1. Applicability.
This Data Processing Addendum (“DPA”) is incorporated by reference into the MSA terms and conditions ("Agreement") entered by and between Mitiga Security Inc., and its affiliates ("Mitiga") and you - the Client (as defined in the Agreement), to the extent that Mitiga processes Personal Data (as defined below) on behalf of Client.
By accepting the Agreement, and/or accessing and/or using the Services (as defined in the Agreement), Client accepts this DPA and if the person signing or accepting or clicking through to the Services is entering the DPA on behalf of another entity or person, such person hereby represents and warrants to Mitiga that he is an Authorized User (as defined in the Agreement) with authority to bind Client to this DPA through such consent or use of the Services. If such person does not have such authority or if Client does not agree to this DPA, please do not provide Personal Data to Mitiga.
2. Definitions.
2.1. Terms used in this DPA but not defined herein (whether or not capitalized) shall have the meanings assigned to such terms in the Applicable Data Protection Laws.
2.2. "Applicable Data Protection Laws" shall mean, to the extent applicable to Mitiga's processing of Personal Data hereunder (with respect to each data subject): (i) General Data Protection Regulations (European Parliament and Council of European Union (2016) Regulation (EU) 2016/679) (EU GDPR); (ii) EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (UK GDPR); (iii) California Consumer Privacy Act of 2018 (CCPA) and the California Privacy Rights Act of 2020 (CPRA); (iv) Protection of Privacy Law (Israel); and (v) any rules or regulations that amend and/or replace any of the aforementioned Data Protection Laws.
2.3. "Personal Data" refers to the definition of that term or any other similar term defined under the Applicable Data Protection Laws.
2.4. “Sensitive Data” means Personal Data which includes any of the following: (a) social security number, tax file number, passport number, driver's license number, or similar identifier (or any portion thereof); (b) credit or debit card number; (c) financial, credit, genetic, biometric or health information; (d) information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences; (e) account passwords; or (f) other information that falls within the definition of “special categories of data” under Applicable Data Protection Laws.
2.5. "Security Documentation/s" means the security documentation applicable to the services purchased by Client under the Agreement, as updated from time to time and as made reasonably available by Mitiga. This can be provided upon request.
2.6. “Standard Contractual Clauses or SCCs” shall mean: (i) where the EU GDPR applies, the standard contractual clauses pursuant to the EU Commission's Implementing Decision 2021/914 of 4 June 2021 currently set out at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj (“EU SCCs”); (ii) where the UK GDPR applies, the EU SCCs together with the UK Information Commissioner’s Office addendum, under S119A(1) of the Data Protection Act 2018 (“UK Addendum”); or any other Standard Contractual Clauses which amend and/or replace such Standard Contractual Clauses in accordance with Applicable Data Protection Law.
3. Processing of Personal Data on behalf of Client.
3.1. Mitiga’s Processing of Personal Data. Mitiga acts as a processor/service provider for Client and performs processing operations on behalf of Client and upon the instructions of Client as a controller/business, as set forth herein, in the Agreement, and any additional agreement entered into between Client and Mitiga (collectively, the "Terms"), pursuant to which Client may provide Personal Data to Mitiga ("Contracted Business Purpose").
3.2. Sensitive Data. The Parties agree that the provision of the services under the Agreement is not intended for the processing of Sensitive Data. For the avoidance of doubt, this DPA will not apply to Sensitive Data and Mitiga shall have no liability whatsoever for Sensitive Data, whether in connection with a Personal Data Breach or otherwise.
4. Client Representations.
Client sets forth the details, including the purpose, the means and the ways in which Mitiga shall process Personal Data, as required by Applicable Data Protection Laws in Appendix A (Details of Processing of Processed Personal Data), attached hereto, and Client represents and warrants that:
4.1. It complies with personal data security and other obligations prescribed by Applicable Data Protection Laws for controller/business, and that the provision of Personal Data to Mitiga is in strict compliance with Applicable Data Protection Laws;
4.2. It only processes Personal Data that has been collected in accordance with the Applicable Data Protection Laws;
4.3. It has in place procedures in case an individual whose Personal Data is collected wishes to exercise their rights in accordance with the Applicable Data Protection Laws;
4.4. It provides Personal Data to Mitiga for the Contracted Business Purpose in accordance with the representations Client makes to individuals in Client's privacy policy, and Client does not sell Personal Data to Mitiga;
4.5. It shall have the sole responsibility for the accuracy, quality, and legality of such Client’s Personal Data;
4.6. It shall provide to Mitiga as a processor/service provider, or otherwise have Mitiga (or anyone on its behalf) process such Personal Data which is explicitly permitted under Applicable Data Protection Laws ("Permitted Personal Data"). Solely Client shall be liable for any data which is made available to Mitiga in excess of the Permitted Personal Data (“Non-Permitted Data”). Mitiga's obligations under the Terms shall not apply to any such Non-Permitted Data;
4.7. It is and will remain duly and effectively authorized to give the instruction set out herein and any additional instructions as provided pursuant to the Terms, at all relevant times and at least for as long as the Terms are in effect and for any additional period during which Mitiga is lawfully processing Personal Data.
5. Mitiga Obligations.
5.1. Mitiga carries out the processing of Personal Data on Client's behalf;
5.2. Pursuant to the provisions of Article 28 of the GDPR, to the extent applicable with respect to each data subject, Mitiga agrees that it will:
5.2.1. process Personal Data solely on Client's behalf and in compliance with Client's instructions, including instructions in this DPA and all Terms, unless required to do so by EU or applicable Member State law;
5.2.2. implement appropriate technical and organizational measures to provide an appropriate level of security, including, as appropriate and applicable, the measures referred to in Article 32(1) of the GDPR;
5.2.3. take reasonable steps to ensure that access to the processed Personal Data is limited on a need to know/access basis, and that all Mitiga personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access/use of Personal Data;
5.2.4. provide reasonable assistance to Client with any data protection impact assessments or prior consultations with supervising authorities in relation to processing of Personal Data by the processor/service provider, as required under any Applicable Data Protection Laws, at the written request of the Client, and at Client's sole expense; and
5.3. Pursuant to the CCPA, to the extent applicable with respect to each data subject, Mitiga agrees that:
5.3.1. Mitiga is acting solely as a service provider with respect to Personal Data;
5.3.2. Mitiga shall not retain, use or disclose Personal Data for any purpose other than for the Contracted Business Purpose;
5.3.3. Mitiga may de-identify or aggregate Personal Data as part of performing the services specified in the Terms; and
5.3.4. Mitiga will limit personal information collection, use, retention, and disclosure to activities reasonably necessary and proportionate to achieve the Contracted Business Purpose or another compatible operational purpose.
6. Sub-Processing.
6.1. Authorized Sub-processors.
6.1.1. Client authorizes Mitiga to use its current Sub-processors engaged by Mitiga as of the effective date of this DPA, and provides Mitiga, subject to Section 6.2, with a general authorization to engage Sub-processors, in connection with the provision of the services under the Agreement. A list of Mitiga’s currently engaged Sub-processors shall be made available upon email request to DPO@mitiga.io (“Sub-Processor List”). The Sub-Processor List, as of the date of the effective date of this DPA is hereby deemed authorized by Client.
6.2. Changes to Sub-Processors List.
6.2.1. Mitiga may appoint new Sub-processors and shall give reasonable notice of the appointment of any new Sub-processor, before authorizing such new Sub-processor to process Personal Data in connection with the provision of the services under the Agreement.
6.2.2. Client may reasonably object to Mitiga’s use of a new Sub-processor on grounds relating to a Sub-Processor’s non-compliance with Applicable Data Protection Laws, by notifying Mitiga in writing within no more than fourteen (14) days after receipt of Mitiga’s notice of any planned appointment. Client’s written objection shall reasonably explain the objection to Mitiga’s use of such new Sub-processor. Client’s continued use of the applicable services after the lapse of fourteen (14) days from such notification constitutes Client’s acceptance of the new sub-processor.
6.2.3. In the event Client reasonably objects to a new Sub-processor hereunder, as described above, Mitiga will use reasonable efforts to make available to Client a change in the services or recommend a commercially reasonable change to Client’s use of the services, to avoid processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Client. If Mitiga is unable to make available such change within thirty (30) days, Client may, as a sole remedy, terminate the applicable Agreement and this DPA only with respect to those services which cannot be provided by Mitiga without the use of the objected-to new Sub-processor, by providing written notice to Mitiga. For the avoidance of doubt, all amounts due under the Agreement shall be duly paid to Mitiga. Until a decision is made regarding the new Sub-processor, Mitiga may temporarily suspend the processing of the affected Personal Data and/or suspend access to the services. Client will have no further claims against Mitiga due to the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA under the circumstances described herein.
6.3. Mitiga shall ensure that any sub-processor used must qualify as a service provider under the Applicable Data Protection Laws and Mitiga cannot make any disclosures to the subcontractor that the CCPA would treat as a sale.
7. Data Subjects' Rights.
7.1. Client shall be solely responsible for compliance with any statutory obligations concerning requests to exercise data subject rights under Applicable Data Protection Laws (e.g., for access, rectification, deletion of processed Personal Data, etc.). Mitiga shall reasonably endeavor to assist Client insofar as feasible, to fulfill Client's said obligations with respect to such data subject requests, as applicable, at Client's sole expense.
7.2. Mitiga shall (i) without undue delay notify Client if it receives a request from a data subject under any Applicable Data Protection Laws in respect of processed personal data; and (ii) not respond to that request, except on the written instructions of Client or as required by Applicable Data Protection Laws, in which case Mitiga shall, to the extent permitted by Applicable Data Protection Laws, inform Client of that legal requirement before it responds to the request.
8. Personal Data Breach.
8.1. Mitiga shall notify Client without undue delay upon Mitiga becoming aware of any personal data breach within the meaning of Applicable Data Protection Laws relating to Personal Data processed on behalf of the Client, including Personal Data transmitted, stored or otherwise processed by Mitiga or its Sub-processors of which Mitiga becomes aware, which may require a notification to be made to a supervisory authority or data subject under Applicable Data Protection Laws ("Personal Data Breach").
8.2. At the written request of the Client and at Client's sole expense, Mitiga shall provide reasonable co-operation and assistance to Client in respect of Client's obligations regarding the investigation of any Personal Data Breach and the notification to the supervisory authority and data subjects in respect of such a Personal Data Breach.
9. Deletion or Return of Processed Personal Data.
9.1. Subject to the terms hereof, Mitiga shall promptly and in any event within up to sixty (60) days (unless a sooner time period is required by Applicable Data Protection Laws) return and then destroy the Personal Data, except such copies as authorized including under this DPA or required to be retained in accordance with Applicable Data Protection Laws.
9.2. Mitiga may retain Personal Data to the extent authorized or required by Applicable Data Protection Laws, provided that Mitiga shall ensure the confidentiality of such Personal Data and shall ensure that it is only processed for such legal purpose(s).
9.3. Upon Client's prior written request, Mitiga shall provide written certification to Client that it has complied with this Section 9.
10. Security; Audit Rights.
10.1. Controls & Certifications.
10.1.1. Mitiga shall implement and maintain industry-standard technical and organizational measures to protect the Personal Data processed hereunder, against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, as set forth in the Security Documentations, including, as appropriate, the measures required pursuant to Article 32 of the GDPR. Such security measures include measures to encrypt personal data; to help ensure ongoing confidentiality, integrity, availability and resilience of Mitiga’s systems and services; to help restore timely access to Personal Data following an incident; and for regular testing of effectiveness. Further, Mitiga is SOC2 (System and Organization Controls) certified, and as part of such certification, reports are created by independent third-party auditors to demonstrate and verify that Mitiga’s security measures are adequate. Upon Client’s request, Mitiga shall make available to Client, the most recent version of such third-party security audit and certification reports commonly made available to Mitiga’s Clients.
10.2. Audit Rights.
10.2.1. Subject to the terms hereof, and not more than once in each calendar year, Mitiga shall make available to a reputable auditor mandated by Client in coordination with Mitiga, at the cost of the Client, upon prior written request, within normal business hours at Mitiga premises, such information necessary and relevant to reasonably demonstrate compliance with this DPA, and shall allow for audits by such reputable auditor mandated by the Client in relation to the processing of the Personal Data by the processor/service provider, provided that such third-party auditor shall be subject to confidentiality obligations.
10.2.2. Client shall use (and ensure that each of its mandated auditors use) its best efforts to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to Mitiga's premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.
11. International Data Transfers.
11.1. To the extent that Mitiga transfers Personal Data to countries outside of the European Economic Area and/or outside of the United Kingdom (UK), which do not provide an adequate level of data protection, as determined by the European Commission pursuant to Article 45 of GDPR, and by the Secretary of State, pursuant to Section 17A of the United Kingdom Data Protection Act 2018, respectively, or other adequate authority as determined by the EU and the UK (“Adequacy Decisions”), such transfer of Client’s Personal Data to other countries, where the application of the SCCs, as between the parties, is required under Applicable Data Protection Laws, shall be subject to: (i) Adequacy Decisions; (ii) exemptions under Article 49 of GDPR; or (iii) the Standard Contractual Clauses, which are incorporated into this DPA by reference and shall be implemented as follows:
11.1.1. In the case of transfer of Personal Data from Client to Mitiga, the parties shall implement Module II - “Controller to Processor”, of the Standard Contractual Clauses, with modifications detailed under this Section 11.1.1, in which case Mitiga shall be deemed as a "Data Importer" and Client shall be deemed as a "Data Exporter". The parties are deemed to have accepted and executed the SCCs, including the associated annexes. However, when Client is acting as a processor, Module III (“Processor-to-Processor”) shall apply, provided that, taking into account the nature of the processing, Client agrees that it is unlikely that Mitiga will know the identity of Client’s controllers, as Mitiga has no direct relationship with Client’s controllers and therefore, Client will fulfill Mitiga’s obligations to Client’s controllers under the Processor-to-Processor SCCs. The contents of Annex I of the SCCs are included within Appendix A to this DPA. The contents of Annex II of the SCCs are included within the Security Documentation. The parties further agree to the following implementation choices under the SCCs:
11.1.1.1. The Parties agree that for the purpose of transfer of Personal Data between Mitiga (Data Importer) and the Client (Data Exporter), the following shall apply:
11.1.1.2. Clause 7: shall not be applicable.
11.1.1.3. Clause 9(a): The parties choose Option 2, “General Written Authorization”, and the method for appointing and time period for prior notice of Sub-processor changes shall be as set forth in Section 6 of the DPA.
11.1.1.4. Clause 11: The parties choose not to include the optional language relating to the use of an independent dispute resolution body.
11.1.1.5. Clause 17: The parties select Option 1 and specify the law of Ireland.
11.1.1.6. Clause 18(b): The parties specify the courts of Ireland.
11.1.2. In the case of transfer of Personal Data between Mitiga and its Sub-Processors for the purposes of carrying out specific Processing activities (on behalf of Client), Mitiga and its Sub-Processors will enter into Module III (“Processor-to-Processor”) of the Standard Contractual Clauses.
11.1.3. If the applicable Data Exporter, under Section 11.1.1 or 11.1.2, is transferring Personal Data governed by the UK GDPR, the parties agree to implement the applicable SCCs, as modified by the UK Addendum. The information required by Table 1 of the UK Transfer Addendum appears within Appendix A to this DPA. In addition, the parties adopt the SCCs, as modified by the UK Transfer Addendum, as to applicable international transfers of UK Personal Data in exactly the same manner set forth in Section 11.1 above, subject to the following:
11.1.3.1. Clause 13: The UK Information Commissioner’s Office (“ICO") shall be the competent supervisory authority.
11.1.3.2. Clause 17: The SCCs, as modified by the UK Transfer Addendum, shall be governed by the laws of England and Wales.
11.1.3.3. Clause 18: The parties agree that any dispute arising from the SCCs, as modified by the UK Transfer Addendum, shall be resolved by the courts of England and Wales. A UK Data Subject may also bring legal proceedings against the Data Exporter and/or Data Importer before the courts of any country in the UK. The parties agree to submit themselves to the jurisdiction of such courts.
11.2. Appendix A attached to this DPA shall also apply in connection with the processing of Personal Data, subject to Applicable Data Protection Law.
11.3. Mitiga reserves the right to adopt an alternative compliance standard to the SCCs for the lawful transfer of Personal Data, provided it is recognized under Data Protection Law. Mitiga will provide 30 days’ advance notice of its adoption of an alternative compliance standard.
12. General Terms.
12.1. Governing Law and Jurisdiction. All disputes with respect to this DPA shall be determined in accordance with the governing law provisions set forth in the Agreement.
12.2. Conflict. In the event of any conflict or inconsistency between this DPA and any other agreements between the parties, including agreements entered into after the date of this DPA, the provisions of this DPA shall prevail.
12.3. Changes in Applicable Data Protection Laws. Client may, by at least forty-five (45) calendar days' prior written notice to processor/service provider, request in writing any changes to this DPA, if they are required, as a result of any change in any Applicable Data Protection Law, regarding the lawfulness of the processing of Personal Data. If Client provides its modification request, Mitiga shall make commercially reasonable efforts to accommodate such modification request, and Client shall not unreasonably withhold or delay agreement to any consequential changes to this DPA to protect Mitiga against any additional risks, and/or to indemnify and compensate Mitiga for any further costs associated with the changes made hereunder.
12.4. Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
******
Appendix A
ANNEX 1.A. LIST OF PARTIES
Data exporter(s): Client.
Contact details: As detailed in the Agreement.
Signature and date: By entering into the Agreement and DPA, Data Exporter is deemed to have executed the SCCs incorporated herein by reference (including their Annexes), as of the Effective Date of the Agreement.
Role: where Module Two applies: The Data Exporter is a data controller; where Module Three applies: The Data Exporter is a data processor.
Data importer(s): Mitiga.
Contact details: As detailed in the Agreement.
Signature and date: By entering into the Agreement and DPA, Data Importer is deemed to have executed the SCCs incorporated herein by reference (including their Annexes), as of the Effective Date of the Agreement.
Role: where Module Two applies: The Data Importer is a data processor; and where Module Three applies: The Data Importer is a sub-processor.
ANNEX 1.B. DETAILS OF PROCESSING OF PROCESSED PERSONAL DATA
1. The subject matter and duration of the processing of processed personal data:
Mitiga will process personal data pursuant to the DPA and the Terms for the duration of the Agreement, unless otherwise agreed upon in writing.
2. The nature and purpose of the processing of personal data:
a. Providing the services to Client under the Agreement;
b. Performing the Agreement, and this DPA;
c. Acting upon Client’s written instructions in accordance with the Agreement and the DPA;
d. Complying with applicable laws and regulations.
3. The types of processed personal data:
In providing the services to Client under the Agreement, Mitiga may have access to Personal Data as required for the provision of Mitiga’s services, including:
- Name or Individual Identifier;
- Location;
- Free form text, limited to (a) naming conventions on shared or group channels and folder or file names, and (b) email subject lines.
4. The categories of data subjects to whom the processed personal data relates are as follows:
- Employees; Contractors; Suppliers; Job applicants; Visitors; Prospects; Trainees; Next of kin
5. Sensitive Data (if applicable).
The Parties do not intend for Sensitive Data to be transferred.
ANNEX 1.C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 11.1 above.