Data Processing Addendum
Last Modified: September 24, 2021
THIS DATA PROCESSING ADDENDUM (“Addendum”) is incorporated into the Mode Analytics, Inc. (“Mode”) Terms of Service or, as applicable, the agreement between Customer and Mode (“Platform Agreement”) pursuant to which Mode agrees to provide the Mode Services to Customer. This Addendum is intended to ensure that Customer Personal Data is Processed by Mode in accordance with Data Protection Laws.
NOTE: this Addendum does not cover or apply to any Processing of Customer Personal Data by Mode under UK data protection laws (including, the so-called ‘UK GDPR’ and UK Data Protection Act 2018). Any such Processing is covered by and subject to our UK Data Processing Addendum (a copy of which can be found here.)
THE PARTIES AGREE THAT:
1. DEFINITIONS AND INTERPRETATION
1.1 In this Addendum (including the recitals above), the following terms shall have the meanings set out in this clause 1.1, unless expressly stated otherwise:
“Anonymized Usage Data”
“Customer Personal Data”
“Data Protection Laws”
“Data Subject Request”
“Personal Data Breach”
“Process” or “Processing”
“Standard Contractual Clauses”
1.2 In this Addendum:
(a) the terms “Controller”, “Processor”, “Member State”, and “Supervisory Authority” shall have the meaning ascribed to such terms in the GDPR;
(b) unless otherwise defined herein, all capitalised terms shall have the meaning given to them in the Agreement;
(c) the singular includes the plural and vice versa, unless the context otherwise requires;
(d) references to this Addendum include its Schedules;
(e) references to clauses and/or Schedules are to clauses of, and Schedules to, this Addendum;
(f) the words “including” and “include” shall be construed only as illustration or emphasis and shall not be construed or take effect as limiting the generality of any earlier words;
(g) references to “laws” shall mean (i) any statute, regulation, by-law, or subordinate legislation; (ii) the common law and the law of equity; (iii) any binding court order, judgment or decree; or (iv) any industry code, policy or standard enforceable by law; and
1.3 This Addendum shall be incorporated into and form part of the Agreement. In the event of any conflict or inconsistency between this Addendum and the main body of the Agreement, this Addendum shall prevail to the extent of such conflict or inconsistency.
2. PROCESSING OF CUSTOMER PERSONAL DATA
2.1 Mode shall:
(a) comply with Data Protection Laws as applicable to Mode in Processing Customer Personal Data; and
(b) not Process Customer Personal Data other than:
(i) on Customer’s instructions (subject always to clause 2.7 and clause 2.8); and
(ii) as required by applicable laws.
2.2 To the extent permitted by applicable laws, Mode shall inform Customer of:
(a) any Processing to be carried out under clause 2.1(b)(ii); and
(b) the relevant legal requirements that require it to carry out such Processing,
before the relevant Processing unless the relevant law prohibits Mode from doing so on important grounds of public interest.
2.3 Customer instructs Mode to Process Customer Personal Data only as necessary (i) to provide the Mode Services to Customer (including to improve and update the Mode Services, for security or business continuity purposes, troubleshooting and support, accounting purposes, and to carry out Processing initiated by Customer’s users in their use of the Mode Services) and (ii) to perform Mode’s obligations and exercise Mode’s rights under the Agreement. For purposes of CCPA, Mode hereby certifies that it understands the obligations under this clause 2.3 and will comply with them. Notwithstanding anything in the Agreement, this Addendum or any order form entered in connection therewith, the Parties acknowledge and agree that Mode’s access to Customer Personal Data or the exchange of Customer Personal Data between the Parties does not constitute part of the consideration exchanged by the Parties in respect of the Agreement or any other business dealings.
2.4 Schedule 1 (Data Processing Details) to this Addendum sets out certain information regarding Mode’s Processing of Customer Personal Data as required by Article 28(3) of the GDPR.
2.5 If Customer reasonably determines that it is necessary to modify Schedule 1 (Data Processing Details) in order to meet any applicable requirements of Data Protection Laws, Customer shall provide a written request to Mode specifying such amendment and the legal necessity for it; provided, however, that no amendment shall be made under this clause without Mode’s prior written consent, which shall not be unreasonably withheld. Nothing in Schedule 1 (Data Processing Details) (including as amended pursuant to this clause 2.5) confers any right or imposes any obligation on any Party to this Addendum.
2.6 Customer acknowledges and agrees that any instructions issued by Customer with regards to the Processing by Mode of Customer Personal Data pursuant to or in connection with the Agreement shall (i) be strictly required for the sole purpose of ensuring compliance with Data Protection Laws, and (ii) not relate to the scope of the Mode Services or otherwise materially change the services to be provided by Mode under the Agreement. Notwithstanding anything to the contrary herein, Mode may terminate the Agreement in its entirety upon written notice to Customer with immediate effect if Mode considers (in its absolute discretion) that (a) it is unable to adhere to, perform or implement any instructions issued by Customer due to the technical limitations of its systems, equipment and/or facilities, and/or (b) to adhere to, perform or implement any such instructions would require disproportionate effort (whether in terms of time, cost, available technology, manpower or otherwise).
2.7 Customer represents and warrants on an ongoing basis that there is, and will be throughout the term of the Agreement, a valid and effective legal basis, and Article 9 GDPR condition (where applicable), under the GDPR for the Processing by Mode of Customer Personal Data in accordance with this Addendum and the Agreement (including any and all instructions issued by Customer from time to time in respect of such Processing).
2.8 Customer acknowledges that Mode may create and derive Anonymized Usage Data from Processing related to the Mode Services and use such Anonymized Usage Data to improve Mode’s services and for its other legitimate business purposes.
3. MODE PERSONNEL
Mode will grant access to Customer Personal Data only to employees, contractors and Subprocessors who need such access for the scope of their performance, and have committed themselves to confidentiality or are under an appropriate professional or statutory obligation of confidentiality.
4. SECURITY MEASURES
4.1 Mode will implement and maintain technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access as described in Schedule 2 (Security Measures). Mode may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Mode Services.
4.2 Customer agrees that Mode will (taking into account the nature of the Processing of Customer Personal Data and the information available to Mode) provide Customer with reasonable assistance necessary for Customer to comply with its obligations in respect of Customer Personal Data under the GDPR, including Articles 32 to 34 (inclusive) of the GDPR, by:
(a) implementing and maintaining the Security Measures in accordance with clause 4.1;
(b) complying with the terms of clause 7; and
(c) providing Customer with the Security Documentation in accordance with clause 10.2 and the Agreement including this Addendum.
5. SUBPROCESSORS
5.1 Customer generally authorizes Mode’s engagement of Subprocessors. Information about Mode’s currently appointed Subprocessors, including their functions and locations, is set forth in Schedule 3 (Authorized Subprocessors) (as may be updated by Mode from time to time in accordance with this Addendum).
5.2 When engaging any Subprocessor, Mode will:
(a) ensure via a written contract that:
(i) the Subprocessor only accesses and uses Customer Personal Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement;
(ii) the data protection obligations set out in Article 28(3) of the GDPR are imposed on the Subprocessor in a similar manner as described in this Addendum; and
(b) remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor with respect to the provision of Mode Services.
5.3 When any new Subprocessor is engaged during the term of the Agreement, Mode will, at least thirty (30) days before the new Subprocessor Processes any Customer Personal Data, notify Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform).
5.4 Customer may object to any new Subprocessor by terminating its use of the Mode Services or, as applicable, the Platform Agreement immediately upon written notice to Mode, on condition that Customer provides such notice within sixty (60) days of being informed of the engagement of the Subprocessor as described in clause 5.3. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Subprocessor.
5.5 If Customer does not object to Mode’s appointment of a Subprocessor during the sixty (60) day period referred to in clause 5.4, Customer shall be deemed to have approved Mode’s engagement and ongoing use of that Subprocessor.
5.6 Operational clarifications relevant to the Standard Contractual Clauses:
(a) The terms and conditions of this clause 5 apply in relation to Mode’s appointment and use of Subprocessors under the Standard Contractual Clauses.
(b) Any approval by Customer of Mode’s appointment of a Subprocessor that is given expressly or deemed given pursuant to clause 5.5 constitutes Customer’s documented instructions to effect onward transfers to that Subprocessor under Clause 8.8 of the Standard Contractual Clauses (where relevant).
6. DATA SUBJECT RIGHTS
6.1 During the term of the Agreement, if Mode receives any request from a Data Subject in relation to Customer Personal Data, Mode will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to any such request. Taking into account the nature of the Processing, Mode shall, at Customer’s cost, provide Customer with such assistance as may be reasonably necessary and technically possible in the circumstances, to assist Customer in fulfilling its obligation to respond to Data Subject Requests.
6.2 Mode shall:
(a) notify Customer if Mode receives a Data Subject Request; and
(b) not respond to any Data Subject Request except on the documented instructions of Customer (and in such circumstances, at Customer’s cost) or as required by applicable laws, in which case Mode shall to the extent permitted by applicable laws inform Customer of that legal requirement before Mode responds to the Data Subject Request.
6.3 Operational clarifications relevant to the Standard Contractual Clauses:
(a) When complying with its transparency obligations under Clause 8.3 of the Standard Contractual Clauses, Customer agrees that it shall not provide or otherwise make available, and shall take all appropriate steps to protect, Mode’s and its licensors’ trade secrets, business secrets, confidential information and/or other commercially sensitive information.
(b) Where applicable, for the purposes of Clause 10(a) of Module Three of the Standard Contractual Clauses, Customer acknowledges and agrees that there are no circumstances in which it would be appropriate for Mode to notify any third party controller of any Data Subject Request and that any such notification shall be the sole responsibility of Customer.
7. PERSONAL DATA BREACH
7.1 If Mode becomes aware of a Personal Data Breach, Mode will: (a) notify Customer of the Personal Data Breach promptly and without undue delay after becoming aware of the Personal Data Breach; and (b) promptly take reasonable steps to minimise harm and secure Customer Personal Data.
7.2 Notifications made pursuant to this clause will describe, to the extent possible and known, details of the Personal Data Breach, including steps taken to mitigate the potential risks and steps Mode recommends Customer take to address the Personal Data Breach.
7.3 Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any Personal Data Breach(s).
7.4 Mode’s notification of or response to a Personal Data Breach under this clause 7 will not be construed as an acknowledgement by Mode of any fault or liability with respect to the Personal Data Breach.
8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
Mode shall provide reasonable assistance to Customer, at Customer’s cost, with any data protection impact assessments, and prior consultations with Supervisory Authorities, which Customer reasonably considers to be required of Customer by Article 35 or 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, Mode.
9. DELETION OR RETURN OF CUSTOMER PERSONAL DATA
9.1 Upon the expiration of the Subscription Period or earlier termination of the Agreement (the “Term End Date”), and subject to clause 9.2, Customer may in its absolute discretion by written notice to Mode within thirty (30) days of the Term End Date require Mode to (a) return a complete copy of all Customer Personal Data to Customer by secure file transfer in such format as is reasonably notified by Customer to Mode; and/or (b) delete all copies of Customer Personal Data Processed by Mode. Mode shall comply with any such written request as soon as reasonably practicable and in all events within ninety (90) days of the date Customer’s written notice is received by Mode.
9.2 Mode may retain Customer Personal Data after the Term End Date to the extent required by applicable laws.
9.3 Operational clarification relevant to the Standard Contractual Clauses: certification of deletion of Personal Data as described in Clauses 8.5 and 16(d) of the Standard Contractual Clauses shall be provided only upon Customer’s written request.
10. AUDIT RIGHTS
10.1 Mode will allow an independent auditor appointed by Customer to conduct audits (including inspections) to verify Mode’s compliance with its obligations under this Addendum in accordance with clause 10. Provided, however, Mode may object in writing to an auditor appointed by Customer to conduct any audit if the auditor is, in Mode’s reasonable opinion, not suitably qualified or independent, a competitor of Mode, or otherwise manifestly unsuitable. Any such objection by Mode will require Customer to appoint another auditor.
10.2 In addition to the information contained in the Agreement (including this Addendum), Mode will make available for inspection by Customer the following Security Documentation to assist Customer’s determination of compliance by Mode with its obligations under this Addendum: Mode’s most recent System and Organization Controls (SOC) 2 Type 1 report.
10.3 Prior to the commencement of any audit or inspection, Mode and Customer will discuss and agree in advance on: (i) the security and confidentiality controls applicable to any inspection or audit; and (ii) the reasonable start date, scope and duration of and security and confidentiality controls applicable to any audit.
10.4 Customer shall give Mode reasonable notice of any audit or inspection to be conducted under clause 10.1 (which shall in no event be less than thirty (30) days’ notice unless required by a Supervisory Authority pursuant to clause 10.4(f)(ii)) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing, and hereby indemnifies Mode in respect of, any damage, injury or disruption to Mode’s premises, equipment, personnel, data, and business (including any interference with the confidentiality or security of the data of Mode’s other customers or the availability of the Mode Services to such other customers) while its personnel are on those premises in the course of such an audit or inspection; provided, however, that Mode need not give access to its premises, equipment, personnel, data, business, Security Documentation or systems for the purposes of such an audit or inspection:
(a) to any individual unless he or she produces reasonable evidence of identity and authority;
(b) to any auditor whom Mode has not given its prior written approval;
(c) unless the auditor enters into a non-disclosure agreement with Mode on terms acceptable to Mode;
(d) where, and to the extent that, Mode considers, acting reasonably, that to do so would result in interference with the confidentiality or security of the data of Mode’s other customers or the availability of the Mode Services to such other customers;
(e) outside normal business hours at those premises; or
(f) on more than one (1) occasion in each period of twelve (12) months during the term of the Agreement (or where the term of the Agreement is less than twelve (12) months, on more than one (1) occasion during such shorter term), except for any additional audits or inspections which:
(i) Customer reasonably considers necessary because of a Personal Data Breach; or
(ii) Customer is required to carry out by Data Protection Laws or a Supervisory Authority or other regulator,
where Customer has identified the Personal Data Breach or the relevant legal requirement in its notice to Mode of the audit or inspection.
10.5 The Parties shall discuss and agree the costs of any inspection or audit to be carried out by or on behalf of Customer pursuant to this clause 10 in advance of such inspection or audit and, unless otherwise agreed in writing between the Parties, Customer shall bear any third party costs in connection with such inspection or audit and reimburse Mode for all costs incurred by Mode and time spent by Mode (at Mode’s then-current professional services rates) in connection with any such inspection or audit.
10.6 Operational clarification relevant to the Standard Contractual Clauses: the audits described in Clauses 8.9(c) and 8.9(d) of the Standard Contractual Clauses shall be performed in accordance with this clause 10, subject to any relevant conditions, limitations or restrictions detailed herein.
11. DATA TRANSFERS
11.1 Mode may store and Process Customer Personal Data anywhere Mode or its Subprocessors maintain facilities. Mode will provide information about the location of its data centers used to Process Customer Personal Data upon request.
11.2 To the extent that any Processing of Customer Personal Data under this Addendum involves a Restricted Transfer, the Parties shall comply with their respective obligations set out in the Standard Contractual Clauses, which are hereby deemed entered into and incorporated by reference into this Addendum, in the manner applicable having regard to clause 11.3.
11.3 The following Modules of the Standard Contractual Clauses apply in the manner set out below (having regard to the role(s) of the Customer):
(a) Module 2 of the Standard Contractual Clauses applies to any Restricted Transfer involving Processing of Customer Personal Data in respect of which Customer is a Controller in its own right; and/or
(b) Module 3 of the Standard Contractual Clauses applies to any Restricted Transfer involving Processing of Customer Personal Data in respect of which Customer is itself acting as a Processor on behalf of any other person.
11.4 The Standard Contractual Clauses referred to in this clause 11 shall only have effect if and to the extent permitted and required under the GDPR to establish a valid basis under Chapter V of the GDPR in respect of the transfer to Mode of Customer Personal Data hereunder.
12. PROCESSING RECORDS
Customer acknowledges that Mode may be required under the GDPR to: (a) collect and maintain records of certain information, including the name and contact details of each Processor and/or Controller on behalf of which Mode is acting and, where applicable, of such Processor’s or Controller’s local representative (e.g., any such representative(s) appointed under Article 27 of the GDPR) and data protection officer; and (b) make such information available to the Supervisory Authorities. Accordingly, Customer will, where requested, provide such information to Mode, and will ensure that all information provided is kept accurate and up-to-date.
13. LIABILITY
13.1 If and as the Standard Contractual Clauses apply, the total combined liability of either party towards the other party under or in connection with the Agreement and such Standard Contractual Clauses combined will be limited to limitations on, or exclusions of, liability or other liability caps agreed to by the parties in the Agreement, subject to clause 13.2.
13.2 Nothing in clause 13.1 will affect any party’s liability to Data Subjects under the third party beneficiary provisions of the Standard Contractual Clauses to the extent limitation of such rights is prohibited by the GDPR or other laws, where applicable.
SCHEDULE 1 (DATA PROCESSING DETAILS)
This Schedule 1 (Data Processing Details) includes certain details of the Processing of Customer Personal Data as required by Article 28(3) of the GDPR.
Subject matter of the Processing of Customer Personal Data
Mode’s provision of the Mode Services to Customer
Nature and Purpose of the Processing
Mode will process Customer Personal Data for the purposes of providing the Mode Services to Customer in accordance with the Addendum.
Duration of the Processing
From the Effective Date of the Agreement until deletion of all Customer Personal Data by Mode in accordance with the Addendum.
The Categories of Customer Personal Data to be Processed
Data relating to individuals provided to Mode in connection with the Mode Services, by (or at the direction of) Customer.
The Categories of Data Subject to Whom the Customer Personal Data Relates
Data subjects include the individuals about whom Mode Processes data in connection with the Mode Services.
The Obligations and Rights of Customer
The obligations and rights of Customer are set out in the Agreement and this Addendum.
SCHEDULE 2 (SECURITY MEASURES)
Mode will implement and maintain the Security Measures set out in this Schedule 2. Mode reserves the right to revise the security measures set out in this Schedule 2 at any time, without notice, so long as such revisions do not materially reduce the protection provided for Personal Data that Mode processes in the course of providing the Mode Services.
1) Organizational management and staff responsible for the development, implementation and maintenance of Mode’s information security controls. Executive leadership is involved in reviewing and approving all security policies.
2) Audit and risk assessment procedures for the purposes of periodic review and assessment of security risks to Mode’s organization, monitoring compliance with Mode’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
3) Data security controls that include logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of commercially available and industry standard encryption technologies for Personal Data.
a) Encryption in Transit: Customer content is encrypted in transit using Transport Layer Security. TLS is active on all accounts by default and cannot be disabled by end users.
b) Encryption at Rest: Confidential customer data is encrypted at rest with the Advanced Encryption Standard (AES). Backups are encrypted at rest.
4) Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions. Access accounts are provisioned for engineers on their hire date and deprovisioned on their departure date by a member of the senior engineering staff.
5) User IDs and password configuration requirements have been established that are designed to prevent unauthorized access to production systems. Mode has defined the following password requirements: (i) password length must have a minimum of 10 characters; (ii) password must contain both upper and lowercase characters; (iii) password must contain a number (0-9) and/or a special character; (iv) password must be different from user’s previous 10 passwords; and (v) password must be changed annually.
6) With respect to physical and environmental security, Mode’s production resources are hosted in Amazon Web Services. Physical and environmental security is handled entirely by Amazon and its vendors. Amazon has provided a list of compliance and regulatory security assurances, including SOC 1, SOC 2 and SOC 3 reports and ISO 27001 certification.
7) Operational procedures and controls to provide for application deployment and change management, capacity management, and separation of development, testing and production.
8) Incidents are handled in accordance with Mode’s Incident Response Plan following the lifecycle of an incident: Discovery, Acknowledgement, Verification, Scope, Resolution and finally Response. The Privacy Officer(s) and Director of Engineering are responsible for managing the response process in accordance with the IRP, completing an after-action review and coordinating any outbound communication that may be necessary following an incident.
9) Network security controls designed and implemented so that internet connections are required to use transport encryption. Default deny has been established for each application/service group/layer. Service to service connections must be explicitly allowed.
10) Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
11) Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.
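The password requirements in item 5 of this Schedule are concrete enough to be enforced in code. The checker below is an added illustration, not Mode's own code: it assumes that earlier passwords are kept as salted PBKDF2-HMAC-SHA256 digests (the Addendum does not say how the history is stored) and that the date of the last change is available for the annual-rotation rule; the sample passwords are constructed for the demonstration. Note that current NIST SP 800-63B guidance discourages mandatory composition rules and periodic rotation in favour of length and breached-password screening; the code implements the policy as written.

```python
"""Checker for the password rules listed in Schedule 2, item 5.

Added illustration, not Mode's code. Assumes (i) previous passwords are stored
as salted PBKDF2-HMAC-SHA256 digests and (ii) a last-change timestamp exists;
the Addendum states neither.
"""
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

MIN_LENGTH = 10                 # rule (i)
HISTORY_DEPTH = 10              # rule (iv)
MAX_AGE = timedelta(days=365)   # rule (v)
# Work factor for the history digests; raise it for production use
# (OWASP currently recommends 600,000 iterations for PBKDF2-HMAC-SHA256).
PBKDF2_ITERATIONS = 200_000

HistoryEntry = Tuple[bytes, bytes]  # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Derive a salted digest suitable for storing in the password history."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def build_history(previous: List[str]) -> List[HistoryEntry]:
    """Hash a list of earlier passwords, oldest first."""
    return [hash_password(p) for p in previous]


def reuses_previous(password: str, history: List[HistoryEntry]) -> bool:
    """Rule (iv): compare against the last HISTORY_DEPTH entries in constant time."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password: str, history: List[HistoryEntry]) -> List[str]:
    """Return the rules a proposed password violates; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)):
        problems.append("needs both uppercase and lowercase letters")
    if not re.search(r"[0-9]|[^A-Za-z0-9]", password):   # rule (iii): digit and/or special
        problems.append("needs a digit or a special character")
    if reuses_previous(password, history):
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return problems


def password_expired(last_changed: datetime, now: Optional[datetime] = None) -> bool:
    """Rule (v): a password older than MAX_AGE must be changed."""
    now = now or datetime.now(timezone.utc)
    return now - last_changed > MAX_AGE


def demo() -> dict:
    """Exercise every rule on constructed inputs (not real credentials)."""
    history = build_history(["OldPassword1", "Winter2020!"])
    now = datetime(2021, 9, 24, tzinfo=timezone.utc)
    return {
        "good": check_password("Correct-Horse7", history),
        "reused": check_password("Winter2020!", history),
        "short": check_password("Sh0rt!", history),
        "no_upper": check_password("alllowercase99", history),
        "no_digit": check_password("NoDigitsHere", history),
        "expired": password_expired(now - timedelta(days=400), now),
        "fresh": password_expired(now - timedelta(days=100), now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The history comparison re-derives the digest with each stored salt and compares with `hmac.compare_digest`, so a reused password is detected without ever storing or logging the plaintext of earlier passwords.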
SCHEDULE 3 (AUTHORIZED SUBPROCESSORS)
The list of authorized sub-processors is available here.