Data Privacy Addendum for Teams Accounts
Effective Date: June 24, 2024
This Data Privacy Addendum (“DPA”) is incorporated into and forms part of (and if applicable, amends the current version of) the Agreement (as defined below) between mmhmm inc. (“mmhmm”), and the party to which mmhmm is providing the Service (as defined in the Agreement) (“Client”), each a “Party” and collectively the “Parties.” To the extent of any conflict, this DPA applies to and takes precedence over the agreement between the Parties and any associated contractual document between the Parties, including the applicable mmhmm Terms of Service, mmhmm for Teams Agreement, order form and/or statement of work (collectively, the “Agreement”) with regard to the subject matter herein.
In the course of providing the Service to Client pursuant to the Agreement, mmhmm may Process Personal Data on Client’s behalf and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith. This DPA shall be deemed to be signed by mmhmm and Client upon Client’s entering into the Agreement (in accordance with its terms).
1. Definitions.
For purposes of this DPA:
a. “Data Privacy Laws” means all applicable laws and regulations in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of personal data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., including its regulations and the amendments made by the California Privacy Rights Act of 2020 (“CCPA”), privacy laws passed by other U.S. states (together with the CCPA, “U.S. State Privacy Laws”), the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), the United Kingdom Data Protection Act of 2018 (“UK Privacy Act”), and the Swiss Federal Act on Data Protection (“FADP”). For the avoidance of doubt, if mmhmm’s Processing activities involving Personal Data are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this DPA.
b. “Data Subject” means an identified or identifiable natural person to whom Personal Data relates, and includes “consumer” as defined in Data Privacy Laws.
c. “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, located at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as set forth herein.
d. “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by applicable Data Privacy Laws, that mmhmm Processes to provide the Service. For clarity, Personal Data does not include the Parties’ business contact information (specifically, business addresses, phone numbers, and email addresses, including a Party’s contact persons’ names used solely to facilitate the Parties’ communications for administration of the Agreement).
e. “Process” and its cognates “Processing,” “Processed,” etc. mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
f. “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
g. “Subprocessor” means any third party or mmhmm affiliate that mmhmm engages to Process Personal Data.
h. “UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office, located at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-DPA.pdf and completed as set forth herein.
i. The terms “Business,” “Controller,” “Processor,” and “Service Provider” are defined as in applicable Data Privacy Laws.
2. Roles of the Parties; Scope and Purposes of Processing
a. This DPA applies to Personal Data, if any, that mmhmm Processes to provide the Service.
b. The Parties agree that if Client is a Controller or Business, mmhmm is its Processor or Service Provider. If Client is a Processor or Service Provider, mmhmm acts as Client’s Processor (i.e., its Subprocessor) or Service Provider.
c. mmhmm will Process Personal Data solely: (i) to fulfill its obligations to Client under the Agreement, including this DPA; (ii) on Client’s behalf; and (iii) in compliance with Data Privacy Laws (including all applicable provisions of the CCPA). For the avoidance of doubt, mmhmm will Process Personal Data solely to provide the Service to Client under the Agreement for the following express business purposes: to provide software enabling Client to create live and recorded video content, edit videos, store video and related content, and create a virtual video library, and as otherwise set forth in the Agreement.
d. Except as authorized under Data Privacy Laws, mmhmm will:
- i. not retain, use, or disclose the Personal Data outside of the direct business relationship between Client and mmhmm or for any purpose (including any commercial purpose) not set forth in this DPA;
- ii. not “sell” or “share” any Personal Data or Process Personal Data for purposes of “targeted advertising,” as such terms are defined in applicable U.S. State Privacy Laws; and
- iii. comply with any applicable restrictions under Data Privacy Laws on combining the Personal Data with personal data that mmhmm receives from, or on behalf of, another person or persons, or that mmhmm collects from any interaction between it and any individual.
e. Client retains the right to (i) ensure that mmhmm Processes Personal Data in a manner consistent with Data Privacy Laws, and (ii) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
3. Personal Data Processing Requirements
mmhmm will:
a. Provide the same level of protection for the Personal Data as is required under Data Privacy Laws applicable to Client (including by providing Personal Data subject to the CCPA with the level of protection required of Businesses under the CCPA).
b. Ensure that the persons it authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
c. Assist Client in the fulfilment of Client’s obligations to respond to verifiable requests by Data Subjects (or their lawful representatives) for exercising their rights under Data Privacy Laws (such as rights to access or delete Personal Data).
d. Promptly notify Client of (i) any third-party or Data Subject complaints regarding the Processing of Personal Data; or (ii) any government or Data Subject requests for access to or information about mmhmm’s Processing of Personal Data on Client’s behalf, unless prohibited by Data Privacy Laws. If mmhmm receives a third party, Data Subject, or governmental request, except where prohibited by applicable law, mmhmm will await written instructions from Client on how, if at all, to assist in responding to the request. mmhmm will provide Client with reasonable cooperation and assistance in relation to any such request.
e. Where required by Data Privacy Laws, and upon Client’s written request and at Client’s sole cost, provide reasonable assistance to Client for Client’s (i) performance of a data protection impact assessment of Processing or proposed Processing of Personal Data and (ii) consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data.
f. Promptly notify Client if mmhmm determines that (i) it can no longer meet its obligations under this DPA or Data Privacy Laws; or (ii) it has breached this DPA, and shall cooperate to remediate such breach; or (iii) in mmhmm’s opinion, an instruction from Client infringes Data Privacy Laws.
4. Data Security
mmhmm will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data, as set forth in Exhibit A hereto.
5. Security Breach
mmhmm will notify Client promptly, and in any event within seventy-two (72) hours, of any confirmed Security Breach. mmhmm will comply with the Security Breach-related obligations directly applicable to it under Data Privacy Laws and will assist Client in Client’s compliance with its Security Breach-related obligations, including without limitation by:
a. At mmhmm’s own expense, taking steps to mitigate the effects of the Security Breach and reduce the risk to Data Subjects whose Personal Data was involved, subject to limitations upon mmhmm’s liability set forth in the Agreement; and
b. Providing Client with the following information, to the extent known:
- i. The nature of the Security Breach, including, where possible, how the Security Breach occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
- ii. The likely consequences of the Security Breach; and
- iii. Measures taken or proposed to be taken by mmhmm to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
6. Subprocessors
a. Client acknowledges and agrees that mmhmm may use Subprocessors to Process Personal Data in accordance with the provisions in this DPA and Data Privacy Laws. Where mmhmm subcontracts any of its rights or obligations concerning Personal Data to a Subprocessor, mmhmm will: (i) take steps to select and retain Subprocessors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with applicable Data Privacy Laws; and (ii) require that each Subprocessor complies with obligations that are no less restrictive than those imposed on mmhmm under this DPA.
b. The current list of Subprocessors is available here. mmhmm will maintain and update this list if its Subprocessors change. mmhmm will notify Client of any change in the Subprocessor list (“Notice”), or any change in the location of the list publication, if Client registers with mmhmm by sending an email to mmhmm-subprocessors@mmhmm.app. In the event Client reasonably and in writing objects to a new Subprocessor on grounds of data protection within twenty (20) days after receipt of Notice at the email address registered with mmhmm, the Parties will cooperate in good faith to resolve the objection Client has identified with such Subprocessor’s access to Personal Data. If mmhmm and Client reach an impasse as to how to mitigate material risks that Client has identified with such Subprocessor’s access to Personal Data, Client may terminate the Agreement by notifying mmhmm within sixty (60) days after Notice.
7. Data Transfers
a. mmhmm will not engage in any cross-border Processing of Personal Data, or transmit, directly or indirectly, any Personal Data to any country outside of the country from which such Personal Data was collected, without complying with applicable Data Privacy Laws. Where mmhmm engages in an onward transfer of Personal Data, mmhmm shall ensure that a lawful data transfer mechanism is in place prior to transferring Personal Data from one country to another.
b. To the extent legally required, by entering into this DPA, Client and mmhmm are deemed to have signed the EU SCCs, which form part of this DPA and (except as described in Sections 7(c) and (d) below) will be deemed completed as follows:
- i. Module 2 of the EU SCCs applies to transfers of Personal Data from Client (as a Controller) to mmhmm (as a Processor) and Module 3 of the EU SCCs applies to transfers of Personal Data from Client (as a Processor) to mmhmm (as a Subprocessor);
- ii. Clause 7 (the optional docking clause) is not included;
- iii. Under Clause 9 (Use of sub-processors), the Parties select Option 2 (General written authorization). The list of Subprocessors shall be provided to Client and updated in accordance with Section 6 of this DPA;
- iv. Under Clause 11 (Redress), the optional language requiring that data subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
- v. Under Clause 17 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights).The Parties select the law of Ireland;
- vi. Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland;
- vii. Annex IA (List of Parties) is deemed completed as follows:
- 1. Data Exporter is the Client, as defined in this DPA, and it is a Controller or Processor, as the case may be. Data Importer is mmhmm, and it is a Processor.
- 2. The Parties’ names, addresses, and contact person’s information is deemed to be set forth as provided in the Agreement.
- 3. Client’s activities relevant to the data being transferred are receiving mmhmm’s Service, and mmhmm’s activities relevant to the data being transferred are providing such Service.
- 4. Both Parties are deemed to have signed Annex IA by entering into the Agreement.
- viii. Annex IB (Description of the transfer) is deemed completed as follows:
- 1. Categories of Data Subjects whose Personal Data is transferred: If any Personal Data is transferred, the Personal Data will concern Client personnel.
- 2. Categories of Personal Data transferred: If any Personal Data is transferred, the Personal Data will concern name, email address, profile photo and video content created or uploaded to mmhmm.
- 3. Sensitive data transferred (if applicable) and applied restrictions or safeguards: The Parties do not intend for sensitive data to be transferred under the Agreement.
- 4. The frequency of the transfer: Continuous for the duration of the Agreement.
- 5. Nature of the processing: If Personal Data is transferred, mmhmm’s Processing activities shall be limited to those discussed in the Agreement and the DPA.
- 6. Purpose(s) of the data transfer and further processing: If Personal Data is transferred, the objective of the transfer and further Processing of personal data by mmhmm is to provide the Service to the Client.
- 7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: If Personal Data is transferred, it will be retained for the period of time necessary to provide the Service to Client under the Agreement, the DPA, and/or in accordance with applicable legal requirements. Personal Data will also be retained in system backups until purged according to mmhmm’s data retention policy.
- 8. For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing: Same as above to the extent that Personal Data is provided to Subprocessors for purposes of providing the Service.
- ix. Under Annex IC, to the extent legally permitted, the competent supervisory authority is the Irish Data Protection Commission.
- x. Annex II (Technical and organizational measures) is completed with Exhibit A hereto; and
- xi. Annex III (List of subprocessors) is not applicable as the Parties have chosen General Authorization under Clause 9.
c. To the extent legally required, by entering into this DPA, the Parties are deemed to be signing the UK SCCs, which form part of this DPA and take precedence over the rest of this DPA as set forth in the UK SCCs. The Tables within UK SCCs are deemed completed as follows:
- i. Table 1: The Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer, and the Key Contact shall be the contacts set forth in the Agreement;
- ii. Table 2: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties and completed in Section 7(b) of this DPA
- iii. Table 3: Annex I is deemed completed as set forth above in Section 7(b)(vii)-(ix). Annex II is set forth in Exhibit A hereto. Annex III is inapplicable.
- iv. Table 4: Client may end this DPA as set out in Section 19 of the UK SCCs.
d. For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as set forth in Section 7(b) of this DPA, but with the following differences to the extent required by the FADP: (i) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (ii) the term “member state” in EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (iii) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
8. Audits
Subject to the conditions set forth herein, mmhmm will make available to Client all information necessary to demonstrate compliance with this DPA and will allow for and contribute to reasonable audits, including inspections, conducted by Client or another auditor mandated by Client.
a. If the requested audit scope is addressed in an audit report issued by a third-party auditor within the prior twelve (12) months, and mmhmm provides such report to Client confirming there are no known material changes in the controls audited, Client agrees to accept the findings presented in the third-party audit report in lieu of requesting an audit of the same controls covered by the report.
b. In the event an audit report is not provided, any audit, whether by Client or a third party shall (i) be conducted only on an agreed date during normal business hours (9:00 a.m. – 5:00 p.m. local time) after not less than ten business days’ advance notice; (ii) be limited to no more than one business day; and (iii) be conducted subject to Client’s payment of mmhmm’s then-current audit fee.
c. If a third party will conduct the audit, the third-party auditor must be mutually agreed to by the parties (without prejudice to any governmental authority’s audit power). mmhmm will not unreasonably withhold its consent to a third-party auditor requested by Client. Any third-party auditor must execute a written confidentiality agreement acceptable to mmhmm.
d. Client must promptly provide mmhmm with the results of any audit, including any third-party audit report. All such results and reports, and any other information obtained during the audit (other than Client’s Personal Data) is confidential information of mmhmm.
e. Nothing herein shall require mmhmm to disclose or make available (i) any data of any other customer or client of mmhmm; (ii) mmhmm’s internal accounting or financial information; (iii) any trade secret of mmhmm; (iv) any information that, in mmhmm’s reasonable opinion, could (1) compromise the security of mmhmm systems or premises; or (2) cause mmhmm to breach its obligations under applicable law or its security and/or privacy obligations to any third party; or (v) any information sought for any reason other than the good-faith fulfillment of Client’s obligations under the EU SCCs, UK SCCs, or Data Privacy Laws.
f. Client agrees that any audit conducted in accordance with this Section 8 satisfies mmhmm’s audit obligations under Data Privacy Laws.
9. Return or Destruction of Personal Data
Except to the extent required otherwise by Data Privacy Laws, mmhmm will, at the choice of Client, return to Client and/or securely destroy all Personal Data upon (a) written request of Client or (b) termination of the Agreement. Except to the extent prohibited by Data Privacy Laws, mmhmm will inform Client if it is not able to return or delete the Personal Data. For the avoidance of doubt, mmhmm may retain Personal Data that is included in routine backups, and the provisions of this DPA will apply to such Personal Data for as long as mmhmm retains it.
10. Indemnification and Limitation of Liability
To the extent permitted by Data Privacy Laws, the Parties will indemnify each other and their liability will be limited as provided in the Agreement.
11. Survival
The provisions of this DPA survive the termination or expiration of the Agreement for so long as mmhmm or its Subprocessors Process the Personal Data.
Exhibit A
mmhmm DATA SECURITY MEASURES
If mmhmm Processes Personal Data, mmhmm will implement and maintain the following administrative, technical, physical, and organizational security measures for the Processing of Personal Data:
mmhmm’s Information Security Program includes specific security requirements for its personnel and all subcontractors or agents who have access to Personal Data (“Data Personnel”). mmhmm’s security requirements covers the following areas:
1. Information Security Policies and Standards
mmhmm will maintain written information security policies, standards, and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Personal Data. These policies, standards, and procedures shall be designed and implemented to:
a. Prevent unauthorized persons from gaining physical access to Personal Data Processing systems (e.g. physical access controls);
b. Designate one or more employees, or competent subcontractors, to coordinate the Information Security Program;
c. Prevent Personal Data Processing systems from being used without authorization (e.g. logical access control);
d. Ensure that Data Personnel gain access only to such Personal Data as they are entitled to access (e.g. in accordance with their access rights) and that Personal Data cannot be read, copied, modified or deleted without authorization (e.g. data access controls);
e. Ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the recipients of any transfer of Personal Data by means of data transmission facilities can be established and verified (e.g. data transfer controls);
f. Ensure that all systems that Process Personal Data are the subject of a vulnerability management program that includes regular internal and external vulnerability scanning with risk rating findings and formal remediation plans to address any identified vulnerabilities;
g. Ensure that Personal Data is encrypted while in transit between Client and mmhmm and its Sub-Processors; and
h. Ensure that Personal Data is encrypted at rest at mmhmm and its Subrocessors.
2. Physical Security
mmhmm will maintain commercially reasonable security systems at all mmhmm sites at which an information system that uses or stores Personal Data is located (“Processing Locations”) that include reasonably restricting access to such Processing Locations, and implementing measures to detect, prevent, and respond to intrusions.
3. Organizational Security
mmhmm will maintain information security policies and procedures addressing:
a. Data Disposal. Procedures for when media are to be disposed or reused have been implemented to prevent any subsequent retrieval of any Personal Data stored on media before they are withdrawn from the mmhmm’s inventory or control.
b. Data Minimization. Procedures for when media are to leave the premises at which the files are located as a result of maintenance operations have been implemented to prevent undue retrieval of Personal Data stored on media.
c. Data Classification. Policies and procedures to classify sensitive information assets, clarify security responsibilities, and promote awareness for all employees have been implemented and are maintained.
d. Incident Response. All Security Breaches are managed in accordance with appropriate incident response and remediation procedures.
4. Network Security
mmhmm maintains commercially reasonable information security policies and procedures addressing network security.
5. Access Control (Governance)
a. mmhmm governs access to information systems that Process Personal Data.
b. Only authorized mmhmm staff can grant, modify, or revoke access to an information system that Processes Personal Data.
c. mmhmm implements commercially reasonable physical and technical safeguards to create and protect passwords.
6. Virus and Malware Controls
mmhmm protects Personal Data from malicious code and will install and maintain anti-virus and malware protection software on any system commonly susceptible to malware that handles Personal Data. The architecture of these systems provides inherent protection from the proliferation of malware and granting the permissions necessary for anti-malware software to function on these systems may weaken the inherent architectural controls.
7. Personnel
a. mmhmm has implemented and maintains a security awareness program to train all employees about their security obligations. This program includes training about data classification obligations, physical security controls, security practices, and Security Breach reporting.
b. Data Personnel strictly follow established security policies and procedures. Disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.
c. mmhmm shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may Process Personal Data.
8. Business Continuity
mmhmm implements disaster recovery and business resumption plans. Business continuity plans are tested and updated regularly to ensure that they are up to date and effective.mmhmm shall also adjust its Information Security Program in light of new laws and circumstances, including as mmhmm’s business and Processing change.