Data Processing Agreement

1. Introduction
This DPA forms part of the Terms of Service (the “Terms”) between the Client, who is the controller of the Personal Data, and Mitigram, who is the processor of the Personal Data (the “Processor”).

As part of the obligations set forth in the Terms, the Processor will process Personal Data and other information on behalf of the Client.
This DPA regulates the Processor’s processing of Personal Data belonging to the Client. This DPA shall remain in force for as long as the Processor is processing Personal Data on behalf of the Client.

2. Nature of Processing
Within the scope of the Terms, the Processor will process the following types of Personal Data:

User data regarding Users (typically employees of the Client); such data includes IP address, e-mail, name, phone number and, if the User so chooses, profile picture. The commercial data uploaded by the User/Client may also contain Personal Data.

No “special categories” of Personal Data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation) is processed. The Client accepts that it is not allowed to process such Personal Data in the service.

3. Definitions
Any terminology used in this DPA which is defined in the General Data Protection Regulation (2016/679) shall have the same meaning and interpretation as defined in the regulation.

Any terminology used in this DPA which is defined in the Terms shall have the same meaning and interpretation as defined in the Terms.

4. Processing of Personal Data
4.1 Processing of Personal Data
Processor shall comply with the Client’s documented instructions strictly to the extent necessary for compliance with applicable data protection laws. Any assistance or instructions going beyond such scope may be provided by Processor subject to reasonable reimbursement for time and material. Processor shall not be required to act on instructions issued directly by a supervisory authority unless such instructions are legally binding on the Processor.

Except to the extent required by applicable legislation, Processor shall not use or process Personal Data for any other purpose than what is instructed by Client or derived from such instructions. Processor shall keep Personal Data confidential and shall have no rights to Personal Data. Processor shall not, during or after the term of the Terms, disclose or transfer, or enable access to or processing of, Personal Data to or by any Third Party other than as agreed with Client. For the avoidance of doubt, transfers of Personal Data to subcontractors for the purposes of the Terms are permitted.

4.2 Use of subcontractors
Processor has a general authorization to engage and replace subcontractors (subprocessors) as necessary to support the delivery of the Service. The Processor shall ensure that any engagement of subcontractors processing Personal Data is under a written contract requiring such subcontractors to comply with the same or higher obligations applicable to the Processor under this DPA and the Laws. The engagement of any subcontractor shall not result in material changes to the delivery of the Service or compromise the security or confidentiality of Personal Data.

Processor remains fully liable under this DPA for the acts and omissions of its subprocessors.

The Processor maintains an up-to-date list of all approved subprocessors at https://mitigram.com/subprocessors/. The list includes the subprocessors’ names, services and locations. Processor may update the list from time to time, and publication of an updated list on this page shall constitute written notice to the Client.

The Processor shall publish such update at least thirty (30) days before the proposed subprocessor is used to process the Client’s Personal Data.

Client may object to a new subprocessor only on reasonable grounds relating to data protection and compliance with applicable data protection laws by notifying the Processor in writing within thirty (30) days from the date of publication.

Where the Client raises a valid objection, the Processor shall not use the proposed subprocessor to process the Client’s Personal Data and shall continue providing the Service without that subprocessor, unless the Parties agree otherwise or such use is technically infeasible. 

Data disclosures
Where legally permitted, Processor shall notify the Client without undue delay of any legally binding request from a public authority for access to Personal Data. Processor shall not disclose Personal Data unless required to do so under applicable law.

4.3 Processor obligations

a. Documented instructions. Processor shall process Personal Data only in accordance with the Client’s documented instructions, unless processing is required by applicable Union or Member State law.

b. Confidentiality. Processor shall ensure that persons authorized to process Personal Data are bound by confidentiality obligations under contract or applicable law.

c. Regulatory Assistance. Taking into account the nature of the processing and information available, Processor shall provide reasonable assistance to the Client in relation to obligations under Articles 32–36 GDPR, to the extent applicable to the Services.

d. Data Subject Rights. Processor shall, where reasonably required and technically feasible, assist the Client in responding to data subject requests under Chapter III GDPR.

e. Deletion or Return. Upon termination or expiration of the Services, Processor shall, at the Client’s choice, delete or return Personal Data in accordance with Section 11, unless retention is required by applicable law.

f. Demonstration of Compliance. Processor shall make available information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR, subject to and in accordance with Section 7 (Self-Assessments and Audits).

5. Transfer of Personal Data to Third-Countries

5.1 Location of Processing. Processor and its subprocessors shall process Personal Data exclusively within the EU or EEA. Where a subprocessor is headquartered outside the EU/EEA but processes Personal Data solely within the EU/EEA, such processing shall not constitute a transfer to a third country under Chapter V GDPR.

5.2 Restricted Transfers. To the extent that the Processor transfers or permits the transfer of Personal Data to a third country within the meaning of Chapter V GDPR, such transfer shall be subject to appropriate safeguards pursuant to Article 46 GDPR, including the Standard Contractual Clauses adopted by the European Commission, Module Two (Controller to Processor) or Module Three (Processor to Processor), as applicable. Processor shall conduct and document a transfer impact assessment where required by applicable law. The Client shall, upon request, provide information reasonably necessary to support such assessment.

5.3 Client-Initiated Transfers to Third-Country Entities. Where the Client, through use of the Service, initiates the disclosure of Personal Data to an Entity located outside the EU/EEA, such disclosure shall be deemed a transfer initiated by the Client in its capacity as controller. The Client is solely responsible for ensuring that such transfer complies with Chapter V GDPR, including the implementation of appropriate transfer safeguards where required.

6. Data Security and Safeguards
Processor shall implement and maintain at all times appropriate organizational, operational, managerial, physical and technical measures to protect the Personal Data and any other data of the Client against accidental, unauthorized or unlawful destruction, loss, alteration, disclosure or access, so that all processing is in compliance with the Laws and Client’s reasonable written instructions. These measures ensure a level of security appropriate to the risks presented by the Processing and the nature of the data to be protected, having regard to the state of the art and the cost of their implementation.

Technical safeguards shall include all technical security controls defined by Processor, and shall at all times take into consideration the degree of sensitivity of the personal data, the particular risks which exist, existing technical possibilities, and the costs of carrying out the measures. Processor shall limit access to the Personal Data to authorized and properly trained personnel on a well-defined “need-to-know” basis, who are bound by appropriate confidentiality obligations. Processor shall also ensure by technical and organizational means that Client’s Personal Data is not processed for different purposes (e.g. for different Processor customers) and that the Personal Data is processed separately from the data of other Processor customers.

Processor shall implement commercially reasonable measures to prevent unauthorized access, loss, alteration or disclosure of Personal Data but does not warrant absolute security.

7. Self-Assessments and Audits
On an annual basis during the term of the Terms, Client (or an independent Third Party on its behalf) may, at its own cost, request a review or audit of Processor’s security documentation and/or a written report of self-assessment on Processor’s compliance with this DPA, the Terms and the Laws. The Processor shall be entitled to reasonable reimbursement for its assistance in such review. Audits may occur no more than once per year, require at least thirty (30) days’ written notice, and shall be limited to reviewing documentation made available by Processor. On-site audits shall only be permitted where required by law and shall not materially disrupt Processor’s business operations.

Client is responsible for the costs of the audits, unless the audit reveals a material violation or breach of this DPA by the Processor, in which case the Processor shall bear such costs.

The Processor shall comply with any decisions from the Data Protection Authority or other competent authority in respect of the Personal Data which is processed on behalf of the Client. The Processor shall also allow any competent authority to conduct supervision of the processing which takes place.

8. Handling of Data Breaches
In the event of a Personal Data Breach, or any other threatening enforcement proceeding against the Processor pertaining to the processing of Personal Data, the Processor will provide Client with an accurate written notice immediately by email to a group or distribution email address, upon becoming aware of it, and in no event later than within twenty-four (24) hours. Processor may take immediate measures necessary to contain and mitigate a Personal Data Breach without the Client’s prior approval. Processor will also, upon Client’s prior request, provide any appropriate remedial services to individuals.

9. Rights of Data Subjects
Processor shall assist the Client in responding to data subject requests only to the extent the Client cannot fulfil such requests independently through the functionality of the Service. Such assistance shall be subject to reasonable reimbursement.
In the event a public authority or a Third Party requests information of the kind described in the section above, the Processor shall immediately notify the Client of the request, and the Processor and Client shall, in consultation, agree on the appropriate manner of proceeding.

10. Indemnification
Processor shall indemnify the Client only to the extent a final judgment establishes that the Processor has failed to comply with its obligations under this DPA and such failure directly caused the Client to incur damages. Any such indemnity shall be subject to the limitations of liability in the Terms. Processor shall not be liable for indirect or consequential damages.

11. Termination
This DPA shall remain in full force for as long as the Terms are in force and for such period thereafter as is necessary for the activities after Terms termination or expiration to be completed. To the extent that Personal Data is processed by or for Processor, for whatsoever reason, after the termination or expiration of the Terms, this DPA shall continue to apply to such processing for as long as such processing is carried out.

In case of any conflict between the terms of this DPA and the Terms, the provisions of this DPA shall prevail. Any changes to this DPA must be agreed in writing between the Parties.

When the Terms are terminated, the Client shall instruct the Processor to either return or delete all Personal Data which is processed solely on behalf of the Client. Returning of Personal Data shall, concerning digital data, mean the sending of a copy to the Client and deleting any copies remaining with the Processor.

Should the Client fail to give instructions on whether to return or delete Personal Data within one month from the termination of this DPA, the Client shall be considered to have instructed Personal Data to be deleted.

If the Client does not provide written instructions within thirty (30) days after termination, Processor shall securely delete all Personal Data using commercially reasonable industry standard methods.

12. Warranties
Except as expressly stated in this DPA, Processor provides no additional warranties regarding the processing of Personal Data, and all implied warranties are disclaimed to the maximum extent permitted by law.
