Data Privacy Addendum

Last updated: May 14, 2017


This Data Privacy Addendum (“DPA”) amends the Agreement between Mirror Technologies Inc (“Mirror”) and Customer and addresses the rights and obligations of the parties with respect to data privacy under Applicable Law.


1.1 “Applicable Law” means any statute, regulation, executive order, and other rule(s) issued by a government office or agency that have binding legal force and are generally applicable to Personal Data or the provision of the Services with respect to Personal Data, including EU Regulation 2016/679 and the state and federal laws of the United States.

1.2 “Data Subject” means an individual natural person that is identified or identifiable by means of Personal Data.

1.3 “Personal Data” means any information about a natural person that is identified or identifiable to the natural person, either alone or in combination with other information, that Mirror will Process or have access to during provision of the Services, including any such information that is created by means of the Services. Personal Data includes “personal data” as that term is defined under Applicable Law.

1.4 “Process,” when used with respect to Personal Data, means: (a) to record, store, organize, structure, analyze, query, modify, combine, encrypt, display, disclose, transmit, receive, render unusable, or destroy, by automated means or otherwise; (b) to provide cloud or other remote technology hosting services for applications or services that do any of the foregoing; and (c) any other use or activity that is defined or understood to be processing under Applicable Law.

1.5 “Security Incident” means any of the following: (a) unauthorized Processing or other use or disclosure of Personal Data; (b) unauthorized access to or acquisition of Personal Data; and (c) any material unsuccessful attempt to gain unauthorized access to, or to destroy or corrupt, the Personal Data, but not including any routine, unsuccessful events such as pings, port scans, blocked malware, failed log in attempts, or denial of service attacks.



The Personal Data that Mirror Processes for you as part of the Services is your Confidential Information covered by our confidentiality commitments stated in the Agreement. We make the additional commitments stated in this DPA as to the Personal Data.



We will not use, disclose, or Process the Personal Data except as permitted by the Agreement or your other written instructions, or as necessary for the provision of our Services. We will make available to you a list of any sub-processors we use in compliance with Applicable Law. We will require any sub-processors to contractually agree to terms at least as protective of your Personal Data as those stated in this DPA and the Agreement.



Each party will comply with Applicable Law as it relates to such party’s performance under the Agreement.



We will promptly notify you if we receive a request from a Data Subject to disclose, provide a copy, modify, block, or take any other action with respect to Personal Data pertaining to the Data Subject, unless notice is prohibited by Applicable Law; and, except to the extent required by Applicable Law, we will not independently take any action in response to a request from a Data Subject without your prior written instruction. We will cooperate with your reasonable requests for access to Personal Data and other information and assistance as necessary to respond to a request or complaint by a Data Subject.



In the event of a discovered or suspected Security Incident, Mirror shall provide notice without undue delay to Customer’s technical and account contacts using those means established for routine account-related communications (or other such method of notice as agreed between us). Our notice shall include the following information to the extent it is reasonably available to Mirror at the time of the notice, and Mirror shall update its notice as additional information becomes reasonably available: (a) the dates and times of the Security Incident; (b) the facts behind the discovery of the Security Incident, or the decision to begin an investigation into a suspected Security Incident, as applicable; (c) a description of the Personal Data involved in the Security Incident, and (d) the measures planned or underway to remedy or mitigate the vulnerability giving rise to the Security Incident. We will take those measures available, including measures reasonably requested by you, to address a vulnerability giving rise to a successful Security Incident, both to mitigate the harm resulting from the Security Incident and to prevent similar occurrences in the future. We will cooperate with your reasonable requests in connection with the investigation and analysis of the Security Incident. Mirror shall retain all information that could constitute evidence in a legal action arising from the Security Incident and shall provide the information to you upon your request.



With regard to the Personal Data of others that you may provide to us, you hereby represent and warrant: (a) the Personal Data has been collected in accordance with Applicable Law; (b) the transfer to us for the purpose of providing the Services is authorized under Applicable Law; (c) you will comply with Applicable Law as to requests from Data Subjects in connection with the Personal Data; (d) you shall disclose to us only that Personal Data that is necessary for our provision of the Services; and (e) you shall not ask us to take any action with respect to the Personal Data that you are not permitted to take directly.



We will keep reasonable records to evidence our compliance with our obligations under this DPA and shall preserve such records for at least two (2) years from the date of the events reflected therein.



*  *  *