MindBridge Data Processing Addendum
Date of last update: August 26, 2024
This Data Processing Addendum (“Addendum”) applies to agreements between
MindBridge Analytics Inc (“MindBridge”) and entities who subscribe to
MindBridge’s services and who are subject to Applicable Law (“Subscriber”)
(MindBridge and Subscriber collectively referred to as the “Parties”). It sets
forth the terms and conditions relating to the privacy, confidentiality and
security of Personal Data (as defined below) associated with services to be
rendered by MindBridge to Subscriber pursuant to the subscription agreement
entered into between the Parties (the “Master Agreement”). For the purpose of
this Addendum, “Subscriber” may also refer to a reseller or other entity that is
using MindBridge’s services as a processor, where MindBridge is acting as a
sub-processor for that Subscriber.
- Definitions
“Applicable Law” means all laws, in any jurisdiction worldwide, that relate to
(i) the confidentiality, processing, right to privacy, information security,
protection, obligation to provide data breach notifications, transfer or
trans-border data flow of Personal Data or customer information, or (ii)
electronic data privacy; whether such laws are in place as of the effective
date of this Addendum or come into effect during the term. Applicable Law
includes, but is not limited to, the EU GDPR, the CCPA and the UK GDPR.
“CCPA” means the California Consumer Privacy Act,
Cal. Civ. Code 1798.100 et seq., as amended or superseded from time to
time (including the California Privacy Rights Act of 2020), and regulations
promulgated thereunder.
“Data Controller” means a person who alone or jointly with others determines
the purposes and means of the Processing of Personal Data.
“Data Processor” means a
person who Processes Personal Data on behalf of the Data Controller.
“Data Security Measures” means
technical and organisational measures that are aimed at ensuring a level of
security of Personal Data that is appropriate to the risk of the Processing,
including protecting Personal Data against accidental or unlawful loss, misuse,
unauthorised access, disclosure, alteration, destruction, and all other forms
of unlawful Processing, including measures to ensure the confidentiality of
Personal Data.
“Data Subject” means an
identified or identifiable natural person to which the Personal Data pertain.
“EEA” means the European
Economic Area.
“EU GDPR” means the EU General Data Protection Regulation (Regulation (EU)
2016/679) and any applicable national laws made under it.
“Ex-EEA Sub-processor” means
a natural or legal person subcontracted to provide any part of the Services
that involves the Processing of Personal Data from a location outside the EEA.
“Instructions” means the Master Agreement, this Addendum and any further written
agreement or documentation through which the Subscriber or, where Subscriber is
a Reseller, its customer (if applicable) instructs MindBridge to perform
specific Processing of Personal Data.
“Personal Data” means any information relating to an identified or
identifiable natural person provided by Subscriber or, where Subscriber is a
Reseller, its customer (if applicable) to the Services and Processed by
MindBridge in accordance with Subscriber’s Instructions pursuant to this
Addendum; an identifiable natural person is one who can be identified, directly
or indirectly, in particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one or more
factors specific to the physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person.
“Personal Data Breach” means a breach of security leading to the accidental or
unlawful destruction, loss, alteration, unauthorised disclosure of, or access
to, Personal Data transmitted, stored or otherwise Processed.
“Process”, “Processed” or “Processing” means any operation or set of
operations performed upon Personal Data, whether or not by automated means,
such as collection, recording, organisation, structuring, storage, adaptation
or alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination,
restriction, erasure or destruction.
“Services” means the services offered by MindBridge and subscribed for by
Subscriber under the Master Agreement.
“Sub-Processor” means the entity engaged by the Data Processor or any further
Sub-Processor to Process Personal Data on behalf and under the authority of the
Data Controller.
“UK GDPR” means the UK Data Protection Act 2018 (DPA
18) and the GDPR as it forms part of Retained EU Law and includes all
subordinate legislation and relevant regulations.
- Roles and Responsibilities of the Parties
(A) The Parties acknowledge and agree that, as between the Parties, Subscriber
is acting as a Data Controller and has the sole and exclusive authority to
determine the purposes and means of the Processing of Personal Data Processed
under this Addendum, and MindBridge is acting as a Data Processor on behalf of
and under the Instructions of Subscriber. Where Subscriber is Processing
Personal Data for a third-party Data Controller, it is acknowledged that
Subscriber is acting as a Data Processor and MindBridge is acting as a
Sub-Processor of Subscriber.
- Obligations of Subscriber
(A) Other than in respect of MindBridge’s obligations under this Addendum, the
Subscriber is responsible for ensuring that the Processing of Personal Data
takes place in compliance with Applicable Law and this Addendum.
(B) The
Subscriber has the right and obligation to make decisions about the purposes
and means of the processing of Personal Data.
(C) The
Subscriber shall be responsible for ensuring that the processing of Personal
Data, which MindBridge is instructed to perform, has a legal basis and, if such
legal basis is consent, the Subscriber shall retain copies of all relevant
consents.
- Obligations of MindBridge
(A) MindBridge agrees to Process Personal Data disclosed to it by Subscriber
only on behalf of Subscriber and in accordance with the Instructions of
Subscriber and Annex 1 to this Addendum. If MindBridge believes that an
Instruction may cause MindBridge to be in violation of Applicable Law, or that
Applicable Law otherwise requires MindBridge to Process Personal Data other
than in accordance with this Addendum, then MindBridge shall immediately inform
Subscriber in advance of any relevant Processing of the affected Personal Data,
unless the relevant Applicable Law prohibits this on important grounds of
public interest.
(B) MindBridge
shall ensure that any person authorised by MindBridge to Process Personal Data
in the context of the Services is
subject to a duly enforceable contractual or statutory confidentiality
obligation, and only processes Personal Data in a manner consistent with the
Instructions of the Data Controller.
(C) MindBridge stores and Processes all data, including Personal Data, in a
European Union member state, the US and/or Canada, or otherwise in accordance
with the section “Transfer of Personal Data outside the EEA” below (where such
storage location may be further specified by the Subscriber in an order form).
MindBridge has entered into, and shall continue to enter into, any written
agreements that are necessary (in its reasonable determination) to comply with
Applicable Law concerning any cross-border transfer of Personal Data, whether
to or from MindBridge.
(D) MindBridge
shall notify Subscriber immediately in writing of any subpoena or other
judicial or administrative order by a government authority or proceeding
seeking access to or disclosure of Personal Data Processed by MindBridge.
Subscriber shall have the right to defend such action in lieu of and on behalf
of MindBridge. Subscriber may, if it so chooses, seek a protective order.
MindBridge shall reasonably cooperate with Subscriber in such defense.
(E) MindBridge
shall provide assistance to Subscriber in complying with Subscriber’s
obligations relating to data protection impact assessments and prior
consultations with supervisory authorities taking into account the nature of
processing and the information available to MindBridge.
(F) MindBridge shall maintain internal record(s) of its Processing activities,
copies of which MindBridge shall provide to Subscriber or to supervisory
authorities upon request.
(G) MindBridge
shall inform Subscriber about any actions of a data protection authority
against MindBridge that could affect Subscriber’s Personal Data unless such
notification is prohibited by Applicable Law.
- Sub-Processing
(A) Subscriber grants MindBridge a general authorisation to engage
Sub-Processors, subject to the following preconditions:
(a) MindBridge
shall not share, transfer, disclose, make available or otherwise provide access
to any Personal Data to any Sub-Processor, or contract any of its rights or
obligations concerning Personal Data, unless MindBridge has entered into a
written agreement with each such Sub-Processor that imposes equivalent data
protection obligations on the Sub-Processor as those imposed on MindBridge
under this Addendum.
(b) MindBridge
shall only retain Sub-Processors that are capable of appropriately protecting
the privacy, confidentiality and security of the Personal Data.
(c) MindBridge shall inform Subscriber of any intended changes concerning the
addition or replacement of Sub-Processors. Subscriber may object to such an
intended change, for good cause, within 4 weeks after receipt of the
information. The objection must be justified. In case of an objection, the
Parties will try to find an amicable solution. If an amicable solution is not
possible, each Party shall have the right to terminate this Addendum.
(d) The Subscriber authorises MindBridge to engage the Sub-Processors listed in
Annex 2 to this Addendum, which list may be updated by MindBridge in accordance
with paragraph (c) above.
- Transfer of Personal Data outside the EEA
(A) MindBridge is based in Canada and relies on the European Commission
decision approving data transfers to Canada (Commission Decision 2002/2/EC of
20 December 2001). Subject to paragraph (C) of the section “Obligations of
MindBridge” above, MindBridge may transfer Personal Data received from or on
behalf of the Subscriber to, and Process it at, a recipient located outside of
the EEA and/or the UK only where MindBridge has taken such measures as are
necessary to ensure the transfer complies with Applicable Law. Where such a
transfer is to a location outside the European Economic Area, Switzerland
and/or the UK, MindBridge shall, in advance of any such transfer, ensure that
the transfer is permitted under Applicable Law, which may include the use of
the following transfer mechanisms:
- execution by MindBridge of the Standard Contractual Clauses published by
the European Commission on June 7, 2021 and attached hereto as Annex 3;
- certification of the third party under a framework approved by the
European Commission to facilitate such transfers; or
- any other specifically approved safeguard for data transfers (as
recognised under the GDPR) and/or a European Commission finding of adequacy.
(B) To the extent that the Parties are relying on a specific statutory
mechanism to allow for data transfer to third countries and that mechanism is
subsequently modified, revoked or held by a court of competent jurisdiction to
be invalid, the Parties agree to cooperate in good faith to promptly suspend
the transfer or to pursue a suitable alternative mechanism that can lawfully
support the transfer.
- Compliance with Applicable Laws
(A) Each Party covenants and undertakes to the other that it shall comply with
all Applicable Law in the use of the Services.
(B) Without limiting the above, (i) Subscriber (unless Subscriber is a Data
Processor itself, in which case it shall require that the Data Controller
assume such responsibility) is responsible for ensuring that it has a lawful
basis for the Processing of Personal Data in the manner contemplated by this
Addendum, and has an adequate record of such basis (whether directly or through
another third-party provider); and (ii) MindBridge is not responsible for
determining the requirements of laws applicable to Subscriber’s business or
whether MindBridge’s provision of the Services meets the requirements of such
laws. As between the Parties, Subscriber is responsible for the lawfulness of
the Processing of the Personal Data. Subscriber will not use the Services in
conjunction with Personal Data to the extent that doing so would violate
Applicable Law.
(C) If a Data
Subject brings a claim directly against MindBridge for a violation of their
Data Subject rights in breach of Applicable Laws and such claim does not arise
from a breach by MindBridge of the terms of this Addendum, Subscriber will
indemnify MindBridge for any cost, charge, damages, expenses or loss arising
from such a claim, to the extent that MindBridge has notified Subscriber about
the claim and given Subscriber the opportunity to cooperate with MindBridge in
the defense and settlement of the claim. Subject to the terms of the Addendum,
Subscriber may claim from MindBridge amounts paid to a Data Subject for a
violation of their Data Subject rights caused by MindBridge’s breach of its
obligations under GDPR.
(D) For purposes of this paragraph (D), “Business Purpose”, “Sell” and “Share”
shall have the meanings given to such terms in the CCPA. MindBridge shall
process Personal Data on behalf of Subscriber in furtherance of one or more
enumerated Business Purposes under applicable law and comply with the
obligations applicable to it under the CCPA, including providing the same level
of privacy protection with respect to such Personal Data as is required by the
CCPA. If MindBridge determines that it
can no longer meet its obligations under the CCPA with respect to Personal
Data, MindBridge will notify Subscriber.
Furthermore, MindBridge will not: (i) Sell or Share Personal Data; (ii)
retain, use or disclose Personal Data for any purpose other than performing
the Services for Subscriber as specified in the Master Agreement; (iii) retain,
use or disclose Personal Data outside of the direct business relationship
between Subscriber and MindBridge; or (iv) combine Personal Data with personal
data that it receives from, or on behalf of, another entity, or collects from
its own interaction with data subjects, except as permitted under applicable
law. MindBridge certifies that it understands the foregoing restrictions.
Subscriber shall have the right to take reasonable and appropriate steps to
help ensure that MindBridge Processes Personal Data in a manner consistent with
Subscriber’s obligations under the CCPA, including without limitation the
right, upon reasonable advance notice, to stop and remediate any unauthorised
Processing of Personal Data.
- Data Security
(A) MindBridge
maintains and implements a comprehensive written information security program
that complies with Applicable Law and good industry practice. MindBridge’s
information security program includes appropriate administrative, technical,
physical, organisational and operational safeguards and other security measures
designed to (i) ensure the security and confidentiality of Personal Data; (ii)
protect against any anticipated threats or hazards to the security and
integrity of Personal Data; and (iii) protect against any Personal Data Breach,
including, as appropriate:
- The pseudonymisation and
encryption of the Personal Data;
- The ability to ensure the
ongoing confidentiality, integrity, availability and resilience of
Processing systems and services;
- The ability to restore the
availability and access to the Personal Data in a timely manner in the
event of a physical or technical incident; and
- A process for regularly
testing, assessing and evaluating the effectiveness of technical and
organisational measures adopted pursuant to this provision for ensuring
the security of the Processing.
(B) MindBridge
shall supervise MindBridge personnel to the extent required to maintain
appropriate privacy, confidentiality and security of Personal Data. MindBridge
shall provide training, as appropriate, to all MindBridge personnel who have
access to Personal Data.
(C) Promptly (i) on written request of Subscriber, and (ii) following the
expiration or earlier termination of the Master Agreement, MindBridge shall
return to Subscriber or its designee, if so requested during such period, or,
if not so requested, securely destroy or render unreadable or undecipherable,
each and every non-archival copy in every medium of all Personal Data in
MindBridge’s, its affiliates’ or their respective subcontractors’ possession,
custody or control. In the event Applicable Law does not permit MindBridge to
deliver or destroy the Personal Data, MindBridge warrants that it shall ensure
the confidentiality of the Personal Data and that it shall not use or disclose
any Personal Data after termination of this Addendum. It is acknowledged that
deletions during the term of the Master Agreement may result in MindBridge
being unable to perform all or part of the Services, and may result in
additional costs where multiple requests for deletion impact the delivery of
the Services.
- Data subject rights
(A) MindBridge
shall take such technical and organisational measures as may be appropriate,
and promptly provide such information to the Subscriber to enable the
Subscriber to comply with:
- the rights of Data Subjects under Applicable Law, including subject access
rights, the rights to rectify and erase Personal Data, to object to the
Processing and automated Processing of Personal Data, and to restrict the
Processing of Personal Data; and
- information or assessment notices served on the Subscriber by any
supervisory authority under Applicable Law.
(B) MindBridge
shall promptly inform the Subscriber in the event of receiving a data subject
access request concerning Personal Data and will advise the data subject of the
request having been forwarded to the Data Controller. MindBridge shall
not provide data subjects with access to their personal data nor will it engage
directly with a data subject in relation to such requests, save for advising
that their request has been forwarded to the Data Controller.
(C) MindBridge shall provide such co-operation and assistance as may be
reasonably required to enable the Subscriber to deal with any subject access
request or other Data Subject right in accordance with the provisions of
Applicable Law. In particular, MindBridge shall assist the Subscriber in the
fulfilment of the Data Controller’s obligation to respond to requests
exercising Data Subjects’ rights under Applicable Law.
(D) Data Protection Impact Assessments (DPIAs): MindBridge may be required to
assist the Subscriber in undertaking a DPIA before any Processing that uses new
technologies and, taking into account the nature, scope, context and purposes
of the Processing, is likely to result in a high risk in relation to the Data
Controller’s Personal Data (such as monitoring activities, systematic
evaluations or the Processing of special categories of data) takes place.
- Data Breach Notification
(A) MindBridge
shall without undue delay inform Subscriber in writing of any Personal Data
Breach of which MindBridge becomes aware. The notification to Subscriber shall
include all available information regarding such Personal Data Breach,
including information on:
- The nature of the Personal
Data Breach including where possible, the categories and approximate
number of affected Data Subjects and the categories and approximate number
of affected Personal Data records;
- The likely consequences of
the Personal Data Breach; and
- The measures taken or
proposed to be taken to address the Personal Data Breach, including, where
appropriate, measures to mitigate its possible adverse effects.
MindBridge shall cooperate fully with Subscriber in all reasonable and lawful
efforts to prevent, mitigate or rectify such Personal Data Breach. MindBridge
shall provide such assistance as is required to enable Subscriber to satisfy
Subscriber’s obligation to notify the relevant supervisory authority and Data
Subjects of a Personal Data Breach under Articles 33 and 34 of the GDPR.
- Information request / Audit
(A) MindBridge shall, on written request (but not more than once per year,
other than in the event of a Personal Data Breach), make available to
Subscriber all information necessary to demonstrate compliance with the
obligations set forth in this Addendum and, at the Subscriber’s expense, allow
for and contribute to audits, including inspections, conducted by Subscriber or
another auditor mandated by Subscriber. Upon prior written request by
Subscriber (provided that it shall be not more than once per year, other than
in the event of a Personal Data Breach), MindBridge agrees to cooperate and,
within a reasonable time, provide Subscriber with audit reports (if any) and
all information necessary to demonstrate MindBridge’s compliance with the
obligations laid down in this Addendum.
(B) Where Subscriber is a Data Processor itself, the Subscriber may provide the
Data Controller with the respective documentation received from MindBridge,
and the Data Controller is entitled to conduct the audits contemplated above at
MindBridge, but only insofar as this is required by Applicable Law, a competent
court or a regulator, all at the Data Controller’s expense.
- Governing Law
This Addendum shall be governed by the laws of the jurisdiction specified in
the Master Agreement.