Octo Members Group Ltd operate a community for financial services professionals. Octo Members technology partner is Mighty Networks. They comply with both California (United States of America) and the EU (European Union) data protection laws. The below agreement sets out the responsibilities of Octo Members Group Ltd, Mighty Networks and any subprocessors appointed by both.
Mighty Networks EU Data Processing Addendum
Last updated: May 24, 2018
This Data Processing Addendum (“DPA”), forms part of the Agreement between Mighty Software, Inc. (“Mighty Networks”) and you, Octo Members Group Ltd, of a Mighty Network. It is effective on May 25, 2018 (“Effective Date”).
All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement. Terms used but not defined in this DPA, such as “controller,” “data subject,” “personal data,” “processing,” and “processor” will have the same meaning as set forth in the EU Data Protection Law.
“Affiliate” means an entity that directly or indirectly controls, is controlled by or is under common control with an entity.
“Data Protection Laws” means all data protection and privacy laws applicable to the processing of personal data under the Agreement, including, where applicable, EU Data Protection Law.
“EU Data Protection Law” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“Directive”) and on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and applicable national implementations of it (as may be amended, superseded or replaced).
“EEA” means the European Economic Area, United Kingdom and Switzerland.
“Privacy Shield” means the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework self- certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of 12 July 2016 and by the Swiss Federal Council on January 11, 2017 respectively.
“Privacy Shield Principles” means the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of 12 July 2016 (as may be amended, superseded or replaced).
“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Octo Members Group Ltd Data.
“Services” means any product or service provided by Mighty Networks to Octo Members Group Ltd pursuant to the Agreement.
“Subprocessors” means the other processors that are used by Mighty Networks to process Personal Data.
“Octo Members Group Ltd Data” means any personal data that Mighty Networks processes on behalf of Octo Members Group Ltd as a processor in the course of providing Services, as more particularly described in this DPA. Octo Members Group Ltd Data means all personal data provided directly by Octo Members Group Ltd to Mighty Networks, and all personal data that Members of Octo Members Group Ltd’s Networks provide when they registration for and participate in Octo Members Group Ltd’s Networks.
- Relationship with the Agreement
- 2.1 The parties agree that the DPA shall replace any existing data processing addendum the parties may have previously entered into in connection with the Services.
- 2.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
- 2.3 Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
- 2.4 Octo Members Group Ltd further agrees that any regulatory penalties incurred by Mighty Networks in relation to the Octo Members Group Ltd Data that arise as a result of, or in connection with, Octo Members Group Ltd’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall reduce Mighty Networks’ liability under the Agreement.
- 2.5 No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
- 2.6 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
- Scope and Applicability of this DPA
- 3.1 This DPA applies where and only to the extent that Mighty Networks processes Octo Members Group Ltd Data that originates from the EEA or that is otherwise subject to EU Data Protection Law on behalf of Octo Members Group Ltd as a processor in the course of providing Services pursuant to the Agreement.
- Roles and Scope of Processing
- 4.1 Role of the Parties.
As between Mighty Networks and Octo Members Group Ltd, Octo Members Group Ltd is the controller of Octo Members Group Ltd Data, and Mighty Networks shall process Octo Members Group Ltd Data only as a processor acting on behalf of Octo Members Group Ltd.
- 4.2 Octo Members Group Ltd Processing of Octo Members Group Ltd Data.
Octo Members Group Ltd agrees that (i) it shall comply with its obligations as a controller under Data Protection Laws in respect of its processing of Octo Members Group Ltd Data and any processing instructions it issues to Mighty Networks; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for Mighty Networks to process Octo Members Group Ltd Data and provide the Services pursuant to the Agreement and this DPA.
- 4.3 Mighty Networks Processing of Octo Members Group Ltd Data.
Mighty Networks shall process Octo Members Group Ltd Data only for the purposes described in this DPA and only in accordance with Octo Members Group Ltd’s documented, lawful instructions. The parties agree that this DPA and the Agreement set out the Octo Members Group Ltd’s complete and final instructions to Mighty Networks in relation to the processing of Octo Members Group Ltd Data and processing outside the scope of these instructions (if any) shall require prior written agreement between Octo Members Group Ltd and Mighty Networks.
- 4.4 Details of Data Processing
- a. Subject matter: The subject matter of the data processing under this DPA is the Octo Members Group Ltd Data.
- b. Duration: As between Mighty Networks and Octo Members Group Ltd, the duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms.
- c. Purpose: The purpose of the data processing under this DPA is the provision of the Services to the Octo Members Group Ltd and the performance of Mighty Networks’ obligations under the Agreement (including this DPA) or as otherwise agreed by the parties.
- d. Nature of the processing: Mighty Networks provides a platform for Octo Members Group Ltd to create and manage communities dedicated to an individual, identity, or interest. Octo Members Group Ltd invite people (“Members”) to connect with each other, to message, and to exchange information and content. Octo Members Group Ltd tailor their Mighty Network by the Members they invite, the conversations they organize, what they call their Mighty Network, and additional branding they may choose to use.
- e. Categories of data subjects: Any individual accessing and/or using the Services through the Octo Members Group Ltd’s account (“Users”); and any individual who joins one of Octo Members Group Ltd’s Networks (collectively, “End Users” or Members).
- f. Types of Octo Members Group Ltd Data:
- i. Octo Members Group Ltd and Users: Identification and contact data (name, email address, title, contact details, username); employment details (employer, job title, geographic location, area of responsibility); IT information (IP addresses, usage data, cookies data, online navigation data, location data, browser data); financial information (credit card details, account details, payment information);
- ii. End Users: Identification and contact data (name, gender, occupation, email address, title), personal interests or preferences (including marketing preferences and, if End User chooses to integrate Network account with social media profile, social media profile information); IT information (IP addresses, usage data, cookies data, online navigation data, location data (depending on End User’s settings) and browser data); financial information if End User must pay to join Network (credit card details, account details, payment information); and all other information provided by End User to Network.
- 4.5 Notwithstanding anything to the contrary in the Agreement (including this DPA), Octo Members Group Ltd acknowledges that Mighty Networks shall have a right to use and disclose data relating to the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing.
- 4.6 Tracking Technologies.
- 5.1 Authorized Subprocessors.
Octo Members Group Ltd agrees that Mighty Networks may engage Subprocessors to process Octo Members Group Ltd Data on Octo Members Group Ltd’s behalf. The Subprocessors currently engaged by Mighty Networks and authorized by Octo Members Group Ltd are listed in Exhibit A.
- 5.2 Subprocessor Obligations.
Mighty Networks shall: (i) enter into a written agreement with each Subprocessor imposing data protection terms that require the Subprocessor to protect the Octo Members Group Ltd Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Mighty Networks to breach any of its obligations under this DPA.
- 5.3 The list of Subprocessors as of the Effective Date is at Exhibit A. Mighty Networks shall provide an up-to-date list of the Subprocessors it has appointed upon written request from Octo Members Group Ltd.
- 5.4 Mighty Networks shall give Octo Members Group Ltd prior written notice of the appointment of any new Subprocessor. Octo Members Group Ltd may object in writing to Mighty Networks’ appointment of additional Subprocessors, provided that such objection is based on reasonable grounds relating to data protection. If, within five (5) business days of receipt of that notice, Octo Members Group Ltd notifies Mighty Networks in writing of any objections (on reasonable grounds) to the proposed appointment, Mighty Networks shall not appoint that proposed SubProcessor until reasonable steps have been taken to address the objections raised by Octo Members Group Ltd and the Octo Members Group Ltd has been provided with a reasonable written explanation of the steps taken. If Octo Members Group Ltd and Mighty Networks are not able to resolve the appointment of a Subprocessor within a reasonable period, Octo Members Group Ltd shall have the right to terminate the Agreement (without prejudice to any fees incurred by Octo Members Group Ltd prior to suspension or termination).
- 6.1 Security Measures.
- 6.2 Updates to Security Measures.
Octo Members Group Ltd is responsible for reviewing the information made available by Mighty Networks relating to data security and making an independent determination as to whether the Services meet Octo Members Group Ltd’s requirements and legal obligations under Data Protection Laws. Octo Members Group Ltd acknowledges that the Security Measures are subject to technical progress and development and that Mighty Networks may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
- 6.3 Octo Members Group Ltd Responsibilities.
Notwithstanding the above, Octo Members Group Ltd agrees that except as provided by this DPA, Octo Members Group Ltd is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of User Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any User Data uploaded to the Services.
- 6.4 Confidentiality of processing.
Mighty Networks shall ensure that any person who is authorized by Mighty Networks to process Octo Members Group Ltd Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
- 6.5 Security Incident Response.
Upon becoming aware of a Security Incident, Mighty Networks shall notify Octo Members Group Ltd without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Octo Members Group Ltd.
- 7.1 Upon reasonable request, Mighty Networks will verify its compliance with this DPA, provided that Octo Members Group Ltd shall not exercise this right more than once per year.
- International Transfers
- 8.1 Data centre locations.
Mighty Networks may transfer and process Octo Members Group Ltd Data anywhere in the world where Mighty Networks, its Affiliates or its Subprocessors maintain data processing operations. Mighty Networks shall at all times provide an adequate level of protection for the Octo Members Group Ltd Data collected, transferred, processed, or retained in accordance with the requirements of Data Protection Laws.
- 8.2 Privacy Shield.
Mighty Networks will not process Octo Members Group Ltd Data related to personal data of data subjects located in the EEA in a location outside of the EEA, except pursuant to the EU-US Privacy Shield, provided that Mighty Networks obtains and maintains its certification under the EU-US Privacy Shield. Mighty Networks will provide Octo Members Group Ltd with reasonable prior written notice if it can no longer meet its obligations under the Privacy Shield or if it plans not to renew its certification, at which time, as the parties’ sole remedy, the parties will negotiate entry into an alternative data transfer solution, including entering into the European Commission Standard Contractual Clauses for Data Processors (2010/87/EU) or any replacement thereof. The foregoing will not entitle Octo Members Group Ltd to any termination of cancellation right with respect to the Agreement.
- 8.3 Changes in the Law.
To the extent that Octo Members Group Ltd or Mighty Networks are relying on a specific statutory mechanism to normalize international data transfers (namely, Privacy Shield) that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, Mighty Networks and Octo Members Group Ltd agree to cooperate in good faith to promptly terminate the transfer or to pursue a suitable alternative mechanism that can lawfully support the transfer.
- Return or Deletion of Data
- 9.1 Upon termination or expiration of the Agreement, Mighty Networks shall (at Octo Members Group Ltd’s election) delete or return to Octo Members Group Ltd all Octo Members Group Ltd Data (including copies) in its possession or control, save that this requirement shall not apply to the extent Mighty Networks is required by applicable law to retain copies of some or all of the Octo Members Group Ltd Data, or to Octo Members Group Ltd Data it has archived on back-up systems, which Octo Members Group Ltd Data Mighty Networks shall securely isolate and protect from any further processing, except to the extent required by applicable law.
- 10.1 The Services provide Octo Members Group Ltd and Members with controls that Octo Members Group Ltd and Members may use to retrieve, correct, delete or restrict Octo Members Group Ltd Data, which Octo Members Group Ltd may use to assist it in connection with its obligations under the GDPR, including its obligations relating to responding to requests from data subjects or applicable data protection authorities. To the extent that Octo Members Group Ltd is unable to independently access the relevant Octo Members Group Ltd Data within the Services, Mighty Networks shall (at Octo Members Group Ltd’s expense) provide reasonable cooperation to assist Octo Members Group Ltd to respond to any requests from individuals or applicable data protection authorities relating to the processing of personal data under the Agreement. In the event that any such request is made directly to Mighty Networks, Mighty Networks shall not respond to such communication directly without Octo Members Group Ltd’s prior authorization, unless legally compelled to do so. If Mighty Networks is required to respond to such a request, Mighty Networks shall promptly notify Octo Members Group Ltd and provide it with a copy of the request unless legally prohibited from doing so.
- 10.2 If a law enforcement agency sends Mighty Networks a demand for Octo Members Group Ltd Data (for example, through a subpoena or court order), Mighty Networks shall attempt to redirect the law enforcement agency to request that data directly from Octo Members Group Ltd. As part of this effort, Mighty Networks may provide Octo Members Group Ltd’s basic contact information to the law enforcement agency. If compelled to disclose Octo Members Group Ltd Data to a law enforcement agency, then Mighty Networks shall give Octo Members Group Ltd reasonable notice of the demand to allow Octo Members Group Ltd to seek a protective order or other appropriate remedy unless Mighty Networks is legally prohibited from doing so.
- 10.3 To the extent Mighty Networks is required under EU Data Protection Law, Mighty Networks shall (at Octo Members Group Ltd’s expense) provide reasonably requested information regarding the Services to enable the Octo Members Group Ltd to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
- Changes in Data Protection Laws
- 11.1 Mighty Networks may modify or supplement this Addendum, with reasonable notice to the Octo Members Group Ltd: (i) If required to do so by a supervisory authority or other government or regulatory entity; (ii) If necessary to comply with applicable law; (iii) To implement new or updated Standard Contractual Clauses approved by the European Commission; or (iv) To adhere to an approved code of conduct or certification mechanism approved or certified pursuant to Articles 40, 42 and 43 GDPR.