This Data Processing Addendum (“DPA”) supplements and is incorporated into Miruni's Terms of Service or other agreement between Customer and Miruni governing Customer’s use of and access to the Services (“Agreement”). Capitalized terms used below that are not otherwise defined have the meanings given to them in the Agreement.
1.1 Scope of DPA. This DPA applies to Miruni’s processing of Personal Data to provide the Services to Customer pursuant to the Agreement.
1.2 Processor. The parties agree that Miruni acts as a processor under Data Protection Law and/or service provider under CCPA for Customer in providing the Services to Customer.
1.3 Processing Activities. The subject matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data, and categories of data subjects are described in Exhibit A.
2. Processing of Personal Data
2.1 Miruni Obligations. Miruni will:
(a) process Personal Data only on documented instructions from Customer, including transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law to which Miruni is subject, in which a case Miruni will inform Customer of the legal requirement before processing, unless prohibited by law;
(b) ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) implement appropriate technical and organizational measures designed to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed and to ensure a level of security appropriate to the risk;
(d) respect the conditions for engaging other processors as required by applicable Data Protection Law and set forth in Section 4 below;
(e) taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, to the extent possible, to enable Customer to fulfill its legal obligations as a controller to respond to requests for exercising data subject rights pursuant to applicable Data Protection Law;
(f) taking into account the nature of processing and the information available to Miruni, assist Customer in ensuring compliance with its legal obligations pursuant to applicable Data Protection Law regarding (i) security of processing, (ii) notification of and communication of Security Incidents, (iii) data protection impact assessments, and (iv) prior consultation with the applicable supervisory authority;
(g) at Customer’s choice, delete or return all Personal Data to Customer after the end of the provision of the Services, and delete existing copies unless applicable law requires storage of Personal Data;
(h) make available to Customer all information necessary to demonstrate compliance with its obligations under applicable Data Protection Law and allow for and assist with audits in accordance with Section 6 below, in each case at Customer’s expense; and(i) inform Customer if, in its opinion, an instruction infringes applicable Data Protection Law.
2.2 Customer Instructions. Customer instructs Miruni to process Personal Data as documented in this DPA and the Agreement, and as otherwise necessary to provide the Services to Customer. Customer’s instructions to Miruni for the processing of Personal Data will comply with all applicable laws, including Data Protection Laws.
2.3 Controller Authorization. If Customer is a processor, Customer warrants to Miruni that Customer’s instructions and actions with respect to Personal Data, including its appointment of Miruni as a subprocessor, have been authorized by the relevant controller.
3. Data Transfers
3.1 Customer Authorization. Customer authorizes Miruni to perform Data Transfers: (a) to any country subject to an adequacy determination by the European Commission; (b) pursuant to the Standard Contractual Clauses; or (c) any other legally valid data transfer mechanism. The Standard Contractual Clauses will only apply for Data Transfers to a country not recognized as having an adequate level of data protection if there is no other legally valid data transfer mechanism.
3.2 Standard Contractual Clauses. For Data Transfers out of the European Economic Area, Switzerland, or the United Kingdom pursuant to the Standard Contractual Clauses: (a) the Controller-to-Processor Clauses will apply where Customer acts as a controller of Personal Data; and (b) the Processor-to-Processor Clauses will apply where Customer acts as a processor of Personal Data, and Customer will fulfill any obligations Miruni may have to Customer’s controller(s) as a processor.
3.3 UK Addendum. For Data Transfers out of the United Kingdom, the UK Addendum will also apply.
4.1 General Authorization. Customer hereby grants Miruni general authorization to engage Subprocessors, subject to the terms of this DPA and the Agreement. Miruni uses the Subprocessors listed at Miruni.com/privacy-policy to provide the Services and will notify Customer of any intended changes concerning the addition or replacement of a Subprocessor via the mechanism listed on that page. If Customer provides a reasonable written objection to a new Subprocessor within 10 days of receiving notice, and Miruni chooses not to suggest an alternative, Customer may terminate the Agreement after 30 days’ notice to Miruni.
4.2 Subprocessor Requirements. Prior to the engagement of a Subprocessor, Miruni will enter into a written agreement with the Subprocessor containing at least the same data protection obligations as those set out in this DPA, including providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of applicable Data Protection Law. If a Subprocessor fails to fulfill its data protection obligations, Miruni will be liable to Customer for the performance of that Subprocessor’s obligations.
5. Security Incidents
5.1 Security Incident Notification. Upon becoming aware of a Security Incident, Miruni will notify Customer without undue delay and promptly take reasonable steps to minimize harm and secure Personal Data.
5.2 Notification Description. To the extent possible, notification to Customer will describe the nature of the Security Incident, the likely consequences of the Security Incident, and the measures taken or proposed to be taken to address the Security Incident. Miruni’s notification of or response to a Security Incident will not be construed as an acknowledgement by Miruni of any fault or liability with respect to the incident.
6.1 Customer Audit. Upon Customer’s prior written request and subject to the confidentiality obligations, Miruni will allow Customer or an independent third-party auditor that is not a competitor of Miruni to access information or inspect Miruni’s procedures relevant to the protection of Customer Data in order to audit Miruni’s compliance with this DPA.
6.2 Process for Inspections. Inspections may be conducted no more than once per year and only in a manner that does not interfere with Miruni’s normal business operations. Customer and Miruni will mutually agree upon the scope, timing, and duration of the inspection, and Customer will reimburse Miruni for reasonable fees associated with time spent on the inspection. Any deficiencies or reports created based on such access or inspection must be promptly shared with Miruni and will be Miruni’s Confidential Information.
7. CCPA Certification
Miruni will not:
(a) sell Customer personal information;
(b) retain, use, or disclose any Customer personal information for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing Customer personal information for a commercial purpose other than providing the Service; or
(c) retain, use, or disclose Customer personal information outside of the direct business relationship between Customer and Miruni.
This DPA is subject to the terms of the Agreement, including without limitation, those regarding dispute resolution, limitation of liability, and termination. If any of the provisions of this DPA conflict with the provisions of the Agreement, the provisions of this DPA will prevail.
9. Exhibit A
1. Subject Matter of Processing
The subject matter of the processing is the Personal Data submitted to the Services by Customer pursuant to the Agreement.
2. Duration of Processing
The processing will continue until the expiration or termination of the Agreement, or as otherwise determined by Customer by deleting Personal Data from its account.
3. Nature and Purpose of Processing
Processing by Miruni to provide the Services to Customer pursuant to the Agreement.
4. Types of Personal Data
Personal Data provided to Miruni by Customer or its Authorized Users, including: