Data Protection Addendum to Terms of Use 


1. Definitions. In this Data Protection Addendum (the “Addendum”) defined terms shall have the same meaning, and the same rules of interpretation shall apply, as in the remainder of our Agreement. In addition, in this Addendum the following definitions have the meanings given below:

"Applicable Laws" means applicable laws of the European Union or any of its member states from time to time together with applicable laws in the United Kingdom; 

"Appropriate Safeguards" means such legally enforceable mechanisms for transfers of Personal Data as may be permitted under Data Protection Laws from time to time;

"Client Data" means Personal Data received from or on behalf of You and uploaded on the Platform under the Agreement;

"Controller" has the meaning given to that term or the term data controller in Data Protection Laws; 

"Data Protection Laws" means, as applicable and binding on You and Us:
i) in the United Kingdom: the Data Protection Act 2018, the GDPR, and/or any corresponding or equivalent national laws or regulations;
ii) in member states of the European Union: the GDPR and all relevant member state laws or regulations giving effect to or corresponding with any of the GDPR;
iii) any Applicable Laws replacing, amending, extending, re-enacting or consolidating any of the above Data Protection Laws from time to time;

"Data Protection Losses" means all liabilities, including all:
a) (i) costs (including legal costs), claims, demands, actions, settlements, interests, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and (ii) (to the extent permitted by Applicable Laws) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority;
b) compensation which is ordered by a Supervisory Authority to be paid to a Data Subject; and
c) the reasonable costs of compliance with investigations by a Supervisory Authority;

"Data Subject" has the meaning given to the term in Data Protection Laws; 

"Data Subject Request" means a request made by a Data Subject to exercise any rights of Data Subjects under the Data Protection Laws;

"EEA" means the European Economic Area; 

"GDPR" means the General Data Protection Regulation (EU) 2016/679;

"Personal Data" has the meaning given to that term in Data Protection Laws; 

"Personal Data Breach" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;

"Processor" has the meaning given to that term or the term data processor in Data Protection Laws; 

"Processing" has the meaning given to that term in Data Protection Laws (and related terms such as process, processes and processed have the corresponding meanings); 

"Processing Instructions" are set out in Annex 1; 

"Standard Contractual Clauses" means the standard contractual clauses adopted by the European Commission for the transfer of Personal Data to third countries set out in Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, as the same may be amended, supplemented and/or replaced from time to time for the purposes of GDPR;

"Mivolve Personnel" means all staff, including employees, temporary and agency workers, other contractors, interns and volunteers; 

"Mivolve Security Standards" means the security standards attached to this Addendum as Annex 2; 

"Sub-Processor" means Amazon Web Services Inc. (AWS) and Rackspace International GmbH or such other Processor engaged by Us in a subcontractor capacity for carrying out Processing activities in respect of the Client Data on Your behalf; and 

"Supervisory Authority" means any local, national or multinational agency, department, official, parliament, public or statutory person or any governmental or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.

2. Data Processing Terms 

2.1 Scope and Roles. This Schedule 3 applies when Client Data is Processed by Us. In this context, You acknowledge that You act as the Controller and We act as the Processor for the purposes of Data Protection Laws. In some circumstances, You may act as the Processor, in which case You appoint Us as Sub-Processor; this shall not change the obligations of either You or Us under this Data Protection Addendum, as We will always remain a Processor with respect to You in such event.

2.1.1    You warrant, represent and undertake, that: 

(a) all Client Data sourced by You for use in connection with the Platform or accessed by Us for the performance of the Services and Your Access to the Platform shall comply in all respects with Data Protection Laws, including in terms of its collection, storage and Processing (which shall include You providing all of the required fair processing information to Data Subjects, and the existence of a legal basis for Processing (which may include obtaining all necessary consents from Data Subjects));

(b)       all instructions given by You to Us in respect of Client Data shall at all times be in accordance with the Data Protection Laws; 

(c)        all Client Data is accurate and up to date; 

2.1.2    You have undertaken due diligence in relation to Our Processing operations, and are satisfied (and at all times while You continue to use Our Platform remain satisfied) that:

(a) Our Processing operations are suitable for the purposes for which You propose to use the Platform;

(b) the technical and organisational measures set out in Annex 2 shall ensure a level of security appropriate to the risk in regard to the Client Data; and

(c)        We have sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws. 

2.2       Compliance with Laws. Each party will comply with all Applicable Laws and Data Protection Laws when Processing Client Data. You shall not unreasonably withhold, delay or condition Your agreement to any change, upgrade or Maintenance Release requested by Us in order to ensure the Platform can comply with Data Protection Laws. 

2.3       Instructions for Data Processing. We will Process Client Data in accordance with Your Processing Instructions set out in the Agreement and as set out in Annex 1, being Your complete and final instructions to Us in relation to Processing of Client Data. Processing outside the scope of this Agreement (if any) will require prior written agreement between Us and You on additional instructions for Processing and You will pay reasonable Fees to Us for carrying out such instructions. 

2.4       Access or Use. We will not access or use Client Data, except as necessary to provide the Service and/or to provide Access to the Platform as initiated by You. For the avoidance of doubt, We access Client Data when ingesting data into the Platform and/or when resolving technical issues within the Platform, or when You choose to use Services such as Surveillance with voice transcripts, which will access Your Data to enable such transcripts to be made.

2.5       Legally Required Disclosure. We will not disclose Client Data, except as necessary to comply with the law or a valid and binding order of a Supervisory Authority. If a Supervisory Authority sends Us a demand for Client Data, We will attempt to redirect such Supervisory Authority to request Client Data directly from You. As part of this effort, We may provide Your basic contact information to the Supervisory Authority.  If compelled to disclose Client Data to a Supervisory Authority, then We will give You reasonable notice of the demand to allow You to seek a protective order or other appropriate remedy unless We are legally prohibited from doing so. 

2.6       Mivolve Personnel. We restrict Our Personnel from processing Client Data without authorisation by Us as described in the Mivolve Security Standards and any Processing by Our Personnel will only be permitted for the provision of the Services to You under the Agreement. We will impose appropriate contractual obligations upon Our Personnel, including relevant obligations regarding confidentiality, data protection and data security. 

2.7       Your Controls. The Platform provides You with controls to enable You to retrieve, correct, delete or block Client Data. The Platform has security features and functionalities that You may elect to use. You are responsible for properly:

(a) accessing and using the Platform;

(b) using the controls available in connection with the Platform (including the security controls);

(c) taking such steps as You consider adequate to maintain appropriate security, protection, deletion and backup of Client Data, which may include use of encryption technology to protect Client Data from unauthorised access and routine archiving of Client Data; and

(d) taking appropriate technical and organisational measures within Your systems, infrastructure and network against unauthorised or unlawful access, processing or accidental loss, destruction or damage of Client Data.

2.8  Transfers of Client Data. Client Data will be processed within Our network and Platform, within the EEA. We will not transfer Client Data outside the EEA except as necessary to comply with the Applicable Laws or a valid and binding order of any Supervisory Authority, or on Your written instructions, in which case a transfer will only be made in accordance with Data Protection Laws.

We acknowledge that the transfer of Personal Data to countries outside the EEA (a “third country”) must be carried out in accordance with the requirements of GDPR. We will not transfer Personal Data to a third country unless:

(i) such third country ensures an adequate level of data protection in accordance with a decision of the European Commission under Article 45(3) of GDPR; or

(ii) in the absence of such a decision, We have provided for Appropriate Safeguards in accordance with Article 46(2) of GDPR, including, where applicable, procuring that any transferee (including any affiliate or Sub-Processor) established in a third country enters into the Standard Contractual Clauses with Us, and on condition that enforceable Data Subjects’ rights and effective legal remedies for Data Subjects are available. 

3.         Sub-Processor Obligations. We use Amazon Web Services Inc. (“AWS”) and Rackspace International GmbH (“Rackspace”) as part of the Platform and by accepting our Terms of Use You consent to the use of AWS and Rackspace or such other Sub-Processor that may be used in the future as part of the Platform.  Where We authorise the use of Sub-Processors for the Platform: 

3.1       We will, as with existing Sub-Processors, restrict access to Client Data only to what is necessary to maintain the Platform, provide the Services or provide You and Your Users Access to the Platform in accordance with the Agreement, and We will prohibit the Sub-Processor from accessing Client Data for any purpose other than as set out above;

3.2       We will impose appropriate contractual obligations in writing upon any Sub-Processor that are no less protective than the terms contained herein, including relevant contractual obligations regarding confidentiality, data protection, data security and audit rights;

3.3       We will remain responsible for the Sub-Processor's compliance with those obligations and for any acts or omissions of the Sub-Processor that cause Us to breach any of Our obligations herein; and

3.4       We will maintain an up-to-date list of Sub-Processors and give You notice of the use of a new Sub-Processor prior to the use of such Sub-Processor. If You object to the use of a new Sub-Processor, You may terminate the Agreement for convenience by giving thirty (30) days’ notice to Us as Your sole and exclusive remedy. Any proposed new Sub-Processor shall not be effective prior to expiry of Your notice of termination.

4.         Our Security Responsibilities 

4.1       We are responsible for implementing and maintaining the technical and organisational measures for Our Platform as described in the Mivolve Security Standards set out in Annex 2, designed to help You secure Client Data against unauthorised processing and accidental or unlawful loss, access or disclosure. 

4.2       The technical and organisational measures as set out in Annex 2 include the following:

4.2.1    We have implemented and will maintain measures to maintain the physical security of the Platform. 

4.2.2    We have implemented and will maintain measures to control access rights for Our Personnel in relation to Client Data on the Platform. 

4.2.3    You have implemented and will maintain measures to control access rights to Client Data.

4.2.4    We will process Client Data in accordance with Your instructions as set out in this Agreement and Annex 1 herein. 

4.3       You are solely responsible for reviewing the information made available by Us relating to data security and making an independent determination as to whether the Platform meets Your requirements, and for ensuring that Your Users, personnel or consultants follow the guidelines they are provided regarding data security. 

5.   Audit of Technical and Organisational Measures.

We will, upon Your reasonable request, submit to an audit and inspection and provide You with all such information as You may reasonably require to ensure that You and We are meeting Our obligations under Data Protection Laws. We will immediately inform You if, in Our opinion, an instruction from You infringes or may infringe Data Protection Laws. We will also provide such assistance as may be reasonably requested by You in relation to security of Processing, notifications of Personal Data Breaches and data protection assessments.

6.  Security Breach Notification. 

6.1       If We become aware of either

(a) any unlawful access to any Client Data stored on Our Platform, or

(b) any unauthorised access to such equipment or facilities, where in either case such access results in loss, disclosure, or alteration of Client Data (each a “Security Incident”), We will

(i) notify You of the Security Incident, and

(ii) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.

6.2       You agree that: 

6.2.1    an unsuccessful Security Incident will not be subject to this clause 6 of Schedule 3. An unsuccessful Security Incident is one that results in no unauthorised access to Client Data or to any of Our equipment or facilities storing Client Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorised access to traffic data that does not result in access beyond IP addresses or headers) or similar incidents; and

6.2.2    Our obligations to report or respond to a Security Incident under this clause 6 of Schedule 3 are not and will not be construed as an acknowledgement by Us of any fault or liability by Us with respect to the Security Incident.

6.3       Notifications of Security Incidents, if any, will be delivered to the contact as set out in the Engagement Letter by any means We select including email.  It is Your sole responsibility to ensure You maintain accurate contact information. 

7.    Duties to Inform. Where Client Data becomes subject to confiscation during bankruptcy or insolvency proceedings, or similar measures by third parties, while being processed by Us, We will inform You without undue delay. We will, without undue delay, notify all relevant parties to such action (e.g. creditors, bankruptcy trustee) that any Client Data subjected to those proceedings is Your property and area of responsibility and that such Client Data is at Your sole disposition.

8.   Rights of Data Subjects. You have Access to the Platform that holds Client Data to enable You to respond to Data Subject Requests to access, delete, release, correct or block access to specific Client Data. To the extent that You are unable to access such Client Data, We will follow Your detailed instructions to access, delete, release, correct or block access to Client Data held on the Platform. You agree to pay Our reasonable Fees relating to such access, deletion, release, correction or blocking of access to Client Data on Your behalf. We will pass on to You any request of an individual Data Subject to access, delete, release, correct or block Client Data processed under the Agreement. We will not be responsible for responding directly to the request, unless otherwise required by law.

9.  Return and Deletion of Client Data. Following termination of the Agreement, and/or once Processing by You or Us is no longer required for the purposes of Your services or use of the Platform, We will return to You, delete, or otherwise make available for retrieval the Client Data then held on the Platform.

10.  Liability, Indemnities, and compensation claims. You shall indemnify and keep indemnified Us in respect of all Data Protection Losses suffered or incurred by, awarded against, or agreed to be paid by Us or Our Sub-Processor arising from or in connection with any: 

10.1

(a) non-compliance by You with the Data Protection Laws;

(b) Processing carried out by Us or any Sub-Processor pursuant to any Processing Instructions that infringe Data Protection Laws; or

(c) breach by You of Your obligations under the Agreement.

10.2

We shall be liable for Data Protection Losses however arising, whether in contract or tort (including negligence), under or in connection with the Agreement:

(a) only to the extent caused by the Processing of the Client Data and directly resulting from Our breach of this Agreement; and

(b) in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of this Agreement by You, in particular when We follow Your Processing Instructions.

10.3     If a party receives a compensation claim from a person relating to Processing of Personal Data, it shall promptly provide the other party with notice and full details of such claim. The party with conduct of the action shall:

(a) make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not unreasonably be withheld or delayed); and

(b) consult fully with the other party in relation to such action, but the terms of any settlement or compromise of the claim will be exclusively the decision of the party that is responsible under the Agreement for paying the compensation.

10.4     This clause 10 of Schedule 3 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Laws to the contrary, except:

(a) to the extent not permitted by Applicable Laws (including Data Protection Laws); and

(b) that it does not affect the liability of either party to any Data Subject.

11. Non-disclosure. You agree that the details of this Agreement are not publicly known and constitute Our Confidential Information under the confidentiality provisions of the Agreement, and You will not disclose the contents to any third party except as required by law.

12.       Survival of data protection provisions. Clauses 2-11 of this Schedule 3 shall survive expiry and/or termination (for any reason) of the Agreement.

13.       Conflict. Only to the extent that there is a conflict between the main body of the Agreement and this Schedule, the provisions of this Schedule will control.

ANNEX 1

Categories of Data. The Client Data relating to the Data Subjects which is uploaded onto the Platform by You may include, among other things, personal information relating to identified or identifiable natural persons, such as name, gender, date of birth, age, nationality, biometric data, photographs; home/work landline phone number, personal/work mobile, home/work postal address, personal/work email address; bank account number, source of funds, personal net worth, details of investment activities; passport number, driver's licence number, social security or national insurance number, or other tax identification number.

Processing Operations. Client Data transferred will be subject to the following basic Processing activities (as applicable): compute, storage and content delivery on the Mivolve Platform.

1. Subject-matter of Processing. Client Data uploaded onto Our Platform by You to provide services to Your customers and/or Data Subjects.

2. Duration of the Processing. From commencement of the Agreement until the Agreement is terminated or the Processing has terminated, whichever is the sooner.

3. Nature and purpose of the Processing

Other than as set out in the Agreement for the provision of the Services, We do not access Your Client Data in the Platform. You authorise and request Us to Process the Client Data relating to Data Subjects which is uploaded onto the Platform by You to enable You to provide services to Your customers and/or Data Subjects.

4. Categories of Data Subjects

Your Client Data may contain Personal Data from Data Subjects, which may include Your customers, representatives and Users, partners and/or collaborators.

5. Processing Instructions

5.1        You will at all times remain the Controller of Client Data, and the Processor for purposes of providing services to Your Data Subjects and/or customers. We will remain the Processor or Sub-Processor for purposes of the provision of the Platform and based on the terms set out in the Agreement. We will not use Client Data or disclose such Client Data other than as set forth herein or as instructed by You.

5.2        All Client Data within the Platform is or will be encrypted in transit and at rest, using TLS 1.2, AES-256 encryption and SHA-2 signatures, or such other equivalent industry standard applicable from time to time.

5.3        Client Data at rest in the Platform’s production network is encrypted using FIPS 140-2 compliant encryption standards or such other equivalent industry standard applicable from time to time.  This applies to all types of data including relational databases, file stores and database backups. 

5.4        Encryption keys are held on a secure server on a segregated network with very limited access. Keys are not stored on local file systems.

ANNEX 2

Mivolve Security Standards

1. Information Security Program. We maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) help You secure Client Data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorized access to the Platform, and (c) minimize security risks, including through risk assessment and testing. We will designate one or more employees to coordinate and be accountable for the information security program. The information security program will include the following measures:

2. Platform Security. We will maintain access controls and policies to manage what access is allowed to the Platform from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls. We will maintain corrective action and incident response plans to respond to potential security threats.

3. Physical Security

3.1       Physical Access Controls. Physical components of the Platform are housed in nondescript AWS facilities (the “Facilities”). Physical barrier controls are used to prevent unauthorised entrance to the Facilities both at the perimeter and at building access points. Passage through the physical barriers at the Facilities requires either electronic access control validation (e.g., card access systems, etc.) or validation by human security personnel (e.g., contract or in-house security guard service, receptionist, etc.). Employees and contractors are assigned photo-ID badges that must be worn while the employees and contractors are at any of the Facilities. Visitors are required to sign-in with designated personnel, must show appropriate identification, are assigned a visitor ID badge that must be worn while the visitor is at any of the Facilities, and are continually escorted by authorized employees or contractors while visiting the Facilities.

3.2       Limited Employee and Contractor Access. Access to the Facilities is allowed to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked.

3.3       Physical Security Protections. All access points (other than main entry doors) are maintained in a secured (locked) state. Access points to the Facilities are monitored by video surveillance cameras designed to record all individuals accessing the Facilities. Electronic intrusion detection systems are used that are designed to detect unauthorised access to the Facilities, including monitoring points of vulnerability (e.g., primary entry doors, emergency egress doors, roof hatches, dock bay doors, etc.) with door contacts, glass breakage devices, interior motion-detection, or other devices designed to detect individuals attempting to gain access to the Facilities. All physical access to the Facilities by employees and contractors is logged and routinely audited.

4. Continued Evaluation. We will conduct periodic reviews of the security of the Platform and the adequacy of Our information security program as measured against industry security standards and Our policies and procedures. We will continually evaluate the security of the Platform to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews. AWS is certified under ISO 27001 and will maintain an information security program for the services to Us that complies with the ISO 27001 standards, or such other alternative standards as are substantially equivalent to ISO 27001, for the establishment, implementation, control, and improvement of its Security Standards.