This Data Processing Addendum (“DPA”) forms part of the Agreement between Mighty Software, Inc. (“Mighty Networks”) and you, a Host of a Mighty Network. It was first effective on May 25, 2018, and modified on October 14, 2020, to incorporate the Standard Contractual Clauses regarding data transfers and remove references to Privacy Shield. It was updated again on December 22, 2021, and on May 5, 2022, to incorporate the Standard Contractual Clauses issued by the European Commission on June 4, 2021. It was updated on April 4, 2023, to include references to the International Data Transfer Addendum required by the UK Parliament and the revised Swiss Federal Data Protection Act.
All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement. Terms used but not defined in this DPA, such as “controller,” “data subject,” “personal data,” “processing,” and “processor” will have the same meaning as set forth in the EU Data Protection Law.
“Affiliate” means an entity that directly or indirectly controls, is controlled by or is under common control with an entity.
“Data Protection Laws” means all data protection and privacy laws applicable to the processing of personal data under the Agreement, including, where applicable, EU, Swiss, and UK Data Protection Laws.
“EU Data Protection Law” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“Directive”) and on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and applicable national implementations of it (as may be amended, superseded or replaced).
“EEA” means the 27 countries of the European Union, plus Iceland, Liechtenstein, and Norway.
“Host Data” means any personal data that Mighty Networks processes on behalf of Host as a processor in the course of providing Services, as more particularly described in this DPA. Host Data means all personal data provided directly by Host to Mighty Networks, and all personal data that Members of Host’s Networks provide when they register for and participate in Host’s Networks.
“International Data Transfer Addendum” means Schedule 2, attached to and forming part of this DPA pursuant to UK Parliamentary approval on 21 March 2022, and issued under Section 119A of the Data Protection Act of 2018. This International Data Transfer Addendum is an Addendum to the Standard Contractual Clauses.
“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Host Data.
“Services” means any product or service provided by Mighty Networks to Host pursuant to the Agreement.
“Standard Contractual Clauses” means Schedule 1, attached to and forming part of this DPA pursuant to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
“Subprocessors” means the other processors that are used by Mighty Networks to process Personal Data.
“Swiss Data Protection Law” means the revised Federal Data Protection Act (FADP) effective September 1, 2023.
“UK Data Protection Law” means the UK General Data Protection Regulation (UK GDPR).
2. Relationship with the Agreement
2.1 The parties agree that the DPA shall replace any existing data processing addendum the parties may have previously entered into in connection with the Services.
2.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
2.3 Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
2.4 Host further agrees that any regulatory penalties incurred by Mighty Networks in relation to the Host Data that arise as a result of, or in connection with, Host’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall reduce Mighty Networks’ liability under the Agreement.
2.5 No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms. Data subjects are third party beneficiaries of the Standard Contractual Clauses at Schedule I.
2.6 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
3. Scope and Applicability of this DPA
3.1 This DPA applies where and only to the extent that Mighty Networks processes, on behalf of Host, Host Data that originates from the EEA or that is otherwise subject to EU, UK, or Swiss Data Protection Laws in the course of providing Services pursuant to the Agreement.
4. Roles and Scope of Processing
4.1 Role of the Parties.
As between Mighty Networks and Host, Host is the controller of Host Data, and Mighty Networks shall process Host Data only as a processor acting on behalf of Host.
4.2 Host Processing of Host Data.
Host agrees that (i) it shall comply with its obligations as a controller under Data Protection Laws in respect of its processing of Host Data and any processing instructions it issues to Mighty Networks; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for Mighty Networks to process Host Data and provide the Services pursuant to the Agreement and this DPA.
4.3 Mighty Networks Processing of Host Data.
Mighty Networks shall process Host Data only for the purposes described in this DPA and only in accordance with Host’s documented, lawful instructions. The parties agree that this DPA and the Agreement set out the Host’s complete and final instructions to Mighty Networks in relation to the processing of Host Data and processing outside the scope of these instructions (if any) shall require prior written agreement between Host and Mighty Networks.
4.4 Details of Data Processing
a. Subject matter: The subject matter of the data processing under this DPA is the Host Data.
b. Duration: As between Mighty Networks and Host, the duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms.
c. Purpose: The purpose of the data processing under this DPA is to provide the Services to the Host, to perform Mighty Networks’ obligations under the Agreement (including this DPA), to analyze the use of the Mighty Networks, to comply with the law, to prevent misuse of the Services, and as otherwise agreed by the parties.
d. Nature of the processing: Mighty Networks provides a platform for Hosts to create and manage communities dedicated to an individual, identity, or interest. Hosts invite people (“Members”) to connect with each other, to message, and to exchange information and content. Hosts tailor their Mighty Network by the Members they invite, the conversations they organize, what they call their Mighty Network, and additional branding they may choose to use.
e. Categories of data subjects: Any individual accessing and/or using the Services through the Host’s account (“Users”); and any individual who joins one of Host’s Networks (collectively, Members).
f. Types of Host Data:
i. Host and Users: Identification and contact data (name, email address, title, contact details, username); employment details (employer, job title, geographic location, area of responsibility); IT information (IP addresses, usage data, cookies data, online navigation data, location data, browser data); financial information (credit card details, account details, payment information);
ii. Members: Identification and contact data (name, gender, occupation, email address, title), personal interests or preferences (including marketing preferences and, if End User chooses to integrate Network account with social media profile, social media profile information); IT information (IP addresses, usage data, cookies data, online navigation data, location data (depending on End User’s settings) and browser data); financial information if End User must pay to join Network (credit card details, account details, payment information); and all other information provided by End User to Network.
4.5 Disclosures for Legitimate Business Purposes.
Notwithstanding anything to the contrary in the Agreement (including this DPA), Host acknowledges that Mighty Networks shall have a right to use and disclose data relating to the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing.
4.6 Tracking Technologies.
5.1 Authorized Subprocessors.
Host agrees that Mighty Networks may engage Subprocessors to process Host Data on Host’s behalf.
5.2 Subprocessor Obligations.
Mighty Networks shall: (i) enter into a written agreement with each Subprocessor imposing data protection terms that require the Subprocessor to protect the Host Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Mighty Networks to breach any of its obligations under this DPA.
5.3 The list of Subprocessors as of the Effective Date is here and here: https://www.mightynetworks.com/subprocessors. Mighty Networks shall provide an up-to-date list of the Subprocessors it has appointed upon written request from Host. The Subprocessor list shall be updated on a regular basis.
5.4 Mighty Networks shall give Host prior written notice of the appointment of any new Subprocessor by posting the updated list. Host may object in writing to Mighty Networks’ appointment of additional Subprocessors, provided that such objection is based on reasonable grounds relating to data protection. If, within five (5) business days of receipt of that notice, Host notifies Mighty Networks in writing of any objections (on reasonable grounds) to the proposed appointment, Mighty Networks shall take reasonable steps to address the objections raised by Host. If Host and Mighty Networks are not able to resolve the appointment of a new Subprocessor within a reasonable period, Host shall have the right to terminate the Agreement (without refund or prejudice to any fees incurred by Host prior to suspension or termination).
6.1 Security Measures.
a. Measures of pseudonymisation and encryption of personal data:
All datastores containing personal data are fully encrypted at rest, and passwords are symmetrically encrypted within the tables. All intra-application transfer of data is within Amazon Web Services’ secure networking environments, and inter-application transfers utilise SSL encryption. Personal information fields for analytic data are pseudonymized by our data ingestion pipeline before reaching the data warehouse.
b. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services:
All systems reside in Amazon Web Services virtual private networks and ingress traffic is controlled through edge network web application firewalls. Compute is highly available in multiple regions and load balanced via Amazon Web Services elastic load balancing. All data stores have redundancy built in through v data services.
c. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident:
Durability is ensured with point in time recovery restorable within sixty minutes for all relational data stores.
d. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing:
System and organisational measures are conducted through automation via Vanta and penetration tests are conducted manually once a year.
e. Measures for user identification and authorisation:
System authentication and authorisation is accomplished via Amazon Web Services Identity and Access Management Service. Application authentication is through Doorkeeper and authorization via CanCan.
f. Measures for the protection of data during transmission:
All data transmission channels to and from processors are SSL encrypted.
g. Measures for the protection of data during storage:
All datastores containing personal data are fully encrypted at rest.
h. Measures for ensuring physical security of locations at which personal data are processed:
We rely on our data center provider (AWS) to ensure physical security. Below is a copy of the Physical Access Policy for AWS data centers.
EMPLOYEE DATA CENTER ACCESS
AWS provides physical data center access only to approved employees. All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions.
THIRD-PARTY DATA CENTER ACCESS
Third-party access is requested by approved AWS employees, who must apply for third-party access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. These requests are approved by authorized personnel, and access is revoked after the request time expires. Once granted admittance, individuals are restricted to areas specified in their permissions. Anyone granted visitor badge access must present identification when arriving on site and is signed in and escorted by authorized staff.
i. Measures for ensuring events logging:
All source control changes are auditable through the GitHub audit trail. All infrastructure access, authorization, and authentication are auditable through Amazon Web Services CloudTrail. All application traces are captured via New Relic APM.
j. Measures for ensuring system configuration, including default configuration:
We use standard industry best practices such as infrastructure as code to perform system configuration at scale.
k. Measures for internal IT and IT security governance and management:
- Information Security Roles and Responsibilities Policy
- Information Security Policy
- Operations Security Policy
l. Measures for certification/assurance of processes and products:
Vanta is used to ensure process compliance and policy enforcement of third party products.
m. Measures for ensuring data minimisation:
Our Data Management Policy classifies and limits the retention.
n. Measures for ensuring data quality and measures for allowing data portability and ensuring erasure:
Our Data Management Policy specifically covers data classification, handling and retention.
o. Measures for ensuring limited data retention:
Data retention is limited, and data is automatically deleted after the retention period.
p. Measures for ensuring accountability:
Mighty Networks successfully completed a SOC2 Type 1 audit with 15 policies in place. Each policy must be accepted by all employees and contractors.
Mighty Networks shall not voluntarily assist the U.S. government in its conduct of Executive Order 12333 (https://dodsioo.defense.gov/Library/EO-12333/) activities, and has not received any directives under Section 702 of the U.S. Foreign Surveillance Act (https://www.law.cornell.edu/uscode/text/50/1881a).
6.2 Updates to Security Measures.
Host is responsible for reviewing the information made available by Mighty Networks relating to data security and making an independent determination as to whether the Services meet Host’s requirements and legal obligations under Data Protection Laws. Host acknowledges that the Security Measures are subject to technical progress and development and that Mighty Networks may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
6.3 Host Responsibilities.
Notwithstanding the above, Host agrees that except as provided by this DPA, Host is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of User Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or back up any User Data uploaded to the Services. Host understands that the Services are hosted on Amazon cloud servers.
6.4 Confidentiality of processing.
Mighty Networks shall ensure that any person who is authorized by Mighty Networks to process Host Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
6.5 Security Incident Response.
Upon becoming aware of a Security Incident, Mighty Networks shall notify Host without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Host. Mighty Networks shall fully cooperate and assist with Host’s investigation, containment and mitigation efforts.
6.6 Disaster Recovery
For all systems used in connection with the Services, Mighty Networks shall establish and maintain arrangements for emergency backup services and resources that assure uninterrupted delivery of the Services to the extent reasonably practicable. If a disaster occurs at and/or affects the facilities and interrupts the Services, whether or not covered by a written disaster recovery plan in existence as of the effective date, Mighty Networks shall take all commercially reasonable measures to minimize the damage caused by any impairment of the Services resulting from the disaster and avoid recurrence.
7.1 Upon reasonable request, Mighty Networks will verify its compliance with this DPA, provided that Host shall not exercise this right more than once per year.
8. International Transfers
8.1 Data center locations.
Mighty Networks may transfer and process Host Data anywhere in the world where Mighty Networks, its Affiliates or its Subprocessors maintain data processing operations. Mighty Networks shall at all times provide an adequate level of protection for the Host Data collected, transferred, processed, or retained in accordance with the requirements of Data Protection Laws.
8.2 Standard Contractual Clauses and International Data Transfer Addendum.
Mighty Networks will not process Host Data related to personal data of data subjects located in the EEA or Switzerland in a location outside of the EEA, except pursuant to the Standard Contractual Clauses (attached as Schedule 1) or any replacement thereof. Mighty Networks will not process Host Data related to data subjects located in the UK in a location outside of the UK, except pursuant to the International Data Transfer Addendum (attached as Schedule 2).
8.3 Changes in the Law.
To the extent that Host or Mighty Networks are relying on a specific statutory mechanism to normalize international data transfers (namely, Standard Contractual Clauses) that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, Mighty Networks and Host agree to cooperate in good faith to promptly terminate the transfer or to pursue a suitable alternative mechanism that can lawfully support the transfer.
9. Return or Deletion of Data
9.1 Upon termination or expiration of the Agreement, Mighty Networks shall (at Host’s election) delete or return to Host all Host Data (including copies) in its possession or control, save that this requirement shall not apply to the extent Mighty Networks is required by applicable law to retain copies of some or all of the Host Data, or to Host Data it has archived on back-up systems, which Host Data Mighty Networks shall securely isolate and protect from any further processing, except to the extent required by applicable law.
10.1 The Services provide Hosts and Members with controls that Hosts and Members may use to retrieve, correct, delete or restrict Host Data, which Host may use to assist it in connection with its obligations under the GDPR, including its obligations relating to responding to requests from data subjects or applicable data protection authorities. To the extent that Host is unable to independently access the relevant Host Data within the Services, Mighty Networks shall (at Host’s expense) provide reasonable cooperation to assist Host to respond to any requests from individuals or applicable data protection authorities relating to the processing of personal data under the Agreement. In the event that any such request is made directly to Mighty Networks, Mighty Networks shall not respond to such communication directly without Host’s prior authorization, unless legally compelled to do so. If Mighty Networks is required to respond to such a request, Mighty Networks shall promptly notify Host and provide it with a copy of the request unless legally prohibited from doing so.
10.2 If a law enforcement agency sends Mighty Networks a demand for Host Data (for example, through a subpoena or court order), Mighty Networks shall attempt to redirect the law enforcement agency to request that data directly from Host. As part of this effort, Mighty Networks may provide Host’s basic contact information to the law enforcement agency. If compelled to disclose Host Data to a law enforcement agency, then Mighty Networks shall give Host reasonable notice of the demand to allow Host to seek a protective order or other appropriate remedy unless Mighty Networks is legally prohibited from doing so.
10.3 To the extent Mighty Networks is required under EU Data Protection Law, Mighty Networks shall (at Host’s expense) provide reasonably requested information regarding the Services to enable the Host to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
11. Changes in Data Protection Laws
11.1 Mighty Networks may modify or supplement this Addendum, with reasonable notice to the Host: (i) If required to do so by a supervisory authority or other government or regulatory entity; (ii) If necessary to comply with applicable law; (iii) To implement new or updated Standard Contractual Clauses approved by the European Commission; or (iv) To adhere to an approved code of conduct or certification mechanism approved or certified pursuant to Articles 40, 42 and 43 GDPR.