Data Protection Addendum

Last Updated: DRAFT September 27, 2021

The following Data Protection Addendum will be effective as of September 27, 2021.

This Data Protection Addendum (“Addendum”) supplements the agreement between Customer and MST into which it is incorporated by reference (“Agreement”).

I. Introduction

1. Definitions.

Any capitalized term used but not defined in this Addendum has the meaning provided to it in the Agreement.

• “Applicable Data Protection Law” refers to all laws and regulations applicable to MST’s processing of personal data under the Agreement.

• “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

• “Customer Account Data” means personal data that relates to Customer’s relationship with MST, including the names or contact information of individuals authorized by Customer to access Customer’s account and billing information of individuals that Customer has associated with its account. Customer Account Data also includes any data MST may need to collect for the purpose of identity verification (including providing the MFA Services, as defined below), or as part of its legal obligation to retain Subscriber Records (as defined below).

• “Customer Content” means (a) personal data exchanged as a result of using the MST Services (as defined below), such as text, message bodies, voice and video media, documents, images, email bodies, email recipients, and sound and (b) data stored on Customer’s behalf such as communication logs within the Services or email data that Customer has uploaded to the MST Services (as defined below).

• “Customer Data” has the meaning given in the Agreement. Customer Data includes Customer Account Data, Customer Usage Data, and Customer Content each as defined in this Addendum.

• “Customer Usage Data” means data processed by MST for the purposes of transmitting or exchanging Customer Content, including data used to identify the source and destination of a communication, such as (a) individual data subjects’ telephone numbers, data on the location of the device generated in the context of providing the MST Services, and the date, time, duration and the type of communication and (b) activity logs used to identify the source of Service requests, optimize and maintain performance of the MST Services, and investigate and prevent system abuse.

• “Multi Factor Authentication Services” or “MFA Services” means the provision of a portion of the MST Services under which Customer adds an additional factor for verification of Customer’s end users’ identity in connection with such end users’ use of Customer’s software applications or services.

• “personal data” means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

• “Privacy Policy” means the then-current privacy policy for the MST Services available at https://legal.mstipmanager.com/privacy/privacy.

• “processor” means the entity which processes personal data on behalf of the controller.

• “processing” (and “process”) means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

• “Security Incident” means a confirmed or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.

• “MST Services” means the products and services provided under a MST account that are used by Customer, including, without limitation, products and services that are (a) on a trial basis or otherwise free of charge or (b) ordered by Customer under an account registration form. Services include products and services that provide both (x) platform services, including access to any application programming interface branded as “MST” (“MST API”) and (y) where applicable, communications services used in connection with the MST APIs. “MST Services” includes the services and any application programming interface branded as “AugmentedIP”, “DockIT”, “FileIT”, “ProtectIT”, “DiscloseIT”, “MST Memotech”, or “CPA Memotech” enabling the request, submission, development, transmission, analysis, and management of intellectual property and the assets, data, documents, email communications and other related digital communications and tools through the website at mstipmanager.com or mstipsolutions.com.

• “Sensitive Data” means (a) social security number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated last four digits of a credit or debit card number), financial information, banking account numbers or passwords; (c) employment, financial, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; (e) account passwords, mother’s maiden name, or date of birth; (f) criminal history; or (g) any other information or combinations of information that falls within the definition of “special categories of data” under GDPR or any other applicable law or regulation relating to privacy and data protection.

• “Standard Contractual Clauses” has the meaning set forth in Schedule 3 (Cross Border Transfer Mechanisms) of this Addendum.

• “Subscriber Records” means Customer Account Data containing proof of identification and proof of physical address necessary for MST to provide Customer or Customer’s end users with phone numbers in certain countries (“telephone number assignments”). When required by law or regulation, Subscriber Records are shared with local telecommunications providers, which provide local connectivity services, or local government authorities.

• “sub-processor” means processing by (a) MST on behalf of Customer where Customer itself acts in its role as a processor or (b) any third-party processor engaged by MST to process Customer Content in order to provide the MST Services to Customer. For the avoidance of doubt, telecommunication providers are not sub-processors.

• “Third Party Request” means any request, correspondence, inquiry, or complaint from a data subject, regulatory authority, or third party.

II. Controller and Processor

2. Relationship of the Parties.

2.1 MST as a Processor.

The parties acknowledge and agree that with regard to the processing of Customer Content, Customer may act either as a controller or processor and MST is a processor. MST will process Customer Content in accordance with Customer’s instructions as set forth in Section 5 (Customer Instructions).

2.2 MST as a Controller of Customer Account Data.

The parties acknowledge that, with regard to the processing of Customer Account Data, Customer is a controller and MST is an independent controller, not a joint controller with Customer. MST will process Customer Account Data as a controller (a) in order to manage the relationship with Customer; (b) carry out MST’s core business operations, such as accounting and filing taxes; (c) in order to detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of the MST Services; (d) identity verification; (e) to comply with MST’s legal or regulatory obligation to retain Subscriber Data; and (f) as otherwise permitted under Applicable Data Protection Law and in accordance with this Addendum, the Agreement, and the Privacy Policy.

2.3 MST as a Controller of Customer Usage Data.

The parties acknowledge that, with regard to the processing of Customer Usage Data, Customer may act either as a controller or processor and MST is an independent controller, not a joint controller with Customer. MST will process Customer Usage Data as a controller in order to carry out the necessary functions as a communications service provider, such as: (a) MST’s accounting, tax, billing, audit, and compliance purposes; (b) to provide, optimize, and maintain the MST Services and platform and security; (c) to investigate fraud, spam, wrongful or unlawful use of the MST Services; (d) as required by applicable law or regulation; or (e) as otherwise permitted under Applicable Data Protection Law and in accordance with this Addendum, the Agreement, and the Privacy Policy.

3. Purpose Limitation.

MST will process personal data in order to provide the MST Services in accordance with the Agreement. Schedule 1 (Details of Processing) of this Addendum further specifies the nature and purpose of the processing, the processing activities, the duration of the processing, the types of personal data and the categories of data subjects.

4. Compliance.

Customer is responsible for ensuring that (a) it has complied, and will continue to comply, with Applicable Data Protection Law in its use of the MST Services and its own processing of personal data and (b) it has, and will continue to have, the right to transfer, or provide access to, personal data to MST for processing in accordance with the terms of the Agreement and this Addendum.

III. MST as a Processor – Processing Customer Content

5. Customer Instructions.

Customer appoints MST as a processor to process Customer Content on behalf of, and in accordance with, Customer’s instructions as follows:

(a) as set forth in the Agreement, this Addendum, and as otherwise necessary to provide the MST Services to Customer (which may include investigating security incidents and preventing spam or fraudulent activity, and detecting and preventing network exploits or abuse);

(b) as necessary to comply with applicable law or regulation, including Applicable Data Protection Law; and

(c) as otherwise agreed in writing between the parties (“Permitted Purposes”).

5.1 Lawfulness of Instructions. Customer will ensure that its instructions comply with Applicable Data Protection Law. Customer acknowledges that MST is neither responsible for determining which laws or regulations are applicable to Customer’s business nor whether MST’s provision of the MST Services meets or will meet the requirements of such laws or regulations. Customer will ensure that MST’s processing of Customer Content, when done in accordance with Customer’s instructions, will not cause MST to violate any applicable law or regulation, including Applicable Data Protection Law. MST will inform Customer if it becomes aware, or reasonably believes, that Customer’s instructions violate any applicable law or regulation, including Applicable Data Protection Law.

5.2 Additional Instructions. Additional instructions outside the scope of the Agreement or this Addendum will be agreed to between the parties in writing, including any additional fees that may be payable by Customer to MST for carrying out such additional instructions.

6. Confidentiality.

6.1 Responding to Third Party Requests. In the event any Third Party Request is made directly to MST in connection with MST’s processing of Customer Content, MST will promptly inform Customer and provide details of the same, to the extent legally permitted. MST will not respond to any Third Party Request, without Customer’s prior consent, except as legally required to do so or to confirm that such Third Party Request relates to Customer.

6.2 Confidentiality Obligations of MST Personnel. MST will ensure that any person it authorizes to process Customer Content has agreed to protect personal data in accordance with MST's confidentiality obligations in the Agreement.

7. Sub-processors.

7.1 Authorization for Onward Sub-processing. Customer provides a general authorization for MST to engage onward sub-processors that is conditioned on the following requirements:

(a) MST will restrict the onward sub-processor’s access to Customer Content only to what is strictly necessary to provide the MST Services, and MST will prohibit the sub-processor from processing the personal data for any other purpose.

(b) MST agrees to impose contractual data protection obligations, including appropriate technical and organizational measures to protect personal data, on any sub-processor it appoints that require such sub-processor to protect Customer Content to the standard required by Applicable Data Protection Law, including the requirements set forth in Schedule 4 (Jurisdiction Specific Terms) of this Addendum; and

(c) MST will remain liable for any breach of this Addendum that is caused by an act, error, or omission of its sub-processors.

7.2 Current Sub-processors and Notification of Sub-processor Changes. Customer consents to MST engaging additional third party sub-processors to process Customer Content within the MST Services for the Permitted Purposes provided that MST maintains an up-to-date list of its sub-processors at https://legal.mstipmanager.com/privacy/sub-processors. MST will provide details of any change in sub-processors as soon as reasonably practicable. With respect to changes in infrastructure providers, MST will endeavor to give notice sixty (60) days prior to any change, but in any event will give notice no less than thirty (30) days prior to any such change. With respect to MST’s other sub-processors, MST will endeavor to give notice thirty (30) days prior to any change, but will give notice no less than ten (10) days prior to any such change.

7.3 Objection Right for New Sub-processors. Customer may object to MST's appointment or replacement of a sub-processor prior to its appointment or replacement, provided such objection is in writing and based on reasonable grounds relating to data protection. In such an event, the parties agree to discuss commercially reasonable alternative solutions in good faith. If the parties cannot reach a resolution within ninety (90) days from the date of MST’s receipt of Customer’s written objection, Customer may discontinue the use of the affected MST Services by providing written notice to MST. Such discontinuation will be without prejudice to any fees incurred by Customer prior to the discontinuation of the affected MST Services. If no objection has been raised prior to MST replacing or appointing a new sub-processor, MST will deem Customer to have authorized the new sub-processor.

8. Data Subject Rights.

8.1 MST Services. MST will, taking into account the nature of the processing, provide reasonable assistance to Customer to the extent possible to enable Customer to respond to requests from a data subject seeking to exercise its rights under Applicable Data Protection Law with respect to Customer Content being processed via the MST Services.

9. Impact Assessments and Consultations.

MST will provide reasonable cooperation to Customer in connection with any data protection impact assessment (at Customer’s expense only if such reasonable cooperation will require MST to assign significant resources to that effort) or consultations with regulatory authorities that may be required in accordance with Applicable Data Protection Law.

10. Return or Deletion of Customer Content.

MST will, in accordance with Section 3 (Duration of the Processing) of Schedule 1 (Details of Processing) of this Addendum, delete or return to Customer any Customer Content stored within the MST Services.

10.1 Extension of Addendum. Upon termination of the Agreement, MST may retain Customer Content in storage for the time periods set forth in Schedule 1 (Details of Processing) of this Addendum, provided that MST will ensure that Customer Content:

(a) is processed only as necessary for the Permitted Purposes and

(b) remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law.

10.2 Retention Required by Law. Notwithstanding anything to the contrary in this Section 10, MST may retain Customer Content, or any portion of it, if required by applicable law or regulation, including Applicable Data Protection Law, provided such Customer Content remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law.

IV. Security and Audits

11. Security.

11.1 Security Measures. MST has implemented and will maintain the technical and organizational security measures as set forth in the Agreement. Additional information about MST’s technical and organizational security measures to protect Customer Data is set forth in Schedule 2 (Technical and Organizational Security Measures).

11.2 Determination of Security Requirements. Customer acknowledges the MST Services include certain features and functionalities that Customer may elect to use which impact the security of Customer Data processed by Customer’s use of the MST Services, such as, but not limited to, the availability of multi-factor authentication on Customer’s account and TLS encryption within the MST Services. Customer is responsible for reviewing the information MST makes available regarding its data security, and making an independent determination as to whether the MST Services meet the Customer’s requirements and legal obligations, including its obligations under Applicable Data Protection Law. Customer is further responsible for properly configuring the MST Services and using features and functionalities made available by MST to maintain appropriate security in light of the nature of Customer Data processed as a result of Customer’s use of the MST Services.

11.3 Security Incident Notification. MST will provide notification of a Security Incident in the following manner:

(a) MST will, to the extent permitted by applicable law, notify Customer without undue delay, but in no event later than seventy-two (72) hours after MST’s discovery of a Security Incident impacting Customer Data of which MST is a processor;

(b) MST will, to the extent permitted and required by applicable law, notify Customer without undue delay of any Security Incident involving Customer Data of which MST is a controller; and

(c) MST will notify Customer of any Security Incident via email to the email address(es) designated by Customer in Customer’s account.

MST will make reasonable efforts to identify a Security Incident, and to the extent a Security Incident is caused by MST’s violation of this Addendum, remediate the cause of such Security Incident. MST will provide reasonable assistance to Customer in the event that Customer is required under Applicable Data Protection Law to notify a regulatory authority or any data subjects impacted by a Security Incident.

12. Audits.

The parties acknowledge that Customer must be able to assess MST’s compliance with its obligations under Applicable Data Protection Law and this Addendum, insofar as MST is acting as a processor on behalf of Customer.

12.1 MST’s Audit Program. MST performs internal audits to verify the adequacy of its security measures with respect to its processing of Customer Content. Such audits are performed at least once annually and result in the generation of a confidential audit report (“Audit Report”). A description of MST’s compliance standards for audit of the MST Services can be found at https://legal.mstipmanager.com/agreements/securitypolicy.

12.2 Customer Audit. Upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, MST will make available to Customer a copy of MST’s most recent Audit Report. Customer agrees that any audit rights granted by Applicable Data Protection Law will be satisfied by these Audit Reports. To the extent that MST’s provision of an Audit Report does not provide sufficient information or Customer is required to respond to a regulatory authority audit, Customer agrees to a mutually agreed-upon audit plan with MST that: (a) ensures the use of an independent third party; (b) provides notice to MST in a timely fashion; (c) requests access only during business hours; (d) accepts billing to Customer at MST’s then-current rates; (e) occurs no more than once annually; (f) restricts its findings to only data relevant to Customer; and (g) obligates Customer, to the extent permitted by law or regulation, to keep confidential any information gathered that, by its nature, should be confidential.

V. International Provisions

13. Processing in the United States.

Customer acknowledges that, as of the Effective Date, MST’s primary processing facilities are in the United States of America.

14. Jurisdiction Specific Terms.

To the extent MST processes personal data originating from and protected by Applicable Data Protection Law in one of the jurisdictions listed in Schedule 4 (Jurisdiction Specific Terms) of this Addendum, the terms specified in Schedule 4 with respect to the applicable jurisdiction(s) apply in addition to the terms of this Addendum.

15. Cross Border Data Transfer Mechanisms for Data Transfers.

To the extent Customer’s use of the MST Services requires an onward transfer mechanism to lawfully transfer personal data from a jurisdiction (i.e., the European Economic Area (“EEA”), the United Kingdom, Switzerland, or any other jurisdiction listed in Schedule 4 (Jurisdiction Specific Terms)) to MST located outside of that jurisdiction (“Transfer Mechanism”), the terms set forth in Schedule 3 (Cross Border Transfer Mechanisms) will apply.

VI. Miscellaneous

16. Cooperation and Data Subject Rights.

In the event that either party receives (a) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure, and data portability, as applicable) or (b) any Third Party Request relating to the processing of Customer Account Data or Customer Usage Data conducted by the other party, such party will promptly inform such other party in writing. The parties agree to cooperate, in good faith, as necessary to respond to any Third Party Request and fulfill their respective obligations under Applicable Data Protection Law.

17. Conflict.

In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms in Schedule 4 (Jurisdiction Specific Terms); (2) the terms of this Addendum outside of Schedule 4; (3) the Agreement; and (4) the Privacy Policy. Any claims brought in connection with this Addendum will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the Agreement.

18. Failure to Perform.

In the event that changes in law or regulation render performance of this Addendum impossible or commercially unreasonable, the parties may renegotiate this Addendum in good faith. If renegotiation would not cure the impossibility or the parties cannot reach an agreement, the parties may mutually agree to terminate the Agreement for convenience.

19. Updates.

MST may update the terms of this Addendum from time to time; provided, however, MST will provide at least thirty (30) days prior written notice to Customer when an update is required as a result of (a) changes in Applicable Data Protection Law; (b) a merger, acquisition, or other similar transaction; or (c) the release of new products or services or material changes to any of the existing MST Services. The then-current terms of this Addendum are available at https://legal.mstipmanager.com/agreements/dpa.


SCHEDULE 1 - DETAILS OF PROCESSING

1. Nature and Purpose of the Processing.

MST will process personal data as necessary to provide the MST Services under the Agreement. MST does not sell Customer’s personal data or Customer end users’ personal data and does not share such end users’ information with third parties except as instructed in writing by Customer.

1.1 Customer Content. MST will process Customer Content as a processor in accordance with Customer’s instructions as set forth in Section 5 (Customer Instructions) of this Addendum. The nature of the MST Services utilized includes:

• collection, structuring, storage and restricted retrieval of invention disclosures, trade secrets, patent application filing and prosecution data, and granted patent data, including related inventor personal data (which may include related compensation awards) and agent personal data.

• collection, structuring, storage and restricted dissemination of intellectual property licensing and joint development agreements, including related contact person personal data and agent personal data.

• collection, structuring, storage and restricted dissemination of requests for intellectual property related services, such as trademark clearances and legal opinions, including related requestor, contact person, and technical contact personal data and agent personal data.

• collection, structuring, storage and restricted dissemination of technical input related to the management of intellectual property, such as review of prior art by inventors, including technical contact personal data.

The purpose of the data transfer is to fulfill the legitimate business interest to track and manage the intellectual property matters of the Controller, including personal data of inventors, contacts, and agents related to the matters and fulfill the legal obligations associated with this business interest.

1.2 Customer Account Data. MST will process Customer Account Data as a controller for the purposes set forth in Section 2.2 (MST as a Controller of Customer Account Data) of this Addendum.

1.3 Customer Usage Data. MST will process Customer Usage Data as a controller for the purposes set forth in Section 2.3 (MST as a Controller of Customer Usage Data) of this Addendum.

2. Processing Activities.

2.1 Customer Content. Personal data contained in Customer Content will be subject to the following basic processing activities:

• collection, structuring, storage and restricted retrieval of invention disclosures, trade secrets, patent application filing and prosecution data, and granted patent data, including related inventor personal data (which may include related compensation awards) and agent personal data.

• collection, structuring, storage and restricted dissemination of intellectual property licensing and joint development agreements, including related contact person personal data and agent personal data.

• collection, structuring, storage and restricted dissemination of requests for intellectual property related services, such as trademark clearances and legal opinions, including related requestor, contact person, and technical contact personal data and agent personal data.

• collection, structuring, storage and restricted dissemination of technical input related to the management of intellectual property, such as review of prior art by inventors, including technical contact personal data.

Storage of personal data is on MST’s network. MST utilizes the sub-processor Microsoft Azure to host the MST network.

2.2 Customer Account Data. Personal data contained in Customer Account Data will be subject to the processing activities of providing the MST Services.

2.3 Customer Usage Data. Personal data contained in Customer Usage Data will be subject to the processing activities of providing the MST Services.

3. Duration of the Processing.

The period for which personal data will be retained and the criteria used to determine that period is as follows:

3.1 Customer Content. Upon termination of the Agreement, MST will (i) at Customer’s election, delete or return to Customer the Customer Content (including copies) stored within the MST Services and (ii) automatically delete any stored Customer Content on MST’s back-up systems one (1) year after the termination effective date. Customer will ensure that personal data within Customer Content is retained as long as required (a) for Customer’s legitimate business needs or (b) by applicable law or regulation. Retention and destruction policies will vary by intellectual property matter type.

3.2 Customer Account Data. MST will process Customer Account Data as long as required (a) to provide the MST Services to Customer; (b) for MST’s legitimate business needs; or (c) by applicable law or regulation. Customer Account Data will be stored in accordance with the Privacy Policy.

3.3 Customer Usage Data. Upon termination of the Agreement, MST may retain, use, and disclose Customer Usage Data for the purposes set forth in Section 1.3 (Customer Usage Data) of this Schedule 1, subject to the confidentiality obligations set forth in the Agreement. MST will anonymize or delete Customer Usage Data when MST no longer requires it for the purposes set forth in Section 1.3 of this Schedule 1.

4. Categories of Data Subjects.

4.1 Customer Content. Customer may submit personal data to the MST Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, personal data relating to the following categories of data subjects:

• Prospects, customers, business partners and vendors of Customer (who are natural persons)

• Employees or contact persons of Customer’s prospects, customers, business partners and vendors

• Employees, agents, advisors, freelancers of Customer (who are natural persons)

• Customer’s End Users authorized by Customer to use the MST Services

4.2 Customer Account Data. Customer’s employees and individuals authorized by Customer to access Customer’s MST account or make use of the MFA Services or telephone number assignments received from MST.

4.3 Customer Usage Data. Customer’s end users.

5. Categories of Personal Data.

MST processes personal data contained in Customer Account Data, Customer Content, and Customer Usage Data.

• Personal data may include name, work or personal email, work address, personal address, work phone number, home phone number, mobile phone number, employment status, employer, employer contact information, location, job title, position, internal employee number, nationality, localization data, and IP address.

• Correspondence and documents transferred may include the personal data above and additionally may include professional or technical opinions or analysis thereof.

• Customer will not submit sensitive data or special categories of personal data to the MST Services, which includes personal data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

6. Sensitive Data or Special Categories of Data.

6.1 Customer Content. Customer agrees that Sensitive Data or Special Categories of Data will not be collected, stored, transmitted, or otherwise become a part of Customer Content, Customer Account Data or Customer Usage Data. Customer is responsible for ensuring that suitable safeguards are in place to prevent the transmission or processing of any Sensitive Data via the MST Services, including prior to permitting Customer’s end users to transmit or process such data.

6.2 Customer Account Data and Customer Usage Data. Sensitive Data is not contained in Customer Account Data or Customer Usage Data.

SCHEDULE 2 - TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

The full text of MST’s technical and organizational security measures to protect Customer Data is available at https://legal.mstipmanager.com/agreements/securitypolicy (“Security Policy”).

Where applicable, this Schedule 2 will serve as Annex II to the Standard Contractual Clauses. The following table provides more information regarding the technical and organizational security measures set forth below.

Technical and Organizational Security Measure: Evidence of Technical and Organizational Security Measure

• Measures of pseudonymisation and encryption of personal data: See Section 13 (Encryption) of the Security Policy.

• Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: See Section 18 (Resilience and Service Continuity) and Section 19 (Backups and Recovery) of the Security Policy.

• Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: See Section 18 (Resilience and Service Continuity) and Section 19 (Backups and Recovery) of the Security Policy.

• Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing: See Section 3 (Security Organization and Program), Section 7 (Security Certifications), and Section 15 (Penetration Testing) of the Security Policy.

• Measures for user identification and authorization: See Section 11 (Access Controls) of the Security Policy.

• Measures for the protection of data during transmission: See Section 13 (Encryption) and Section 19 (Backups and Recovery) of the Security Policy.

• Measures for the protection of data during storage: See Section 8 (Architecture and Data Segregation) and Section 13 (Encryption) of the Security Policy.

• Measures for ensuring physical security of locations at which personal data are processed: See Section 9 (Physical Security) of the Security Policy.

• Measures for ensuring events logging: Application event logging is enabled and verified via nightly processes. Results of nightly processes, including any failures, are automatically reported to the Support Team.

• Measures for ensuring system configuration, including default configuration: Application critical system configuration is set via script after initial setup and is verified and enabled via nightly processes. Results of nightly processes, including any failures, are automatically reported to the Support Team.

• Measures for internal IT and IT security governance and management: See Section 3 (Security Organization and Program) of the Security Policy.

• Measures for certification/assurance of processes and products: See Section 3 (Security Organization and Program) and Section 7 (Security Certifications) of the Security Policy.

• Measures for ensuring data minimization: Customer will ensure that data minimization measures are enacted according to its adopted BCR. Customer will implement a personal data retention policy to limit the personal data entered, transferred, and retained in Customer Content to only the personal data that is necessary to enable its legitimate business needs, including communications, or to comply with applicable laws or regulations, in order to achieve the purposes described herein.

MST will collect only customer account data and customer usage data necessary to provide the MST Services described herein. More information about how MST processes personal data is set forth in the Privacy Policy available at https://legal.mstipmanager.com/privacy/privacy.

• Measures for ensuring data quality: Customer will implement a personal data quality policy to review that personal data contained in its Customer Content is accurate, complete, consistent, timely, valid, and unique. Customer may ensure the data quality of its personal data via scheduled comparisons to other internal personal data resources.

MST will collect only customer account data and customer usage data necessary to provide the MST Services described herein. MST will routinely provide this data to Customer for review, analysis, and comparison to other Customer personal data resources.

• Measures for ensuring limited data retention: Customer will implement a personal data retention policy, including document and email retention, to delete personal data when the legitimate business need for it, or the retention period required by applicable law or regulation, has expired.

MST will delete customer account data at the request of the Customer. MST will delete customer account data and customer usage data after 1 year of account inactivity unless retention is otherwise required by law. More information about how MST processes personal data is set forth in the Privacy Policy available at https://legal.mstipmanager.com/privacy/privacy.

• Measures for ensuring accountability: Customer and MST will review data protection policies, including on an annual basis, and will review and ensure compliance with the measures described in Section 2.

• Measures for allowing data portability and ensuring erasure: MST will provide Customer with Customer Content when requested.

Customer is able to request export or deletion of customer account data and customer usage data by emailing a request to privacy@mstfirm.com.

• Technical and organizational measures to be taken by the [sub]-processor to provide assistance to the controller and, for transfers from a processor to a [sub]-processor, to the Customer: When MST engages a sub-processor under Section 7.1 (Authorization for Onward Sub-processing) of this Addendum, MST and the sub-processor enter into an agreement with data protection obligations substantially similar to those contained in this Addendum. Each sub-processor agreement must ensure that MST is able to meet its obligations to Customer.

In addition to implementing technical and organizational measures to protect personal data, sub-processors must:

(a) notify MST in the event of a Security Incident so MST may notify Customer;

(b) delete personal data when instructed by MST in accordance with Customer’s instructions to MST;

(c) not engage additional sub-processors without MST’s authorization;

(d) not change the location where personal data is processed; or

(e) not process personal data in a manner which conflicts with Customer’s instructions to MST.


SCHEDULE 3 - CROSS BORDER DATA TRANSFER MECHANISMS

1. Definitions

• “EC” means the European Commission

• “EEA” means the European Economic Area

• “Standard Contractual Clauses” means, depending on the circumstances unique to Customer, any of the following:

(a) UK Standard Contractual Clauses, and

(b) 2021 Standard Contractual Clauses

• “UK Standard Contractual Clauses” means:

(a) Standard Contractual Clauses for data controller to data processor transfers approved by the European Commission in decision 2010/87/EU (“UK Controller to Processor SCCs”), and

(b) Standard Contractual Clauses for data controller to data controller transfers approved by the European Commission in decision 2004/915/EC (“UK Controller to Controller SCCs”).

• “2021 Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.

2. Cross Border Data Transfer Mechanisms.

2.1 Order of Precedence.

In the event the MST Services are covered by more than one Transfer Mechanism, the transfer of personal data will be subject to a single Transfer Mechanism in accordance with the following order of precedence:

(a) the applicable Standard Contractual Clauses as set forth in Section 2.3 (UK Standard Contractual Clauses) or Section 2.4 (The 2021 Standard Contractual Clauses) of this Schedule 3; if (a) is not applicable, then

(b) other applicable data Transfer Mechanisms permitted under Applicable Data Protection Law.

2.2 Customer warrants that all intra-group data transfers related to use of MST Services or facilitated by use of MST Services will be governed by their Binding Corporate Rules (BCRs). Customer will limit use to only individuals that are: (1) bound to Customer by their BCRs or (2) bound to the terms of this agreement. Customer will require individuals not bound to Customer by their BCRs to become a party to this agreement prior to use of MST Services.

2.3 UK Standard Contractual Clauses. The parties agree that the UK Standard Contractual Clauses will apply to personal data that is transferred via the MST Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for personal data. For data transfers from the United Kingdom that are subject to the UK Standard Contractual Clauses, the UK Standard Contractual Clauses will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:

(a) The UK Controller to Processor SCCs will apply where MST is processing Customer Content. The illustrative indemnification clause will not apply. Schedule 1 (Details of Processing) of this Addendum serves as Appendix I of the UK Controller to Processor SCCs. Schedule 2 (Technical and Organizational Security Measures) of this Addendum serves as Appendix II of the UK Controller to Processor SCCs.

(b) The UK Controller to Controller SCCs will apply where MST is processing Customer Account Data or Customer Usage Data. In Clause II(h) of the UK Controller to Controller SCCs, MST will process personal data in accordance with the data processing principles set forth in Annex A of the UK Controller to Controller SCCs. The illustrative commercial clause will not apply. Schedule 1 (Details of Processing) of this Addendum serves as Annex B of the UK Controller to Controller SCCs. Personal data transferred under these clauses may only be disclosed to the following categories of recipients: (i) MST’s employees, agents, affiliates, advisors, and independent contractors with a reasonable business purpose for processing such personal data; (ii) MST vendors that, in their performance of their obligations to MST, must process such personal data acting on behalf of and according to instructions from MST; and (iii) any person (natural or legal) or organization to whom MST may be required by applicable law or regulation to disclose personal data, including law enforcement authorities and central and local government authorities.

2.4 2021 Standard Contractual Clauses. The parties agree that the 2021 Standard Contractual Clauses will apply to personal data that is transferred via the MST Services from the European Economic Area or Switzerland, either directly or via onward transfer, to any country or recipient outside the European Economic Area or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for personal data. For data transfers from the European Economic Area that are subject to the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:

(a) Module One (Controller to Controller) of the 2021 Standard Contractual Clauses will apply where (i) MST is processing Customer Account Data and (ii) Customer is a controller of Customer Usage Data and MST is processing Customer Usage Data.

(b) Module Two (Controller to Processor) of the 2021 Standard Contractual Clauses will apply where Customer is a controller of Customer Content and MST is processing Customer Content.

(c) Module Three (Processor to Processor) of the 2021 Standard Contractual Clauses will apply where Customer is a processor of Customer Content and MST is processing Customer Content.

(d) Module Four (Processor to Controller) of the 2021 Standard Contractual Clauses will apply where Customer is a processor of Customer Usage Data and MST processes Customer Usage Data.

(e) For each Module, where applicable:

(i) in Clause 7 of the 2021 Standard Contractual Clauses, the optional docking clause will apply;

(ii) in Clause 9 of the 2021 Standard Contractual Clauses, Option 2 will apply and the time period for prior notice of sub-processor changes will be as set forth in Section 7.2 (Current Sub-processors and Notification of Sub-processor Changes) of this Addendum;

(iii) in Clause 11 of the 2021 Standard Contractual Clauses, the optional language will not apply;

(iv) in Clause 17 (Option 1), the 2021 Standard Contractual Clauses will be governed by Irish law;

(v) in Clause 18(b) of the 2021 Standard Contractual Clauses, disputes will be resolved before the courts of Ireland;

(vi) in Annex I, Part A of the 2021 Standard Contractual Clauses:

Data Exporter: Customer and all entities bound to Customer by their Binding Corporate Rules (BCRs).

Contact details: The email address(es) designated by Customer in Customer’s account via its notification preferences.

Data Exporter Role: The Data Exporter’s role is set forth in Section 2 (Relationship of the Parties) of this Addendum.

Signature and Date: By entering into the Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.

Data Importer: MacMillan, Sobanski & Todd, LLC (MST)

Contact details: MST Privacy Team - privacy@mstfirm.com

Data Importer Role: The Data Importer’s role is set forth in Section 2 (Relationship of the Parties) of this Addendum.

Signature and Date: By entering into the Agreement, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.

(vii) in Annex I, Part B of the 2021 Standard Contractual Clauses:

The categories of data subjects are described in Section 4 of Schedule 1 (Details of Processing) of this Addendum.

The Sensitive Data transferred is described in Section 6 of Schedule 1 (Details of Processing) of this Addendum.

The frequency of the transfer is a continuous basis for the duration of the Agreement.

The nature of the processing is described in Section 1 of Schedule 1 (Details of Processing) of this Addendum.

The purpose of the processing is described in Section 1 of Schedule 1 (Details of Processing) of this Addendum.

The period for which the personal data will be retained is described in Section 3 of Schedule 1 (Details of Processing) of this Addendum.

For transfers to sub-processors, the subject matter, nature, and duration of the processing is set forth at https://legal.mstipmanager.com/privacy/sub-processors.

(viii) in Annex I, Part C of the 2021 Standard Contractual Clauses: The Irish Data Protection Commission will be the competent supervisory authority.

(ix) Schedule 2 (Technical and Organizational Security Measures) of this Addendum serves as Annex II of the Standard Contractual Clauses.

2.6 Conflict. To the extent there is any conflict between the Standard Contractual Clauses, and any other terms in this Addendum, including Schedule 4 (Jurisdiction Specific Terms) of this Addendum, the Agreement, or the Privacy Policy, the provisions of the Standard Contractual Clauses will prevail.


SCHEDULE 4 - JURISDICTION SPECIFIC TERMS

1. Australia

1.1 The definition of “Applicable Data Protection Law” includes the Australian Privacy Principles and the Australian Privacy Act (1988).

1.2 The definition of “personal data” includes “Personal Information” as defined under Applicable Data Protection Law.

1.3 The definition of “Sensitive Data” includes “Sensitive Information” as defined under Applicable Data Protection Law.

2. Brazil

2.1 The definition of “Applicable Data Protection Law” includes the Lei Geral de Proteção de Dados (LGPD).

2.2 The definition of “Security Incident” includes a security incident that may result in any relevant risk or damage to data subjects.

2.3 The definition of “processor” includes “operator” as defined under Applicable Data Protection Law.

3. California

3.1 The definition of “Applicable Data Protection Law” includes the California Consumer Privacy Act (CCPA).

3.2 The definition of “personal data” includes “Personal Information” as defined under Applicable Data Protection Law and, for clarity, includes any Personal Information contained within Customer Account Data, Customer Content, and Customer Usage Data.

3.3 The definition of “data subject” includes “Consumer” as defined under Applicable Data Protection Law. Any data subject rights, as described in Section 8 (Data Subject Rights) of this Addendum, apply to Consumer rights. In regards to data subject requests, MST can only verify a request from Customer and not from Customer’s end user or any third party.

3.4 The definition of “controller” includes “Business” as defined under Applicable Data Protection Law.

3.5 The definition of “processor” includes “Service Provider” as defined under Applicable Data Protection Law.

3.6 MST will process, retain, use, and disclose personal data only as necessary to provide the MST Services under the Agreement, which constitutes a business purpose. MST agrees not to (a) sell (as defined by the CCPA) Customer’s personal data or Customer end users’ personal data; (b) retain, use, or disclose Customer’s personal data for any commercial purpose (as defined by the CCPA) other than providing the MST Services; or (c) retain, use, or disclose Customer’s personal data outside of the scope of the Agreement. MST understands its obligations under the Applicable Data Protection Law and will comply with them.

3.7 MST certifies that its sub-processors, as described in Section 7 (Sub-processors) of this Addendum, are Service Providers under Applicable Data Protection Law, with whom MST has entered into a written contract that includes terms substantially similar to this Addendum. MST conducts appropriate due diligence on its sub-processors.

3.8 MST will implement and maintain reasonable security procedures and practices appropriate to the nature of the personal data it processes as set forth in Section 11 (Security) of this Addendum.

4. Canada

4.1 The definition of “Applicable Data Protection Law” includes the Federal Personal Information Protection and Electronic Documents Act (PIPEDA).

4.2 MST’s sub-processors, as described in Section 7 (Sub-processors) of this Addendum, are third parties under Applicable Data Protection Law, with whom MST has entered into a written contract that includes terms substantially similar to this Addendum. MST has conducted appropriate due diligence on its sub-processors.

4.3 MST will implement technical and organizational measures as set forth in Section 11 (Security) of this Addendum.

5. European Economic Area (EEA)

5.1 The definition of “Applicable Data Protection Law” includes the General Data Protection Regulation (EU 2016/679) (“GDPR”).

5.2 When MST engages a sub-processor under Section 7.1 (Authorization for Onward Sub-processing) of this Addendum, it will:

(a) require any appointed sub-processor to protect the Customer Content to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR, and

(b) require any appointed sub-processor to (i) agree in writing to only process personal data in a country that the European Union has declared to have an “adequate” level of protection or (ii) only process personal data on terms equivalent to the Standard Contractual Clauses or pursuant to a Binding Corporate Rules approval granted by competent European Union data protection authorities.

5.3 Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.

5.4 Customer acknowledges that MST, as a controller, may be required under Applicable Data Protection Law to notify a regulatory authority of Security Incidents involving Customer Usage Data. If a regulatory authority requires MST to notify impacted data subjects with whom MST does not have a direct relationship (e.g., Customer’s end users), MST will notify Customer of this requirement. Customer will provide reasonable assistance to MST to notify the impacted data subjects.

6. Israel

6.1 The definition of “Applicable Data Protection Law” includes the Protection of Privacy Law (PPL).

6.2 The definition of “controller” includes “Database Owner” as defined under Applicable Data Protection Law.

6.3 The definition of “processor” includes “Holder” as defined under Applicable Data Protection Law.

6.4 MST will require that any personnel authorized to process Customer Content comply with the principle of data secrecy and have been duly instructed about Applicable Data Protection Law. Such personnel sign confidentiality agreements with MST in accordance with Section 6 (Confidentiality) of this Addendum.

6.5 MST must take sufficient steps to ensure the privacy of data subjects by implementing and maintaining the security measures as specified in Section 11 (Security) of this Addendum and complying with the terms of the Agreement.

6.6 MST must ensure that the personal data will not be transferred to a sub-processor unless such sub-processor has executed an agreement with MST pursuant to Section 7.1 (Authorization for Onward Sub-processing) of this Addendum.

7. Japan

7.1 The definition of “Applicable Data Protection Law” includes the Act on the Protection of Personal Information (APPI).

7.2 The definition of “personal data” includes “Personal Information” as defined under Applicable Data Protection Law.

7.3 The definition of “controller” includes “Business Operator” as defined under Applicable Data Protection Law. As a Business Operator, MST is responsible for the handling of personal data in its possession.

7.4 The definition of “processor” includes a business operator entrusted by the Business Operator with the handling of personal data in whole or in part (also a “trustee”), as described under Applicable Data Protection Law. As a trustee, MST will ensure that the use of the entrusted personal data is securely controlled.

8. Mexico

8.1 The definition of “Applicable Data Protection Law” includes the Federal Law for the Protection of Personal Data Held by Private Parties and its Regulations (FLPPIPPE).

8.2 When acting as a processor, MST will:

(a) treat personal data in accordance with Customer’s instructions set forth in Section 5 (Customer Instructions) of this Addendum;

(b) process personal data only to the extent necessary to provide the MST Services;

(c) implement security measures in accordance with Applicable Data Protection Law and Section 11 (Security) of this Addendum;

(d) keep confidentiality regarding the personal data processed in accordance with the Agreement;

(e) delete all personal data upon termination of the Agreement in accordance with Section 10 (Return or Deletion of Customer Content) of this Addendum; and

(f) only transfer personal data to sub-processors in accordance with Section 7 (Sub-processors) of this Addendum.

9. Singapore

9.1 The definition of “Applicable Data Protection Law” includes the Personal Data Protection Act 2012 (PDPA).

9.2 MST will process personal data to a standard of protection in accordance with the PDPA by implementing adequate technical and organizational measures as set forth in Section 11 (Security) of this Addendum and complying with the terms of the Agreement.

10. Switzerland

10.1 The definition of “Applicable Data Protection Law” includes the Swiss Federal Act on Data Protection.

10.2 When MST engages a sub-processor under Section 7.1 (Authorization for Onward Sub-processing) of this Addendum, it will:

(a) require any appointed sub-processor to protect the Customer Content to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR, and

(b) require any appointed sub-processor to (i) agree in writing to only process personal data in a country that the European Union has declared to have an “adequate” level of protection or (ii) only process personal data on terms equivalent to the Standard Contractual Clauses or pursuant to a Binding Corporate Rules approval granted by competent European Union data protection authorities.

11. United Kingdom (UK)

11.1 References in this Addendum to GDPR will to that extent be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).

11.2 When MST engages a sub-processor under Section 7.1 (Authorization for Onward Sub-processing) of this Addendum, it will:

(a) require any appointed sub-processor to protect the Customer Content to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and

(b) require any appointed sub-processor to (i) agree in writing to only process personal data in a country that the United Kingdom has declared to have an “adequate” level of protection or (ii) only process personal data on terms equivalent to the Standard Contractual Clauses or pursuant to a Binding Corporate Rules approval granted by competent United Kingdom data protection authorities.

11.3 Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any UK GDPR fines issued or levied under Article 83 of the UK GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the UK GDPR.

11.4 Customer acknowledges that MST, as a controller, may be required under Applicable Data Protection Law to notify a regulatory authority of Security Incidents involving Customer Usage Data. If a regulatory authority requires MST to notify impacted data subjects with whom MST does not have a direct relationship (e.g., Customer’s end users), MST will notify Customer of this requirement. Customer will provide reasonable assistance to MST to notify the impacted data subjects.