European Data Processing Addendum

This European Data Processing Addendum (“DPA”) amends the applicable agreement (“Agreement”) between Mission Control NOC and HelpDesk Services Inc. or one of its affiliates (“Mission Control”) and the customer identified in an order (“Customer”) for an Mission Control Product only to the extent the Product is used to Process Personal Data covered under the GDPR.

Definitions

Capitalized words are defined in this section or when first used throughout this DPA or the applicable Agreement.

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.

“Controller”, “Data Subject”, “Processor”, Processing” will have the meaning set forth in Article 4 of the GDPR.

“Data Subject Request” means a request made by or on behalf of a Data Subject to exercise a right for access to, rectification, objection, erasure or other applicable right recognized by the GDPR of that Data Subject’s Personal Data.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

“Personal Data” means information relating to an identified or identifiable natural person (Data Subject) covered under the GDPR that is directly or indirectly submitted, stored or Processed via use of the Product by Customer, its Affiliates, clients or end users.

“Product” means a Product and all related services provided by Mission Control that Processes Personal Data covered by this DPA.

“Subprocessor” means a third party that, by reason of its role in performing services on behalf of Mission Control with respect to Mission Control’s provision of a Product, may have logical access to Personal Data covered by this DPA.

Effectiveness

This DPA will be effective from the later of (a) May 25, 2018; or (b) the date on which Customer clicks to accept the Agreement and this DPA or Mission Control and Customer otherwise agree to this DPA.

In the event of a conflict between this DPA and the Agreement concerning the subject matter hereof, the terms of this DPA will govern.

Duration of Processing/Term of DPA

This DPA and Mission Control Processing of Personal Data will terminate automatically upon termination of the Agreement and of any post termination period during which Mission Control makes Personal Data available for export by Customer, until its final deletion.

Controller/Processor Roles

For purposes of this DPA, the parties agree that Dato is a Processor of Personal Data.  This DPA does not apply where Mission Control is a Controller of Personal Data.

Customer may act either as a Controller or Processor, as applicable, of Personal Data.  If Customer is not the Controller of Personal Data, Customer represents and warrants to Mission Control that Customer has the right and authority to appoint Mission Control as a Processor and provide instructions to Mission Control , and such actions have been authorized by the appropriate Controller of the Personal Data.

Customer has sole responsibility for the quality, ongoing accuracy, legality and scope of Personal Data and the means by which Customer acquired Personal Data. Customer represents and warrants that it has sufficient rights and all third party consents as may be necessary and appropriate for the use of the Personal Data with the Product and that its submission of Personal Data to Mission Control will comply with the GDPR and all applicable laws.

Processing of Personal Data

Mission Control will Process the Personal Data only on the instructions of Customer, including through Customer’s use and configuration of the features within the Product.  Customer instructs Mission Control to Process the Customer Personal Data (a) to provide the applicable Product and related technical and administrative support consistent with the Product Terms of Use and this DPA; (b) as further instructed via Customer’s use of the Product; and (c) to comply with other reasonable instructions provided by Customer (via email or support tickets) that are consistent with the nature and scope of the Product.

Mission Control will inform Customer if, in its opinion, an instruction violates the terms of the GDPR.

Subject Matter and Nature of Processing

The subject matter and scope of Processing is Mission Control’s provision of the Product, including related technical and administrative support (through management portals or otherwise) that is the subject of the Agreement.  Mission Control will Process Personal Data that is provided directly or indirectly by Customer, its clients or end users to Mission Control for the purpose of providing the Product that is the subject of the Agreement.

Data Subject Requests

If Mission Control receives a Data Subject Request related to the Product, to the extent it is able to do so, and it is legally permitted, Mission Control will notify Customer and/or direct the Data Subject to make the request directly to Customer.

Customer is responsible for responding to any Data Subject Requests.  Taking into account the nature of the Processing, Mission Control will provide Customer with commercially reasonable assistance in responding to a Data Subject Request, to the extent legally permitted, if such Data Subject Request is reasonably possible consistent with the functionality of the Product and is required under applicable law. To the extent legally permitted, Customer will be responsible for any costs arising from Mission Control’s assistance.

Duty of Confidentiality

Mission Control ensures that its personnel engaged in the processing Personal Data have committed to maintain the confidentiality of Personal Data by requiring such personnel to execute written confidentiality agreements.

Data Deletion

Within a reasonable amount of time following expiration or termination of the applicable Product Terms of Use plus any post termination period during which Customer has the ability to export Personal Data, Mission Control will delete Personal Data.  Customer hereby instructs Mission Control to delete all Personal Data after such period.  It is Customer’s responsibility to export any Personal Data prior to its deletion.

Personal Data Breach

If Mission Control becomes aware of and confirms a breach of Mission Control’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data covered by the GDPR in Mission Control’s custody or control, Mission Control will, without undue delay, notify Customer and exercise best efforts to mitigate the effects and to minimize any damage resulting from such a security incident.

Customer agrees that an unsuccessful security incident will not be subject to this section.  An unsuccessful security incident includes but is not limited to things such as attempts at unauthorized access to Personal Data or to any of Mission Control’s equipment or facilities storing Personal Data, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers).

Mission Control’s obligation to report or respond to a security incident will not be construed as an acknowledgement of any fault or liability of Mission Control with respect to the security incident.  Mission Control will have no obligation to respond to any incidents caused by Customer or anyone acting with Customer’s authorization.

Subprocessing

Customer acknowledges and agrees that Mission Control Affiliates may be retained as Subprocessors and that Mission Control and its Affiliates respectively may engage third party Subprocessors as needed to provide a Product.  Customer hereby consents to the use of Subprocessors as described in this section.

A current list of Subprocessors for the Product will be available at – www.missioncontrolnoc.com/legal/subprocessors.  Mission Control will provide prior notification, by updating the list of Subprocessors and/or providing notice in the applicable Product management portal, of a new Subprocessor before authorizing such new Subprocessor to have access to Customer’s Personal Data in connection with the provision of the applicable Product.

Customer may reasonably object to Mission Control’a use of a new Subprocessor by notifying Mission Control promptly in writing, explaining the reasonable grounds for objection, within ten (10) business days   following Mission Control’s notice described above.  Mission Control will use commercially reasonable efforts to make available to Customer a change to Customer’s configuration or use of the Product to avoid use of the objected to new Subprocessor.  If Mission Control is unable to make available such change within a reasonable period of time, not to exceed thirty (30) days, either party as its sole remedy may terminate the applicable Agreement with respect only to those services which cannot be provided by Mission Control without the use of the objected-to new Subprocessor. In such case, Mission Control will refund any prepaid fees covering the remainder of the term applicable to such Product.

Mission Control will use only Subprocessors that have executed written contracts with Mission Control containing obligations that are substantially similar to those of Mission Control under this DPA.  Mission Control will be liable for the acts and omissions of its Subprocessors to the same extent Mission Control would be liable if performing the services of each Subprocessor directly under the terms of this DPA.

A Product or Product management portal may provide links or integrations or an API which may be used to facilitate integrations to or from third party products or services (“Third Party Applications”).  If Customer elects to integrate with, enable, access or use an API to interact with such Third Party Applications it does so at its own risk and Mission Control has no responsibility or liability for any Personal Data processed by or through such Third Party Applications.  Customer expressly acknowledges and agrees that all enabled Third Party Applications are expressly authorized by Customer and Mission Control is not a co-processor, subprocessor or controller with respect to any Personal Data processed by or on behalf of Customer through a Third Party Application.

Audit

Mission Control will cooperate with any Customer audit to verify Mission Control’s compliance with its obligations under this DPA by making available, subject to non-disclosure obligations, third party audit reports, where available, descriptions of security controls and other information reasonably requested by Customer regarding Mission Control’s security practices and policies.

Taking into account the nature of the Processing and the information available to Mission Control , Mission Control will provide, at Customer’s cost if legally allowed, commercially reasonable cooperation and assistance to Customer regarding Customer’s compliance obligations described in Articles 32-36 of the GDPR.

Limitation of Liability

To the maximum extent allowed by applicable law, the total combined liability for both Mission Control and Customer and any of their Affiliates arising out of or related to this DPA is subject to the exclusions and limitations of liability set forth in the applicable Agreement.  Any regulatory penalties imposed on either party resulting from this DPA will count toward such liability cap.

Security

Mission Control maintains commercially reasonable technical and organizational measures to protect against accidental or unlawful access, destruction, loss or alteration of Personal Data under its control.  Mission Control may modify such measures, provided that any changes will not result in a material degradation of the security measures.

A Product or Product management portal may make available certain Customer controlled security features, which may include multi-factor authentication, administrative access controls and local encryption.  Mission Control makes available best practices for Customer to adopt to help protect against accidental or unlawful access, destruction, loss or alteration of Personal Data.  Customer is responsible for securing Personal Data under its control, including but not limited to properly configuring and using available Customer controlled security features.

Transfers of Personal Data

Certain Products allow Customer the ability to use a data center located in the European Economic Area (“EEA”) for Processing of Personal Data.  For all such Products, Customer is responsible for using an appropriate data center location in the EEA.  Certain data related to technical and administrative support for a Product or its management portal (“Metadata”) may be hosted in the U.S. even if Customer uses an EEA data center.

Mission Control. and its U.S. subsidiaries self-certify to and comply with the EU-U.S. and Swiss-U.S. Privacy Shield as a transfer mechanism regarding the transfer of Personal Data from the European Union, the EEA and Switzerland to countries that do not ensure adequate levels of data protection.

The foregoing will not apply if Mission Control adopts an alternative GDPR recognized compliance standard for the lawful transfer of Personal Data outside the EEA, Switzerland or the UK.

Governing Law

This DPA is governed by the law of England and Wales and is subject to the exclusive jurisdiction of the courts of England and Wales.

Notices

Notice to Mission Control under this DPA should be sent to Mission Control, 330-1881 Steeles Ave West.  Toronto, Ontario, Canada.  M3H 0A1.  Attn: Legal Department.

If Customer is not the primary administrator for a Product (for example, a client who purchases a Product from a managed service provider) Customer acknowledges and agrees that Mission Control will communicate all notices related to this DPA via email or through the Product management portal with the party that is the primary administrator for the Product.

If Customer is the primary administrator for a Product (for example, a managed service provider that manages a Product for its client) Customer acknowledges and agrees that it is responsible for receiving and promptly relaying all notices related to this DPA received via email or through the Product management portal to the appropriate parties, including those notices required by applicable law.

It is Customer’s responsibility to maintain current, accurate contact information within the applicable administrative portal for the Product for purposes of facilitating all notices.

General

The terms of this DPA are confidential information of Mission Control covered by the confidentiality provisions of the applicable Agreement.  Customer agrees not to disclose the terms of this DPA.

Mission Control reserves the right to modify this DPA, including if different GDPR recognized compliance standards become available, or as needed to maintain compliance with the GDPR or other applicable law.