Data Processing Addendum
Last Updated September 1, 2023
This Data Processing Addendum (“DPA”) is incorporated into and forms a part of the Agreement (defined below) between Mode Analytics, Inc. (“Mode”) and the company set forth in an Order Form (“Customer”). All capitalized terms not otherwise defined herein will have the meaning given to them in the Agreement. Any inconsistency between the terms of this DPA and the Agreement will be resolved in favor of this DPA with respect to the subject matter herein.
1. Definitions.
1.1 “Affiliate” means, with respect to a party, any legal entity (such as a corporation, partnership, or other legal entity) that controls, is controlled by, or is under common control with such party. For purposes of this definition, “control” means the legal power to direct or cause direction of the general management of the corporation, partnership, or other legal entity. Affiliates of Customer are “Customer Affiliates” and Affiliates of Mode are “Mode Affiliates.”
1.2 “Agreement” means the Mode Subscription Agreement or other underlying subscription agreement for the purchase of the Mode platform.
1.3 “California Consumer Privacy Act” or “CCPA” means the California Consumer Privacy Act of 2018, as may be amended from time to time.
1.4 “Customer Personal Data” means any Personal Data supplied by Customer for analysis using the Mode platform that is Processed by Mode on behalf of Customer pursuant to or in connection with the Agreement.
1.5 “Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of Processing of Personal Data.
1.6 “Data Processor” means the natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Customer, including as applicable any “service provider” as that term is defined by the CCPA.
1.7 “Data Protection Law(s)” means all applicable data protection and privacy laws regulating the Processing of Personal Data, including where applicable, EU & UK Data Protection Law, and the CCPA.
1.8 “Data Subject” means an identified or identifiable natural person.
1.9 “EU & UK Data Protection Law” means: (a) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR"), and repealing Directive 95/46/EC; and (b) the GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018.
1.10 “Instructions” means Customer’s documented Processing instructions issued to Mode in compliance with this DPA.
1.11 “Order Form” means: (a) an order form or other ordering document signed by the authorized representatives of Customer and Mode that specifies subscriptions purchased, corresponding pricing, and the Subscription Term, as well as the scope and price of consulting services purchased (if any); or (b) an online web form or in-application electronic ordering process initiated by Customer that references the Agreement.
1.12 “Personal Data” means any information relating to a Data Subject uploaded to the Mode platform by or for Customer or Customer’s agents, employees, or contractors, including, but not limited to, any information falling within the definition of “personal information” in the CCPA.
1.13 “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.14 “Standard Contractual Clauses” or “SCCs” means, together: (i) the “EU SCCs”, being the standard contractual clauses for the transfer of personal data to third countries approved pursuant to Commission Decision (EU) 2021/914 of 4 June 2021, currently found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en; and (ii) the “UK Addendum”, being the International Data Transfer Addendum issued by the Information Commissioner’s Office under s.119A of the UK Data Protection Act 2018, currently found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
1.15 “Sub-Processor” means any legal person or entity engaged in the Processing of Customer Personal Data by Mode.
1.16 “Subscription Term” means the term of authorized access to, or use of, Mode as set forth in the Order Form.
1.17 “the Mode platform” means the Mode software-as-a-service offering ordered by Customer under an Order Form or via a registration portal, sample data or data provided by Mode, any updates and upgrades thereto, and any modifications, enhancements, or improvements, of any of the foregoing.
PART 1 – EU & UK DATA PROTECTION LAW
2. Scope of the Processing.
2.1 Commissioned Processor. As between Mode and Customer, Customer is either the Data Controller of Personal Data, or in the case that Customer is acting on behalf of a third-party Data Controller, then a Data Processor, and Mode will process Personal Data only as a Data Processor acting on behalf of Customer and, with respect to CCPA, as a “service provider” as defined therein. Mode will comply with its obligations as a processor under EU & UK Data Protection Law.
2.2 Instructions. The Agreement constitutes Customer’s Instructions to Mode for Processing of Customer Personal Data. Customer may issue additional or alternate Instructions provided that such Instructions are: (a) consistent with the purpose and the scope of the Agreement; and (b) confirmed in writing by Customer. Customer is responsible for ensuring its Instructions to Mode comply with Data Protection Laws. If Customer is itself a Data Processor acting on behalf of a third-party Data Controller, Customer warrants to Mode that Customer’s Instructions and actions with respect to that Customer Personal Data, including its appointment of Mode as another Data Processor, have been authorized by the relevant Data Controller. Mode will have no liability for any harm or damages resulting from Mode’s compliance with Instructions received from Customer. Where Mode believes that compliance with Customer’s Instructions could result in a violation of Data Protection Laws or is not in the ordinary course of Mode’s obligations in operating the Mode platform, Mode shall promptly notify Customer thereof.
2.3 Nature, Scope, and Purpose of the Processing. Mode shall only Process Customer Personal Data in accordance with Customer’s Instructions and only to the extent necessary to provide the Mode platform as described in the Agreement.
2.4 Compliance with Data Protection Laws. The parties shall comply with all of their respective obligations under Data Protection Laws with respect to Personal Data.
3. Authorized Affiliates.
3.1 Customer’s Affiliates. The obligations of Mode set forth herein will extend to Customer’s Affiliates to which Customer provides access to the Mode platform or whose Personal Data is Processed within the Mode platform, subject to the following conditions:
3.1.1 Compliance. Customer shall at all times be liable for its Affiliates’ compliance with this DPA and all acts and omissions by a Customer Affiliate are considered acts and omissions of Customer.
3.1.2 Claims. Except where applicable Data Protection Laws require the Affiliate to exercise a right or seek a remedy under this DPA directly against Mode, in the event a Customer Affiliate wishes to assert a valid legal action, suit, claim or proceeding against Mode (a “Customer Affiliate Claim”): (a) Customer must bring such Customer Affiliate Claim against Mode on behalf of such Customer Affiliate; (b) all Customer Affiliate Claims will be considered claims made by Customer and are at all times subject to any aggregate limitation of liability set forth in the Agreement; and (c) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Affiliate individually but in a combined manner for itself and all of its Affiliates together.
3.1.3 Affiliate Audits. The parties agree that the Customer that is the contracting party to the Agreement shall, when carrying out an onsite audit of the procedures relevant to the protection of Customer Personal Data, take all reasonable measures to limit any impact on Mode and its Sub-Processors by combining, to the extent reasonably possible, several audit requests carried out on behalf of itself and all of its Affiliates in one single audit.
3.1.4 Customer Affiliate Ordering. If a Customer Affiliate purchased a separate subscription from Mode under the terms of the Agreement between Mode and Customer, then such Customer Affiliate will be deemed a party to this DPA and shall be treated as Customer under the terms of this DPA.
3.2 Communication. Unless otherwise provided in this DPA, all requests, notices, cooperation, and communication, including Instructions issued or required under this DPA (collectively, “Communications”), must be in writing and between Customer and Mode only and Customer shall inform the applicable Customer Affiliate of any Communications from Mode pursuant to this DPA. Customer shall be solely responsible for ensuring that any Communications (including Instructions) it provides to Mode relating to Personal Data for which a Customer Affiliate is Controller reflect the relevant Customer Affiliate’s intentions.
4. Cooperation.
4.1 Requests from Authorities. In the case of a notice, audit, inquiry or investigation by a government body, data protection authority or law enforcement agency regarding the Processing of Personal Data, Mode shall promptly notify Customer unless prohibited by applicable law. Customer shall keep records of the Customer Personal Data Processed by Mode, and shall cooperate and provide all necessary information to Mode in the event Mode is required to produce such information to a data protection authority.
4.2 Security Risk Assessment. Customer agrees that in accordance with EU & UK Data Protection Law and before submitting any Customer Personal Data to the Mode platform, Customer will perform an appropriate risk assessment to determine whether the security measures within the Mode platform provide an adequate level of security, taking into account the nature, scope, context and purposes of the processing, the risks associated with the Customer Personal Data and the applicable Data Protection Laws. Mode shall provide Customer reasonable assistance by providing Customer with information requested by Customer to conduct Customer’s security risk assessment. Customer is solely responsible for determining the adequacy of the security measures within the Mode platform in relation to the Customer Personal Data Processed. Customer may influence the scope and the manner of Processing of its Customer Personal Data by its own implementation, configuration and use of the Mode platform, including third-party integrations and any other products or services offered by Mode.
4.3 Requests from Data Subjects. Customer is solely responsible for fulfilling any requests from Data Subjects regarding access, correction, rectification, erasure, or to transfer or port such Personal Data, within the Mode platform, as may be required under EU & UK Data Protection Law.
4.4 Data Protection Impact Assessments (DPIA). Mode will, on request, provide Customer with reasonable information required for Customer to carry out a data protection impact assessment for Processing of Personal Data within the Mode platform.
4.5 Mode Assistance. Mode will assist Customer in ensuring compliance with Customer’s obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of Processing by providing Customer with reasonable information requested pursuant to the terms of this DPA, including information required to conduct Customer’s security risk assessment. For clarity, Customer is solely responsible for carrying out its obligations under GDPR and this DPA. Mode shall not undertake any task that can be performed by Customer.
5. International Data Transfers.
5.1 Transfer Mechanisms. For any transfers by Customer of Customer Personal Data from the European Economic Area and its member states, United Kingdom and/or Switzerland (collectively, “Restricted Countries”) to Mode in a country which does not ensure an adequate level of protection (within the meaning of and to the extent governed by the applicable Data Protection Laws of the Restricted Countries) (collectively, “Third Country”), such transfers shall be governed by a valid mechanism for the lawful transfer of Customer Personal Data recognized under applicable Data Protection Laws, such as the Standard Contractual Clauses. For clarity, for transfers from the United Kingdom and Switzerland, references in the SCCs shall be interpreted to include applicable terminology for those jurisdictions (e.g., “Member State” shall be interpreted to mean “United Kingdom” for transfers from the United Kingdom).
5.2 Enforcement. Any Standard Contractual Clauses executed by Mode and Customer will only be enforceable against Mode as integrated with this DPA and will form the entire agreement with regard to the Processing of Personal Data of the Customer unless the applicable EU & UK Data Protection Law to which the relevant Customer entity is subject requires that the Customer entity itself bring or be a party to such a claim. Any such Customer claim will at all times be subject to any aggregate limitation of liability that applies to the Customer under the Agreement. The existence of more than one claim will not enlarge this limit.
5.3 Standard Contractual Clauses with New Sub-Processors. Where required under EU & UK Data Protection Law, Mode or Mode’s Affiliates shall require Sub-Processors to abide by: (a) the Standard Contractual Clauses for Data Processors established in third countries; or (b) another lawful mechanism for the transfer of Personal Data as approved by the European Commission.
5.4 SCCs. Each party agrees to abide by and transfer Customer Personal Data from the Restricted Countries in accordance with the SCCs, which are incorporated into this DPA by reference. Each party is deemed to have executed the SCCs by entering into this DPA and such details shall apply for the purposes of Table 1 of the UK Addendum.
5.4.1 The below shall apply to the SCCs, including the election of specific terms and/or optional clauses as described in more detail below, and any optional clauses not expressly selected are not included (including with respect to Table 2 of the UK Addendum):
5.4.1.1 The Module 2 terms apply to the extent Customer is a Data Controller and the Module 3 terms apply to the extent Customer is a Data Processor of the Customer Personal Data. The foregoing shall apply with respect to Table 2 of the UK Addendum;
5.4.1.2 The optional Clause 7 in Section I of the SCCs is incorporated, and Affiliates may accede to this DPA and the SCCs under the same terms and conditions as Customer, subject to Section 3.1 of this DPA via mutual agreement of the Parties. The foregoing shall apply with respect to Table 2 of the UK Addendum;
5.4.1.3 For purposes of Clause 9 of the SCCs, Option 2 (“General written authorization”) is selected and the process and time period for the addition or replacement of Sub-processors shall be as described in Section 6 (Sub-Processors) of this DPA. The foregoing shall apply with respect to Table 2 of the UK Addendum;
5.4.1.4 For purposes of Clause 13 and Annex 1.C of the SCCs, Customer shall maintain accurate records of the applicable Member State(s) and competent supervisory authority, which shall be made available to Mode on request;
5.4.1.5 For purposes of Clause 14(c), Customer may subscribe to the Sub-Processor Site to receive notifications regarding updates to Mode’s overview of relevant laws and practices of Third Countries;
5.4.1.6 For purposes of Clause 17 and Clause 18 of the SCCs, the Member State for purposes of governing law and jurisdiction shall be Ireland. Part 2, Section 15(m) and Part 2, Section 15(n) of the UK Addendum regarding Clause 17 and Clause 18 of the EU SCCs shall apply;
5.4.1.7 For purposes of Annex 1.A, the “data importer” shall be Mode and the “data exporter” shall be Customer and any Affiliates that have acceded to the SCCs pursuant to this DPA. The foregoing shall apply with respect to Table 3 of the UK Addendum;
5.4.1.8 for purposes of the description of the transfer, it is as described in Appendix 1 to this DPA. The foregoing shall apply with respect to Table 3 of the UK Addendum;
5.4.1.9 for purposes of the description of the technical and organization measures, it is as described in Appendix 2 to this DPA. The foregoing shall apply with respect to Table 3 of the UK Addendum;
5.4.2 The Sub-processors shall be as described in Section 6 (Sub-Processors) of this DPA. The foregoing shall apply with respect to Table 3 of the UK Addendum; and
5.4.2.1 with respect to Table 4 of the UK Addendum, Customer may suspend or terminate the Processing of the Customer Personal Data by Mode that is subject to UK GDPR at any time by deleting all such Customer Personal Data in the Mode platform. Additionally, either Party may terminate the UK Addendum pursuant to Section 19 of the UK Addendum if, after a good faith effort by the Parties to amend this DPA to account for the approved changes and any reasonable clarifications to the UK Addendum, the Parties are unable to come to a mutual agreement.
6. Sub-Processors.
6.1 Use of Sub-Processors. Customer generally authorizes the engagement of Sub-Processors and specifically consents to those listed at https://www.thoughtspot.com/legal/sub-processors. For clarity, the execution of this DPA by Customer constitutes Customer’s general consent for Mode’s engagement of onward Sub-Processors under the Standard Contractual Clauses.
6.2 Sub-Processor Obligations. Mode will: (a) enter into a written agreement with each Sub-Processor imposing data protection obligations no less protective of Personal Data than Mode’s obligations in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processor; and (b) remain liable for each Sub-Processor’s compliance with the obligations in this DPA. Upon written request, Mode will provide Customer all relevant information it reasonably can in connection with its applicable Sub-Processor agreements where required to satisfy Customer’s obligations under Data Protection Laws.
6.3 Changes to Sub-Processors. Mode will make available on its Sub-Processor site a mechanism for Customer to subscribe to notifications of new Sub-Processors. Mode will provide such notification at least fourteen (14) days in advance of allowing the new Sub-Processor to Process Personal Data (the “Objection Period”). During the Objection Period, Customer may object in writing to Mode’s appointment of the new Sub-Processor, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties will discuss Customer’s concerns in good faith with a view to achieving resolution. If Customer can reasonably demonstrate that the new Sub-Processor is unable to Process Personal Data in compliance with the terms of this DPA and Mode cannot provide an alternative Sub-Processor, or the parties are not otherwise able to achieve resolution as provided in the preceding sentence, Customer, as its sole and exclusive remedy, may terminate the Order Form(s) with respect only to those aspects of the Mode platform which cannot be provided by Mode without the use of the new Sub-Processor by providing written notice to Mode. Mode will refund Customer any prepaid unused fees under such Order Form(s) for the period following the effective date of termination under this Section 6.
PART 2 – GENERAL DATA PROTECTION OBLIGATIONS
7. Security.
7.1 Security Program. In provisioning the Mode platform, the following terms will apply:
7.1.1 Data Security Measures. Mode shall maintain appropriate technical and organizational safeguards designed to protect the security, confidentiality and integrity of Customer Personal Data. Customer acknowledges that Mode’s data security measures are subject to technical progress and development and that Mode may update or modify the security measures from time to time provided that such updates and modifications do not result in a material reduction in the commitments, protections or overall level of service provided to Customer.
7.1.2 Data Protection Contact. Mode and its Sub-Processor Affiliates will respond to data protection inquiries throughout the duration of this DPA and can be contacted at privacy@thoughtspot.com.
7.1.3 No Assessment of Customer Personal Data by Mode. Mode shall have no obligation to assess the contents of Customer Personal Data to identify information subject to any specific legal requirements. Customer is responsible for reviewing the information made available by Mode relating to data security and making an independent determination as to whether the Mode platform meets Customer’s requirements and legal obligations under Data Protection Laws.
7.1.4 Third-Party Certifications and Audits. Mode has obtained third-party certifications and audits. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Mode will make available to Customer (provided that Customer is not a competitor of Mode) or Customer’s independent, third-party auditor, as requested (provided that such auditor is not a competitor of Mode) a copy of Mode’s then most recent third-party audits or certifications, as applicable.
7.1.5 Breach Notification. Mode will report to Customer any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data (“Breach”) of which it becomes aware, within seventy-two (72) hours following Mode’s determination that a Breach has occurred. Mode’s notification of, or response to, a Breach will not be construed as an acknowledgement by Mode of any fault or liability with respect to such Breach.
7.1.6 Breach Report. The initial report will be made to Customer’s security or privacy contact(s) designated in Mode’s customer support portal (or if no such contact(s) are designated, to the primary contact designated by Customer). As information is collected or otherwise becomes available, Mode shall provide without undue delay any further information regarding the nature and consequences of the Breach to allow Customer to notify relevant parties, including affected Data Subjects, government agencies and data protection authorities in accordance with EU & UK Data Protection Law. The report will include the name and contact information of the Mode contact from whom additional information may be obtained. Mode shall inform Customer of the measures that it will adopt to mitigate the cause of the Breach and to prevent future Breaches. Notwithstanding the foregoing, Customer acknowledges that because Mode personnel cannot view the content of Personal Data, it will be unlikely that Mode can provide information as to the particular nature of the Personal Data, or where applicable, the identities, number or categories of affected Data Subjects. Communications by or on behalf of Mode with Customer in connection with a Breach shall not be construed as an acknowledgment by Mode of any fault or liability with respect to the Breach. Customer will cooperate with Mode in maintaining accurate contact information in the customer support portal and by providing any information that is reasonably requested to resolve any security incident, including any Breaches, identify its root cause(s) and prevent a recurrence. Customer is solely responsible for determining whether to notify the relevant supervisory authorities and impacted Data Subjects and for providing such notice.
7.1.7 Audit. No more than once per year and upon written request by Customer, Customer will have the right, directly or through its representative(s) (provided, however, that such representative(s) shall enter into written obligations of confidentiality and non-disclosure directly with Mode), to access all reasonable and industry-recognized documentation evidencing Mode’s policies and procedures governing the security of Customer Personal Data (“Audit”). Mode reserves the right to refuse to provide Customer (or its representatives) with any information which would pose a security risk to Mode or its customers, or which Mode is prohibited from providing or disclosing under applicable law or contractual obligation. Any expenses incurred by Customer in connection with the Audit will be borne exclusively by Customer. Audits will be scheduled at least sixty (60) days in advance of taking place, with Customer submitting a detailed proposed audit plan for Mode’s approval at least two (2) weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the Audit. Audits may be subject to an added cost where the cost of the Audit to Mode exceeds 2% of the total annual contract commitment under the Agreement.
7.1.8 Audit Output. Upon completion of the Audit, Mode and Customer may schedule a mutually convenient time to discuss the output of the Audit. Mode may in its sole discretion, consistent with industry and Mode’s standards and practices, make commercially reasonable efforts to implement Customer’s suggested improvements noted in the Audit to improve Mode’s security. The Audit and the results derived therefrom are Confidential Information of Mode.
7.2 Mode Personnel. Access to Personal Data by Mode will be limited to personnel who require such access to perform Mode’s obligations under the Agreement, who are bound by obligations to maintain the confidentiality of such Personal Data at least as protective as those set forth herein and in the Agreement, and who have received appropriate training. Mode will ensure that such confidentiality obligations survive the termination of the personnel engagement.
7.3 Customer Protection. Customer is responsible for its use of the Mode platform, including making appropriate use of the Mode platform to ensure a level of security appropriate to the risk in respect of the Customer Personal Data, securing its account and user credentials, managing its data back-up strategies, and protecting the security of Customer Personal Data when in transit to and from the Mode platform and taking any appropriate steps to pseudonymize, securely encrypt, or backup any Customer Personal Data.
8. General Obligations.
8.1 Confidentiality. Customer may only disclose the terms of this DPA to a supervisory authority to the extent required by Data Protection Laws, provided however, that any such disclosure shall be limited to the minimum information necessary to satisfy such disclosure requirement. Customer shall use commercially reasonable efforts to ensure that data protection or regulatory authorities do not make this DPA public.
8.2 Limitation of Liability. Notwithstanding anything to the contrary in the Agreement or this DPA, Customer’s remedies with respect to any breach by Mode of the terms of this DPA will be subject to any aggregate limitation of liability under the Agreement. Customer further agrees that any regulatory penalties assessed against Mode in relation to Personal Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws will count toward and reduce Mode’s liability under the Agreement as if it were liability to the Customer under the Agreement.
8.3 Termination. This DPA will terminate simultaneously and automatically with the termination of the Agreement or expiration of the Subscription Term where Customer does not renew.
8.4 Waivers and Modifications. A waiver of any right is only effective if it is in writing and only against the party who signed such writing and for the circumstances given. Any modification of this DPA must be in writing and signed by authorized representatives of both parties.
APPENDIX 1
TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix 1 forms part of the Clauses and must be completed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix 1.
Data Exporter
The Data Exporter is the legal entity identified as the "Customer" in the Data Processing Addendum in place between data exporter and data importer and to which these Clauses are appended.
Data Importer
The Data Importer is the provider of the Mode analytics platform in accordance with the Agreement.
Data Subjects
Data Exporter may submit Customer Personal Data to the Mode platform, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
Prospects, customers, business partners and vendors of Customer (who are natural persons);
Employees or contact persons of Customer’s prospects, customers, business partners and vendors;
Employees, agents, advisors, freelancers of Customer (who are natural persons); and/or
Customer’s Users authorized by Customer to use the Services.
Categories of Data
The Data Exporter may submit Customer Personal Data to the Mode platform, the extent and types of which are determined and controlled by the Data Exporter in its sole discretion, and which may include, but are not limited to, the following categories of Personal Data:
Identification and contact data (name, address, title, contact details);
Financial information (account details, payment information);
Employment details (employer, job title, geographic location, area of responsibility); and/or
IT information (IP addresses, usage data, cookies data, location data).
Special Categories of Data (if appropriate)
Customer may, subject to the restrictions set out in the Data Protection Laws, submit special categories of Personal Data to the Mode platform, the extent of which is determined and controlled by Customer in its sole discretion, and which for the sake of clarity means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Processing Operations
The Data Importer will Process Personal Data in the provision of the Mode platform and support thereof pursuant to the Agreement.
APPENDIX 2
TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix 2 forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clause 4(d) and Clause 5(c) (or documents/legislation attached):
Data Importer will implement and maintain the security measures set out in this Appendix 2. Mode reserves the right to revise the security measures set out in this Appendix 2 at any time, without notice, so long as such revisions do not materially reduce the protection provided for Personal Data that Mode processes in the course of providing the Mode platform.
1) Organizational management and staff responsible for the development, implementation and maintenance of Mode’s information security controls. Executive leadership is involved in reviewing and approving all security policies.
2) Audit and risk assessment procedures for the purposes of periodic review and assessment of security risks to Mode’s organization, monitoring compliance with Mode’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
3) Data security controls that include logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilization of commercially available and industry standard encryption technologies for Personal Data.
a) Encryption in Transit: Customer Personal Data is encrypted in transit using Transport Layer Security. TLS is active on all accounts by default and cannot be disabled by end users.
b) Encryption at Rest: Customer Personal Data is encrypted at rest with Advanced Encryption Standard (AES). Backups are encrypted at rest.
4) Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions. Access accounts are provisioned for engineers on their hire date and deprovisioned on their closing date by a member of the senior engineering staff.
5) User IDs and password configuration requirements have been established that are designed to prevent unauthorized access to production systems. Mode has defined the following password requirements: (i) password length must have a minimum of 10 characters; (ii) password must contain both upper and lowercase characters; (iii) password must contain a number (0-9) and/or a special character; (iv) password must be different from user’s previous 10 passwords; and (v) password must be changed annually.
6) With respect to physical and environmental security, Mode’s production resources are hosted in Amazon Web Services. Physical and environmental security is handled entirely by Amazon and their vendors. Amazon has provided a list of compliance and regulatory security assurances, including representations of SOC 1, SOC 2 and SOC 3 reports and ISO 27001 compliance.
7) Operational procedures and controls to provide for application deployment and change management, capacity management, and separation of development, testing and production.
8) Incidents are handled in accordance with Mode’s Incident Response Plan following the lifecycle of an incident: Discovery, Acknowledgement, Verification, Scope, Resolution and Response. Designated personnel are responsible for managing the response process in accordance with the IRP, completing an after-action review and coordinating any outbound communication that may be necessary following an incident.
9) Network security controls designed and implemented so that internet connections are required to use transport encryption. Default deny has been established for each application/service group/layer. Service to service connections must be explicitly allowed.
10) Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
11) Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.