This Data Processing Addendum (“DPA”) is a part of and is hereby integrated into the Hexnode UEM Software as a Service Agreement (the “Agreement”) between Mitsogo, Inc. (“Hexnode”) and our Customer. In furtherance of the obligations set out in the Agreement, Hexnode (as the Data Processor) shall Process certain Personal Data provided by the Customer (as Data Controller) pursuant to the terms herein. This DPA includes the Standard Contractual Clauses adopted by the European Commission set out in the EU General Data Protection Regulation (GDPR), as applicable.
For purposes of this DPA, the following capitalized terms shall have the meaning set out in this Article 1. Capitalized terms used but not defined in this DPA shall have the same meaning as set forth in the Agreement or applicable Data Protection Laws.
Section 2.01 Scope of this DPA. This DPA shall apply to the extent any Personal Data is Processed by the Data Processor, if and to the extent such Processing is subject to Data Protection Laws.
Section 2.02 Customer’s Control & Instructions for Processing. Customer shall, in its use of the Services, provide or arrange for the provision of all Personal Data for Processing in accordance with the requirements of the Data Protection Law. Customer hereby represents and warrants that all instructions it gives for the Processing of Personal Data shall comply with the Data Protection Law. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data, and Customer shall indemnify Processor for all costs without limitation that Processor incurs due to Customer’s breach of the foregoing representations and warranties.
Section 2.03 Processor’s Processing of Personal Data. Processor shall only Process any Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes:
Section 2.04 Details of the Processing. Details relating to the Processing of Personal Data by Processor including the duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects whose Personal Data may be Processed under this DPA are further specified in Annex 1 (Details of the Processing) to this DPA.
Section 3.01 Confidentiality. Data Processor shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Data Processor shall ensure that such confidentiality obligations survive the termination of the Data Processor of the personnel processing data.
Section 3.02 Reliability. Data Processor shall take commercially reasonable steps to ensure the reliability of any personnel engaged in the Processing of Personal Data.
Section 3.03 Limitation of Access. Data Processor shall ensure that access to Personal Data is limited to personnel performing Services in accordance with the Agreement.
Section 4.01 Security Measures. Data Processor has implemented and will maintain appropriate technical and organizational security measures for the Processing of Personal Data, including the measures specified in this Section to the extent applicable to Data Processor's Processing of Personal Data. These measures are intended to protect Personal Data against accidental or unauthorized loss, destruction, alteration, disclosure or access, and against all other unlawful forms of Processing. Additional measures, and information concerning such measures, including the specific security measures and practices for the particular Services ordered by Customer, may be specified in the Agreement.
Section 4.02 Physical Access Control. Data Processor employs measures designed to prevent unauthorized persons from gaining access to data processing systems in which Personal Data is Processed, such as the use of security personnel, secured buildings and data center premises.
Section 4.03 System Access Control. The following may, among other controls, be applied depending upon the particular Services ordered: authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes, and logging of access on several levels. For Services hosted at Data Processor: (i) log-ins by Data Processor employees and Subprocessors are logged; (ii) logical access to the data centers is restricted and protected by firewall/VLAN; and (iii) intrusion detection systems, centralized logging and alerting, and firewalls are used.
Section 4.04 Data Access Control. Personal Data is accessible and manageable only by properly authorized staff, direct database query access is restricted, and application access rights are established and enforced. In addition to the access control rules, Data Processor implements an access policy under which Customer controls access to its Services environment and to Personal Data and other data by its authorized personnel.
Section 4.05 Transmission Control. Except as otherwise specified for the Services (including within any applicable service specifications referenced in the Agreement), transmissions of data outside the Services environment are encrypted. Some aspects of the Services may be configurable by Customer to permit access to third-party sites that require unencrypted communications. The content of communications (including sender and recipient addresses) sent through some email or messaging services may not be encrypted. Customer is solely responsible for the results of its decision to use such unencrypted communications or transmissions.
Section 4.06 Input Control. The Personal Data source is under the control of the Customer, and Personal Data integration into the system is managed by secured file transfer (i.e., via web services or entered into the application) from the Customer. Some features of the Service permit Customers to use unencrypted file transfer protocols. In such cases, Customer is solely responsible for its decision to use such unencrypted file transfer protocols.
Section 4.07 Data Backup. For Services hosted at Data Processor: back-ups are taken on a regular basis; backups are secured using a combination of technical and physical controls, depending on the particular Services.
Section 4.08 Data Segregation. Customer Data received from different customers is logically segregated on Data Processor's systems.
Section 4.09 Confidentiality. All Data Processor employees and Subprocessors that may have access to Personal Data are subject to appropriate confidentiality arrangements.
Section 5.01 Obligation to Notify. Processor will, to the extent permitted by law, inform Controller of requests from Data Subjects exercising their Data Subject rights (e.g. rectification, deletion and blocking of data) addressed directly to Processor regarding User Data.
Section 5.02 Responses to Data Subjects. If a Data Subject contacts Processor to exercise their rights over their Personal Data, Processor shall first notify Controller of the request. Unless otherwise directed by Controller, Processor shall be responsible for responding to such requests of Data Subjects. Controller will reasonably assist Processor in responding to such Data Subject requests.
Section 5.03 Indemnification by Customer. If a Data Subject brings a claim directly against Processor for a violation of their Data Subject rights, and such violation is not the sole and exclusive fault of Processor, Customer will indemnify Processor for any cost, charge, damages, expenses or loss arising from such a claim, to the extent that Processor has notified Customer about the claim and given Customer the opportunity to cooperate with Processor in the defense and settlement of the claim.
Section 5.04 Claims by Customer. Subject to the terms of the Agreement, Customer may claim from Processor amounts paid to a Data Subject for a violation of their Data Subject rights caused by Processor's breach of its obligations under the applicable Data Protection Laws.
Section 5.05 Data Breach. In the event of any unauthorized access or theft of Customer Data, Hexnode shall promptly notify Customer without any undue delay and do all such acts and things as Customer considers reasonably necessary to remedy or mitigate the effects of the data breach. The parties shall coordinate and cooperate in good faith on developing the content of any related public statements or any required notices.
Hexnode may engage or replace sub-processors, as needed, in the fulfilment of its responsibilities and obligations under this DPA. Mitsogo shall inform Customer of any intended changes concerning the addition or replacement of other Data Processors, thereby giving Customer the opportunity to object to such changes. If Customer objects to a change, Hexnode will not engage such sub-processor or shall replace the sub-processor concerned.
Customer acknowledges and accepts that in order for Hexnode to fulfill its obligations and responsibilities under this Agreement, the use of Third Country Sub-processors may, at various times, be required.
The Customer may, upon prior notice of 2 weeks and no more often than annually (except audits conducted in response to a Security Breach), request an audit to verify that Hexnode has taken adequate measures to comply with all organizational and technical standards in relation to the Processing of Personal Data pursuant to this DPA. Such audit shall be scheduled only during Hexnode's regular business hours and shall not interfere unreasonably with Hexnode’s business activities while on the premises where Hexnode processes Customer’s data. Any such audit shall be conducted by an auditor appointed by Customer, at the Customer’s own expense, in accordance with Hexnode’s security rules and requirements. Such auditor shall, prior to such audit, execute an appropriate confidentiality agreement with Hexnode. Nothing in this DPA will require Hexnode to disclose to the Customer or its independent auditor any information sought for any reason other than the good faith fulfillment of Customer’s obligations under the applicable data protection legislation.
Hexnode shall, after full performance of its contractual obligations or earlier upon request of Customer, return all materials in its possession, all results of the use and processing and all data records relating to the Processing or destroy these in compliance with the applicable Data Protection Law upon prior consent of Customer, and to the extent permitted by its own compliance requirements under the applicable Data Protection Law. Hexnode shall, upon request of Customer, provide a copy of the protocol documenting the deletion. Hexnode shall, after termination of this Agreement and in accordance with the statutory retention periods, retain any documentation which serves as evidence that the data has been processed properly and in compliance with the contractual obligations in place.
This DPA is entered into as of the Effective Date of the Agreement and shall commence for the Term of the Agreement. The DPA may only be amended by the parties subject to mutual consent. In the event of new Data Protection Laws, either party shall extend its full cooperation in amending this DPA. This DPA shall immediately terminate upon termination of the Agreement. Interpretation of the provisions of this DPA shall be governed by the relevant provisions in the Agreement, including all parts of Section 11 (Miscellaneous). Unless expressly made subordinate by the terms of this DPA, the provisions of the Agreement shall control in the event of any contradiction between such Agreement and this DPA. Neither party shall be responsible or liable for any failure to perform its obligations under this DPA when such failure is due at least in part to any event that is beyond the reasonable control of that party, including acts of God, terrorism, explosions, floods, mechanical breakdowns, strikes, labour unrest, breakdown in essential utilities, etc.
Data Subjects are those individuals to whom Personal Data relates and are Users who interact using the Service(s).
Hexnode processes information collected by User devices on behalf of Customer. Such information includes the device’s manufacturing details, operating details, and current statistics like battery level and storage usage. All information is submitted to the Service(s) by Customer through Customer’s account in connection with Customer’s use of the Service(s). Hexnode does not process the details of any communications taking place on any device.
Personal Data will be processed for the duration of the Term of the Agreement.
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
The entity identified as “Customer” in the DPA
(the “Data Exporter”)
111 Pine St #1225, San Francisco, CA 94111
(the “Data Importer”)
each a “Party”; together the “Parties”,
HAVE AGREED to adopt the following Standard Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
The data exporter agrees and warrants:
The data importer agrees and warrants:
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
This Appendix forms part of the Clauses and must be completed and signed by the parties
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix
Data Exporter: The data exporter is the Customer who is a party to the Agreement, who may send data from the EU to the United States, where Processing of the information collected pursuant to the Services, including storage of all Customer Data, is performed.
Data Importer: The data importer is Mitsogo, Inc. located in California, United States and its affiliates and subsidiaries who receives the data from the data exporter and processes it in the United States in order to provide the Services.
Data Subjects: The personal data transferred concern the following categories of data subjects: Mitsogo, Inc. will collect information related to the Customer and some personal information related to Customer’s Users.
Categories of data: The personal data transferred concern the following categories of data: Data Exporter will send data usage information from devices used for work purposes to the data importer via Data Exporter-controlled devices for processing. For more details about the data we collect, refer to https://www.hexnode.com/legal/privacy-policy/
Special categories of data (if appropriate): The personal data transferred concern the following special categories of data: The only special category of data transferred may be the location of the devices, depending on whether the Customer elects to review such data (Mitsogo requires that all Customers have secured acknowledgement from their Users that they will track and monitor their data in and out of devices used for the Customer’s business purposes).
This Appendix forms part of the Clauses and must be completed and signed by the parties
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Hexnode employs a set of layered security services and a cryptographic framework that are in accordance with industry standards. Hexnode’s data security architecture is designed to implement preventative, detective, and remediation policies ensuring robust architectural security.
Hexnode provides a multi-tenant SaaS solution where the customer data is logically segmented. Dedicated sub-domains are assigned per tenant. Each user has a unique ID and all the data and objects specific to the user are stored in it. Our application log consists of log details, IP details and security related administrative and configuration settings. Individual customer data can be recovered, changed, and removed upon request. Hexnode requires that all Customers warrant that any data collected by the Services is in accordance with local law related to monitoring of employees and other personnel.