MEZMO Data Processing Addendum
This Data Processing Addendum (“DPA”) is entered into as of the last date executed below by and between Mezmo, Inc. (“Mezmo”) and the “Customer” as defined below.
THIS DPA APPLIES BETWEEN THE PARTIES WHERE CUSTOMER CLICKS A BOX INDICATING ACCEPTANCE, TRANSFERS PERSONAL DATA TO MEZMO FOR PROCESSING BY MEANS OF SERVICES, OR OTHERWISE AFFIRMATIVELY INDICATES ACCEPTANCE OF THIS DPA. BY DOING SO, YOU: (A) AGREE TO THIS DPA (INCLUDING FOR CLARITY THE STANDARD CONTRACTUAL CLAUSES) EITHER ON BEHALF OF YOURSELF, OR THE ORGANIZATION, COMPANY, OR OTHER LEGAL ENTITY FOR WHICH YOU ACT (EACH, A “CUSTOMER”); AND (B) REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND CUSTOMER AND ITS AFFILIATES TO THIS DPA. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THIS DPA, YOU MAY NOT DIRECTLY OR INDIRECTLY TRANSFER PERSONAL DATA TO MEZMO. MEZMO RESERVES THE RIGHT TO MODIFY OR UPDATE THE TERMS OF THIS DPA IN ITS DISCRETION, THE EFFECTIVE DATE OF WHICH WILL BE THE EARLIER OF (I) 30 DAYS FROM THE DATE OF SUCH UPDATE OR MODIFICATION AND (II) CUSTOMER’S CONTINUED TRANSFER OF PERSONAL DATA TO MEZMO.
Mezmo and Customer may each be referred to as a “Party” and collectively referred to as the “Parties”. As of the DPA Effective Date, this DPA shall be incorporated by reference into the agreement between Customer and Mezmo that governs Customer’s use of the Mezmo software-as-a-service products and services (“Services”), whether such agreement is online or in a written agreement executed in counterparts with Mezmo (“Agreement”). All capitalized terms used in this DPA but not defined shall have the meaning set forth in the Agreement. To the extent of any conflict or inconsistency between this DPA and the remaining terms of the Agreement, this DPA will govern. This DPA sets out the terms that apply when Personal Data is Processed by Mezmo under the Agreement. The purpose of the DPA is to ensure such Processing is conducted in accordance with Data Protection Laws and respects the rights of individuals whose Personal Data are Processed under the Agreement.
1. Definitions
“Customer Personal Data” means Personal Data Processed by Mezmo as Processor on behalf of the Customer pursuant to the performance of the Agreement.
“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” (including corresponding terms such as “Process”, “Processes” and “Processed”), and “Supervisory Authority” shall have the meanings given to those terms in the EU GDPR and to analogous terms with equivalent meanings under Data Protection Laws.
“Data Protection Laws” means all laws, regulations, and other legal or regulatory requirements in any jurisdiction relating to privacy, data protection/security, or the Processing of Personal Data, as applicable to the Parties and/or to the Processing of Personal Data under this Agreement, including without limitation the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”) and the General Data Protection Regulation, Regulation (EU) 2016/679 (“EU GDPR”), and the EU GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”), and the Swiss New Federal Act on Data Protection 2023 (“FADP”). For the avoidance of doubt, if Mezmo’s Processing activities involving Personal Data are not within the scope of a Data Protection Law, such law is not applicable for the purposes of this DPA.
“EEA” means the European Economic Area, which constitutes the member states of the European Union and Norway, Iceland and Liechtenstein, as well as, for the purposes of this DPA, Switzerland and the United Kingdom.
“EU Controller to Processor Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to the EU GDPR, with Module Two selected (which covers transfer from a Controller to a Processor).
“Standard Contractual Clauses” means the EU Controller to Processor Standard Contractual Clauses (including as modified to permit Swiss Personal Data transfers) or the UK International Data Transfer Addendum or both, as the context requires.
“Subprocessor” means any Mezmo Affiliate or third party engaged by Mezmo for the Processing of Personal Data in connection with the Services.
“UK International Data Transfer Addendum” means the UK International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner’s Office and laid before Parliament in accordance with s.119A(1) of the Data Protection Act 2018 on 2 February 2022 (as it is revised under its Section 18) to facilitate the international transfer of Personal Data in compliance with the UK GDPR.
2. Data Processing Details and Compliance
2.1 Mezmo shall be an independent Controller with respect to its Processing of Personal Data in connection with the execution and administration of the Agreement (including contact details of Customer’s personnel/representatives); creation and maintenance of user accounts on the Services; and the anonymization of Personal Data to perform analysis for the purposes of improving the Services. The Parties agree that the Personal Data described under this Section 2.1 does not form part of Customer Personal Data and Mezmo shall comply with its obligations as a Controller with respect to such Personal Data.
2.2 Subject to Section 2.1, the Parties acknowledge that in respect of Customer Personal Data, Mezmo acts as a Processor Processing Personal Data on behalf of the Customer. In some circumstances, Customer may be a Processor, in which case Customer appoints Mezmo as Customer’s Subprocessor, which shall not change the obligations of either Customer or Mezmo under this DPA.
2.3 Details of Customer Personal Data Processed by Mezmo under the Agreement are as follows:
(a) Subject-Matter, Nature and Purpose of the Processing. Mezmo’s provision of the Services under the Agreement. All operations such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means), etc.
Any permitted transfers to Subprocessors shall be in line with the subject matter, nature and duration of the Processing identified above.
(b) Categories of Data Subjects. Customer has sole control over the categories of Personal Data it uploads to the Services. Depending on Customer’s usage, this could include Customer’s personnel, as well as individuals in other categories, such as Customer’s customers, service providers, business partners, affiliates (who are natural persons) and end users of the Services.
(c) Types of Personal Data. Customer may submit Personal Data to the Services, the extent of which is determined and controlled solely by Customer in Customer’s discretion.
(d) Duration of the Processing. Customer Personal Data will be Processed for the duration of the Agreement and in accordance with Mezmo’s retention obligations under the Agreement.
(e) Technical and Organizational Security Measures: Mezmo will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the Services, as described in the security whitepaper published at https://www.Mezmo.com/compliance. As of the Effective Date, Mezmo undergoes a SOC 2 Type II audit on an annual basis with respect to the suitability of its controls to meet the criteria related to security, availability, and confidentiality set forth in the 2016 edition of TSP section 100A, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Principles and Criteria). Additional information is included in Mezmo’s privacy policy published at https://www.Mezmo.com/privacy-policy. Mezmo will not materially decrease the overall security of the Services during a subscription term.
3. Processing of Customer Personal Data
3.1 Mezmo Processes Customer Personal Data only on the written instructions of the Customer (including as set out in the Agreement) and as otherwise agreed by the Parties, unless obligated to do otherwise by applicable law. Mezmo is hereby instructed to Process Customer Personal Data for the purposes of providing the Services under the Agreement. Where Mezmo is required by applicable laws to Process Customer Personal Data other than for the purposes of providing the Services and in accordance with Customer’s instructions, Mezmo will inform Customer of that legal requirement before the Processing unless legally prohibited from doing so.
3.2 Mezmo will not (a) sell Personal Data, or (b) retain, use or disclose Personal Data outside of the direct business relationship between Customer and Mezmo, except as permitted under applicable Data Protection Laws. For purposes of this paragraph, “sell” shall have the meaning set forth in the CCPA.
3.3 Customer instructions to Mezmo for the Processing of Customer Personal Data shall comply with Data Protection Laws. Mezmo has no obligation to monitor the compliance of Customer’s use of the Services with Data Protection Laws, though Mezmo will promptly inform Customer if, in Mezmo’s opinion, an instruction from Customer infringes Data Protection Laws. The Agreement, including this DPA, along with Customer’s configuration of the Services (as Customer may be able to modify from time to time) and any features applicable to Customer’s then-current version of the Services, constitute Customer’s complete and final instructions to Mezmo regarding the Processing of Personal Data, including for purposes of the Standard Contractual Clauses, and any Processing required outside of the scope of these instructions (inclusive of the rights and obligations set forth under the Agreement) will require prior written agreement of the Parties.
3.4 Customer shall ensure that, in connection with its use of the Services, transfer of Customer Personal Data to Mezmo and provision of instructions to Mezmo as Processor: (a) it has provided or will provide all necessary notices to all Data Subjects of Customer Personal Data; (b) it has received all necessary permissions and consents for Mezmo to process Customer Personal Data in accordance with the terms of the Agreement and Data Protection Laws; and (c) Mezmo’s processing of Personal Data in line with Customer’s instructions will not cause Mezmo to violate any applicable law.
4. Mezmo Personnel and Subprocessing
4.1 Mezmo will ensure that the persons Mezmo authorizes to Process Customer Personal Data are subject to written confidentiality agreements or are under an appropriate statutory obligation of confidentiality no less protective than the confidentiality obligations set forth in the Agreement.
4.2 Customer acknowledges and agrees that Mezmo’s Affiliates and certain third parties may be retained as Subprocessors to Process Customer Personal Data on Mezmo’s behalf (under this DPA as well as under the Standard Contractual Clauses, if they apply) in order to provide the Services. The Subprocessors engaged by Mezmo and authorized by Customer are listed at Mezmo’s Subprocessor web page: https://www.Mezmo.com/sub-processor.
4.3 Mezmo will provide Customer with prior notice before utilizing any new Subprocessor(s) to Process Customer Personal Data in connection with the provision of the applicable Services, such notification to be sent to Customer at the email address provided in the signature block of this DPA. Customer may object in writing to Mezmo’s appointment of a new Subprocessor within ten (10) business days of such notice, provided that such objection is based on reasonable grounds relating to data protection and security. In such event, the Parties will discuss such concerns in good faith with a view to achieving a mutually agreeable resolution. If the Parties are unable to resolve the objection within a reasonable period of time, which shall not exceed thirty (30) days from the date of Mezmo’s original notice, either party may terminate without penalty the applicable Order Form(s) with respect only to those Services which cannot be provided by Mezmo without the use of the objected-to new Subprocessor by providing written notice to the other Party.
4.4 Prior to a Subprocessor’s Processing of Customer Personal Data, Mezmo will impose contractual obligations on the Subprocessor substantially the same as those imposed on Mezmo as a Processor under this DPA. Mezmo remains liable to Customer for the performance of its Subprocessors’ data protection obligations concerning Customer Personal Data in the event the Subprocessor fails to fulfil those obligations.
5. Security and Personal Data Breach Notification
5.1 Mezmo shall implement and maintain appropriate technical and organizational measures in relation to the Processing of Customer Personal Data to ensure a level of security appropriate to the risks which may occur as a result of Processing Customer Personal Data, and in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data, including by implementing the technical and organizational measures set forth in the Agreement, without prejudice to Mezmo’s right to make future replacements or updates to the measures that do not result in material degradation of the overall security of the Services. Mezmo provides reasonable assistance to Customer regarding Customer’s compliance with its security obligations under Data Protection Laws relevant to Mezmo’s role in Processing the Personal Data through the technical and organizational measures contemplated by this Section.
5.2 Mezmo will notify Customer without undue delay on becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data or otherwise within the time period required under Data Protection Laws. Mezmo will notify Customer at the email address provided in the signature block of this DPA for purposes of Personal Data Breach notifications. Any such notification is not an acknowledgement of fault or responsibility. To the extent available, this notification will include the name and contact details of the data protection officer or other contact point of Mezmo, where more information can be obtained and Mezmo’s then-current assessment of the following, which may be based on incomplete information:
(a) the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned;
(b) the likely consequences of the Personal Data Breach; and
(c) measures taken or proposed to be taken by Mezmo to address the Personal Data Breach, including, where applicable, measures to mitigate its possible adverse effects.
Mezmo will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with legal requirements for incident notification applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breach.
6. Assistance
7. Audits
7.1 Mezmo will, on request from Customer, make available to Customer all information necessary for Customer to demonstrate compliance with the obligations laid down under Article 28 to the GDPR in relation to the Processing of Customer Personal Data under this DPA by Mezmo.
7.2 To the extent required under applicable Data Protection Laws or the Standard Contractual Clauses (where applicable), Mezmo shall allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer subject to the following conditions: so long as the Agreement remains in effect and at Customer’s sole expense, Customer may request that Mezmo provide it with documentation, data, and records (“Records”) no more than once annually relating to Mezmo’s procedures relevant to the protection of Customer Personal Data (an “Audit”). The Audit will be pre-scheduled in writing with Mezmo, at least forty-five (45) days in advance, and subject to a mutually agreed-upon audit plan that includes scope, Mezmo billing rates and estimated costs to be paid by Customer. Audits will be performed not more than once per year (unless the audit is required by a Supervisory Authority). To the extent Customer uses a third-party auditor to conduct the Audit, the third-party auditor will execute a non-disclosure and non-competition undertaking directly with Mezmo. All information disclosed in connection with the Audit together with the results of the Audit shall be the Confidential Information of Mezmo. Customer shall conduct its Audit in a manner that will result in minimal disruption to Mezmo’s business operations and shall not be entitled to receive data or information of other clients of Mezmo or any other Confidential Information of Mezmo that is not directly relevant for the authorized purposes of the Audit. If any material non-compliance is identified by an Audit, Mezmo shall take prompt action to correct such non-compliance. For the avoidance of doubt, this provision does not grant Customer any right to conduct an on-site audit of Mezmo’s premises.
8. Return or Destruction of Personal Data
Upon written request from Customer’s authorized representative (which for purposes of this section is any Customer employee that is either a billing owner or an administrative user of the Services or who has confirmed in writing that they are authorized to make decisions on behalf of the Customer), Mezmo shall delete or return such Customer Personal Data in accordance with the requirements under Data Protection Law. Notwithstanding the foregoing, this provision will not require Mezmo to delete or return Personal Data from archival and back-up files except as provided by Mezmo's internal data deletion practices and as required by Data Protection Laws.
9. Onward and Trans-border Data Transfers
9.1 Mezmo is certified to the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (collectively, the “DPF”); such certification permits the international transfer of Customer Personal Data from Customer to Mezmo in the U.S. in compliance with Data Protection Laws. Where Mezmo’s certification to the DPF ceases to permit such international transfers of Customer Personal Data to Mezmo in the U.S., Section 9.2 of this DPA shall apply where permitted under Data Protection Laws.
9.2 Subject to Section 9.1 of this DPA, where Mezmo Processes Customer Personal Data subject to the EU GDPR, FADP or UK GDPR, the following international transfer provisions shall apply:
(a) For Customer Personal Data subject to the EU GDPR, the parties agree to comply with the provisions of the EU Controller to Processor Standard Contractual Clauses (“EU SCCs”), which are incorporated into this Agreement by reference and are varied as follows for this purpose: (i) For Annex I of the EU SCCs, the list of parties section shall be deemed completed with the details of Customer (as data exporter) and Mezmo (as data importer) provided in this Agreement and contact information provided by the parties from time to time; the “description of transfers” section shall be deemed completed with the corresponding information in Section 2.3 of this DPA; transfers are “continuous” and the competent supervisory authority is determined in accordance with Clause 13 of the EU SCCs; (ii) For Annex II of the EU SCCs, the technical and organizational measures are completed with the corresponding information set out in Section 2.3 of this DPA; (iii) the optional Clause 7 (Docking Clause) is not included; (iv) Clause 9 (Sub-processors) Option 2 shall apply and the time period for notification of a proposed Subprocessor will be as set out in Section 4.3 of this DPA; (v) the optional Clause 11 (Redress) is excluded; (vi) Clause 13 (Supervision) provides for three alternative options and the most appropriate option will apply; (vii) Clause 17 (Governing law) will be the laws of Ireland; and (viii) Clause 18 (Choice of forum and jurisdiction) is amended so that the courts which have jurisdiction are the courts of Ireland.
(b) For Customer Personal Data subject to the Swiss FADP, the parties agree to comply with the provisions of the EU SCCs as set out and varied by Section 9.2(a) of this DPA and as further amended as follows: (i) The term “Member State” according to Clause 18(c) of the EU SCCs shall not be interpreted in such a way that data subjects in Switzerland are excluded from exercising their rights, if any, at their place of habitual residence; (ii) Any references to EU legislation, EU authorities and the EU Member States in the EU SCCs are amended to reflect corresponding Swiss legislation, Swiss authorities and Switzerland as appropriate; (iii) The Supervisory Authority selected for the purposes of Clause 13 (Supervision) of the EU SCCs is the Swiss Federal Data Protection and Information Commissioner (FDPIC); and (iv) Clause 17 (Governing law) of the EU SCCs shall refer to the law of Switzerland as the governing law and Clause 18 (Choice of forum and jurisdiction) shall refer to the Swiss courts as the proper forum and jurisdiction for disputes and legal proceedings arising.
(c) For Customer Personal Data subject to the UK GDPR, the parties agree to comply with the provisions of the UK International Data Transfer Addendum (“UK IDTA”) which is incorporated into this Agreement by reference and varied as follows for this purpose: (i) the date to be included in Table 1 of the UK IDTA is the date of this Agreement; (ii) for Table 1 and Table 3 of the UK IDTA, the parties’ details, description of the transfer and technical and organizational measures shall be deemed completed with the relevant information as referenced in Section 9.2(a) of this DPA; (iii) for Table 2 of the UK IDTA, information about the version of the EU Standard Contractual Clauses, modules and selected clauses which the UK IDTA is appended to shall reference the EU Standard Contractual Clauses as modified by Section 9.2(a) of this DPA; (iv) for Table 4 of the UK IDTA, both the Importer and the Exporter may end the UK IDTA in accordance with its terms; and (v) Part 2 Mandatory Clauses of the UK IDTA shall be deemed completed with the following provision: “Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under section 18 of those Mandatory Clauses”.
10. Miscellaneous
10.1 Except as amended by this DPA, the Agreement will remain in full force and effect.
10.2 If there is a conflict between the Agreement and this DPA, the terms of this DPA will control. If there is a conflict between this DPA and the Standard Contractual Clauses, where the Standard Contractual Clauses are applicable, the Standard Contractual Clauses will control.
10.3 Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement. Each party’s and all of their Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and the DPA together.