Data Processing Agreement

This GDPR Data Processing Addendum (“DPA”) forms part of the Terms of Service available at https://www.mercury.ai/terms-conditions.html or such other location as the Terms of Service, entered into by and between the Customer and Mercury.ai UG (haftungsbeschränkt) (“Mercury.ai”), pursuant to which Customer has accessed Mercury.ai’s Application Services as defined in the applicable Agreement. The purpose of this DPA is to reflect the parties’ agreement with regard to the processing of personal data in accordance with the requirements of Data Protection Legislation as defined below.

If the Customer entity entering into this DPA has executed an order form or statement of work with Mercury.ai pursuant to the Agreement (an “Ordering Document”), but is not itself a party to the Agreement, this DPA is an addendum to that Ordering Document and applicable renewal Ordering Documents. If the Customer entity entering into this DPA is neither a party to an Ordering Document nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Customer entity that is a party to the Agreement executes this DPA.

This DPA shall not replace or supersede any agreement or addendum relating to processing of personal data negotiated by Customer and referenced in the Agreement, and any such individually negotiated agreement or addendum shall apply instead of this DPA.

In the course of providing the Application Services to Customer pursuant to the Agreement, Mercury.ai may process personal data on behalf of Customer. Mercury.ai agrees to comply with the following provisions with respect to any personal data submitted by or for Customer to the Application Services or collected and processed by or for Customer through the Application Services. Any capitalized but undefined terms herein shall have the meaning set forth in the Agreement.

Data Processing Agreement within the Meaning of Art. 28, 29 of the GDPR

Recitals
Processor processes personal data under the authority of Controller within the meaning of Art. 4 no. 8 and Art. 28 of Regulation (EU) 2016/679 – General Data Protection Regulation (hereinafter "GDPR"). This Data Processing Agreement defines the specific data protection obligations of the parties arising in connection with the outsourced data processing provided for in the master agreement. The Data Processing Agreement applies to all services which relate to the master agreement and in connection with which employees of Processor or third parties acting on behalf of Processor may come into contact with personal data of Controller.

  1. Definitions
    1. Personal data means any information about personal or factual circumstances of an identified or identifiable natural person (Art. 4 no. 1 of the GDPR).
    2. Outsourced data processing means the collection, processing, or use of personal data within the meaning of Art. 4 no. 2 of the GDPR by Processor under the authority of Controller.
    3. Instruction means any directions issued by Controller to Processor ordering that Processor perform a certain action with respect to personal data (e.g., anonymization, blocking, erasure, or return of data). Instructions are originally defined by the master agreement and thereafter may be modified, amended, or replaced by Controller through written, individual instructions (individual instructions).
    4. Collecting, processing, and using personal data has the meaning defined in Art. 4 no. 2 of the GDPR.

  2. Applicability, Responsibility
    Processor shall process personal data under the authority of Controller. This includes the services defined in the master agreement and in the statement of work. In connection with this Agreement, Controller is the sole party responsible for compliance with all applicable data protection laws, including, without limitation, the lawful transfer of data to contractors, and for lawful data processing ("controller" within the meaning of Art. 4 no. 7 of the GDPR). Processor has the right to inform Controller if in the opinion of Processor data processing provided for in the contract and/or instructions would be unlawful.

  3. Subject Matter and Duration
    1. The subject matter of the contract is defined in the master agreement/statement of work, which is/are hereby incorporated by reference.
    2. The term of this contract corresponds to the term of the master agreement.
    3. The right to terminate for good cause shall remain unaffected thereby.

  4. Extent, Type, and Purpose of Contracted Collection, Processing, or Use of Data
    The extent, type, and purpose of the collection, processing, and use of personal data by Processor under the authority of Controller are described in detail in the master agreement.

  5. Type of Data
    The collection, processing, and use of personal data involve the following types/categories of data:
    User data provided by Controller and/or user:
    Name, User IDs, location data, user’s time zone, user's IP address, user attributes and details, message content entered by user in form of text, audio, images and video.

  6. Data Subjects
    The handling of personal data in accordance with this contract involves the following data subjects:
    Users of connected communication channels including but not limited to Facebook Messenger, Amazon Alexa, WhatsApp, WebWidgets embedded in Websites, API based ingtegrations, SMS

  7. Rectification, Erasure, Blocking, and Return of Data
    1. Data processed by Processor in accordance with this contract may not be rectified, erased, or blocked, except as instructed by Controller.
    2. Controller may demand that data be rectified, erased, blocked, or returned at any time during or after the term of this contract and the master agreement.

  8. Technical and Organizational Measures
    1. Processor shall structure the business operations for which Processor is responsible in such a way that they are in compliance with the special requirements of data protection law.
    2. Processor shall implement technical and organizational measures to adequately protect data of Controller against the risks of misuse and loss in conformity with the requirements of the GDPR (Art. 24, 32 of the GDPR). Such measures include, without limitation, the following, provided that such measures are appropriate:
      - measures preventing unauthorized parties from gaining access to data processing systems employed to process or use personal data (physical access control); - measures preventing unauthorized parties from using data processing systems (system access control);
      - measures guaranteeing that persons authorized to use data processing systems have access exclusively to personal data covered by their access authorizations, and that during processing or use and after storage personal data cannot be read, copied, modified, or removed without authorization (data access control);
      - measures guaranteeing that personal data cannot be read, copied, modified, or removed during electronic transfer or during transport or storage on data carriers and that it is possible to review and determine to whom personal data are to be transferred using data transmission systems (data transfer control);
      - measures guaranteeing that it can be reviewed and determined later on whether and by whom data have been input into, modified in, or removed from data processing systems (data input control);
      - measures guaranteeing that personal data processed by Processor on behalf of Controller can be processed only as instructed by the Controller;
      - measures guaranteeing that personal data are protected from accidental erasure or loss (data availability control);
      - measures guaranteeing that data that have been collected for different purposes can be processed separately (data separation control);
      - measures for the pseudonymization and encryption of personal data;
      - measures guaranteeing on a long-term basis the capability, confidentiality, integrity, availability, and resilience of systems and services related to the processing of data;
      - measures guaranteeing that in the event of any physical or technical incidence the availability of personal data and access to personal data can be quickly restored; and
      - procedures for the regular review, analysis, and evaluation of the effectiveness of technical and organizational measures to guarantee the security of data processing.
    3. Technical and organizational measures are subject to technological progress and continued development. Therefore Processor is permitted to implement adequate alternative measures, provided that such alternative measures guarantee the same level of security as the agreed measures.
    4. At the request of Controller, Processor shall submit a list of technical and organizational measures taken to ensure safe processing data on behalf of Controller.
    5. At the request of Controller, Processor shall make available the information needed for a record of processing activities within the meaning of Art. 30 of the GDPR (record of processing activities).

  9. Other Obligations of Processor
    1. Controller shall have the right to issue supplementary instructions regarding the type, extent, and procedures of data processing to Processor. Instructions may be issued in text form (e.g., by e-mail).
    2. Processor shall collect, process, or use data only as agreed with and as instructed by Controller, unless Processor has a legal obligation to process data under EU law or the law of any member state.
    3. Provisions regarding any compensation for additional costs incurred by Processor as a result of supplementary instructions issued by Controller shall remain unaffected thereby.
    4. Processor shall notify Controller of any exceptions to the obligation to process data only in accordance with Controller's instructions that may apply to Processor under applicable law, unless such notification is prohibited by such applicable law for the protection of an important public interest.
    5. Processor designates – if obliged by law - a data protection officer who can carry out his duties in accordance with Art. 37, 38, 39 of the GDPR. Processor shall provide Controller with the name and contact information of its data protection officer (if applicable) separately and in text form.
    6. Processor shall require those of its employees who are assigned to process personal data of Controller to agree to comply with the duty of data confidentiality (Art. 29 of the GDPR) and provide such employees with training and instruction on compliance with the data protection provisions of the GDPR. The duty of data confidentiality continues in effect after work has been completed.
    7. Processor shall promptly notify Controller if in the opinion of Processor an instruction issued by Controller violates applicable data protection law.
    8. Processor shall notify Controller of any major disruptions of Processor's business operations, of any suspected data breaches, and of any other irregularities concerning the processing of Controller's data. This also applies to any audits, measures by the regulatory authority within the meaning of Art. 51 – 59 of the GDPR, or investigations within the meaning of Art. 83, 84 of the GDPR.
    9. Processor acknowledges that Controller may be subject to disclosure obligations under Art. 33 of the GDPR in the event of any unlawful transfer or acquisition of certain personal data. Therefore such incidents must be promptly reported to Controller regardless of the cause. Processor's report to Controller shall include, without limitation, the following information: a description of the type of personal data breach, if possible including the categories and approximate number of data subjects, and the categories and approximate number of affected personal data sets; a description of the measures implemented or proposed by Processor to remedy the personal data breach and, if applicable, measures to mitigate potential adverse effects of the breach. Processor shall implement adequate measures to secure data and to mitigate potential adverse consequences for data subjects in agreement with Controller. In the event that Controller is subject obligations under Art. 33 of the GDPR, Processor shall support Controller in complying with such obligations.
    10. Processor has an obligation to notify Controller at any time if data or documents of Controller are affected by a personal data breach. Processor shall destroy data material in conformity with data protection law as instructed by Controller on a case-by-case basis. In special cases designated by Controller, data shall be stored or returned to Controller.
    11. Processor shall notify Controller if any data subjects seek to enforce their rights against Processor.

  10. Rights and Obligations of Controller
    1. Controller is the sole party responsible for assessing the lawfulness of data collection, processing or use, as well as for protecting the rights of data subjects.
    2. Controller shall promptly and fully inform Processor if Controller discovers any errors or irregularities with respect to data protection laws during its review of data processing results.
    3. Controller is responsible for keeping a record of processing activities as required by Art. 30 of the GDPR.
    4. Controller is responsible for complying with the notification obligations under Art. 33 of the GDPR.
    5. Controller shall determine, by contract or instruction, measures for returning data carriers and/or erasing stored data after termination of the agreement.

  11. Inquiries Received by Controller from Data Subjects
    If Controller is obligated under applicable data protection law to provide individuals with information about the collection, processing, or use of their personal data, Processor shall assist Controller with making such information available, provided that Controller has requested such assistance from Processor in writing.

  12. Cooperation with Regulatory Authority
    Upon request Controller and Processor and, if necessary, their respective representatives shall cooperate with the regulatory authority when performing their responsibilities.

  13. Inspection Obligations of Controller
    1. Controller approves the technical and organizational measures taken by Processor before transmitting data to processor and continually during the term of this agreement and documents the result. For this purpose, he may request self-disclosure from Processor or may conduct an audit during regular business hours with at least one month prior notice at its own cost. In case of an audit, Controller bears the costs of manpower to be provided by Controller in order to conduct the audit.

  14. Subcontractors
    1. Controller accepts that Processor employs Amazon Web Services. In addition to this, outsourcing of the tasks under this agreement and of the tasks mentioned in Sections 3, 4, 5, 6 to a sub-processor is possible as long as Processor ensures that sub-processor is subject to the same obligations laid out in this agreement, in particular, Processor shall verify that the requirements of confidentiality, data protection and data security are met.
    2. Controller shall receive inspection rights in the sense of Section 13. By written request of Controller, Processor shall provide Controller with information about the relevant contents of the data processing agreement between Processor and sub-processor as well as a copy thereof.

  15. Duty of Confidentiality
    When processing data under the authority of Controller Processor shall keep confidential all data which Processor receives or of which Processor acquires knowledge in connection with the contract. Processor agrees to comply with the same data confidentiality obligations to which Controller is subject. Controller shall notify Processor of any special data confidentiality obligations.

  16. General Provisions, Disclosure Obligations, Written Form, Choice of Law
    1. If data of Controller should be jeopardized at Processor's place of business as a result of any attachment or seizure proceeding, any insolvency or composition proceeding, or any other events or third-party measures, Processor shall promptly notify Controller thereof. Processor shall promptly notify all parties responsible in this connection that as the "controller" within the meaning of the GDPR. Controller has exclusive ownership of and authority over the data.
    2. Data shall be processed and used exclusively in the territory of the Federal Republic of Germany, in any member state of the European Union, or in any other country that is a party to the Agreement on the European Economic Area. Each data transfer to a third country is subject to the prior consent of Controller and may proceed only if the special requirements of Art. 44, 45, and 46 of the GDPR are satisfied.
    3. Any modifications or amendments to this Agreement or its provisions – including any representations by Processor – shall require a written agreement and shall be expressly identified as modifications or amendments to provisions of this Agreement. The same shall also apply to any waiver of this form requirement.
    4. This Agreement shall be subject to German law.
    5. Venue and jurisdiction shall be as provided in the master agreement, provided that under the terms of the master agreement venue and jurisdiction is in courts of the Federal Republic of Germany. Otherwise exclusive venue and jurisdiction shall be in courts at the place of Controller's registered office.