This Data Processing Agreement and its Annexes (collectively referred to as the “DPA”) is incorporated into the Master Terms of Service (“Master Terms”) between Customer and Modus Engagement, Inc. (“Modus”). This DPA states the parties’ agreement with respect to the Processing of Personal Data by Modus on Customer’s behalf. This DPA includes the following Annexes:
Modus may update the terms of this DPA from time to time as data processing requirements change or products evolve. If this happens, Modus will notify you via email or the Service interface.
I. DEFINITIONS
All defined terms in the Master Terms are incorporated by reference into this DPA. This DPA will control with respect to the subject matter herein in the event of any conflict with the Master Terms. In addition to those terms defined in the Master Terms or elsewhere in this DPA, the following definitions apply:
“California Data” means Personal Data that is subject to the California Consumer Privacy Act.
“CCPA” means the California Consumer Privacy Act, California Civil Code § 1798.100 et seq., as amended, and its implementing regulations.
“Controller” means the entity that determines the purposes and means of Processing Personal Data, in this case, Customer.
“Customer Data” means any data, information, or material that Customer collects, saves, maintains, transmits, and otherwise Processes (as defined here).
“Data Protection Laws” means any applicable data protection laws and regulations applicable to the Processing of Personal Data under the Master Terms, including the applicable laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom, and the United States and its member states.
“Data Subject” means the individual or entity to whom Personal Data relates.
“European Data” means Personal Data that is subject to European Data Protection Laws.
“European Data Protection Laws” means data protection laws applicable in Europe, including: (1) the General Data Protection Regulation (“GDPR”), Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as amended, and (2) the applicable data protection laws of Switzerland and the United Kingdom.
“Personal Data” means any information that falls within the definition of Customer Data and relates to an identified or identifiable individual or relates to an identified or identifiable legal entity where such entity’s information is protected similarly as that of an individual under Data Protection Laws.
“Processing,” “Processes,” or “Process” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation, or alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
“Processor” means an entity that Processes Personal Data on behalf of the Controller, in this case, Modus.
“Service” means the Modus online sales enablement service and platform, including all mobile applications offered for use in conjunction with the platform.
“Standard Contractual Clauses” means the standard contractual clauses for Processors approved pursuant to the European Commission’s decision (C (2010) 593) of 5 February 2010, as may be amended, superseded or replaced.
“Sub-processor” means any third-party service providers that Process Customer Data for Modus.
“Supervisory Authority” means an independent public authority which is established by an EU member state pursuant to the GDPR, or for the United Kingdom, the Information Commissioner’s Office.
II. PROCESSING OF PERSONAL DATA
Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller, Modus is the Processor, and Modus will engage Sub-Processors according to the requirements for Sub-Processors below.
Customer’s Processing of Personal Data. Customer controls the categories of Data Subjects and Personal Data Processed pursuant to the Master Terms. Modus has no knowledge of, or control over, the Personal Data that Customer provides for Processing. Customer is solely responsible for the accuracy, quality, and legality of the Customer Data and the means by which it acquired the Customer Data. Customer is solely responsible for ensuring that its submission of Personal Data to Modus and its instructions for the Processing of Personal Data will comply with Data Protection Laws. Customer acknowledges and agrees that it has complied with all applicable Data Protection Laws, including obtaining any necessary consents and authorizations to Process Personal Data. Modus will inform Customer without unreasonable delay if, in Modus’ opinion, Customer’s instructions violate Data Protection Laws.
Modus Will Process Data According to Customer’s Instructions. The parties agree that the Master Terms, including this DPA, constitute Customer’s complete and final instructions to Modus in relation to the Processing of Personal Data, and additional instructions from Customer will require prior written agreement. Modus will only Process Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of Customer’s instructions. Modus will not otherwise disclose Personal Data to third parties unless required to do so by applicable law, in which case Modus will inform Customer in advance unless it is prohibited from doing so. Modus will not Process Personal Data for any other purpose unless Customer instructs it to do so.
Details of the Processing. The details of the Processing, including the nature and purpose of Processing, duration of Processing, types of Personal Data Processed, categories of Data Subjects, and nature of Processing operations, are contained in Annex 1.
Return or Deletion of Customer Data. Modus will return or delete all Customer Data, including Personal Data, that is Processed pursuant to this DPA after termination of the Service on the terms stated in the Master Terms, except to the extent Modus is required by applicable law to retain the Customer Data. Unless Customer requests immediate return or deletion of Customer Data, Modus will follow the procedures and timeframes of its usual deletion practices.
III. RIGHTS OF DATA SUBJECTS
Data Subject Requests. Modus will, to the extent legally permitted, promptly notify Customer if Modus receives a request from a Data Subject to exercise the Data Subject’s right of access, right of rectification, restriction of Processing, right of erasure (“right to be forgotten”), data portability, objection to Processing, or its right not to be subject to automated individual decision making (“Data Subject Request”). Taking into account the nature of the Processing, Modus will assist Customer through the use of appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws. In addition, to the extent Customer does not have the ability to address a Data Subject Request, Modus will upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Requests, to the extent Modus is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws. To the extent legally permitted, Customer will be responsible for any costs arising from Modus’ providing such assistance.
IV. SUB-PROCESSORS
Appointment of Sub-Processors. Customer expressly authorizes Modus to use Sub-processors to enable it to provide the Service pursuant to the Master Terms. Modus has entered into written agreements with its Sub-processors that contain obligations as to Processing of Personal Data that are substantially similar to Modus’ obligations under this DPA. A list of Modus’ Sub-Processors is contained in Annex 3. Modus will notify Customer of changes to its Sub-Processors upon written request.
V. SECURITY & CONFIDENTIALITY
Appropriate Technical and Organizational Measures. Modus shall maintain appropriate technical and organizational safeguards to protect the confidentiality, integrity, and security of Customer Data, including protection from unauthorized or unlawful Processing, accidental or unlawful destruction, unauthorized disclosure or access, accidental loss or alteration, or damage. From time to time, Modus may modify or update its security measures provided that such modification does not result in a material degradation of security.
Confidentiality of Processing by Modus Personnel. Modus will ensure its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities in regard to that Personal Data, and have executed written confidentiality agreements that will survive the termination of their relationship with Modus. Modus will ensure that access to Personal Data is limited to those personnel who require access to Process such Personal Data as part of the Service provided pursuant to the Master Terms.
Security Incidents. Modus will notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized access, or unauthorized disclosure of Customer Data, including Personal Data, transmitted, stored, or otherwise Processed by Modus or its Sub-processor of which Modus becomes aware (“Customer Data Incident”). Modus will make reasonable efforts to identify the cause of such Customer Data Incidents and take steps it deems necessary and reasonable to remediate the cause of such incidents to the extent doing so is within Modus’ control. These obligations do not apply to incidents that are caused by Customer, its affiliates, or users.
VI. ADDITIONAL PROVISIONS FOR EUROPEAN DATA
Scope of Section VI. This Section VI applies only in respect to European Data. Modus will Process Personal Data in accordance with the European Data Protection Laws’ requirements that are directly applicable to the Service provided by Modus.
Applicability of Standard Contractual Clauses. The parties acknowledge that in connection with providing the Service, Modus is a recipient of European Data in the United States. Modus agrees to abide by and process European Data in compliance with the Standard Contractual Clauses, attached as Annex 2. If there is any conflict between the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses will apply.
Roles of the Parties. When Processing European Data, the parties acknowledge and agree that Customer is the Controller of the European Data, and Modus is the Processor of such data.
Objection to New Sub-Processors. Modus will notify Customer of any changes to Sub-Processors by updating Annex 3 to this DPA and notifying Customer via email or the Service interface. After such notification, Customer may object to the engagement of the new Sub-Processor within thirty (30) days. Customer’s objection must be on reasonable grounds, relate to the protection of Personal Data, and be in writing. If Customer notifies Modus of an objection, the parties will discuss Customer’s concerns in good faith with a view to achieving a commercially reasonable solution. If no such resolution can be reached, Modus will, at its sole discretion, either not appoint the Sub-Processor or permit Customer to suspend or terminate the Service in accordance with the Master Terms without liability to either party (but without prejudice to any fees incurred by Customer prior to termination).
Data Protection Impact Assessments and Consultation with Supervisory Authorities. Upon Customer’s request, Modus will provide Customer with reasonable cooperation and assistance needed for Customer to fulfill its obligations under the European Data Protection Laws to conduct a data protection impact assessment related to Customer’s use of the Service, to the extent Customer does not have access to certain relevant information and such information is available to Modus. To the extent required by the European Data Protection Laws, in connection with the tasks in this section, Modus will provide reasonable assistance to Customer in cooperation, or prior to consultation, with any Supervisory Authority.
Data Transfers. Modus will not transfer European Data to any country not recognized as providing an adequate level of protection for Personal Data within the meaning of the European Data Protection Laws unless it first takes measures necessary to ensure the transfer complies with applicable European Data Protection Laws, such as agreement to the Standard Contractual Clauses.
Demonstration of Compliance. Upon written request, Modus will make available to Customer such information as necessary to demonstrate compliance with its obligations under this DPA and to allow for reasonable audits to assess compliance with this DPA. Modus has obtained third-party certifications and audits, and upon Customer’s written request, Modus will make available to Customer a copy of Modus’ most recent third-party audits or certifications that relate to compliance with this DPA.
VII. ADDITIONAL PROVISIONS FOR CALIFORNIA DATA
Scope of Section VII. This Section VII applies only in respect to California Data. Modus will Process Personal Data in accordance with the CCPA’s requirements that are directly applicable to the Service Modus provides.
Roles of the Parties. When Processing California Data, the parties acknowledge and agree that Customer is a Business and Modus is a Service Provider for the purpose of, and as defined by, the CCPA.
Responsibilities. The parties agree that Modus will Process California Data as a Service Provider solely for purposes of providing the Service under the Master Terms or as otherwise permitted by the CCPA, and that Modus is prohibited from retaining, using or disclosing California Data for any other purpose.
VIII. GENERAL PROVISIONS
Amendments. Modus may update or amend the terms of this DPA from time to time as data processing requirements change or products evolve. If this happens, Modus will notify Customer via email or in-app application.
Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.
Limitation of Liability. Except as required otherwise by the Data Protection Laws, each party’s liability arising out of or related to this DPA, and all DPAs between Customer and Modus, whether in contract, tort, or under any other theory of liability, is subject to the Limitation of Liability section of the Master Terms, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its affiliates under the Master Terms and all DPAs together.
Governing Law. This DPA will be governed by and construed in accordance with the designated law in the Master Terms, except as required otherwise by the Data Protection Laws.
Term. The term of this DPA will follow the term of the Customer’s subscription for the Service as defined by the Terms and the applicable Order.