Version Date: August 1, 2022
This Has Been Updated.
THIS DATA PROCESSING ADDENDUM (“DPA”) is entered into as of the Addendum Effective Date by and between: (1) Metadata, Inc., a Delaware corporation with its principal business address 1754 Technology Drive, Suite 212, San Jose, CA 95110, United States (“Metadata”); and (2) the entity or other person who is a counterparty to the Agreement (as defined below) into which this DPA is incorporated and forms a part (“Customer”), together the “Parties” and each a “Party”.
I. RECITALS
i. Metadata and Customer have executed an Agreement pursuant to which Metadata will provide Customer with the Company Services.
ii. As part of Metadata’s provision of the Company Services:
iii. The Parties agree to comply with the provisions of this DPA with respect to the Processing of Customer Personal Data and Metadata Personal Data.
1. INTERPRETATION
2. SCOPE OF THIS DATA PROCESSING ADDENDUM
3. PROCESSING OF PERSONAL DATA
Metadata as a Processor
3.1 Subject to Sections 3.3 to 3.4, Metadata shall not Process Customer Personal Data other than on Customer’s instructions or as required by applicable laws.
3.2 Customer instructs Metadata to Process Customer Personal Data as necessary to provide the Company Services to Customer under and in accordance with the Agreement.
Metadata as a Controller
3.3 The Parties acknowledge and agree that Metadata may provide Client with Metadata Personal Data as part of Metadata’s provision of the Company Services.
3.4 The Parties acknowledge and agree that, in respect of any Processing of Metadata Personal Data pursuant to Section 3.3, each Party:
4. METADATA PERSONNEL
Metadata shall take commercially reasonable steps to ascertain the reliability of any Metadata Personnel who Process Customer Personal Data, and shall enter into written confidentiality agreements with all Metadata Personnel who Process Customer Personal Data that are not subject to professional or statutory obligations of confidentiality.
5. SECURITY
5.1 Metadata shall implement and maintain technical and organisational measures in relation to Customer Personal Data designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access as described in Annex 3 (Security Measures) (the “Security Measures”).
5.2 Metadata may update the Security Measures from time to time, provided the updated measures do not materially decrease the overall protection of Customer Personal Data.
6. DATA SUBJECT RIGHTS
6.1 Metadata, taking into account the nature of the Processing of Customer Personal Data, shall provide Customer with such assistance as may be reasonably necessary and technically feasible to assist Customer in fulfilling its obligations to respond to Data Subject Requests. If Metadata receives a Data Subject Request in respect of Customer Personal Data, Customer will be responsible for responding to any such request.
6.2 Metadata shall:
6.3 Operational clarifications (if and as the EU SCCs apply in accordance with Paragraph 4.2 of Annex 1):
7. PERSONAL DATA BREACH
Breach notification and assistance
7.1 Metadata shall notify Customer without undue delay upon Metadata’s discovery of a Personal Data Breach affecting Customer Personal Data. Metadata shall provide Customer with information (insofar as such information is within Metadata’s possession and knowledge and does not otherwise compromise the security of any Personal Data Processed by Metadata) to allow Customer to meet its obligations under the Applicable Data Protection Laws to report the Personal Data Breach. Metadata’s notification of or response to a Personal Data Breach shall not be construed as Metadata’s acknowledgement of any fault or liability with respect to the Personal Data Breach.
7.2 Metadata shall reasonably co-operate with Customer and take such commercially reasonable steps as may be directed by Customer to assist in the investigation of any such Personal Data Breach.
7.3 Customer is solely responsible for complying with notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breaches.
7.4 Operational clarifications:
Notification to Metadata
7.5 If Customer determines that a Personal Data Breach (whether related to Customer Personal Data or Metadata Personal Data) must be notified to any Supervisory Authority, any Data Subject(s), the public or others under Applicable Data Protection Laws, to the extent such notice directly or indirectly refers to or identifies Metadata, where permitted by applicable laws, Customer agrees to:
8. SUB-PROCESSORS
With respect to all Customer Personal Data except Customer Personal Data subject to Annex 1, Metadata may use Sub-Processors to Process such Customer Personal Data provided such Sub-Processors agree (i) to comply with Applicable Data Protection Laws, (ii) to take reasonable steps designed to protect and secure Customer Personal Data, and (iii) not to Process Customer Personal Data other than on behalf of Metadata. Metadata shall remain liable for any breach of this DPA caused by a Sub-Processor. A list of Sub-Processors engaged by Metadata as at the date of this DPA (as those Sub-Processors are shown, together with their respective functions and locations), is contained in the Sub-Processor list shown at https://metadata.io/subprocessors (the “Sub-Processor List”).
Metadata’s obligations with respect to Sub-Processors that Process Customer Personal Data subject to the GDPR are addressed in Annex 1.
9. RETURN AND DELETION
9.1 Subject to Paragraph 9.2 and 9.3, upon the date of cessation of any Company Services involving the Processing of Customer Personal Data (the “Cessation Date”), Metadata shall promptly cease all Processing of Customer Personal Data for any purpose other than for storage or as otherwise permitted or required under this DPA or the Agreement.
9.2 Subject to Paragraph 9.4, to the extent technically possible in the circumstances (as determined in Metadata’s sole discretion), on written request to Metadata (to be made no later than fourteen (14) days after the Cessation Date (“Post-cessation Storage Period”)), Metadata shall within fourteen (14) days of such request:
9.3 In the event that during the Post-cessation Storage Period, Customer does not instruct Metadata in writing to either delete or return Customer Personal Data pursuant to Paragraph 9.2, Metadata shall promptly after the expiry of the Post-cessation Storage Period either (at its option) delete; or irreversibly render anonymous, all Customer Personal Data then within Metadata possession to the fullest extent technically possible in the circumstances.
9.4 Metadata may retain Customer Personal Data where permitted or required by applicable law, for such period as may be required by such applicable law, provided that Metadata shall:
9.5 Operational clarification: Certification of deletion of Customer Personal Data, including as described in Clauses 8.5 and 16(d) of the EU SCCs (if and as applicable), shall be provided only upon Customer’s written request.
10. AUDIT RIGHTS
10.1 Metadata shall make available to Customer on request, such information as Metadata (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA in relation to its Processing of Customer Personal Data.
10.2 Subject to Paragraphs 10.3 to 10.8, in the event that Customer (acting reasonably) is able to provide documentary evidence that the information made available by Metadata pursuant to Paragraph 10.1 is not sufficient in the circumstances to demonstrate Metadata’s compliance with this DPA, Metadata shall allow for and contribute to audits by Customer or an auditor mandated by Customer in relation to the Processing of Customer Personal Data by Metadata.
10.3 Customer shall give Metadata reasonable notice of any audit or inspection to be conducted under Paragraph 10.2 (which shall in no event be less than fourteen (14) days’ notice) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing any destruction, damage, injury or disruption to Metadata’s equipment, Personnel, data, and business (including any interference with the confidentiality or security of the data of Metadata’s other customers or the availability of Metadata’s services to such other customers).
10.4 Prior to conducting any audit, Customer must submit a detailed proposed audit plan providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Metadata will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Metadata security, privacy, employment or other relevant policies). Metadata will work cooperatively with Customer to agree on a final audit plan.
10.5 If the controls or measures to be assessed in the requested audit are addressed in a SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request (“Audit Report”) and Metadata has confirmed in writing that there are no known material changes in the controls audited and covered by such Audit Report(s), Customer agrees to accept provision of such Audit Report(s) in lieu of requesting an audit of such controls or measures.
10.3 Metadata need not give access to its Personnel, equipment, data or other resources for the purposes of such an audit or inspection:
10.7 Nothing in this DPA shall require Metadata to furnish more information about its Sub-Processors in connection with such audits than such Sub-Processors make generally available to their customers.
10.8 Operational clarifications:
11. CUSTOMER’S RESPONSIBILITIES
11.1 Customer agrees that, without limiting Metadata’s obligations under Section 5 (Security), Customer is solely responsible for its use of the Company Services, including (a) making appropriate use of the Company Services to maintain a level of security appropriate to the risk in respect of the Customer Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Company Services; (c) securing Customer’s systems and devices that Metadata uses to provide the Company Services; and (d) backing up Customer Personal Data.
11.2 Customer shall ensure:
11.3 Customer agrees that the Service, the Security Measures, and Metadata’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Customer Personal Data.
11.4 Customer shall not provide or otherwise make available to Metadata any Customer Personal Data that contains any (a) Social Security numbers or other government-issued identification numbers; (b) protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (c) health insurance information; (d) biometric information; (e) passwords to any online accounts; (f) credentials to any financial accounts; (g) tax return data; (h) any payment card information subject to the Payment Card Industry Data Security Standard; (i) Personal Data of children under 13 years of age; or (j) any other information that falls within any special categories of personal data (as defined in GDPR) and/or data relating to criminal convictions and offences or related security measures (together, “Restricted Data”).
12. LIABILITY
The total aggregate liability of either Party towards the other Party, howsoever arising, under or in connection with this DPA and the Data Transfer Mechanism(s) (if and as they apply) will under no circumstances exceed any limitations or caps on, and shall be subject to any exclusions of, liability and loss agreed by the Parties in the Agreement; provided that, nothing in this Section 9 will affect any person’s liability to Data Subjects under the third-party beneficiary provisions of the Data Transfer Mechanism(s) (if and as they apply).
13. INCORPORATION AND PRECEDENCE
13.1 This DPA shall be incorporated into and form part of the Agreement with effect from the Addendum Effective Date.
13.2 In the event of any conflict or inconsistency between:
Annex 1
European Annex
1. PROCESSING OF CUSTOMER PERSONAL DATA
1.1 The Parties acknowledge and agree that the details of:
under this DPA are as set out in Attachment 1 to Annex 1 (European Annex) to the DPA.
1.2 Where Metadata receives an instruction from Customer that, in its reasonable opinion, infringes the GDPR, Metadata shall inform Customer.
1.3 Customer acknowledges and agrees that any instructions issued by Customer with regards to the Processing of Customer Personal Data by or on behalf of Metadata pursuant to or in connection with the Agreement shall be in strict compliance with the GDPR and all other applicable laws.
2. SUBPROCESSING
2.1 Customer generally authorises Metadata to appoint Sub-Processors in accordance with this Paragraph 2.
2.2 Metadata may continue to use those Sub-Processors identified in the Sub-Processor List located here.
2.3 Metadata shall give Customer prior written notice of the appointment of any proposed Sub-Processor, including reasonable details of the Processing to be undertaken by the Sub-Processor, by providing Customer with an updated copy of the Sub-Processor List via a ‘mailshot’ or similar bulk distribution mechanism sent via email to Customer’s contact point as set out in Attachment 1 to Annex 1 (European Annex). If, within fourteen (14) days of receipt of that notice, Customer notifies Metadata in writing of any objections (on reasonable grounds) to the proposed appointment:
2.4 If Customer does not object to Metadata’s appointment of a Sub-Processor during the objection period referred to in Paragraph 2.3, Customer shall be deemed to have approved the engagement and ongoing use of that Sub-Processor.
2.5 With respect to each Sub-Processor, Metadata shall maintain a written contract between Metadata and the Sub-Processor that includes terms which offer at least an equivalent level of protection for Customer Personal Data as those set out in this DPA (including the Security Measures). Metadata shall remain liable for any breach of this DPA caused by a Sub-Processor.
2.6 Operational clarifications:
3. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
3.1 Metadata, taking into account the nature of the Processing and the information available to Metadata, shall provide reasonable assistance to Customer, at Customer’s cost, with any data protection impact assessments and prior consultations with Supervisory Authorities which Customer reasonably considers to be required of it by Article 35 or Article 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by Metadata.
3.2 Operational clarification: Except to the extent prohibited by applicable law, Customer shall be fully responsible for all time spent by Metadata (at Metadata’s then-current professional services rates) in Metadata’s provision of any cooperation and assistance provided to Customer under Paragraph 3.1, and shall on demand reimburse Metadata any such costs incurred by Metadata.
4. RESTRICTED TRANSFERS
4.1 The Parties acknowledge that:
EU Restricted Transfers
4.2 To the extent that any Processing of Personal Data under this DPA involves an EU Restricted Transfer, the Parties shall comply with their respective obligations set out in the EU SCCs, which shall apply to the relevant EU Restricted Transfer in the following manner:
4.3 Any EU SCCs applicable in accordance with Paragraph 4.2 shall be deemed:
UK Restricted Transfers
4.4 To the extent that any Processing of Personal Data under this DPA involves a UK Restricted Transfer:
Adoption of new transfer mechanism
4.5 Metadata may on notice vary this DPA and replace any Data Transfer Mechanism(s) with:
4.6 In respect of any given Restricted Transfer, if requested of either Party (“Requesting Party”) by a Supervisory Authority or Data Subject, on specific written request (made to the contact details set out in Attachment 1 to this Annex 1 (European Annex)), the other Party shall provide Requesting Party with an executed version of the relevant Data Transfer Mechanism(s) responsive to the request made of Requesting Party for countersignature by Requesting Party, onward provision to the relevant requestor and/or storage to evidence Requesting Party’s compliance with Applicable Data Protection Laws.
Attachment 1 TO
EUROPEAN ANNEX
Data Processing Details
Note:
This Attachment 1 to Annex 1 (European Annex) to the DPA includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR and to populate the appendices and/or tables to the Data Transfer Mechanism(s) (if and as they apply).
PART 1: DETAILS OF THE PARTIES
METADATA DETAILS
Name: | Metadata, Inc., a Delaware corporation |
Address: | As set out in the pre-amble to the DPA |
Contact Details for Data Protection: | Role: Chief Information Security Officer; Email: privacy@metadata.io |
Metadata Activities: | Metadata leverages artificial intelligence to offer services for business-to-business marketers to automate their paid campaigns |
Role: | As determined in accordance with Paragraph 4.2 of Annex 1:
|
CUSTOMER DETAILS
Name: | The entity or other person who is a counterparty to the Agreement |
Address: | As set out in the Agreement |
Contact Details for Data Protection: | Customer’s contact details are Customer’s contact details submitted by Customer and associated with Customer’s account for the Company Services – unless otherwise notified to Metadata via email |
Customer Activities: | Customer’s activities relevant to this DPA are the use and receipt of the Company Services under and in accordance with, and for the purposes anticipated and permitted in, the Agreement as part of its ongoing business operations |
Role: | As determined in accordance with Paragraph 4.2 of Annex 1:
|
PART 2: DETAILS OF CUSTOMER PERSONAL DATA
Categories of Data Subjects: | Any individuals whose Personal Data is comprised within data submitted to the Company Services by or on behalf of Customer under the Agreement, which will be as determined by Customer in its sole discretion through its use of the Company Services – but may include Customer’s and its affiliates’:
Where any of the above is a business or organisation, it includes |
Categories of Personal Data: | Any Personal Data comprised within data submitted to the Company Services by or on behalf of Customer under the Agreement, which will be as determined by Customer in its sole discretion through its use of the Company Services – but may include:
|
Sensitive Categories of Data, and associated additional restrictions/safeguards: | Categories of sensitive data: None – as noted in Section 8.4 of the Additional safeguards for sensitive data: N/A |
Frequency of transfer: | Ongoing – as initiated by Customer in and through its use, or use on its behalf, of the Company Services. |
Nature of the Processing: | Processing operations required in order to provide the Company Services in accordance with the Agreement. |
Purpose of the Processing: | Customer Personal Data will be processed: (i) as necessary to provide the Company Services as initiated by Customer in its use thereof, and (ii) to comply with any other reasonable instructions provided by Customer in accordance with the terms of this DPA. |
Duration of Processing / Retention Period: | For the period determined in accordance with the Agreement and DPA, including Paragraph 4 of Annex 1 (European Annex) to the DPA. |
Transfers to (sub-)processors: | Transfers to Sub-Processors are as, and for the purposes, described from time to time in the Sub-Processor List (as may be updated from time to time in accordance with Paragraph 2 of Annex 1 (European Annex) to the DPA). |
PART 3: DETAILS OF METADATA PERSONAL DATA
Categories of Data Subjects: | Any individuals whose Personal Data is comprised within Metadata Personal Data – but may include marketing prospects. |
Categories of Personal Data: | Any Personal Data comprised within Metadata Personal Data – but may include:
|
Sensitive Categories of Data, and associated additional restrictions/safeguards: | Categories of sensitive data: None. Additional safeguards for sensitive data: N/A |
Frequency of transfer: | Ongoing – as initiated by Customer in and through its use, or use on its behalf, of the Company Services. |
Nature of the Processing: | Processing operations required in order to provide the Company Services in accordance with the Agreement. |
Purpose of the Processing: | Metadata Personal Data will be processed as necessary to provide the Company Services as initiated by Customer in its use thereof. |
Duration of Processing / Retention Period: | For the period determined in accordance with the Agreement and DPA, including Paragraph 4 of Annex 1 (European Annex) to the DPA. |
Transfers to (sub-)processors: | See Sub-Processor List. |
Attachment 2 TO
EUROPEAN ANNEX
POPULATION OF EU SCCs
Notes:
1. SIGNATURE OF THE EU SCCs:
1.1 Where applicable in accordance with Paragraphs 6.1 and 6.2 of Annex 1 (European Annex) to the DPA:
2. POPULATION OF THE BODY OF THE EU SCCs
2.1 For each Module of the EU SCCs, the following applies as and where applicable to that Module and the Clauses thereof:
2.2 In this Paragraph 2, references to “Clauses” are references to the Clauses of the EU SCCs.
3. POPULATION OF ANNEXES TO THE APPENDIX TO THE EU SCCs
3.1 Annex I to the Appendix to the EU SCCs is populated with the corresponding information detailed in Attachment 1 to Annex 1 (European Annex) to the DPA, with:
3.2 Part C of Annex I to the Appendix to the EU SCCs is populated as below:
The competent supervisory authority shall be determined as follows:
3.3 Annex II to the Appendix to the EU SCCs is populated as below:
Please refer to Section 5 of the DPA and Annex 3 (Security Measures) to the DPA.
In the event that Customer receives a Data Subject Request under the EU GDPR and requires assistance from Metadata, Customer should email Metadata’s contact point for data protection identified in Attachment 1 to Annex 1 (European Annex) to the DPA.
Attachment 3 TO
EUROPEAN ANNEX
UK TRANSFER ADDENDUM
Notes:
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
All relevant information and details are as set out in Attachment 1 to Annex 1 of the DPA and it is noted that the UK Addendum is deemed to have been signed by the Parties pursuant to and in accordance with Paragraph 4.4 of Annex 1 of the DPA with effect from the Addendum Effective Date.
Table 2: Selected SCCs, Modules and Selected Clauses
The version of the Approved EU SCCs which this UK Addendum is appended to, detailed below, including the Appendix Information:
Date: Addendum Effective Date |
Reference (if any): the EU SCCs |
Other identifier (if any): n/a |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this UK Addendum is set out in:
Annex 1A: List of Parties: Part 1 of Attachment 1 to Annex 1 of the DPA |
Annex 1B: Description of Transfer: Part 2 and/or Part 3 of Attachment 1 to Annex 1 of the DPA (as applicable) |
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: Annex 3 of the DPA |
Annex III: List of Sub processors (Modules 2 and 3 only): n/a |
Table 4: Ending this Addendum when the Approved Addendum Changes
Which Parties may end this Addendum as set out in Section 19: Either Party |
Part 2: Mandatory Clauses
The Mandatory Clauses are incorporated by reference and form a binding and effective part of this UK Transfer Addendum.
Annex 2
California Annex
For purposes of this California Annex, the terms, “business,” “commercial purpose,” “personal information,” “sell” and “service provider” shall have the respective meanings given thereto in the CCPA.
Customer Personal Data
Metadata Personal Data
Annex 3
Security Measures
As from the Addendum Effective Date, Metadata will implement and maintain the Security Measures as set out in this Annex 3.