Data Processing Agreement

  1. This Data Processing MSA (“DPA”) supplements the Master Services MSA (the “MSA”) with MLM Protec customers (“Customer” or “you”) insofar as it relates to the processing of personal information. To the extent that this DPA conflicts with the MSA, including the Privacy Policy, this DPA will control.

    1. Definitions and Interpretation.

    Capitalized terms used in this DPA shall have the same meaning set forth for those terms in the MSA, unless a different meaning is specified herein.

    “Business Purpose” means the services described in the MSA.

    “Data Subject” means an individual who is the subject of Personal Information.

    “Personal Information” means any information MLM Protec processes for the Customer that (a) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in MLM Protec’s possession or control or that MLM Protec is likely to have access to, or (b) the relevant Privacy and Data Protection Requirements otherwise define as protected personal information.

    “Processing, processes, or process” means any activity that involves the use of Personal Information or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of processing, processes, or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Information to third parties.

    “Privacy and Data Protection Requirements” means all applicable federal, state, and foreign laws and regulations relating to the processing, protection, or privacy of the Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. This includes, but is not limited to, California Consumer Privacy Act (CCPA), the Massachusetts Data Security Regulation, the Nevada Online Privacy Law, or the EU’s General Data Protection Regulation (GDPR).

    “Security Breach” means any act or omission that compromises the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place to protect it. The loss of or unauthorized access, disclosure, or acquisition of Personal Information is a Security Breach whether or not the incident rises to the level of a security breach under the Privacy and Data Protection Requirements.

    “Standard Contractual Clauses (SCC)” means the European Commission’s Standard Contractual Clauses for the transfer of Personal Information from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU.

  2. 2. Applicable Privacy and Data Protection Requirements.

    When you use the Services, you may obtain Personal Information about your affiliates, customers, employees, leads, suppliers, or other individuals with whom you interact. That Personal Information may be subject to the protections of relevant Privacy and Data Protection Requirements. For purposes of clarity, the parties agree that Personal Information does not include data that is anonymized or de-identified in a manner that prevents the tracking or identification of any specific individual.

    Acknowledging that certain of your obligations under Data Privacy Law must be passed along to any company or individual that processes the Personal Information of your data subjects, we agree to perform the following functions and to facilitate your compliance in the following ways.

  3. 3. Personal Information Processing.

    Customer retains control of the Personal Information and remains responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to MLM Protec.

  4. 4. MLM Protec’s Obligations.

    4.1. MLM Protec will only process, retain, use, or disclose the Personal Information to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer’s instructions. MLM Protec will not process, retain, use, or disclose the Personal Information for any other purpose or in a way that does not comply with this DPA or the Privacy and Data Protection Requirements.

    4.2. MLM Protec will comply with any Customer request or instruction requiring MLM Protec to amend, transfer, or delete the Personal Information, or to stop, mitigate, or remedy any unauthorized processing.

    4.3. MLM Protec will maintain the confidentiality of all Personal Information, will not sell it to anyone, and will not disclose it to third parties unless the Customer or this DPA specifically authorizes the disclosure, or as required by law. If a law requires MLM Protec to process or disclose Personal Information, MLM Protec must first inform the Customer of the legal requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.

    4.4 MLM Protec will reasonably assist the Customer with meeting the Customer’s compliance obligations under the Privacy and Data Protection Requirements, taking into account the nature of MLM Protec’s processing and the information available to MLM Protec.

    4.5 The Customer acknowledges that MLM Protec is under no duty to investigate the completeness, accuracy, or sufficiency of any specific Customer instructions or the Personal Information other than as required under the Privacy and Data Protection Requirements.

  5. 5. Security Breaches and Personal Information Loss.

    5.1. MLM Protec will at all times implement appropriate technical and organizational measures designed to safeguard Personal Information against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, or damage.

    5.2. MLM Protec will promptly notify the other party if it becomes aware of any unauthorized or unlawful processing of the Personal Information; or any Security Breach.

    5.3. Immediately following any unauthorized or unlawful Personal Information processing or Security Breach, the parties will co-ordinate with each other to investigate the matter. MLM Protec will reasonably co-operate with the Customer in the Customer’s handling of the matter.

    5.4. MLM Protec will not inform any third party of any Security Breach without first obtaining the Customer’s prior written consent, except when law or regulation requires it.

    5.5. MLM Protec will cover all reasonable expenses associated with the performance of the obligations under this Section, unless the matter arose from the Customer’s specific instructions, negligence, willful default, or breach of this DPA, in which case the Customer will cover all reasonable expenses. MLM Protec will also reimburse the Customer for actual reasonable expenses the Customer incurs when responding to and mitigating damages, to the extent that MLM Protec caused a Security Breach.

  6. 6. Cross-Border Transfers of Personal Information.

    6.1. If the Privacy and Data Protection Requirements restrict cross-border Personal Information transfers, the Customer will only transfer that Personal Information to MLM Protec under the following conditions:

    • (a) MLM Protec, either through its location or participation in a valid cross-border transfer mechanism under the Privacy and Data Protection Requirements, may legally receive that Personal Information, however MLM Protec must immediately inform the Customer of any change to that status;
    • (b) the Customer obtained valid Data Subject consent to the transfer under the Privacy and Data Protection Requirements; or
    • (c) the transfer otherwise complies with the Privacy and Data Protection Requirements.

    6.2. If any Personal Information transfer between MLM Protec and the Customer requires execution of Standard Contractual Clauses in order to comply with the Privacy and Data Protection Requirements, the parties will complete all relevant details in, and execute, the Standard Contractual Clauses, and take all other actions required to legitimize the transfer.

    6.3. MLM Protec will not transfer any Personal Information to another country unless the transfer complies with the Privacy and Data Protection Requirements.

  7. 7. Subcontractors.

    7.1. MLM Protec may only authorize a third party (subcontractor) to process the Personal Information if MLM Protec enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this DPA.

    7.2. Where the subcontractor fails to fulfill its obligations under such written agreement, MLM Protec remains fully liable to the Customer for the subcontractor’s performance of its agreement obligations.

  8. 8. Complaints, Data Subject Requests, and Third Party Rights.

    8.1. MLM Protec must notify the Customer immediately if it receives any complaint, notice, or communication that directly or indirectly relates to the Personal Information processing or to either party’s compliance with the Privacy and Data Protection Requirements.

    8.2. MLM Protec must notify the Customer within 24 hours if it receives a request from a Data Subject for access to or deletion of their Personal Information.

    8.3. MLM Protec will give the Customer its full co-operation and assistance in responding to any complaint, notice, communication, or Data Subject request.

    8.4. MLM Protec must not disclose the Personal Information to any Data Subject or to a third party unless the disclosure is either at the Customer’s request or instruction, permitted by this DPA, or is otherwise required by law.

  9. 9. Term and Termination.

    9.1. This DPA will remain in full force and effect so long as the MSA remains in effect or MLM Protec retains any Personal Information related to the MSA in its possession or control (the “Term”).

    9.2. Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the MSA in order to protect Personal Information will remain in full force and effect.

    9.3. MLM Protec’s failure to comply with the terms of this DPA is a material breach of the MSA. In such event, the Customer may terminate any part of the MSA authorizing the processing of Personal Information effective immediately upon written notice to MLM Protec without further liability or obligation.

    9.4. If a change in any Privacy and Data Protection Requirement prevents either party from fulfilling all or part of its MSA obligations, the parties will suspend the processing of Personal Information until that processing complies with the new requirements. If the parties are unable to bring the Personal Information processing into compliance with the Privacy and Data Protection Requirement, they may terminate the MSA upon written notice to the other party.

  10. 10. Data Return and Destruction.

    10.1. At the Customer’s request, MLM Protec will give the Customer a copy of or access to all or part of the Customer’s Personal Information in its possession or control in the format and on the media reasonably specified by the Customer.

    10.2. On termination of the MSA for any reason or expiration of its term, MLM Protec will securely destroy or, if directed in writing by the Customer, return and not retain, all or any Personal Information related to this agreement in its possession or control. MLM Protec will certify in writing that it has destroyed the Personal Information after it completes the destruction.

    10.3. If any law, regulation, or government or regulatory body requires MLM Protec to retain any documents or materials that MLM Protec would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends. MLM Protec may only use this retained Personal Information for the required retention reason or audit purposes.

  11. 11. Records.

    MLM Protec will keep detailed, accurate, and up-to-date records regarding any processing of Personal Information it carries out for the Customer, including but not limited to, the access, control, and security of the Personal Information, approved subcontractors and affiliates, the processing purposes, and any other records required by the applicable Privacy and Data Protection Requirements (the “Records”). MLM Protec will ensure that the Records are sufficient to enable the Customer to verify MLM Protec’s compliance with its obligations under this DPA.

  12. 12. Warranties.

    12.1. MLM Protec warrants and represents that:

    • (a) it and anyone operating on its behalf will process the Personal Information in compliance with both the terms of this DPA and all applicable Privacy and Data Protection Requirements and other laws, enactments, regulations, orders, standards, and other similar instruments; and
    • (b) it has no reason to believe that any Privacy and Data Protection Requirements prevent it from providing any of the MSA’s contracted services; and
    • (c) considering the current technology environment and implementation costs, it will take appropriate technical and organizational measures to prevent the unauthorized or unlawful processing of Personal Information and the accidental loss or destruction of, or damage to, Personal Information, and ensure a level of security appropriate to:
    • (d) the harm that might result from such unauthorized or unlawful processing or accidental loss, destruction, or damage; and
      • (i) the nature of the Personal Information protected; and
      • (ii) comply with all applicable Privacy and Data Protection Requirements and its information and security policies, including the security measures required in Section 6.1.

    12.2. The Customer warrants and represents that MLM Protec’s expected use of the Personal Information for the Business Purpose and as specifically instructed by the Customer will comply with all Privacy and Data Protection Requirements.

  13. 13. Indemnification.

    13.1. MLM Protec agrees to indemnify, keep indemnified, and defend at its own expense the Customer against all costs, claims, damages, or expenses incurred by the Customer or for which the Customer may become liable due to any failure by MLM Protec or its employees, subcontractors, or agents to comply with any of its obligations under this DPA or applicable Privacy and Data Protection Requirements.

  14. 14. Notice.

    Any notice or other communication given to a party under or in connection with this DPA must be in writing and delivered to This Section does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.