Data Processing Acknowledgment

Last Updated: December 12, 2024

This Data Processing Acknowledgement (“DPA”) governs Mimicrii, Inc. (“Mimicrii”)’s processing of personal data or confidential information provided by Customer that Mimicrii processes on behalf of Customer (“Customer Data”) through Mimicrii’s services (“Services”) under the terms of certain agreement(s) between Customer and Mimicrii governing the Customer’s use of the Services (the “Agreement”), and is hereby incorporated into the Agreement. To the extent there is a conflict between the Agreement and this DPA, this DPA takes precedence unless the Agreement expressly overrides particular terms of this DPA.

Customer is the entity that determines the purposes and means for which Customer Data is processed (“Data Controller”), and Mimicrii processes Customer Data on the Data Controller’s behalf and in accordance with the Data Controller’s written instructions (“Data Processor”). The terms “Data Controller” and “Data Processor” shall have the same meaning as those similar concepts used in any applicable privacy, data security, and data protection laws and regulations (“Data Protection Laws”). Mimicrii and Customer each agree to comply with their respective obligations under Data Protection Laws. 

1. Customer Data Processing Requirements. Mimicrii agrees to use Customer Data solely for the nature, purpose, and duration of the processing identified in the Agreement and in this DPA. For clarity, as Data Processor, Mimicrii will not sell or share Customer Data, nor will Mimicrii use, disclose, retain, or otherwise process Customer Data (i) for a purpose other than the specific purpose of providing the Services; (ii) outside of the direct business relationship between Mimicrii and Customer and the written instructions received from Customer; and (iii) in a manner inconsistent with applicable Data Protection Laws. The parties agree that any Customer Data exchanged between them in connection with the Agreement is not consideration from either party to the other with respect to the Agreement or otherwise. Where the Customer Data is subject to the California Privacy Rights Act of 2020 (“CCPA”), Mimicrii will not combine any Customer Data with any personal data or personal information as defined under applicable Data Protection Laws (“Personal Data”) that Mimicrii receives from or on behalf of another party, or collects from its own interactions with individuals, except as otherwise permitted under the CCPA. The foregoing sentence does not apply to Customer Data that has been anonymized, aggregated, or de-identified to the extent the Agreement permits or instructs Mimicrii to process or use Customer Data that is anonymized, aggregated, or de-identified. In such cases, Mimicrii will (i) adopt reasonable measures to prevent such de-identified data from being used to infer information about, or otherwise being linked to, a particular natural person or household; (ii) not make attempts to re-identify the information, except solely for the purpose of determining whether its de-identification process functions as designed; and (iii) before sharing de-identified data with any other party, contractually obligate such recipients to comply with the requirements of this provision.

2. Subprocessors. Mimicrii may disclose Customer Data to Mimicrii’s sub-processors as necessary to deliver the Services or to help satisfy its obligations in accordance with this DPA (“Subprocessor”), and Customer hereby consents to the use of such Subprocessors. Mimicrii will enter into contractual arrangements with each Subprocessor binding them to provide a comparable level of data protection to that provided for in the Agreement and this DPA. Mimicrii agrees to be liable for the acts and omissions of its Subprocessors to the same extent Mimicrii would be liable under the terms of the DPA if it performed such acts or omissions itself, subject to the limitations of liabilities set forth in the Agreement. Upon Customer’s request, Mimicrii will provide Customer with a list of Mimicrii’s Subprocessors. Mimicrii will provide notification of a change regarding Subprocessors with at least fifteen (15) days prior notice before authorizing any new Subprocessors to process Customer Data. Customer may notify Mimicrii that Customer does not consent within fifteen (15) days on reasonable grounds relating to the protection of Customer Data by emailing privacy@. In such case, Mimicrii will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid processing by the objected-to, new Subprocessor without unreasonable burden to Customer. If Mimicrii is unable to make such a change within a reasonable amount of time, which shall not exceed sixty (60) days, Customer may terminate any applicable Agreements, order forms, or usage with respect only to those Services which cannot be provided by Mimicrii without the use of the objected-to, new Subprocessor, by providing written notice to Mimicrii. Mimicrii will refund to Customer any prepaid fees covering the remainder of the term of such Agreements, order forms or usage following the effective date of termination of the applicable Services. Such termination right is Customer’s sole and exclusive remedy if Customer objects to any new Subprocessor.

3. Notifications to Customer. Mimicrii will inform Customer if Mimicrii determines that an instruction from Customer violates any applicable Data Protection Laws and/or if Mimicrii can no longer meet its obligations under this DPA. If Mimicrii is required by Data Protection Laws to process any Customer Data for reasons outside of the Agreement, Mimicrii will inform Customer in advance of any such processing, unless prohibited by law. Mimicrii will provide Customer prompt notice if Mimicrii becomes aware of a legally required request for disclosure of Customer Data to law enforcement authorities, unless prohibited by law.  

4. Data Subject Rights. If Customer’s data subjects submit a complaint or request with respect to access to or the rectification, erasure, restriction, portability, objection, blocking, or deletion of Customer Data directly to Mimicrii, Mimicrii will inform the Customer and will not respond to such a request without Customer’s prior written authorization. Mimicrii will provide reasonable assistance to Customer to provide information necessary to respond to such requests.  

5. Security and Breach Prevention. Mimicrii will maintain reasonable and appropriate organizational and technical security measures to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Customer Data, and protect the rights of the Customer Data subjects. Appropriate safeguards will be taken to confirm that Mimicrii personnel are protecting the security, privacy, and confidentiality of Customer Data consistent with the requirements of this DPA, and Mimicrii will require that persons employed by Mimicrii and other persons engaged to perform on its behalf be subject to a duty of confidentiality with respect to the Customer Data and comply with the data protection obligations applicable to Mimicrii under the Agreement and this DPA. Mimicrii will inform Customer without undue delay if Mimicrii becomes aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Customer Data processed by Mimicrii for Customer (“Data Breach Incident”) by Mimicrii, its Subprocessors, or any other third parties acting on Mimicrii’s behalf. Mimicrii will provide reasonable assistance to Customer for investigation of any Data Breach Incident.

6. Customer Assistance, Audits, and Assessments. Mimicrii will cooperate with assessments or audits performed by or on behalf of Customer to confirm that Mimicrii is processing Customer Data in a manner consistent with this DPA and Data Privacy Laws (“Audits”) on the condition that: (i) the Audit is required by law; (ii) where permitted by law, Mimicrii may first provide a summary of the results of a third-party audit or certification report (“Third-Party Certification”) to demonstrate compliance; (iii) the Audit occurs if such Third-Party Certification is not sufficient to demonstrate Mimicrii’s compliance with the obligations set out in this DPA and Data Privacy Laws; (iv) Mimicrii is given at least 30 days advance written notice of the Audit; (v) the parties mutually agree upon the scope, time, and duration of the Audit; (vi) the Audit is at the Customer’s sole expense; and (vii) the Audit is conducted in a manner that is minimally disruptive to Mimicrii’s business. The results of such Audits and any Third-Party Certifications provided to Customer shall be the Confidential Information of Mimicrii. Where required by law, Mimicrii grants Customer the right to stop and remediate unauthorized use of Customer Data. Mimicrii will provide commercially reasonable assistance to Customer for the preparation of data protection impact assessments with respect to the processing of Customer Data by Mimicrii, and where necessary, provide consultations with any supervisory authority with jurisdiction over such processing.  

7. Customer Obligations. Customer represents and warrants that it has and will maintain throughout the term all necessary rights, consents, and authorizations to provide Customer Data to Mimicrii, and that it shall only transfer Customer Data to Mimicrii using secure, reasonable and appropriate mechanisms to the extent these mechanisms are within Customer’s control. Customer authorizes Mimicrii to use, disclose, retain, and otherwise process Customer Data as contemplated by the Agreement, this DPA, and/or other processing instructions provided by Customer to Mimicrii. Customer acknowledges and agrees that Customer, not Mimicrii, is responsible for certain design and configuration decisions related to the Services, and the secure implementation of these decisions that complies with applicable Data Protection Laws.  

8. International Transfers. Mimicrii will process Customer Data only on documented instructions from Customer, including transfers to a third country or an international organization, unless required to do so by applicable Data Protection Laws. Where Customer Data that originates in the European Economic Area is transferred to a country outside of Europe that is not subject to an adequacy decision, Mimicrii will do so in accordance with the standard contractual clauses adopted by the EU Commission on June 4, 2021 (“SCC”) which are hereby incorporated into this DPA by reference and deemed entered into and completed as follows: (i) Module 2 (Controller to Processor) of the SCCs applies when Customer is a controller and Mimicrii is processing Customer Data as a processor; (ii) Module 3 (Processor to Processor) of the SCCs applies when the Customer is a processor and Mimicrii is processing Customer Data as a subprocessor. For each of these modules, the following applies: (a) Clause 7 (Docking Clause) does not apply; (b) in Clause 9(a), Option 2 (General Written Authorization) is selected, and the minimum time period for prior notice shall be as set forth in Section 2 of this DPA; (c) the optional language in Clause 11 (Redress) does not apply; (d) the square brackets (“[” and “]”) in Clause 13 (Supervision) are hereby removed; (e) in Clause 17 (Governing Law), Option 1 is selected, and the parties agree that the SCCs will be governed by the law of the EU member state in which the data exporter is located; (f) in Clause 18 (Choice of Forum and Jurisdiction), the parties agree that any disputes arising from the SCCs shall be resolved by the courts of the EU member state in which the data exporter is located. The information required in Annex I and II of the SCCs is included in Appendix A and B of this DPA.
Customer Data that originates from Switzerland and is transferred to a country outside of Switzerland that is not subject to an adequacy decision shall be processed in accordance with the SCCs, with the following changes: (I) the term “EU member state” must not be interpreted to exclude data subjects from bringing legal proceedings before the courts in their place of habitual residence in Switzerland in accordance with Clause 18(c); and (II) the Swiss Federal Data Protection and Information Commissioner shall act as the competent supervisory authority insofar as the relevant data transfer is governed by the Swiss Federal Act on Data Protection. For Customer Data transfers originating from the United Kingdom and to a country outside of the United Kingdom that is not subject to an adequacy decision, the parties will comply with the terms of the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on February 2, 2022, as revised under Section 18 of the Mandatory Clauses (“UK Addendum”). The information required for Part One of the UK Addendum is set out in Appendix A of this DPA, as applicable. For the purposes of Table 4 of Part One of the UK Addendum, either party may end the UK Addendum when it changes.

9. Term and Termination. This DPA will remain in effect for as long as Mimicrii is processing Customer Data on Customer’s behalf, or until the termination of the Agreement, and all Customer Data has been returned or deleted in accordance with this DPA. Upon termination of this DPA, Mimicrii will direct each Subprocessor to delete Customer Data within thirty (30) days of the termination, unless prohibited by law.

APPENDIX A: Mimicrii DPA

SCC ANNEX I

LIST OF PARTIES

Data Exporter(s): Customer

Role: For the purposes of SCC Module 2, Customer is a controller. For the purposes of SCC Module 3, Customer is a processor. 

Data Importer(s): Identity and contact details of the data importer(s), including any contact person with responsibility for data protection. 

Company Name:  Mimicrii, Inc. 

Contact person’s name, position, and contact details: Salima Ghadimi, Operations, privacy@Mimicrii.com

Activities relevant to the data transferred under these Clauses: Performance of the Services pursuant to the Agreement. 

Signature and date: 

Role: Processor 

DESCRIPTION OF TRANSFER

_Categories of data subjects whose personal data is transferred_

Data exporter’s users. 

_Categories of personal data transferred_

Name, contact information, usernames, demographic information, and other information provided by users. 

_Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures._

No sensitive data is intended to be transferred, unless a user voluntarily and unexpectedly submits it. 

_The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)._

Continuous. 

_Nature of the processing_

The performance of the Services as described in the Agreement.

_Purpose(s) of the data transfer and further processing_

The performance of the Services as described in the Agreement.

_The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period_

During the term of the Agreement.

_For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing_

The performance of the Services as described in the Agreement. 

COMPETENT SUPERVISORY AUTHORITY

_Identify the competent supervisory authority/ies in accordance with Clause 13_

The data protection authority of the EU member state in which the data exporter is located.

APPENDIX B: Mimicrii DPA

SCC ANNEX II


TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Mimicrii has put in place technical and organizational security measures to protect Customer Data: 

Authentication and Authorization Controls. Mimicrii maintains best practices for authenticating and authorizing employee permissioning and service access: 

- Mimicrii uses single sign-on (SSO) to authenticate to third-party services. Role-based access controls (RBAC) are used when provisioning internal access to the Services via Okta;

- Multi-factor authentication is used by employees;

- Review and approval processes for any access requests to services storing Customer Data;

- Established procedures for promptly revoking access rights upon employee separation;

- Use of a third-party identity access management service to manage Customer identity (SSO);

- Separation of Customer Data by organization account.

Security. Mimicrii maintains best practices for securing and operating its cloud infrastructure, including the following measures: 

- Separate production and non-production environments;

- Primary backend resources are deployed behind a VPN;

- All employees are issued company devices and prohibited from using personal devices;

- All devices are provisioned via MDM, and devices are protected in the event of physical loss;

- Keys used for cryptographic protection are securely managed and stored in AWS KMS;

- Service logs are monitored for security and availability;

- Mimicrii maintains the following policies and standards: (1) information security policy; (2) computer and network security policy; (3) access control policy; (4) asset management policy; (5) incident management response policy.

Data Controls. Mimicrii maintains best practices to prevent the unauthorized reading, modification or disclosure of data at rest and during transfer: 

- All data is encrypted in transit and at rest;

- Production software is routinely monitored via logging, error handling and monitoring dashboards of live metrics. Unusual application states (i.e. unusually high error rates, slowness, failures) trigger alerts which are promptly investigated;

- Employee access to the Services follows the principle of least privilege, such that only employees with the relevant roles have access to the Services environment;

- Customer Data submitted to the Services is only used in accordance with the terms of the DPA, Agreement, and any other applicable contractual agreements in place with Customer.

Personnel. Mimicrii ensures all personnel are vetted and trained with respect to security practices. 

- Mimicrii requires all personnel to complete security training at least annually;

- All employees are run through background checks.