DATA PROCESSING ADDENDUM

Last Modified August 28, 2023

This Data Processing Addendum ("DPA") is incorporated into, and supplements, the agreements between MxToolbox, Inc. ("MxToolbox") and Customer governing MxToolbox’s provision, and Customer’s receipt of, the Services (collectively, the "Agreement"). MxToolbox and Customer are each referred to herein as a "Party" and collectively as the "Parties".

This DPA is an agreement between MxToolbox and the entity who receives the Services from MxToolbox pursuant to an Agreement that incorporates this DPA ("Customer") and is effective as of the date this DPA is incorporated into such Agreement (the "DPA Effective Date").

  1. Definitions. Capitalized terms shall have the definitions set forth in this Section or throughout this DPA. All capitalized terms not defined in this DPA have the meanings set forth in the Agreement.
    1. "Adequate Country" means: (1) for Personal Data Processed subject to the EU GDPR: (a) a member state of the EEA; or (b) a country or territory that is the subject of an adequacy decision by the Commission under Article 45(1) of the EU GDPR ("EU Adequate Countries"); (2) for Personal Data Processed subject to the UK GDPR: (a) the UK; or (b) a country or territory that is the subject of the adequacy regulations under Article 45(1) of the UK GDPR and Section 17A of the UK DPA ("UK Adequate Countries"); or (3) for Personal Data Processed subject to the Swiss FADP: (a) Switzerland; or (b) a country or territory that: (i) is included in the list of the states whose legislation ensures an adequate level of protection as published by the Swiss Federal Data Protection and Information Commissioner; or (ii) is the subject of an adequacy decision by the Swiss Federal Council under the Swiss FADP ("Swiss Adequate Countries").
    2. "Affiliate" means any entity that controls, is controlled by, or is under common control with a Party, where "control" means the ability, whether directly or indirectly, to direct the affairs of another by means of ownership, contract, or otherwise.
    3. "CCPA" means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100, et seq., as amended, including by the California Privacy Rights Act of 2020, and their implementing regulations.
    4. "Controller" means the natural or legal person or entity who determines the purposes and means of the Processing of Personal Data.
    5. "Customer Data" means any Personal Data provided by Customer that is Processed by MxToolbox pursuant to the Agreement and this DPA. For clarity, Customer Data does not include any Operational Data or MxToolbox Data.
    6. "Customer Instructions" means Customer’s instructions to MxToolbox to Process Customer Data on Customer’s behalf: (1) as necessary to provide the Services to Customer; (2) as documented in the Agreement and this DPA; and (3) as otherwise instructed by Customer in writing and acknowledged and agreed by MxToolbox.
    7. "Data Privacy Laws" means all laws, rules, regulations, and orders issued thereunder relating in any way to data protection, breach notification, privacy, or electronic marketing of any country, state, principality, or other territory that are applicable to the Processing of Customer Data under the Agreement, which may include, where applicable and without limitation, CCPA, the European Privacy Laws, PIPEDA, and/or VCDPA.
    8. "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
    9. "Data Subject Request" means a request from an individual seeking to exercise rights granted to individuals under the Data Privacy Laws.
    10. "Europe" means, for the purposes of this DPA, the European Union, the European Economic Area ("EEA"), and/or their respective member states; the United Kingdom; and Switzerland.
    11. "European Privacy Laws" means all data protection laws and regulations applicable to Europe, each as amended from time to time, including: (1) with respect to the European Union, the EEA, and/or their respective member states: (a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC ("EU GDPR"); (b) Directive 2002/58/EC concerning the Processing of Personal Data and protection of privacy in the electronic communications sector (the "E-Privacy Directive"); and/or (c) applicable national implementations of the EU GDPR and the E-Privacy Directive; (2) with respect to Switzerland, the Federal Act on Data Protection of June 19, 1992 ("Swiss FADP"); and (3) with respect to the United Kingdom: (a) the Data Protection Act of 2018 ("UK DPA"); and (b) the retained EU law version of the General Data Protection Regulation as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2019 (SI 2019/419) ("UK GDPR").
    12. "Operational Data" means any Customer Data and any other data or information related to Customer’s use of the Services that is aggregated and deidentified or otherwise anonymized by or on behalf of MxToolbox in a manner that complies with any requirements under applicable law relating to the nature and effect of such aggregation, de-identification, or anonymization and, in all cases, does not, as applicable, identify Customer as the source of such Customer Data or other data or information or, with respect to any Customer Data, any individual to whom such Customer Data relates.
    13. "Personal Data" means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable Data Subject. For clarity, Personal Data does not include, without limitation, any data that has been aggregated and deidentified or otherwise anonymized.
    14. "Personnel" means MxToolbox’s employees, agents, and contractors engaged by MxToolbox to provide the Services and as otherwise necessary to enable MxToolbox to perform its obligations and/or exercise its rights under the Agreement and/or this DPA.
    15. "PIPEDA" means the Canadian Information Protection and Documents Act, as amended from time to time.
    16. "Processing" (including corollary terms) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automatic means, including, without limitation, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
    17. "Processor" means the entity which Processes Personal Data on behalf of the Controller.
    18. "Restricted Transfer" means: (1) for Personal Data subject to the EU GDPR, the transfer of such Personal Data to, or making such Personal Data available for Processing in, any country, territory, or other jurisdiction that is not an EU Adequate Country (an "EU Restricted Transfer"); (2) for Personal Data subject to the UK GDPR, the transfer of such Personal Data to, or making such Personal Data available for Processing in, any country, territory, or other jurisdiction that is not a UK Adequate Country (a "UK Restricted Transfer"); and/or (3) for Personal Data subject to the Swiss FADP, the transfer of such Personal Data to, or making such Personal Data available for Processing in, any country, territory, or other jurisdiction that is not a Swiss Adequate Country (a "Swiss Restricted Transfer").
    19. "Security Breach" means a breach of MxToolbox’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data on systems managed or otherwise controlled by MxToolbox.
    20. "Security Documentation" means the security documents applicable to the specific Services provided to Customer, as updated from time to time and as made reasonably available to Customer by MxToolbox.
    21. "Services" means those services provided by MxToolbox to Customer pursuant to an Agreement where, in the performance of such services, MxToolbox Processes Customer Data on behalf of Customer as a Processor.
    22. "Standard Contractual Clauses" means, generally or as context otherwise dictates: (1) where the EU GDPR or the Swiss FADP applies, the contractual clauses annexed to the Commission’s implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (2) where the UK GDPR applies, the "UK Addendum to EU Standard Contractual Clauses" issued by the Information Commissioner’s Office under the UK DPA ("UK Addendum").
    23. "Sub-Processor" means a Processor engaged by MxToolbox to Process Customer Data on Customer’s behalf under this DPA.
    24. "Supervisory Authority" means any applicable federal, state, local, or foreign government or any provincial, departmental, or other political subdivision thereof, or any entity, body, or authority having or asserting executive, legislative, judicial, regulatory, administrative, or other governmental functions of any court, department, commission, board, bureau, agency, or instrumentality of any of the foregoing, responsible for or involved in the enforcement and/or oversight of the Data Privacy Laws.
    25. "VCDPA" means the Virginia Consumer Data Protection Act, Va. Code § 59.1-575, et seq., as amended, and any regulations issued thereunder.
  2. Scope of DPA.
    1. Roles of the Parties. As between the Parties, Customer shall be the Controller and MxToolbox shall be the Processor with respect to the Customer Data MxToolbox Processes for or on behalf of Customer in connection with MxToolbox’s provision of the Services and the Customer Instructions and this DPA shall apply to all such Processing undertaken by MxToolbox.
    2. Limitation of Obligations. Notwithstanding anything to the contrary in the Agreement or this DPA, Customer acknowledges and agrees that MxToolbox has no obligation to assess Customer Data in order to identify information subject to any legal requirements. Customer further acknowledges and agrees that this DPA, and MxToolbox’s actions under this DPA, do not, and shall not be interpreted to, relieve Customer of its obligations under the Data Privacy Laws and Customer shall be solely responsible for its compliance therewith.
    3. Excluded Processing. Notwithstanding anything to the contrary in the Agreement or this DPA, Customer acknowledges and agrees that due to the nature of MxToolbox’s operations and the services MxToolbox provides, MxToolbox acts as a Controller with respect to certain Personal Data Processed in connection with those operations and services ("MxToolbox Data"). Customer expressly agrees that any MxToolbox Data Processed by or on behalf of MxToolbox in its role as a Controller is not subject to this DPA. Further, the Parties agree that with respect to any Personal Data to which each party is a Controller, the Parties are independent Controllers with respect to such Personal Data.
    4. Operational Data. Notwithstanding anything to the contrary in the Agreement or this DPA, Customer acknowledges and agrees that MxToolbox may, subject to MxToolbox’s compliance with applicable Data Privacy Laws, create, collect, generate, or otherwise obtain Operational Data through or in connection with MxToolbox’s provision and Customer’s use of the Services. Customer further acknowledges and agrees that Customer shall not acquire any right, title, or interest in or to any Operational Data.
  3. Customer Obligations.
    1. Compliance with Data Privacy Laws. Customer shall comply with the Agreement, this DPA, and the Data Privacy Laws in connection with the Processing of Personal Data applicable to Customer as a Controller, including, without limitation:
      1. providing legally-compliant privacy notices to, and obtaining all necessary consents and permissions from, Data Subjects with respect to the Processing of such Data Subjects’ Personal Data included within the Customer Data;
      2. responding to and fulfilling Data Subject Requests in accordance with the applicable Data Privacy Laws; and
      3. ensuring Customer has the right to transfer Customer Data to MxToolbox, or otherwise provide MxToolbox access to Customer Data for the purpose of MxToolbox Processing the Customer Data on Customer’s behalf as contemplated under the Agreement, this DPA, and the Customer Instructions.
    2. Accuracy and Quality of Customer Data. Customer shall have the sole responsibility for the accuracy and quality of the Customer Data provided by Customer to MxToolbox for Processing under the Agreement and this DPA and complying with all applicable laws, including, without limitation, the Data Privacy Laws, with respect to the means by which Customer acquired such Customer Data.
    3. Customer Instructions. Customer shall be solely responsible for ensuring that all Customer Instructions comply with all applicable laws, including, without limitation, the Data Privacy Laws.
    4. Data Localization Requirements. Without limiting anything set forth in the Agreement or this DPA, Customer shall notify MxToolbox of any data localization requirement or restriction on the transfer of Customer Data to the extent that such requirement or restriction may affect MxToolbox’s Processing of such Customer Data in accordance with the Agreement, this DPA, or the Customer Instructions.
  4. MxToolbox Obligations.
    1. Compliance. MxToolbox shall only Process Customer Data as specified in the Agreement and this DPA, in accordance with the Customer Instructions, and/or as otherwise permitted under applicable Data Privacy Laws. For clarity, MxToolbox shall comply with the Customer Instructions with respect to MxToolbox’s Processing of Customer Data unless applicable law to which MxToolbox is subject requires MxToolbox to undertake other Processing of Customer Data, in which case MxToolbox will notify Customer (unless otherwise prohibited by such applicable law) before undertaking such other Processing.
    2. Restrictions. Without limiting anything set forth in the Agreement or this DPA, MxToolbox shall not:
      1. sell or share (as and to the extent such terms are defined in the Data Privacy Laws) Customer Data;
      2. retain, use, or disclose the Customer Data for any purpose other than the business purposes specified in the Agreement or this DPA, including, retaining, using, or disclosing Customer Data for a commercial purpose other than the applicable business purposes or as otherwise permitted under the Data Privacy Laws;
      3. retain, use, or disclose Customer Data outside of the direct relationship between MxToolbox and Customer except as necessary to perform the Services under the Agreement or otherwise pursuant to the Customer Instructions; and/or
      4. combine the Customer Data which MxToolbox receives from or on behalf of Customer, with Personal Data MxToolbox receives from or on behalf of any third party or collects through MxToolbox’s own interactions with Data Subjects, provided that MxToolbox may combine Customer Data with other Personal Data to perform any business purpose as defined or permitted under the Data Privacy Laws where applicable.
    3. Certification. MxToolbox certifies to Customer that:
      1. it understands and will comply with the foregoing restrictions placed on its Processing of Customer Data, including complying with applicable obligations under the Data Privacy Laws;
      2. it will provide the same level of privacy protection as the Data Privacy Laws require; and
      3. it will notify Customer without undue delay if MxToolbox is or is likely to become unable to substantially comply with any of its material obligations under this DPA or its obligations under the Data Privacy Laws.
  5. Data Subject Requests.
    1. Notification of Data Subject Requests. In the event MxToolbox receives a Data Subject Request in relation to Customer Data and the request identifies Customer as the Controller, MxToolbox will advise the Data Subject to submit the Data Subject Request to Customer. Customer will be responsible for responding to and fulfilling any Data Subject Request.
    2. MxToolbox’s Assistance. Taking into account the nature of the Processing of Customer Data undertaken by MxToolbox, MxToolbox shall provide reasonable assistance to Customer, through MxToolbox’s appropriate technical and organizational measures, insofar as this is possible, in fulfilling MxToolbox’s obligations under the Data Privacy Laws as a Processor in connection with Customer’s response to Data Subject Requests.
  6. Handling Customer Data.
    1. Disclosure to MxToolbox Personnel. MxToolbox shall take reasonable steps to ensure the reliability and confidentiality of any Personnel to whom MxToolbox provides access to Customer Data, ensuring that access is strictly limited to those Personnel who need to have access to the relevant Customer Data for the purposes of providing the Services and/or as otherwise necessary to enable MxToolbox to comply with MxToolbox’s obligations under the Agreement, this DPA, the Customer Instructions, and applicable laws, including, without limitation, applicable Data Privacy Laws.
    2. Disclosure to Third Parties. MxToolbox may transfer, disclose, or provide access to Customer Data to third parties: (1) as permitted under the Agreement, this DPA, and in accordance with the Customer Instructions; (2) to the extent required by applicable law (subject to compliance with applicable Data Privacy Laws); (3) to a Supervisory Authority and/or as otherwise required by the Data Privacy Laws; and/or (4) on a "need-to-know" basis under an obligation of confidentiality or professional secrecy to its legal counsel(s), data protection advisor(s), and accountant(s).
  7. Sub-Processors.
    1. Consent to Sub-Processor Engagement. Customer specifically authorizes MxToolbox to engage as Sub-Processors: (1) those entities listed in Schedule 1, attached hereto and incorporated herein by reference; and (2) all MxToolbox Affiliates. Without prejudice to Section 7.4 below, Customer generally authorizes MxToolbox to engage any other third party as a Sub-Processor at any time during the term of this DPA ("New Third Party Sub-Processor").
    2. Sub-Processor Information. To the extent required under the applicable Data Privacy Laws, MxToolbox will make available to Customer information about Sub-Processors engaged by MxToolbox, including their respective functions and locations.
    3. Sub-Processor Engagement Requirements. In connection with its engagement of any Sub-Processor, MxToolbox will:
      1. ensure via written contract that the Sub-Processor only accesses and uses Customer Data to the extent required to perform the obligations assigned to it, and does so in accordance with a binding written agreement that imposes the same or greater obligations as MxToolbox’s obligations set forth in this DPA; and
      2. remain fully liable for all obligations assigned to, and all acts and omissions of, the Sub-Processor in connection with such Sub-Processor’s Processing of Customer Data.
    4. Right to Object to Sub-Processor Changes.
      1. In the event MxToolbox engages any New Third Party Sub-Processor during the term of the Agreement, MxToolbox will, at least thirty (30) days before the New Third Party Sub-Processor starts Processing any Customer Data, notify Customer of the engagement (including the name and location of the relevant New Third Party Sub-Processor and the activities it will perform).
      2. Customer may, within fifteen (15) days after being notified of the engagement of a New Third Party Sub-Processor, reasonably object to such New Third Party Sub-Processor. In the event Customer reasonably objects to such New Third Party Sub-Processor, MxToolbox will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s use of the Services to avoid Processing of Customer Data by the objected-to New Third Party Sub-Processor without unreasonably burdening Customer. If MxToolbox is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as its sole remedy, terminate the Agreement and this DPA by providing written notice to MxToolbox provided that all undisputed amounts due under the Agreement before the termination date shall be duly paid to MxToolbox. Until a decision is made regarding the objected-to New Third Party Sub-Processor, MxToolbox may temporarily suspend the Processing of the affected Customer Data. Customer will have no further claims against MxToolbox due to Services performed by MxToolbox or Sub-Processors before the date of objection.
  8. Security and Additional Assistance.
    1. Security Measures. Taking into account the nature of the Processing of Customer Data undertaken by MxToolbox for or on behalf of Customer, MxToolbox shall, in relation to its Processing of Customer Data, implement and maintain appropriate and commercially reasonable technical, physical and organizational security controls designed to prevent the reasonably foreseeable accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access to the Customer Data and other security controls required under the Data Privacy Laws (the "Security Measures"). Such Security Measures shall be documented in the applicable Security Documentation found here: https://mxtoolbox.com/SecurityStatement.aspx
    2. Review of Security Documentation. Upon Customer’s written request at reasonable intervals, but no more frequently than annually, and subject to the confidentiality obligations set forth in the Agreement and this DPA, MxToolbox will make available to Customer a copy of the applicable Security Documentation, which may include, based on the Services provided under the Agreement, MxToolbox’s most recent third party audits or certifications; provided, however, that such Security Documentation shall only be used by Customer to assess MxToolbox’s compliance with this DPA and/or the Data Privacy Laws, and Customer shall not use any such Security Documentation for any other purpose or disclose such Security Documentation to any third party without MxToolbox’s prior written approval. Without limiting anything set forth in the Agreement or this DPA, upon MxToolbox’s request, Customer shall return to MxToolbox all Security Documentation in Customer’s possession or under its control.
    3. Audits.
      1. Solely to the extent required under the Data Privacy Laws and subject to this Section 8.3, MxToolbox will allow Customer, no more frequently than annually, to conduct audits (including inspections) to verify MxToolbox’s compliance with its obligations under this DPA and/or applicable Data Privacy Laws ("Customer Audit"); provided, however, any such Customer Audit, including, without limitation, any observations, conclusions, or other results of any such Customer Audit and any documents reflecting the foregoing (collectively, "Customer Audit Results"), shall only be used by Customer to assess MxToolbox’s compliance with this DPA and/or the Data Privacy Laws, and shall not be used for any other purpose or disclosed to any third party without MxToolbox’s prior written approval and, subject to express requirements under the Data Privacy Laws to the contrary, upon MxToolbox’s request, Customer shall transfer all such Customer Audit Results in Customer’s possession or under its control to MxToolbox.
      2. Customer must send any requests to conduct a Customer Audit of MxToolbox to legal@mxtoolbox.com. Following MxToolbox’s receipt of such request, MxToolbox and Customer will discuss and agree in advance on the reasonable start date and duration of such Customer Audit and the scope of MxToolbox’s Security Measures in scope for such Customer Audit. Notwithstanding the foregoing, unless otherwise agreed by MxToolbox in writing, any Customer Audit: (1) involving inspection of MxToolbox’s business offices or data centers shall be limited to such business offices or data centers where MxToolbox Processes Customer Data for or on behalf of Customer and shall expressly exclude inspection of or access to any premises and systems containing Personal Data MxToolbox Processes for or on behalf of itself or any third party that is logically but not physically separated from Customer Data; (2) shall only occur during MxToolbox’s normal business hours; (3) shall be conducted in a manner that minimizes any disruptions to MxToolbox’s business operations; and (4) shall be subject to all confidentiality obligations set forth in the Agreement and this DPA and security policies and rules in effect at the applicable business office or data center.
      3. Except as otherwise expressly prohibited under the Data Privacy Laws, MxToolbox may charge a fee (based on MxToolbox’s reasonable costs) for any Customer Audit conducted pursuant to this Section 8.3. Upon Customer’s written request, MxToolbox will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of the applicable Customer Audit. Without limiting the foregoing, Customer will be responsible for any fees charged by any auditor appointed by Customer to conduct any such Customer Audit.
      4. MxToolbox may object in writing to any third party auditor appointed by Customer to conduct any Customer Audit under this Section 8.3 if the third party auditor is, in MxToolbox’s reasonable opinion, not suitably qualified or independent, a competitor of MxToolbox, or otherwise manifestly unsuitable. Any such objection by MxToolbox will require Customer to appoint a different third party auditor or conduct the Customer Audit itself.
      5. Without limiting the foregoing, prior to conducting any Customer Audit, Customer shall undertake reasonable efforts to conduct any such Customer Audit through a review of the Security Documentation in accordance with the procedures described in Section 8.2.
    4. Additional Reviews Under CCPA.
      1. Solely to the extent required under the CCPA and solely with respect to MxToolbox’s Processing of Customer Data subject to the CCPA ("CCPA Data"):
        1. MxToolbox grants Customer the right to: (1) take reasonable and appropriate steps to help ensure MxToolbox uses CCPA Data it receives from Customer in a manner consistent with Customer’s obligations under the CCPA; and (2) upon notice, take reasonable and appropriate steps to stop and remediate MxToolbox’s unauthorized use of CCPA Data; and
        2. subject to MxToolbox’s agreement, in MxToolbox’s sole and absolute discretion, no more frequently than annually, Customer may monitor MxToolbox’s compliance with this DPA with respect to MxToolbox’s Processing of CCPA Data through additional measures that may include, without limitation, manual reviews, automated scans or other technical and operational testing.
      2. For clarity, except where prohibited under the CCPA:
        1. the rights and reviews set forth in Section 8.4(a) shall be subject to any applicable limitations or requirements set forth in the Agreement or this DPA, including, without limitation, all confidentiality obligations set forth in the Agreement and this DPA and exceptions to MxToolbox’s obligations to provide the Services in accordance with any service level agreement or other service level commitment; and
        2. under no circumstances shall Section 8.4(a)(2) prohibit or otherwise preclude MxToolbox from: (1) declining to agree to permit Customer to perform any additional measure; or (2) conditioning MxToolbox’s agreement to permit Customer to perform any particular additional measures on Customer’s agreement to comply with any restrictions or requirements specified by MxToolbox.
    5. Security Breach. In the event of a Security Breach, MxToolbox will notify Customer promptly and without undue delay after MxToolbox discovers such Security Breach. Such notification of a Security Breach will be delivered to the notice address for Customer provided in the Agreement, or, at MxToolbox’s discretion, by telephone or other direct communication. MxToolbox will provide reasonable assistance to Customer to investigate, remediate, and mitigate the effects of a Security Breach and to comply with any requirements to notify affected Data Subjects, applicable Supervisory Authorities, or other third parties, all as and to the extent required under the applicable Data Privacy Laws.
  9. Restricted Transfers.
    1. EU Restricted Transfers and Swiss Restricted Transfers. For any transfer of Customer Data that is an EU Restricted Transfer or a Swiss Restricted Transfer, the Parties agree that such transfer shall be subject to the EU SCCs, completed as follows:
      1. the appropriate Module will apply based on the nature of the transfer, including, without limitation, the nature and role of the data exporter and data importer;
      2. in Clause 7, the optional docking clause will apply;
      3. for EU SCCs utilizing Modules Two or Three, in Clause 9(a), Option 2 will apply, and the time period for prior notice of Sub-Processor changes shall be as set forth in Section 7.4 of this DPA;
      4. in Clause 11(a), the optional language shall not apply;
      5. for EU SCCs utilizing Modules One, Two or Three:
        1. in Clause 17, Option 1 will apply and the governing laws shall be the laws of the EEA member state where Customer’s main business operations are located or, if no such business operations are located in any EEA member state, the Republic of Ireland; and
        2. in Clause 18(b), disputes shall be resolved before the courts of the EEA member state where Customer’s main business operations are located or, if no such business operations are located in any EEA member state, the Republic of Ireland;
      6. for EU SCCs utilizing Module Four:
        1. in Clause 17, the EU SCCs shall be governed by the laws of the United States of America; and
        2. in Clause 18(b), disputes shall be resolved before the United States District Court for the Western District of Texas or, in the event such jurisdiction is not available, any of the appropriate courts of the State of Texas;
      7. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I of Schedule 2, attached hereto and incorporated by reference;
      8. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II of Schedule 2, attached hereto and incorporated herein by reference; and
      9. for EU SCCs utilizing Modules Two or Three, Annex III of the EU SCCs shall be deemed completed with the information set out in Schedule 1.
    2. UK Restricted Transfers. When a transfer of Customer Data is a UK Restricted Transfer, the Parties agree to rely on the EU SCCs for such UK Restricted Transfers, subject to completion of the UK Addendum as follows:
      1. the EU SCCs, completed as set out in Section 9.1 shall also apply to such UK Transfers, subject to Section 9.2(b); and
      2. the UK Addendum shall be deemed completed with the information set out in Schedule 3, attached hereto and incorporated herein by reference, and the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of such UK Restricted Transfers.
    3. No Modification of Standard Contractual Clauses.In the event of any conflict, directly or indirectly, between the terms of this DPA and/or the Agreement and the terms of the EU SCCs and/or UK Addendum, the EU SCCs and/or UK Addendum, as applicable, shall control.
  10. Destruction and Retention of Customer Data. Without limitation, upon Customer’s request, the cessation of MxToolbox’s provision of the applicable portion of the Services under the Agreement involving the Processing of Customer Data, or the expiration or earlier termination of the Agreement, MxToolbox shall promptly, and in any event within sixty (60) days, delete, and procure the deletion of, the applicable Customer Data; provided, however, the foregoing shall not apply if and to the extent MxToolbox is required to retain such Customer Data pursuant to MxToolbox’s obligations under applicable laws. For the avoidance of doubt, in the event MxToolbox retains any Customer Data pursuant to the foregoing, MxToolbox shall Process such retained Customer Data solely to the extent necessary to comply with MxToolbox’s obligations under applicable laws.
  11. Restricted Transfers.
    1. Liability and Indemnification. With respect to any claim, loss, or liability based upon, arising out of, resulting from, or in any way connected with a Party’s performance or breach of this DPA: (1) such Party shall only be obligated to indemnify, defend, and hold the other Party harmless to the extent such obligation exists pursuant to such Party’s indemnification, defense, and hold harmless obligations set forth in the Agreement (if any); and (2) each Party’s total liability to the other Party is limited in accordance with the applicable limitations of liability set forth in the Agreement.
    2. Term. This DPA shall be effective as of the DPA Effective Date and continue in full force and effect until MxToolbox ceases providing all Services to Customer under and in accordance with the Agreement. The provisions of this DPA which by their nature are intended to survive the expiration or earlier termination of this DPA shall continue as valid and enforceable obligations of the Parties notwithstanding any such termination or expiration. Without limitation, the provisions regarding confidentiality, compliance with applicable laws, and restrictions on the Processing of Customer Data shall survive the expiration or earlier termination of this DPA.
    3. Relationship to Agreement. This DPA shall be governed by and construed in accordance with the terms set forth in the Agreement as if fully set forth herein. Without limiting anything set forth herein, the Parties acknowledge and agree that they have taken all actions (if any) required under the Agreement to incorporate this DPA therein. Any dispute arising out of this DPA shall be resolved as set out in the Agreement. The requirements set forth in this DPA are in addition to, and not in lieu of, any similar requirements set forth in the Agreement. Notwithstanding anything to the contrary in the Agreement, to the extent of any conflict or inconsistency between the terms of this DPA and the Agreement, this DPA shall control. Except as set forth in this DPA, the Agreement remains in full force and effect, as amended, and is hereby ratified and confirmed in all respects.
    4. Invalidity. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either: (1) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as completely as possible; or (2) if (1) is not possible, construed in a manner as if the invalid or unenforceable part had never been contained in this DPA.
    5. Amendments. MxToolbox may update or modify this DPA from time to time by, without limitation, posting a revised version of this DPA on MxToolbox’s website and publishing a general notice of such changes via MxToolbox’s website or, as applicable and feasible, through the Services. Subject to compliance with applicable laws, Customer’s access to or use of the Services after receiving notice of changes to this DPA, whether by general notice or direct notice provided by MxToolbox to Customer, shall constitute Customer’s acceptance of such updates or modifications.
    6. Changes to Data Protection Laws. MxToolbox and Customer acknowledge that the Data Protection Laws as of the DPA Effective Date may change during the term of the Agreement. MxToolbox and Customer shall comply with any and all such changes to the extent applicable to the Processing of Customer Data under the Agreement and this DPA.

SCHEDULE 1

MXTOOLBOX SUB-PROCESSORS

Infrastructure Sub-Processors – Personal Data Storage and Processing

MxToolbox uses third party Sub-Processors to provide infrastructure services, host and Process Customer Data submitted through the Services and to help MxToolbox to provide customer support and email notifications. Currently, the MxToolbox production systems used for hosting Customer Data are in co-location facilities in the United States. The following table describes the legal entities MxToolbox has engaged as Sub-Processors to Process Customer Data together with a description of the Processing undertaken by such Sub-Processors and the countries in which they Process Customer Data.

SUB-PROCESSOR | DESCRIPTION OF THE SERVICE THE SUB-PROCESSOR IS PROVIDING | SERVER LOCATION
Amazon Web Services, Inc. | Cloud Service Provider Content Delivery Network | United States
Hubspot | Support Ticket Management | United States
Customer.io | In-App Automated Customer Messaging | United States

Contractual Safeguards

MxToolbox generally requires its Sub-Processors to satisfy equivalent obligations as those imposed on MxToolbox under the DPA, including, but not limited to, the requirements to:

  • Process Customer Data in accordance with Customer’s documented instructions as communicated to the relevant Sub-Processor by MxToolbox;
  • In connection with their Processing activities undertaken as a Sub-Processor, only use personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable Data Privacy Laws;
  • Provide regular training in security and data protection to personnel to whom they grant access to Customer Data;
  • Implement and maintain appropriate technical and organizational measures (including measures consistent with those to which MxToolbox is contractually committed to adhere to insofar as they are equally relevant to the Sub-Processor’s Processing of Customer Data) and provide an annual certification that evidences compliance with this obligation. In the absence of such certification, MxToolbox reserves the right to audit the Sub-Processor;
  • Promptly inform MxToolbox about any actual or potential Security Breach; and
  • Cooperate with MxToolbox in order to deal with requests from data controllers, data subjects or data protection authorities, as applicable.

The foregoing does not provide Customer any additional rights or remedies and should not be construed as a binding agreement. The information herein is only provided to illustrate MxToolbox’s engagement process for Sub-Processors as well as to provide the actual list of Sub-Processors engaged by MxToolbox as Sub-Processors as of the DPA Effective Date which MxToolbox may use in the delivery and support of the Services.

SCHEDULE 2

ANNEX I – Details of the Processing

  1. LIST OF PARTIES

    Data exporter(s):

    Name: As specified in the Agreement

    Address: As specified in the Agreement.

    Contact person’s name, position and contact details: As specified in the Agreement

    Activities relevant to the data transferred under these Clauses: The data importer provides the Services to the data exporter in accordance with the Agreement.

    Signature and date: The parties agree that execution of the Agreement and acceptance of the DPA by Customer shall constitute execution of these Clauses by both parties.

    Role (controller/processor): Controller

    Data exporter(s):

    Name: MxToolbox, Inc

    Address: 12710 Research Blvd. Ste. 225 Austin Texas, 78759

    Contact person’s name, position and contact detail: Steve Davies, Sales Manager, legal at mxtoolbox.com

    Activities relevant to the data transferred under these Clauses: The data importer provides the Services to the data exporter in accordance with the Agreement.

    Signature and date: The parties agree that execution of the Agreement and acceptance of the DPA by Customer shall constitute execution of these Clauses by both parties.

    Role: Processor

  2. DESCRIPTION OF TRANSFER

    Categories of data subjects whose personal data is transferred

    • Customers or prospective customers – information about those that use a company’s services or have inquired about their services.
    • Employees – information collected about members of staff within an organization.
    • Subscribers – individuals that have signed up for a regular service, such as newsletters or products. These people may or may not also be customers, depending on the services they have signed up for.
    • Users – individuals that use a service, such as a social media platform or forum. Users have signed up but are not purchasing a product or receiving a regular service.

    Categories of personal data transferred

    • Basic personal identifiers - information, such as name, email address, or address, that can identify an individual. This does not include information that is of a more sensitive nature.
    • Identification data – information that is used to identify an individual. This may not be a name, but could also be a customer number or username that can be combined with other information to uniquely identify a person
    • Location data – information such as geolocation data that can identify where a person lives, works or otherwise spends their time. As this data can be used to track someone’s movements, it can in turn help identify individuals and can therefore be personal data.

    Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

    Not applicable

    The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

    Continuous for the duration of the Agreement.

    Nature of the processing

    Processing necessary to provide the Services to Customer in accordance with the documented instructions provided in the Agreement and the DPA.

    Purpose(s) of the data transfer and further processing

    Processing necessary to provide the Services to Customer in accordance with the documented instructions provided in the Agreement and the DPA.

    The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.

    The data importer will retain transferred Customer Data until its deletion in accordance with the provisions of the Agreement and the DPA (as applicable).

    For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing.

    The subject matter, nature and duration of the Processing shall be as specified in the Agreement and the DPA (as applicable).

  3. COMPETENT SUPERVISORY AUTHORITY

    Identify the competent supervisory authority/ies in accordance with Clause 13.

    With respect to the EU SCCs, the data exporter’s competent supervisory authority will be determined in accordance with the EU GDPR.

    With respect to the UK SCCs, the data exporter’s competent supervisory authority is the United Kingdom Information Commissioner’s Office.

SCHEDULE 2

ANNEX II – Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data

MODULE ONE: Transfer controller to controller

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

Data importer shall comply with the measures set out in MxToolbox’s Security Measures in force from time to time, including those set forth in MxToolbox’s Security Statement, a current copy of which is located at: https://mxtoolbox.com/SecurityStatement.aspx

SCHEDULE 3

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

VERSION B1.0, in force 21 March 2022

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1: Tables

Table 1: Parties

See Annex 1.A of Schedule 1

Table 2: Selected SCCs, Modules and Selected Clauses

See Section 10 of the DPA

Table 3: Appendix Information

See Annexes I, II, and III of Schedule 1

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: ☒ Importer

Part 2: Mandatory Clauses

Entering into this Addendum

  1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
  2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.

Interpretation of this Addendum

  1. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
    Addendum: This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.
    Addendum EU SCCs: The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information.
    Appendix Information: As set out in Table 3.
    Appropriate Safeguards: The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
    Approved Addendum: The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18.
    Approved EU SCCs: The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
    ICO: The Information Commissioner.
    Restricted Transfer: A transfer which is covered by Chapter V of the UK GDPR.
    UK: The United Kingdom of Great Britain and Northern Ireland.
    UK Data Protection Laws: All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
    UK GDPR: As defined in section 3 of the Data Protection Act 2018.
  2. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfills the Parties’ obligation to provide the Appropriate Safeguards.
  3. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
  4. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
  5. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
  6. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

Hierarchy

  1. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
  2. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
  3. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.

Incorporation of and changes to the EU SCCs

  1. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
    1. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
    2. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
    3. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
  2. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
  3. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
  4. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
    1. References to the "Clauses" means this Addendum, incorporating the Addendum EU SCCs;
    2. In Clause 2, delete the words:

      "and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679";

    3. Clause 6 (Description of the transfer(s)) is replaced with:

      "The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.";

    4. Clause 8.7(i) of Module 1 is replaced with:

      "it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer";

    5. Clause 8.8(i) of Modules 2 and 3 is replaced with:

      "the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;"

    6. References to "Regulation (EU) 2016/679", "Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)" and "that Regulation" are all replaced by "UK Data Protection Laws". References to specific Article(s) of "Regulation (EU) 2016/679" are replaced with the equivalent Article or Section of UK Data Protection Laws;
    7. References to Regulation (EU) 2018/1725 are removed;
    8. References to the "European Union", "Union", "EU", "EU Member State", "Member State" and "EU or Member State" are all replaced with the "UK";
    9. The reference to "Clause 12(c)(i)" at Clause 10(b)(i) of Module one, is replaced with "Clause 11(c)(i)";
    10. Clause 13(a) and Part C of Annex I are not used;
    11. The "competent supervisory authority" and "supervisory authority" are both replaced with the "Information Commissioner";
    12. In Clause 16(e), subsection (i) is replaced with:

      "the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;";

    13. Clause 17 is replaced with:

      "These Clauses are governed by the laws of England and Wales.";

    14. Clause 18 is replaced with:

      "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts."; and

    15. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
  1. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
  2. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
  3. From time to time, the ICO may issue a revised Approved Addendum which:
    1. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
    2. reflects changes to UK Data Protection Laws;

    The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.

  4. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 "Ending the Addendum when the Approved Addendum changes", will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
    1. its direct costs of performing its obligations under the Addendum; and/or
    2. its risk under the Addendum,

    and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.

  5. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.