EXHIBIT DPA
DATA PROCESSING ADDENDUM
The customer set out on the Order Form (“Customer”) and Miso Technologies, Inc. (“Miso”) (the “Parties”) are each party to the attached Enterprise API License Agreement (the “License Agreement”), as amended from time to time, pursuant to which Miso Processes (as defined below) certain Customer Personal Data (as defined below) in connection with the provision of the Services (as defined in the License Agreement).
- DEFINITIONS
- In this Data Processing Addendum (“DPA”), the following terms shall have the following meanings and shall be construed accordingly:
- "DP Law" means the Data Protection Act 2018, the GDPR, the E-Privacy Directive (2002/58/EC), and all other applicable laws and regulations relating to the Processing of Personal Data, including any legislation that implements or supplements, replaces, repeals, and/or supersedes any of the foregoing;
- "EEA" means the European Economic Area;
- "GDPR" means the EU General Data Protection Regulation 2016/679;
- "Customer Personal Data" means any Personal Data Processed by Miso on behalf of Customer pursuant to or in connection with the License Agreement;
- "Standard Contractual Clauses" means the standard contractual clauses for the transfer of Personal Data from the EEA to Data Processors established in third countries as set out in the Annex to European Commission Decision 2010/87/EU, (or any subsequent clauses that may amend or supersede such standard contractual clauses);
- "Subprocessor" means any person (including any third party, but excluding an employee of Miso or any employee of its sub-contractors) appointed by or on behalf of Miso to Process Personal Data on behalf of Customer in connection with the License Agreement; and
- "Miso Personnel" means any employee, agent or contractor of Miso.
- The terms "Data Controller", "Data Processor", "Data Protection Impact Assessments", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
- The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
- PROCESSING OF PERSONAL DATA
- The Parties acknowledge and agree that for the purposes of DP Law, Customer is the Data Controller and Miso is the Data Processor of any Customer Personal Data Processed by Miso on behalf of Customer in connection with its provision of the Services.
- Miso warrants and undertakes that it shall:
- comply with all applicable obligations which may arise under DP Law in connection with its Processing of Customer Personal Data;
- not Process Customer Personal Data other than as contemplated by this DPA, or pursuant to Customer’s documented instructions;
- Process Customer Personal Data solely for the purposes of providing the Services unless Processing is required by any applicable DP Law to which Miso is subject, in which case Miso shall to the extent permitted by any applicable DP Law inform Customer of that legal requirement before the relevant Processing of that Personal Data; and
- Schedule 1 sets out certain information regarding Miso’s Processing of the Customer Personal Data under the License Agreement as required by Article 28(3) of the GDPR. Customer may make reasonable amendments to Schedule 1 by written notice to Miso from time to time as Customer reasonably considers necessary to meet those requirements. Nothing in Schedule 1 (including as amended pursuant to this Clause 2.3) confers any right or imposes any obligation on any Party.
- SUPPLIER PERSONNEL
- Miso shall take reasonable steps to ensure the reliability of any Miso Personnel who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer Personal Data, as strictly necessary for the performance of the Services, and to comply with any applicable DP Law in the context of that individual's duties to Miso.
- Miso shall ensure that all such individual Miso Personnel referred to in Clause 3.1 are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and are subject to confidentiality undertakings or professional or statutory obligations of confidentiality. Miso shall ensure that such confidentiality obligations survive the termination of the Miso Personnel engagement.
- SECURITY
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Miso shall in relation to the Customer Personal Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including at least those set out in Schedule 2 of this DPA and as appropriate, the measures referred to in Article 32(1) of the GDPR.
- In assessing the appropriate level of security, Miso shall take account in particular of the risks that are presented by its Processing, in particular from a Personal Data Breach.
- SUBPROCESSING
- Miso shall give Customer prior written notice of the intended appointment of any Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. Miso shall not appoint (nor disclose any Customer Personal Data to) any Subprocessor except with the prior written consent of Customer (with such Subprocessor becoming an “Approved Subprocessor”).
- With respect to each Approved Subprocessor, Miso shall:
- before the Approved Subprocessor first Processes Customer Personal Data, carry out and document adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Customer Personal Data required by measures referred to in Article 32(1) of the GDPR and those set out in Schedule 2;
- ensure that the arrangement between Miso and the Approved Subprocessor is governed by a written contract including terms which offer at least the same level of protection for Customer Personal Data as those set out in this DPA and meet the requirements of Article 28(3) of the GDPR; and
- if the engagement of the Approved Subprocessor involves a transfer of Customer Personal Data outside the EEA, ensure that the transfer complies with all applicable requirements of DP Law.
- Miso shall procure that each Approved Subprocessor performs the obligations under Clauses 2, 3, 4, 6, 7, 8, 9 and 10 as they apply to Processing of Customer Personal Data carried out by that Subprocessor as if it were party to this DPA in place of Miso.
- DATA SUBJECT RIGHTS
- Taking into account the nature of the Processing, Miso shall at its own cost assist Customer by implementing appropriate technical and organisational measures, insofar as this is possible, to enable Customer to comply with its obligations to respond to requests to exercise Data Subject rights under applicable DP Law relating to Customer Personal Data Processed by Miso.
- Miso shall:
- promptly notify Customer if Miso or any Approved Subprocessor receives a request from a Data Subject under any applicable DP Law in respect of Customer Personal Data; and
- ensure that neither Miso nor any Approved Subprocessor shall respond to that request except on the documented instructions of Customer or as required by any applicable DP Law to which it is subject, in which case Miso shall to the extent permitted by any applicable DP Law inform Customer of that legal requirement before it responds to the request.
- PERSONAL DATA BREACH
- Miso shall immediately (and without undue delay) notify Customer upon Miso or any Approved Subprocessor first suspecting or becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with all necessary information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under DP Law.
- Miso shall, at its own cost, co-operate fully with Customer (and/or its advisors as applicable) in respect of the Personal Data Breach and take all reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach, including without limitation:
- co-operating with Customer (and/or its advisors as applicable) and any Supervisory Authorities; providing information on the Personal Data Breach; investigating the incident and its cause; and securing and recovering the compromised Customer Personal Data; and
- co-ordinating with Customer (and/or its advisors as applicable) on the management of public relations and public statements relating to the Personal Data Breach. For the avoidance of doubt, Miso shall not make any public statement in relation to the Personal Data Breach.
- DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
- Miso shall, at its own cost, provide reasonable assistance to Customer with any Data Protection Impact Assessments and consultations with the Information Commissioner’s Office or any other competent Supervisory Authority, in each case solely in relation to Processing of Customer Personal Data by Miso and/or its Approved Subprocessor(s).
- DELETION OR RETURN OF PERSONAL DATA
- Subject to Clause 9.2, in the event of termination or expiry of the Services, the License Agreement or this DPA for any reason (the “Cessation Date”), Customer may in its absolute discretion by written notice to Miso require Miso to:
- return a complete copy of all Customer Personal Data to Customer by secure file transfer in such format as is reasonably notified by Customer to Miso; and/or
- delete and procure the deletion of all other copies of Customer Personal Data Processed by Miso and any Approved Subprocessor.
- Miso shall comply with any such written request within 14 days of the Cessation Date.
- Miso and any Approved Subprocessor may retain Customer Personal Data solely to the extent required by any applicable DP Law and only to the extent and for such period as required by any applicable DP Law and always provided that Miso shall ensure (and procure) the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified by any applicable DP Law requiring its storage and for no other purpose.
- Miso shall upon Customer’s reasonable request provide written certification to Customer’s satisfaction, that it has fully complied with this Clause 9.
- AUDIT RIGHTS
- Miso shall make available to Customer on request, and at its own cost, all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to reasonable audits and access, including inspections, by Customer or an auditor mandated by Customer in relation to the Processing of the Customer Personal Data by Miso or its Approved Subprocessor(s) as required by Article 28(3)(h) of the GDPR.
- Once per calendar year commencing on the date 12 months after the date of this DPA, Miso shall, at its own cost, supply to Customer a report from its own internal audit of its Processing activities in so far as they relate to the Customer Personal Data to enable Customer to verify that Miso is in compliance with its obligations under this DPA. Such report shall include, but shall not be limited to, descriptions of Miso’s security control policies and procedures, including a statement on the operating effectiveness of those policies and procedures and remediation plans for any deficiencies.
- Miso may redact any confidential or commercially sensitive information from such audit reports before providing copies to Customer as described above. Miso shall be responsible for promptly remediating, at its cost, all failures, deficiencies and risks identified in such audit reports.
- INTERNATIONAL DATA TRANSFERS
- The Parties acknowledge that Customer Personal Data will be processed in the United States pursuant to the License Agreement. To the extent any Customer Personal Data is transferred to Miso for processing from the EEA, such transfer shall be in compliance with the Standard Contractual Clauses.
- Miso undertakes not to transfer any Customer Personal Data outside of the United States without:
- Customer’s prior written consent; and
- complying with and executing with Customer the Standard Contractual Clauses (as may be amended, updated, replaced or reissued from time to time) in respect of the transfer of Customer Personal Data outside of the EEA.
- The Parties agree that all terms and provisions of the Standard Contractual Clauses shall be incorporated by reference to this DPA with the same force and effect as though fully set forth in this DPA, save that Appendix 1 of the Standard Contractual Clauses shall be replaced by Schedule 1 of this DPA and Appendix 2 of the Standard Contractual Clauses shall be replaced by Schedule 2 of this DPA.
- Miso hereby agrees to comply with the data importer obligations set out in the Standard Contractual Clauses in respect of the transfer of Customer Personal Data outside of the EEA in connection with Miso’s obligations under the License Agreement.
- To the extent that the Standard Contractual Clauses are updated, replaced, amended or re-issued by the European Commission (with the updated Standard Contractual Clauses being the “New Contractual Clauses”) during the term of the License Agreement:
- the New Contractual Clauses shall be deemed to replace the Standard Contractual Clauses and the Parties undertake to be bound by the terms of the New Contractual Clauses effective as of the date of the update; and
- Miso shall, at Customer’s request, execute a form of the New Contractual Clauses.
- INDEMNITY
- Miso shall indemnify and hold harmless Customer against any actual, direct, and non-contingent damages, loss, liability, costs and expenses incurred by Customer arising directly or indirectly out of or in connection with any breach of this DPA by, or any act or omission of, Miso, any Approved Subprocessor or Miso Personnel. Miso shall not be required to indemnify Customer to the extent that any loss is caused by the negligence of Customer.
- Notwithstanding any other provision of this Clause 12, for the purposes of this DPA, losses for which Miso assumes responsibility and which shall be recoverable by Customer shall include, but not be limited to, the following:
- costs and expenses of reconstituting or reloading lost or corrupted data damaged due to the negligent or more culpable acts or omissions of Miso;
- losses, costs and expenses arising out of or in connection with any claim, demand, fine, penalty, action, investigation or proceeding by any third party (including any Supervisory Authority, any other regulator or any Data Subject) against Customer to the extent arising out of the negligent or more culpable acts or omissions of Miso; and
- direct and immediate costs and expenses related to mitigating a Personal Data Breach (including but not limited to credit and fraud monitoring and Data Subject notification expenses) to the extent such Personal Data Breach is a direct result of the Processing of Customer Personal Data and it arises from a negligent or more culpable act or omission by Miso.
- MISO SHALL IN NO EVENT, UNDER THIS SECTION 12 OR OTHERWISE, BE LIABLE TO CUSTOMER FOR LOST REVENUE, PROFITS, OR BUSINESS OR FOR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, EVEN IF MISO KNEW OR SHOULD HAVE KNOWN THAT SUCH DAMAGES WERE POSSIBLE AND EVEN IF DIRECT DAMAGES DO NOT FULLY SATISFY ANY LOSSES BY CUSTOMER.
- Without limiting or diminishing Miso’s obligation to indemnify or hold Customer harmless, Miso shall procure and maintain or cause to be maintained commercially reasonable cyber and general liability insurance coverages during the term of this DPA and shall supply Customer with proof of such insurance upon reasonable request by Customer no more often than once per year.
- GENERAL TERMS
- Order of priority
  - Nothing in this DPA shall be intended to reduce, restrict or limit Miso's obligations under the License Agreement in relation to the protection of Personal Data.
  - In the event of conflict or inconsistency between the provisions of this DPA and the License Agreement, this DPA shall prevail.
  - No provision of the License Agreement shall have the effect of excluding, restricting or limiting Miso's obligations or Customer's rights under this DPA.
  - For the avoidance of doubt, each Party shall bear its own costs incurred in connection with the preparation, negotiation, execution and performance of this DPA.
- Changes in DP Law, etc.
  - In the event of any change in, or decision of a competent authority under, the applicable DP Law, the Parties shall mutually agree in good faith on any amendments or changes to this DPA, and the Parties shall reasonably agree in good faith on a timeline for ensuring that such amendments or changes become applicable to Approved Subprocessors.
- Severance
  - Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either:
    - amended as necessary to ensure its validity and enforceability, while preserving the Parties' intentions as closely as possible; or, if this is not possible,
    - construed in a manner as if the invalid or unenforceable part had never been contained therein.
- Termination
  - This DPA shall automatically terminate if the License Agreement is terminated or expires.
  - Customer may terminate the License Agreement with immediate effect by giving written notice to Miso if Miso commits a breach of any term of this DPA.
- Governing law and jurisdiction
  - This DPA and all non-contractual or other obligations arising out of or in connection with it shall be governed by and construed as set out in the License Agreement.
SCHEDULE 2a
Technical & Organizational Security Measures
Miso shall implement the following technical and organizational security measures:
1. PHYSICAL SECURITY AND ACCESS CONTROLS
Access to Miso business facilities is restricted to authorized personnel only. All business information is protected against access from unauthorized third parties and from personnel without the appropriate security clearance. Miso personnel are required to use personal badges with photo identification so that access to a controlled area is only granted upon identity and authorization verification.
If Miso relies on third party data center partners to host its product infrastructure, these third parties are contractually required to uphold strict physical and environmental security standards, which are or may be audited for SOC 2 Type II and ISO 27001 compliance.
2. LOGICAL ACCESS CONTROLS
User permissions for Miso personnel are granted on a need to know basis, according to principles of segregation of duties and least privilege. Unauthorized access, disclosure, duplication, accidental or unauthorized modification, destruction and misuse or theft of information are strictly prohibited.
3. ACCOUNT MANAGEMENT AND DATA ACCESS CONTROLS
Account managers are designated for accounts to access Miso’s information systems and resources, in accordance with Miso’s access control policies and standards. Users with administrative privileges are subject to additional scrutiny to prevent abuses and violations of Miso’s internal controls and policies.
4. PASSWORD AND AUTHENTICATION CONTROLS
Strong password standards, including multi-factor authentication, are implemented across the Miso organization. Passwords are periodically rotated and must be kept strictly confidential by all Miso personnel.
5. DATA TRANSFER CONTROLS
Standard security protocols and mechanisms (such as the Transport Layer Security (TLS) protocol) are implemented, following industry-standard algorithms and certificates, for data in transit.
6. NETWORK SECURITY CONTROLS
Controls such as IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) are put in place to identify incoming attacks and preemptively block malicious requests over Miso’s network.
7. DATA AVAILABILITY CONTROLS
Backup and recovery policies are implemented to ensure availability of Miso information and resources. The Miso platform can support millions of users and its uptime rate is best in class at 99%. There is continuous monitoring of the availability of Miso's network and related systems/equipment. Data center and infrastructure partners used by Miso offer industry-standard uptime and availability.
8. DATA SEPARATION / SEGREGATION CONTROLS
Within any multi-tenant application, Miso keeps data logically separated to ensure that tenant-specific data is appropriately isolated for each tenant.
Renewed as of August 18, 2023