discretion).

    2.4  The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

    • Nasdaq transfers Customer Personal Data in accordance with Customer’s instructions as set forth Section 2.5 and Section 2.6 of the DPA. The frequency of such transfers is determined and controlled by Customer in its sole discretion.

    2.5  Nature of the processing

    • The Processing of Customer Personal Data in order to provide the Services to Customer.

    2.6  Purpose(s) of the data transfer and further processing

    • Nasdaq Processes Customer Personal Data, including any necessary Restricted Transfers, for the purpose of providing the Services.

    2.7  The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

    • Nasdaq will retain Customer Personal Data for the duration agreed upon by the Parties in the Agreement.

    2.8  For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

    • The subject matter and nature of any Processing conducted by a Sub-Processor shall be as set forth in Appendix 3 (Sub-Processors) to the DPA. The duration of any Processing conducted by a Sub-Processor shall be as set forth in Section 2.7 of this Appendix 1 (Processing Details).
       

    3. COMPETENT SUPERVISORY AUTHORITY

    3.1 Identify the competent supervisory authority/ies in accordance with Clause 13

    For Clause 13 (Supervision), the Supervisory Authority with responsibility for ensuring compliance by the data exporter with the GDPR with regard to Restricted Transfers, namely, the lead Supervisory Authority of the data exporter, shall act as the competent Supervisory Authority.

     

    APPENDIX 2: Information Security Program

    Taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons. Nasdaq has implemented, and will maintain, a comprehensive written information security program ("Information Security Program") with respect to the Customer Personal Data transferred to or received by Nasdaq in performance of the Services that includes administrative, technical, and physical safeguards to ensure the confidentiality, security, integrity, and availability of Customer Personal Data and to protect against unauthorized access, use, disclosure, alteration or destruction of Customer Personal Data.

    In particular, the Information Security Program will include the following safeguards where appropriate or necessary to ensure the protection of Customer Personal Data:

    Measures of pseudonymisation and encryption of personal data

    • Access Controls – policies, procedures, and physical and technical controls to encrypt and decrypt Customer Personal Data where appropriate.

    Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

    • Information Security Program – a comprehensive written information security program that includes administrative, technical, and physical safeguards to ensure the confidentiality, security, integrity, and availability of Customer Personal Data and to protect against unauthorized access, use, disclosure, alteration or destruction of Customer Personal Data.
    • Contingency Planning – policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Customer Personal Data or systems that contain Customer Personal Data, including a data backup plan and a disaster recovery plan.

    Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

    • Security Incident Procedures – policies and procedures to detect, respond to, and otherwise address security incidents, including procedures to monitor systems and to detect actual and attempted attacks on or intrusions into Customer Personal Data or information systems relating thereto, and procedures to identify and respond to suspected or known security incidents, mitigate harmful effects of security incidents, and document security incidents and their outcomes.
    • Contingency Planning – policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Customer Personal Data or systems that contain Customer Personal Data, including a data backup plan and a disaster recovery plan.

    Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

    • Testing – The data importer will regularly test the key controls, systems and procedures of its Information Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

    Measures for user identification and authorization

    • Access Controls – policies, procedures, and physical and technical controls: (i) to limit physical access to its information systems and the facility or facilities in which they are housed to properly authorized persons; (ii) to ensure that all members of its workforce who require access to Customer Personal Data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access; and (iii) to authenticate and permit access only to authorized individuals and to prevent members of its workforce from providing Customer Personal Data or information relating thereto to unauthorized individuals.
    • Data Integrity – policies and procedures to ensure the confidentiality, integrity, and availability of Customer Personal Data and protect it from disclosure, improper alteration, or destruction.

    Measures for the protection of data during transmission

    • Storage and Transmission Security – technical security measures to guard against unauthorized access to Customer Personal Data that is being transmitted over an electronic communications network, including a mechanism to encrypt Customer Personal Data in electronic form while in transit and in storage on networks or systems to which unauthorized individuals may have access.

    Measures for the protection of data during storage

    • Storage Media – policies and procedures to ensure that prior to any storage media containing Customer Personal Data being assigned, allocated or reallocated to another user, or prior to such storage media being permanently removed from a facility, the data importer will delete such Customer Personal Data from both a physical and logical perspective, such that the media contains no residual data, or if necessary physically destroy such storage media. The data importer will maintain an auditable program implementing the disposal and destruction requirements set forth in this section for all storage media containing Customer Personal Data.

    Measures for ensuring physical security of locations at which personal data are processed

    • Information Security Program – a comprehensive written information security program that includes administrative, technical, and physical safeguards to ensure the confidentiality, security, integrity, and availability of Customer Personal Data and to protect against unauthorized access, use, disclosure, alteration or destruction of Customer Personal Data

    Measures for ensuring events logging

    • Audit Controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.

    Measures for ensuring system configuration, including default configuration

    • Audit Controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.

    Measures for internal IT and IT security governance and management

    • Assigned Security Responsibility – The data importer will designate a security official responsible for the development, implementation, and maintenance of its Information Security Program. The data importer will inform the data exporter as to the person responsible for security.
    • Adjust the Program – The data importer will monitor, evaluate, and adjust, as appropriate, the Information Security Program in light of any relevant changes in technology or industry security standards, the sensitivity of the Customer Personal Data, internal or external threats to the data importer or the Customer Personal Data, and the data importer's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems. In light of the foregoing, the Information Security Program is subject to change; provided, however, that any such update will not lessen the applicable information security protections.

    Measures for certification/assurance of processes and products

    • Testing – The data importer will regularly test the key controls, systems and procedures of its Information Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.
    • Adjust the Program – The data importer will monitor, evaluate, and adjust, as appropriate, the Information Security Program in light of any relevant changes in technology or industry security standards, the sensitivity of the Customer Personal Data, internal or external threats to the data importer or the Customer Personal Data, and the data importer's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems. In light of the foregoing, the Information Security Program is subject to change; provided, however, that any such update will not lessen the applicable information security protections.

    Measures for ensuring data quality

    • Data Integrity – policies and procedures to ensure the confidentiality, integrity, and availability of Customer Personal Data and protect it from disclosure, improper alteration, or destruction.

    Measures for ensuring limited data retention

    • Device and Media Controls – policies and procedures on hardware and electronic media that contain Customer Personal Data into and out of a data importer facility, and the movement of these items within a data importer facility, including policies and procedures to address the final disposition of Customer Personal Data, and/or the hardware or electronic media on which it is stored, and procedures for removal of Customer Personal Data from electronic media before the media are made available for re-use.
    • Storage Media – policies and procedures to ensure that prior to any storage media containing Customer Personal Data being assigned, allocated or reallocated to another user, or prior to such storage media being permanently removed from a facility, the data importer will delete such Customer Personal Data from both a physical and logical perspective, such that the media contains no residual data, or if necessary physically destroy such storage media. The data importer will maintain an auditable program implementing the disposal and destruction requirements set forth in this section for all storage media containing Customer Personal Data.

    Measures for ensuring accountability

    • Security Awareness and Training – a security awareness and training program for all members of the data importer's workforce (including management), which includes training on how to implement and comply with its Information Security Program.
    • Audit Controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.

    Measures for allowing data portability and ensuring erasure

    • Device and Media Controls – policies and procedures on hardware and electronic media that contain Customer Personal Data into and out of a data importer facility, and the movement of these items within a data importer facility, including policies and procedures to address the final disposition of Customer Personal Data, and/or the hardware or electronic media on which it is stored, and procedures for removal of Customer Personal Data from electronic media before the media are made available for re-use.

    For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

    • Nasdaq shall ensure Sub-Processors provide technical and organizational measures no less protective than those set forth in the DPA, including this Appendix 2 (Information Security Program).

     

    APPENDIX 3: Sub-Processors

     

    THIRD-PARTY SUB-PROCESSORS

    Name Amazon Web Services, Inc.
    Address 410 Terry Avenue North

    Seattle, Washington 98109

    United States of America
    Contact Details https://aws.amazon.com/compliance/data-privacy/
    Subprocessing Activities Hosting Services
    Subprocessing Location(s) United States of America

     

    Name Docusign, Inc.
    Address 221 Main Street, Suite 1000
    San Francisco, CA 94105
    United States of America
    Contact Details https://www.docusign.com/company/privacy-policy
    Subprocessing Activities Electronic Signature and Related Services
    Subprocessing Location(s) United States of America


    NASDAQ AFFILIATE SUB-PROCESSORS

    Contact Details
    By e-mail: privacy@nasdaq.com

    By postal mail at:

    Office of General Counsel – Privacy Team
    Nasdaq, Inc.
    805 King Farm Blvd
    First Floor
    Rockville, MD 20850

    Office of General Counsel – Stockholm Office
    Tullvaktsvägen 15,
    10578 Stockholm Sweden

     

    Name Registered Address Subprocessing Location(s)
    eVestment, Inc. The Corporation Trust Company: 1209 Orange Street, Wilmington, County of New Castle, Delaware, 19801 United States of America
    eVestment Alliance Holdings, Inc. The Corporation Trust Company: 1209 Orange Street, Wilmington, County of New Castle, Delaware, 19801 United States of America
    eVestment Alliance Holdings, LLC 100 Glenridge Point Parkway, Suite 100, Atlanta, GA, 30342 United States of America
    eVestment Alliance, LLC 100 Glenridge Point Parkway, Suite 100, Atlanta, GA, 30342 United States of America
    Nasdaq Fund Secondaries, LLC The Corporation Trust Company: 1209 Orange Street, Wilmington, County of New Castle, Delaware, 19801 United States of America
    NFSTX, LLC The Corporation Trust Company: 1209 Orange Street, Wilmington, County of New Castle, Delaware, 19801 United States of America
    Nasdaq International, Ltd. 22 Bishopsgate, London, UK, EC2N 4AJ United Kingdom
    Nasdaq, Inc. 151 W 42nd Street, 27th Floor New York, NY 10036 United States of America
    Nasdaq Vilnius Services UAB Lvovo 25, 10th Floor, Vilnius, LT-08501, Lithuania Lithuania
    Nasdaq Canada, Inc 1155 boul. Rene-Levesque Ouest, Bureau 4000, Montreal, PQ, H3B 3V2 Canada Canada
    Nasdaq Technology AB Tullvaktsvägen 15, Stockholm, SE 105 78, Sweden Sweden

     

    APPENDIX 4: UK International Data Transfer Addendum

    Any capitalized term used herein and not specifically defined in the Agreement shall be deemed to have the meaning given to it in the UK International Data Transfer Addendum.

    Table 1: Parties
     

    Start date As set out on first page of the DPA Nasdaq and its Affiliates

    The Parties’ details

    A. Full legal name 
    B. Trading name (if different)
    C. Main address 
    D. Official registration number 

    		 A. As set out in the Agreement.
    B. N/A
    C. As set out in the Agreement.
    D. To the extent applicable, as set out in the Agreement.
         		 A. As set out in the Agreement.
    B. N/A
    C. As set out in the Agreement.
    D. To the extent applicable, as set out in the Agreement.
     
    The Parties As set out in the Agreement and/or relevant applicable ordering documents, including service orders, order forms, statements of work. As set out in the Agreement and/or relevant applicable ordering documents, including service orders, order forms, statements of work.
    Signature  The parties agree that the Signature to the Agreement to which the DPA and this Appendix is attached/linked shall serve as the signature for this UK International Data Transfer Addendum. The parties agree that the Signature to the Agreement to which the DPA and this Appendix is attached/linked shall serve as the signature for this UK International Data Transfer Addendum

     

    Table 2: Selected SCCs, Modules and Selected Clauses

    The version of the Approved EU SCCs which this UK International Data Transfer Addendum is appended to, detailed below, including this appendix information are the Commission Implementing Decision (EU) 2021/914 establishing for data transfers to Third Countries (as amended, modified, or replaced from time to time); specifically, the applicable module within the Standard Contractual Clauses is MODULE TWO (Transfer Controller to Processor). For the avoidance of doubt, MODULE ONE (Transfer Controller to Controller), MODULE THREE (Transfer Processor to Processor), and MODULE FOUR (Transfer Processor to Controller) do not apply to this DPA. 

    The clauses options are set out in Section 11.1 of the DPA.

    TABLE 3: Appendix Information
     

    Annex 1A
    List of Parties    		 See appendix 1 to the DPA

    Annex 1B
    Description of Transfer

    		 See appendix 1 to the DPA
    Annex II
    Technical and organizational measures    		 See appendix 2 to the DPA
    Annex III
    List of Sub processors    		 See appendix 3 to the DPA


    TABLE 4: Ending this Addendum when the Approved Addendum Changes

    Neither party shall have the right to end this UK International Data Transfer Addendum if the approved addendum changes. In the event any such change occurs, the parties shall work together to agree any relevant updates.


    PART 2

    Mandatory Clauses

    Mandatory Clauses of the approved addendum, being the template addendum B.1.0 issued by the UK Information Commissioner’s Office (ICO) and laid before the UK Parliament in accordance with s119A of UK GDPR on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses is hereby incorporated by reference into this International Data Transfer Addendum.