This Data Processing Addendum (“Addendum”) is between Mimosa Networks, Inc. (“Mimosa”) and the client, distributor, or reseller (each, as applicable, “Partner”) specified in (a) the agreement to which this Addendum is attached, (b) the agreement to which this Addendum applies, or (c) the agreement which this Addendum modifies (“Original Agreement”). Mimosa offers products and services to Partners around the world which are further described herein and in the Original Agreement. Collectively, Mimosa and Partner are referred to as the “Parties”.
WHEREAS:
A. Partner either uses Mimosa’s products and services or is a distributor or reseller that resells Mimosa’s products or services to its customers;
B. Mimosa offers certain cloud-based network and device management solutions, and certain other products and services as described in the Original Agreement (“Services”) either directly or through its applicable Partner; and
C. This Addendum sets out data protection, security and confidentiality requirements with regard to the Processing of Personal Data collected, disclosed, stored, accessed or otherwise Processed by or on behalf of Partner for the purpose of performing the Services.
NOW, THEREFORE, in consideration of the mutual covenants and agreements in this Addendum and for other good and valuable consideration, the sufficiency of which is hereby acknowledged, Mimosa and Partner agree as follows:
1. Definitions. When used in this Addendum, the following terms have the following meaning. Any capitalized terms not defined in this Addendum shall have the meaning given to them in the Original Agreement.
“Applicable Data Protection Law” means all applicable international, federal, state, provincial and local laws, rules, regulations, directives and governmental requirements currently in effect and as they become effective relating in any way to the privacy, confidentiality or security of Personal Data including without limitation: (i) the Gramm-Leach-Bliley Act (“GLBA”), 15 U.S.C. §§ 6801-6827, and all regulations implementing GLBA; the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681 et seq., as amended by the Fair and Accurate Credit Transactions Act (“FACTA”), and all regulations implementing the FCRA and FACTA; the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and all regulations implementing HIPAA; the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM”); information security breach notification laws; laws imposing minimum information security; laws requiring the secure disposal of records containing certain Personal Data; and all other similar international, federal, state, provincial, and local requirements; (ii) the European Union (“EU”) Data Protection Directive 95/46/EC, as repealed by the General Data Protection Regulation 2016/679 (“GDPR”), effective as of May 25, 2018, and EU Member State laws supplementing the GDPR; the EU Directive 2002/58/EC (“e-Privacy Directive”), as replaced from time to time, and EU Member State laws implementing the e-Privacy Directive; and (iii) all applicable industry standards concerning privacy, data protection, confidentiality or information security including, without limitation, the Payment Card Industry Data Security Standard (“PCI DSS”);
“Data Controller” shall have the meaning given to it in the Applicable Data Protection Law;
“Data Processor” shall have the meaning given to it in the Applicable Data Protection Law;
“Data Security Measures” means administrative, technical and physical safeguards and other security measures that are designed to (i) ensure the security and confidentiality of Personal Data, (ii) protect against any anticipated threats or hazards to the security and integrity of Personal Data and (iii) protect against any actual or suspected unauthorized Processing, loss, use, disclosure or acquisition of or access to any Personal Data;
“Data Subject” means a natural person to which the Personal Data pertain;
“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be specifically identified, directly or indirectly by reference to certain information such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; and,
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2. Roles and Responsibilities of the Parties.
a. If Partner serves as a Data Processor, it agrees and warrants to Process Personal Data and to perform all of its obligations under this Addendum in compliance with the Applicable Data Protection Law.
b. If Mimosa serves as a Data Processor, it agrees and warrants to Process Personal Data and to perform all of its obligations under this Addendum in compliance with the Applicable Data Protection Law.
c. The Parties acknowledge and agree that Mimosa may, in certain instances in connection with the Services, act as a Data Controller, and solely in such instance, has the sole and exclusive authority to determine the purposes and means of the Processing of Personal Data Processed under this Addendum, and that Partner will Process Personal Data only on behalf of and under the instructions of Mimosa for the purpose of using, providing, maintaining or distributing the Services.
d. Partner shall limit access to Personal Data to its personnel who have a need to know the Personal Data as a condition to Partner’s provision or performance of the Services, and who have explicitly agreed in writing to comply with legally-enforceable privacy, confidentiality and security obligations that are substantially similar to those required by this Addendum. Partner shall provide training, as appropriate, regarding the privacy, confidentiality, and information security requirements set forth in this Addendum to relevant personnel who have access to Personal Data.
e. Partner will implement and maintain a comprehensive written information security program that complies with the Applicable Data Protection Law, including commercially reasonable Data Security Measures to protect Personal Data processed under this Addendum from loss, theft, misuse, unauthorized access, disclosure, or acquisition, destruction or other compromise (“Information Security Incident”). Partner shall inform Mimosa without unreasonable delay, but in no event more than 24 hours, after it knows or reasonably suspects that an Information Security Incident has occurred in or with respect to its systems which affects Personal Data under this Addendum or the Original Agreement. Partner shall promptly take all necessary steps to mitigate the impact of the Information Security Incident, cooperate with Mimosa and provide information as appropriate to address the incident. Upon the occurrence of an Information Security Incident involving Personal Data in the possession, custody, or control of Partner or for which Partner is otherwise responsible, Partner shall reimburse Mimosa on demand for all Notification Related Costs (defined below) incurred by Mimosa arising out of or in connection with any such Information Security Incident. 
“Notification Related Costs” shall include Mimosa’s internal and external costs associated with investigating, addressing, and responding to the Information Security Incident, including but not limited to: (i) preparation and mailing or other transmission of notifications or other communications to Mimosa users, consumers, employees, customers or others as Mimosa deems reasonably appropriate; (ii) establishment of a call center or other communications procedures in response to such Information Security Incident (e.g., customer service FAQs, talking points and training); (iii) public relations and other similar crisis management services; (iv) legal, consulting, and accounting fees and expenses associated with Mimosa’s investigation of and response to such event; and (v) costs for commercially reasonable credit reporting and monitoring services that are associated with legally required notifications or are advisable under the circumstances. Partner shall not publish or communicate any filings, communications, notices, press releases or reports related to any Information Security Incident that expressly mention Mimosa or its clients, customers, resellers, or distributors who are not a Partner under this Addendum.
f. If the Partner is serving as a Data Processor, it may engage a sub-processor to Process Personal Data protected under this Addendum only if it is authorized by Mimosa to do so. Partner shall enter into a written agreement with the sub-processor imposing on the sub-processor the same obligations as imposed on Partner under this Addendum, including appropriate Data Security Measures. In case the sub-processor fails to fulfil its obligations under such written agreement with Partner, Partner shall remain fully liable to Mimosa for the performance of the sub-processor’s obligations.
g. Partner agrees and warrants that it will inform Mimosa promptly of any requests made by government authorities of any jurisdiction requesting or requiring Partner to disclose the Personal Data Processed under this Addendum or to participate in an investigation involving such Personal Data, including but not limited to subpoenas, judicial or administrative orders, or proceedings seeking access to or disclosure of Personal Data. Mimosa shall have the right to defend such action in lieu of and/or on behalf of Partner. Mimosa may, if it chooses, seek a protective order. Partner shall reasonably cooperate with Mimosa in such defense or in any action seeking a protective order.
h. Mimosa will have the right to monitor and audit Partner’s compliance with the terms of this Addendum. Upon prior written request by Mimosa, Partner agrees to cooperate and, within reasonable time, provide Mimosa with: (a) audit reports and all information necessary to demonstrate Partner’s compliance with the obligations in this Addendum; and (b) confirmation that the audit has not revealed any material vulnerability in Partner’s systems, or to the extent that any such vulnerability was detected, that Partner has fully remedied such vulnerability.
i. Promptly upon the expiration or earlier termination of this Addendum or the related Original Agreement, or such earlier time as Mimosa requests, Partner shall securely delete or return all Personal Data to Mimosa, and securely delete any existing copies, unless further storage of Personal Data is required by applicable law, in which case Partner shall protect the confidentiality of Personal Data, will not actively process Personal Data further, and will continue to comply with this Addendum.
j. Partner shall enter into any further privacy or information security agreement reasonably requested by Mimosa for purposes of compliance with the Applicable Data Protection Law.
3. Onward Transfer Terms.
a. This Section 3 applies to the extent that Partner receives, accesses or otherwise Processes Personal Data for the purpose of using, performing, maintaining or distributing the Services.
b. Partner will Process Personal Data only as directed by Mimosa for the purpose of performing the Services in accordance with this Addendum and the Original Agreement.
c. Partner will provide Personal Data at least the same level of privacy protection as is required by all applicable laws including the Applicable Data Protection Law. If Partner determines that it can no longer meet its obligation to provide at least the same level of privacy protection as is required by applicable laws, Partner will immediately notify Mimosa in writing and will: (i) stop Processing the Personal Data; and (ii) return or destroy all Personal Data in accordance with Mimosa’s instructions. In that event, Mimosa may terminate, without penalty, this Addendum, the Original Agreement, and/or any other agreement made between the Parties. Mimosa may also take any actions it deems reasonable to stop or remediate unauthorized Processing.
4. Termination. This Addendum will have the same duration as the Original Agreement. The obligations of Partner to implement appropriate security measures survive the termination of this Addendum to the extent that further storage of Personal Data is required by the Applicable Data Protection Law.
5. Invalidity and Severability. If any provision of this Addendum is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision shall not affect any other provision of this Addendum and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
6. Indemnification. Partner agrees to indemnify and hold harmless Mimosa and its officers, directors, employees and agents from, and at Mimosa’s option, defend against, any and all claims, losses, liabilities, damages, costs and expenses, including third-party claims, demands, reasonable attorneys’ fees, consultants’ fees and court costs (collectively, “Claims”), to the extent that such Claims arise from, or may be in any way attributable to (i) any violation of its obligations under this Addendum; (ii) the negligence, gross negligence, bad faith, or intentional or willful misconduct of Partner or its personnel in connection with obligations set forth in this Addendum; (iii) Partner’s use of any contractor or subcontractor providing services in connection with or relating to Partner’s performance under this Addendum and the Original Agreement; or (iv) any Information Security Incident involving Personal Data in Partner’s possession, custody or control, or for which Partner is otherwise responsible.
7. Governing Law and Dispute Resolution. The governing law and dispute resolution provisions of the Original Agreement will apply to this Addendum.
8. Conflicts. In case of a conflict between this Addendum and any other agreements made between the Parties with regard to the Processing of Personal Data in the context of the Services, this Addendum shall prevail.
9. Summary or Copy of Agreement. Mimosa may provide a summary or a representative copy of the relevant privacy provisions of this Addendum to an authorized regulatory body upon request.