Data Processing Addendum

This Data Processing Addendum ("DPA") is an agreement between MetaRouter and Customer, and supplements the MetaRouter Master Solution Agreement ("Agreement"). Capitalized terms not otherwise defined herein will have the meanings given to them in the Agreement. This DPA applies only to the extent that MetaRouter processes Personal Data for Customer as Customer’s processor or sub-processor. The MetaRouter Privacy Policy applies to Personal Data that MetaRouter processes for its own purposes, as the data controller.
‍

Definitions
‍In this DPA, the following definitions apply: 

"Data Protection Law" means all applicable current data protection and privacy legislation to the extent binding on the parties, and as may be updated or amended from time to time, and which may include, without limitation, (i) the General Data Protection Regulation (EU 2016/679) (“EU GDPR”) and the UK GDPR, as that term is defined by section 3(10), and as supplemented by section 205(4)), of the UK Data Protection Act of 2018 ("UK GDPR"); (ii) any national implementing laws (including laws implementing the EU GDPR or UK GDPR), and associated regulations and secondary legislation; and (iii) any other applicable national, provincial, federal, state, and/or local legislation, including, without limitation, the California Consumer Privacy Act (“CCPA”), and any associated regulations and secondary legislation.

"Data Subject" will have the meaning given to it in the Data Protection Law.

"EU Standard Contractual Clauses" or "EU SCCs" means the annex found in the European Commission decision of 4 June 2021 on the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at https://eur-ex.europa.eu/eli/dec_impl/2021/914/oj, specifically Module 2 and Module 3 (as applicable), and/or other standard contractual clauses adopted by the European Commission and entered into by the parties, from time to time.

"GDPR" means the EU GDPR and/or UK GDPR, as applicable.

"Instructions" has the meaning set forth in section 9.1 below.

"Standard Contractual Clauses" or "SCCs" means the EU Standard Contractual Clauses and/or the UK Addendum, as applicable.

"Sub-processor" means any data processor other than MetaRouter who have been instructed to process data on behalf of the Customer by MetaRouter.

"UK Addendum" means the ICO’s UK Addendum to the EU Standard Contractual Clauses, as amended from time to time, and available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.


Data Protection

1. Both parties will comply with all applicable requirements of the Data Protection Law. This DPA is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Law.

2. This DPA applies to Personal Data processed by MetaRouter for Customer, if any. In this context, MetaRouter may act as "processor" to Customer, who may act either as "controller" or "processor" (as those terms are defined in Data Protection Law) with respect to Personal Data. If Customer acts as a processor, Customer represents and warrants on an ongoing basis that the relevant controller has authorized the Instructions and Customer’s engagement of MetaRouter and its sub-processors. Customer will forward to the relevant controller promptly and without undue delay any notice provided by MetaRouter under this DPA.

3. Details of Personal Data Processing (Annex 1 and Annex 2 to the EU SCCs and/or Appendix 1 Information for the UK Addendum, if and as applicable):
‍
‍Data Exporter: the Customer, as the party sending or responsible for Customer Content, some of which may contain Personal Data, to MetaRouter for MetaRouter's processing in furtherance of provision of the MetaRouter Service.
‍
‍Data Importer: MetaRouter as a conduit of Customer Content transmitted through the use of the MetaRouter Service, some of which, unbeknownst to MetaRouter, may contain Personal Data.

‍Subject Matter: the subject matter of the data processing under this DPA is the data and content as described below. 

‍Purpose: the provision of the MetaRouter Service initiated by Customer from time to time. 

‍Nature of the Processing: provision of the MetaRouter Service as described in the Agreement and initiated by Customer from time to time. 

‍Categories of Data Subjects: the Data Subjects may include Customer's (and its customers’) users, visitors, guests, employees and staff, as well as any other individual(s) identified or identifiable within Customer Content shared by such persons and/or any others whose Personal Data is captured in Customer Content.

‍Description of Processing: in addition to Personal Data incidentally captured and processed as Customer Content in the MetaRouter Service ("Captured Personal Data"), MetaRouter collects and processes the following as a necessary step in providing the MetaRouter Service, all or some of which may or may not be personally identifying or identifiable information:
- IP addresses
- Authorized User login credentials
- Other identifiers (refer to table below)

Customer Content transmitted through the use of the MetaRouter Service may, unbeknownst to MetaRouter, contain Personal Data. Such Personal Data is held only for as long as needed to transmit it (except if and to the extent of such data the Customer elects to store, as data controller).

‍Special Categories of Data: the parties do not anticipate or knowingly collect or process highly sensitive or special categories of data.

‍Duration of Processing: during the term of the Customer’s subscription and for 90 days thereafter or as set forth in the table below.

‍Processing Operations: as described in this DPA, including Annex 1.


4. Customer will ensure and warrants that it has all necessary and appropriate consents and notices, in any form required by Data Protection Law, in place to enable lawful transfer of the Personal Data to MetaRouter for the duration and purposes of the Agreement. Customer acknowledges that the MetaRouter Service is not intended or designed for the processing of special categories of data or sensitive information (including as may be defined by applicable Data Protection Law), and Customer agrees not to enable the transmission of any such information or data through the MetaRouter Service. The parties agree that Personal Data processing is required as a part of MetaRouter's provision of the MetaRouter Service, and that Personal Data is not exchanged for monetary or other valuable consideration.

5. Customer will ensure and warrants that where Personal Data is transferred outside the European Economic Area ("EEA"), Switzerland, or outside the UK, as part of Customer’s use or deployment of the MetaRouter Service, adequate measures will be taken to ensure the Personal Data will be protected to an adequate level and the data subjects’ rights under the Data Protection Law will not be prejudiced by such a transfer. Subject to MetaRouter’s obligation in section 9.5 below with respect to MetaRouter sub-processors, and section 11 below with respect to the Standard Contractual Clauses if applicable, Customer acknowledges that Customer is solely responsible for ensuring that Personal Data is transferred out of the EEA, Switzerland, or the UK in full compliance with the Data Protection Law.

6. Customer will ensure and warrants that Customer utilizes appropriate technical and organizational measures to ensure a level of security appropriate to such risks, including, as appropriate, the measures referred to in the Data Protection Law.

7. Customer confirms that it has assessed any security measures in place at the time of this Agreement, and that it will continue to do so on an ongoing basis to ensure its obligations under this DPA. Customer is solely responsible (as between the parties) if such measures fail to meet the standards required by Data Protection Law.

8. Customer undertakes and confirms that any information required to be provided to a Data Subject has been so provided or an applicable exemption is available and is being relied upon by the Customer.

9. MetaRouter will, in relation to any Personal Data processed in connection with the provision of the MetaRouter Service:

9.1. process that Personal Data only on the written instructions of Customer in the form of (a) the Agreement (including this DPA), (b) Customer's use of the MetaRouter Service including Customer's preferences, settings and controls within the MetaRouter Service, and (c) any other written instructions provided by Customer and acknowledged by MetaRouter as valid instructions with which MetaRouter agrees to comply (collectively the "Instructions"), except to the extent MetaRouter is required to process data by applicable law or if in MetaRouter's opinion such Instructions infringe Data Protection Laws. In either case MetaRouter will notify Customer unless applicable law prohibits MetaRouter from so notifying Customer;

9.2. not access or use, or disclose to any third party, any Personal Data, except, in each case, as necessary to maintain or provide the MetaRouter Service, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order);

9.3. ensure that it has in place appropriate technical and organizational measures set forth in Annex 1 to this DPA designed to protect against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;

9.4. ensure that all MetaRouter personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;

9.5. ensure that where Sub-processors are used outside the EEA, Switzerland, or the UK such that Personal Data is transferred outside the EEA, Switzerland, or the UK, and such transfer is not to a third country that the EU Commission considers to provide an adequate level of protection (in the case of transfers subject to EU GDPR) or that the UK Secretary of State considers to provide an adequate level of protection (in the case of transfers subject to UK GDPR) or that is recognized as ensuring adequate protection under applicable Swiss law (in the case of transfers subject to Swiss data protection law), adequate measures will be taken to ensure the Personal Data will be protected to an adequate level (including without limitation use of the SCCs) and the Data Subjects’ rights under the Data Protection Law will not be prejudiced by such a transfer;

9.6. maintain general records of processing activities carried out on behalf of Customer as required by Data Protection Law;

9.7. taking into account the nature of the processing, insofar as reasonable and practicable, assist the Customer in responding to any request from a Data Subject and in ensuring compliance with its obligations under Data Protection Law with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

9.8. notify Customer without undue delay on becoming aware of a Personal Data security incident. MetaRouter is not obligated to report unsuccessful incidents or incidents that result in no unlawful or accidental destruction, loss, alteration, disclosure of, or unauthorized access to Personal Data or any of MetaRouter’s equipment or facilities storing Personal Data. Such non-reportable incidents may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers), or similar incidents. MetaRouter’s obligation to report or respond to a security incident under this section is not and will not be construed as an acknowledgement by MetaRouter of any fault or liability of MetaRouter with respect to the incident. MetaRouter has no obligation to assess or inspect data in order to identify information subject to any specific legal requirements;

9.9. make available to Customer all information reasonably necessary to demonstrate compliance with the obligations in this section 9 and, subject to section 14, to permit Customer-initiated audits and inspections (including those described in the SCCs), no more than once per calendar year at Customer's sole expense (including a reasonable fee charged by MetaRouter), to confirm compliance with this DPA and Data Protections Laws, on mutually agreed terms regarding the third party auditor (if any), confidentiality, timing, duration, and scope of such audits; and

9.10. at the written direction of Customer, delete Personal Data to the extent MetaRouter is capable of doing so via its standard retrieval and delete mechanism, unless required by applicable law to store the Personal Data.

10. Customer will immediately notify MetaRouter if any necessary appropriate consents and notices required to enable lawful transfer of Personal Data to MetaRouter for the duration and purposes of this Agreement have been breached, terminated, withdrawn, or are otherwise no longer valid.

11. The parties agree that (a) the EU SCCs apply if Personal Data from the EEA and/or Switzerland is transferred via use of the MetaRouter Service to MetaRouter in a country that is outside of the EEA or Switzerland, and such transfer is not to a third country that the EU Commission or the Swiss data protection authority considers to provide an adequate level of protection, and (b) the UK Addendum applies if Personal Data from the UK is transferred via use of the MetaRouter Service to MetaRouter in a country that is outside of the UK, and such transfer is not to a country that the UK Secretary of State considers to provide an adequate level of protection (such outbound transfers of Personal Data from the EU, Switzerland, or the UK, each an "EU/UK Outbound Transfer"). If no EU/UK Outbound Transfer occurs, the SCCs and this section 11 will not apply. As used in this section, the terms “Data Importer” and “Data Exporter” will have the meanings given to them in the Standard Contractual Clauses. The parties acknowledge that for the purposes of the Standard Contractual Clauses, MetaRouter is acting in the capacity of a Data Importer and Customer is the Data Exporter (notwithstanding that Customer may be located outside of the EEA/Switzerland/UK or is acting as a processor on behalf of third-party controllers). Each party will comply with the applicable obligations of the Standard Contractual Clauses in their respective roles as Data Exporter and Data Importer. The data subjects, categories of data, and processing operations (as required to be disclosed in Appendix 1 of the Standard Contractual Clauses) are as set forth in this DPA. Annex 1 to this DPA details the technical and security measures MetaRouter has implemented, as required to be disclosed in Appendix 2 of the Standard Contractual Clauses.

12. The parties further agree that for all EU/UK Outbound Transfers, the governing law of the Standard Contractual Clauses entered into by MetaRouter and the Customer will be: (a) the laws of Ireland, if the Customer is located in the EEA or Switzerland, or (b) the laws of the UK, if the Customer is located in the UK. If any inconsistency arises between this section 12 and any other provision for the governing law of the Standard Contractual Clauses entered into between Customer and MetaRouter, this section 12 will take precedence.

13. In the event of any conflict between this DPA and the EU Standard Contractual Clauses, the EU Standard Contractual Clauses will prevail. In the event of any conflict between this DPA and the UK Addendum, the UK Addendum will prevail.

14. Customer acknowledges and agrees that it shall exercise its audit rights under this DPA (including where applicable, the Standard Contractual Clauses) and any audit rights granted by Data Protection Law, by instructing MetaRouter to comply with the audit measures described in Annex 1 to this DPA, and if such measures fail to adequately confirm compliance as the parties may mutually agree, as stipulated in section 9.9 above.

15. MetaRouter represents and warrants that it has not received any order, request or other communication from a governmental body for the disclosure of Personal Data and it shall:

15.1. if it receives such order, request or other communication, attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, MetaRouter may provide Customer’s basic contact information to the relevant body. If compelled to disclose Personal Data to a governmental body, then MetaRouter will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless MetaRouter is legally prohibited from doing so;

15.2. publish a transparency report or provide information to Customer on request regarding: (a) the number of orders, requests or other communications from governmental bodies for the disclosure of Personal Data and/or assistance in surveillance processes and the type of information requested, (b) its responses to the foregoing, and (c) its process for challenging such confidential and non-confidential orders, requests and communications; and

15.3. notify Customer if its ability to maintain the confidentiality and security of Personal Data has been compromised for any reason including by orders, requests or communications described above, and cease processing, including receiving such Personal Data.

16. Customer agrees that MetaRouter may use Sub-processors (including Google Cloud, Amazon Web Services and/or Microsoft Azure) to fulfill its contractual obligations under this DPA or to provide certain services on its behalf, such as providing support services, and consents to the use of Sub-processors as described in this section. The MetaRouter website (currently posted at https://metarouter.io/sub-processors; such webpage constitutes Annex III/Appendix 3 to the Standard Contractual Clauses if and as applicable.) lists Sub-processors that are currently engaged by MetaRouter to deliver the MetaRouter Service. At least 10 business days before MetaRouter engages any new Sub-processor to carry out processing activities on Personal Data on behalf of Customer, MetaRouter will endeavor to provide Customer notice of that update as per the means specified for notices in the Agreement. If Customer objects to a new Sub-processor, Customer must notify MetaRouter in writing within ten days of Customer’s notice of the change (without prejudice to any termination rights Customer has under the Agreement), after which time Customer shall be deemed to have consented to the new sub-processor’s appointment in the absence of any such Customer notice. If Customer objects to a new Sub-processor, MetaRouter may either, in its sole discretion: (a) propose an alternative Sub-processor or remain with the current Sub-processor; or (b) refrain from the use of any Sub-processor; or (c) terminate the Customer's subscription on thirty days written notice.
‍
17. MetaRouter may propose revisions to this DPA by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an approved code of conduct or applicable certification scheme (which will apply when replaced by attachment to this Agreement). Customer and MetaRouter will negotiate such changes in good faith as soon as reasonably practicable. The parties agree that if any new versions or revisions to the EU SCCs are approved by the European Commission, or if any new versions or revisions to the UK Addendum is adopted by the UK, such that the implementation of the Standard Contractual Clauses in this DPA and/or UK Addendum no longer applies or is no longer appropriate, the parties shall work together to enter into the new SCCs as applicable as soon as reasonably practicable.

18. Where the EU SCCs apply to transfers of Personal Data governed by this DPA, the following options shall be deemed to be selected and incorporated, each clause reference in this section being a reference to a clause in the EU SCCs: (a) Clause 7 shall not apply; (b) at Clause 9, option 2 shall apply for both Module 2 and Module 3; and (c) at Clause 11, the optional redress mechanism shall not apply.

19. California Consumer Privacy Act (CCPA) Notice: as a "Service Provider" (as that term is defined in the CCPA), MetaRouter will process California Personal Data that is subject to the CCPA strictly for the purpose of providing to Customer the solutions and services described in the Agreement, or as otherwise permitted by the CCPA, and shall not retain, use, or disclose such data for any other purpose, or sell or share California Personal Data, except as permitted by the CCPA.

20. Customer agrees not to process any HIPAA Data via the MetaRouter Service unless Customer has entered into a Business Associate Agreement ("BAA") with MetaRouter. Unless a BAA is in place, MetaRouter will have no liability under this Agreement for HIPAA Data. "HIPAA Data" means any patient, medical or other protected health information regulated by US HIPAA or any similar US federal or state laws, rules or regulation.

21. Where the UK Addendum applies to transfers of Personal Data governed by this DPA, the parties agree that:

(a) the UK Addendum shall be populated by reference to this DPA and its Annex and that any changes in formatting (including for the avoidance of doubt with respect to Part 1: Tables) will not adversely affect the validity of the DPA or the compliance with Data Protection Law of any international transfers of Personal Data made thereunder;

(b) any formatting changes do not reduce the standard of Appropriate Safeguards (as defined in the UK Addendum) provided; and

(c) without prejudice to any of the rights and remedies under the Agreement, pursuant to Section 19 of the UK Addendum, neither party shall be entitled to terminate the UK Addendum.
‍
‍

Table of Categories of Personal Data Processed
‍Any of the following if and to the extent satisifying the definition of Personal Data: