DPA

Last Updated: November 1st, 2024

This Data Processing Addendum ("DPA") forms part of the End-User License Agreement ("EULA") between Mercero, Inc. ("Processor," "we," "our," or "us") and the User ("Controller," "you," or "your") and applies to the processing of Personal Data under applicable Data Protection Laws.

1. DEFINITIONS

1.1. "Personal Data" means any information relating to an identified or identifiable natural person.

1.2. "Data Protection Laws" means all applicable laws relating to data protection and privacy including:

- The General Data Protection Regulation (EU) 2016/679 ("GDPR")

- The California Consumer Privacy Act ("CCPA")

- Other applicable state, federal, and international data protection laws

1.3. "Processing" means any operation performed on Personal Data, whether automated or not.

1.4. "Data Subject" means the identified or identifiable person to whom Personal Data relates.

1.5. "Sub-processor" means any third party engaged by Processor to process Personal Data.

2. SCOPE AND ROLE OF PARTIES

2.1. Controller Role

- You act as the Data Controller for any Personal Data processed through the Service

- You determine the purposes and means of processing Personal Data

- You are responsible for obtaining all necessary consents and legal bases for processing

2.2. Processor Role

- We act solely as a Data Processor

- We process Personal Data only on your documented instructions

- We do not determine the purposes or means of processing

3. PROCESSING DETAILS

3.1. Nature and Purpose of Processing

- Providing CRM functionality

- Facilitating email integration services

- Generating analytics and reports as requested

- Providing technical support

- Maintaining service security

3.2. Categories of Personal Data

- Contact information

- Business relationship data

- Communication records

- Transaction history

- Email metadata (but not email content)

- Usage logs

3.3. Categories of Data Subjects

- Your employees and representatives

- Your clients and prospects

- Your business contacts

4. PROCESSOR OBLIGATIONS

4.1. Processing Instructions

- We process Personal Data only on your documented instructions

- We will inform you if any instruction violates Data Protection Laws

- We maintain records of all processing activities

4.2. Confidentiality

- Our staff are bound by written confidentiality obligations

- Access to Personal Data is strictly limited to those who need it

- We maintain access logs and control mechanisms

4.3. Security Measures

We implement appropriate technical and organizational measures including:

- Encryption of Personal Data in transit and at rest

- Individual user authentication and authorization

- Secure email integration with encrypted access

- Regular security testing and assessments

- Access logging and monitoring

- Data isolation between users

- Incident detection and response procedures

4.4. Sub-processors

- We will not engage sub-processors without your prior written authorization

- We impose the same data protection obligations on sub-processors

- We remain fully liable for sub-processors' performance

4.5. Data Subject Rights

- We assist you in fulfilling Data Subject requests

- We provide tools for data export and deletion

- We forward any direct Data Subject requests to you

- We maintain capability to rectify, restrict, or erase Personal Data

5. EMAIL INTEGRATION PROCESSING

5.1. Email Data Handling

- We do not store email content

- Email access is encrypted per user

- Authentication tokens are securely stored

- Email integration access is immediately revocable

5.2. Email Security Measures

- End-to-end encryption for email access

- Individual authentication requirements

- Regular security audits of email integration

- Immediate access termination capabilities

6. DATA BREACH NOTIFICATION

6.1. We will notify you without undue delay of any Personal Data breach

6.2. Breach notifications will include:

- Nature of the breach

- Categories of data affected

- Approximate number of Data Subjects affected

- Likely consequences

- Measures taken or proposed

- Contact point for further information

7. DATA TRANSFERS

7.1. International Transfers

- We transfer Personal Data only to countries with an adequacy decision or subject to appropriate safeguards

- Where no adequacy decision applies, we rely on the EU Standard Contractual Clauses

- We maintain appropriate transfer impact assessments

7.2. Transfer Safeguards

- Encryption during transfer

- Contractual safeguards with recipients

- Regular compliance monitoring

8. AUDIT RIGHTS

8.1. You may audit our compliance with this DPA by:

- Requesting documentation

- Conducting remote audits

- Conducting on-site inspections with reasonable notice

8.2. We will contribute to audits by:

- Providing access to relevant facilities

- Sharing required documentation

- Making staff available for interviews

9. DATA RETURN AND DELETION

9.1. Upon termination of services, we will:

- Return all Personal Data in a standard format

- Delete existing copies after 30 days

- Provide written confirmation of deletion

9.2. Exceptions for Legal Requirements

- We may retain data required by law

- We will ensure continued protection of retained data

- We will limit access to retained data

10. LIABILITY AND INDEMNIFICATION

10.1. We maintain liability insurance covering data protection

10.2. We will indemnify you for breaches of this DPA

10.3. Liability caps in the EULA apply to this DPA

11. MODIFICATIONS

11.1. This DPA may only be modified in writing

11.2. Changes to Data Protection Laws may require updates

11.3. We will notify you of any necessary changes

12. PRECEDENCE

In the event of any conflict between this DPA and the EULA, this DPA shall prevail with respect to data protection matters.

13. CONTACT INFORMATION

Data Protection Officer:

Russ Decker

201 Columbine, Unit 300, Denver CO 80206

info@mercero.com