Data Processing Agreement
This Data Processing Agreement (“DPA”) constitutes an amendment to the mParticle Accelerator Program Agreement between Customer (“Customer”) and mParticle, Inc., a Delaware corporation, with its principal place of business at 257 Park Ave S, New York, NY 10010 (“mParticle”), dated as of the Effective Date (the “Agreement”), pursuant to which mParticle provides the Services (as defined in the Agreement) to Customer.
The parties agree to comply with the following provisions with respect to any Personal Data Processed by mParticle for Customer in connection with the provision of the Services. References to the Agreement will be construed as including this DPA. To the extent that the terms of this DPA differ from those in the Agreement, the terms of this DPA shall govern.
1. Definitions
- “Affiliates” means any entity which controls, is controlled by, or is under common control with one of the parties.
- “Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
- “Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
- “Data Protection Laws” means all privacy and data protection laws and regulations applicable to the Processing of Personal Data under the Agreement, including, as applicable: (a) the GDPR; and/or (b) the Swiss Federal Act on Data Protection of 19 June 1992.
- “Data Subject” means the individual to whom Personal Data relates.
- “Effective Date” shall have the meaning ascribed to such term in Section 11.
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- “Personal Data” means any information relating to an identified or identifiable person that is subject to the Data Protection Laws, as specified in Appendix 1. The types of Personal Data and categories of Data Subjects Processed under this DPA include but are not limited to the following: mobile advertising IDs, IP addresses and cookie IDs received from Customer regarding the end users of its digital properties.
- “Privacy Shield” means the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce.
- “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (“Process”, “Processes” and “Processed” shall have the same meaning).
- “Security Breach” has the meaning set forth in Section 7 of this DPA.
- “Sub-processor” means any sub-processor engaged by mParticle for the Processing of Personal Data.
- “Term” means the period from the Effective Date to the date the DPA is terminated in accordance with Section 11.1.
- “Third Party Partner” means any entity engaged by Customer for the Processing of Personal Data.
2. Processing Of Personal Data
- To the extent the Services involve the Processing of Personal Data, the parties agree that Customer is the Data Controller and mParticle is a Data Processor, and that the subject matter and details of the Processing of such Personal Data are described in Appendix 1. To the extent that the data protection legislation of another jurisdiction is applicable to either party’s Processing of data, the parties acknowledge and agree that the relevant party will comply with any obligations applicable to it under that legislation with respect to the Processing of that data. mParticle shall keep a record of all Processing activities with respect to Customer’s Personal Data as required under the GDPR.
- Each party will comply with the obligations applicable to it under the Data Protection Laws with respect to the Processing of Personal Data, including but not limited to providing the other party with accurate and up-to-date contact details for its Data Protection Officer. Customer shall, in its use or receipt of the Services, Process Personal Data in accordance with the requirements of the Data Protection Laws, and Customer will ensure that its instructions for the Processing of Personal Data comply with the Data Protection Laws. If mParticle believes or becomes aware that any of Customer’s instructions conflicts with any Data Protection Laws, mParticle shall inform Customer. As between the parties, Customer shall have sole responsibility for determining the legal basis for Processing of Personal Data and (to the extent legally required) for obtaining all consents from Data Subjects necessary for the collection and Processing of Personal Data within the scope of the Services.
- The objective of Processing of Personal Data by mParticle is the performance of the Services pursuant to the Agreement. During the Term of the Agreement, mParticle shall only Process Personal Data on behalf of and in accordance with the Agreement and Customer’s instructions and shall treat Personal Data as Confidential Information. Customer instructs mParticle to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement in order to provide the Services; and (ii) Processing to comply with other reasonable instructions provided by Customer where such instructions are acknowledged by mParticle as consistent with the terms of the Agreement. mParticle may Process Personal Data other than on the instructions of the Customer if it is mandatory under applicable law to which mParticle is subject. In this situation mParticle shall inform the Customer of such a requirement unless the law prohibits such notice.
3. Rights Of Data Subjects; Data Deletion
- As the Data Controller, Customer has the primary responsibility for honoring Data Subject access requests. mParticle shall provide reasonable and timely assistance to the Customer (at the Customer's expense) to enable the Customer to respond to: (i) any request from a Data Subject to exercise any of its rights under Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a Data Subject in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to mParticle (a “Direct Access Request”), mParticle shall to the extent legally permitted, promptly inform the Customer providing full details of the same and, upon request, provide the Customer with contact details of the Data Subject(s). If Customer fails to respond to a Direct Access Request within 30 days, mParticle reserves the right to take appropriate steps in its reasonable judgement to respond to such request(s).
4. mParticle Personnel
- mParticle shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data as well as any security obligations with respect to such Personal Data.
- mParticle will take appropriate steps to ensure compliance with the Security Measures outlined in Appendix 2 by its personnel to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that any such obligations survive the termination of that individual’s engagement with mParticle.
- mParticle shall ensure that access to Personal Data is limited to those personnel who require such access to perform the Services.
5. Sub-processors
- Customer acknowledges and agrees that mParticle may engage third-party Sub-processors in connection with the provision of the Services. Any such Sub-processors will be permitted to obtain Personal Data only to deliver the services mParticle has retained them to provide, and are prohibited from using Personal Data for any other purpose. mParticle will have a written agreement with each Sub-processor and agrees that any agreement with a Sub-processor will include substantially the same data protection obligations as set out in this DPA.
- A list of Sub-processors is available at http://docs.mparticle.com/guides/approved-subcontractors. mParticle may change the list of Sub-processors by giving no less than 5 business days’ notice via the mParticle user interface. If Customer objects to mParticle’s change in such Sub-processors, mParticle may, as its sole and exclusive remedy, terminate the portion of the Agreement relating to the Services that cannot reasonably be provided without the objected-to new Sub-processor by providing 30 days’ written notice to Customer.
- mParticle shall be liable for the acts and omissions of its Sub-processors to the same extent mParticle would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
- Customer acknowledges and agrees that Third Party Partners are not Sub-processors and mParticle assumes no responsibility or liability for the acts or omissions of such Third Party Partners.
6. Security; Audit Rights; Privacy Impact Assessments
- mParticle shall maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Customer’s Personal Data. mParticle will implement and maintain technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the "Security Measures"). As described in Appendix 2, the Security Measures include measures to encrypt Personal Data; to help ensure ongoing confidentiality, integrity, availability and resilience of mParticle’s systems and services; to help restore timely access to Personal Data following an incident; and for regular testing of effectiveness. mParticle may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
- mParticle will (taking into account the nature of the processing of Customer Personal Data and the information available to mParticle) assist Customer in ensuring compliance with any of Customer’s obligations with respect to the security of Personal Data and Personal Data breaches, including (if applicable) Customer’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by: (a) implementing and maintaining the Security Measures in accordance with Appendix 2; and (b) complying with the terms of Section 7 of this DPA.
- No more than once per year, Customer may engage a mutually agreed upon third party to audit mParticle solely for the purposes of meeting its audit requirements pursuant to Article 28(3)(h) of the GDPR. To request an audit, Customer must submit a detailed audit plan at least four (4) weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. Audit requests must be sent to security@mParticle.com. The auditor must execute a written confidentiality agreement acceptable to mParticle before conducting the audit. The audit must be conducted during regular business hours, subject to mParticle’s policies, and may not unreasonably interfere with mParticle’s business activities. Any audits are at Customer’s expense.
- Any request for mParticle to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from or in addition to those required by law. Customer shall reimburse mParticle for any time spent for any such audit at the rates agreed to by the parties. Before the commencement of any such audit, Customer and mParticle shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by mParticle.
- Customer shall promptly notify mParticle with information regarding any non-compliance discovered during the course of an audit.
7. Security Breach Management And Notification
- If mParticle becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Customer Personal Data transmitted, stored or otherwise Processed on mParticle’s equipment or facilities (“Security Breach”), mParticle will promptly notify Customer of the Security Breach. Notifications made pursuant to this section will describe, to the extent possible, details of the Security Breach, including steps taken to mitigate the potential risks and steps mParticle recommends Customer take to address the Security Breach.
- Customer agrees that an unsuccessful Security Breach attempt will not be subject to this Section. An unsuccessful Security Breach attempt is one that results in no unauthorized access to Customer Personal Data or to any of mParticle’s equipment or facilities storing Customer Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, or similar incidents.
- Notification(s) of Security Breaches, if any, will be delivered to one or more of Customer’s business, technical or administrative contacts by any means mParticle selects, including via email. It is Customer’s sole responsibility to ensure it maintains accurate contact information on mParticle’s support systems at all times.
- mParticle’s notification of or response to a Security Breach under this Section 7 will not be construed as an acknowledgement by mParticle of any fault or liability with respect to the Security Breach.
- mParticle shall implement reasonable technical and organizational Security Measures to provide a level of security appropriate to the risk in respect of the Customer Personal Data. As technical and organizational measures are subject to technological development, mParticle is entitled to implement alternative measures provided they do not fall short of the level of data protection set out by Data Protection Law.
8. Return And Deletion Of Customer Data
- mParticle will enable Customer to delete Customer Data during the Term in a manner consistent with the functionality of the Services. If Customer uses the Services to delete any Customer Data during the Term, this use will constitute an instruction to mParticle to delete the relevant Customer Data from mParticle’s systems in accordance with Data Protection Laws.
- mParticle will comply with instructions from the Customer to delete certain Personal Data as soon as reasonably practicable and within a maximum period of 30 days, unless Data Protection Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage.
- On expiry of the Agreement, Customer instructs mParticle to delete all Customer Data (including existing copies) from mParticle’s systems and discontinue Processing of such Customer Data in accordance with Data Protection Law. mParticle will comply with this instruction as soon as reasonably practicable and within a maximum period of 30 days, unless Data Protection Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage. This requirement shall not apply to the extent that mParticle has archived Customer Data on back-up systems, so long as mParticle securely isolates and protects such data from any further Processing except to the extent required by applicable law. Without prejudice to this Section, Customer acknowledges and agrees that Customer will be responsible for exporting, before the Agreement expires, any Customer Data it wishes to retain afterwards. Notwithstanding the foregoing, the provisions of this DPA will survive the termination of the Agreement for as long as mParticle retains any of the Customer Personal Data.
9. Cross-border Data Transfers, Privacy Shield
- mParticle may, subject to this Section 9, store and process the relevant Customer Data in the European Economic Area and the United States.
- mParticle has self-certified to and complies with the Privacy Shield, and mParticle shall maintain its self-certification to and compliance with the Privacy Shield with respect to the Processing of Personal Data that is transferred from the European Economic Area or Switzerland to the United States.
10. Liability
- Both parties agree that their respective liability under this DPA shall be apportioned according to each party’s respective responsibility for the harm (if any) caused by that party.
- Liability Cap Exclusions. Nothing in this Section 10 will affect the remaining terms of the Agreement relating to liability (including any specific exclusions from any limitation of liability).
11. Term; General
- This DPA will take effect on the date it is executed by Customer and mParticle at the bottom of this Agreement (the “Effective Date”) and will remain in effect until, and automatically expire upon, the deletion of all Customer Data by mParticle or Customer as described in this DPA.
- Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA.
- Where Customer’s Affiliates are Data Controllers of the Personal Data, they may enforce the terms of this DPA against mParticle directly.
- This DPA may be executed in any number of counterparts, each of which when executed shall constitute a duplicate original, but all the counterparts shall together constitute the one Agreement.
Appendix 1: Subject matter and details of the processing
The data importer is mParticle, Inc.
The data exporter is the customer.
The Personal Data concern the following categories of Data Subjects:
The users of the data exporter's websites, mobile applications and other digital mediums and any data received from Third Party Partners as described in the MSA.
Categories of data:
The Personal Data concern the following categories of data:
Data on user behavior collected through an SDK and/or pixels placed on the data exporter's websites, mobile applications and/or digital mediums, including email addresses, telephone numbers, mobile advertising identifiers and pseudonymous identifiers of the users of the data exporter's websites, mobile applications and/or digital mediums, as outlined in the MSA.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
The personal data transferred will be subject to the following basic processing activities (please specify):
The data importer will access, reproduce, display and store the relevant personal data in order to provide the services as set out in the Agreement made between (1) Customer and (2) mParticle Inc. effective April 15, 2019 and for no other purposes whatsoever.
Appendix 2: Security Measures
As a cloud-native company, mParticle makes extensive use of the Amazon AWS platform and the wide range of security features that it provides.
AWS uses a ‘Shared Responsibility Model’, where Amazon is responsible for securing the underlying infrastructure and networks, and mParticle secures the data hosted and the code that runs in that environment.
All mParticle systems use TLS, where supported, to protect data in transit between end user devices, the mParticle application and our partner services. Data is also encrypted at rest within the AWS environment using AES-256 encryption of our EBS volumes.
Our production secrets are protected using a combination of HashiCorp Vault, Amazon KMS and CloudHSM, with role-based access configured so that plaintext secrets are never stored on disk.
We make use of AWS Inspector to identify and report on known vulnerabilities in our production hosts.
All staff undergo background checks and annual security training and must adhere to published internal security policies. Policy areas include:
- Password strength and complexity
- Encryption and key management
- Device tooling and monitoring
- Secure development practices
- Secrets Management
- Disciplinary actions
We enforce strict role-based access control, with periodic audits, on all systems (corporate and production) and operate using the principle of least privilege. Staff are only given the access that they require to do their job. By default, no mParticle staff are able to access customer data, as it is both physically and logically separated from our corporate network. Developers are not granted access to the production infrastructure, and all deploys are performed by the Operations team.
We engage a number of highly respected third party penetration testing companies to provide at least annual assessments of our security stance. These tests include web application, infrastructure and social engineering engagements.
Our dedicated security team makes use of extensive monitoring and logging capabilities from all areas of our stack to identify malicious behavior with automated alerting in place to flag anomalies.
Only authorized devices are able to connect to our corporate networks, and all devices are required to have the following protections:
- Antivirus with automatic daily updates
- DNS protection using Cisco Umbrella to protect against malicious sites
- Full disk encryption. Every device is configured to use strong encryption to protect local data.
- Endpoint protection/management tools: we have tooling on every corporate system to ensure compliance and detect malicious behavior
- Automatic password protected screensaver locks
- Automatic account lockouts on number of authentication attempts
In addition, we use Active Directory and ADFS for centralized authentication, supplemented with multi-factor authentication for access to sensitive systems including our VPNs, AWS and production environments. For MFA we use Duo, physical YubiKeys and smart cards; access to individual production hosts is further restricted to SSH keys via locked-down bastion hosts.
We conduct thorough security audits of any third party vendors and sub-contractors that we engage with and expect at least a comparable level of security from them.