Data Processing Addendum
Last updated: May 15, 2018
This Data Processing Addendum (“DPA”) amends the Agreement between Mirror Technologies Inc (“Mirror”) and Customer and addresses the rights and obligations of the parties with respect to data privacy under Applicable Data Protection Law.
1.1 The terms “controller”, “data subject”, “personal data”, “process,” “processing” and “processor” have the meanings given to these terms in Applicable Data Protection Law.
1.2 “Applicable Data Protection Law” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation” or “GDPR”)
1.3 “Controlled Data” means the personal data that Mirror processes on Customer’s behalf and instructions as part of the Services, but only to the extent that Customer is subject to Applicable Data Protection Law in respect of such personal data.
1.4 “Mirror Services” or “Services” shall have the same meanings as in the Agreement.
1.5 “Privacy Shield Framework” shall mean the EU-US and/or Swiss-US Privacy Shield self-certification program operated by the US Department of Commerce.
1.6 “Security Incident” means any of the following: (a) unauthorized processing or other use or disclosure of personal data; (b) unauthorized access to or acquisition of personal data; and (c) any material unsuccessful attempt to gain unauthorized access to, or to destroy or corrupt, the personal data, but not including any routine, unsuccessful events such as pings, port scans, blocked malware, failed log in attempts, or denial of service attacks.
1.7 “Sub-processor” means an entity engaged by Mirror to process Customer’s Controlled Data.
2 RELATIONSHIP OF THE PARTIES
The parties acknowledge and agree that with regard to the processing of Customer Controlled Data, Customer is a controller or processor, as applicable, and Mirror is a processor.
3 DETAILS OF THE PROCESSING
3.1 Subject Matter. The subject matter of the data processing under this Data Processing Addendum is Customer’s Controlled Data.
3.2 Purpose of the Processing. The purpose of the data processing under this Addendum is the provision of the Mirror Services as initiated by Customer from time to time.
3.3 Categories of Data. Data relating to individuals provided to Mirror via the Mirror Services, by (or at the direction of) Customer or Customer’s end users.
3.4 Categories of Data Subjects. Data subjects may include Customer’s customers, employees, suppliers and end users about whom data is provided to Mirror via the Mirror Services by (or at the direction of) Customer or by Customer’s end users.
3.5 Duration of the Processing. As between Mirror and Customer, the duration of the data processing of Customer Controlled Data under this Addendum is necessarily determined by Customer.
4 OUR PROCESSING RESPONSIBILITIES
4.1 How We Process. Mirror will process Customer’s Controlled Data in accordance with the Agreement and this Data Processing Addendum as necessary to provide the Services. Additional instructions outside the scope of the Agreement and this Data Processing Addendum require prior written agreement between Customer and Mirror, including agreement on any additional fees payable by Customer for carrying out such instructions. Customer shall ensure that its instructions comply with all laws, regulations and rules applicable to the Controlled Data, and that Mirror’s processing of the Controlled Data in accordance with Customer’s instructions will not cause Mirror to violate any applicable law, regulation or rule, including Applicable Data Protection Law. Mirror agrees not to access or use Controlled Data, except as necessary to maintain or provide the Mirror Services, or as necessary to comply with the law or other binding governmental order.
4.2 Notification of Security Incident. Mirror will promptly notify Customer after becoming aware of and confirming the occurrence of a Security Incident for which notification to Customer is required under Applicable Data Protection Law. Mirror will provide Customer with such information about the Security Incident as we are reasonably able to disclose, taking into account the nature of the Services, the information available to us and any restrictions on disclosing the information such as for confidentiality.
4.3 Notification of Inquiry or Complaint. Mirror will provide Customer notice, if permitted by applicable law, upon receiving an inquiry or complaint from a data subject whose personal data is included in Customer’s Controlled Data, or a binding demand (such as a court order or subpoena) from a government, law enforcement, regulatory or other body in respect of Customer’s Controlled Data that we process on Customer’s behalf and instructions.
4.4 Reasonable Assistance with Compliance. Mirror provides Customer with a number of self-service features through the Services or Mirror API, including the ability to delete or retrieve Customer’s Controlled Data, which may be used by Customer to assist in its obligations under Applicable Data Protection Law with respect to responding to requests from data subjects. Mirror will, to the extent that Customer cannot reasonably do so through the Services or Mirror API, provide assistance to Customer in respect of Customer’s fulfillment of Customer’s obligation as controller to respond to requests by data subjects, taking into account the nature of the Services and information available to us. Customer will be responsible for Mirror’s reasonable costs arising from our provision of such assistance.
4.5 Confidentiality of Controlled Data and Responding to Third Party Requests. In the event that any request, correspondence, enquiry or complaint from a data subject, regulatory or third party is made directly to Mirror in connection with Mirror’s processing of Controlled Data, Mirror shall promptly inform Customer providing details of the same, to the extent legally permitted. Unless legally obligated to do so, Mirror shall not respond to any such request, inquiry or complaint without Customer’s prior consent except to confirm that the request relates to Customer to which Customer hereby agrees.
4.6 Confidentiality Obligations of Mirror Personnel. Mirror will ensure that any person it authorizes to process the Controlled Data shall protect the Controlled Data in accordance with Mirror’s confidentiality obligations under the Agreement.
4.7 Security Measures. Mirror has implemented and will maintain appropriate technical and organizational measures to protect Customer’s Controlled Data.
4.8 Sub-processors. Customer agrees that Mirror can share Customer’s Controlled Data with Sub-processors in order to provide Customer the Services. Mirror will impose contractual obligations on our Sub-processors that provide the same level of data protection for Customer’s Controlled Data in all material respects as the contractual obligations imposed in this DPA, to the extent applicable to the nature of the Services provided by such Sub-processor. A list of our current Sub-processors is available at https://www.mirror.me/sub-processors or upon request by sending an email to firstname.lastname@example.org. Customer may object to Mirror’s appointment or replacement of a Sub-processor prior to its appointment or replacement, provided such objection is in writing and based on reasonable grounds relating to data protection. In such event, the parties shall discuss commercial reasonably alternative solutions in good faith. If the parties cannot reach resolution, Mirror will either not appoint or replace the sub-processor or, if this is not possible, Customer may suspend or terminate the Agreement without prejudice to any fees incurred by Customer prior or termination.
4.9 Mirror Audits. Mirror uses external auditors to verify the adequacy of our security measures with respect to processing of Customer’s Controlled Data. Such audits performed at Mirror’s expense and are conducted annually by independent third-party security professionals at Mirror’s selection, and result in the generation of a confidential audit report.
4.10 Customer Audits and Information Requests. Customer agrees to exercise its right to conduct an audit or inspection of our security measures by instructing Mirror to carry out the audit described in Section 4.9. If Customer wishes to change this instruction, then Customer must send a written request to Mirror. Customer will pay our reasonable costs in considering and addressing any such request. If Mirror declines the request to change the instruction, Customer may terminate the Agreement without prejudice to any fees incurred by Customer prior or termination.
5 DATA TRANSFERS
Customer acknowledges that Mirror’s primary processing facilities are in the United States. To the extent that Customer’s use of the Mirror Services requires transfer of personal data transfer out of the European Economic Area (“EEA”) and Switzerland, Mirror will take such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Customer agrees that the Privacy Shield Framework will be the lawful data transfer mechanism of Controlled Data from the EEA to the United States.
The liability of each party under this Data Processing Addendum is subject to the exclusions and limitations of liability set out in the Agreement. Customer agrees that any regulatory penalties or claims by data subjects or others incurred by Mirror in relation to Customer’s Controlled Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this Data Processing Addendum or Applicable Data Protection Law shall reduce Mirror’s maximum aggregate liability to Customer under the Agreement in the same amount as the fine and/or liability incurred by Mirror as a result.
In the event of a conflict between this Data Processing Addendum and the Agreement, this Data Processing Addendum will control.
* * *