Effective Date: October 16, 2023
This Data Processing Agreement (“DPA”) reflects the agreement between MSPintegrations, LLC (“MSPintegrations,” “we,” “us,” or “our”) and registered Subscribers (“Subscribers,” “you,” or “your”) with respect to the processing of Personal Data by MSPintegrations on your behalf in connection with your access and ongoing use of MSPintegrations Products.
This DPA is made pursuant to the MSPintegrations Subscription Agreement (“Subscription Agreement”) and supplements and forms an integral part of the Subscription Agreement and is effective as of your first use of any MSPintegrations Products. All terms and conditions of the Subscription Agreement apply to this DPA unless clearly stated otherwise in this DPA. Should a conflict between this DPA and the Subscription Agreement exist, the terms of this DPA shall control.
Acceptance of this DPA
Your access to and use of MSPintegrations Products is conditional on your acceptance of the terms and conditions of this DPA. By accessing and using MSPintegrations Products, you agree on your own behalf and on behalf of any Authorized Affiliates on whose behalf you may act to accept and abide by this DPA. If you do not agree with all terms and conditions of this DPA, please do not access or use any MSPintegrations Products.
Modification to this DPA
We reserve the right to modify this DPA at any time by posting an updated DPA on the Site. If we make changes, we will notify you by revising the date at the top of the policy. We may also, at our sole discretion, provide active Subscribers with an email notice of changes. You are responsible for regularly reviewing this DPA, and your continued use of MSPintegrations Products after the effective date of any change shall constitute your acceptance of the updated DPA. If any modification is unacceptable to you, you shall cease using the Integration. If you have any questions about this DPA, you may contact us at firstname.lastname@example.org.
- Definitions. Capitalized terms not defined herein have the meaning set forth in the Subscription Agreement.
“Data Protection Laws” means, as applicable, data protection laws of the State of California under the CCPA and the laws of the European Union (“EU”) and, to the extent applicable, the data protection or privacy laws of any other country. Data Protection Laws include, without limitation, the EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced, or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
“Data Subjects” means Subscriber’s Clients, representatives, and end users, such as employees, job applicants, contractors, collaborators, partners, suppliers, customers, and clients.
“GDPR” means EU General Data Protection Regulation 2016/679.
“Member State” means a country that is a member of the European Union or the European Economic Area.
“Personal Data” shall have the same meaning as the term “personal information,” “personally identifiable information (PII),” or the equivalent term under applicable Data Protection Law.
“Personal Data Breach” means a breach of security leading to the misappropriation or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed on MSPintegrations systems or the Services that compromises the security, confidentiality or integrity of such Personal Data.
“Personnel” means all workers, including, without limitation, MSPintegrations’ employees, contractors, and others employed or contracted by MSPintegrations that have access to, store, Process, or use Subscriber Personal Data.
“Process/Processing,” “Controller,” and “Processor” (or the equivalent terms) have the meaning set forth under applicable Data Protection Law.
“Regulator” shall have the same meaning as the term “supervisory authority,” “data protection authority,” or the equivalent term under applicable Data Protection Law.
“Sensitive Data” means (i) any patient, medical, or other protected health information regulated by HIPAA or any similar federal or state laws, rules, or regulations; or (ii) any other information subject to regulation or protection under specific laws such as the Gramm-Leach-Bliley Act (or related rules or regulations).
“Special Category Data” means any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
“Subcontractor” means MSPintegrations’ vendors, agents, subcontractors, and all other persons, entities, or organizations, exclusive of Subscriber employees or Third-Party Services providers who are subject to the direction, supervision, and control of Subscriber.
“Sub-Processor” means any Subcontractor engaged by MSPintegrations to Process Subscriber Personal Data who are identified by MSPintegrations in the Subscription Agreement or otherwise approved or acknowledged in writing by Subscriber.
“Subscriber Personal Data” means the Personal Data about Subscriber and its personnel or Clients that MSPintegrations receives from Subscriber, or otherwise Processes for or on behalf of Subscriber in the provision of MSPintegrations Products under our Subscription Agreement.
This DPA applies if and to the extent Subscriber Personal Data is received by MSPintegrations from or on behalf of Subscriber as a data Processor while providing MSPintegrations Products under the Subscription Agreement.
This DPA begins when MSPintegrations first Processes Subscriber Personal Data and continues thereafter for the period during which MSPintegrations is a data Processor and has possession or access to Subscriber Personal Data in connection with MSPintegrations Products.
- MSPintegrations Responsibilities
MSPintegrations will Process Personal Data solely for the purpose of providing MSPintegrations Products in accordance with the Subscription Agreement and this DPA or as otherwise instructed by Subscriber. MSPintegrations does not control the type of Personal Data Subscriber submits to MSPintegrations for Processing through MSPintegrations Products. MSPintegrations may Process some or all of the following categories of Personal Data: personal contact information such as name, home address, home telephone or mobile number, fax number, email address, and passwords; information concerning family, lifestyle and social circumstances including age, date of birth, marital status, number of children and name(s) of spouse and/or children; employment details including employer name, job title and function, employment history, salary and other benefits, job performance, and other capabilities, education/qualification, identification numbers, and business contact details; financial details; goods and services provided; unique IDs collected from mobile devices, network carriers or data providers; IP addresses and online behavior and interest data.
MSPintegrations will comply with all reasonable instructions provided by Subscriber in the Processing of Subscriber Personal Data. If MSPintegrations cannot comply with Subscriber’s instructions for any reason, it agrees to promptly inform Subscriber of its inability to comply. Subscriber is solely responsible for the legality or reasonableness of any instructions provided by it to MSPintegrations relating to Processing Personal Data.
MSPintegrations will implement and maintain reasonable policies, procedures, and practices that satisfy the applicable requirements set forth in this DPA.
- Subscriber Responsibilities
Subscriber is responsible for compliance with its requirements under the applicable Data Protection Laws.
No Special Categories of Data
Unless otherwise specified in the Subscription Agreement, Subscriber may not provide MSPintegrations with any Sensitive Data or Special Category Data that imposes specific data security or protection obligations on MSPintegrations in addition to or different from those specified in this DPA or the Subscription Agreement.
MSPintegrations may Process Personal Data as necessary to provide MSPintegrations Products, including where applicable for hosting and storage; backup and disaster recovery; service change management; issue resolution; applying new product or system versions, patches, updates, and upgrades; monitoring and testing system use and performance; IT security purposes including incident management; maintenance and performance of technical support systems and IT infrastructure; and migration, implementation, configuration, and performance testing.
MSPintegrations may subcontract its Processing work that relates to Personal Data under the Subscription Agreement to Third-Party Services providers identified in the Subscription Agreement or any related documentation. Subject to applicable Data Protection Laws, Subscriber agrees that MSPintegrations may later use Sub-Processors not identified in the Subscription Agreement if, prior to the use of any additional Sub-Processor, MSPintegrations provides notice to Subscriber of such additional Sub-Processors. Subscriber will have fourteen (14) days from the date of notice to provide a justifiable and reasonable objection to the use by MSPintegrations of such Sub-Processor. MSPintegrations will require that its Sub-Processors maintain adequate measures reasonably appropriate to such Sub-Processor’s storage, maintenance, or processing activities that comply in all material respects with the relevant obligations in this DPA. MSPintegrations is responsible for its Sub-Processor’s compliance with the terms of this DPA and applicable Data Protection Laws.
- International Transfers
Unless otherwise specified in an applicable Order, MSPintegrations may Process Personal Information globally as necessary to perform the Services. If an Order or any applicable addenda indicates a specific geographic location where Subscriber Personal Data will be stored and hosted (“Country of Origin”), then any transfer of Subscriber Personal Data outside of the Country of Origin by MSPintegrations (if any) will only be done through written permission of Subscriber and in compliance with the relevant provisions of the Data Protection Laws in the originating country.
- Cooperation and Inquiries
The parties will promptly inform the other party if it receives any inquiry, complaint, or claim from any court, governmental official, third parties, or individuals (including but not limited to Data Subjects) arising out of the Services and will provide the other party reasonable support and cooperation in a timely manner in responding to any such request. Should MSPintegrations directly receive a request or inquiry from a Data Subject that has identified Subscriber as the Controller, MSPintegrations will promptly pass on such requests to Subscriber without responding to the Data Subject. Should Subscriber, on the basis of applicable law, be obliged to provide access or information to a Data Subject about the Processing of Personal Data relating to him or her, MSPintegrations will reasonably assist Subscriber in providing such access or information.
- Confidentiality and Information Security
MSPintegrations has implemented and will maintain appropriate technical and organizational security measures for the Processing of Personal Data designed to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. These security measures govern all areas of security applicable to MSPintegrations Products, including physical access, system access, data access, transmission and encryption, input, data backup, data segregation and security oversight, enforcement, and other security controls and measures. All MSPintegrations employees and contractors, as well as any Sub-Processors that Process Personal Data, are subject to appropriate written confidentiality arrangements.
- Data Breach Incidents
When known or reasonably suspected by MSPintegrations while providing MSPintegrations Products under the Subscription Agreement, MSPintegrations will inform Subscriber without undue delay if MSPintegrations becomes aware of a Personal Data Breach. MSPintegrations will take appropriate measures to address the Personal Data Breach, including, where appropriate, securing Personal Data, and will work in good faith to reduce risk to the Data Subjects whose Personal Data was involved. Applicable Data Protection Laws may impose a duty to inform the competent authorities or affected Data Subjects in the event of the loss or unlawful disclosure of Personal Data or access to it, and MSPintegrations agrees to provide Subscriber with sufficient information to allow Subscriber to meet any obligations to report or inform Data Subjects of the Personal Data Breach under applicable Data Protection Laws. MSPintegrations will cooperate with Subscriber and take reasonable steps as necessary to assist in the investigation, mitigation, and remediation of each Personal Data Breach. Subscriber is responsible for and will coordinate the messaging related to any privacy violation, security breach, or data breach incident with MSPintegrations prior to making any public disclosures.
- Inspection and Audit Rights
- Form of Audit. Subscriber may inspect, at Subscriber’s expense, MSPintegrations’ operating facilities or conduct an audit of MSPintegrations’ security, technical, and organizational procedures used for Processing Subscriber Personal Data to verify compliance with this DPA (“Audit”). Unless otherwise required by applicable Data Protection Laws, Subscriber may Audit MSPintegrations’ compliance with this DPA once per twelve (12) month period, unless a violation of MSPintegrations’ obligations is found, in which case Subscriber may conduct another Audit within six (6) months. The Audit may be conducted by Subscriber’s data protection officer or a mutually accepted authorized representative or third-party auditor. MSPintegrations agrees to provide Subscriber with any reasonably necessary information and documents during the Audit. All Audits will be performed during normal working hours and in such a way that the Audit does not disrupt or compromise MSPintegrations’ normal business operations. In addition, MSPintegrations will cooperate with any Audit ordered by a relevant Regulator that arises from its performance under the Subscription Agreement. Notwithstanding the foregoing, any Audit shall not entitle Subscriber to view or in any way access records and/or processes: (i) not directly related to Subscriber Personal Data Processed by MSPintegrations; (ii) not directly related to the MSPintegrations Products provided to Subscriber under the Subscription Agreement; (iii) in violation of applicable laws; and/or (iv) in violation of MSPintegrations’ confidentiality obligations owed to a third party.
Scope of Audit
Prior to any Audit, the parties must mutually agree in writing on the scope of the Audit, which must describe the proposed scope, duration, and start date of the Audit. Subscriber must provide prior written notice, including a written explanation of the reason for the Audit, to MSPintegrations no later than thirty (30) days before any such Audit commences. Prior to any Audit, both parties shall agree to pursue, in good faith, other means of reconciling the documents that would render such Audits not necessary. Audits may be performed by a third party mutually accepted by the parties, and any such third party auditor must sign a confidentiality agreement acceptable to MSPintegrations, or otherwise be bound by a statutory or legal confidentiality obligation. Such third-party Auditor may not disclose to Subscriber anything other than the results of MSPintegrations’ compliance or non-compliance with the Audit.
Disclosure of Audit
Subscriber agrees to provide MSPintegrations with the results of the Audit, including any documented reports, which shall be subject to the confidentiality terms of the Subscription Agreement. Subscriber may use the Audit reports only for the purpose of meeting Subscriber’s requirements in accordance with applicable Data Protection Laws or for confirming MSPintegrations’ compliance with this DPA.
Subscriber may request that MSPintegrations Audit any Sub-Processor or provide confirmation that such an Audit has occurred (or, where available, obtain or assist Subscriber in obtaining a third-party audit report concerning the Sub-Processor’s operations) to verify compliance with the Sub-Processor’s obligations. Subscriber will also be entitled, upon written request, to receive copies of the relevant privacy and security terms of MSPintegrations’ agreement with any Sub-Processors that may Process Subscriber Personal Data.
Data Protection Impact Assessment
MSPintegrations will provide reasonable assistance to Subscriber with any data protection impact assessments which Subscriber reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Subscriber Personal Data by MSPintegrations.
The parties agree that: (i) if one party is held liable for a violation of the Data Protection Laws committed by the other party, the latter will, to the extent to which it is liable, indemnify the other party for any cost, charge, damages, expenses, or loss it has incurred as part of its obligations; and (ii) the limitations of liability provided in the Subscription Agreement, including the aggregate liability cap, apply to this DPA.
- Deletion of Personal Data
Following termination of the Subscription Agreement, MSPintegrations will, except to the extent provided in the Subscription Agreement or prohibited by applicable law, and at the written request of Subscriber, return to Subscriber or destroy and delete all Subscriber Personal Data subject to Processing. Upon request from Subscriber, MSPintegrations will certify in writing to Subscriber that it has complied with the foregoing obligations.
- Legal Requirements
MSPintegrations may be required by law to provide access to Personal Data, such as to comply with a subpoena or other legal process, or to respond to government requests, including public and government authorities, for national security and/or law enforcement purposes. MSPintegrations will promptly inform Subscriber of requests for access to Subscriber Personal Data unless otherwise required by law.
If any provision of this DPA is held invalid or unenforceable by any court or agency of competent jurisdiction, the parties shall mutually agree on an alternate, legally valid, and enforceable provision. The remainder of this DPA shall nevertheless continue in full force and effect to the extent that continued operation under this DPA without the invalid or unenforceable provision is consistent with the intent of the parties as expressed in this DPA.
- Governing Law
This DPA will be governed by the choice of law and jurisdiction provisions contained in the Subscription Agreement unless otherwise required by applicable Data Protection Laws.
Except as otherwise set forth in this DPA, all terms and conditions contained in the Subscription Agreement and not amended herein shall remain in full force and effect. In the event of a conflict between the Subscription Agreement and this DPA or any other confidentiality term in an agreement between us, the order of precedence in respect of the Processing of Subscriber Data shall be this DPA and then the Subscription Agreement.
If you have any questions or complaints about this Data Processing Agreement or our handling of Subscriber Personal Data, please contact us at email@example.com.