MindBridge Data Processing Addendum

Date of last update: August 28, 2023

This Data Processing Addendum (“Addendum”), applies to agreements between MindBridge Analytics Inc (“MindBridge”), and entities who subscribe for MindBridge’s services and who are subject to Applicable Law (“Subscriber”) (collectively referred to as the “Parties”), sets forth the terms and conditions relating to the privacy, confidentiality and security of Personal Data (as defined below) associated with services to be rendered by MindBridge to Subscriber pursuant to the subscription agreement entered into between the Parties (the “Master Agreement”). For the purpose of this Agreement, “Subscriber” may also refer to a reseller or other entity that is using MindBridge’s services as a processor, where MindBridge is acting as a subprocessor for that Subscriber.

I. Definitions

(A) “Applicable Law” means all applicable European Union (“EU”) or national laws and regulations relating to the privacy, confidentiality, security and protection of Personal Data, including, without limitation: the European Union (“EU”) General Data Protection Regulation 2016/679 (“GDPR”), with effect from 25 May 2018, and EU Member State laws supplementing the GDPR; the EU Directive 2002/58/EC (“e-Privacy Directive”), as replaced from time to time, and EU Member State laws implementing the e-Privacy Directive, including laws regulating the use of cookies and other tracking means as well as unsolicited e-mail communications.

(B) “Data Controller” means a person who alone or jointly with others determines the purposes and means of the Processing of Personal Data.

(C) “Data Processor” means a person who Processes Personal Data on behalf of the Data Controller.

(D) “Data Security Measures” means technical and organisational measures that are aimed at ensuring a level of security of Personal Data that is appropriate to the risk of the Processing, including protecting Personal Data against accidental or unlawful loss, misuse, unauthorised access, disclosure, alteration, destruction, and all other forms of unlawful Processing, including measures to ensure the confidentiality of Personal Data.

(E) “Data Subject” means an identified or identifiable natural person to which the Personal Data pertain.

(F) “EEA” means the European Economic Area.

(G) “Ex-EEA Sub-processor” means a natural or legal person subcontracted to provide any part of the Services that involves the Processing of Personal Data from a location outside the EEA.

(H) “Instructions” means the Master Agreement, this Addendum and any further written agreement or documentation through which the Subscriber or, where Subscriber is a Reseller, its customer (if applicable) instructs MindBridge to perform specific Processing of Personal Data.

(I) “Personal Data” means any information relating to an identified or identifiable natural person provided by Subscriber or , where Subscriber is a Reseller, its customer (if applicable) to the Services and Processed by MindBridge in accordance with Subscriber’s Instructions pursuant to this Addendum; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

(J) “Personal Data Breach” a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

(K) “Process”, “Processed”, or “Processing” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(L) “Services” means the services offered by MindBridge and subscribed for by Subscriber under the Master Agreement.

(M) “Sub-Processor” means the entity engaged by the Data Processor or any further Sub-Processor to Process Personal Data on behalf and under the authority of the Data Controller.

II. Roles and Responsibilities of the Parties

(A) The Parties acknowledge and agree that, as between the parties, Subscriber is acting as a Data Controller, and has the sole and exclusive authority to determine the purposes and means of the Processing of Personal Data Processed under this Addendum, and MindBridge is acting as a Data Processor on behalf and under the Instructions of Subscriber. Where Subscriber is processing Personal Data for a third party Data Controller, it is acknowledged that Subscriber is acting as Data Processor and MindBridge is acting as a Sub-Processor of Subscriber.

III. Obligations of Subscriber

(A) Other than in respect of MindBridge’s obligations under this Addendum, the Subscriber is responsible for ensuring that the processing of Personal Data takes place in compliance with the Applicable Laws, and this Addendum.

(B) The Subscriber has the right and obligation to make decisions about the purposes and means of the processing of Personal Data.

(C) The Subscriber shall be responsible for ensuring that the processing of Personal Data, which MindBridge is instructed to perform, has a legal basis and, if such legal basis is consent, the Subscriber shall retain copies of all relevant consents.

1. Obligations of MindBridge

MindBridge agrees and warrants to:

(A) Process Personal Data disclosed to it by Subscriber only on behalf of and in accordance with the Instructions of Subscriber and Annex 1 of this Addendum, unless MindBridge is otherwise required by Applicable Law, in which case MindBridge shall inform Subscriber of that legal requirement before Processing the Personal Data, unless informing the Subscriber is prohibited by Applicable Law on important grounds of public interest. MindBridge shall immediately inform Subscriber if, in MindBridge’s opinion, an Instruction provided infringes Applicable Law.

(B) Ensure that any person authorised by MindBridge to Process Personal Data in the context of the Services is only granted access to Personal Data on a need-to-know basis, is subject to a duly enforceable contractual or statutory confidentiality obligation, and only processes Personal Data in accordance with the Instructions of the Data Controller.

(C) MindBridge stores and Processes all data, including Personal Data, in a European Union member-state, the US and/or Canada (such storage may be determined by the Subscriber in an order form). MindBridge has and shall continue to enter into any written agreements as are necessary (in its reasonable determination) to comply with Applicable Law concerning any cross-border transfer of Personal Data, whether to or from MindBridge.

(D) Notify Subscriber immediately in writing of any subpoena or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of Personal Data. Subscriber shall have the right to defend such action in lieu of and on behalf of MindBridge. Subscriber may, if it so chooses, seek a protective order. MindBridge shall reasonably cooperate with Subscriber in such defense.

(E) Provide assistance to Subscriber in complying with Subscriber’s obligations relating to the security of Personal Data, data protection impact assessments and prior consultations with supervisory authorities taking into account the nature of processing and the information available to MindBridge.

(F) Maintain internal record(s) of Processing activities, copies of which shall be provided to Subscriber by MindBridge or to supervisory authorities upon request.

(G) Inform Subscriber about any actions of a data protection authority against MindBridge that could affect Subscriber’s Personal Data unless such notification is prohibited by Applicable Law.

IV. Sub-Processing

(A) Subscriber agrees to MindBridge engaging Sub-Processors under the following preconditions:

(a) MindBridge shall not share, transfer, disclose, make available or otherwise provide access to any Personal Data to any Sub-Processor, or contract any of its rights or obligations concerning Personal Data, unless MindBridge has entered into a written agreement with each such Sub-Processor that imposes the same data protection obligations on the Sub-Processor as those imposed on MindBridge under this Addendum.

(b) MindBridge shall only retain Sub-Processors that are capable of appropriately protecting the privacy, confidentiality and security of the Personal Data.

(c) MindBridge shall inform Subscriber of any intended changes concerning the addition or replacement of Sub-Processors. Subscriber may object to such intended change within a period of 4 weeks after receipt of the information for good cause. The objection must be justified. In case of an objection, the parties will try to find an amicable solution. If an amicable solution is not possible, the parties shall each have the right to terminate this agreement.

(d) The Subscriber authorises MindBridge to engage the Sub-processors listed in ANNEX 2 to this Addendum.

V. Transfer of Personal Data outside the EEA

(A) MindBridge is based in Canada and avails of the European Commission decision approving data transfers to Canada pursuant to the 2002/2/C Commission Decision of 20 December 2001. MindBridge may transfer and process Personal Data received from or on behalf of the Subscriber to third parties (which shall include without limitation any affiliates of MindBridge) with the authorization of the Subscriber. A list of such third parties is included at Annex 2. The Subscriber hereby authorises transfers to these third parties, but MindBridge shall not transfer data outside of the EEA or Canada unless requested by Subscriber (either directly or through the request for the functionality that requires processing outside of Canada or the EEA as specified in the table set out in Annex 2).  Where such third party is located outside the European Economic Area, MindBridge shall, in advance of any such transfer, ensure that ensure that the transfer is permitted under the Applicable Law, which may include the use of the following transfer mechanisms:

• The requirement for MindBridge to execute or procure that the third party sub processor executes Standard Contractual Clauses for transfers from Data Controllers to Data Processors published by the Commission on June 7, 2021 and attached hereto at Annex 3. MindBridge will make the executed Standard Contractual Clauses available to the Subscriber on request.
• The requirement for the third party to be certified under a framework approved by the European Commission to facilitate such transfers; or
• The existence of any other specifically approved safeguard for data transfers (as recognized under the GDPR) and/or a European Commission finding of adequacy

(C) MindBridge shall promptly notify the Subscriber of any planned permanent or temporary transfers of Personal Data to a third country and shall only perform such a transfer after obtaining authorisation from the Subscriber which may be refused at its own discretion.

(D) To the extent that the parties are relying on a specific statutory mechanism to allow for data transfer to third countries and that mechanism is subsequently modified, revoked or held in a court of competent jurisdiction to be invalid, the Parties agree to cooperate in good faith to promptly suspend the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer.

VI. Compliance with Applicable Laws

(A) Each party covenants and undertakes to the other that it shall comply with all Applicable Laws in the use of the Services.

(B) Without limiting the above, (i) Subscriber – unless Subscriber is a Data Processor itself, in which case it shall require the Data Controller assume such responsibility – is responsible for ensuring that it has a lawful basis for the processing of Personal Information in the manner contemplated by this Agreement, and has adequate record of such basis (whether directly or through another third party provider); and (ii) MindBridge is not responsible for determining the requirements of laws applicable to Subscriber’s business or that MindBridge’s provision of the Services meet the requirements of such laws. As between the parties, Subscriber is responsible for the lawfulness of the Processing of the Subscriber Personal Data. Subscriber will not use the Services in conjunction with Personal Data to the extent that doing so would violate Applicable Laws.

(C) If a Data Subject brings a claim directly against MindBridge for a violation of their Data Subject rights in breach of Applicable Laws and such claim does not arise from a breach by MindBridge of the terms of this Addendum, Subscriber will indemnify MindBridge for any cost, charge, damages, expenses or loss arising from such a claim, to the extent that MindBridge has notified Subscriber about the claim and given Subscriber the opportunity to cooperate with MindBridge in the defense and settlement of the claim. Subject to the terms of the Addendum, Subscriber may claim from MindBridge amounts paid to a Data Subject for a violation of their Data Subject rights caused by MindBridge’s breach of its obligations under GDPR.

VII. Data Security

(A) MindBridge shall develop, maintain and implement a comprehensive written information security program that complies with Applicable Law and good industry practice. MindBridge’s information security program shall include appropriate administrative, technical, physical, organisational and operational safeguards and other security measures designed to (i) ensure the security and confidentiality of Personal Data; (ii) protect against any anticipated threats or hazards to the security and integrity of Personal Data; and (iii) protect against any Personal Data Breach, including, as appropriate:

1. The pseudonymisation and encryption of the Personal Data;
2. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
3. The ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident; and
4. A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures adopted pursuant to this provision for ensuring the security of the Processing.

(B) MindBridge shall supervise MindBridge personnel to the extent required to maintain appropriate privacy, confidentiality and security of Personal Data. MindBridge shall provide training, as appropriate, to all MindBridge personnel who have access to Personal Data.

(C) Promptly: (i) on written request of Subscriber; and (ii) following the expiration or earlier termination of the Master Agreement, MindBridge shall return to Subscriber or its designee, if so requested during such period, or if not so requested securely destroy or render unreadable or undecipherable, each and every non-archival copy in every media of all Personal Data in MindBridge’s, its affiliates’ or their respective subcontractors’ possession, custody or control. In the event applicable law does not permit MindBridge to comply with the delivery or destruction of the Personal Data, MindBridge warrants that it shall ensure the confidentiality of the Personal Data and that it shall not use or disclose any Personal Data after termination of this Addendum. It is acknowledged that deletions during the term of the Agreement may result in MindBridge being unable to perform all or part of the Services, and may result in additional costs where multiple requests for deletions impact on the delivery of the Service.

VII. Data subject rights

(A) MindBridge shall take such technical and organisational measures as may be appropriate, and promptly provide such information to the Subscriber to enable the Subscriber to comply with:

• the rights of Data Subjects under the Data Protection Laws, including subject access rights, the rights to rectify and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and
• information or assessment notices served on the Subscriber by any supervisory authority under the Data Protection Laws.

(B) MindBridge shall promptly inform the Subscriber in the event of receiving a data subject access request and will advise the data subject of the request having been forwarded to the Data Controller.  MindBridge shall not provide data subjects with access to their personal data nor will it engage directly with a data subject in relation to such requests, save for advising that their request has been forwarded to the Data Controller.

(C ) MindBridge shall provide such co-operation and assistance as may be reasonably required to enable the Subscriber to deal with any subject access request or other data subject right in accordance with the provisions of the Data Protection Laws. In particular, MindBridge shall assist the Subscriber in the fulfilment of the Data Controller’s obligation to respond to requests exercising data subjects’ rights under Data Protection Laws.

(D) Data Protection Impact Assessments (DPIAs): MindBridge may be required to assist the Subscriber in undertaking a DPIA before carrying out any processing that uses new technologies (and taking into account the nature, scope, context and purposes of the processing) that is likely to result in a high risk (such as monitoring activities, systematic evaluations or processing special categories of data) to the Data Controller’s data, takes place.

 IX. Data Breach Notification

(A) MindBridge shall without undue delay inform Subscriber in writing of any potential Personal Data Breach of which MindBridge becomes aware. The notification to Subscriber shall include all available information regarding such Personal Data Breach, including information on:

1. The nature of the Personal Data Breach including where possible, the categories and approximate number of affected Data Subjects and the categories and approximate number of affected Personal Data records;
2. The likely consequences of the Personal Data Breach; and
3. The measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

MindBridge shall cooperate fully with Subscriber in all reasonable and lawful efforts to prevent, mitigate or rectify such Breach. MindBridge shall provide such assistance as required to enable Subscriber to satisfy Subscriber’s obligation to notify the relevant supervisory authority and Data Subjects of a personal data breach under Articles 33 and 34 of the GDPR.

X. Information request / Audit

(A) MindBridge shall on written request (but not more than once per year, other than in the event of a breach) make available to Subscriber all information necessary to demonstrate compliance with the obligations set forth in this Addendum and, at the Subscriber’s expense, allow for and contribute to audits, including inspections, conducted by Subscriber or another auditor mandated by Subscriber. Upon prior written request by Subscriber (provided that it shall be not more than once per year other than in the event of a breach), MindBridge agrees to cooperate and, within reasonable time, provide Subscriber with: (a) audit reports (if any) and all information necessary to demonstrate MindBridge’s compliance with the obligations laid down in this Addendum.

(B) Where Subscriber is a Data Processor itself, the Subscriber may provide the Data Controller with respective documentation received by MindBridge and Data Controller is entitled to conduct audits contemplated at MindBridge, but only insofar as this is required by Applicable Law, a competent court or regulator, all at the Data Controller’s expense.

XIII. Governing Law

This Addendum shall be governed by the laws of the jurisdiction specified in the Agreement.