UK Data Processing Addendum
Last Modified: September 24, 2021
THIS UK DATA PROCESSING ADDENDUM (“Addendum”) is incorporated into the Mode Analytics, Inc. (“Mode”) Terms of Service or, as applicable, the agreement between Customer and Mode (“Platform Agreement”) pursuant to which Mode agrees to provide the Mode Services to Customer. This Addendum is intended to ensure that Customer Personal Data is Processed by Mode in accordance with UK Data Protection Laws.
NOTE: this Addendum only covers and applies to Processing of Customer Personal Data by Mode under UK data protection laws (including the so-called ‘UK GDPR’ and the UK Data Protection Act 2018). Any Processing carried out by Mode on behalf of Customers under any other data protection laws (including the ‘EU GDPR’ and the ‘CCPA’) is covered by and subject to our general Data Processing Addendum (a copy of which can be found here).
THE PARTIES AGREE THAT:
1. DEFINITIONS AND INTERPRETATION
1.1 In this Addendum (including the recitals above), the following terms shall have the meanings set out in this clause 1.1, unless expressly stated otherwise:
“Addendum” means this UK data processing addendum;
“Agreement” means either (a) the Mode Terms of Service; or (b) if the Customer and Mode entered into a Platform Agreement, the Platform Agreement;
“Anonymized Usage Data” means statistics concerning the use of the Mode Services by Data Subjects which have been anonymized and/or aggregated such that the Data Subject is not or is no longer identifiable (e.g. the number of query runs per day per user);
“Customer” means the person, corporation (including any non-profit corporation), general partnership, limited partnership, limited liability partnership, joint venture, estate, trust, company, firm or other enterprise, association or organization (including any governmental body or public entity) receiving the Mode Services;
“Customer Personal Data” means any Personal Data supplied by Customer for analysis using the Mode Services that is Processed by Mode on behalf of Customer pursuant to or in connection with the Agreement;
“Data Subject” means the identified or identifiable natural person to whom Personal Data relates;
“Data Subject Request” means the exercise of rights by a Data Subject of Customer Personal Data made under and in accordance with UK Data Protection Laws;
“ICO” means the UK Information Commissioner’s Office;
“Mode Services” means those services and activities to be supplied to or carried out by or on behalf of Mode for Customer pursuant to the Agreement;
“Personal Data Breach” means a breach of Mode’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in Mode’s possession, custody or control. Personal Data Breaches do not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems;
“Process” or “Processing” means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Restricted Transfer” means a transfer of Customer Personal Data to any person in a country or territory outside the UK which the UK Government has not deemed to provide an ‘adequate’ level of protection for Personal Data pursuant to a decision made in accordance with Article 45 of the UK GDPR, and which would be prohibited without a transfer mechanism under Articles 46 to 49 of the UK GDPR;
“Security Documentation” means all documents and information made available by Mode under clause 10.2;
“Subprocessor” means any third party appointed by or on behalf of Mode to Process Customer Personal Data as part of the Mode Services;
“UK Data Protection Laws” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended (the “UK GDPR”), together with the UK Data Protection Act 2018 and any other UK privacy and data protection laws, in each case to the extent applicable to Mode’s Processing of Customer Personal Data; and
“UK Standard Contractual Clauses” means the standard contractual clauses published by the ICO, based on an adapted form of those adopted by the European Commission pursuant to implementing Decision (EU) 2010/87, for the transfer of Personal Data from data exporters (acting as controllers) in the UK to data importers outside the UK (acting as processors), the populated form of which is shown here.
1.2 In this Addendum:
(a) the terms “Controller”, “Personal Data” and “Processor” shall have the meaning ascribed to such terms in the UK GDPR;
(b) unless otherwise defined herein, all capitalised terms shall have the meaning given to them in the Agreement;
(c) the singular includes the plural and vice versa, unless the context otherwise requires;
(d) references to this Addendum include its Schedules;
(e) references to clauses and/or Schedules are to clauses of, and Schedules to, this Addendum;
(f) the words “including” and “include” shall be construed only as illustration or emphasis and shall not be construed or take effect as limiting the generality of any earlier words;
(g) references to “laws” shall mean (i) any statute, regulation, by-law, or subordinate legislation; (ii) the common law and the law of equity; (iii) any binding court order, judgment or decree; or (iv) any industry code, policy or standard enforceable by law; and
1.3 This Addendum shall be incorporated into and form part of the Agreement. In the event of any conflict or inconsistency between:
(a) this Addendum and the main body of the Agreement, this Addendum shall prevail to the extent of such conflict or inconsistency; or
(b) the UK Standard Contractual Clauses that apply pursuant to clause 11 and this Addendum and/or the Agreement, those UK Standard Contractual Clauses shall prevail in the context of the Restricted Transfer to which they apply to the extent of such conflict or inconsistency.
2. PROCESSING OF CUSTOMER PERSONAL DATA
2.1 Mode shall:
(a) comply with UK Data Protection Laws as applicable to Mode in Processing Customer Personal Data; and
(b) not Process Customer Personal Data other than:
(i) on Customer’s instructions (subject always to clause 2.7 and clause 2.8); and
(ii) as required by applicable laws.
2.2 To the extent permitted by applicable laws, Mode shall inform Customer of:
(a) any Processing to be carried out under clause 2.1(b)(ii); and
(b) the relevant legal requirements that require it to carry out such Processing,
before the relevant Processing unless the relevant law prohibits Mode from doing so on important grounds of public interest.
2.3 Customer instructs Mode to Process Customer Personal Data only as necessary (i) to provide the Mode Services to Customer (including to improve and update the Mode Services, for security or business continuity purposes, troubleshooting and support, accounting purposes, and to carry out Processing initiated by Customer’s users in their use of the Mode Services) and (ii) to perform Mode’s obligations and exercise Mode’s rights under the Agreement.
2.4 Schedule 1 (Data Processing Details) to this Addendum sets out certain information regarding Mode’s Processing of Customer Personal Data as required by Article 28(3) of the UK GDPR.
2.5 If Customer reasonably determines that it is necessary to modify Schedule 1 (Data Processing Details) in order to meet any applicable requirements of UK Data Protection Laws, Customer shall provide a written request to Mode specifying such amendment and the legal necessity for it; provided, however, that no amendment shall be made under this clause without Mode’s prior written consent, which shall not be unreasonably withheld. Nothing in Schedule 1 (Data Processing Details) (including as amended pursuant to this clause 2.5) confers any right or imposes any obligation on any Party to this Addendum.
2.6 Customer acknowledges and agrees that any instructions issued by Customer with regards to the Processing by Mode of Customer Personal Data pursuant to or in connection with the Agreement shall (i) be strictly required for the sole purpose of ensuring compliance with UK Data Protection Laws, and (ii) not relate to the scope of the Mode Services or otherwise materially change the services to be provided by Mode under the Agreement. Notwithstanding anything to the contrary herein, Mode may terminate the Agreement in its entirety upon written notice to Customer with immediate effect if Mode considers (in its absolute discretion) that (a) it is unable to adhere to, perform or implement any instructions issued by Customer due to the technical limitations of its systems, equipment and/or facilities, and/or (b) to adhere to, perform or implement any such instructions would require disproportionate effort (whether in terms of time, cost, available technology, manpower or otherwise).
2.7 Customer represents and warrants on an ongoing basis that there is, and will be throughout the term of the Agreement, a valid and effective legal basis, and Article 9 UK GDPR condition (where applicable), under the UK GDPR for the Processing by Mode of Customer Personal Data in accordance with this Addendum and the Agreement (including any and all instructions issued by Customer from time to time in respect of such Processing).
2.8 Customer acknowledges that Mode may create and derive Anonymized Usage Data from Processing related to the Mode Services and use such Anonymized Usage Data to improve Mode’s services and for its other legitimate business purposes.
3. MODE PERSONNEL
Mode will grant access to Customer Personal Data only to employees, contractors and Subprocessors who need such access for the scope of their performance, and have committed themselves to confidentiality or are under an appropriate professional or statutory obligation of confidentiality.
4.1 Mode will implement and maintain technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access as described in Schedule 2 (Security Measures). Mode may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Mode Services.
4.2 Customer agrees that Mode will (taking into account the nature of the Processing of Customer Personal Data and the information available to Mode) provide Customer with reasonable assistance necessary for Customer to comply with its obligations in respect of Customer Personal Data under the UK GDPR, including Articles 32 to 34 (inclusive) of the UK GDPR, by:
(a) implementing and maintaining the Security Measures in accordance with clause 4.1;
(b) complying with the terms of clause 7; and
(c) providing Customer with the Security Documentation in accordance with clause 10.2 and the Agreement including this Addendum.
5.1 Customer generally authorizes Mode’s engagement of Subprocessors. Information about Mode’s currently appointed Subprocessors, including their functions and locations, is set forth in Schedule 3 (Authorized Subprocessors) (as may be updated by Mode from time to time in accordance with this Addendum).
5.2 When engaging any Subprocessor, Mode will:
(a) ensure via a written contract that:
(i) the Subprocessor only accesses and uses Customer Personal Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement;
(ii) the data protection obligations set out in Article 28(3) of the UK GDPR are imposed on the Subprocessor in a similar manner as described in this Addendum; and
(b) remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor with respect to the provision of Mode Services.
5.3 When any new Subprocessor is engaged during the term of the Agreement, Mode will, at least thirty (30) days before the new Subprocessor Processes any Customer Personal Data, notify Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform).
5.4 Customer may object to any new Subprocessor by terminating its use of the Mode Services or, as applicable, the Platform Agreement immediately upon written notice to Mode, on condition that Customer provides such notice within sixty (60) days of being informed of the engagement of the Subprocessor as described in clause 5.3. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Subprocessor.
5.5 If Customer does not object to Mode’s appointment of a Subprocessor during the sixty (60) day period referred to in clause 5.4, Customer shall be deemed to have approved Mode’s engagement and ongoing use of that Subprocessor.
5.6 Operational clarifications relevant to the UK Standard Contractual Clauses:
(a) The terms and conditions of this clause 5 apply in relation to Mode’s appointment and use of Subprocessors under the UK Standard Contractual Clauses.
(b) Any approval by Customer of Mode’s appointment of a Subprocessor that is given expressly or deemed given pursuant to clause 5.5 constitutes Customer’s prior written consent to Mode’s appointment of that Subprocessor if and as required under Clause 5(h) of the UK Standard Contractual Clauses.
(c) Mode will only provide copies of Subprocessor agreements to Customer under Clause 5(j) of the UK Standard Contractual Clauses upon Customer’s request; provided, Mode may remove or redact therefrom all commercial information and/or any clauses, recitals, schedules, annexes, appendices etc., unrelated to the UK Standard Contractual Clauses beforehand.
6. DATA SUBJECT RIGHTS
6.1 During the term of the Agreement, if Mode receives any request from a Data Subject in relation to Customer Personal Data, Mode will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to any such request. Taking into account the nature of the Processing, Mode shall, at Customer’s cost, provide Customer with such assistance as may be reasonably necessary and technically possible in the circumstances, to assist Customer in fulfilling its obligation to respond to Data Subject Requests.
6.2 Mode shall:
(a) notify Customer if Mode receives a Data Subject Request; and
(b) not respond to any Data Subject Request except on the documented instructions of Customer (and in such circumstances, at Customer’s cost) or as required by applicable laws, in which case Mode shall to the extent permitted by applicable laws inform Customer of that legal requirement before Mode responds to the Data Subject Request.
7. PERSONAL DATA BREACH
7.1 If Mode becomes aware of a Personal Data Breach, Mode will: (a) notify Customer of the Personal Data Breach promptly and without undue delay after becoming aware of the Personal Data Breach; and (b) promptly take reasonable steps to minimise harm and secure Customer Personal Data.
7.2 Notifications made pursuant to this clause will describe, to the extent possible and known, details of the Personal Data Breach, including steps taken to mitigate the potential risks and steps Mode recommends Customer take to address the Personal Data Breach.
7.3 Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any Personal Data Breach(es).
7.4 Mode’s notification of or response to a Personal Data Breach under this clause 7 will not be construed as an acknowledgement by Mode of any fault or liability with respect to the Personal Data Breach.
7.5 Operational clarification relevant to the UK Standard Contractual Clauses: the Parties agree that the provisions of clause 7 (Personal Data Breach) satisfy the requirements of the UK Standard Contractual Clauses.
8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
Mode shall provide reasonable assistance to Customer, at Customer’s cost, with any data protection impact assessments, and prior consultations with the ICO, which Customer reasonably considers to be required of Customer by Article 35 or 36 of the UK GDPR, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, Mode.
9. DELETION OR RETURN OF CUSTOMER PERSONAL DATA
9.1 Upon the expiration of the Subscription Period or earlier termination of the Agreement (the “Term End Date”), and subject to clause 9.2, Customer may in its absolute discretion, by written notice to Mode within thirty (30) days of the Term End Date, require Mode to (a) return a complete copy of all Customer Personal Data to Customer by secure file transfer in such format as is reasonably notified by Customer to Mode; and/or (b) delete all copies of Customer Personal Data Processed by Mode. Mode shall comply with any such written request as soon as reasonably practicable and in all events within ninety (90) days of the date Customer’s written notice is received by Mode.
9.2 Mode may retain Customer Personal Data after the Term End Date to the extent required by applicable laws.
9.3 Operational clarification relevant to the UK Standard Contractual Clauses: certification of deletion of Personal Data as described in Clause 12(1) of the UK Standard Contractual Clauses shall be provided only upon Customer’s written request.
10. AUDIT RIGHTS
10.1 Mode will allow an independent auditor appointed by Customer to conduct audits (including inspections) to verify Mode’s compliance with its obligations under this Addendum in accordance with this clause 10. Mode may, however, object in writing to an auditor appointed by Customer to conduct any audit if the auditor is, in Mode’s reasonable opinion, not suitably qualified or independent, a competitor of Mode, or otherwise manifestly unsuitable. Any such objection by Mode will require Customer to appoint another auditor.
10.2 In addition to the information contained in the Agreement (including this Addendum), Mode will make available for inspection by Customer the following Security Documentation to assist Customer’s determination of compliance by Mode with its obligations under this Addendum: Mode’s most recent System and Organization Controls (SOC) (SOC 2 Type 1) Report.
10.3 Prior to the commencement of any audit or inspection, Mode and Customer will discuss and agree in advance on: (i) the security and confidentiality controls applicable to any inspection or audit; and (ii) the reasonable start date, scope and duration of and security and confidentiality controls applicable to any audit.
10.4 Customer shall give Mode reasonable notice of any audit or inspection to be conducted under clause 10.1 (which shall in no event be less than thirty (30) days’ notice unless required by the ICO pursuant to clause 10.4(f)(ii)) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing, and hereby indemnifies Mode in respect of, any damage, injury or disruption to Mode’s premises, equipment, personnel, data, and business (including any interference with the confidentiality or security of the data of Mode’s other customers or the availability of the Mode Services to such other customers) while its personnel are on those premises in the course of such an audit or inspection; provided, however, that Mode need not give access to its premises, equipment, personnel, data, business, Security Documentation or systems for the purposes of such an audit or inspection:
(a) to any individual unless he or she produces reasonable evidence of identity and authority;
(b) to any auditor whom Mode has not given its prior written approval;
(c) unless the auditor enters into a non-disclosure agreement with Mode on terms acceptable to Mode;
(d) where, and to the extent that, Mode considers, acting reasonably, that to do so would result in interference with the confidentiality or security of the data of Mode’s other customers or the availability of the Mode Services to such other customers;
(e) outside normal business hours at those premises; or
(f) on more than one (1) occasion in each period of twelve (12) months during the term of the Agreement (or where the term of the Agreement is less than twelve (12) months, on more than one (1) occasion during such shorter term), except for any additional audits or inspections which:
(i) Customer reasonably considers necessary because of a Personal Data Breach; or
(ii) Customer is required to carry out by UK Data Protection Laws or the ICO or other regulator,
where Customer has identified the Personal Data Breach or the relevant legal requirement in its notice to Mode of the audit or inspection.
10.5 The Parties shall discuss and agree the costs of any inspection or audit to be carried out by or on behalf of Customer pursuant to this clause 10 in advance of such inspection or audit and, unless otherwise agreed in writing between the Parties, Customer shall bear any third party costs in connection with such inspection or audit and reimburse Mode for all costs incurred by Mode and time spent by Mode (at Mode’s then-current professional services rates) in connection with any such inspection or audit.
10.6 Operational clarification relevant to the UK Standard Contractual Clauses: the audits described in Clauses 5(f) and 12(2) of the UK Standard Contractual Clauses shall be performed in accordance with this clause 10, subject to any relevant conditions, limitations or restrictions detailed herein.
11.1 Mode may store and Process Customer Personal Data anywhere Mode or its Subprocessors maintain facilities. Mode will provide information about the location of the data centers it uses to Process Customer Personal Data upon request.
11.2 To the extent that any Processing of Customer Personal Data under this Addendum involves a Restricted Transfer, the Parties shall comply with their respective obligations set out in the UK Standard Contractual Clauses, which are hereby deemed entered into and incorporated by reference into this Addendum.
11.3 In respect of any Restricted Transfer involving Processing in respect of which Customer is itself acting as a Processor on behalf of any other person, Customer warrants and represents on an ongoing basis, and further undertakes, that it has full and sufficient authority to enter into the UK Standard Contractual Clauses for and on behalf of each such other person.
11.4 To the extent that Mode effects an onwards transfer of Personal Data to which the UK Standard Contractual Clauses apply to a Subprocessor, Customer hereby authorises Mode to enter into the UK Standard Contractual Clauses as agent for Customer (as ‘data exporter’) with that Subprocessor (as ‘data importer’).
11.5 The UK Standard Contractual Clauses referred to in this clause 11 shall only have effect if and to the extent permitted and required under the UK GDPR to establish a valid basis under Chapter V of the UK GDPR in respect of the transfer to Mode of Customer Personal Data hereunder.
11.6 In the event that the UK Standard Contractual Clauses are superseded by standard data protection clauses adopted by either the Secretary of State (under Section 17C of the UK Data Protection Act 2018) or the ICO (under Section 119A of the UK Data Protection Act 2018) pursuant to the UK GDPR, Mode may on notice: (a) update this Addendum to replace the UK Standard Contractual Clauses with the appropriate form of such newly-adopted standard data protection clauses; or (b) update its general Data Processing Addendum (a copy of which can be found here) to apply to UK Data Protection Laws and such newly-adopted standard data protection clauses, and apply it in place of this Addendum and the UK Standard Contractual Clauses.
12. PROCESSING RECORDS
Customer acknowledges that Mode may be required under the UK GDPR to: (a) collect and maintain records of certain information, including the name and contact details of each Processor and/or Controller on behalf of which Mode is acting and, where applicable, of such Processor’s or Controller’s local representative (e.g., any such representative(s) appointed under Article 27 of the UK GDPR) and data protection officer; and (b) make such information available to the ICO. Accordingly, Customer will, where requested, provide such information to Mode, and will ensure that all information provided is kept accurate and up-to-date.
13.1 If and as the UK Standard Contractual Clauses apply, the total combined liability of either party towards the other party under or in connection with the Agreement and such UK Standard Contractual Clauses combined will be limited to limitations on, or exclusions of, liability or other liability caps agreed to by the parties in the Agreement, subject to clause 13.2.
13.2 Nothing in clause 13.1 will affect any party’s liability to Data Subjects under the third party beneficiary provisions of the UK Standard Contractual Clauses to the extent limitation of such rights is prohibited by the UK GDPR or other laws, where applicable.
SCHEDULE 1 (DATA PROCESSING DETAILS)
This Schedule 1 (Data Processing Details) includes certain details of the Processing of Customer Personal Data as required by Article 28(3) of the UK GDPR.
Subject matter of the Processing of Customer Personal Data
Mode’s provision of the Mode Services to Customer
Nature and Purpose of the Processing
Mode will process Customer Personal Data for the purposes of providing the Mode Services to Customer in accordance with the Addendum.
Duration of the Processing
From the Effective Date of the Agreement until deletion of all Customer Personal Data by Mode in accordance with the Addendum.
The Categories of Customer Personal Data to be Processed
Data relating to individuals provided to Mode in connection with the Mode Services, by (or at the direction of) Customer.
The Categories of Data Subject to Whom the Customer Personal Data Relates
Data subjects include the individuals about whom Mode Processes data in connection with the Mode Services.
The Obligations and Rights of Customer
The obligations and rights of Customer are set out in the Agreement and this Addendum.
SCHEDULE 2 (SECURITY MEASURES)
Mode will implement and maintain the Security Measures set out in this Schedule 2. Mode reserves the right to revise the security measures set out in this Schedule 2 at any time, without notice, so long as such revisions do not materially reduce the protection provided for Personal Data that Mode processes in the course of providing the Mode Services.
1) Organizational management and staff responsible for the development, implementation and maintenance of Mode’s information security controls. Executive leadership is involved in reviewing and approving all security policies.
2) Audit and risk assessment procedures for the purposes of periodic review and assessment of security risks to Mode’s organization, monitoring compliance with Mode’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
3) Data security controls that include logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of commercially available and industry standard encryption technologies for Personal Data.
a) Encryption in Transit: Customer content is encrypted in transit using Transport Layer Security. TLS is active on all accounts by default and cannot be disabled by end users.
b) Encryption at Rest: Confidential customer data is encrypted at rest with the Advanced Encryption Standard (AES). Backups are encrypted at rest.
4) Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions. Access accounts are provisioned for engineers on their hire date and deprovisioned on their closing date by a member of the senior engineering staff.
5) User IDs and password configuration requirements have been established that are designed to prevent unauthorized access to production systems. Mode has defined the following password requirements: (i) password length must have a minimum of 10 characters; (ii) password must contain both upper and lowercase characters; (iii) password must contain a number (0-9) and/or a special character; (iv) password must be different from user’s previous 10 passwords; and (v) password must be changed annually.
6) With respect to physical and environmental security, Mode’s production resources are hosted in Amazon Web Services. Physical and environmental security is handled entirely by Amazon and their vendors. Amazon has provided a list of compliance and regulatory security assurances, including representations of SOC 1-3, and ISO27001 compliance.
7) Operational procedures and controls to provide for application deployment and change management, capacity management, and separation of development, testing and production.
8) Incidents are handled in accordance with Mode’s Incident Response Plan following the lifecycle of an incident: Discovery, Acknowledgement, Verification, Scope, Resolution and finally Response. The Privacy Officer(s) and Director of Engineering are responsible for managing the response process in accordance with the IRP, completing an after-action review and coordinating any outbound communication that may be necessary following an incident.
9) Network security controls designed and implemented so that internet connections are required to use transport encryption. Default deny has been established for each application/service group/layer. Service to service connections must be explicitly allowed.
10) Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
11) Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.
SCHEDULE 3 (AUTHORIZED SUBPROCESSORS)
The list of authorized Subprocessors is available here.