8409 - Contract Executed
Docusign Transmittal Coversheet
File Name
Purchasing Contact
Contract Expiration
DocuSign Envelope ID: 31D0252D-E512-41FE-BF6C-641A39BADD96
8409- Novelist Plus and Select
Kayla Clark
12/31/2026
Page | 1 License for NoveList Select
www.ebsco.com
EBSCO LICENSE AGREEMENT
NoveList Select
By making the service available to Authorized Users, and others who access the Licensee’s digital services, the
Authorized Users and the Licensee agree to comply with the following terms and conditions (the “Agreement”).
For purposes of this Agreement, “EBSCO” is EBSCO Publishing, Inc.; the “Licensee” is the entity or institution that
makes available databases and services offered by EBSCO; the “Sites” are the websites, applications, or digital
tools offered or operated by Licensee from which Authorized Users can obtain access to EBSCO’s Databases and
Services; and the “Authorized User(s)” are employees, students, registered patrons, walk-in patrons, or other
persons affiliated with Licensee or otherwise permitted to use Licensee’s facilities and authorized by Licensee to
access the Service. “Service” shall mean any version or part of NoveList Select, delivered into any channel
(including, but not limited to, catalog, self-checkout, mobile app, digital signage, etc.). “Content” shall mean
both the textual and graphic information that is transmitted via the Service for display in online catalogs. EBSCO
disclaims any liability for the accuracy, completeness or functionality of any material contained herein, referred
to, or linked to. Publication of the servicing information in this content does not imply approval of the
manufacturers of the products covered. EBSCO assumes no responsibility for errors or omissions nor any liability
for damages from use of the information contained herein. Persons engaging in the procedures included herein
do so entirely at their own risk.
I. LICENSE
A. EBSCO hereby grants to the Licensee a nontransferable and non-exclusive right to use the Service made
available by EBSCO according to the terms and conditions of this Agreement. The Content and Service made
available to Authorized Users are the subject of copyright protection, and the original copyright owner (EBSCO
or its licensors) retains the ownership of the Content and Service and all portions thereof. EBSCO does not
transfer any ownership, and the Licensee and Sites may not reproduce, distribute, display, modify, transfer or
transmit, in any form, or by any means, the Service or any portion thereof without the prior written consent of
EBSCO, except as specifically authorized in this Agreement.
B. The Licensee is authorized to provide on-site access through the Sites to the Content and Service to any
Authorized User. The Licensee and Sites are authorized to provide remote access to the Content and Service to
Authorized Users. For the avoidance of doubt, if Licensee provides remote access to individuals on a broader
scale than was contemplated at the inception of this Agreement then EBSCO may hold the Licensee in breach
and suspend access to the Service. Remote access to the Content or Service is permitted to Authorized Users
of subscribing institutions accessing from remote locations for personal, non-commercial use. However,
remote access to the Databases or Services from non-subscribing institutions is not allowed if the purpose of
the use is for commercial gain through cost reduction or avoidance for a non-subscribing institution. Remote
access for personal use from these institutions is permissible.
C. Licensee and Authorized Users agree to abide by the Copyright Act of 1976 as well as by any contractual
restrictions, copyright restrictions, or other restrictions provided by publishers and specified in the Databases or
Services. Pursuant to these terms and conditions, the Licensee and Authorized Users may download or print
limited copies of citations, abstracts, full text or portions thereof, provided the information is used solely in
accordance with copyright law. Licensee and Authorized Users may not publish the information. Licensee and
Authorized Users shall not use the Content or Services as a component of or the basis of any other publication
prepared for sale and will neither duplicate nor alter the Content or Services in any manner, nor use same for
sale or distribution. Licensee and Authorized Users may create printouts of materials retrieved through the
DocuSign Envelope ID: 31D0252D-E512-41FE-BF6C-641A39BADD96
Page | 2 License for NoveList Select
www.ebsco.com
Service via online printing, offline printing, facsimile or electronic mail. All reproduction and distribution of such
printouts, and all downloading and electronic storage of materials retrieved through the Service shall be for
internal or personal use. Downloading all or parts of the Service in a systematic or regular manner so as to
create a collection of materials comprising all or part of the Service is strictly prohibited whether or not such
collection is in electronic or print form. Notwithstanding the above restrictions, this paragraph shall not restrict
the use of the materials under the doctrine of “fair use” as defined under the laws of the United States.
Publishers may impose their own conditions of use applicable only to their content. Such conditions of use shall
be displayed on the computer screen displays associated with such content.
D. Authorized Sites may be added or deleted from this Agreement as mutually agreed upon by EBSCO and
Licensee
E. Reserved.
F. The computer software utilized via EBSCO's Service is protected by copyright law and international treaties.
Unauthorized reproduction or distribution of this software, or any portion of it, is not allowed. User shall not
reverse engineer, decompile, disassemble, modify, translate, make any attempt to discover the source code of
the software, or create derivative works from the software.
G. The Service is not intended to replace Licensee’s existing subscriptions to content available in the Service.
II. LIMITED WARRANTY AND LIMITATION OF LIABILITY
A. EBSCO and its licensors disclaim all warranties, express or implied, including, but not limited to, warranties of
merchantability, noninfringement, or fitness for a particular purpose. Neither EBSCO nor its licensors assume or
authorize any other person to assume for EBSCO or its licensors any other liability in connection with the
licensing of the Service under this Agreement and/or its use thereof by the Licensee and Sites or Authorized
Users.
B. THE MAXIMUM LIABILITY OF EBSCO AND ITS LICENSORS, IF ANY, UNDER THIS AGREEMENT, OR ARISING OUT
OF ANY CLAIM RELATED TO THE PRODUCTS, FOR DIRECT DAMAGES, WHETHER IN CONTRACT, TORT OR
OTHERWISE SHALL BE LIMITED TO THE TOTAL AMOUNT OF FEES RECEIVED BY EBSCO FROM LICENSEE
HEREUNDER UP TO THE TIME THE CAUSE OF ACTION GIVING RISE TO SUCH LIABILITY OCCURRED. IN NO EVENT
SHALL EBSCO OR ITS LICENSORS BE LIABLE TO LICENSEE OR ANY AUTHORIZED USER FOR ANY INDIRECT,
INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR SPECIAL DAMAGES RELATED TO THE USE OF THESERVICE OR TO
THESE TERMS AND CONDITIONS, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
C. Licensee is responsible for maintaining a valid license to the third party resources configured to be used via
the Services (if applicable). EBSCO disclaims any responsibility or liability for a Licensee accessing the third party
resources without proper authorization.
D. EBSCO is not responsible if the third party resources accessible via the Service fail to operate properly or if the
third party resources accessible via the Services cause issues for the Licensee. While EBSCO will make best
efforts to help troubleshoot problems, Licensee acknowledges that certain aspects of functionality may be
dependent on third party resource providers who may need to be contacted directly for resolution.
DocuSign Envelope ID: 31D0252D-E512-41FE-BF6C-641A39BADD96
Page | 3 License for NoveList Select
www.ebsco.com
III. PRICE AND PAYMENT
A. License fees have been agreed upon by EBSCO and the Licensee, and include all retrospective issues of the
Product as well as updates furnished during the term of this Agreement. The Licensee's obligations of payment
shall be to EBSCO or its assignee. Payments are due within 30 days of receipt of invoice(s) and will be deemed
delinquent if not received within thirty (30) days of receipt of the invoice(s). Delinquent invoices are subject to
interest charges of 12% per annum on the unpaid balance (or the maximum rate allowed by law if such rate is
less than 12%). The Licensee will be liable for all costs of collection. Failure or delay in rendering payments due
EBSCO under this Agreement will, at EBSCO's option, constitute material breach of this Agreement. If changes
are made resulting in amendments to the listing of authorized Sites, Service and pricing identified in this
Agreement pro rata adjustments of the contracted price will be calculated by EBSCO and invoiced to the
Licensee and/or Sites accordingly as of the date of any such changes. Payment will be due within 30 days of
receipt of any additional pro rata invoices and will be deemed delinquent if not received within thirty days of
receipt of the invoice.
B. Reserved.
IV. TERMINATION
A. In the event of a breach of any of its obligations under this Agreement, Licensee shall have the right to
remedy the breach within thirty (30) days upon receipt of written notice from EBSCO. Within the period of such
notice, Licensee shall make every reasonable effort and document said effort to remedy such a breach and shall
institute any reasonable procedures to prevent future occurrences of such breaches. If the Licensee fails to
remedy such a breach within the period of thirty (30) days, EBSCO may (at its option) terminate this Agreement
upon written notice to the Licensee.
B. If EBSCO becomes aware of a material breach of Licensee’s obligations under this Agreement or a breach by
Licensee or Authorized Users of the rights of EBSCO or its licensors or an infringement on the rights of EBSCO or
its licensors, then EBSCO will notify the Licensee immediately in writing and shall have the right to temporarily
suspend the Licensee’s access to the Service. Licensee shall be given the opportunity to remedy the breach or
infringement within thirty (30) days following receipt of written notice from EBSCO. Once the breach or
infringement has been remedied or the offending activity halted, EBSCO shall reinstate access to the Service. If
the Licensee does not satisfactorily remedy the offending activity within thirty (30) days, EBSCO may terminate
this Agreement upon written notice to the Licensee.
C. The provisions set forth in Sections I, II and V of this Agreement shall survive the term of this Agreement and
shall continue in force into perpetuity.
V. NOTICES OF CLAIMED COPYRIGHT INFRINGEMENT
EBSCO has appointed an agent to receive notifications of claims of copyright infringement regarding materials
available or accessible on, through, or in connection with our services. Any person authorized to act for a
copyright owner may notify us of such claims by contacting the following agent: Kim Gibbons, EBSCO Publishing,
Inc., 10 Estes Street, Ipswich, MA 01938; phone: 978-356-6500; fax: 978-356-5191; email: kgibbons@ebsco.com.
In contacting this agent, the contacting person must provide all relevant information, including the elements of
notification set forth in 17 U.S.C. 512.
DocuSign Envelope ID: 31D0252D-E512-41FE-BF6C-641A39BADD96
Page | 4 License for NoveList Select
www.ebsco.com
VI. GENERAL
A. Neither Licensee nor EBSCO shall not be responsible for performance under the Agreement should it be
prevented from performance by an act of war, order of legal authority, act of God, or other unavoidable cause
not attributable to the fault or negligence of the Licensee or EBSCO. In the event of an occurrence under this
Section, EBSCO will be excused from any further performance or observance of the requirements so affected for
as long as such circumstances prevail and Vendor continues to use commercially reasonable efforts to
recommence performance or observance whenever and to whatever extent possible without delay. EBSCO shall
immediately notify the City of Denton Procurement Manager by telephone (to be confirmed in writing within
five (5) calendar days of the inception of such occurrence) and describe at a reasonable level of detail the
circumstances causing the non-performance or delay in performance.
B. This Agreement and the license granted herein may not be assigned by the Licensee to any third party
without written consent of EBSCO.
C. If any term or condition of this Agreement is found by a court of competent jurisdiction or administrative
agency to be invalid or unenforceable, the remaining terms and conditions thereof shall remain in full force and
effect so long as a valid Agreement is in effect.
D. If the Licensee and/or Sites use purchase orders in conjunction with this Agreement, then the Licensee and/or
Sites agree that the following statement is hereby automatically made part of such purchase orders: "The terms
and conditions set forth in the NoveList Select License Agreement are made part of this purchase order and are
in lieu of all terms and conditions, express or implied, in this purchase order, including any renewals hereof."
E. This Agreement and our Privacy Policy represent the entire agreement and understanding of the parties with
respect to the subject matter hereof and supersede any and all prior agreements and understandings, written
and/or oral. There are no representations, warranties, promises, covenants or undertakings, except as described
in this Agreement and our Privacy Policy.
F. EBSCO grants to the Licensee a non-transferable right to utilize any IP addresses provided by EBSCO to
Licensee to be used with the Service. EBSCO does not transfer any ownership of the IP addresses it provides to
Licensee. In the event of termination of the Licensee’s license to the Service, the Licensee’s right to utilize such
IP addresses will cease.
G. Information We Collect. All information that EBSCO collects when Licensee accesses, uses, or provides access
to, the Databases and Services is subject to EBSCO’s Privacy Policy, which is incorporated herein by reference. By
accessing or using the Databases and/or Services, you consent to all actions taken by EBSCO with respect to your
information in compliance with the Privacy Policy.
EBSCO Denton Public Library
BY:____________________________________ BY:____________________________________
Name:_________________________________ Name:_________________________________
Title:__________________________________ Title:__________________________________
Date:__________________________________ Date:__________________________________
Alex Saltzman
Senior VP, Inside Sales
12/7/2023
DocuSign Envelope ID: 31D0252D-E512-41FE-BF6C-641A39BADD96
Buyer
Kayla Clark
12/11/2023
Page | 5 License for NoveList Select
www.ebsco.com
DATA PROCESSING ADDENDUM
This Data Processing Addendum (the “Addendum”) supplements the EBSCO License Agreement (the
“Agreement”) between the Customer (“Customer”) and EBSCO Publishing, Inc. (“EBSCO”).
1. Definitions
1. For the purpose of this Addendum the terms, “Controller,” “Processor,” “Data Subject,”
“Personal Data,” “Personal Data Breach,” “Processing,” “Subprocessor,” and “Supervisory Authority”
shall have the same meanings as in applicable Data Protection Legislation, and their related terms
shall be construed accordingly.
2. “Appropriate technical and organizational measures" shall be interpreted in accordance with
applicable Data Protection Legislation.
3. “Customer Personal Data” means the Personal Data that is provided by Customer to EBSCO or
that is processed by EBSCO on Customer’s behalf in connection with the Agreement.
4. “Data Protection Legislation” means all applicable data protection and privacy legislation in
force from time to time where EBSCO does business, including the General Data Protection
Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council (the “GDPR”),
the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive
2009/136/EC), the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100, et seq. (the
“CCPA”), and all other applicable laws and regulations relating to the Processing of Personal Data,
including any legislation that implements or supplements, replaces, repeals and/or supersedes any of
the foregoing.
5. “International Data Transfer” means the transfer (either directly or via onward transfer) of
Personal Data from within the European Economic Area/United Kingdom (as applicable) to a country
not recognized by the European Commission as providing an adequate level of protection for Personal
Data (as described in the GDPR).
6. “User Personal Data” means the Personal Data provided directly by Customer’s end users to
EBSCO through the products and services purchased by Customer.
2. Data Processing: EBSCO as Processor for Customer
1. Where Customer Personal Data is processed by EBSCO, EBSCO will act as the Processor and the
Customer will act as the Controller.
1. Subject Matter. The subject matter of the Processing is the Customer Personal Data.
2. Duration. The Processing will be carried out for the duration set forth in the Agreement.
3. Nature and Purpose. The purpose of the Processing is the provision of products and
services to the Customer purchased by the Customer from time to time.
4. Type of Customer Personal Data and Data Subjects. Customer Personal Data consists of
the following categories of information relevant to the following categories of Data Subjects:
DocuSign Envelope ID: 31D0252D-E512-41FE-BF6C-641A39BADD96
Page | 6 License for NoveList Select
www.ebsco.com
a. Representatives of Customer: name, address; email address; billing information;
login credentials; geolocation data; and professional affiliation.
b. Customer’s end users of the EBSCO products and services purchased by
Customer (where personalized account information is provided to EBSCO by
Customer): name; address; and email address.
2. EBSCO shall not Process Customer Personal Data other than on the Customer’s documented
instructions (as set forth in this Addendum or the Agreement or as otherwise directed by Customer in
writing). EBSCO will not Process Customer Personal Data for any purpose, including for any commercial purpose, other than for the specific purpose of performing the services specified in the
Agreement. If Processing of Customer Personal Data inconsistent with the foregoing provisions of this
section is ever required by applicable Data Protection Legislation to which EBSCO is subject, EBSCO
shall, to the extent permitted by applicable Data Protection Legislation, inform the Customer of that
legal requirement before proceeding with the relevant Processing of that Customer Personal Data.
3. EBSCO will notify Customer promptly if, in EBSCO’s opinion, an instruction for the Processing of
Customer Personal Data infringes applicable Data Protection Legislation.
4. EBSCO shall ensure that all personnel who have access to and/or Process the Customer Personal
Data are subject to confidentiality undertakings or professional or statutory obligations of
confidentiality.
5. EBSCO shall, in relation to the Customer Personal Data, implement appropriate technical and
organizational measures to protect against unauthorized or unlawful Processing of Customer Personal
Data and against accidental loss or destruction of, or damage to, Customer Personal Data. When
considering what measure is appropriate, each party shall have regard to the state of good practice,
technical development and the cost of implementing any measures to ensure a level of security
appropriate to the harm that might result from such unauthorized or unlawful Processing or
accidental loss or destruction, and to the nature of the data to be protected.
6. EBSCO shall assist Customer, taking into account the nature of the Processing, (A) by
appropriate technical and organizational measures and where possible, in fulfilling Customer’s
obligations to respond to requests from data subjects exercising their rights under Applicable Data
Protection Legislation; (B) in ensuring compliance with the obligations pursuant to Articles 32 to 36 of
the GDPR, taking into account the nature of the Processing and the information available to EBSCO;
and (C) by making available to Customer all information reasonably requested by Customer for the
purpose of demonstrating that Customer’s obligations relating to the appointment of processors as
set out in Article 28 of the GDPR have been met.
7. EBSCO shall promptly notify Customer upon becoming aware of any confirmed Personal Data
Breach affecting the Customer Personal Data.
8. Upon termination of the Agreement, EBSCO shall, at Customer’s election, securely delete or
return Customer Personal Data and destroy existing copies unless preservation or retention of such
Customer Personal Data is required by any applicable law to which EBSCO is subject.
9. EBSCO shall allow Customer and Customer’s authorized representatives to access and review
up-to-date attestations, reports, or extracts thereof from independent bodies (e.g., external auditors,
DocuSign Envelope ID: 31D0252D-E512-41FE-BF6C-641A39BADD96
Page | 7 License for NoveList Select
www.ebsco.com
data protection auditors) or suitable certifications, or to conduct audits or inspections to ensure
compliance with the terms of this Addendum. Any audit or inspection must be conducted during
EBSCO’s regular business hours, with reasonable advance notice to EBSCO and subject to reasonable
confidentiality procedures. In addition, audits or inspections shall be limited to once per year.
EBSCO shall, in the event of third-party subprocessing that is subject to Data Protection Legislation,
(A) inform Customer and obtain its prior written consent (execution of this Addendum shall be
deemed as Customer’s prior written consent to such third-party subprocessing); (B) provide a list of
third-party Subprocessors upon Customer’s request; and (C) inform Customer of any intended changes to third-party Subprocessors, and give Customer a reasonable opportunity to object to such
changes. If EBSCO provides Personal Data to third-party Subprocessors, EBSCO will include in its
agreement with any such third-party Subprocessor terms which offer at least the same level of
protection for the Customer Personal Data as those contained herein and as are required by
applicable Data Protection Legislation.
3. Data Processing: EBSCO as Joint Controller With Customer
1. EBSCO and Customer shall act as joint Controllers with respect to User Personal Data.
2. EBSCO shall be responsible for providing Customer’s end user Data Subjects with the
information required under GDPR Articles 13 and 14 (including by identifying a contact point for Data
Subjects) before processing User Personal Data, and with informing Customer’s end users of the
essence of EBSCO’s arrangement with Customer.
3. EBSCO shall provide Customer’s end user Data Subjects with the ability to exercise their
individual rights with respect to User Personal Data within a self-service portal.
4. International Data Transfer
1. To the extent that any Customer Personal Data is subject to any International Data Transfer, the
parties agree to be bound by, and all terms and provisions of the Controller to Processor Standard
Contractual Clauses adopted by the European Commission (“Processor Model Clauses”) shall be
incorporated by reference to this Addendum with the same force and effect as though fully set forth
in this Addendum, wherein:
1. Customer is the “data exporter” and EBSCO International, Inc. is the “data importer;”
and
2. The provisions of Module Two are incorporated; the provisions under Modules One,
Three, and Four, the footnotes, and Clauses 9, 11(a) Option and 17 Option 1 are omitted; the
clauses shall be governed by the law of Ireland; and the competent supervisory authority is
Ireland.
2. To the extent that any User Personal Data is subject to any International Data Transfer, the
parties the parties agree to be bound by, and all terms and provisions of the Controller to Controller
Standard Contractual Clauses adopted by the European Commission (“Controller Model Clauses”)
shall be incorporated by reference to this Addendum with the same force and effect as though fully
set forth in this Addendum, wherein:
DocuSign Envelope ID: 31D0252D-E512-41FE-BF6C-641A39BADD96
Page | 8 License for NoveList Select
www.ebsco.com
1. Customer is the “data exporter” and EBSCO is the “data importer;” and
2. The provisions of Module One are incorporated; the provisions under Modules Two,
Three and Four, the footnotes, and Clauses 9, 11(a) Option and 17 Option 1 are omitted; the
clauses shall be governed by the law of Ireland; and the competent supervisory authority is
Ireland.
3. The Processor Model Clauses and Controller Model Clauses shall be collectively, the “Standard
Contractual Clauses.” The applicable version of the Standard Contractual Clauses is those which were
approved by the European Commission on June 4, 2021. In the event that the Standard Contractual Clauses are updated, replaced, amended or re-issued by the European Commission (with the updated
Standard Contractual Clauses being the “New Contractual Clauses”) during the term of this
Addendum, the New Contractual Clauses shall be deemed to replace the Standard Contractual Clauses
and the parties undertake to be bound by the terms of the New Contractual Clauses effective as of the
date of the update (unless either party objects to such change) and the parties shall execute a form of
the New Contractual Clauses.
4. The descriptions required by the Annexes of the Standard Contractual Clauses are replaced by
the information in Schedule 1, Schedule 2, and Schedule 3 of this Addendum.
5. To the extent that the UK Information Commissioner’s Office issues any standard contractual
clauses for the purpose of making lawful International Data Transfers during the term of this
Addendum that will impact the transfers of Customer Personal Data or User Personal Data (with such
clauses being the “UK Standard Contractual Clauses”), to the extent possible, the UK Standard
Contractual Clauses shall be deemed to be incorporated into this Addendum and the parties
undertake to be bound by the terms of the UK Standard Contractual Clauses effective as of the date of
their issuance (unless either party objects to such change) and the parties shall execute a form of the
UK Standard Contractual Clauses.
DocuSign Envelope ID: 31D0252D-E512-41FE-BF6C-641A39BADD96
Page | 9 License for NoveList Select
www.ebsco.com
Schedule I
List of Parties and Description of Data
Transfers
A. LIST OF PARTIES
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data
protection officer and/or representative in the European Union]
1. Name:
Address:
Contact person’s name, position and contact details:
Activities relevant to the data transferred under these Clauses:
Signature and date:
Role (controller/processor): Controller and Joint Controller
2. Additional Information: EBSCO and Customer shall act as Joint Controllers with respect to User Personal Data (as defined in the Agreement). The Joint Controllers shall perform the following
responsibilities accordingly:
Customer
• Personalization: Customer decides
whether to enable features of personalized
accounts in product
• Authorize the processing of end
user data by EBSCO via the Agreement
between parties
o Provide legal basis for
processing end user data
o Establish the purposes and
scope of processing
• Implementation of technical and
organizational measures to ensure security
of network
o Access controls – provide
guidelines to EBSCO for authorizing
who may access the product under
the customer’s subscription
• Data Subject Access Requests
o As needed, provides details
of requests to EBSCO if request is
received by Customer from end
users (in the event that an end user
submits a request through
Customer rather than through
EBSCO)
• Implementation of organizational
and technical measures
o See Schedule 2 for details
• Maintenance and support of
product
o Security patches
o Feature updates
o Technical support
o Availability and up-time
• Data storage, including backups
• Establish the purposes and scope of
processing via the Agreement between
Parties
• Data Subject Access Requests
o Receives and processes
Data Subject Access Requests and
honors the data subject rights of
information, access, rectification,
erasure, restricted processing, data
portability, right to object, and the
right to avoid automated decision-
making
o Manages the contact form,
email address, and phone number
for intake of privacy requests
DocuSign Envelope ID: 31D0252D-E512-41FE-BF6C-641A39BADD96
Page | 10 License for NoveList Select
www.ebsco.com
o Upon request, notifies
customer of data subject request
• Provide legal basis for processing
end user data
o Agreement between
parties establishes contract to
provide services
o Collection of individual
consent and acceptance of terms of
use, privacy policy, etc. from end
users
• Incident response
o Implementation of process
o Notification of customer
• Subprocessors - vetting and
notifying customer of new subprocessors
• Privacy Risk Assessments – conduct
PRA/DPIA as needed for vendors, features,
products, etc. which process personal
information
Data importer(s):
For Customer Personal Data:
1. Name: EBSCO International, Inc.
Address: 10 Estes Street, Ipswich, MA 01938
Contact person’s name, position and contact details:
Activities relevant to the data transferred under these Clauses: Academic and scholastic research
Signature and date:
Role (controller/processor): Joint Controller and Processor
2. Additional Information: Customer will act as the Controller of Customer Personal Data where
Customer Personal Data is processed by EBSCO. EBSCO will act as the Processor of Customer
Personal Data.
“Customer Personal Data” means the Personal Data that is provided by Customer to EBSCO or that is
processed by EBSCO on Customer’s behalf in connection with the Agreement.
For User Personal Data:
1. Name: EBSCO International, Inc.
Address: 10 Estes Street, Ipswich, MA 01938
Contact person’s name, position and contact details:
Activities relevant to the data transferred under these Clauses: Academic and scholastic research,
creation and creation of user profiles
Signature and date:
Role (controller/processor): Joint Controller and Processor
DocuSign Envelope ID: 31D0252D-E512-41FE-BF6C-641A39BADD96
Page | 11 License for NoveList Select
www.ebsco.com
2. Additional Information: Customer will act as the Controller of User Personal Data where User
Personal Data is processed by EBSCO. EBSCO will act as the Joint Controller of User Personal Data.
“User Personal Data” means the Personal Data provided directly by Customer’s end users to EBSCO
through the products and services purchased by Customer.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: Entity information required for handling the subscription and users of applications, including but not limited to students, teachers, employees, authors.
Categories of personal data transferred: First name, last name, email address, authentication information,
search information, research notes.
Sensitive Data transferred (if applicable), and applied restrictions or safeguards that fully take into
consideration the nature of the data and the risks involved: Not Applicable.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):
Continuous.
Nature of the processing: Providing access to EBSCO databases; storing user information in customized profiles;
facilitating the retrieval of user search history.
Purpose(s) of the data transfer and further processing: To perform the obligations between the parties, per the
Agreement, to provide research tools, to personalize the experience and to prevent harvesting. The period for
which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: As
long as reasonably necessary, some personalization information will be held until deletion is requested by a
customer or user.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
Subject Matter: First name, last name, email address, authentication information, search information, research
notes
Nature of processing: The nature of processing includes the following: Data storage and software delivery,
consent management, fulfilling data subject rights requests. Please also see Annex III, List of Subprocessors, for
comprehensive information about how specific subprocessors process data.
Duration: Continuous
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority, in accordance with Clause 13, is the Supervisory Authority of Ireland.
DocuSign Envelope ID: 31D0252D-E512-41FE-BF6C-641A39BADD96
Page | 12 License for NoveList Select
www.ebsco.com
Schedule II
Technical and Organizational
Measures Including Technical and
Organizational Measures to Ensure
the Security of Data
EBSCO shall maintain and use appropriate safeguards to prevent the unauthorized access to or use of Customer
Personal Data and to implement administrative, physical and technical safeguards to protect Customer Personal
Data. Such safeguards shall include:
1. Network and Application Security and Vulnerability Management:
a.Measures of pseudonymization and encryption of personal data:
Personal data is encrypted at rest using the 256-bit Advanced Encryption Standard (AES-256),
and in transit using Transport Layer Security (TLS) encryption. Cryptographic key management
is in place as outlined in National Institute of Science and Technology (NIST) standard 800-57.
b. Measures for ensuring ongoing confidentiality, integrity, availability and
resilience of processing systems and services:
EBSCO has an ongoing commitment to certification against relevant International
Organization for Standardization (ISO) standards, including ISO standards 27001, 27017,
27018 and 27701 both on-premise and at Amazon Web Services (AWS) managed data centers.
EBSCO is hosted both within the Amazon Web Services platform and within legacy on premise
data centers in Ipswich, MA and Boston, MA. Applications and data are distributed for
purposes of high availability and resilience. Features such as automatic recovery and
automatic scaling have been implemented. Applications together with their container
configuration can be redeployed within minutes, if necessary.
c. Measures for ensuring the ability to restore the availability and access to personal data
in a timely manner in the event of a physical or technical incident:
All applications and data are distributed across multiple nodes and the nodes are distributed
across multiple availability zones within Amazon Web Services to ensure high availability of
the service. The use of a container-based architecture further helps to ensure high availability
of the service. For example, applications automatically restart if they encounter issues and if a
specific node fails, it is removed from service and traffic is directed to the remaining ‘healthy’
nodes. Where appropriate, nodes are set to automatically scale to handle unexpected spikes
in traffic. Regular service management meetings review the performance and future capacity
needs of the service. The infrastructure enables horizontal and vertical scaling to be
implemented with significantly reduced lead times compared to a physical infrastructure.
For our legacy on premise, EIS employs two concurrent data centers with failover capabilities
in the event that one of the sites experiences an outage. EBSCO’s on-premise data centers are
protected with uninterruptable power supplies, fire suppression systems and limited access
only to personnel necessary for the ongoing operation of the data centers.
EBSCO continuously monitors service availability. The current status can be found here:
https://status.ebsco.com/
DocuSign Envelope ID: 31D0252D-E512-41FE-BF6C-641A39BADD96
Page | 13 License for NoveList Select
www.ebsco.com
d. Processes for regularly testing, assessing, and evaluating the effectiveness of
technical and organizational measures in order to ensure the security of the processing:
EBSCO contracts third party penetration testing on an annual basis. In addition, vulnerability
scans are conducted through an automated code deployment pipeline. Our production
environment is scanned continuously. We employ a managed 24/7 security operations team
to continuously monitor our environment. EBSCO regularly applies security updates to our
environment following our comprehensive vulnerability management process. These updates
are done on a rolling basis using a Scaled Agile Framework for Enterprises (SAFe).
Organizational measures are reviewed twice annually, through an internal audit as well as an
external audit conducted on an annual basis by accredited third party auditors. In addition,
regular access reviews to sensitive data and systems are conducted on a regular basis.
EBSCO continually evaluates the security of its network and associated Services to determine
whether additional or different security measures are required to respond to security risks or
findings generated by periodic reviews.
e. Measures for the protection of data during transmission:
All data is encrypted in transit using TLS, both from the users’ browser to the applications as
well as data in transit between EBSCO systems and subprocessors.
f. Measures for the protection of data during storage:
Personal Data is encrypted at rest using the 256-bit Advanced Encryption Standard (AES-256).
All data storage is isolated from the public internet by a dedicated firewall to ensure only
EBSCO personnel can access the database.
g. Measures for ensuring system configuration, including default configuration:
Standardized system configurations are enforced through automated code deployment
pipelines where appropriate.
h. Measures for internal IT and IT security governance and management:
EBSCO’s Governance Risk and Compliance (GRC) Team maintains the EBSCO Information
Security and Privacy Management system (ISPMS). The ISPMS is continuously monitored and
improved to conform to or exceed the standards required by ISO 27001, ISO 27701, ISO
27017, and ISO 27108. The EBSCO ISPMS is comprised of the ISMS-Information Security
Management System and PIMS-Privacy Information Management System. External and
internal audits of the ISPMS are performed on an annual basis. Security logs are monitored
continuously.
i. Measures for certification/assurance of processes and products:
In addition to the measures for internal IT management and IT security governance above,
regular, mandatory training is delivered through an online learning platform to ensure all staff
are familiar with their responsibilities and up to date with policies and procedures. Clear
processes are in place to manage security related incidents and to liaise with law enforcement
if required.
j. Measures for ensuring data minimization:
DocuSign Envelope ID: 31D0252D-E512-41FE-BF6C-641A39BADD96
Page | 14 License for NoveList Select
www.ebsco.com
EBSCO follows best practices for minimizing data attributes to only those needed to perform
required functions and allow its customers and user patrons the ability to extend the
minimum default data set if required.
k. Measures for ensuring data quality:
Institutions and end users have the ability to review and update their information through a
self-service module, or through contacting EBSCO according to the Privacy Policy. Where
applicable, data validation controls are implemented in our environment.
2. Logical access controls:
a.Measures for user identification and authorization:
A small number of the EBSCO Team with responsibilities for administering and supporting the
system have access to the production environment and databases. This is strictly controlled by
role and requires two-factor authentication to gain access.
Customer Administrator access to end user data is only possible through using an
EBSCOadmin administrator account. Only personnel designated by the customer and a small
number of EBSCO’s privileged users have access to this information.
Customers have the ability to set up different authentication options. Options include, but are
not limited to, integration through Single Sign On (SSO) using SAML 2.0, username and
password, IP whitelist authentication, patron ID, Google Campus Activated Subscriber Access
(CASA), Universal CASA and Cookies.
3. Secure media disposal controls:
a.Measures for ensuring limited data retention:
It is vital that personal data stored within EBSCO’s systems meets the requirements for data
privacy and protection and part of that is ensuring personal data is not retained beyond what
is necessary for the defined purpose.
In many cases, EBSCO allows the ability for customers to anonymize end user data by
pseudonymized SSO configuration or removing the option for User Patrons to personalize.
b. Measures for allowing data portability and ensuring erasure:
Upon request or through the self-service module, EBSCO customers can extract Database
Usage Reports, Interface Usage Reports, Link Activity Reports, Login Usage Report and Title
Usage Reports. This data can also be obtained upon request at contract termination, or at any
time through EBSCOadmin.
4. Logging Controls:
a.Measures for ensuring events logging:
EBSCO allows customers to view database usage reports, interface usage reports, link activity
reports, login usage reports and title usage reports through EBSCOadmin.
DocuSign Envelope ID: 31D0252D-E512-41FE-BF6C-641A39BADD96
Page | 15 License for NoveList Select
www.ebsco.com
EBSCO employs Security Information and Event Management (SIEM) logs across our resources.
These logs are monitored internally by our information security team and 24/7 managed
security operations center (SOC). No customer action is required, and customers do not have
access to these internal logs.
5. Personnel Controls:
Contracts for new staff and the onboarding process emphasize individual responsibilities for
information security and the potential penalties for misuse. Staff resignations trigger an automated
process to ensure access rights to EBSCO’s systems are revoked in a timely fashion.
The IT Acceptable Use Agreement covers the acceptable use of EBSCO’s information assets. It is issued
to both permanent and contract staff and forms part of the induction for new starters.
Security awareness training is delivered through EBSCO’s online training platform. It is delivered at
least annually and is mandatory for all employees.
6. Physical security and environmental controls:
a.Measures for ensuring physical security of locations at which personal data are
processed: EBSCO is committed to ensuring the safety of its employees, contractors and
assets and takes the issue of physical security very seriously. EBSCO has a comprehensive
set of physical security controls which ensure that its data centers and offices are
sufficiently protected. Access to data centers is limited only to necessary personnel, and
all access is logged and reviewed for abnormalities.
EBSCO also contracts with AWS for the processing of customer data. AWS provides world class
security within their hosted data centers. For more information on physical security in AWS
hosted environments see: https://aws.amazon.com/compliance/data-center/controls/.
DocuSign Envelope ID: 31D0252D-E512-41FE-BF6C-641A39BADD96
Page | 16 License for NoveList Select
www.ebsco.com
Schedule III
List of Subprocessors
MODULE TWO: Transfer controller to processor
The controller has been notified of the use of the subprocessors linked below may be utilized at the time of
contract execution. For an updated list of subprocessors, please see www.ebsco.com/subprocessors.
DocuSign Envelope ID: 31D0252D-E512-41FE-BF6C-641A39BADD96
Certificate Of Completion
Envelope Id: 31D0252DE51241FEBF6C641A39BADD96 Status: Completed
Subject: ***Purchasing Approval***8409- Novelist Plus and Select
Source Envelope:
Document Pages: 17 Signatures: 2 Envelope Originator:
Certificate Pages: 2 Initials: 1 Kayla Clark
AutoNav: Enabled
EnvelopeId Stamping: Enabled
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
901B Texas Street
Denton, TX 76209
kayla.clark@cityofdenton.com
IP Address: 198.49.140.10
Record Tracking
Status: Original
12/7/2023 7:20:36 AM
Holder: Kayla Clark
kayla.clark@cityofdenton.com
Location: DocuSign
Signer Events Signature Timestamp
Kayla Clark
kayla.clark@cityofdenton.com
Buyer
Security Level: Email, Account Authentication
(None)
Completed
Using IP Address: 198.49.140.104
Sent: 12/11/2023 7:56:17 AM
Viewed: 12/11/2023 7:56:36 AM
Signed: 12/11/2023 7:56:46 AM
Electronic Record and Signature Disclosure:
Not Offered via DocuSign
Lori Hewell
lori.hewell@cityofdenton.com
Purchasing Manager
City of Denton
Security Level: Email, Account Authentication
(None)
Signature Adoption: Pre-selected Style
Using IP Address: 198.49.140.10
Sent: 12/11/2023 7:56:48 AM
Viewed: 12/11/2023 8:44:34 AM
Signed: 12/11/2023 8:45:14 AM
Electronic Record and Signature Disclosure:
Not Offered via DocuSign
Jennifer Bekker
Jennifer.Bekker@cityofdenton.com
Director of Libraries
City of Denton
Security Level: Email, Account Authentication
(None)
Signature Adoption: Pre-selected Style
Using IP Address: 198.49.140.10
Sent: 12/11/2023 8:45:16 AM
Viewed: 12/11/2023 9:25:36 AM
Signed: 12/11/2023 9:25:41 AM
Electronic Record and Signature Disclosure:
Not Offered via DocuSign
Kayla Clark
kayla.clark@cityofdenton.com
Buyer
Security Level: Email, Account Authentication
(None)Signature Adoption: Pre-selected Style
Using IP Address: 198.49.140.104
Sent: 12/11/2023 9:25:43 AM
Viewed: 12/11/2023 9:26:15 AM
Signed: 12/11/2023 9:26:32 AM
Electronic Record and Signature Disclosure:
Not Offered via DocuSign
In Person Signer Events Signature Timestamp
Editor Delivery Events Status Timestamp
Agent Delivery Events Status Timestamp
Intermediary Delivery Events Status Timestamp
Certified Delivery Events Status Timestamp
Carbon Copy Events Status Timestamp
Cheyenne Defee
cheyenne.defee@cityofdenton.com
Procurement Administration Supervisor
City of Denton
Security Level: Email, Account Authentication
(None)
Sent: 12/11/2023 9:26:33 AM
Electronic Record and Signature Disclosure:
Not Offered via DocuSign
Rachel Reeves
Rachel.Reeves@cityofdenton.com
Security Level: Email, Account Authentication
(None)
Sent: 12/11/2023 9:26:34 AM
Electronic Record and Signature Disclosure:
Not Offered via DocuSign
Witness Events Signature Timestamp
Notary Events Signature Timestamp
Envelope Summary Events Status Timestamps
Envelope Sent Hashed/Encrypted 12/11/2023 7:56:17 AM
Certified Delivered Security Checked 12/11/2023 9:26:15 AM
Signing Complete Security Checked 12/11/2023 9:26:32 AM
Completed Security Checked 12/11/2023 9:26:34 AM
Payment Events Status Timestamps