DATA PROCESSING ADDENDUM
The Customer, as set out on the Order Form (“Customer”), and Miso Technologies, Inc. (“Miso”) (the “Parties”) are each party to the attached API License Agreement (the “License Agreement”), as amended from time to time, pursuant to which Miso processes certain Customer Personal Data (as defined below) in connection with the provision of the Services (as defined in the License Agreement). The Parties wish to enter into this DPA to address their respective obligations when Processing Customer Personal Data under the DP Law.
- DEFINITIONS
- In this Data Processing Addendum (“DPA”), the following terms shall have the following meanings and shall be construed accordingly:
- “Controller” means the person or entity who determines the purposes and means of the Processing of Personal Information and includes the term “Business” as similarly defined under applicable DP Law.
- “DP Law” means any applicable current and future laws, rules, regulations and guidance governing the privacy, security and protection of Personal Information, including but not limited to Customer Personal Data processed under the Agreement, including but not limited to: (i) the US Data Protection Laws; (ii) the European Data Protection Laws.
- “EEA” means the European Economic Area including all EU member states, plus Iceland, Liechtenstein, and Norway.
- “European Data Protection Laws” means all applicable legislation applicable to data protection and privacy regarding residents of the EU, UK or Switzerland, including but not limited to: (i) the EU General Data Protection Regulation ((EU) 2016/679) (the “EU GDPR”); (ii) Directive 2002/58/EC the Privacy and Electronic Communications Regulations 2003 as amended; (iii) the EU GDPR as applicable as part of UK domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2019 (as amended) (“UK GDPR”); (iv) the Swiss Federal Act on Data Protection of 1 September 2023 and its corresponding ordinances (the “FADP”); and any applicable guidance or codes of practice issued by any applicable Supervisory Authorities from time to time.
- “Customer Personal Data” means any Personal Data Processed by Miso on behalf of Customer pursuant to or in connection with the Order Form and License Agreement.
- “Personal Information” or “Personal Data” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Data Subject or household, or is otherwise regulated by applicable DP Law. Personal Information or Personal Data does not include data that has been de-identified or aggregated such that it can no longer identify a Data Subject.
- “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” means the entity which Processes Personal Data on behalf of Customer and includes the term “Service Provider” as similarly defined under applicable DP Law.
- “Restricted Transfer” means (i) where EU GDPR or the FADP applies, a transfer of Personal Data from the European Economic Area (“EEA”) including Switzerland to a country outside of the EEA, which is not the subject of an adequacy determination by the European Commission; and (ii) where UK GDPR applies, a transfer of Personal Information from the United Kingdom to any country which is not subject to adequacy regulations pursuant to Section 17A of the UK Data Protection Act.
- “Services” has the meaning set forth in the License Agreement.
- “Standard Contractual Clauses” means:
in respect of Personal Data subject to GDPR, the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Implementing Decision (EU) 2021/914, including the text from Module Two of such clauses and not including any clauses marked as optional;
in respect of Swiss Personal Data, the EU Standard Contractual Clauses, provided that any references in the clauses to the GDPR shall refer to the FADP; the term ‘member state’ must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with clause 18(c) of the clauses; and
in respect of UK Personal Data, the International Data Transfer Addendum to the EU Standard Contractual Clauses, issued by the Information Commissioner and laid before Parliament in accordance with s.119A of the Data Protection Act 2018 on 2 February 2022 but as permitted by Clause 17 of such Addendum, the Parties agree to change the format of the information set out in Part 1 of the Addendum so that:
- The details of the parties in Table 1 of the Addendum shall be as set out in Appendix 1 to this DPA (with no requirement for signature);
- For the purposes of Table 2 of the Addendum, the Addendum shall be appended to the EU Standard Contractual Clauses (including the selection of modules and disapplication of optional clauses as noted above) and Clause 13(2)(a) below selects the option and timescales for Clause 9 of the EU Standard Contractual Clauses;
- The appendix information listed in Table 2 of the Addendum is set out in Appendices 2 and 3 to this DPA; and
- For the purposes of Table 3 of the Addendum, the following option is selected regarding which party/ies may end the Addendum as set out in Clause 19 thereof: the Data Controller only.
- “Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data from the EEA to Data Processors established in third countries as set out in the Annex to European Commission Decision 2010/87/EU, (or any subsequent clauses that may amend or supersede such standard contractual clauses);
- “Subprocessor” means any person (including any third party, but excluding an employee of Miso or any employee of its sub-contractors) appointed by or on behalf of Miso to Process Personal Data on behalf of Customer in connection with the License Agreement; and
- “Miso Personnel” means any employee, agent or contractor of Miso.
- “US Data Protection Laws” means the US federal, state and local laws, rules, regulations and guidance related to the privacy, security and protection of Personal Information processed under the Agreement, including but not limited to: (i) the Federal Trade Commission Act, 15 U.S.C. § 45 and its implementing regulations; (ii) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 and its implementing regulations; (iii) any other federal or state consumer privacy laws, consumer health privacy laws, data breach notification laws and data security laws governing the protection of Personal Information.
- The terms “Data Protection Impact Assessments” and “Supervisory Authority” shall have the same meaning as in the DP Law, and similar terms shall be construed accordingly.
- The word “include” shall be construed to mean include without limitation, and similar terms shall be construed accordingly.
- PROCESSING OF PERSONAL DATA
- The Parties acknowledge and agree that for the purposes of DP Law, Customer is the Data Controller and Miso is the Data Processor of any Customer Personal Data Processed by Miso on behalf of Customer in connection with its provision of the Services.
- Miso shall:
- comply with all applicable obligations which may arise under DP Law in connection with its Processing of Customer Personal Data;
- not Process Customer Personal Data other than as contemplated by this DPA, the License Agreement, or pursuant to Customer’s documented instructions;
- Process Customer Personal Data solely for the purposes of providing the Services unless Processing is required by any applicable DP Law to which Miso is subject, in which case Miso shall to the extent permitted by any applicable DP Law inform Customer of that legal requirement before the relevant Processing of that Customer Personal Data; and
- Inform Customer if Miso is no longer able to meet its obligations under the DP Law when Processing Customer Personal Data.
- Miso shall not:
- retain, use, or disclose Customer Personal Data for any purpose other than for the specific business purposes provided in the Agreement;
- process Customer Personal Data for commercial purposes other than as required to perform its obligations under the Agreement;
- combine the Customer Personal Data it receives from or on behalf of Customer with information that it receives from, or on behalf of, another person or persons or that Miso collects from its own interactions with Data Subjects;
- retain, use, or disclose Customer Personal Data outside of Miso’s direct relationship with Customer;
- sell or share Customer Personal Data (as defined in applicable DP Law); or
- re-identify any deidentified Customer Personal Data.
- The subject matter of the Processing of Customer Personal Data by Miso is the performance of the Services pursuant to the Order Form and License Agreement, the Processing initiated by Data Subjects in their use of the Services. Schedule 1 sets out certain information regarding Miso’s Processing of the Customer Personal Data under the License Agreement as required by DP Law. Customer may make reasonable amendments to Schedule 1 by written notice to Miso from time to time as Customer reasonably considers necessary to meet those requirements. Nothing in Schedule 1 (including as amended pursuant to this Clause 2.3) confers any right or imposes any obligation on any Party.
- Miso may de-identify and aggregate Customer Personal Data as described in the License Agreement and its Privacy Policy.
- MISO PERSONNEL
- Miso shall take reasonable steps to ensure the reliability of any Miso Personnel who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer Personal Data, as necessary for the performance of the Services, their regular job duties, or to comply with any applicable DP Law in the context of that individual’s duties to Miso.
- Miso shall ensure that all such individual Miso Personnel referred to in Clause 3.1 are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, have committed themselves to confidentiality, and are subject to confidentiality undertakings or professional or statutory obligations of confidentiality. Miso shall ensure that such confidentiality obligations survive the termination of the Miso Personnel engagement.
- SECURITY
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Miso shall in relation to the Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including at least those set out in Schedule 2 of this DPA and as appropriate, the measures referred to in Article 32(1) of the GDPR.
- In assessing the appropriate level of security, Miso shall take account in particular of the risks that are presented by its Processing, in particular from a Personal Data Breach.
- SUBPROCESSING
- Miso shall give Customer prior written notice of the intended appointment of any Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. Miso shall not appoint (nor disclose any Customer Personal Data to) any Subprocessor except with the prior written consent of Customer (with such Subprocessor becoming an “Approved Subprocessor”).
- With respect to each Approved Subprocessor, Miso shall:
- before the Approved Subprocessor first Processes Customer Personal Data, carry out and document adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Customer Personal Data required by measures referred to in applicable DP Law and those set out in Schedule 2;
- ensure that the arrangement between Miso and the Approved Subprocessor is governed by a written contract including terms which offer at least the same level of protection for Customer Personal Data as those set out in this DPA and meet the requirements of applicable DP Law; and
- if the engagement of the Approved Subprocessor involves a Restricted Transfer of Customer Personal Data, ensure that the transfer complies with all applicable requirements of DP Law.
- DATA SUBJECT RIGHTS
- Taking into account the nature of the Processing, Miso shall at its own cost assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, to enable Customer to comply with its obligations to respond to requests to exercise Data Subject rights under applicable DP Law relating to Customer Personal Data Processed by Miso.
- Miso shall:
- promptly notify Customer if Miso or any Approved Subprocessor receives a request from a Data Subject, if such Data Subject can be attributed to Customer, under any applicable DP Law in respect of Customer Personal Data; and
- ensure that neither Miso nor any Approved Subprocessor shall respond to that request except on the documented instructions of Customer.
- Provide reasonable assistance to Customer in responding to the request in accordance with applicable DP Law and Customer’s instructions.
- PERSONAL DATA BREACH
- Miso shall immediately (and without undue delay) notify Customer upon Miso or any Approved Subprocessor first suspecting or becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with all necessary information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under DP Law.
- Miso shall, at its own cost, co-operate fully with Customer (and/or its advisors as applicable) in respect of the Personal Data Breach and take all reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach, by:
- co-operating with Customer (and/or its advisors as applicable) and any Supervisory Authorities; providing information on the Personal Data Breach; investigating the incident and its cause; and securing and recovering the compromised Customer Personal Data to the extent Miso is able to do so; and
- coordinating with Customer (and/or its advisors as applicable) on the management of public relations and public statements relating to the Personal Data Breach. For the avoidance of doubt, Miso shall not make any public statement in relation to the Personal Data Breach.
- Customer shall have sole control over the timing, content, and method of providing notification to the impacted individuals and Supervisory Authorities of a Personal Data Breach as it relates to impacted Customer Personal Data.
- DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
- At Customer’s request, Miso shall, at its own cost, provide reasonable assistance to Customer with any Data Protection Impact Assessments as required under DP Law and consultations with the Information Commissioner’s Office or any other competent Supervisory Authority, in each case solely in relation to Processing of Customer Personal Data by Miso and/or its Approved Subprocessor(s).
- DELETION OR RETURN OF PERSONAL DATA
- Subject to Clause 9.2, in the event of termination or expiry of the Services, the License Agreement or this DPA for any reason (the “Cessation Date”), Customer may in its absolute discretion by written notice to Miso require Miso to:
- return a complete copy of all Customer Personal Data to Customer by secure file transfer in such format as is reasonably notified by Customer to Miso; and/or
- delete and procure the deletion of all other copies of Customer Personal Data Processed by Miso and any Approved Subprocessor.
- Miso and any Approved Subprocessor may retain Customer Personal Data solely to the extent required by any applicable DP Law and only to the extent and for such period as required by any applicable DP Law and always provided that Miso shall ensure (and procure) the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified by any applicable DP Law requiring its storage and for no other purpose.
- Miso shall upon Customer’s reasonable request provide written certification to Customer’s satisfaction, that it has fully complied with this Clause 9.
- AUDIT RIGHTS
- Upon request from Customer, Miso shall make available to Customer on request, and at its own cost, all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to reasonable audits and access, including inspections, by Customer or an auditor mandated by Customer in relation to the Processing of the Customer Personal Data by Miso or its Approved Subprocessor(s) as required by applicable DP Law.
- Once per calendar year commencing on the date 12 months after the date of this DPA, Miso shall, at its own cost, supply to Customer a report from its own internal audit of its Processing activities in so far as they relate to the Customer Personal Data to enable Customer to verify that Miso is in compliance with its obligations under this DPA. Such report shall include, but shall not be limited to, descriptions of Miso’s security control policies and procedures, including a statement on the operating effectiveness of those policies and procedures and remediation plans for any deficiencies.
- Miso may redact any confidential or commercially sensitive information from such audit reports before providing copies to Customer as described above. Miso shall be responsible for promptly remediating, at its cost, all failures, deficiencies and risks identified in such audit reports.
- RESTRICTED TRANSFERS
- The Parties acknowledge that Customer Personal Data will be Processed in the United States under the License Agreement. To the extent any Customer Personal Data from the EEA, the United Kingdom, or Switzerland (as applicable) is transferred to Miso in the United States for Processing under the License Agreement and Order Form, such Restricted Transfer shall be executed in compliance with Module 2 of the Standard Contractual Clauses.
- Miso undertakes not to further transfer any Customer Personal Data to a country outside of the United States without:
- Customer’s prior written consent; and
- complying with and executing with Customer the Standard Contractual Clauses or the Parties executing another transfer mechanism as required by applicable DP Law.
- The Parties agree that all terms and provisions of the Standard Contractual Clauses shall be incorporated by reference to this DPA with the same force and effect as though fully set forth in this DPA, save that Appendix 1 of the Standard Contractual Clauses shall be replaced by Schedule 1 of this DPA and Appendix 2 of the Standard Contractual Clauses shall be replaced by Schedule 2 of this DPA.
In addition, the Parties agree that the following optional clauses are incorporated into the EU Standard Contractual Clauses:
- Clause 9 option (2): specific prior authorization for Sub-processors and the Parties agree that the timeframe for requesting the specific authorization shall be 30 days;
- Clause 17 (Governing law): the clauses shall be governed by the laws of Ireland;
- Clause 18 (Choice of forum and jurisdiction): the courts of Ireland shall have jurisdiction.
- In respect of transfers of Customer Personal Data from the United Kingdom, the Parties agree to comply with the obligations set out in the EU Standard Contractual Clauses as amended by the UK Addendum, which is incorporated by reference, as though they were set out in full in this Agreement, with Customer as the “exporter” and Miso as the “importer”.
- Miso hereby agrees to comply with the data importer obligations set out in the Standard Contractual Clauses in respect of the transfer of Customer Personal Data outside of the EEA, United Kingdom, or Switzerland in connection with Miso’s obligations under the License Agreement.
- To the extent that the Standard Contractual Clauses are updated, replaced, amended or re-issued by the European Commission (with the updated Standard Contractual Clauses being the “New Contractual Clauses”) during the term of the License Agreement:
- the New Contractual Clauses shall be deemed to replace the Standard Contractual Clauses and the Parties undertake to be bound by the terms of the New Contractual Clauses effective as of the date of the update; and
- the Parties shall execute a form of the New Contractual Clauses.
- INDEMNITY
- Miso shall indemnify and hold harmless Customer against any actual, direct, and non-contingent damages, loss, liability, costs and expenses incurred by Customer arising directly or indirectly out of or in connection with any breach by Miso of this DPA by, or any act or omission of, Miso, any Approved Subprocessor or Miso Personnel. Miso shall not be required to indemnify Customer to the extent that any loss is caused by the negligence of Customer.
- Notwithstanding any other provision of this Clause 12, for the purposes of this DPA, losses for which Miso assumes responsibility and which shall be recoverable by Customer shall include, but not be limited to, the following:
- costs and expenses of reconstituting or reloading lost or corrupted data damaged due to the negligent or more culpable acts or omissions of Miso;
- losses, costs and expenses arising out of or in connection with any claim, demand, fine, penalty, action, investigation or proceeding by any third party (including any Supervisory Authority, any other regulator or any Data Subject) against Customer to the extent arising out of the negligent or more culpable acts or omissions of Miso; and
- direct and immediate costs and expenses related to mitigating a Personal Data Breach (including but not limited to credit and fraud monitoring and Data Subject notification expenses) to the extent such Personal Data Breach is a direct result of the Processing of Customer Personal Data pursuant to the License Agreement and Order Form and it arises from a negligent or more culpable act or omission by Miso.
- MISO SHALL IN NO EVENT, UNDER THIS SECTION 12 OR OTHERWISE, BE LIABLE TO CUSTOMER FOR LOST REVENUE, PROFITS, OR BUSINESS OR FOR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, EVEN IF MISO KNEW OR SHOULD HAVE KNOWN THAT SUCH DAMAGES WERE POSSIBLE AND EVEN IF DIRECT DAMAGES DO NOT FULLY SATISFY ANY LOSSES BY CUSTOMER.
- Without limiting or diminishing Miso’s obligation to indemnify or hold Customer harmless, Miso shall procure and maintain or cause to be maintained commercially reasonable cyber and general liability insurance coverages during the term of this DPA and shall supply Customer with proof of such insurance upon reasonable request by Customer no more often than once per year.
- RESPONSE TO COMPLAINTS AND REQUESTS FROM SUPERVISORY AUTHORITIES
- In the event that Miso receives any official complaint, notice, or communication that relates to Processing of Customer Personal Data, (including from a Data Subject or Supervisory Authority) in connection with the Order Form or License Agreement, to the extent legally permitted, Miso shall promptly notify Customer. Miso shall provide Customer with reasonable cooperation and assistance in relation to any such complaint, notice, or communication.
- Miso shall inform Customer without undue delay of requests, audits, subpoenas, or other inquiries from a Supervisory Authority in relation to the Customer Personal Data or Processing of the Customer Personal Data as permitted under applicable law.
- Miso and Miso Personnel shall provide Customer with reasonable cooperation in responding or cooperating with any audit, review, investigation, or other activity undertaken by a Supervisory Authority pertaining to the Processing of Customer Personal Data under this DPA.
- GENERAL TERMS
- Order of Priority
- Nothing in this DPA shall be intended to reduce, restrict or limit Miso’s obligations under the License Agreement in relation to the protection of Personal Data.
- In the event of conflict or inconsistency between the provisions of this DPA and the License Agreement, this DPA shall prevail.
- No provision of the License Agreement shall have the effect of excluding, restricting or limiting Miso’s obligations or Customer’s rights under this DPA.
- For the avoidance of doubt, each Party shall bear its own costs incurred in connection with the preparation, negotiation, execution and performance of this DPA.
- Changes in DP Law, etc.
- In the event of any change in, or decision of a competent authority under, the applicable DP Law, the Parties shall mutually agree in good faith on any amendments or changes to this DPA, and the Parties shall reasonably agree in good faith on a timeline for ensuring that such amendments or changes become applicable to Approved Subprocessors.
- Severance
- Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either:
- amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible;
- construed in a manner as if the invalid or unenforceable part had never been contained therein.
- Termination
- This DPA shall automatically terminate if the License Agreement is terminated or expires.
- Customer may terminate the License Agreement with immediate effect by giving written notice to Miso if Miso commits a breach of any term of this DPA.
- Governing Law and Jurisdiction
- This DPA and all non-contractual or other obligations arising out of or in connection with it shall be governed by and construed as set out in the License Agreement.
Schedule 1
Details of Processing
For the purposes of the EU GDPR, UK GDPR, and the FADP.
PARTIES OF THE TRANSFER
For the purpose of SCC Module 2, the Customer is the data exporter, and Miso is the data importer. The Parties’ addresses and contact information as listed in the Order Form shall be the Parties’ contact information for the purposes of the Standard Contractual Clauses. The Parties’ signature to and date of the Order Form shall be deemed to be their signature to and date of the Standard Contractual Clauses.
DATA SUBJECTS
The Customer Personal Data transferred concern the following categories of Data Subjects: Users of the customer’s website and other services.
CATEGORIES OF PERSONAL DATA
The Customer Personal Data transferred may concern the following types/categories of Personal Data:
- Name
- Location
- Personal Preferences
- Browsing Activities
The Customer Personal Data described above may include but will not be limited to:
- General browsing and usage behavior of individual site users.
Special Categories of the Personal Data Transferred: None.
FREQUENCY OF THE TRANSFER
At the time during the Service or as required to provide the Service.
PURPOSE OF THE TRANSFER AND FURTHER PROCESSING
The Personal Data to be transferred may be Processed by Miso for the following purposes:
- Implementation and use of the Services;
- Implementation services related to configuration of the Customer’s version of the Services; and
- Technical support and customer service.
NATURE / PURPOSE OF PROCESSING
The Customer Personal Data transferred is to be Processed by Miso as necessary to perform the Services pursuant to the Order Form and License Agreement and as further instructed by Customer in its use of the Services.
DURATION OF THE PROCESSING
For the term of the Order Form and License Agreement.
RETENTION PERIOD OF THE PERSONAL DATA TRANSFERRED
For the term of the Order Form and License Agreement unless Customer requests the Personal Data be deleted prior to the termination date.
LOCATION OF PROCESSING
Amazon Web Services – Oregon
Amazon Web Services – Virginia (not currently in use for Customer Personal Data, but could be used in the event of an outage or other issue in Oregon).
FADP AND EU STANDARD CONTRACTUAL CLAUSES ONLY: COMPETENT SUPERVISORY AUTHORITY
For EU Personal Data: the Supervisory Authority of Ireland; For Swiss Personal Data: the Swiss Federal Data Protection and Information Commissioner.
Renewed as of April 10, 2025