Updated June 01, 2022

This Data Protection Agreement (the “DPA”) is incorporated into and made part of the Master Subscription Agreement (the “Agreement”) between Masthead Data, Ltd. (“Masthead Data”) and the customer identified in the Agreement (“Customer”), and pertains to Masthead Data’s protection of Customer-provided personal data when Customer uses the Services. Capitalized terms have the meanings provided in the Agreement (defined below) except as provided here.

1. Definitions.

In this DPA, the following terms shall have the following meanings:

1.1. “Controller,” “Processor,” “Data Subject,” “Personal Data,” “Processing” (and “Process”), and “Special Categories of Personal Data” shall have the meanings given in Applicable Data Protection Law.

1.2. “Applicable Data Protection Law” means the GDPR, the UK Data Protection Laws, US Data Protection Laws, and all other data protection and privacy laws and regulations of the United States, the United Kingdom, and the EEA applicable to the processing of personal data under the Agreement.

1.3. “EEA” means the European Economic Area, which includes the member states of the European Union, Iceland, Liechtenstein, Norway, and Switzerland.

1.4. “GDPR” refers to the General Data Protection Regulation (2016/679) of the European Parliament and Council of 27 April 2016, concerning the protection of individuals regarding the processing of personal data and the free movement of such data, repealing Directive 95/46/EC.

1.5. “Standard Contractual Clauses” means the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries under the GDPR, as approved by European Commission Implementing Decision 2021/914. Appendix 1 of this DPA contains interpretive and supplementary provisions regarding the application of these clauses. Required information under Annexes 1 and 2 of the Standard Contractual Clauses is provided in Annexes 1 and 2 of this DPA.

1.6. “UK Data Protection Laws” refers to Regulation (EU) 2016/679 as adopted into UK law through section 3 of the European Union (Withdrawal) Act of 2018, and the Data Protection Act 2018.

1.7. “US Data Protection Laws” refers to the California Consumer Privacy Act (as amended by the California Privacy Rights Act) and related regulations, as well as other US state and federal data protection laws, including but not limited to the Colorado Privacy Act, Connecticut Personal Data Privacy and Online Monitoring Act, Indiana Consumer Data Protection Act, and others as outlined in this DPA.

2. Data Protection.

2.1. Relationship of the Parties
Customer (the Controller) appoints Masthead Data as a Processor to process the personal data described in the Agreement (“Data”) solely for the limited purpose of providing data integrity management services specified in the relevant Order Form or as otherwise agreed in writing (the “Permitted Purpose”). Each party shall comply with its respective obligations under Applicable Data Protection Law. Masthead Data shall promptly inform Customer if it:
(a) becomes aware that the Permitted Purpose infringes Applicable Data Protection Law, or
(b) determines it can no longer meet its obligations under this DPA or Applicable Data Protection Law.

2.2. Processing in Accordance with US Data Protection Law

Masthead Data agrees that, for personal data subject to US Data Protection Laws, it will not:
(a) “sell” personal data as defined under applicable law;
(b) collect, share, retain, use, or disclose personal data except as necessary to perform services for the Customer; or
(c) use personal data outside the direct business relationship between the parties.

Customer has the right to take reasonable steps to ensure that Masthead Data uses personal data in accordance with Applicable Data Protection Law.

2.3. International Transfers

Masthead Data shall not transfer the Data outside of the EEA unless it ensures compliance with Applicable Data Protection Law.

2.4. Confidentiality of Processing

Masthead Data will ensure that any authorized personnel processing the Data (“Authorized Persons”) comply with confidentiality obligations consistent with those in the Agreement.

2.5. Security

Masthead Data will implement technical and organizational measures as described in the Annex to protect the Data from:
(a) accidental or unlawful destruction, and
(b) loss, alteration, unauthorized disclosure, or access (collectively, “Security Incidents”).

2.6. Subprocessors

Customer consents to Masthead Data’s use of subprocessors listed in Exhibit A, provided Masthead Data:
(a) informs Customer of changes regarding subprocessors, allowing Customer to object;
(b) ensures subprocessors adhere to Applicable Data Protection Law; and
(c) remains liable for breaches caused by subprocessors.

2.7. Cooperation and Data Subject Rights

Masthead Data shall assist Customer in responding to requests from Data Subjects and regulators. If a request is received directly by Masthead Data, it will notify the Customer.

2.8. Data Protection Impact Assessment

Masthead Data will cooperate with Customer in conducting data protection impact assessments, where required.

2.9. Security Incidents

In the event of a Security Incident, Masthead Data will notify Customer promptly and assist with mitigation efforts.

2.10. Deletion or Return of Data

Upon termination of the Agreement, Masthead Data will destroy or return Data to Customer unless legal obligations require its retention.

2.11. Audit

Masthead Data agrees to provide audit summaries or allow on-site audits, subject to reasonable conditions and reimbursement of costs.

3. Miscellaneous.

3.1. Construction; Interpretation. This DPA is not a standalone agreement and is only effective if the Agreement is in effect between Customer and Masthead Data. This DPA is part of the Agreement and is governed by its terms and conditions, including the limitations of liability therein. This DPA and the Agreement are the complete and exclusive statement of the mutual understanding of the parties and supersede and cancel all previous written and oral agreements and communications relating to the subject matter hereof. Headings contained in this DPA are for convenience of reference only and do not form part of this DPA.

3.2. Severability.  If any provision of this DPA is adjudicated invalid or unenforceable, this DPA will be amended to the minimum extent necessary to achieve, to the maximum extent possible, the same legal and commercial effect originally intended by the parties. To the extent permitted by applicable law, the parties waive any provision of law that would render any clause of this DPA prohibited or unenforceable in any respect.

3.3. Amendment; Enforcement of Rights. No modification of or amendment to this DPA, nor any waiver of any rights under this DPA, will be effective unless in writing signed by the parties to this DPA. The failure by either party to enforce any rights under this DPA will not be construed as a waiver of any rights of such party.

3.4. Assignment. This DPA may be assigned only in connection with a valid assignment pursuant to the Agreement. If the Agreement is assigned by a party in accordance with its terms, this DPA will be automatically assigned by the same party to the same assignee.

3.5. Governing Law. This DPA will be governed by and construed in accordance with the laws of the jurisdiction governing the Agreement unless otherwise required by Applicable Data Protection Law, in which case this DPA will be governed by the laws of the Republic of Ireland.

3.6. Counterparts. This DPA may be executed and delivered by facsimile or electronic signature and in two or more counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.

Exhibit A: Subprocessors

Google Cloud Platform: Services include hosting, data storage, and caching.

1. Incorporation of Standard Contractual Clauses

The parties agree that the Standard Contractual Clauses are hereby incorporated by reference into this DPA as follows:

1.1. Where Masthead Data processes personal data as a processor pursuant to the terms of the Agreement, Masthead Data and its relevant subprocessor affiliates are located in non-adequacy approved third countries, and Customer and its relevant affiliates are established in the EEA, Module 2: Transfer controller to processor, Clauses 1 to 6 and 8 to 18 apply.

1.2. Where Masthead Data processes personal data as a processor pursuant to the terms of the Agreement, Masthead Data and its relevant subprocessor affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA, Module 3: Transfer processor to processor, Clauses 1 to 6 and 8 to 18 apply.

2. Standard Contractual Clause Option Provisions

Where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following shall apply in the following manner:

2.1. Clause 7 (Docking Clause) is omitted;

2.2. In Clause 9(a) (Use of sub-processors) – Option 2 shall apply and the parties shall follow the process and timings agreed in the DPA to appoint sub-processors;

2.3. In Clause 11(a) (Redress) – the Optional provision shall NOT apply; and

2.4. In Clause 16(b) (Suspension of transfers) if Masthead Data is the data exporter it will suspend transfers of personal data only as required by law and will notify Customer as promptly as possible (before suspension if possible) so that Customer may remedy the condition requiring suspension.

3. EU Optional Provisions

3.1. In Clause 17 (Governing Law) – the laws of the Republic of Ireland shall govern; and 

3.2. In Clause 18 (Choice of forum and jurisdiction) – the courts of the Republic of Ireland shall have jurisdiction.

4. Swiss Law Provisions

4.1. With respect to Personal Data transferred from Switzerland for which Swiss law governs: (a) references to the EU, member states and GDPR in the Standard Contractual Clauses are amended mutatis mutandis to refer to Switzerland, the Swiss Federal Data Protection Act (as it may be updated or replaced from time to time), and the Swiss Federal Data Protection and Information Commissioner; and (b) In Clause 17 (Governing Law) the laws of Switzerland shall govern, and in Clause 18 (Choice of forum and jurisdiction) the courts of Switzerland shall have jurisdiction.

5. United Kingdom Law Provisions

5.1. Personal data transfers from the United Kingdom will be governed by the SCCs as conformed to UK law pursuant to the International Data Transfer Addendum (the “IDTA”) issued by the UK Information Commissioner’s Office (the “ICO”) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022.

5.2. In Part 1 of the IDTA, the information required by Tables 1 – 3 is provided in the Agreement, the DPA and these SCCs.

5.3. The IDTA’s Mandatory Clauses are incorporated by reference into this DPA in accordance with IDTA Alternative Part 2.

5.4. References to the EU, member states and GDPR in the SCCs are amended mutatis mutandis to refer to the United Kingdom and UK GDPR. 

5.5. In Clause 17 of the SCCs (Governing Law), the laws of England and Wales shall govern, and in Clause 18 (Choice of forum and jurisdiction), the courts in London, England shall have jurisdiction. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts in the UK.

6. Supplementary Measures. The following additional safeguards will be added as a new supplementary annex of the EU SCCs:

6.1. Masthead Data represents that, to the best of its knowledge, as of the Effective Date, it has not received any access requests under Section 702 of the U.S. Foreign Intelligence Surveillance; and 

6.2. Masthead Data will use reasonable measures to encrypt personal data transferred to it pursuant to EU SCCs during transmission.

Annex 1: Identification of Parties

The full name, address and contact details for the Data Exporter and Data Importer (as defined below) are set out in the Agreement; and

a.  In the case of Module 2, Customer and its relevant affiliates which are established in the EEA are the data exporter and controller, and Masthead Data and its relevant subprocessor affiliates located in non-adequacy approved third countries are the data importer and processor; 

b. In the case of Module 3, Customer and its relevant affiliates established in the EEA are the data exporter and processor, and Masthead Data and its relevant subprocessor affiliates located in non-adequacy approved third countries are the data importer and processor.

Description of Data Processing

The data processing activities carried out by Masthead Data under the Agreement may be described as follows:

Subject Matter and Purpose

The personal data transferred will be subject to the following basic processing activities:

Masthead Data will process Customer personal data in order to perform the Services described in the Agreement. The frequency and retention periods for which personal data may be stored will vary depending on Customer’s use of Masthead Data’s Service. 

Masthead Data may process personal data of Customer’s employees and consultants who use Masthead Data’s Service in order to improve its own service and user experience by analyzing the usage of its products and providing personalized educational and information materials. 

Masthead Data may have access and process personal data of individuals whose personal data is stored in Customer’s data sources as a core functionality of the Masthead Data product. For example, Masthead Data may include a personal work email in the incident list to alert on detected anomalies.

Data subjects

The personal data transferred concern the following categories of data subjects:

Customer’s employees and consultants who use Masthead Data’s Service.

Individuals whose personal data is stored in Customer’s logs and processed by Masthead Data.

Categories of personal data

The personal data transferred concern the following categories of data:

Masthead Data may have access to personal data of Customer’s employees and consultants who use Masthead Data’s Service.

Masthead Data may have access to personal data of individuals whose personal data is stored in Customer’s data sources. 

The types of personal data processed are determined by Customer and may include without limitation: Name, Email address, Physical address, IP-address and other online identifiers, Date of birth, Telephone/mobile number, Location Data.

Special categories of data

The personal data transferred concern the following special categories of data:

As above

Annex 2: Security Measures

Masthead Data will:

1. take all reasonable measures to prevent unauthorized access to the Data through the use of appropriate physical and logical (passwords) entry controls, securing areas for data processing, and implementing procedures for monitoring the use of data processing facilities;

2. use built-in system and audit trails; 

3. use secure passwords, network intrusion detection technology, encryption and authentication technology, secure login procedures, and virus protection; 

4. account for all risks presented by processing, for example, from an accidental or unlawful destruction, loss, or alteration, unauthorized or unlawful storage, processing, access, or disclosure of the Data; 

5. ensure pseudonymization and/or encryption of the Data where appropriate; 

6. maintain the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and Services; 

7. maintain the ability to restore the availability and access to the Data in a timely manner in the event of a physical or technical incident; 

8. implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of the Data; 

9. monitor compliance on an ongoing basis; 

10. implement measures to identify vulnerabilities concerning the processing of the Data in systems used to provide Services to Customer; 

11. provide employee and contractor training to ensure ongoing capabilities to carry out the security measures established in policy.