Mezmo Data Processing Agreement – Processor Roles & Security

“Customer Personal Data” means Personal Data Processed by Mezmo as Processor on behalf of the Customer pursuant to the performance of the Agreement.

Controller ”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” (including corresponding terms such as “Process”, “Processes” and “Processed”), and “Supervisory Authority” shall have the meanings given to those terms in the EU GDPR and to analogous terms with equivalent meanings under Data Protection Laws.

“Data Protection Laws” means all laws, regulations, and other legal or regulatory requirements in any jurisdiction relating to privacy, data protection/security, or the Processing of Personal Data, as applicable to the Parties and/or to the Processing of Personal Data under this Agreement, including without limitation the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”) and the General Data Protection Regulation, Regulation (EU) 2016/679 (“EU GDPR”), and the EU GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”), and the Swiss New Federal Act on Data Protection 2023 (“FADP”). For the avoidance of doubt, if Mezmo’s Processing activities involving Personal Data are not within the scope of a Data Protection Laws, such law is not applicable for the purposes of this DPA.

“EEA" means the European Economic Area, which constitutes the member states of the European Union and Norway, Iceland and Liechtenstein, as well as, for the purposes of this DPA, Switzerland and the United Kingdom.

“EU Controller to Processor Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to the EU GDPR, with Module Two selected (which covers transfer from a Controller to a Processor).

“Standard Contractual Clauses” means the EU Controller to Processor Standard Contractual Clauses (including as modified to permit Swiss Personal Data transfers) or the UK International Data Transfer Addendum or both, as the context requires.

“Subprocessor” means any Mezmo Affiliate or third party engaged by Mezmo for the Processing of Personal Data in connection with the Services.

“UK International Data Transfer Addendum” means the UK International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner’s Office and laid before Parliament in accordance with s.119A(1) of the Data Protection Act 2018 on 2 February 2022 (as it is revised under its Section 18) to facilitate the international transfer of Personal Data in compliance with the UK GDPR.

2.1 Mezmo shall be an independent Controller with respect to its Processing of Personal Data in connection with the execution and administration of the Agreement (including contact details of Customer’s personnel/representatives); creation and maintenance of user accounts on the Services; and the anonymization of Personal Data to perform analysis for the purposes of improving the Services. The Parties agree that the Personal Data described under this Section 2.1 does not form part of Customer Personal Data and Mezmo shall comply with its obligations as a Controller with respect to such Personal Data.

2.2 Subject to Section 2.1, the Parties acknowledge that in respect of Customer Personal Data, Mezmo acts as a Processor Processing Personal Data on behalf of the Customer. In some circumstances, Customer may be a Processor, in which case Customer appoints Mezmo as Customer’s Subprocessor, which shall not change the obligations of either Customer or Mezmo under this DPA.

2.3 Details of Customer Personal Data Processed by Mezmo under the Agreement are as follows :

(a) Subject-Matter, Nature and Purpose of the Processing. Mezmo’s provision of the Services under the Agreement. All operations such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means), etc.

Any permitted transfers to Subprocessors shall be in line with the subject matter, nature and duration of the Processing identified above.

(b) Categories of Data Subjects. Customer has sole control over the categories of Personal Data it uploads to the Services. Depending on Customer’s usage, this could include Customer’s personnel, as well as individuals in other categories, such as Customer’s customers, service providers, business partners, affiliates (who are natural persons) and end users of the Services.

(c) Types of Personal Data. Customer may submit Personal Data to the Services, the extent of which is determined and controlled solely by Customer in Customer’s discretion.

(d) Duration of the Processing. Customer Personal Data will be Processed for the duration of the Agreement and in accordance with Mezmo’s retention obligations under the Agreement.

(e) Technical and Organizational Security Measures: Mezmo will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the Services, as described in the security whitepaper published at https://www.Mezmo.com/compliance. As of the Effective Date, Mezmo undergoes a SOC 2 Type II audit on an annual basis with respect to the suitability of its controls to meet the criteria related to security, availability, and confidentiality set forth in the 2016 edition of TSP section 100A, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Principles and Criteria). Additional information is included in Mezmo’s privacy policy published at https://www.Mezmo.com/privacy-policy. Mezmo will not materially decrease the overall security of the Services during a subscription term.

Data Processing Addendum