Data Processing Agreement

1. Introduction
This DPA forms part of the Terms of Service (the “Terms”) between the Client, who is the controller of the Personal Data, and Mitigram, who is the processor of the Personal Data (the “Processor”).

As part of the obligations set forth in the Terms, the Processor will process Personal Data and other information on behalf of the Client.
This DPA regulates the Processor’s processing of Personal Data belonging to the Client. This DPA shall remain in force for as long as the Processor is processing Personal Data on behalf of the Client.

2. Nature of Processing
Within the scope of the Terms, the Processor will process the following types of Personal Data:

User data regarding Users (typically employees of the Client); such data includes IP address, e-mail, name, phone number and, if the User so chooses, profile picture. The commercial data uploaded by the User/Client may also contain Personal Data.

No “special categories” of Personal Data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation) is processed. The Client accepts that it is not allowed to process such Personal Data in the service.

3. Definitions
Any terminology used in this DPA which is defined in the General Data Protection Regulation (2016/679) shall have the same meaning and interpretation as defined in the regulation.

Any terminology used in this DPA which is defined in the Terms shall have the same meaning and interpretation as defined in the Terms.

4. Processing of Personal Data
4.1 Processing of Personal Data
Processor shall comply with the Client’s documented instructions strictly to the extent necessary for compliance with applicable data protection laws. Any assistance or instructions going beyond such scope may be provided by Processor subject to reasonable reimbursement for time and material. Processor shall not be required to act on instructions issued directly by a supervisory authority unless such instructions are legally binding on the Processor.

Except to the extent required by applicable legislation, Processor shall not use or process Personal Data for any other purpose than what is instructed by Client or derived from such instructions. Processor shall keep Personal Data confidential and shall have no rights to Personal Data. Processor shall not, during or after the term of the Terms, disclose or transfer, or enable access to or processing of, Personal Data to or by any Third Party other than as agreed with Client. For the avoidance of doubt, transfers of Personal Data to subcontractors for the purposes of the Terms are permitted.

4.2 Use of subcontractors
Processor has a general authorization to engage and replace subcontractors (subprocessors) as necessary to support the delivery of the Service. The Processor shall ensure that any engagement of subcontractors processing Personal Data is under a written contract requiring such subcontractors to comply with the same or higher obligations applicable to the Processor under this DPA and the Laws. The engagement of any subcontractor shall not result in material changes to the delivery of the Service or compromise the security or confidentiality of Personal Data.

Processor remains fully liable under this DPA for the acts and omissions of its subprocessors.

The Processor maintains an up-to-date list of all approved subprocessors at https://mitigram.com/subprocessors/. The list includes the subprocessors’ names, services and locations. Processor may update the list from time to time. Client may object to a new subprocessor only on reasonable grounds relating to data protection within thirty (30) days of publication, after which the subprocessor shall be deemed approved. If the Client raises an objection, Processor may cure the objection or, if not feasible, the Client may terminate only the affected service as its sole remedy.

Data disclosures
Where legally permitted, Processor shall notify the Client without undue delay of any legally binding request from a public authority for access to Personal Data. Processor shall not disclose Personal Data unless required to do so under applicable law.

5. Transfer of Personal Data to Third-Countries
Processor and its subprocessors shall process Personal Data exclusively within the EU or EEA. Where a subprocessor is headquartered in a third country but processes Personal Data exclusively within the EU or EEA, such arrangement shall not constitute a third country transfer under the GDPR. Should any restricted transfer occur under Chapter V GDPR, Processor shall ensure appropriate safeguards under Article 46 GDPR, including Standard Contractual Clauses and transfer impact assessments.

The Client is aware that some Entities may be located outside of the EU/EEA. If the Client places a Quote or answers a Request from such an Entity, a transfer to such Entity will take place. The Client is responsible for making sure that such third-country transfer complies with the provisions laid down in the GDPR.

6. Data Security and Safeguards
Processor shall implement and maintain at all times appropriate organizational, operational, managerial, physical and technical measures to protect the Personal Data and any other data of the Client against accidental, unauthorized or unlawful destruction, loss, alteration, disclosure or access, so that all processing is in compliance with the Laws and Client’s reasonable written instructions. These measures ensure a level of security appropriate to the risks presented by the Processing and the nature of the data to be protected, having regard to the state of the art and the cost of their implementation.

Technical safeguards shall include all technical security controls defined by Processor, and at all times take into consideration the degree of sensitivity of the Personal Data, the particular risks which exist, existing technical possibilities, and the costs of carrying out the measures. Processor shall limit access to the Personal Data to authorized and properly trained personnel with a well-defined “need-to-know” basis, who are bound by appropriate confidentiality obligations. Processor shall also ensure by technical and organizational means that Client’s Personal Data is not processed for different purposes (e.g. for different Processor customers) and that the Personal Data is processed separately from the data of other Processor customers.

Processor shall implement commercially reasonable measures to prevent unauthorized access, loss, alteration or disclosure of Personal Data but does not warrant absolute security.

7. Self-Assessments and Audits
On an annual basis during the term of the Terms, Client (or an independent Third Party on its behalf) may, at its own cost, request a review or audit of Processor’s security documentation and/or a written report of self-assessment on Processor’s compliance with this DPA, the Terms and the Laws. The Processor shall be entitled to reasonable reimbursement for its assistance in such review. Audits may occur no more than once per year, require at least thirty (30) days’ written notice, and shall be limited to reviewing documentation made available by Processor. On-site audits shall only be permitted where required by law and shall not materially disrupt Processor’s business operations.

Client is responsible for the costs of the audits. However, should the audit reveal any material violation or breach of this DPA by Processor, the Processor shall bear such costs.

The Processor shall comply with any decisions from the Data Protection Authority or other competent authority in respect of the Personal Data which is processed on behalf of the Client. The Processor shall also allow any competent authority to conduct supervision of the processing which takes place.

8. Handling of Data Breaches
In the event of a Personal Data Breach, or any other threatened enforcement proceeding against the Processor pertaining to the processing of Personal Data, the Processor will provide Client with an accurate written notice immediately by email to a group or distribution email address upon becoming aware of it, and in no event later than twenty-four (24) hours thereafter. Processor may take immediate measures necessary to contain and mitigate a Personal Data Breach without the Client’s prior approval. Processor will also, upon Client’s prior request, provide any appropriate remedial services to individuals.

9. Rights of Data Subjects
Processor shall assist the Client in responding to data subject requests only to the extent the Client cannot fulfil such requests independently through the functionality of the Service. Such assistance shall be subject to reasonable reimbursement.
In the event a public authority or a Third Party requests such information as referred to in the section above, the Processor shall immediately notify the Client of the request, and the Processor and Client shall, in consultation, agree on the appropriate manner of proceeding.

10. Indemnification
Processor shall indemnify the Client only to the extent a final judgment establishes that the Processor has failed to comply with its obligations under this DPA and such failure directly caused the Client to incur damages. Any such indemnity shall be subject to the limitations of liability in the Terms. Processor shall not be liable for indirect or consequential damages.

11. Termination
This DPA shall remain in full force for as long as the Terms are in force and for such period thereafter as is necessary for the activities after Terms termination or expiration to be completed. To the extent that Personal Data is processed by or for Processor, for whatsoever reason, after the termination or expiration of the Terms, this DPA shall continue to apply to such processing for as long as such processing is carried out.

In case of any conflict between the terms of this DPA and the Terms, the provisions of this DPA shall prevail. Any changes to this DPA must be agreed in writing between the Parties.

When the Terms are terminated, the Client shall instruct the Processor to either return or delete all Personal Data which is processed solely on behalf of the Client. Return of Personal Data shall, concerning digital data, mean the sending of a copy to the Client and the deletion of any copies remaining with the Processor.

Should the Client fail to give instructions on whether to return or delete Personal Data within one month from the termination of this DPA, the Client shall be considered to have instructed Personal Data to be deleted.

If the Client does not provide written instructions within thirty (30) days after termination, Processor shall securely delete all Personal Data using commercially reasonable industry standard methods.

12. Warranties
Except as expressly stated in this DPA, Processor provides no additional warranties regarding the processing of Personal Data, and all implied warranties are disclaimed to the maximum extent permitted by law.
