DATA PROCESSING ADDENDUM
This Data Processing Addendum and its Schedules (“Addendum” or “DPA”) applies to a Customer that has accepted the terms of the Master Services Agreement (“Agreement”) for the provision of Services by the MetaMap entity identified in the applicable Order Form referencing the Agreement and reflects the parties’ agreement with respect to the Processing of Personal Data.
This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement per its reference. In the event of a conflict between the terms and conditions of this Addendum and the Agreement, the terms and conditions of this Addendum shall supersede and control, except as expressly stated in the applicable Order Form. The term of this DPA will follow the term of the Agreement. Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.
1. Definitions.
“Applicable Data Protection Law” means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question, including, where applicable, but not limited to the California Consumer Privacy Act, the European Union General Data Protection Regulation, the Brazil Lei Geral de Proteção de Dados, the Nigerian Data Protection Act of 2023, the Federal Law for the Protection of Personal Data Held by Private Parties applicable in Mexico, the Argentine Data Protection Regulations, the Illinois Biometric Information Privacy Act, Washington Biometric Privacy Protection Act, the Texas Capture or Use of Biometric Identifiers Act, and the Washington My Health My Data Act.
“Biometric Information” means data generated by automatic measurements of an individual’s biological characteristics, such as a faceprint, fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.
“Data Processor”, “Data Controller”, “Data Subject”, “Processing”, “Subprocessor”, and “Supervisory Authority” shall be interpreted in accordance with the European Union General Data Protection Regulation;
“Data Subject Request” as used in this Addendum means a request for access, erasure, rectification, or portability of an individual’s Personal Data; and
“MetaMap API” means the application programming interface offered by MetaMap to Customer pursuant to the Agreement.
“Personal Data” means any information which is protected as “personal data”, “personal information” or “personally identifiable information” under Applicable Data Protection Law (including Biometric Information and Sensitive Personal Data).
“Sensitive Personal Data” means any Personal Data that relates to the most intimate sphere of its owner, or whose improper use may give rise to discrimination or entail a serious risk for the owner.
2. Data Protection Requirements.
2.1 Under the Agreement, MetaMap will process Personal Data relating to Customer’s End Users. Specific details about the Personal Data that will be processed are described in Exhibit A to this Addendum.
2.2 MetaMap will process this Personal Data as a Data Controller and will use this Personal Data solely to provide and improve the Platform and Services.
2.3 When MetaMap processes the Personal Data under the Agreement it will:
2.3.1 Notify Customer if, in MetaMap’s opinion, Customer’s instruction for the Processing of Personal Data infringes Applicable Data Protection Law;
2.3.2 Notify Customer promptly, to the extent permitted by law, upon receiving an inquiry or complaint from a Supervisory Authority relating to the Processing of Customer’s End Users Personal Data;
2.3.3 Implement reasonable technical and organizational measures enabling Customer to execute Data Subject Requests that Customer is obligated to fulfill;
2.3.4 Upon request, provide reasonable information to help Customer complete Customer’s data protection impact assessments;
2.3.5 Upon request, provide Customer with up-to-date attestations, reports or extracts thereof where available from MetaMap’s security and data protection auditors, to enable Customer to assess MetaMap’s data protection practices;
2.3.6 Ensure that its personnel who access the Personal Data are subject to confidentiality obligations that restrict their ability to disclose the Personal Data to third parties.
2.4 In the course of providing the Services, Customer acknowledges and agrees that MetaMap may use Subprocessors to process Customer’s End Users Personal Data. MetaMap’s use of any specific Subprocessor to process Customer’s End Users Personal Data must be in compliance with Applicable Data Protection Law and must be governed by a contract between MetaMap and Subprocessor imposing data protection terms on the Subprocessors that are consistent with the level of protection provided under this DPA, to the extent applicable to the nature of the services provided by such Subprocessors. A current list of Subprocessors may be provided upon request. All sub-processors engaged by MetaMap on the Effective Date of the Agreement are deemed authorized by Customer. A list of Authorized Sub-Processors will be provided on request. If Customer objects to the appointment of a Subprocessor, the parties will discuss Customer’s concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Customer will have the right to suspend or terminate the affected Service in accordance with the termination provisions of the Agreement without liability to either party. Any amount paid will not be reimbursed.
2.5 In the course of providing the Services, Customer acknowledges and agrees that MetaMap may transfer the Personal Data to third countries such as the United States and European Union. Such transfers will be conducted in compliance with Applicable Data Protection Laws.
3. Security Requirements.
3.1 MetaMap will implement and maintain appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure.
3.2 These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Personal Data and appropriate to the nature of the Personal Data which is to be protected.
3.3 In the event that MetaMap becomes aware of and confirms any accidental, unauthorized, or unlawful processing of, disclosure of, or access to the Customer’s End User Personal Data (a “Security Breach”):
3.3.1 MetaMap will notify the affected Customer within 72 business hours of becoming aware of and confirming the Security Breach;
3.3.2 In such notification, MetaMap will provide the following information, to the extent it has sufficient information to do so: (i) a detailed summary of the Security Breach; (ii) the Personal Data elements and number of records exposed and/or misused; and (iii) the corrective measures to be implemented by MetaMap;
3.3.3 MetaMap will advise Customer if MetaMap believes it is legally required to provide Customers or any other party with a notification of the Security Breach, and will provide Customer with an advance copy of any such notification;
3.3.4 MetaMap will cooperate with the Customer and any competent authority and shall provide reasonable additional information or documents requested for such purpose in connection with such Security Breach, to the extent it is legally and contractually allowed to do so.
4. Consent in respect of End Users.
To the extent that Customer uses the MetaMap API, Customer agrees to display the consent language included in this section for the duration of the Agreement on its website and/or application to End Users receiving the Services. Such consent language shall be displayed clearly, conspicuously and before the collection of the End User Personal Data via the MetaMap Services, and Customer shall keep a record of written consent (in a manner that constitutes an enforceable e-signature or express and written consent under Applicable Data Protection Law) thereto as a precondition to collection of such data. Customer shall only allow End User to submit Personal Data to the MetaMap API once the End User has consented to the language set forth in section 5.1. (“Consent Language”) of this Addendum. In case Customer disables the consent or unilaterally changes the content of the Consent Language set forth in section 5.1 of this Addendum, MetaMap will be entitled to suspend the Services. Simultaneously with Customer, the Parties agree that MetaMap and its Affiliates shall be entitled to process End User’s Personal Data, including Biometric Information and Sensitive Personal Data (“MetaMap Data”) to improve MetaMap’s, and its Affiliates’, products and services (including its algorithms), which may benefit the Services, through the same Consent Language. Where MetaMap acts as Processor (as defined in Applicable Data Protection Law) in the Agreement, Customer agrees and acknowledges that the processing of End User’s Personal Data, to improve MetaMap’s, and its Affiliates’, products and services is aligned with the purposes for which such Personal Data was collected by Customer, and that such processing will in no case constitute processing that goes beyond the instructions of Customer.
4.1 Consent Language. Customer will integrate via Incode SDK using the consent language that follows:
By clicking “Next” I consent to [Company Name] and its service provider, [MetaMap], obtaining and disclosing a scan of my face geometry and barcode of my ID for the purpose of verifying my identity pursuant to [Company Name] and [MetaMap’s] Privacy Policies and for improving and updating [MetaMap] products or services (including its algorithm). [Company Name] and [MetaMap] shall store biometric data for no longer than 3 years (or as determined by your local regulation).
I can exercise my privacy rights, including withdrawal of my consent, by contacting dataprotection@incode.com.
I have read and agree to MetaMap’s Privacy Policy.
4.2 If the consent wording above needs to be amended for a specific territory, that is Customer’s obligation to determine; however, the Parties will work together in implementing such adjustments, with the understanding that the Services are conditioned on Customer ensuring that any required adjustments are made to comply with Applicable Data Protection Law in such territories. Customer is solely responsible for determining if the Consent Language and consent implementation are sufficient to comply with Applicable Data Protection Laws, and any failure to request necessary modifications (which MetaMap shall not unreasonably deny) shall be a material breach of the Agreement.
4.3 Consent Collection. For the collection of the applicable consent as detailed above, Customer agrees as follows:
4.3.1 If Customer uses the MetaMap API, Customer acknowledges, agrees and commits to include within its flow a screen with the applicable consent wording above, prior to the collection of its End Users Personal Data, and to maintain a record of the applicable consent provided by the End User and include such consent record together with the Personal Data sent to MetaMap for processing.
4.3.2 In case any End User does not provide consent to Customer to verify their identity through the Services, Customer shall not allow such End User to access the Services, and doing otherwise shall be a material breach of this Agreement by Customer, in which case Customer shall be solely responsible and liable for any claims and/or damages asserted by such End Users.
4.3.3 Prior to incorporating the Consent Language into the End User sign-up flow, Customer shall complete highlighted fields in the Consent Language set forth in this Addendum.
5. Miscellaneous.
5.1 For avoidance of doubt and to the extent allowed by applicable law, any and all liability under this Addendum, including limitations thereof, will be governed by the relevant provisions of the Agreement.
5.2 The terms of this Addendum shall be subject to any choice of law and venue provisions in the Agreement.
EXHIBIT A: Description of Processing
1. SCOPE.
Name: Customer as identified in the applicable invoice.
Contact person’s name, position and contact details: As identified in the applicable documentation or information provided by the Customer.
Activities relevant to the data transferred under these clauses: Performance of the Services pursuant to the Agreement.
Data Importer: MetaMap entity identified in the applicable Order Form.
2. CATEGORIES OF DATA SUBJECTS.
Customer’s End Users
3. CATEGORIES OF PERSONAL DATA.
Customer can configure the Platform and Services to collect and process different Personal Data, at their discretion. This Personal Data can include:
- Full Name
- Contact information (email, phone, physical address)
- Government Identifiers
- Biometric Information (facial photographs)
- Financial Information
- Professional Information
- Device Information
4. PURPOSE OF THE PROCESSING.
MetaMap will Process Personal Data as necessary to perform the Services pursuant to the Agreement, and as further instructed by Customer in its use of the Services.
5. DURATION OF PROCESSING.
MetaMap will Process Personal Data for the duration of the Agreement, as specified in this Addendum, unless otherwise agreed upon in writing by the parties.
6. TECHNICAL AND ORGANIZATIONAL MEASURES.
Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the Services and will make reasonably available descriptions of such safeguards at the request of Customer.