Table of contents
Table of contents
This Controller-Controller Data Processing Agreement ("Controller Agreement") is entered into between RealtimeBoard, Inc., dba Miro ("Miro") and the entity identified as the Partner in the Agreement ("Partner"), and is appended to either (i) the Solutions Partner Program Agreement located at https://m.turbidity.top/legal/solutions-partner-program-agreement/ (and all attachments and exhibits thereto); or (ii) other electronic or written agreement incorporating this Controller Agreement, governing access to and use of any personal data exchanged between the parties (“Shared Data”) (the "Agreement"). Capitalized terms used but not defined in this Controller Agreement shall take the meanings assigned to them in the Agreement. This Controller Agreement reflects the parties’ agreement on the processing of Controller Personal Data related to the Shared Data in connection with the Applicable Data Protection Law.
“Applicable Data Protection Law” shall mean any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (including any and all legislative and/or regulatory amendments or successors thereto), to which a party to this Controller Agreement is subject and which is applicable to a party’s information protection and privacy obligations. For the avoidance of doubt, Applicable Data Protection Law shall include without limitation the EU GDPR and the UK GDPR (each as defined below), the California Consumer Privacy Act of 2018 and any regulations promulgated thereunder (as amended from time to time, the “CCPA”).
“Controller Data Subject” shall mean any individual to whom Controller Personal Data relates.
“Controller Personal Data” shall mean any information processed by a party under the Agreement in connection with the party’s access to or use of Shared Data that identifies an individual or directly or indirectly relates to an identifiable individual.
“EU GDPR” means the General Data Protection Regulation (Regulation 2016/679).
“EU SCCs” means the Standard Contractual Clauses (Module One, excluding Clause 7, Clause 11 (Option)) approved by the European Commission in decision 2021/914/EC.
“Prohibited Data” means any (a) special categories of data enumerated in European Union Regulation 2016/679, Article 9(1) or any successor legislation, (b) patient, medical or other protected health information regulated by the Health Insurance Portability and Accountability Act (as amended and supplemented) (“HIPAA”), (c) credit, debit or other payment card data subject to the Payment Card Industry Data Security Standards (PCI DSS), (d) other information subject to privacy regulation or protection under specific Laws such as the Children’s Online Privacy Protection Act or related rules or regulations, social security numbers, driver’s license numbers or other government ID numbers or (f) any medical data, financial data, data about minors, or other sensitive personal data protected under Laws.
“UK GDPR” means the UK Data Protection Act 2018, as amended from time to time.
“UK SCCs” means the Standard Contractual Clauses for data controller to data controller transfers approved by the European Commission in decision 2004/915/EC.
Each party to this Controller Agreement: (a) is an independent controller or business with respect to the Controller Personal Data under Applicable Data Protection Law; (b) will individually determine the purposes and means of its processing of Controller Personal Data; (c) will comply with the obligations applicable to it under Applicable Data Protection Law with respect to the processing of Controller Personal Data; (d) neither party will “sell” or “share” (as those terms are defined in CCPA) the Controller Personal Data for the purposes of behavioral advertising and, for avoidance of doubt, neither party is “selling” or “sharing” the Personal Data to the other party under the Agreement nor this Controller Agreement.
No sensitive data as defined by Applicable Privacy Laws nor Prohibited Data as defined in this Controller Agreement shall be processed or shared hereunder by either party.
Nothing in this Section shall modify any restrictions applicable to either party’s rights to use or otherwise process Controller Personal Data under the Agreement or other agreements with Miro, and each party will process Controller Personal Data solely and exclusively for the purposes specified in such Agreement.
Either party may transfer Controller Personal Data to third countries if it complies with the provisions on the transfer of personal data to third countries in the Applicable Data Protection Law.
Where a party receiving Controller Personal Data is located in a country not recognized by the European Commission as providing an adequate level of protection for Personal Data within the meaning of the EU GDPR (a “Restricted Transfer”), no Controller Personal Data processed within the European Economic Area, the United Kingdom or Switzerland (“EEA”), by either of the parties pursuant to this Controller Agreement shall be exported outside the EEA (or transferred onward to another non-EEA location) without a legally recognized transfer mechanism.
To that end the EU SCCs are hereby incorporated by reference and shall apply to any Restricted Transfers under this Controller Agreement, provided that Annex I and II of the EU SCCs shall be deemed completed as set forth in Attachment 2 and 3 to this Controller Agreement.
The parties agree that the law of the Netherlands shall be the governing law for the purposes of clause 17 of the EU SCCs, and the Dutch Courts shall have jurisdiction for the purposes of clause 18(b) of the EU SCCs.
With respect to transfers subject to the UK GDPR, the UK SCCs are hereby incorporated by reference and shall apply in addition to the EU SCCs, provided that Annex B of the UK SCCs shall be deemed completed as set forth in Attachment 1 to this Controller Agreement. In the event of a conflict or inconsistency between the EU SCCs and the UK SCCs, the provisions which provide the most protection to data subjects shall prevail.
The EU and/or UK SCCs, where appropriate, shall, as of the Effective Date of this Controller Agreement, supersede and replace any standard contractual clauses previously entered into between the parties in connection with this Controller Agreement.
Each party shall implement appropriate technical and organizational measures to protect the Controller Personal Data from an actual unauthorized access or disclosure, unauthorized, unlawful or accidental loss, destruction, acquisition of or damage to Shared Data or other Personal Information belonging to the other Party, or any other breach of Applicable Data Protection Law or Controller Agreement in relation to the Processing of Personal Information by any current or former employee, contractor or agent of Partner or by any other person or third party (“Security Incident”).
In the event that a party experiences a Security Incident, it shall notify the other party without undue delay, but in any event within seventy-two (72) hours of it confirming same, and both parties shall cooperate in good faith to agree and take such measures as may be necessary to mitigate or remedy the effects of the Security Incident.
Nothing herein prohibits either party from providing notification of the Security Incident to regulatory authorities as may be required by Applicable Data Protection Laws prior to notification of the other party so long as the notifying party provides notification to the other party without undue delay.
Each party shall ensure that all of its personnel who have access to and/or process Controller Personal Data are obliged to keep the Controller Personal Data confidential.
This Controller Agreement shall be effective as of the date on which Partner clicked to accept, or the parties otherwise agreed to, the Agreement to which it is appended.
Notwithstanding anything to the contrary in the Agreement, the obligations pursuant to this Controller Agreement shall survive termination of the Agreement for as long as either party holds or processes Controller Personal Data.
The liability of the parties under or in connection with this Controller Agreement will be subject to the exclusions and limitations of liability in the Agreement.
This Controller Agreement shall be governed by the laws of the jurisdiction specified in the Agreement. Notwithstanding the foregoing and anything to the contrary in the Agreement, if Applicable Data Protection Laws require application of the laws of another jurisdiction to this Controller Agreement, such laws shall govern.
The parties agree that Affiliates are intended third party beneficiaries of this Controller Agreement and that the provisions of this Controller Agreement are intended to inure to the benefits of such Affiliates. Without limiting the foregoing, such Affiliates will be entitled to enforce all processing and transfer provisions of this Controller Agreement as if each was a signatory to this Controller Agreement.
Each party warrants that the execution and performance of its obligations under this Controller Agreement do not conflict with or violate any other instrument, contract, agreement, or other commitment or arrangement to which it is a party or by which it is bound, and that it knows of no other fact or circumstance that prevents it from entering into this Controller Agreement.
In case of a conflict between this Controller Agreement and any other written agreement between the parties, this Controller Agreement will govern.
(Capitalized terms used in this Annex are as defined in the Controller Agreement)
Depending on the nature of the access to or use of Shared Data, data subjects may include individuals: (a) who are partners or users of the products or services of Partner; (b) who are partners or users of the products or services of Miro; and/or (c) who have visited specific websites or applications in connection with access to or use of Shared Data or agreed to provide Shared Data.
The transfer is made for the following purposes: to facilitate access to and use of Shared Data between the parties; in the case of Miro, as described in the Agreement, and/or Miro’s Privacy Policy available at: https://m.turbidity.top/legal/privacy-policy/; in the case of Partner, any such sharing is done in accordance with their privacy policy.
The personal data transferred concern the categories of personal data described in the Agreement namely individuals’ business contact information such as First Name, Last Name, Phone Number, Work Email Address, Company Name, Job Title.
The personal data transferred may be disclosed only to the following recipients or categories of recipients:
In the case of Miro, as described in the Agreement, and/or Miro’s Privacy Policy available at: https://m.turbidity.top/legal/privacy-policy/.
In the case of Partner, as permitted under the Agreement, Partner’s applicable privacy policy, or the Controller Agreement.
The personal data transferred concern the following categories of sensitive data: Not applicable.
When required under Applicable Data Protection Law, the data exporter will file relevant registration(s) in its relevant location(s).
Data importer (controller)
a. RealtimeBoard, Inc. d/b/a Miro contact details as stated in the Agreement.
b. Partner: contact details as stated in Partner’s privacy policy.
Data exporter (controller)
a. RealtimeBoard, Inc. d/b/a Miro contact details as stated in the Agreement.
b. Partner: contact details as stated in Partner’s privacy policy.
Name: RealtimeBoard, Inc. d/b/a Miro (“Miro”)
Address: As stated in the Agreement
Contact person’s name, position and contact details: As stated in Miro’s privacy policy.
Activities relevant to the data transferred under these Clauses: The data importer will engage in a partnership with the data exporter as described in the Agreement.
Signature and Date: These SCCs shall become binding on both parties upon the Partner’s acceptance of the Agreement.
Name: The entity identified as the Partner in the Agreement (“Partner”)
Address: As stated in the Partner’s privacy policy
Contact person’s name, position and contact details: As stated in the Partner’s privacy policy
Activities relevant to the data transferred under these Clauses: The data exporter will engage in a partnership with the data importer as described in the Agreement.
Signature and Date: These SCCs shall become binding on both parties upon the Partner’s acceptance of the Agreement.
Role (controller/processor): Controller
Name: RealtimeBoard, Inc. d/b/a Miro (“Miro”)
Address: As stated in the Agreement
Contact person’s name, position and contact details: As stated in Miro’s privacy policy.
Activities relevant to the data transferred under these Clauses: The data importer will engage in a partnership with the data exporter as described in the Agreement.
Signature and Date: These SCCs shall become binding on both parties upon the Partner’s acceptance of the Agreement.
Name: The entity identified as the Partner in the Agreement (“Partner”)
Role (controller/processor): Controller
Address: As stated in the Agreement
Contact person’s name, position and contact details: As stated in Partner’s privacy policy.
Activities relevant to the data transferred under these Clauses: The data importer will engage in a partnership with the data exporter as described in the Agreement.
Signature and Date: These SCCs shall become binding on both parties upon the Partner’s acceptance of the Agreement.
Name: Partner
Categories of data subjects whose personal data is transferred
As described in Attachment 1 to this Controller Agreement
Categories of personal data transferred
As described in Attachment 1 to this Controller Agreement
No sensitive data to be transferred between the parties, nevertheless each party shall apply appropriate restrictions and safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
As described in Attachment 1 to this Controller Agreement
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Personal Data may be transferred on a continuous basis in accordance with the terms of the Agreement and this Controller Agreement.
Nature of the processing
The data importer will process the Shared Data to further its partnership with the data exporter in accordance with the Agreement and this Controller Agreement.
Purpose(s) of the data transfer and further processing
As described in Attachment 1 to this Controller Agreement
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The period for which the personal data will be retained will be determined by the Data Importer in accordance with its data privacy and data retention policies.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
As above
Identify the competent supervisory authority/ies in accordance with Clause 13
The competent supervisory authority shall be the supervisory authority of the EU Member State in which the data exporter is established (or alternatively, the supervisory authority of the EU Member State in which the data exporter’s representative is established, where the data exporter has appointed such a representative pursuant to Article 27(1) of Regulation (EU) 2016/769). If the data exporter is not established in an EU Member State, and is not required to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/769, the competent supervisory authority shall be the Dutch Data Protection Authority in Netherlands.
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Each party’s security measures shall include, at a minimum:
Preventing unauthorized persons from gaining access to Personal Information Processing systems (physical access control);
Preventing Personal Information Processing systems being used without authorization (logical access control);
Ensuring that persons entitled to use a Personal Information Processing system gain access only to such Personal Information as they are entitled to access in accordance with their access rights and that, in the course of Processing or use and after storage, Personal Information cannot be read, copied, modified or deleted without authorization (data access control);
Ensuring that Personal Information cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the target entities for any transfer of Personal Information by means of data transmission facilities can be established and verified (data transfer control);
Ensuring the establishment of an audit trail to document whether and by whom Personal Information have been entered into, modified in, or removed from Personal Information Processing (entry control);
Ensuring that Personal Information are protected against accidental destruction or loss (availability control); and
Ensuring that Personal Information collected for different purposes can be processed separately (separation control).