This Data Processing Agreement ("DPA") is an addendum to the Terms between Match Vertical Partners, LLC ("Processor") and the Customer ("Controller").
Recitals
A. Controller and Processor have entered into an agreement pursuant to which Processor will provide the Vitality Index software-as-a-service and related services (the "Agreement" or "Terms").
B. This DPA sets out the terms under which Processor will process personal data on behalf of Controller in connection with the Agreement.
Agreed Terms
1. Purpose and Scope
This DPA governs the processing of "Customer Data" (as defined below) by Processor on behalf of Controller in connection with the Agreement.
2. Definitions
Capitalized terms used but not otherwise defined in this DPA have the meanings given in the Agreement. For the purposes of this DPA:
- "Customer Data" means all data, content, assessments, scoring inputs and outputs, account plans, notes, attachments and other materials uploaded to or entered into the Service by or on behalf of Controller or its Users.
- "DPA" means this Data Processing Agreement.
- "SCCs" means the EU Standard Contractual Clauses in Commission Implementing Decision (EU) 2021/914, Module 2 (Controller→Processor), or any successor text.
- "Subprocessor" means any processor engaged by Processor to process Customer Data.
3. Roles
Controller is the data controller and Processor is the data processor for Customer Data processed pursuant to the Agreement, except where the Privacy Policy or Agreement describes Processor as an independent controller (for Processor's own activities such as sales, recruitment or support).
4. Duration
Processing will continue for the term of the Agreement and, after termination, as required to comply with the Agreement's post-termination obligations and applicable law (see Annex A).
5. Subject Matter, Nature and Purpose of Processing
See Annex A.
6. Controller Instructions & Lawful-Instruction Escalation
6.1 Processor will process Customer Data only in accordance with Controller's documented instructions (including the Agreement, Order Form, and this DPA).
6.2 If Processor reasonably believes that an instruction from Controller would (i) violate applicable Data Protection Law or (ii) cause Processor to be in breach of law, Processor will (a) promptly notify Controller, (b) provide details of the legal risk, and (c) suspend processing of the relevant instruction until the issue is resolved.
7. Processor Obligations
Processor will:
- (a) process Customer Data only in accordance with Controller's documented instructions;
- (b) implement and maintain the technical and organizational measures described in Annex B;
- (c) ensure persons authorized to process Customer Data are bound by confidentiality;
- (d) assist Controller to respond to data subject requests, data protection impact assessments (DPIAs), and regulatory inquiries to the extent reasonably possible;
- (e) notify Controller without undue delay after becoming aware of a personal data breach affecting Customer Data (target: 72 hours after confirmation);
- (f) not engage subprocessors except under the terms in Section 9;
- (g) make available necessary information to demonstrate compliance and allow audits as set out in Section 10.
8. Controller Obligations
Controller will:
- (a) provide Controller's documented instructions;
- (b) ensure it has lawful grounds and, where required, appropriate notices or consents to permit the processing of Customer Data under Controller's instructions; and
- (c) be responsible for Controller's decisions as to the lawfulness of Controller's instructions.
9. Subprocessors
9.1 Controller authorizes Processor to engage Subprocessors. Processor will maintain a current Subprocessor list at /legal/subprocessors and will provide notice of material additions at least 30 days prior to onboarding.
9.2 Controller may object in writing to a new Subprocessor on reasonable grounds within 15 business days of notice. The parties will use good faith efforts to resolve objections promptly. If the objection is not resolved within 30 days, Controller's sole remedy is to terminate the affected Service for convenience per the Agreement.
10. Audits and Inspections
10.1 Controller may (a) obtain Processor's most recent third-party audit reports (e.g., SOC 2 Type II) under NDA or (b) request reasonable demonstrations of the technical and organizational measures. Processor will cooperate.
10.2 On-site audits by Controller are permitted only by mutual written agreement that addresses confidentiality, scope, timing, and costs.
11. Security Measures
Processor implements the measures set out in Annex B. Processor will notify Controller of material changes to these measures that affect processing risk.
12. Personal Data Breach
Processor will notify Controller without undue delay after becoming aware of a personal data breach affecting Customer Data and will provide available information to enable Controller's regulatory notifications and data subject responses. Processor will cooperate in remediation and forensic analysis.
13. Data Subject Requests (DSRs)
Controller is responsible for responding to DSRs. Processor will, to the extent possible and lawful, assist Controller in responding to DSRs relating to Customer Data and will follow Controller's documented instructions in that regard. Processor may charge a reasonable fee for repetitive, manifestly unfounded, or excessive requests.
14. International Transfers
Controller instructs Processor to transfer Customer Data internationally as necessary to provide the Service. Processor will not transfer Customer Data from the EEA/UK to a country without an adequacy decision except under an appropriate transfer mechanism (e.g., SCCs) or other lawful basis. Processor will execute SCCs or other transfer agreements or addenda as required.
15. Return & Deletion
On termination of the Agreement, Controller may, at its option, request return of Customer Data or require deletion. Processor will, at Controller's direction, return or delete Customer Data, except where retention is required by law; backups will be retained up to 90 days and then deleted as practicable.
16. Liability
Liability is governed by the Agreement. Nothing in this DPA limits Processor's liability for breaches of confidentiality, negligence, willful misconduct, or liabilities not permitted to be excluded by law.
17. Governing Law; SCC Carve-out
This DPA is governed by the governing law in the Agreement (State of South Carolina, United States). Notwithstanding the foregoing, where the EU Standard Contractual Clauses (SCCs) apply to transfers of Customer Data from the EEA or the United Kingdom, the governing law and jurisdiction provisions specified in those SCCs (or the applicable addendum) shall apply solely for the purposes of those SCCs and any disputes arising under them. This clause does not affect the governing law of the Agreement for all other purposes.
18. Miscellaneous
This DPA is incorporated into and forms part of the Agreement. In the event of conflict between this DPA and other documents, the DPA governs data processing matters.
ANNEX A — Description of Processing
- Subject matter: Customer Data uploaded or entered into Vitality Index.
- Duration: Term of Agreement and thereafter as required by law and archival/retention schedule.
- Nature: Storage, hosting, indexing, scoring, analysis, export, deletion, backups, support.
- Purpose: To provide the Service, security and support, and to carry out Controller's instructions.
- Categories of personal data: Business contact details, professional data, account plan content, usage/telemetry data, device data, authentication data.
- Categories of data subjects: Customer employees, contractors, customers' contacts, prospects, job applicants.
ANNEX B — Technical & Organizational Measures (Summary)
Processor will implement appropriate measures including: RBAC, MFA for privileged accounts; TLS; encryption at rest (AES-256 or equivalent); secure secrets management; centralized logging with redaction; backups and restore testing (~90 days); vulnerability scanning and patching; periodic pen-testing; IR plan and forensic capability; employee confidentiality and training; logical segregation of Customer Data; retention and deletion workflows per the Agreement.
ANNEX C — Subprocessors
Processor will publish a list at /legal/subprocessors and provide notice for new Subprocessors. Processor will require Subprocessors to adhere to protective contractual terms and will cooperate with Controller in the event of Subprocessor issues.
