  1. Definitions
    1. The following capitalised terms used in this DPA shall be defined as follows:
      1. "Controller" has the meaning given in the GDPR.
      2. "Customer Personal Data" means the "personal data" (as defined in the GDPR) described in Appendix 2 and any other personal data that Metamoto Processes on behalf of Customer in connection with the provision of the Metamoto Services.
      3. "Data Protection Laws" means the GDPR, any applicable national implementing legislation including, and in each case as amended, replaced or superseded from time to time, and all applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Customer Personal Data.
      4. "Data Subject" has the meaning given in the GDPR.
      5. "Processing" has the meaning given in the GDPR, and "Process" will be interpreted accordingly.
      6. "Processor" has the meaning given in the GDPR.
      7. "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Customer Personal Data.
      8. "Standard Contractual Clauses" means the Standard Contractual Clauses (processors) approved by European Commission Decision C(2010)593 set out in Appendix 1 to this DPA or any subsequent version thereof released by the European Commission (which will automatically apply), and which includes Appendix 2 (Details of the Processing and Transfer) and Appendix 3 (Technical and Organisational Measures) to this DPA.
      9. "Subprocessor" means any Processor engaged by Metamoto who agrees to receive from Metamoto Customer Personal Data.
      10. "Supervisory Authority" has the meaning given in the GDPR.
  2. Data Processing
    1. Instructions for Data Processing. Metamoto will only Process Customer Personal Data in accordance with Customer’s written instructions unless Processing is required by European Union or Member State law to which Metamoto may be subject, in which case Metamoto shall, to the extent permitted by that law, inform Customer of that legal requirement before Processing that Customer Personal Data. The Agreement (subject to any changes to the Metamoto Services agreed between the parties) and this DPA shall be Customer’s complete and final instructions to Metamoto in relation to the Processing of Customer Personal Data.
    2. Processing outside the scope of this DPA or the Agreement will require prior written agreement between Customer and Metamoto on additional instructions for Processing.
    3. Required consents. Where required by applicable Data Protection Laws, Customer will ensure that it has obtained all necessary consents and complies with all applicable requirements under Data Protection Laws for the Processing of Customer Personal Data by Metamoto in accordance with the Agreement.
  3. Transfers of Customer Personal Data
    1. Authorised Subprocessors. Customer agrees that Metamoto may use Subprocessors to Process Customer Personal Data. In particular, Customer agrees that Metamoto may use at least the following as Subprocessors. A complete list is available upon request of a signed DPA from Metamoto:
       Amazon Web Services, Inc. (United States)
       Microsoft Corporation (United States)
       Google, Inc. (United States)
    2. Metamoto shall notify Customer from time to time of the identity of any Subprocessors engaged. If Customer (acting reasonably) objects to a new Subprocessor on grounds related to the protection of Customer Personal Data only, then without prejudice to any right to terminate the Agreement, Customer may request that Metamoto moves the Customer Personal Data to another Subprocessor and Metamoto shall, within a reasonable time following receipt of such request, use reasonable endeavours to ensure that the original Subprocessor does not Process any of the Customer Personal Data. If it is not reasonably possible to use another Subprocessor, and Customer continues to object for a legitimate reason, either party may terminate the Agreement on thirty (30) days written notice. If Customer does not object within thirty (30) days of receipt of the notice, Customer is deemed to have accepted the new Subprocessor.
    3. Save as set out in clauses 3.1 and 3.2, Metamoto shall not permit, allow or otherwise facilitate Subprocessors to Process Customer Personal Data without Customer’s prior written consent and unless Metamoto:
      1. enters into a written agreement with the Subprocessor which imposes equivalent obligations on the Subprocessor with regard to their Processing of Customer Personal Data, as are imposed on Metamoto under this DPA; and
      2. shall at all times remain responsible for compliance with our obligations under the DPA and will be liable to Customer for the acts and omissions of any Subprocessor as if they were Metamoto’s acts and omissions.
    4. Prohibition on Transfers of Customer Personal Data. To the extent that the Processing of Customer Personal Data by Metamoto involves the export of such Customer Personal Data to a country or territory outside the EEA, other than to a country or territory ensuring an adequate level of protection for the rights and freedoms of Data Subjects in relation to the Processing of personal data as determined by the European Commission (an "International Transfer"), such transfer shall be governed by the Standard Contractual Clauses. In the event of any conflict between any terms in the Standard Contractual Clauses, this DPA and the Agreement, the Standard Contractual Clauses shall prevail.
  4. Data Security, Audits, and Security Notifications
    1. Security Obligations. Metamoto will implement and maintain the technical and organizational measures set out in Appendix 3. Customer acknowledges and agrees that these measures ensure a level of security that is appropriate to the risk in accordance with Data Protection Laws.
    2. Upon Customer’s reasonable request, Metamoto will make available all information reasonably necessary to demonstrate compliance with this DPA.
    3. Security Incident Notification. If Metamoto becomes aware of a Security Incident, Metamoto will (a) notify Customer of the Security Incident within 72 hours; and (b) investigate the Security Incident and provide Customer (and any law enforcement or regulatory official) with reasonable assistance as required to investigate the Security Incident.
    4. Employees and Personnel. Metamoto will treat the Customer Personal Data as confidential, and shall ensure that any employees or other personnel have agreed in writing to protect the confidentiality and security of Customer Personal Data.
    5. Audits. Metamoto will, upon reasonable request from the Customer, allow for and contribute to audits, including inspections, conducted by the Customer (or a third party auditor on behalf of, and mandated by, the Customer) provided (i) such audits or inspections are not conducted more than once per year (unless requested by a Supervisory Authority); (ii) are conducted only during business hours; and (iii) are conducted in a manner that causes minimal disruption to Metamoto’s operations and business.
  5. Access Requests and Data Subject Rights
    1. Government Disclosure. Metamoto will notify Customer of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency.
    2. Data Subject Rights. Where applicable, and taking into account the nature of the Processing, Metamoto will use reasonable endeavours to assist Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising Data Subject rights laid down in Data Protection Laws.
  6. Data Protection Impact Assessment and Prior Consultation
    1. To the extent required under applicable Data Protection Laws, Metamoto will provide Customer with reasonably requested information regarding the Metamoto Services to enable Customer to carry out data protection impact assessments or prior consultations with any Supervisory Authority, in each case solely in relation to Processing of Customer Personal Data and taking into account the nature of the Processing and information available to Metamoto.
  7. Termination
    1. Deletion of data. Subject to 7.2 below, Metamoto will, at Customer’s election and within 90 (ninety) days of the date of termination of the Agreement:
      1. return a copy of all Customer Personal Data Processed by Metamoto by secure file transfer to the Customer (and securely delete all other copies of Customer Personal Data Processed by Metamoto); or
      2. securely delete the Customer Personal Data Processed by Metamoto.
    2. Metamoto and its Subprocessors may retain Customer Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Metamoto ensures the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.