
Data Processing Agreement for ModerateKit

Effective Date: May 14, 2024 | Last Updated: July 19, 2024

This Data Processing Agreement ("DPA") is incorporated into the Terms of Service ("Agreement") between ModerateKit ("ModerateKit") and the entity agreeing to these terms ("Customer"). This DPA applies to the extent ModerateKit Processes Personal Data on behalf of Customer in the course of providing services under the Agreement. Both parties agree to comply with the following provisions with respect to any Personal Data.


Affiliate: Any entity which (directly or indirectly) controls, is controlled by, and/or is under common control with a Party.
Data Privacy Laws: All applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation the GDPR, CCPA, and others as applicable.
ModerateKit Data: Personal Data or Sensitive Confidential Information that ModerateKit receives from Customer or otherwise Processes for or on behalf of Customer in connection with the Agreement.
Personal Data: Any information relating to an identified or identifiable natural person as defined by applicable Data Privacy Laws.
Process and Processing: Any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.
Security Breach: The accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, or access to Personal Data.
Subprocessor: Any Affiliate or other direct or indirect subcontractor that Processes Personal Data or has access to Customer Systems for ModerateKit.


This DPA applies to all Personal Data and all access to Customer Systems in connection with the Agreement.

Data Use Limitation

ModerateKit will use, disclose, retain, and otherwise Process Personal Data only to provide services to Customer under the Agreement in compliance with applicable Data Privacy Law and Customer’s written instructions unless applicable Data Privacy Law obligates ModerateKit to engage in different Processing of the data. In such a case, ModerateKit shall inform Customer of that applicable Data Privacy Law within five (5) business days before commencing the different Processing unless prohibited by law.

System Access Limitation

ModerateKit will access Customer Systems only within the scope of Customer’s written authorization and only to provide services to Customer under the Agreement in compliance with applicable Data Privacy Law. Customer may deny, revoke, or monitor access to Customer Systems for security concerns or other lawful purposes in its sole discretion.

Notification of Opinion Regarding Instructions

If, in ModerateKit’s opinion, an instruction from Customer regarding Personal Data infringes applicable Data Privacy Law, ModerateKit shall promptly inform Customer and suggest alternative actions to achieve compliance.

Personnel Security

ModerateKit will ensure that persons permitted to Process Personal Data or access Customer Systems are reliable, competent, and trustworthy. This includes appropriate background checks (e.g., criminal background checks, employment verification), training, confidentiality agreements, and access restrictions.

Assistance with Data Subjects’ Rights and Other Third-Party Requests

ModerateKit will provide reasonable assistance to Customer for fulfilling Customer’s obligations to honor requests by individuals to exercise their rights under applicable Data Privacy Laws. This assistance may include providing necessary information, facilitating access requests, and making technical adjustments. ModerateKit will notify Customer within three (3) business days of receiving any request or complaint related to any Personal Data. ModerateKit will not respond to any such requests unless authorized in writing by Customer, except as required by applicable Data Privacy Law.


ModerateKit shall implement appropriate technical and organizational measures to ensure a level of security for Personal Data and access to Customer Systems appropriate to the risk. Such measures may include encryption, pseudonymization, regular security assessments, and access controls. ModerateKit will provide reasonable assistance to Customer in ensuring compliance with security obligations under applicable Data Privacy Law.

Security Breach

ModerateKit will comply with Security Breach-related obligations directly applicable to it under applicable Data Privacy Law. ModerateKit will inform Customer within 24 hours of determining that a Security Breach likely occurred and provide ongoing updates with relevant information. ModerateKit will assist Customer with measures to reduce risks to individuals and comply with applicable Data Privacy Law.

Return and Destruction of Data

Upon termination of services, ModerateKit will return or securely destroy all Personal Data as instructed by Customer, unless legally required to retain the data, in which case ModerateKit will inform Customer and ensure compliance with Data Privacy Laws.

Secure Deletion: Any personal data not retained will be securely deleted in compliance with applicable standards and practices to ensure that it cannot be recovered or reconstructed.
Documentation: ModerateKit will provide a certificate of data destruction upon the Customer’s request to verify that personal data has been properly disposed of.


ModerateKit may subcontract the Processing of Personal Data or access to Customer Systems only in compliance with applicable Data Privacy Law and any conditions set forth in the Agreement. ModerateKit remains responsible for its Subprocessors and liable for their acts and omissions.

International Data Transfers

Customer authorizes ModerateKit and its Subprocessors to make international transfers of Personal Data in compliance with applicable Data Privacy Law, including the use of Standard Contractual Clauses (SCCs) or other legal mechanisms to ensure adequate protection for Personal Data.

Assurance of Compliance

ModerateKit will provide all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by Customer or another auditor designated by Customer.


ModerateKit shall indemnify, defend, and hold harmless Customer from any claims arising out of or relating to ModerateKit’s breach of this DPA. This indemnity is not subject to any contractual limitation.

Required Disclosures

Customer may provide this DPA and a copy of the relevant privacy and security provisions of the Agreement to a regulator or Customer’s client as required by applicable Data Privacy Law.


The provisions of this DPA survive the termination or expiration of the Agreement for as long as ModerateKit or its Subprocessors Process Personal Data or have access to Customer Systems.

Data Retention and Deletion

Types of Data Retained:

ModerateKit retains the following categories of personal data provided by the Customer or End User (Customer's Customer):

Contact Information: Customer Email Addresses.
Identification Data: Customer User IDs.
Financial Data: Customer Payment Information, Customer Transaction History.
Usage Data: Customer Login Information, Customer Activity Logs.
Communication Data: Records of communication with ModerateKit Support and Sales.

Types of Data Not Retained:

ModerateKit does not retain sensitive personal data of the Customer or End User (Customer's Customer) unless explicitly required and authorized by the Customer in compliance with applicable Data Privacy Laws. Sensitive data includes but is not limited to:

Contact Information (not outlined above)
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic or biometric data
Health information
Sexual orientation

Retention Periods:

General Data: Personal data will be retained while the customer is using ModerateKit and as long as necessary to fulfill and comply with legal obligations. Specific retention periods may be defined by applicable Data Privacy Laws or as agreed with the Customer.
Upon Termination: Upon termination of services, ModerateKit will either return all personal data to the Customer or securely destroy it, as instructed by the Customer, unless a longer retention period is required by law.

Destruction of Data:

Secure Deletion: Any personal data not retained will be securely deleted in compliance with applicable standards and practices to ensure that it cannot be recovered or reconstructed.
Documentation: ModerateKit will provide a certificate of data destruction upon the Customer’s request to verify that personal data has been properly disposed of.

By using ModerateKit, you consent and agree to this Data Processing Agreement, which forms part of the Terms of Service which can be found at