Mosaic Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Agreement (defined below) by and between the customer (or its Affiliate(s), as applicable) as identified in the Agreement ("Customer") and MosaicApp Inc. ("Mosaic"). All capitalized terms not defined in this DPA have the meanings set forth in the Agreement.

1. Data Protection.

  1.1 Definitions: In this DPA, the following terms have the following meanings:
    1. “Australian Data Protection Law” means the Australian Privacy Act 1988 (Cth).
    2. “Agreement” means the agreement in place between Customer and Mosaic covering Customer’s use of the Services.
    3. “Applicable Data Protection Law” means all data protection laws and regulations applicable to the processing of personal data under this DPA, including, but not limited to, the Australian Data Protection Law, Brazilian Data Protection Law, European Data Protection Law, Japanese Data Protection Law, and U.S. Data Protection Law.
    4. “Brazilian Data Protection Law” means the Brazilian General Data Protection Law No. 13,709/2018 (“LGPD”).
    5. “controller”, “processor”, “data subject”, “personal data”, “personal information”, “processing” (and “process”), “commercial purpose”, and “service provider” have the meanings given in Applicable Data Protection Law, as appropriate.
    6. “Customer Personal Data” means any personal data provided by (or on behalf of) Customer to Mosaic in connection with the Services, all as further described in Exhibit A, Annex 1(B), Part A of this DPA.
    7. “Deidentified Data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, a data subject.
    8. “End Users” or “Users” means an individual the Customer permits or invites to use the Services. For the avoidance of doubt: (a) individuals invited by End Users and (b) individuals interacting with the Services as Customer’s customers are also considered End Users.
    9. “Europe” means, for the purposes of this DPA, the Member States of the European Economic Area (“EEA”), the United Kingdom (“UK”) and Switzerland.
    10. “European Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“EU GDPR”); (ii) in respect of the United Kingdom the Data Protection Act 2018 and the EU GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (“UK Data Protection Law”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) the Swiss Federal Act on Data Protection and its implementing regulations (“Swiss FADP”), in each case as may be amended, superseded or replaced from time to time.
    11. “Japanese Data Protection Law” means the Japanese Act on the Protection of Personal Information.
    12. “Restricted Transfer” means a transfer (directly or via onward transfer) of personal data subject to European Data Protection Law from Europe to a country outside of Europe that is not subject to an adequacy decision by the European Commission, or the competent UK or Swiss authorities (as applicable).
    13. “Security Incident” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data processed by Mosaic and/or its Sub-processors in connection with the provision of the Services. For the avoidance of doubt, “Security Incident” does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
    14. “special categories of personal data” or “sensitive data” means any Customer Personal Data (i) revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, (ii) that is genetic data, biometric data processed for the purposes of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, and (iii) relating to criminal convictions and offenses.
    15. “Standard Contractual Clauses” or “EU SCCs” means the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
    16. “Sub-processor” means any other processor engaged by Mosaic in its role as a processor to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA where such entity processes Customer Personal Data. Sub-processors may include Mosaic’s affiliates or other third parties.
    17. “UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner's Office under S119(A) of the UK Data Protection Act 2018, as may be amended, superseded, or replaced from time to time.
    18. “U.S. Data Protection Law” means all state laws in effect in the United States of America that are applicable to the processing of personal data under this DPA, including, but not limited to, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act.
  1.2 Relationship of the Parties: Where Applicable Data Protection Law provides for the roles of “controller,” “processor,” and “sub-processor”:
    a. Where Mosaic processes Customer Personal Data on behalf of Customer in connection with the Services, Mosaic will process such personal data as a processor or Sub-processor on behalf of Customer (who, in turn, processes such personal data as a controller or a processor) and this DPA will apply accordingly. A description of such processing is set out in Exhibit A, Annex 1(B), Part A.
    b. Where Mosaic processes personal data as a controller, as further detailed in Exhibit A, Annex 1(B), Part B, Mosaic will process such personal data in compliance with Applicable Data Protection Law and only for the purposes that are compatible with those described in Exhibit A, Annex 1(B), Part B. For these purposes, only Sections 1.3 and 1.6 of this DPA will apply, to the extent applicable.
  1.3 Description of Processing: A description of the processing of personal data related to the Services, as applicable, is set out in Exhibit A.
  1.4 Customer Processing of Personal Data: Customer agrees that (i) it will comply with its obligations under Applicable Data Protection Law in its processing of Customer Personal Data and any processing instructions it issues to Mosaic, and (ii) it has provided notice and obtained (or will obtain) all consents and rights necessary under Applicable Data Protection Law for Mosaic to process personal data (including but not limited to any special categories of personal data) and provide the Services pursuant to the Agreement (including this DPA).
  1.5 Mosaic Processing of Personal Data:
    a. When Mosaic processes Customer Personal Data in its capacity as a processor on behalf of the Customer, Mosaic will commit to (i) comply with Applicable Data Protection Law, and (ii) process the Customer Personal Data as necessary to perform its obligations under the Agreement, and only in accordance with the documented lawful instructions of Customer (as set forth in the Agreement, in this DPA, or as directed by the Customer or Customer’s End Users through the Services), unless required to do so by the applicable Laws to which Mosaic is subject. In this case Mosaic shall inform the Customer of such legal requirement before processing, unless relevant Laws prohibit such information on important grounds of public interest. Mosaic will promptly inform Customer if it becomes aware that Customer's processing instructions infringe Applicable Data Protection Law.
    b. To the extent Customer Personal Data includes personal information protected under the CCPA that Mosaic processes as a service provider acting on behalf of Customer, Mosaic will process such Customer Personal Data in accordance with the CCPA, including by complying with applicable sections of the CCPA and providing the same level of privacy protection as required by CCPA, and in accordance with Customer's written instructions, as necessary for the limited and specified purposes identified in Exhibit A, Annex 1(B), Part A of this DPA and the Agreement. Mosaic will not:
      1. retain, use, disclose or otherwise process such Customer Personal Data other than for the limited and specified purposes identified in this DPA and the Agreement;
      2. retain, use, disclose or otherwise process such Customer Personal Data for a commercial purpose other than for the limited and specified purposes identified in this DPA and the Agreement, or as otherwise permitted under the CCPA;
      3. “sell” or “share” such Customer Personal Data within the meaning of the CCPA; and
      4. retain, use, disclose or otherwise process such Customer Personal Data outside the direct business relationship with Customer and not combine such Customer Personal Data with personal information that it receives from other sources, except as permitted under the CCPA.
      Mosaic must inform Customer if it determines that it can no longer meet its obligations under U.S. Data Protection Laws within the timeframe specified by such laws, in which case Customer may take reasonable and appropriate steps to prevent, stop, or remediate any unauthorized processing of such Customer Personal Data.
    c. To the extent Customer discloses or otherwise makes available Deidentified Data to Mosaic or to the extent Mosaic creates Deidentified Data from Customer Personal Data, in each case in its capacity as a service provider, Mosaic will:
      1. adopt reasonable measures to prevent such Deidentified Data from being used to infer information about, or otherwise being linked to, a particular natural person or household;
      2. publicly commit to maintain and use such Deidentified Data in a deidentified form and to not attempt to re-identify the Deidentified Data, except that Mosaic may attempt to re-identify such data solely for the purpose of determining whether its deidentification processes are compliant with the U.S. Data Protection Law; and
      3. before sharing Deidentified Data with any other party, including Sub-processors, contractors, or any other persons (“Recipients”), contractually obligate any such Recipients to comply with all requirements of this Section 1.5(c) of the DPA (including imposing this requirement on any further Recipients).
  1.6 Restricted transfers: Parties agree that when the transfer of personal data from Customer (as “data exporter”) to Mosaic (as “data importer”) is a Restricted Transfer and Applicable Data Protection Law requires that appropriate safeguards are put in place, the transfer will be subject to the Standard Contractual Clauses, which are deemed incorporated into and form a part of this DPA, as follows:
    a. In relation to transfers of Customer Personal Data governed by the EU GDPR and processed in accordance with Section 1.2(a) of this DPA, the EU SCCs will apply, completed as follows:
      1. Module Two or Module Three will apply (as applicable);
      2. in Clause 7, the optional docking clause will not apply;
      3. in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes will be as set out in Section 1.10 of this DPA;
      4. in Clause 11, the optional language will not apply;
      5. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
      6. in Clause 18(b), disputes will be resolved before the courts of Ireland;
      7. Annex I of the EU SCCs is deemed completed with the information set out in Exhibit A to this DPA, as applicable; and
      8. Subject to Section 1 of this DPA, Annex II of the EU SCCs is deemed completed with the information found in https://www.mosaicapp.com/security;
    b. In relation to transfers of personal data governed by the EU GDPR and processed in accordance with Section 1 of this DPA, the EU SCCs apply, completed as follows:
      1. Module One will apply;
      2. in Clause 7, the optional docking clause will not apply;
      3. in Clause 11, the optional language will not apply;
      4. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
      5. in Clause 18(b), disputes will be resolved before the courts of Ireland;
      6. Annex I of the EU SCCs is deemed completed with the information set out in Exhibit A to this DPA, as applicable; and
      7. Subject to Section 1 of this DPA, Annex II of the EU SCCs is deemed completed with the information found in https://www.mosaicapp.com/security;
    c. In relation to transfers of personal data governed by UK Data Protection Law, the EU SCCs: (i) apply as completed in accordance with paragraphs (a) and (b) above; and (ii) are deemed amended as specified by the UK Addendum, which is deemed executed by the parties and incorporated into and forming an integral part of this DPA. In addition, Tables 1 to 3 in Part 1 of the UK Addendum are deemed completed respectively with the information set out in Section 1.9, as well as Exhibits A and B of this DPA; Table 4 in Part 1 is deemed completed by selecting “neither party.” Any conflict between the terms of the EU SCCs and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
    d. In relation to transfers of personal data governed by the Swiss FADP, the EU SCCs will also apply in accordance with paragraphs (a) and (b) above, with the following modifications:
      1. any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” will be interpreted as references to the Swiss FADP, and references to specific Articles of “Regulation (EU) 2016/679” will be replaced with the equivalent article or section of the Swiss FADP;
      2. references to “EU”, “Union”, “Member State” and “Member State law” will be interpreted as references to Switzerland and Swiss law, as the case may be, and will not be interpreted in such a way as to exclude data subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs;
      3. Clause 13 of the EU SCCs and Part C of Annex 1 are modified to provide that the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland will have authority over data transfers governed by the Swiss FADP. Subject to the foregoing, all other requirements of Clause 13 will be observed;
      4. references to the “competent supervisory authority” and “competent courts” will be interpreted as references to the FDPIC and competent courts in Switzerland;
      5. in Clause 17, the EU SCCs will be governed by the laws of Switzerland; and
      6. Clause 18(b) states that disputes will be resolved before the applicable courts of Switzerland.
    e. It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA), the Standard Contractual Clauses prevail to the extent of such conflict.
  1.7 Confidentiality of processing: Mosaic must ensure that any person that it authorizes to process Customer Personal Data (including Mosaic’s staff, agents and Sub-processors) will be subject to a duty of confidentiality (whether a contractual duty or a statutory duty), and must not permit any person to process Customer Personal Data who is not under such a duty of confidentiality.
  1.8 Security: Mosaic and, to the extent required under the Agreement, Customer must implement appropriate technical and organizational measures in accordance with Applicable Data Protection Law (e.g., Art. 32 GDPR) to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data. Mosaic’s current technical and organizational measures are described in Mosaic’s security measures found at https://www.mosaicapp.com/security (“Security Measures”). Customer acknowledges that the Security Measures are subject to technical progress and development and that Mosaic may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Services.
  1.9 Sub-processing: Customer consents to Mosaic engaging Sub-processors to process Customer Personal Data, provided that Mosaic maintains an up-to-date list of its sub-processors at https://trust.mosaicapp.com. Mosaic will: (i) enter into a written agreement with each Sub-processor imposing data protection terms that require the Sub-processor to protect the Customer Personal Data to the standard required by Applicable Data Protection Law (and in substance, to the same standard provided by this DPA); and (ii) remain liable to Customer if such Sub-processor fails to fulfill its data protection obligations with regard to the relevant processing activities under the Agreement.
  1.10 Changes to Sub-processors: Mosaic will provide a notice to Customer of any new Sub-processors as soon as reasonably practicable, however at least fourteen (14) days prior to allowing such Sub-processor to process Customer Personal Data (the “Notice Period”). Customer may object in writing to Mosaic’s appointment of a new Sub-processor during the Notice Period, provided that such objection is based on reasonable grounds relating to data protection. In such an event, the parties will discuss such concerns in good faith with a view to achieving resolution. If the parties are not able to achieve resolution within the Notice Period, Customer, as its sole and exclusive remedy, may terminate the applicable Order(s) or parts of the Service provided by the Sub-processor in question for convenience. If the Customer does not object during the Notice Period, Mosaic will deem Customer to have authorized the new Sub-processor.
  1.11 Cooperation obligations and data subjects’ rights:
    a. Taking into account the nature of the processing, Mosaic must provide reasonable and timely assistance to Customer to enable Customer to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, to rectification, to erasure, to restriction, to objection, and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party, in each case in respect of Customer Personal Data that Mosaic processes on Customer’s behalf;
    b. In the event that any request, correspondence, enquiry or complaint (referred to under paragraph (a) above) is made directly to Mosaic, Mosaic acting as a processor will not respond to such communication directly without Customer’s prior authorization, unless legally required to do so, and instead, after being notified by Mosaic, Customer may respond. If Mosaic is legally required to respond to such a request, Mosaic will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so; and
    c. To the extent Mosaic is required under Applicable Data Protection Law, Mosaic will provide reasonably requested information regarding the Services to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities, taking into account the nature of processing and the information available to Mosaic.
  1.12 Security incidents: Upon becoming aware of a Security Incident, Mosaic will notify Customer without undue delay and provide timely information (taking into account the nature of processing and the information available to Mosaic) relating to the Security Incident as it becomes known or as is reasonably requested by Customer to allow Customer to fulfill its data breach reporting obligations under Applicable Data Protection Law. Mosaic will further take reasonable steps to contain, investigate, and mitigate the effects of the Security Incident. Mosaic’s notification of or response to a Security Incident in accordance with this Section 1 will not be construed as an acknowledgment by Mosaic of any fault or liability with respect to the Security Incident.
  1.13 Deletion or return of Data: After the end of the provision of Services, Mosaic will delete or return to Customer all Customer Personal Data (including copies) processed on behalf of the Customer in accordance with the procedures and retention periods outlined in the DPA. This requirement does not apply to the extent Mosaic is required by applicable Laws to retain some or all of the Customer Personal Data, which Customer Personal Data Mosaic will securely isolate and protect from any further processing.
  1.14 Audit:
    a. Customer acknowledges that Mosaic is regularly audited by independent third-party auditors and/or internal auditors. Upon request, and on the condition that Customer has entered into an applicable non-disclosure agreement with Mosaic, Mosaic will:
      1. supply (on a confidential basis) a summary copy of relevant audit report(s) (“Report”) to Customer, so Customer can verify Mosaic’s compliance with the audit standards against which it has been assessed, and this DPA; and
      2. provide written responses (on a confidential basis) to all reasonable requests for information made by Customer related to its Processing of Customer Personal Data that are necessary to confirm Mosaic’s compliance with this DPA, provided that Customer cannot exercise this right more than once per calendar year.
    b. Only to the extent Customer cannot reasonably satisfy Mosaic’s compliance with this DPA through the exercise of its rights under Section , or where required by Applicable Data Protection Law or a regulatory authority, Customer, or its authorized representatives, may conduct audits (including inspections) during the term of the Agreement to assess Mosaic’s compliance with the terms of this DPA. Any audit must (i) be conducted during Mosaic’s regular business hours, with reasonable advance notice of at least 45 calendar days; (ii) be subject to reasonable confidentiality controls; (iii) occur no more than once annually; (iv) restrict its findings to only data and information relevant to Customer; and (v) obligate Customer, to the extent permitted by law or regulation, to keep confidential any information disclosed that, by its nature, should be confidential.
  1.15 Law enforcement: If a law enforcement agency sends Mosaic a demand for Customer Personal Data (e.g., a subpoena or court order), Mosaic will attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, Mosaic may provide Customer’s contact information to the law enforcement agency. If compelled to disclose Customer Personal Data to a law enforcement agency, then Mosaic will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy, to the extent Mosaic is legally permitted to do so.

2. Relationship with the Agreement

  2.1 The parties agree that this DPA replaces and supersedes any existing DPA the parties may have previously entered into in connection with the Services.
  2.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. The order of precedence in case of any conflict, exclusively in relation to the processing of personal data under this DPA, will be, in order of priority:
    a. Standard Contractual Clauses, if applicable;
    b. this DPA;
    c. the Agreement.
  2.3 Notwithstanding anything to the contrary in the Agreement or this DPA, the liability of each party and each party’s affiliates under this DPA is subject to the exclusions and limitations of liability set out in the Agreement.
  2.4 Any claims against Mosaic or its affiliates under this DPA can only be brought by the Customer entity that is a party to the Agreement against the Mosaic entity that is a party to the Agreement. In no event will this DPA or any party restrict or limit the rights of any data subject or of any competent supervisory authority.
  2.5 This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Law.
  2.6 This DPA and the Standard Contractual Clauses will terminate simultaneously and automatically upon deletion by Mosaic of the Customer Personal Data processed on behalf of the Customer, in accordance with Section  of this DPA.