DATA PROCESSING TERMS
In the course of providing the Mine's platform ("Service") to Customer pursuant to the Agreement, Mine may Process Personal Data on behalf of Customer. The parties agree to comply with the following provisions with respect to Personal Data Processed by Mine as part of the Service for Customer.
- "Mine Information Security Documentation" means the information security documentation applicable to the Service, as updated from time to time, and made available by Mine upon request and subject to adequate confidentiality arrangements.
- "Data Subject" means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Data Subject includes Consumer as such term is defined under the CCPA.
- "Personal Data" means any information relating to a Data Subject. Personal Data includes Personal Information as such term is defined under the CCPA.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
- "Personnel" means persons authorized by Mine to Process Customer's Personal Data.
- “Privacy Laws and Regulations” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”) and California Consumer Privacy Act of 2018 Cal. Civil Code § 1798.100 et seq. (“CCPA”).
- "Process" or "Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, blocking, erasure or destruction.
- DATA PROCESSING
- Scope and Roles. This DPA applies when Personal Data is Processed by Mine as part of Mine’s provision of the Service. In this context, for the purposes of the GDPR, Customer is the Data Controller and Mine is the Data Processor and for the purposes of the CCPA, Customer is a Business and Mine is the Service Provider.
- Subject Matter, Duration, Nature and Purpose of Processing. Mine Processes Customer's Personal Data as part of providing Customer with the Service, pursuant to the specifications and for the duration under the terms of the Agreement.
- Instructions for Mine’s Processing of Personal Data. Mine will only Process Personal Data on behalf of and in accordance with Customer’s instructions. Customer instructs Mine to Process Personal Data for the following purposes: (i) Processing related to the Service in accordance with the terms of the Agreement; and (ii) Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement. Customer undertakes to provide Mine with lawful instructions only.
- As required under the GDPR, Mine will inform Customer immediately, if in Mine's opinion an instruction infringes any provision under the GDPR and will be under no obligation to follow such instruction, until the matter is resolved in good-faith between the parties.
- Mine will not (1) Sell Personal Data, or (2) retain, use or disclose Personal Data (i) for any purpose other than for the specific purpose of performing the Service, or (ii) outside of the direct business relationship between Customer and Mine, except as permitted under applicable Privacy Laws and Regulations. Mine acknowledges and will comply with the restrictions set forth in this Section 2.5.
- The parties acknowledge and agree that the Personal Data that Customer discloses to Mine is provided to Mine for a Business Purpose, and Customer does not Sell Personal Data to Mine in connection with the Agreement.
- Customer undertakes to provide all necessary notices to Data Subject and receive all necessary permissions and consents, or otherwise secure the required lawful ground of Processing, as necessary for Mine to Process Personal Data on Customer's behalf under the terms of the Agreement and this DPA, pursuant to applicable Privacy Laws and Regulations. Customer will advise its customers of Mine’s data Processing activities on behalf of Customer (namely that the exercise of Data Subjects’ rights is Processed and managed by Mine).
- To the extent required under applicable Privacy Laws and Regulations, Customer will appropriately document Data Subjects' notices and consents, or necessary assessment with other applicable lawful grounds of Processing.
- Taking into account the nature of the Processing, Mine will assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer's obligation to respond to requests for exercising the Data Subjects' rights under the GDPR. Mine will further assist Customer in ensuring compliance with Customer's obligations in connection with the security of Processing, notification of a Personal Data Breach to supervisory authorities and affected Data Subjects, Customer's data protection impact assessments and Customer's prior consultation with supervisory authorities, in relation to Mine's Processing of Personal Data under this DPA. Except for negligible costs, Customer will reimburse Mine with costs and expenses incurred by Mine in connection with the provision of assistance Customer under this DPA.
- Limitation of Access. Mine will ensure that Mine’s access to Personal Data is limited to those Personnel who require such access to perform the Agreement.
- Confidentiality. Mine will impose appropriate contractual obligations upon its Personnel engaged in the Processing of Personal Data, including relevant obligations regarding confidentiality, data protection, and data security. Mine will ensure that its Personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training in their responsibilities, and have executed written confidentiality agreements. Mine will ensure that such confidentiality agreements survive the termination of the employment or engagement of its Personnel.
- OTHER PROCESSORS
- Mine may engage third-party service providers to Process Personal Data on behalf of Customer ("Other Processors"). Customer hereby provides Mine with a general authorization to engage the Other Processors listed in Exhibit A to this DPA.
- All Other Processors have entered into written agreements with Mine that bind them by substantially the same material obligations under this DPA.
- Where an Other Processor fails to fulfil its data protection obligations in connection with the Processing of Personal Data under this DPA, Mine will remain fully liable to Customer for the performance of that Other Processor's obligations.
- Mine may engage with a new Other Processor ("New Processor") to Process Customer’s Personal Data on Customer's behalf. Customer may object to the Processing of Customer's Personal Data by the New Processor, for reasonable and explained grounds, within five (5) business days following Mine's written notice to Customer of the intended engagement with the New Processor. If Customer timely sends Mine a written objection notice, the parties will make a good-faith effort to resolve Customer's objection. In the absence of a resolution, Mine will make commercially reasonable efforts to provide Customer with the same level of Service, without using the New Processor to Process Customer's Personal Data.
- ONWARD AND TRANS-BORDER DATA TRANSFER
- Transfer of GDPR-governed Company’s Personal Data (“Transferred Data”) to Mine’s Israel-based site is made in accordance the EU Commission decision 2011/61/EU, pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the State of Israel with regard to automated processing of personal data.
- Transfer of Transferred Data to third-party service providers which are located in Third Countries is subject to a Transfer Impact Assessment and to the EU Standard Contractual Clauses, pursuant to EU Commission Decision C(2021)3972, or, as required in accordance with any successor thereof or an alternative lawful data transfer mechanism.
“Transfer Impact Assessment” will be done with a purpose to protect the Transferred Data from Processing for national security or other governmental purposes that goes beyond what is necessary and proportionate in a democratic society, considering the type of Processing activities and relevant circumstances.
“Third Country” is a country outside the European Economic Area which was not acknowledged by the EU Commission as providing an adequate level of protection in accordance with Article 45(3) of the GDPR.
- INFORMATION SECURITY
- Mine will maintain administrative, physical and technical safeguards for the protection of the security, confidentiality and integrity of Customer's Personal Data, pursuant to the Mine Information Security Documentation. Mine regularly monitors compliance with these safeguards. Mine will not materially decrease the overall security of the Service during the term of providing the Service to the Customer under the Agreement.
- PERSONAL DATA BREACH MANAGEMENT AND NOTIFICATION
- Mine will maintain security incident management policies and procedures and will notify Customer without undue delay after becoming aware of a Personal Data Breach related to Customer's Personal Data which Mine, or any of Mine's Other Processors, Process. Mine's notice will at least: (a) describe the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (b) communicate the name and contact details of the Mine's data protection team, which will be available to provide any additional available information about the Personal Data Breach; (c) describe the likely consequences of the Personal Data Breach; (d) describe the measures taken or proposed to be taken by Mine to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
- Mine will work diligently, pursuant to its incident management policies and procedures to promptly identify and remediate the cause of the Personal Data Breach and will inform Customer accordingly.
- Mine's liability for a Personal Data Breach toward Customer and any third party is subject to the following limitations: (a) the Personal Data Breach is a result of a breach of Mine's information security obligations under this DPA; and (b) the Personal Data Breach is not caused by: (i) acts or omissions of Customer, or any person acting on behalf of or jointly with Customer (collectively "Customer Representatives"); (ii) Customer Representatives' instructions to Mine; (iii) a willful, deliberate or malicious conduct by a third party; or (iv) acts of God or force major, including, without limitation, acts of war, terror, state-supported attacks, acts of state or governmental action prohibiting or impeding Mine from performing its information security obligations under the Agreement and natural and man-made disasters.
- AUDIT AND DEMONSTRATION OF COMPLIANCE
- Mine will make available to Customer all information necessary for Customer to demonstrate compliance with the obligations laid down under Article 28 to the GDPR in relation to the Processing of Personal Data under this DPA by Mine and its Other Processors.
- To the extent required under applicable Privacy Laws and Regulations, Mine will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, in relation to Mine's obligations under this DPA. Mine may satisfy the audit obligation under this section by providing Customer with attestations, certifications and summaries of audit reports conducted by accredited third party auditors. Audits by Customer are subject to the following terms: (i) the audit will be pre-scheduled in writing with Mine, at least forty-five (45) days in advance and will be performed not more than once a year (except for an audit following a Personal Data Breach); (ii) the auditor will execute a non-disclosure and non-competition undertaking toward Mine; (iii) the auditor will not have access to non-Customer data (iv) Customer will make sure that the audit will not interfere with or damage Mine's business activities and information and network systems; (v) Customer will bear all costs and assume responsibility and liability for the audit; (vi) the auditor will first deliver a draft report to Mine and allow Mine reasonable time and no less than ten (10) business days, to review and respond to the auditor’s findings, before submitting the report to the Customer; (vii) Customer will receive only the auditor's report, without any Mine 'raw data' materials, will keep the audit results in strict confidentiality and will use them solely for the specific purposes of the audit under this section; and (viii) as soon as the purpose of the audit is completed, Customer will permanently dispose of the audit report.
- DELETION OF PERSONAL DATA
- Data Deletion. Within reasonable time after the end of the provision of the Service, Mine will return Customer's Personal Data to Customer or delete such data, including by de-identifying thereof.
- Data Retention. Notwithstanding, Customer acknowledges and agrees that Mine may retain copies of Customer’s Personal Data as necessary in connection with its routine backup and archiving procedures and to ensure compliance with its legal obligations and its continuing obligations under applicable law, including to retain data pursuant to legal requirements and to use such data to protect Mine, its affiliates, agents, and any person on their behalf in court and administrative proceedings.
- DISCLOSURE TO COMPETENT AUTHORITIES
- Mine may disclose Personal Data (a) if required by a subpoena or other judicial or administrative order, or if otherwise required by law; or (b) if Mine deems the disclosure necessary to protect the safety and rights of any person, or the general public.
- ANONYMIZED AND AGGREGATED DATA
- Mine may Process data based on extracts of Personal Data on an aggregated and non-identifiable form, for Mine's legitimate business purposes, including for testing, development, controls, and operations of the Service, and may share and retain such data at Mine's discretion.
- DISPUTE RESOLUTION
- The parties agree to communicate regularly about any open issues or process problems that require resolution. The parties will attempt in good faith to resolve any dispute related to this DPA as a precondition to commence legal proceedings, first by direct communications between the persons responsible for administering this DPA and next by negotiation between executives with authority to settle the controversy. Either party may give the other party a written notice of any dispute not resolved in the normal course of business. Within two (2) business days after delivery of the notice, the receiving party will submit to the other party a written response. The notice and the response will include a statement of each party’s position and a summary of arguments supporting that position and the name and title of the executive who will represent that party. Within five (5) business days after delivery of the disputing party’s notice, the executives of both parties will meet at a mutually acceptable time and place, including by phone, and thereafter as often as they reasonably deem necessary, to resolve the dispute. All reasonable requests for information made by one party to the other will be honored. All negotiations pursuant to this clause are confidential and will be treated as compromise and settlement negotiations for purposes of applicable rules of evidence.
- LIMITATION OF LIABILITY
- Each party’s liability arising out of or related to this DPA (whether in contract, tort, or under any other theory of liability) is subject to the section ‘Limited Liability’ of the Agreement, and any reference in such section to the liability of a party means that party and its Affiliates in the aggregate.
- This DPA will commence on the effective date of the Agreement and will continue until the Agreement expires or is terminated.
- Mine is responsible to make sure that all relevant Mine's Personnel adhere to this DPA.
- Mine's compliance team can be reached at: firstname.lastname@example.org.
- Invalidation of one or more of the provisions under this DPA will not affect the remaining provisions. Invalid provisions will be replaced to the extent possible by those valid provisions which achieve essentially the same objectives.
Name of Other Processor - Type of Services:
- Google Cloud Platform - Hosting Services
- Intercom - Conversational support
- Hubspot - Customer relationship management