1.1 “Customer Personal Data” means Personal Data that is included in Customer Data. Customer Personal Data does not include Personal Data that Marq collects to administer the Services.
1.2 “Data Subject” means an individual to whom Customer Personal Data relates.
1.3 “Data Protection Legislation” means as applicable: (a) the GDPR; (b) any United Kingdom law replacing or succeeding the GDPR; and/or (c) the Federal Data Protection Act of 19 June 1992 (Switzerland).
1.4 “GDPR” means the General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, and any amendment or replacement to it.
1.5 “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise processed.
1.6 “Standard Contractual Clauses” means the standard contractual clauses (i) in relation to personal data transfers subject to the GDPR, the Standard Contractual Clauses set out in the European Commission’s Decision 2021/914 of 4 June 2021, specifically including Modules 2 and 3, and (ii) in relation to personal data transfers subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as in force and as amended, updated or replaced from time to time.
1.7 The terms “controller”, “processing”, “processor”, and “supervisory authority” as used in this DPA will have the meanings ascribed to them in the GDPR. All capitalized terms not otherwise defined in this DPA will have the meaning given to them in the Agreement. If there is any inconsistency or conflict between this Exhibit and the Agreement to which it is attached as it relates to data processing, this Exhibit will govern.
- PROCESSING OF DATA.
2.1. Scope and Purpose of Processing. This DPA applies only where and to the extent Data Protection Legislation applies to Marq’s processing of Customer Personal Data on behalf of Customer in the course of providing the Services pursuant to the Agreement. The purpose of data processing under this DPA is the provision of the Services pursuant to the Agreement.
2.2. Processor and Controller Responsibilities. The parties acknowledge and agree that: (a) Marq is a processor of Customer Personal Data under the Data Protection Legislation; (b) Customer is a controller or processor, as applicable, of Customer Personal Data under the Data Protection Legislation; and (c) each party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the processing of Customer Personal Data.
2.3. Authorization by Third-Party Controller. If Customer is a processor, Customer warrants to Marq that Customer’s instructions and actions with respect to Customer Personal Data, including its appointment of Marq as another processor, have been authorized by the relevant controller.
2.4. Customer Instructions. Customer instructs Marq to process Customer Personal Data: (a) in accordance with the Agreement, any applicable Order Form or Statement of Work, and Customer’s use of the Services; and (b) to comply with other reasonable written instructions provided by Customer where such instructions are consistent with the terms of the Agreement. Customer will ensure that its instructions for the processing of Customer Personal Data comply with the Data Protection Legislation. Customer has sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer obtained the Customer Personal Data.
2.5. Marq’s Compliance With Customer Instructions. Marq will only process Customer Personal Data in accordance with Customer’s instructions and will treat Customer Personal Data as confidential information. Marq may process Customer Personal Data other than on the written instructions of Customer if it is required under applicable law to which Marq is subject. In this situation, Marq will inform Customer of such requirement before Marq processes the Customer Personal Data unless prohibited by applicable law.
- SECURITY; PRIVACY IMPACT ASSESSMENTS.
3.1. Marq Personnel. Marq will ensure that its personnel engaged in the processing of Customer Personal Data are informed of the confidential nature of the Customer Personal Data and are subject to obligations of confidentiality, and that such obligations survive the termination of that individual’s engagement with Marq.
3.2. Security. Marq will implement appropriate technical and organizational measures to safeguard Customer Personal Data taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
3.3. Data Privacy Impact Assessments. Marq will take reasonable measures to cooperate and assist Customer in conducting a data protection impact assessment and related consultations with any supervisory authority, if Customer is required to do so under Data Protection Legislation.
- DATA SUBJECT RIGHTS.
4.1. Assistance with Customer’s Obligations. Marq provides Customer the ability to correct, amend, restrict, block or delete Customer Personal Data contained in the Services. Marq will promptly comply with reasonable requests by Customer to assist with such actions to the extent Marq is legally permitted and able to do so.
4.2. Notification Obligations. Marq will, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject for access to, correction, amendment, deletion of or objection to the processing of Customer Personal Data relating to such individual. Marq will forward such Data Subject request relating to Customer Personal Data to Customer and Customer will be responsible for responding to any such request using the functionality of Services. Marq will provide Customer with commercially reasonable cooperation and assistance in relation to handling of a Data Subject request, to the extent legally permitted and to the extent Customer does not have access to such Customer Personal Data through its use or receipt of the Services.
5.1. General Authorization. Customer generally authorizes the use of subprocessors to process Customer Personal Data in connection with fulfilling Marq’s obligations under the Agreement and/or this DPA.
5.2. New Subprocessors. When Marq engages a new subprocessor to process Customer Personal Data, Marq will, at least ten (10) days before the new subprocessor processes any Customer Personal Data, notify Customer by updating its list of subprocessors located at https://www.marq.com/pages/sub-processor and give Customer the opportunity to object to such subprocessor.
5.3. Marq Obligations. Marq will remain liable for the acts and omissions of its subprocessors to the same extent Marq would be liable if performing the services of each subprocessor directly under the terms of this DPA. Marq will contractually impose data protection obligations on its subprocessors that are at least equivalent to those data protection obligations imposed on Marq under this DPA.
- DATA TRANSFERS.
6.1. Governing Terms. The parties will transfer Customer Personal Data internationally only pursuant to a transfer mechanism valid under Data Protection Legislation or applicable law. If the transfer mechanism authorizing the transfer of Customer Personal Data from the European Economic Area, Switzerland, or the United Kingdom as contemplated in this Section is no longer applicable to Marq, then the Standard Contractual Clauses, incorporated herein by reference, will apply. For purposes of the Standard Contractual Clauses, (a) Customer will be referred to as the “Data Exporter”; and (b) Marq will be referred to as the “Data Importer.”
- SECURITY INCIDENT.
7.1. Notification Obligations. In the event Marq becomes aware of any Security Incident, Marq will notify Customer of the Security Incident without undue delay. The obligations in this Section 7 do not apply to incidents that are caused by Customer or Customer’s personnel or end users or to unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
7.2. Manner of Notification. Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer’s business, technical or administrative contacts by any means Marq selects, including via email. It is Customer’s sole responsibility to ensure it maintains accurate contact information on Marq’s support systems at all times. Furthermore, it is Customer’s sole responsibility to notify the relevant data protection supervisory authority and, when applicable, the Data Subjects of a Security Incident as required under Articles 33 and 34 of the GDPR.
- TERM AND TERMINATION.
8.1. Term of DPA. This DPA will remain in effect until, and automatically expire upon, deletion of all Customer Personal Data as described in this DPA.
8.2. Deletion of Customer Data. Marq will retain Customer Personal Data in its possession until 30 days following the earlier of: (a) written confirmation from Customer that Marq may delete Customer’s account and all authorized user accounts; or (b) the date that Customer and all authorized users delete their accounts. Prior to deletion, Marq will make any Customer Personal Data in its possession available for download by Customer. Marq has no obligation to retain any portion of Customer Personal Data after such period except to the extent that Marq is required under Data Protection Legislation to keep a copy of the Customer Personal Data.
9.1. Audit Rights. Upon Customer’s written request no more than once per year, Marq will provide a copy of its then most recent security audit report, when available (the “Auditor’s Report”). Upon request and under appropriate confidentiality obligations, Marq will provide Customer with a copy of (1) its current Information Security Program, and (2) a summary of its Auditor’s Report. Report requests must be sent via certified mail to 215 South State Street, Suite 850, Salt Lake City, Utah 84111, ATTN: Legal.