Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Master Subscription Agreement (the “Agreement”) between Customer and hiddenMind, Inc. (“hiddenMind”).

1. Subject Matter and Duration

1.1 Subject Matter. This DPA is intended to govern Customer’s provision and hiddenMind’s Processing of Customer Personal Data pursuant to the Agreement. All capitalized terms that are not expressly defined in this DPA will have the meanings given to them in the Agreement. If and to the extent language in this DPA or any of its attachments conflicts with the Agreement, this DPA shall control.

1.2 Duration and Survival. This DPA will become binding upon the effective date of the Agreement and shall survive until the expiration or termination of the Agreement or the return or deletion of Customer Personal Data in accordance with Section 8.1, whichever is later.

2. Definitions

For the purposes of this DPA, the following terms and those defined within the body of this DPA apply.

“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and any associated regulations and amendments, including the California Privacy Rights Act amendments.

“Controller” means the person who, alone or jointly with others, determines the purposes and means of the Processing of personal data; for purposes of this DPA, the term “Controller” shall also include “business” as such term is defined under the CCPA.

“Customer Personal Data” means Customer Data that is “personal data” or “personal information” under applicable Data Protection Law.

“Data Protection Law(s)” means all worldwide data protection and privacy laws and regulations applicable to Customer Personal Data, including, where applicable, EU/UK Data Protection Law and the CCPA.

“EEA” means the European Economic Area.

“EU/UK Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively, the “UK GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time.

“hiddenMind Security Standards” means hiddenMind’s security standards, as updated from time to time, available at: https://hiddenmind.ai/security-and-privacy/.

“Process” or “Processing” means any operation or set of operations which is performed on Customer Personal Data or sets of Customer Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Processor” means the person who, alone or jointly with others, Processes personal data on behalf of the Controller; for purposes of this DPA, the term “Processor” shall also include “service provider” as such term is defined under the CCPA.

“Restricted Transfer” means: (i) where the EU GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not the subject of adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; in each case whether such transfer is direct or via onward transfer.

“SCCs” means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where the UK GDPR applies, standard data protection clauses for processors adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (“UK SCCs”).

“Security Incident(s)” means any unauthorized or unlawful breach of security leading to, or reasonably believed to have led to, the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Customer Data processed under or in connection with the Agreement, including but not limited to Customer Personal Data.

“Subprocessor(s)” means a third party engaged by hiddenMind to Process Customer Personal Data under the Agreement.

3. Data Use and Processing

3.1 Data Processing Relationship. Customer is either the Controller of Customer Personal Data or else Processes Customer Personal Data as a Processor on behalf of a third-party Controller (such as an end customer to Customer). In either case, the parties acknowledge and agree that hiddenMind has been appointed by the Customer to Process the Customer Personal Data as a Processor (or sub-Processor, as applicable) on behalf of the Customer.  If Customer is a Processor on behalf of a third-party Controller, Customer will ensure that any Processing instructions it provides to hiddenMind pursuant to this DPA shall be consistent with the instructions the Controller has issued to Customer.

3.2 Documented Instructions. hiddenMind shall Process Customer Personal Data solely: (1) to fulfill its obligations to Customer under the Agreement, including this DPA; (2) on Customer’s behalf; and (3) in compliance with Data Protection Laws. hiddenMind shall Process Customer Personal Data strictly for the business purpose(s) agreed between the parties and as provided under the Agreement, this DPA, and any instructions expressly agreed upon by the parties in writing (together, the “Business Purpose(s)”). Customer will not instruct hiddenMind to Process Customer Personal Data in violation of applicable law (including Data Protection Law(s)). hiddenMind has no obligation to monitor the compliance of Customer’s use of the Services with applicable law (including Data Protection Law(s)), and hiddenMind will have no liability for any harm or damages resulting from hiddenMind’s compliance with unlawful instructions received from Customer. However, hiddenMind will, unless legally prohibited from doing so, (i) inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law (including Data Protection Law(s)), or if it would otherwise need to Process Customer Personal Data in a manner that is inconsistent with Customer’s instructions, and (ii) in either such event, cease all Processing of the affected Customer Personal Data (other than merely storing and maintaining the security of the affected Customer Personal Data) until such time as Customer issues new instructions with which hiddenMind is able to comply. If this provision is invoked, hiddenMind will not be liable to Customer under the Agreement for failure to perform the Services until such time as the parties agree on new instructions. Customer retains the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data, including any use of Customer Personal Data not authorized in this DPA.

3.3 Service Provider Certification. hiddenMind shall not: (a) “sell” Customer Personal Data (as such term in quotation marks is defined in the CCPA); (b) “share” or Process Customer Personal Data for purposes of “cross-context behavioral advertising” or “targeted advertising” (as such terms in quotation marks are defined in the CCPA); (c) retain, use, or disclose Customer Personal Data for any purpose other than for the Business Purpose(s), including to retain, use, or disclose the Customer Personal Data for a commercial purpose other than performing its Services under the Agreement; or (d) retain, use, or disclose the Customer Personal Data outside of the direct business relationship between Customer and hiddenMind. hiddenMind (i) will not attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Customer Personal Data without Customer’s express written permission; and (ii) will comply with any applicable restrictions under Data Protection Laws on combining the Customer Personal Data with personal data that hiddenMind receives from, or on behalf of, another person or persons. hiddenMind certifies that it understands the restrictions set out in this Section 3.3 and will comply with them.

3.4 Authorization to Use Subprocessors. Customer hereby authorizes hiddenMind to engage affiliates and other Subprocessors to Process Customer Personal Data in accordance with the provisions within this DPA and Data Protection Laws. A current list of hiddenMind’s Subprocessors can be found here (“Subprocessor List”). Customer acknowledges and agrees that hiddenMind’s use of such Subprocessors satisfies the requirements of this DPA.

3.5 hiddenMind and Subprocessor Compliance. hiddenMind agrees to (i) enter into a written agreement with Subprocessors regarding such Subprocessors’ Processing of Customer Personal Data that imposes on such Subprocessors data protection requirements for Customer Personal Data that are consistent with this DPA; and (ii) remain responsible to Customer for hiddenMind’s Subprocessors’ failure to perform their obligations with respect to the Processing of Customer Personal Data.

3.6 Notice of and Right to Object to New Subprocessors. hiddenMind shall maintain an up-to-date list of its Subprocessors in its Subprocessor List. Customer should refer to the hiddenMind Subprocessor List regularly. Customer may also sign up to receive notification of new Subprocessors by emailing [email protected] with the subject “Subscribe to New Subprocessors.” Once Customer has signed up to receive new Subprocessor notifications, hiddenMind will provide Customer with notice of any new Subprocessor before authorizing such new Subprocessor to Process Customer Personal Data, and will allow Customer ten (10) days from Customer’s receipt of hiddenMind’s notice to submit a legitimate, good-faith objection to such new Subprocessor(s). In the objection, Customer shall explain its reasonable grounds for such objection. In the event of such objection, the parties will work together in good faith to resolve the grounds for the objection. If the parties are unable to resolve the objection within a reasonable time period, which shall not exceed thirty (30) days, either party may terminate the Agreement by providing written notice to the other party. hiddenMind may replace a Subprocessor if the need for the change is urgent and necessary to provide the Services. In such instance, hiddenMind shall notify Customer of the replacement as soon as reasonably practicable, and Customer shall retain the right to object to the replacement Subprocessor.

3.7 Confidentiality. hiddenMind will ensure that any person whom hiddenMind authorizes to Process Customer Personal Data on its behalf is subject to confidentiality obligations in respect of that Customer Personal Data.

3.8 Customer Personal Data Inquiries and Requests. To the extent Customer, in Customer’s use of the Services, does not have the ability to address a request from a data subject exercising their rights under applicable Data Protection Laws (e.g., access, deletion, etc.), hiddenMind shall, upon Customer’s request, use commercially reasonable efforts to assist Customer in responding to such data subject request. If a request relating to Customer Personal Data is sent directly to hiddenMind, hiddenMind shall use commercially reasonable efforts to notify Customer within five (5) business days of receiving such request, and shall not respond to the request unless Customer has authorized hiddenMind to do so. To the extent legally permitted, Customer shall be responsible for any non-negligible costs arising from hiddenMind’s provision of assistance under this Section. Customer acknowledges that hiddenMind is reliant on Customer for direction as to the extent to which hiddenMind is entitled to Process Customer Personal Data on behalf of Customer in performance of the Services. Consequently, hiddenMind will not be liable under the Agreement for any claim brought by a data subject arising from any action or omission by hiddenMind, to the extent that such action or omission resulted from Customer’s instructions or from Customer’s failure to comply with its obligations under applicable law.

3.9 Data Protection Impact Assessment and Prior Consultation. Where and to the extent required by Data Protection Law(s), hiddenMind agrees to provide Customer with reasonable assistance and cooperation in Customer’s performance of a data protection impact assessment of the Processing or proposed Processing of Customer Personal Data, at Customer’s reasonable expense.

3.10 Limitation on Disclosure of Customer Personal Data. To the extent legally permitted in each case, hiddenMind shall: (i) promptly notify Customer in writing upon receipt of an order, demand, subpoena, warrant, legal demand or other document purporting to request, demand or compel the production of Customer Personal Data to any non-data-subject third party, including, but not limited to, regulatory authorities and the United States government for surveillance and/or other purposes; and (ii) not disclose Customer Personal Data to the third party without providing Customer at least forty-eight (48) hours’ notice, so that Customer may, at its own expense, exercise such rights as it may have under applicable laws to prevent, challenge or limit such disclosure to the extent permitted by applicable laws. If hiddenMind is prohibited by applicable Data Protection Laws from disclosing the details of a government request to Customer, hiddenMind shall inform Customer that it can no longer comply with Customer’s instructions under this DPA without providing more details and await Customer’s further instructions. hiddenMind shall use all reasonable and available legal mechanisms to challenge any demands for data access through national security process that it receives, as well as any non-disclosure provisions attached thereto.

4. Cross-Border Transfers of Customer Personal Data

4.1 Cross-Border Transfers of Customer Personal Data. Customer authorizes hiddenMind and its Subprocessors to transfer Customer Personal Data across international borders, including from the EEA, Switzerland, and/or the United Kingdom to the United States.

5. Information Security Program

5.1 Security Measures. hiddenMind shall implement and maintain commercially reasonable administrative, technical, and physical measures designed to protect Customer Personal Data as set forth in the hiddenMind Security Standards. hiddenMind regularly monitors compliance with these measures. hiddenMind will not materially decrease the overall security of the Service during any Subscription Term.

6. Security Incidents

6.1 Notice. Upon becoming aware of a Security Incident, hiddenMind agrees to provide written notice to Customer without undue delay. Any such notification is not an acknowledgment of fault or responsibility. Where possible, such notice will include all details known to hiddenMind and required under Data Protection Law(s) for Customer to comply with Customer’s own notification obligations to regulatory authorities or individuals affected by the Security Incident, which may include, as applicable and if known, how the Security Incident occurred, the categories and approximate number of data subjects concerned, the categories and approximate number of Customer Personal Data records concerned, the likely consequences of the Security Incident, and measures taken or proposed to be taken by hiddenMind to address the Security Incident, including, where appropriate, measures designed to mitigate its possible adverse effects. hiddenMind shall use commercially reasonable efforts to: (i) investigate and identify the cause of such Security Incident; (ii) remedy or mitigate the possible adverse effects of such Security Incident; and (iii) reduce the likelihood that such Security Incident recurs. hiddenMind will not assess the contents of Customer Personal Data in order to identify information subject to any specific legal requirements or to assess the applicability of any specific privacy, data protection or cybersecurity requirement pertaining to such information.
Customer is solely responsible for complying with Security Incident notification requirements applicable to Customer and for fulfilling any third-party notification obligations related to any Security Incident, provided that, at Customer’s written request and subject to Customer paying hiddenMind’s reasonable fees (at then-current rates) and expenses, hiddenMind will provide Customer with the assistance reasonably necessary to enable Customer to notify the competent data protection authorities and/or affected data subjects of relevant Security Incidents, if Customer is required to do so under Data Protection Law(s).

7. Audits

7.1 Third-Party Audit Reports. hiddenMind obtains the third-party audits set forth in the hiddenMind Security Standards. Upon Customer’s request, and subject to the confidentiality obligations set forth in the Agreement and the entry into specific non-disclosure agreements, hiddenMind shall make available to Customer (or Customer’s independent, reputable, third-party auditor) information regarding hiddenMind’s compliance with the obligations set forth in this DPA by providing Customer with summaries of the most recent third-party audit reports referenced in the hiddenMind Security Standards. All such summaries, to the extent not made generally publicly available by hiddenMind on its website, constitute hiddenMind’s Confidential Information.

7.2 Audit of hiddenMind. Where Data Protection Laws afford Customer an audit right, Customer (or Customer’s independent, reputable, third-party auditor) may contact hiddenMind in accordance with the “Notices” Section of the Agreement to request an audit of hiddenMind’s policies, procedures, and records relevant to the Processing of Customer Personal Data necessary to confirm hiddenMind’s compliance with this DPA, provided that the foregoing are within hiddenMind’s control and hiddenMind is not precluded from disclosure by applicable law, a duty of confidentiality, or any other obligation owed to a third party. Customer shall reimburse hiddenMind for its costs and expenses, including any time expended in connection with any such audit at hiddenMind’s then-current rates, which shall be made available to Customer upon request. Before the commencement of any such audit, Customer and hiddenMind shall mutually agree upon the scope, timing, and duration of the audit, in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by hiddenMind. In no event shall hiddenMind be required, in connection with any of its obligations under this DPA or otherwise, to provide information it is precluded from disclosing by applicable law, a duty of confidentiality, or any other obligation owed to a third party. Any audit must be: (i) conducted during hiddenMind’s regular business hours; (ii) with reasonable advance notice to hiddenMind; (iii) carried out in a manner that prevents unnecessary disruption to hiddenMind’s operations; and (iv) subject to reasonable confidentiality procedures. In addition, any audit shall be limited to once per year, unless an audit is carried out at the direction of a government authority having proper jurisdiction.
Customer shall promptly notify hiddenMind of any alleged non-compliance with this DPA discovered during the course of an audit, and hiddenMind shall use commercially reasonable efforts to address any confirmed non-compliance.

8. Data Deletion

8.1 Data Deletion. Upon termination or expiration of the Agreement, hiddenMind shall, upon Customer’s request, and subject to the limitations described in the Agreement and the hiddenMind Security Standards, return to Customer (or make available for export in accordance with the Agreement) all Customer Personal Data in hiddenMind’s possession, or securely destroy such Customer Personal Data (excluding any back-up or archival copies, which shall be deleted in accordance with hiddenMind’s data retention schedule), except where hiddenMind is required to retain copies under applicable laws, in which case hiddenMind will limit its Processing of such Customer Personal Data to the extent required by applicable laws.

9. Processing Details

9.1 Subject Matter. The subject matter of the Processing is the Services pursuant to the Agreement.

9.2 Duration. Customer Personal Data will be Processed for the duration of the Agreement, including any post-termination retention period specified therein, subject to Section 8.1 of this DPA.

9.3 Categories of Data Subjects. Data subjects whose Customer Personal Data will be Processed pursuant to the Agreement may include Employees, Suppliers, Customers, Job Applicants, Consultants, and/or Contractors.

9.4 Nature and Purpose of the Processing. The nature and purpose of the Processing of Customer Personal Data by hiddenMind is the performance of the Services pursuant to the Agreement. Customer acknowledges and agrees that it will not use the Services for any purposes deemed a “High Risk AI System” under the proposed EU Artificial Intelligence Act.

9.5 Types of Customer Personal Data. Customer represents and warrants to hiddenMind that Customer Personal Data does not and will not contain, and that Customer has not and will not otherwise provide or make available to hiddenMind for Processing, any sensitive personal data, including but not limited to: financial information (e.g., credentials to any financial accounts or tax return data); health information (e.g., protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional, health insurance information, or genetic information); biometric information; government IDs or other government-issued identifiers (e.g., social security numbers); passwords for online accounts (other than passwords necessary to access the Services); credit reports or consumer reports; any payment card information or cardholder data subject to the Payment Card Industry Data Security Standard; information subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act, or similar laws, or the regulations promulgated thereunder; information subject to restrictions under applicable law governing personal data of children, including, without limitation, all information about children under 16 years of age; or any information that falls within any special categories of data (as defined under EU/UK Data Protection Law or as otherwise interpreted under the implementing laws of the EEA member states).

Last Updated: November 28, 2023