Legal DSPA
This Short-Form XaaS Data Privacy and Security Addendum ("Addendum") is incorporated into the Mutual Nondisclosure and Cloud Service Agreement between Nordstrom, Inc. ("Nordstrom") and Supplier named therein ("Supplier") (each individually a "Party" or collectively the "Parties") ("Agreement"). In the event of any conflict between the Agreement and the Addendum, the terms of this Addendum shall apply.
DEFINITIONS
"Data Protection Requirements" means all data protection and privacy laws, regulations, and guidance applicable to a Party's performance under the Agreement in relation to the Processing of Personal Information.
"Nordstrom Data" means any data or other information provided by Nordstrom, or a third party on behalf of Nordstrom, to Supplier in connection with the XaaS Services whether in printed, electronic, or other format. Nordstrom Data includes, without limitation, Nordstrom Confidential Information, all Personal Information and Cardholder Data (where applicable) Processed in connection with the XaaS Services.
"Personal Information" means any data relating to a directly or indirectly identified or identifiable individual, as may be further defined under Data Protection Requirements, which may include a term similar to Personal Information but which shall have the same general meaning (e.g., "personal data") and may include but not be limited to name, address, telephone number, email address, credit card number, medical records, driver's license, social security number, marital status, ethnicity, age, image, customer identification number, device identifier, IP address, location information, browsing behavior or information gathered from online data collection technologies (e.g., cookies, tags, or beacons).
"Process" means to perform any operation or set of operations upon Nordstrom Data, whether manually or by automated means, such as collection, recording, organization, structuring, storing, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, transfer, dissemination or otherwise making available, alignment or combination, restriction, blocking, erasure or destruction, or as may be more fully described in this Addendum, and shall be meant to include any similar term used in Data Protection Requirements.
"Security Incident" means any actual or reasonably suspected (i) accidental, unauthorized or unlawful destruction, loss or alteration of Nordstrom Data; (ii) unauthorized or unlawful acquisition, use or disclosure of, or access to Nordstrom Data; (iii) Processing of Nordstrom Data other than as authorized by Nordstrom; (iv) Processing of Nordstrom Data not in compliance with Data Protection Requirements; or (v) interference with system operations in an information system or unauthorized use of a system that Processes Nordstrom Data. Unless deemed otherwise by Data Protection Requirements, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers and that does not result in unauthorized access to any of Supplier's equipment, systems or facilities Processing Nordstrom Data will not be considered a Security Incident.
"Securely Dispose" means to ensure that all hard copy and electronic information (e.g., papers, files, and media) is rendered permanently and completely unreadable and indecipherable.
"Supplier Personnel" means any employee, independent contractor, contingent worker, agent, temporary worker, augmented staff members, or other individuals employed by Supplier.
"Supplier Resource(s)" means any third party supporting delivery of the Services on behalf of Supplier, including any affiliate, processor (as defined by Data Protection Requirements), or subcontractor that Processes Nordstrom Data.
Any capitalized term not otherwise defined herein shall have the meaning given to such term in the Agreement.
PRIVACY AND SECURITY REQUIREMENTS
- Ownership. Nordstrom shall be the exclusive owner and controller of all Nordstrom Data. Supplier will not claim ownership of any Nordstrom Data. Supplier understands and acknowledges that the requirements in the Agreement and this Addendum shall continue for so long as Supplier or a Supplier Resource retains Nordstrom Data.
- Processing by Supplier. Supplier shall Process Nordstrom Data in a manner that complies with the Agreement, this Addendum, and Data Protection Requirements. To the extent Supplier receives any customer or employee Personal Information from Nordstrom or directly from Nordstrom customers or employees, Supplier will Process Nordstrom Data: (i) solely as necessary to perform the Services; (ii) only in accordance with Nordstrom written instructions; and (iii) only as a supplier or service provider to Nordstrom. For clarity, Supplier understands and agrees that Supplier's access to and Processing of Personal Information under the Agreement will not result in any independent benefit to Nordstrom. Supplier will not: (i) Process Nordstrom Data (including but not limited to Personal Information or information aggregated or derived from Personal Information) for any other purposes, including for the benefit of Supplier or any third party; (ii) sell or share Personal Information, as defined under Data Protection Requirements, other than as permitted under this Addendum; (iii) retain, use or disclose Personal Information outside the direct business relationship of the Parties; or (iv) combine Personal Information Supplier receives from Nordstrom with personal information it receives from other sources unless permitted by applicable law, including Data Protection Requirements. Supplier certifies that it understands the foregoing restrictions and will comply with them. Supplier shall immediately inform Nordstrom if, in Supplier's reasonable opinion, Nordstrom issues an instruction that would be in breach of Data Protection Requirements. In such case, the Parties shall confer in good faith and discuss resolution.
- Supplier Resources. Supplier may utilize Supplier Resources as necessary to deliver the Services, provided that Supplier shall only utilize Supplier Resources that: (i) have a legitimate business need to Process Nordstrom Data in order for Supplier to deliver the Services; (ii) are properly screened for suitability and reliability, as permitted by applicable law and in accordance with Data Protection Requirements; (iii) are properly trained on their responsibilities associated with privacy, security and confidentiality; and (iv) are bound, in writing, to implement measures for Processing Nordstrom Data that are at least as protective as the terms of the Agreement, this Addendum and in accordance with Data Protection Requirements.
- Confidential Information. Nordstrom Data is Nordstrom's Confidential Information and is subject to the confidentiality obligations set forth in the Agreement, any nondisclosure agreement between the Parties, and this Addendum. Supplier understands and agrees that its confidentiality obligations associated with Nordstrom Data will not expire. Supplier also understands and acknowledges that Personal Information contained within Nordstrom Data shall not be subject to any exclusions under the confidentiality terms of the Agreement; for clarity, Personal Information contained within Nordstrom Data shall remain confidential regardless of whether that information is already known by Supplier or becomes/is publicly available. Nordstrom may disclose this Addendum and any relevant privacy and security provisions in the Agreement to any governmental authority or regulatory body as required and such disclosure shall not be deemed a breach of confidentiality. To the extent required by law, regulation, subpoena or court order, Supplier may disclose Nordstrom Data provided Supplier first provides advance notice to Nordstrom (where not prohibited by law) sufficient to enable Nordstrom to submit a protective order. Supplier shall provide Nordstrom reasonable cooperation in prohibiting or limiting the disclosure of Nordstrom Data through a protective order or similar mechanism.
- Supplier Cooperation. Supplier shall fully cooperate with Nordstrom to promptly and effectively: (i) provide access to, change, block, retain, delete, use, return, Securely Dispose of, mask, disclose, transfer and/or encrypt any Nordstrom Data Processed by Supplier or Supplier Resources as reasonably requested by Nordstrom; and (ii) respond to any enquiries, complaints and/or claims relating to the Processing of Nordstrom Data from any government official or authority (including any data protection or law enforcement agency), third parties or individuals. If Supplier receives a request from a third party (including an individual) to access, export, delete, correct, block and/or perform any other Processing of Personal Information, Supplier shall immediately notify Nordstrom.
- Data Protection and Security.
6.1. Privacy and Security Program. Supplier represents and warrants that it will implement, maintain, and periodically update as necessary, for the term of the Agreement and for as long as it Processes Nordstrom Data, a comprehensive and effective written privacy and information security program that complies with applicable law and industry best practices and protects against reasonably foreseeable forms of compromise (the "Security Program"). The Security Program shall apply to all locations, systems, devices, and equipment used by Supplier or Supplier Resources that Process Nordstrom Data ("Supplier Systems"). The Security Program shall include reasonable physical, administrative, and technical safeguards to ensure the ongoing security, integrity, confidentiality, and availability of Nordstrom Data, as well as the resiliency of systems or services Processing Nordstrom Data, as appropriate to the nature and scope of the Processing activities and Services ("Safeguards").
6.1.1. In the event Supplier is provided with access to any Nordstrom customer or employee Personal Information, Supplier acknowledges and agrees that it shall have implemented and shall maintain appropriate measures designed to, at a minimum: (1) protect the security and confidentiality of Nordstrom customer and employee information under its control; (2) protect against any anticipated threats or hazards to the security or integrity of such Nordstrom customer and employee information; (3) protect against unauthorized access to or use of such Nordstrom customer and employee information that could result in harm or inconvenience to Nordstrom or its customers and employees; (4) ensure the proper and secure disposal of Nordstrom customer and employee information, regardless of the form in which such Nordstrom customer and employee information may be found; and (5) detect, prevent, and mitigate the risk of a Security Breach (as defined below) to the extent required under laws or regulations applicable to Supplier as a vendor of Nordstrom in connection with the Services. Supplier will regularly assess, test, and monitor the effectiveness of Supplier's security measures and safeguards ("Safeguards") implemented relevant to the security and confidentiality of Nordstrom customer and employee information.
6.2. Security Incidents. Supplier shall notify Nordstrom, in writing at [email protected], upon discovery of any actual or reasonably suspected breach of security leading to the unauthorized access to, unauthorized disclosure or loss of, any Nordstrom Data under its (or its subcontractors') control ("Security Breach"). Following its discovery of a Security Breach, Supplier shall (i) provide Nordstrom with notification within seventy-two hours; (ii) use commercially reasonable efforts designed to halt (if ongoing) and remedy the cause of the Security Breach; (iii) take such actions as may be reasonably necessary to prevent the recurrence of a similar Security Breach; (iv) not contact individuals or Nordstrom vendors or partners regarding the Security Breach without Nordstrom's prior written consent, unless otherwise required by applicable law; and (v) cooperate in all commercially reasonable respects with Nordstrom to investigate the Security Breach. Notification to Nordstrom of a Security Breach shall, to the extent known, include estimates of the number of affected individuals/records in any Nordstrom customer and employee information associated with the Security Breach and include a summary of corrective action(s) taken by Supplier to remedy the cause of the Security Breach.
6.3. Third-Party Assessments. Without limiting Supplier's obligations under this section, Supplier shall obtain an annual audit or assessment by a qualified, independent third party that covers the Safeguards. Supplier will continue to maintain its Certification or SOC Report for the duration of the Agreement and shall provide Nordstrom with a copy of the most recent Certification or SOC Report as requested. Nordstrom shall be promptly notified of any material findings that the audit or assessment identifies. Supplier shall promptly correct all findings identified during the audit or assessment. Nordstrom shall also have the right, at its expense, to conduct (or have a third party conduct) an audit, assessment, examination or review of Supplier's Safeguards and its compliance with this section upon written request. Supplier shall fully cooperate with the request by providing access to knowledgeable personnel, Supplier Systems, documentation, and other reasonably requested information.
- Return and Destruction. Without limiting any other rights or obligations under this DPSA, at termination, expiration, or any time during the term of the Agreement, Supplier shall, at Nordstrom's request: (i) provide Nordstrom Data in a form and format mutually agreed by the Parties; and/or (ii) Securely Dispose of Nordstrom Data. Within 60 days of termination or expiration of this Agreement, Supplier shall, at Nordstrom's election, return or Securely Dispose of all Nordstrom Data that has been provided to or obtained by Supplier in a manner consistent with applicable law and certify upon completion that return or Secure Disposal has occurred. Before disposing of or relinquishing control of hard drives or other equipment used to process, store, or transmit Nordstrom Data, Supplier shall erase such hard drives and equipment in a manner that prevents recovery or restoration of Nordstrom Data.
Supplier shall remain fully obligated to comply with the terms of this DPSA until such time as all Nordstrom Data has been Securely Disposed. If requested by Nordstrom, Supplier shall certify in writing that it has met its obligations under this section. Notwithstanding the foregoing, as requested by Nordstrom, Supplier will immediately suspend any deletion, destruction, or data alteration practices, or take other reasonably requested actions such as copying or imaging appropriate storage devices and maintaining activity logs for an extended period of time to ensure preservation of data for forensic investigation or related legal purposes.
- Nordstrom Network Access Terms. Where Supplier has access to Nordstrom's computer network, including any internet access (wired or wireless) provided by Nordstrom (the "Network"), Supplier will: (i) only access the Network to provide the Services to Nordstrom; (ii) follow Nordstrom expectations with regard to such use; and (iii) ensure that access by Supplier Personnel and Supplier Resources will be periodically reviewed and limited to those with a legitimate need to access the Network in order to provide the Services. To the extent Supplier accesses the internet (wired or wireless) to deliver the Services, Supplier understands and acknowledges that Nordstrom shall not be responsible for ensuring the security of such access or for damage to any Supplier-issued equipment resulting from such access. Supplier agrees to keep access credentials to the Network and Nordstrom Data confidential and secure and assumes all responsibility for activity associated with credentialed accounts. Supplier will immediately notify Nordstrom in the event of an actual or reasonably suspected loss, disclosure, or unauthorized access of or to Supplier's credentials by emailing [email protected]. Supplier will not knowingly introduce any malware or other code designed to disrupt, disable, erase, alter, harm, or otherwise impair Nordstrom Data or the Network. Supplier's access to the Network is "as is," and Nordstrom does not warrant that access to the Network will occur without problems or interruption or that the Network is error-free. Access to the Network may be suspended or discontinued by Nordstrom at any time and for any reason, including as a result of breach or suspected breach of this Addendum.
- Indemnification; Liability. Supplier will defend, indemnify, and hold harmless Nordstrom and its officers, directors, employees, agents, successors, and permitted assigns from and against any and all third-party claims, causes of action, demands, lawsuits, proceedings, losses, damages, costs (including reasonable attorney and professional fees), and liabilities of any kind (including fines, penalties, judgments, and orders issued by government, regulatory, or judicial bodies) arising out of or related to: (i) breach of Data Protection Requirements; (ii) a Security Incident caused by an act or omission of Supplier or Supplier Resource; or (iii) any representation, warranty, or obligation under this Addendum by Supplier or Supplier Resource. Supplier will not enter into any settlements which: (a) adversely affect the rights of Nordstrom; or (b) impose liabilities or obligations on Nordstrom which will not be satisfied by Supplier's payment or performance upon entry of such settlement. Any limitation of liability and/or waiver of damages set forth in the Agreement, Schedule or other ordering document will not apply to Supplier's obligations under this Addendum.
- Termination. Nordstrom may terminate the Agreement immediately and without penalty upon written notice to Supplier, if it determines that Supplier is in breach of this Addendum.
- Complete Understanding; Order of Precedence. This Addendum contains the entire understanding of Nordstrom and Supplier with respect to the matters covered, and no other previous or subsequent agreement, statement or promise made by either party that is not contained in the terms of this Addendum shall be binding or valid, unless specifically incorporated by reference in or attachment to this Addendum. This Addendum may be amended only in writing and signed by both Parties to the Agreement.
By signing the Agreement, the Parties acknowledge and agree to be bound by the terms and conditions contained in this Addendum, as of the effective date of the Agreement.
Short-Form XaaS Evaluation Data Privacy and Security Addendum (DPSA)_4June2024