MindBridge Data Processing Addendum
- Definitions
“Applicable Law” means all laws, in any jurisdictions worldwide, that relate to (i) the confidentiality, processing, right to privacy, information security, protection, obligation to provide data breach notifications, transfer or trans-border data flow of Personal Data, or customer information, or (ii) electronic data privacy; whether such laws are in place as of the effective date of this DPA or come into effect during the term. Privacy Laws include but are not limited to EU GDPR, the CCPA and the UK GDPR.
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq., as amended or superseded from time to time (including the California Privacy Rights Act of 2020), and regulations promulgated thereunder.
“Data Controller” means a person who alone or jointly with others determines the purposes and means of the Processing of Personal Data.
“Data Processor” means a person who Processes Personal Data on behalf of the Data Controller.
“Data Security Measures” means technical and organisational measures that are aimed at ensuring a level of\ security of Personal Data that is appropriate to the risk of the Processing, including protecting Personal Data against accidental or unlawful loss, misuse, unauthorised access, disclosure, alteration, destruction, and all other forms of unlawful Processing, including measures to ensure the confidentiality of Personal Data.
“Data Subject” means an identified or identifiable natural person to which the Personal Data pertain.
“EEA” means the European Economic Area.
“EU GDPR” means EU General Data Protection Regulation 2016/679 and any applicable national laws made under it.
“Ex-EEA Sub-processor” means a natural or legal person subcontracted to provide any part of the Services that involves the Processing of Personal Data from a location outside the EEA.
“Instructions” means the Master Agreement, this Addendum and any further written
agreement or documentation through which the Subscriber or, where Subscriber is a Reseller, its customer (if applicable) instructs MindBridge to perform specific Processing of Personal Data.
“Personal Data” means any information relating to an identified or identifiable natural person provided by Subscriber or, where Subscriber is a Reseller, its customer (if applicable) to the Services and Processed by MindBridge in accordance with Subscriber’s Instructions pursuant to this Addendum; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Personal Data Breach” a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
“Process”, “Processed”, or “Processing” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Services” means the services offered by MindBridge and subscribed for by Subscriber under the Master Agreement.
“Sub-Processor” means the entity engaged by the Data Processor or any further Sub-Processor to Process Personal Data on behalf and under the authority of the Data Controller. “UK GDPR” means the UK Data Protection Act 2018 (DPA 18) and the GDPR as it forms part of Retained EU Law and includes all subordinate legislation and relevant regulations.
- Roles and Responsibilities of the Parties
(A) The Parties acknowledge and agree that, as between the parties, Subscriber is acting as a Data Controller and has the sole and exclusive authority to determine the purposes and means of the Processing of Personal Data Processed under this Addendum, and MindBridge is acting as a Data Processor on behalf and under the Instructions of Subscriber. Where Subscriber is processing Personal Data for a third-party Data Controller, it is acknowledged that Subscriber is acting as Data Processor and MindBridge is acting as a Sub-Processor of Subscriber.
III. Obligations of Subscriber
(A) Other than in respect of MindBridge’s obligations under this Addendum, the Subscriber is responsible for ensuring that the processing of Personal Data takes place in compliance with the Applicable Laws, and this Addendum.
(B) The Subscriber has the right and obligation to make decisions about the purposes and means of the processing of Personal Data.
(C) The Subscriber shall be responsible for ensuring that the processing of Personal Data, which MindBridge is instructed to perform, has a legal basis and, if such legal basis is consent, the Subscriber shall retain copies of all relevant consents.
- Obligations of MindBridge
(A) MindBridge agrees to Process Personal Data disclosed to it by Subscriber only on behalf of and in accordance with the Instructions of Subscriber and Annex 1 of this Addendum, . If MindBridge believes that an instruction may cause MindBridge to be in violation of an applicable law, or that an applicable law otherwise requires MindBridge to process Personal Data other than in accordance with this DPA, then MindBridge shall immediately inform Subscriber in advance of any relevant processing of the affected Personal Data, unless the relevant applicable law prohibits this on important grounds of public interest.
(B) MindBridge shall ensure that any person authorised by MindBridge to Process Personal Data in the context of the Services is subject to a duly enforceable contractual or statutory confidentiality obligation, and only processes Personal Data in a manner consistent with the Instructions of the Data Controller.
(C) MindBridge stores and Processes all data, including Personal Data, in a European Union member-state, the US and/or Canada or otherwise in accordance with section V (where such storage may be further determined by the Subscriber in an order form). MindBridge has and shall continue to enter into any written agreements as are necessary (in its reasonable determination) to comply with Applicable Law concerning any cross-border transfer of Personal Data, whether to or from MindBridge.
(D) MindBridge shall notify Subscriber immediately in writing of any subpoena or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of Personal Data Processed by MindBridge. Subscriber shall have the right to defend such action in lieu of and on behalf of MindBridge. Subscriber may, if it so chooses, seek a protective order. MindBridge shall reasonably cooperate with Subscriber in such defense.
(E) MindBridge shall provide assistance to Subscriber in complying with Subscriber’s obligations relating to data protection impact assessments and prior consultations with supervisory authorities taking into account the nature of processing and the information available to MindBridge.
(F) MindBridge shall maintain internal record(s) of its Processing activities, copies of which shall be provided to Subscriber by MindBridge or to supervisory authorities upon request.
(G) MindBridge shall inform Subscriber about any actions of a data protection authority against MindBridge that could affect Subscriber’s Personal Data unless such notification is prohibited by Applicable Law.
- Sub-Processing
(A) Subscriber agrees that MindBridge has its general authorization to engage Sub Processors under the following preconditions:
(a) MindBridge shall not share, transfer, disclose, make available or otherwise provide access to any Personal Data to any Sub-Processor, or contract any of its rights or obligations concerning Personal Data, unless MindBridge has entered into a written agreement with each such Sub-Processor that imposes equivalent data protection obligations on the Sub-Processor as those imposed on MindBridge under this Addendum.
(b) MindBridge shall only retain Sub-Processors that are capable of appropriately protecting the privacy, confidentiality and security of the Personal Data.
(c) MindBridge shall inform Subscriber of any intended changes concerning the addition or replacement of Sub-Processors. Subscriber may object to such intended change within a period of 4 weeks after receipt of the information for good cause. The objection must be justified. In case of an objection, the parties will try to find an amicable solution. If an amicable solution is not possible, the parties shall each have the right to terminate this agreement.
(d) The Subscriber authorises MindBridge to engage the Sub-processors listed in ANNEX2 to this Addendum, which may be updated by MindBridge in accordance with section IV (c) above..
- Transfer of Personal Data outside the EEA
(A) MindBridge is based in Canada and avails of the European Commission decision approving data transfers to Canada pursuant to the 2002/2/C Commission Decision of 20 December 2001. Subject to Section 1 (C), to section MindBridge may transfer and process Personal Data received from or on behalf of the Subscriber to a recipient that is located outside of the EEA and/or the UK only where MindBridge has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Laws. Where such transfer is outside the European Economic Area, Switzerland and/or the UK, MindBridge shall, in advance of any such transfer, ensure that ensure that the transfer is permitted under the Applicable Law, which may include the use of the following transfer mechanisms:
- The requirement for MindBridge to execute the Standard Contractual Clauses published by the Commission on June 7, 2021 and attached hereto at Annex 3.
- The requirement for the third party to be certified under a framework approved by the European Commission to facilitate such transfers; or
- The existence of any other specifically approved safeguard for data transfers (as recognized under the GDPR) and/or a European Commission finding of adequacy
(C) To the extent that the parties are relying on a specific statutory mechanism to allow for data transfer to third countries and that mechanism is subsequently modified, revoked or held in a court of competent jurisdiction to be invalid, the Parties agree to cooperate in good faith to promptly suspend the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer.
- Compliance with Applicable Laws
(A) Each party covenants and undertakes to the other that it shall comply with all Applicable Laws in the use of the Services.
(B) Without limiting the above, (i) Subscriber – unless Subscriber is a Data Processor itself, in which case it shall require the Data Controller assume such responsibility – is responsible for ensuring that it has a lawful basis for the processing of Personal Information in the manner contemplated by this Agreement, and has adequate record of such basis (whether directly or through another third party provider); and (ii) MindBridge is not responsible for determining the requirements of laws applicable to Subscriber’s business or that MindBridge’s provision of the Services meet the requirements of such laws. As between the parties, Subscriber is responsible for the lawfulness of the Processing of the Subscriber Personal Data. Subscriber will not use the Services in conjunction with Personal Data to the extent that doing so would violate Applicable Laws.
(C) If a Data Subject brings a claim directly against MindBridge for a violation of their Data Subject rights in breach of Applicable Laws and such claim does not arise from a breach by MindBridge of the terms of this Addendum, Subscriber will indemnify MindBridge for any cost, charge, damages, expenses or loss arising from such a claim, to the extent that MindBridge has notified Subscriber about the claim and given Subscriber the opportunity to cooperate with MindBridge in the defense and settlement of the claim. Subject to the terms of the Addendum, Subscriber may claim from MindBridge amounts paid to a Data Subject for a violation of their Data Subject rights caused by MindBridge’s breach of its obligations under GDPR.
(D) For purposes of this Section VI(D), “Business Purpose”, “Sell”, and “Share” shall have the meanings given to such terms in the CCPA. MindBridge shall process Personal Data on behalf of Subscriber in furtherance of one or more enumerated Business Purposes under applicable law and comply with the obligations applicable to it under the CCPA, including providing the same level of privacy protection with respect to such Personal Data as is required by the CCPA. If MindBridge determines that it can no longer meet its obligations under the CCPA with respect to Personal Data, MindBridge will notify Subscriber. Furthermore, MindBridge will not: (i) Sell or Share Personal Data; (ii) retain, use, or disclose Personal Data for any purpose other than performing the Services for Subscriber as specified in the Agreement; (iii) retain, use, or disclose Personal Data outside of the direct business relationship between Subscriber and MindBridge; and (iv) combine Personal Data with personal data that it receives from, or on behalf of, another entity, or collects from its own interaction with data subjects except as permitted under applicable law. MindBridge certifies that it understands the foregoing restrictions. Subscriber shall have the right to take reasonable and appropriate steps to help ensure that MindBridge processes Personal Data in a manner consistent with Subscriber’s obligations under the CCPA, including without limitation the right, upon reasonable advanced notice, to stop and remediate any unauthorized processing of Personal Data.
- Data Security
(A) MindBridge maintains and implements a comprehensive written information security program that complies with Applicable Law and good industry practice. MindBridge’s information security program includes appropriate administrative, technical, physical, organisational and operational safeguards and other security measures designed to (i) ensure the security and confidentiality of Personal Data; (ii) protect against any anticipated threats or hazards to the security and integrity of Personal Data; and (iii) protect against any Personal Data Breach, including, as appropriate:
- The pseudonymisation and encryption of the Personal Data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
- The ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident; and
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures adopted pursuant to this provision for ensuring the security of the Processing.
(B) MindBridge shall supervise MindBridge personnel to the extent required to maintain appropriate privacy, confidentiality and security of Personal Data. MindBridge shall provide training, as appropriate, to all MindBridge personnel who have access to Personal Data.
(C) Promptly: (i) on written request of Subscriber; and (ii) following the expiration or earlier termination of the Master Agreement, MindBridge shall return to Subscriber or its designee, if so requested during such period, or if not so requested securely destroy or render unreadable or undecipherable, each and every non-archival copy in every media of all Personal Data in MindBridge’s, its affiliates’ or their respective subcontractors’ possession, custody or control. In the event applicable law does not permit MindBridge to comply with the delivery or destruction of the Personal Data, MindBridge warrants that it shall ensure the confidentiality of the Personal Data and that it shall not use or disclose any Personal Data after termination of this Addendum. It is acknowledged that deletions during the term of the Agreement may result in MindBridge being unable to perform all or part of the Services, and may result in additional costs where multiple requests for deletions impact on the delivery of the Service.
- Data subject rights
(A) MindBridge shall take such technical and organisational measures as may be appropriate, and promptly provide such information to the Subscriber to enable the Subscriber to comply with:
- the rights of Data Subjects under the Data Protection Laws, including subject access rights, the rights to rectify and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and
- information or assessment notices served on the Subscriber by any supervisory authority under the Data Protection Laws.
(B) MindBridge shall promptly inform the Subscriber in the event of receiving a data subject access request concerning Personal Data and will advise the data subject of the request having been forwarded to the Data Controller. MindBridge shall not provide data subjects with access to their personal data nor will it engage directly with a data subject in relation to such requests, save for advising that their request has been forwarded to the Data Controller.
(C) MindBridge shall provide such co-operation and assistance as may be reasonably required to enable the Subscriber to deal with any subject access request or other data subject right in accordance with the provisions of the Data Protection Laws. In particular, MindBridge shall assist the Subscriber in the fulfilment of the Data Controller’s obligation to respond to requests exercising data subjects’ rights under Data Protection Laws.
(D) Data Protection Impact Assessments (DPIAs): MindBridge may be required to assist the Subscriber in undertaking a DPIA before carrying out any processing that uses new technologies (and taking into account the nature, scope, context and purposes of the processing) that is likely to result in a high risk (such as monitoring activities, systematic evaluations or processing special categories of data) to the Data Controller’s data, takes place.
- Data Breach Notification
(A) MindBridge shall without undue delay inform Subscriber in writing of any Personal Data Breach of which MindBridge becomes aware. The notification to Subscriber shall include all available information regarding such Personal Data Breach, including information on:
- The nature of the Personal Data Breach including where possible, the categories and approximate number of affected Data Subjects and the categories and approximate number of affected Personal Data records;
- The likely consequences of the Personal Data Breach; and
- The measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
MindBridge shall cooperate fully with Subscriber in all reasonable and lawful efforts to prevent, mitigate or rectify such Breach. MindBridge shall provide such assistance as required to enable Subscriber to satisfy Subscriber’s obligation to notify the relevant supervisory authority and Data Subjects of a personal data breach under Articles 33 and 34 of the GDPR.
- Information request / Audit
(A) MindBridge shall on written request (but not more than once per year, other than in the event of a breach) make available to Subscriber all information necessary to demonstrate compliance with the obligations set forth in this Addendum and, at the Subscriber’s expense, allow for and contribute to audits, including inspections, conducted by Subscriber or another auditor mandated by Subscriber.
Upon prior written request by Subscriber (provided that it shall be not more than once per year other than in the event of a breach), MindBridge agrees to cooperate and, within reasonable time, provide Subscriber with: (a) audit reports (if any) and all information necessary to demonstrate MindBridge’s compliance with the obligations laid down in this Addendum.
(B) Where Subscriber is a Data Processor itself, the Subscriber may provide the Data Controller with respective documentation received by MindBridge and Data Controller is entitled to conduct audits contemplated at MindBridge, but only insofar as this is required by Applicable Law, a competent court or regulator, all at the Data Controller’s expense.
- Governing Law
This Addendum shall be governed by the laws of the jurisdiction specified in the Agreement.