Data Processing Addendum
This Data Processing Addendum and any Schedules and Annexes hereto (“DPA”) forms part of and is incorporated into the Agreement.  All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement. In the event of a conflict between the Agreement (including any other Addendum attached thereto) and this DPA with respect to Processing of any Personal Data (each term as defined below), this DPA shall control. Except as modified below, the terms of the Agreement shall remain in full force and effect.
1. DEFINITIONS.
“Authorized Personnel” means any person who Processes Personal Data, including ModernRails’ and Customer’s employees, officers, directors, partners, principals, agents, representatives, contractors and Subprocessors.
“Data Protection Laws” means all applicable data privacy and security laws relating to the Processing of Personal Data that may exist in any relevant jurisdiction, including (but not limited to): (i) the California Consumer Privacy Act of 2018, Civil Code §1798.100 et seq. (“CCPA”), including any regulation, guideline and opinion issued by any competent authority; (ii) the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and all relevant laws or regulations implementing or supplementing the same, including any measure, guideline and opinion issued by any competent authority; (iii) the European e-Privacy Directive 2002/58/EC; and (iv) in respect of the United Kingdom, the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419) (“UK Data Protection Law”), in each case as may be amended, superseded, supplemented, or replaced.
“Effective Date” means the Effective Date of the DPA.
“Personal Data” means any data that is protected as “personal data,” “personally identifiable information,” “personal information,” or a comparable term under Data Protection Laws and is Processed in connection with the Services.
“Public Authority” means a government agency or law enforcement authority, including judicial authorities.
“Security Incident” means any actual or suspected breach of security leading to, or reasonably believed to have led to, the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Personal Data.
“Standard Contractual Clauses” means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
“Subprocessor” means any third party (including any ModernRails affiliate but excluding any ModernRails employee) engaged directly or indirectly by ModernRails to Process any Personal Data.
“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the United Kingdom’s Information Commissioner and laid before Parliament in accordance with section 119A of the Data Protection Act 2018 on 28 January 2022, as currently set out at https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf.
“Controller,” “Processor,” “Processing,” “Service Provider,” and any terms not otherwise defined herein or in the Agreement shall have the meanings given to them in Data Protection Laws, and their cognate terms shall be construed accordingly.
2. PROCESSING OF PERSONAL DATA.
2.1 Parties’ Roles.
2.1.1 ModernRails as Processor. Except as stated in Paragraph 2.1.2, the Parties acknowledge and agree that Customer is the Controller and ModernRails is the Processor of Personal Data. Customer authorizes ModernRails to Process Personal Data on its behalf for the limited and specified purposes of providing the Purchased Services as set forth in the Agreement. Customer acknowledges that ModernRails also Processes Personal Data on behalf of third-party financial institutions that deliver the financial services specified in the Agreement. Each third-party financial institution is a Controller of Personal Data as it concerns the financial service(s) it delivers.
2.1.2 ModernRails as Controller. Customer acknowledges and agrees that ModernRails may Process Personal Data for business operations incident and ancillary to providing the Purchased Services to Customer, such as to comply with audit, insurance, legal and regulatory obligations, to enhance and improve core “Know Your Customer” verification and fraud prevention functionality (e.g., machine learning), and to develop and facilitate cross-Customer products and services. To the extent ModernRails Processes Personal Data for business operations incident or ancillary to providing the Services to Customer, ModernRails will comply with the obligations of a Controller under Data Protection Laws for such use.
2.2 Details of the Processing. The subject matter of the Processing is the provision of the Purchased Services identified in the Agreement. Annex I of this DPA sets out the types of Personal Data subject to Processing, the nature and purpose of Processing, and the duration of Processing.
3. Privacy.
3.1 Parties’ Responsibilities. Each Party shall comply with its obligations under Data Protection Laws with respect to any Personal Data it Processes under this DPA and shall provide the same level of privacy protection as required by Data Protection Laws.
3.2 Customer Responsibilities. Customer’s collection of Personal Data shall be limited to that which (i) ModernRails needs to perform the Purchased Services; (ii) Customer needs in order for the User to use Customer’s Application; and/or (iii) is otherwise permitted by Data Protection Laws. Prior to the collection of Personal Data, Customer will provide Users with a privacy policy that complies with Data Protection Laws and discloses what Personal Data Customer collects, how Personal Data will be disclosed to others (including ModernRails and the applicable third-party financial institutions), and that Personal Data will be transferred to the United States and to jurisdictions outside of the country in which the User resides. Notwithstanding any disclosure obligations set forth in the Agreement, Customer shall include in Customer’s privacy policy a hyperlink to ModernRails’ Privacy Policy, found at https://modernrails.io/privacy, and to the privacy policy of any applicable third-party financial institution.
3.3 User Consents. In accordance with Data Protection Laws, Customer shall obtain User consent and, where necessary, express consent, prior to collecting Personal Data. Obtained consents shall be stored by Customer, and ModernRails reserves the right to dictate the storage format and to audit obtained consents at any time during the term of the Agreement or within seven (7) years after the expiration of the Agreement.
4. Security.
4.1 Controls for Protection of Personal Data. The Parties represent and warrant that they have adopted, documented, and implemented, and shall maintain, commercially reasonable written information security guidelines, inclusive of physical, technical, and organizational measures appropriate to the nature of the information Processed, that are designed to protect Personal Data against Security Incidents and are in material compliance with all Data Protection Laws.
4.2 Confidentiality. The Parties will advise all Authorized Personnel (via training or other processes) of the security guidelines/programs instituted by them prior to providing them with access rights, and will require all Authorized Personnel to be subject to a contractual or statutory duty of confidentiality.
4.3 Authorized Personnel. The Parties will take commercially reasonable steps to ensure that Personal Data is available only to Authorized Personnel who have a need to access it.
4.4 Unauthorized Use. The Parties have the right to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
5. Security Incidents.
5.1 If a Party becomes aware of a Security Incident, it shall comply with its data breach obligations under Data Protection Laws and, without undue delay and to the extent required by applicable Data Protection Laws, provide Notice to the other Party.
5.2 In the case of a known or suspected breach of Customer’s Application or systems, ModernRails, at its sole discretion, may suspend or revoke Customer’s API keys.
6. Instructions.
6.1 Instructions. When ModernRails acts as a Processor, ModernRails will Process Personal Data in accordance with the instructions from Customer as reflected in the Agreement and this DPA. ModernRails shall not Process Personal Data for its own or for any other purposes except as set forth in Paragraph 2.1.2 or as permitted by Data Protection Laws.
6.2 Compliance with Instructions. Unless prohibited by law, ModernRails will notify Customer prior to Processing Personal Data, or will immediately stop Processing Personal Data and notify Customer, if ModernRails: (i) becomes aware or reasonably believes that any instruction from Customer violates any applicable law; (ii) is unable to comply with Customer’s instructions; (iii) is unable to meet its obligations under this DPA; or (iv) is unable to comply with Data Protection Laws.
6.3 California Personal Data. Notwithstanding the above obligations, if ModernRails is Processing Personal Data within the scope of the CCPA, ModernRails will not: (i) sell or share (as those terms are defined under the CCPA) Personal Data; (ii) retain, use, or disclose Personal Data for any purpose other than the business purposes specified in the Agreement, including retaining, using, or disclosing it for a commercial purpose other than the business purposes specified in the Agreement or as otherwise permitted under the CCPA; or (iii) retain, use, or disclose Personal Data outside of the direct business relationship between ModernRails and Customer. ModernRails certifies that it understands these restrictions and will comply with them. This provision does not prohibit ModernRails from using Personal Data as described in Paragraph 2.1.2 or from disclosing Personal Data to applicable third-party financial institution(s).
7. Subprocessing.
7.1 List of Subprocessors and Notification of New Subprocessors. Where required by Data Protection Laws, ModernRails shall not provide Personal Data to any Subprocessor unless authorized in writing by Customer. Customer hereby authorizes ModernRails to engage those Subprocessors necessary to provide the Services. Where required by Data Protection Laws, ModernRails will make available a list of Subprocessors if requested by Customer in writing, and will not use additional Subprocessors to Process Personal Data without first providing at least fifteen (15) days’ Notice to Customer. Customer’s consent shall be deemed given if it does not object in writing within fifteen (15) days after receipt of such Notice.
7.2 Subprocessor Obligations. Where required by Data Protection Laws, ModernRails will enter into a written contract with each Subprocessor regarding the Processing of Personal Data, and such contract will require the Subprocessor to meet the same Processor obligations as ModernRails under this DPA.
8. User Rights and Cooperation.
8.1 User Requests. ModernRails will provide reasonable assistance to Customer to meet Customer’s obligations to respond to User requests to exercise their rights under Data Protection Laws with respect to their Personal Data. Where required by Data Protection Laws, ModernRails will notify Customer in writing if it receives a User request concerning Personal Data.
8.2 Data Protection Impact Assessment. ModernRails will provide all necessary information to enable Customer to conduct and document a data protection impact assessment or similar analysis.
9. Deletion or Return of Personal Data.
ModernRails shall not retain Personal Data for longer than is necessary to provide the Purchased Services. At the end of the Purchased Services, or upon Customer’s request, ModernRails will, for itself, either securely destroy Personal Data or return it to Customer. This requirement shall not apply to the extent that ModernRails is required by any applicable law to retain some or all of the Personal Data. It also shall not apply to any Personal Data that ModernRails Processes as set forth in Paragraph 2.1.2.
10. Assessments.
To the extent required by Data Protection Laws, ModernRails shall allow Customer and its respective auditors or authorized agents to conduct audits and inspections during the term of the Agreement and for 12 months thereafter. In connection with such inspections, ModernRails shall provide access to its premises, resources and Authorized Personnel, and shall provide all reasonable assistance to Customer in exercising its audit rights under this paragraph. Inspections may only be carried out with reasonable prior notice, during normal business hours, and provided that Customer or any auditor takes all reasonable measures to prevent unnecessary disruption to ModernRails’ operations. Customer or any auditor conducting any such audit shall comply with any and all reasonable security and confidentiality guidelines and other policies of ModernRails with respect to the audit.
11. Government Access Requests.
In its role as a Processor, ModernRails shall maintain appropriate measures to protect Personal Data in accordance with the requirements of Data Protection Laws, including by implementing appropriate technical and organizational safeguards to protect Personal Data against any interference that goes beyond what is necessary in a democratic society to safeguard national security, defense and public security. If ModernRails receives a legally binding request from a Public Authority to access Personal Data, ModernRails shall, if required under Data Protection Laws and unless otherwise legally prohibited, promptly notify Customer, including a summary of the nature of the request. To the extent ModernRails is required under Data Protection Laws to provide such notification but is prohibited by law from doing so, ModernRails shall use commercially reasonable efforts to obtain a waiver of the prohibition to enable ModernRails to communicate as much information as possible, as soon as possible. Further, ModernRails shall challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful, and shall pursue possibilities of appeal. When challenging a request, ModernRails shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits, and shall not disclose the Personal Data requested until required to do so under the applicable procedural rules. ModernRails agrees that it will provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request. ModernRails shall promptly notify Customer if ModernRails becomes aware of any direct access by a Public Authority to Personal Data and shall provide the information available to ModernRails in this respect, to the extent permitted by law.
For the avoidance of doubt, this DPA shall not require ModernRails to pursue any action or inaction that could result in a civil or criminal penalty for ModernRails, such as contempt of court.
12. Cross-Border Data Transfers.
12.1 Europe
12.1.1 In respect of Personal Data where the GDPR applies, the Parties agree to comply with the obligations of the Standard Contractual Clauses, Module Two, with Customer as data exporter and ModernRails as data importer. Annexes I and II of this DPA shall be incorporated as Annexes I and II of the Standard Contractual Clauses. Clause 7 shall not apply. In Clause 9, Option 2 shall apply and the time period shall be 15 days. In Clause 11, the optional language shall not apply. In Clause 17, Option 1 shall apply and Irish law shall govern. In Clause 18(b), disputes shall be resolved before the courts of Ireland.
12.1.2 In respect of Personal Data where the Swiss Federal Act on Data Protection (“FADP”) applies, the Parties agree to comply with the obligations of the Standard Contractual Clauses, Module Two, as described in Paragraph 12.1.1, subject to the following amendments:
12.1.2.1 references in the Standard Contractual Clauses to the GDPR shall refer to the FADP;
12.1.2.2 references to specific Articles of the GDPR shall be replaced with the equivalent article of the FADP;
12.1.2.3 references to “EU”, “Union” and “Member State” shall be replaced with references to Switzerland;
12.1.2.4 the term “member state” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with Clause 18(c) of the Standard Contractual Clauses; and
12.1.2.5 the Standard Contractual Clauses shall also protect the data of legal persons until the entry into force of the revised FADP.
12.1.3 In respect of Personal Data where UK Data Protection Law applies, the Parties agree to comply with the obligations of the Standard Contractual Clauses, Module Two, as described in Paragraph 12.1.1, as modified by the UK Addendum. In Table 4 of the UK Addendum, either Party may end the UK Addendum.
12.2 Non-Europe and U.S.
To the extent that the laws of countries other than the United States, the EU, Switzerland and the UK require the Parties to utilize a cross-border data transfer mechanism for the transfer of Personal Data, the Parties agree that they shall, only to the extent required by the relevant law, rely on (i) an adequacy decision, (ii) the Standard Contractual Clauses (as modified to apply to such country’s laws), (iii) consent, or (iv) any other valid legal basis.
12.3 Alternative Transfer Mechanism
If any transfer mechanism in this Paragraph 12 is subsequently cancelled, suspended, modified, revoked, or held by a court of competent jurisdiction to be invalid, the Parties shall cooperate in good faith to implement a suitable alternative mechanism that can lawfully support the transfer. If the Parties are unable to agree on a suitable alternative, Customer reserves the right to suspend the transfer of Personal Data and/or terminate (without liability) the Agreement with respect to the Services that are implicated. If, after the Effective Date of the DPA, a new transfer mechanism becomes available, the Parties agree to cooperate in good faith to incorporate it into this DPA.
13. General.
13.1 Changes to Data Protection Laws. Notwithstanding any provision of the Agreement to the contrary, the Parties recognize that there may be changes to Data Protection Laws that require the Parties to modify this DPA. Upon Notice to the other Party of any such changes, the Parties agree to undertake to amend this DPA in good faith without undue delay and shall agree on a reasonable amount of time for the Parties to implement any such additional requirements.
13.2 Order of Priority. In the event of a conflict between the Agreement and this DPA, this DPA shall control to the extent of the conflict with respect to the Processing of Personal Data. In the event of a conflict between the Agreement or this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall control. In the event of a conflict between the Standard Contractual Clauses and the UK Addendum (as it concerns Personal Data where UK Data Protection Law applies), the UK Addendum shall control.
13.3 Effective Date. This DPA shall take effect on the Effective Date and, unless terminated earlier in accordance with the terms of this DPA, will continue for the term of the Agreement, except for those provisions that by their nature should survive termination or expiration.