MEZMO Data Processing Addendum
This Data Processing Addendum (“DPA”) is entered into as of the last date executed below by and between Mezmo, Inc. (“Mezmo”) and the “Customer” as defined below.
THIS DPA APPLIES BETWEEN THE PARTIES WHERE CUSTOMER CLICKS A BOX INDICATING ACCEPTANCE, TRANSFERS PERSONAL DATA TO MEZMO FOR PROCESSING BY MEANS OF SERVICES, OR OTHERWISE AFFIRMATIVELY INDICATES ACCEPTANCE OF THIS DPA. BY DOING SO, YOU: (A) AGREE TO THIS DPA (INCLUDING FOR CLARITY THE STANDARD CONTRACTUAL CLAUSES) EITHER ON BEHALF OF YOURSELF, OR THE ORGANIZATION, COMPANY, OR OTHER LEGAL ENTITY FOR WHICH YOU ACT (EACH, A “CUSTOMER”); AND (B) REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND CUSTOMER AND ITS AFFILIATES TO THIS DPA. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THIS DPA, YOU MAY NOT DIRECTLY OR INDIRECTLY TRANSFER PERSONAL DATA TO MEZMO. MEZMO RESERVES THE RIGHT TO MODIFY OR UPDATE THE TERMS OF THIS DPA IN ITS DISCRETION, THE EFFECTIVE DATE OF WHICH WILL BE THE EARLIER OF (I) 30 DAYS FROM THE DATE OF SUCH UPDATE OR MODIFICATION AND (II) CUSTOMER’S CONTINUED TRANSFER OF PERSONAL DATA TO MEZMO.
Mezmo and Customer may each be referred to as a “Party” and collectively referred to as the “Parties”. As of the DPA Effective Date, this DPA shall be incorporated by reference into the agreement between Customer and Mezmo that governs Customer’s use of the Mezmo software-as-a-service products and services (“Services”), whether such agreement is online or in a written agreement executed in counterparts with Mezmo (“Agreement”). All capitalized terms used in this DPA but not defined shall have the meaning set forth in the Agreement. To the extent of any conflict or inconsistency between this DPA and the remaining terms of the Agreement, this DPA will govern. This DPA sets out the terms that apply when Personal Data is Processed by Mezmo under the Agreement. The purpose of the DPA is to ensure such Processing is conducted in accordance with Data Protection Law and respects the rights of individuals whose Personal Data are Processed under the Agreement.
1. Definitions
“Data Protection Law(s)” means all applicable laws, regulations, and other legal or regulatory requirements in any jurisdiction relating to privacy, data protection/security, or the Processing of Personal Data, including without limitation the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”) and the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”). For the avoidance of doubt, if Mezmo’s processing activities involving Personal Data are not within the scope of a Data Protection Law, such law is not applicable for purposes of this DPA.
“Data Subject” means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Data Subject includes “consumer” as such term is defined under the CCPA.
“EEA” means the European Economic Area, which constitutes the member states of the European Union and Norway, Iceland and Liechtenstein, as well as, for the purposes of this DPA, Switzerland and the United Kingdom.
“EU SCCs” means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the European Council (available as of June 2021 at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj), Module Two (Transfer controller to processor), and completed as described in the “Onward and Trans-border Data Transfers” section below.
“Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
“Personal Data” includes “personal data,” and “personal information,” and such terms shall have the same meaning as defined by Data Protection Law.
“Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making such data available, alignment or combination, restriction, erasure or destruction.
“Standard Contractual Clauses” means the EU SCCs or the UK SCCs or both, as the context requires.
“Subprocessor” means any Mezmo Affiliate or third party engaged by Mezmo for the Processing of Personal Data in connection with the Services.
“Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.
“Third Country” is a country outside the European Economic Area or the UK which is not acknowledged by the EU Commission or a UK Secretary of State as providing an adequate level of protection in accordance with Article 45(3) of the GDPR or Article 45 of the UK GDPR.
“UK Addendum” means the UK Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018 (officially published at: draft-ico-addendum-to-com-scc-20210805.pdf, as a draft), and officially published by the Information Commissioner’s Office. The UK Addendum together with the EU SCCs as amended by the UK Addendum is referred to herein as the “UK SCCs.”
2. Relationship of the Parties
This DPA applies when Personal Data is Processed by Mezmo as part of Mezmo’s provision of the Services, as further specified in the Agreement. Customer is (or represents that it is acting with full authority on behalf of) the “Controller”, and Mezmo is the “Processor”, as such terms (or the equivalent thereof) are defined in Data Protection Law, with respect to the Personal Data Processed under the Agreement. In some circumstances, Customer may be a Processor, in which case Customer appoints Mezmo as Customer’s subprocessor, which shall not change the obligations of either Customer or Mezmo under this DPA.
3. Customer’s Instructions to Mezmo
3.1 Purpose Limitation. Mezmo will not Process Personal Data for any purpose other than for the specific purposes set forth in the Agreement and as otherwise agreed by the parties, unless obligated to do otherwise by applicable law. In such case, Mezmo will inform Customer of that legal requirement before the Processing unless legally prohibited from doing so. Further details regarding Mezmo’s Processing operations are set forth in Annex I. Mezmo will not (a) sell Personal Data, or (b) retain, use or disclose Personal Data outside of the direct business relationship between Customer and Mezmo, except as permitted under applicable Data Protection Laws. For purposes of this paragraph, “sell” shall have the meaning set forth in the CCPA.
3.2 Lawful Instructions. Customer will not instruct Mezmo to Process Personal Data in violation of Data Protection Law. Mezmo has no obligation to monitor the compliance of Customer’s use of the Services with Data Protection Law, though Mezmo will immediately inform Customer if, in Mezmo’s opinion, an instruction from Customer infringes Data Protection Law. The Agreement, including this DPA, along with Customer’s configuration of the Services (as Customer may be able to modify from time to time) and any features applicable to Customer’s then-current version of the Services, constitute Customer’s complete and final instructions to Mezmo regarding the Processing of Personal Data, including for purposes of the Standard Contractual Clauses, and any Processing required outside of the scope of these instructions (inclusive of the rights and obligations set forth under the Agreement) will require prior written agreement of the parties. Customer, as Controller, shall ensure that, in connection with its use of the Services, transfer of Personal Data to Mezmo and provision of instructions to Mezmo as Processor: (a) it will provide all necessary notices to Data Subjects and receive all necessary permissions and consents, or otherwise secure the required lawful ground of Processing, as necessary for Mezmo to process Personal Data on Customer's behalf under the terms of the Agreement and this DPA, pursuant to the applicable Data Protection Laws, and (b) to the extent required under applicable Data Protection Law, it will appropriately document the Data Subjects' notices and consents, or necessary assessment with other applicable lawful grounds of Processing.
4. Subprocessors
Customer acknowledges and agrees that Mezmo’s Affiliates and certain third parties may be retained as Subprocessors to Process Personal Data on Mezmo’s behalf (under this DPA as well as under the Standard Contractual Clauses, if they apply) in order to provide the Services, as set forth in this Section 4. Prior to a Subprocessor’s Processing of Personal Data, Mezmo will impose contractual obligations on the Subprocessor substantially the same as those imposed on Mezmo under this DPA. Mezmo remains liable for its Subprocessors’ performance under this DPA to the same extent Mezmo is liable for its own performance. The Subprocessors engaged by Mezmo and authorized by Customer are listed at Mezmo’s Subprocessor web page: https://www.Mezmo.com/sub-processor. Mezmo will provide Customer with prior notice before utilizing any new Subprocessor(s) to Process Personal Data in connection with the provision of the applicable Services, such notification to be sent to Customer at the email address provided in the signature block of this DPA. Customer may object in writing to Mezmo’s appointment of a new Subprocessor within ten (10) business days of such notice, provided that such objection is based on reasonable grounds relating to data protection and security. In such event, the parties will discuss such concerns in good faith with a view to achieving a mutually agreeable resolution. If the parties are unable to resolve the objection within a reasonable period of time, which shall not exceed thirty (30) days from the date of Mezmo’s original notice, either party may terminate without penalty the applicable Order Form(s) with respect only to those Services which cannot be provided by Mezmo without the use of the objected-to new Subprocessor by providing written notice to the other party.
5. Assistance & Cooperation
5.1 Security. Mezmo will provide reasonable assistance to Customer regarding Customer’s compliance with its security obligations under Data Protection Law relevant to Mezmo’s role in Processing the Personal Data, taking into account the nature of Processing and the information available to Mezmo, by implementing the technical and organizational measures set forth in the Agreement, without prejudice to Mezmo’s right to make future replacements or updates to the measures that do not result in material degradation of the overall security of the Services. Mezmo will ensure that the persons Mezmo authorizes to Process the Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and obligations with respect to the Processing, protection and confidentiality of Personal Data, and are subject to written confidentiality agreements or are under an appropriate statutory obligation of confidentiality no less protective than the confidentiality obligations set forth in the Agreement.
5.2 Personal Data Breach Notification & Response. Mezmo will comply with the Personal Data Breach-related obligations directly applicable to it under Data Protection Law. Taking into account the nature of Processing and the information available to Mezmo, Mezmo will assist Customer by informing it of a confirmed Personal Data Breach without undue delay or otherwise within the time period required under Data Protection Law. Mezmo will notify Customer at the email address provided in the signature block of this DPA for purposes of Personal Data Breach notifications. Any such notification is not an acknowledgement of fault or responsibility. To the extent available, this notification will include Mezmo’s then-current assessment of the following, which may be based on incomplete information:
(a) the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned;
(b) the likely consequences of the Personal Data Breach; and
(c) measures taken or proposed to be taken by Mezmo to address the Personal Data Breach, including, where applicable, measures to mitigate its possible adverse effects.
Mezmo will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with legal requirements for incident notification applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breach.
6. Responding to Individuals Exercising Their Rights Under Applicable Data Protection Law
To the extent legally permitted, Mezmo shall promptly notify Customer if Mezmo receives any requests from an individual seeking to exercise any rights afforded to them under Data Protection Law regarding their Personal Data, which may include: access, rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, objection to the Processing, or to not be subject to an automated individual decision making (each, a “Data Subject Request”). For the avoidance of doubt, Customer is responsible for responding to Data Subject Requests. To the extent Customer, in its use of the Service, does not have the ability to address a Data Subject Request, Mezmo shall, upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Mezmo is legally permitted to do so and the response to such Data Subject Request is required under applicable Data Protection Law. To the extent legally permitted, Customer shall be responsible for any costs arising from Mezmo’s provision of such assistance.
7. DPIAs, Prior Consultation, and Supervisory Authorities or other Regulatory Authorities
Taking into account the nature of the Processing and the information available to Mezmo, Mezmo will, to the extent required by Data Protection Laws, provide reasonable assistance to and cooperation with Customer for Customer’s performance of any legally required data protection impact assessment of the Processing or proposed Processing of the Personal Data involving the Mezmo Services, and in consultation with Supervisory Authorities or other regulatory authorities as required by Data Protection Law, by providing Customer with any publicly available documentation for the Services or by complying with the Audits section below. To the extent legally permitted, Mezmo shall notify Customer without undue delay if a Supervisory Authority or law enforcement authority makes any inquiry or request for disclosure regarding Personal Data, and will attempt to redirect the Supervisory Authority or law enforcement agency to request that data directly from Customer. As part of this effort, Mezmo may provide Customer’s basic contact information to the authority. If compelled to disclose Personal Data to a Supervisory Authority or law enforcement agency, Mezmo will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Mezmo is legally prohibited from doing so. Additional support for data protection impact assessments or relations with regulators or law enforcement authority may be available upon mutual agreement on fees, the scope of Mezmo’s involvement, and any other terms that the Parties deem appropriate.
8. Audits
8.1 Mezmo will make available to Customer all information necessary for Customer to demonstrate compliance with the obligations laid down under Article 28 of the GDPR in relation to the Processing of Personal Data under this DPA by Mezmo and its Subprocessors.
8.2 To the extent required under applicable Data Protection Law or the Standard Contractual Clauses (where applicable), Mezmo shall allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer subject to the following conditions: so long as the Agreement remains in effect and at Customer’s sole expense, Customer may request that Mezmo provide it with documentation, data, and records (“Records”) no more than once annually relating to Mezmo’s procedures relevant to the protection of Personal Data (an “Audit”). The Audit will be pre-scheduled in writing with Mezmo, at least forty-five (45) days in advance, and subject to a mutually agreed-upon audit plan that includes scope, Mezmo billing rates and estimated costs to be paid by Customer. Audits will be performed not more than once per year (unless the audit is required by a Supervisory Authority). To the extent Customer uses a third-party auditor to conduct the Audit, the third-party auditor will execute a non-disclosure and non-competition undertaking directly with Mezmo. All information disclosed in connection with the Audit together with the results of the Audit shall be the Confidential Information of Mezmo. Customer shall conduct its Audit in a manner that will result in minimal disruption to Mezmo’s business operations and shall not be entitled to receive data or information of other clients of Mezmo or any other Confidential Information of Mezmo that is not directly relevant for the authorized purposes of the Audit. If any material non-compliance is identified by an Audit, Mezmo shall take prompt action to correct such non-compliance. For the avoidance of doubt, this provision does not grant Customer any right to conduct an on-site audit of Mezmo’s premises.
9. Return or Destruction of Personal Data
Upon written request from Customer’s authorized representative (which for purposes of this section is any Customer employee that is either a billing owner or an administrative user of the Services or who has confirmed in writing that they are authorized to make decisions on behalf of the Customer), Mezmo shall delete such Personal Data in accordance with the requirements under Data Protection Law. Notwithstanding the foregoing, this provision will not require Mezmo to delete Personal Data from archival and back-up files except as provided by Mezmo's internal data deletion practices and as required by Data Protection Law.
10. Onward and Trans-border Data Transfers
10.1 Transfer of Personal Data governed by GDPR (“EEA Transferred Data”) to a Third Country is made in accordance with the EU SCCs, which are incorporated by reference into this DPA, or, as required, in accordance with any successor thereof or an alternative lawful data transfer mechanism, and are deemed completed as follows:
(a) Customer acts as a controller and Mezmo acts as Customer’s processor with respect to the Personal Data subject to the EU SCCs, and its Module 2 applies.
(b) In Clause 7, the optional docking clause is not included.
(c) In Clause 9 (Use of sub-processors), Option 2 (General written authorization) will apply, and the time period for prior notice of Subprocessor changes will be as set out in Section 4 of this DPA.
(d) In Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
(e) In Clause 17 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights), and the EU SCCs will be governed by Irish law.
(f) Under Clause 18 (Choice of forum and jurisdiction), disputes will be resolved before the courts of Ireland.
(g) Annexes I and II of the EU SCCs are attached hereto as Annexes I and II.
10.2 In accordance with Article 46 of the GDPR and the EU SCCs, and without prejudice to any provisions of this DPA, Mezmo undertakes the following additional safeguards to secure Personal Data transferred on the basis of the EU SCCs and in accordance with Clause 14(b)(iii) of the EU SCCs, to ensure the required adequate level of protection to the EEA Transferred Data:
(a) Mezmo will implement and maintain the technical and organizational measures, as specified in Annex II, such as encryption, access controls, or similar technologies, as applicable, with a purpose to protect EEA Transferred Data against any processing for national security or other government purposes that goes beyond what is necessary and proportionate in a democratic society, considering the type of processing activities under the Agreement and relevant circumstances;
(b) For the purposes of safeguarding EEA Transferred Data when any government or regulatory authority requests access to such data (“Request”), and unless required by a valid court order or if otherwise Mezmo may face criminal charges for failing to comply with orders or demands to disclose or otherwise provide access to EEA Transferred Data, or where the access is requested in the event of imminent threat to lives, Mezmo will:
- not purposefully create back doors or similar programming that could be used to access EEA Transferred Data;
- not provide the source code or encryption keys to any government agency for the purpose of accessing EEA Transferred Data; and
- upon Customer’s written request, provide reasonably available information about the requests for access to Personal Data by government agencies Mezmo has received in the 6 months immediately preceding Customer’s request.
(c) If Mezmo receives a Request, Mezmo will notify Customer of such request to enable the Customer to take necessary actions, to communicate directly with the relevant authority and to respond to the Request. If Mezmo is prohibited by law from notifying the Customer of such request, Mezmo will make reasonable efforts to challenge such prohibition through judicial action or other means at Customer’s expense and, to the extent possible, will provide only the minimum amount of information necessary.
10.3 Transfer of Personal Data governed by UK GDPR (“UK Transferred Data”) to a Third Country is made in accordance with the UK SCCs as follows:
- the EU SCCs, which are incorporated by reference into this DPA, will also apply to UK Transferred Data, subject to Sections 10.1 and 10.2 above; and
- the UK Addendum will be deemed executed between the parties, and the EU SCCs will be deemed amended as specified by the UK Addendum in relation to the UK Transferred Data.
11.1 Except as amended by this DPA, the Agreement will remain in full force and effect.
11.2 If there is a conflict between the Agreement and this DPA, the terms of this DPA will control. If there is a conflict between this DPA and the Standard Contractual Clauses, where the Standard Contractual Clauses are applicable, the Standard Contractual Clauses will control.
11.3 Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement. Each party’s and all of their Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and the DPA together.
ANNEX I
A. LIST OF PARTIES
Module Two: Transfer controller to processor
Data exporter(s):
Name: The exporter is the Customer specified above
Role (controller/processor): Controller as specified in the DPA
Data importer(s):
Name: Mezmo, Inc.
Address: 2059 Camden Ave #297, San Jose, CA 95124 USA
Mezmo’s contact person’s name, position and contact details: Caitlin Haberberger, CFO. privacy@Mezmo.com.
Activities relevant to the data transferred under these Clauses: Personal Data processing for the performance of the Agreement.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Module Two: Transfer controller to processor
Categories of data subjects whose personal data is transferred -
Customer has sole control over the categories of Personal Data it uploads to the Services. Depending on Customer’s usage, this could include Customer’s personnel, as well as individuals in other categories, such as Customer’s customers, service providers, business partners, affiliates (who are natural persons) and end users of the Services.
Categories of personal data transferred -
Customer may submit Personal Data to the Services, the extent of which is determined and controlled solely by Customer in Customer’s discretion.
Special categories of data –
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis) -
Continuous basis, for the term of the Agreement.
Nature of the processing –
All operations such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means), etc.
Purpose(s) of the data transfer and further processing -
The provision of the Services in accordance with the Agreement and as detailed above.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period -
Personal Data will be retained during the term of the Agreement and will be deleted in accordance with the terms therein.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing –
Mezmo’s subprocessors will process personal data to assist Mezmo in providing the Services pursuant to the Agreement, for as long as needed for Mezmo to provide the Services.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13.
The parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Data importer will not materially decrease the overall security of the Services during a subscription term.
LIST OF SUB-PROCESSORS
The controller has authorized the use of the Subprocessors included on the list available at https://www.Mezmo.com/sub-processor as of the DPA Effective Date. Additional Subprocessors may be added in accordance with Section 6 of the DPA.