This Data Processing Addendum (“DPA”) forms part of and is subject to the Service Agreement (the “Agreement”) between MigrateX Inc. (“MigrateX” or “Processor”) and the entity identified on the applicable Order Form (“Customer” or “Controller”). This DPA sets forth the parties’ obligations with respect to the processing of personal data by MigrateX on behalf of Customer in connection with the Service Agreement.
1. Definitions
- “Applicable Data Protection Law” means all data protection and privacy laws applicable to the processing of Customer Personal Data, including the GDPR, UK GDPR, Swiss FADP, and CCPA/CPRA.
- “CCPA/CPRA” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act.
- “Customer Personal Data” means any Personal Data that MigrateX processes on behalf of Customer in connection with the Services.
- “EU SCCs” means the Standard Contractual Clauses approved by the European Commission for the transfer of personal data to third countries.
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Law.
- “Processing” means any operation or set of operations performed on Personal Data, including collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction.
- “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
2. Roles
For the purposes of this DPA, Customer is the Controller and MigrateX is the Processor with respect to Customer Personal Data. MigrateX shall process Customer Personal Data only on documented instructions from Customer, unless required by applicable law. The subject matter of processing is the provision of the data migration SaaS service as described in the Agreement.
3. Customer Responsibilities
Customer is responsible for:
- Ensuring the accuracy and lawfulness of Customer Personal Data provided to MigrateX;
- Obtaining all necessary consents and authorizations from data subjects for the processing contemplated under this DPA;
- Providing MigrateX with valid credentials and access to source and target platforms as necessary for the Services;
- Complying with all applicable data protection laws in connection with its use of the Services.
4. Confidentiality
MigrateX ensures that all personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory, and are trained on applicable data protection requirements.
5. Security Measures
MigrateX implements and maintains appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. A description of MigrateX’s current security measures is set forth in Annex II to this DPA.
In the event of a Security Incident, MigrateX shall notify Customer without undue delay (and in any event within 72 hours of becoming aware of the incident) and shall provide sufficient information to enable Customer to meet its obligations under Applicable Data Protection Law.
Customer is responsible for maintaining the security of its own systems, credentials, and network configurations.
6. Sub-Processing
Customer authorizes MigrateX to engage sub-processors for the processing of Customer Personal Data. MigrateX has entered into written agreements with all sub-processors that impose data protection obligations no less protective than those set forth in this DPA. A list of current sub-processors is set forth in Annex III.
7. Assistance
MigrateX shall assist Customer, taking into account the nature of processing, in responding to data subject rights requests, including requests for access, rectification, erasure, restriction, portability, and objection. MigrateX shall also provide reasonable assistance with data protection impact assessments (DPIAs) and consultations with supervisory authorities, to the extent required by Applicable Data Protection Law. Where such assistance requires material effort beyond the scope of the Services, MigrateX may charge professional services rates.
8. International Data Transfers
8.1 EU Transfers
For transfers of Customer Personal Data from the European Economic Area to the United States or other countries not recognized as providing an adequate level of data protection, the parties agree to the EU Standard Contractual Clauses (Module 2: Controller to Processor and/or Module 3: Processor to Processor, as applicable). The governing law for the EU SCCs shall be the law of Ireland.
8.2 UK Transfers
For transfers of Customer Personal Data from the United Kingdom, the parties incorporate the UK International Data Transfer Addendum (IDTA) to the EU SCCs. The governing law for the UK IDTA shall be the law of England and Wales.
8.3 Swiss Transfers
For transfers of Customer Personal Data from Switzerland, the EU SCCs apply with the modifications required by the Swiss Federal Act on Data Protection (FADP), including references to the competent Swiss supervisory authority.
8.4 Onward Transfers
MigrateX shall ensure that any onward transfer of Customer Personal Data to sub-processors is subject to appropriate transfer mechanisms as required by Applicable Data Protection Law.
9. Audits
MigrateX shall make available to Customer, upon reasonable request and no more than once per twelve (12) month period, information necessary to demonstrate compliance with its obligations under this DPA. Audits shall be conducted during regular business hours, with reasonable prior notice, and shall not unreasonably interfere with MigrateX’s operations.
10. Return and Deletion of Data
Upon termination or completion of the applicable Migration Project, MigrateX shall, at Customer’s election, return or delete Customer Personal Data. If Customer does not provide instructions within thirty (30) days after termination or completion, MigrateX shall delete Customer Personal Data, except to the extent retention is required by applicable law.
11. CCPA/CPRA Provisions
To the extent that Customer Personal Data includes personal information subject to the CCPA/CPRA, MigrateX acts as a “service provider” as defined under the CCPA/CPRA. MigrateX shall not:
- Sell or share Customer Personal Data as those terms are defined under the CCPA/CPRA;
- Process Customer Personal Data for any purpose other than the specific business purposes set forth in this DPA and the Agreement;
- Combine Customer Personal Data with personal information received from other sources, except as expressly permitted by the CCPA/CPRA.
MigrateX shall provide the same level of protection for Customer Personal Data as required by the CCPA/CPRA and shall notify Customer if it determines that it can no longer meet its obligations under the CCPA/CPRA.
12. Miscellaneous
Each party’s liability under this DPA is subject to the limitations of liability set forth in the Agreement. This DPA is governed by the laws of the State of Delaware, without regard to conflict of law principles. If any provision of this DPA is found to be unenforceable, the remaining provisions shall continue in full force and effect. MigrateX may update this DPA from time to time to reflect changes in applicable law or its processing practices, provided that such updates do not materially reduce the level of data protection afforded to Customer Personal Data.