Data Processing Addendum

Last Updated: February 28, 2025

This Data Processing Addendum (this “Addendum”) is incorporated into and forms part of the Service Terms (the “Agreement”) between Mogli Technologies, LLC a Delaware Limited Liability Company (“Company”) and the Client identified in the Agreement (“Client”).

Capitalized terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms used but not otherwise defined herein shall have the meanings given to them in the Agreement. Except as expressly modified below, the terms of the Agreement shall remain in full force and effect.

The parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Agreement. The following obligations shall only apply to the extent required by Data Protection Laws with regard to the relevant Client Personal Data (defined below), if applicable.

1. DEFINITIONS
  • 1.1  “Client Personal Data” means the Personal Data found in Client Data that is covered by Data Protection Laws.
  • 1.2  “Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
  • 1.3  “Data Protection Laws” means the data privacy and security laws and regulations of any jurisdiction applicable to the Processing of Client Personal Data, including, in each case to the extent applicable, European Data Protection Laws and the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its implementing regulations (the “CCPA”).
  • 1.4  “Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.
  • 1.5  “European Data Protection Laws” means, in each case to the extent applicable: (a) the EU General Data Protection Regulation 2016/679 (“GDPR”); (b) the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”), the Data Protection Act of 2018, and all other laws relating to data protection, the processing of personal data, privacy, or electronic communications in force from time to time in the United Kingdom (collectively, “UK Data Protection Laws”); (c) the Swiss Federal Act on Data Protection (“Swiss FADP”); and (d) any other applicable law, rule, or regulation related to the protection of Client Personal Data in the European Economic Area, United Kingdom, or Switzerland that is already in force or that will come into force during the term of this Addendum.
  • 1.6  “Personal Data” means information that constitutes “personally identifiable information,” “personal information,” “personal data,” or similar term under Data Protection Laws.
  • 1.7  “Process” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.
  • 1.8  “Processor” means an entity that Processes Personal Data on behalf of a Controller.
  • 1.9  “Security Incident” means a breach of Company’s security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Data in Company’s possession, custody, or control. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Client Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
  • 1.10  “Standard Contractual Clauses” means, as applicable, Module Two (Transfer controller to processor) or Module Three (Transfer processor to processor) of the standard contractual clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (available at: http://data.europa.eu/eli/dec_impl/2021/914/oj), as supplemented or modified by Appendix 3.
  • 1.11  “Subprocessor” means any Processor appointed by Company to Process Client Personal Data on behalf of Client under the Agreement.
  • 1.12  “Supervisory Authority” means an independent competent public authority established or recognized under Data Protection Laws.
2. PROCESSING OF CLIENT PERSONAL DATA. 
  • 2.1  Roles of the Parties; Compliance. The parties acknowledge and agree that, as between the parties, with regard to the Processing of Client Personal Data under the Agreement, Client is a Controller and Company is a Processor. In some circumstances, the parties acknowledge that Client may be acting as a Processor to a third-party Controller in respect of Client Personal Data, in which case Company will remain a Processor with respect to Client in such an event. Each party will comply with the obligations applicable to it in such role under Data Protection Laws with respect to the Processing of Client Personal Data. Notwithstanding the foregoing, Client acknowledges that in connection with receiving Company’s messaging services, certain Client Personal Data (e.g., the sending gateway (Client’s sending phone number), the recipient’s phone number, the message content) is disclosed to electronic communication service providers for routing and connectivity purposes. These communication service providers process such data as independent Controllers.
  • 2.2  Client Instructions. Company will Process Client Personal Data only in accordance with Client’s documented instructions unless otherwise required by applicable law, in which case Company will inform Client of such Processing unless notification is prohibited by applicable law. Client hereby instructs Company to Process Client Personal Data: (a) to provide the Services to Client; (b) to perform its obligations and exercise its rights under the Agreement and this Addendum; and (c) as necessary to prevent or address technical problems with the Services. Company will notify Client if, in its opinion, an instruction of Client infringes upon Data Protection Laws. Client’s instructions for the Processing of Client Personal Data shall comply with Data Protection Laws. Client shall be responsible for: (i) giving adequate notice and making all appropriate disclosures to Data Subjects regarding Client’s use and disclosure and Company’s Processing of Client Personal Data; and (ii) obtaining all necessary rights, and, where applicable, all appropriate and valid consents to disclose such Client Personal Data to Company to permit the Processing of such Client Personal Data by Company for the purposes of performing Company’s obligations under the Agreement or as may be required by Data Protection Laws. Client shall notify Company of any changes in, or revocation of, the permission to use, disclose, or otherwise Process Client Personal Data that would impact Company’s ability to comply with the Agreement, this Addendum, or Data Protection Laws.
  • 2.3  Details of Processing. The parties acknowledge and agree that the nature and purpose of the Processing of Client Personal Data, the types of Client Personal Data Processed, the categories of Data Subjects, and other details regarding the Processing of Client Personal Data are as set forth in Appendix 1.
  • 2.4  Processing Subject to the CCPA. As used in this Section 2.4, the terms “Sell,” “Share,” “Business Purpose,” and “Commercial Purpose” shall have the meanings given in the CCPA and “Personal Information” shall mean any personal information (as defined in the CCPA) contained in Client Personal Data. Company will not: (a) Sell or Share any Personal Information; (b) retain, use, or disclose any Personal Information (i) for any purpose other than for the Business Purposes specified in the Agreement, including for any Commercial Purpose other than the Business Purposes specified in the Agreement, or as otherwise permitted by the CCPA, or (ii) outside of the direct business relationship between Client and Company; or (c) combine Personal Information received from, or on behalf of, Client with Personal Data received from or on behalf of any third party, or collected from Company’s own interaction with Data Subjects, except to perform any Business Purpose permitted by the CCPA. Company hereby certifies that it understands the foregoing restrictions under this Section 2.4 and will comply with them. The parties acknowledge that the Personal Information disclosed by Client to Company is provided to Company only for the limited and specified purposes set forth in the Agreement and this Addendum. Company will comply with applicable obligations under the CCPA and provide the same level of privacy protection to Personal Information as is required by the CCPA. Client has the right to take reasonable and appropriate steps to help ensure that Company uses the Personal Information transferred in a manner consistent with Client’s obligations under the CCPA by exercising Client’s audit rights in Section 8. Company will notify Client if it makes a determination that Company can no longer meet its obligations under the CCPA. 
If Company notifies Client of unauthorized use of Personal Information, including under the foregoing sentence, Client will have the right to take reasonable and appropriate steps to stop and remediate such unauthorized use by limiting the Personal Information shared with Company, terminating the portion of the Agreement relevant to such unauthorized use, or such other steps mutually agreed between the parties in writing.
  • 2.5  De-identified Data. With respect to any de-identified data created by Company from Client Personal Data, Company will: (i) take any necessary measures to ensure that such de-identified data cannot be associated with a Data Subject; (ii) publicly commit to maintaining and using de-identified data without attempting to re-identify the data; (iii) comply with the requirements of Data Protection Laws with respect to the creation of such de-identified data; and (iv) contractually obligate any recipients of the de-identified data to comply with restrictions substantially similar to those set forth in this Section 2.5. 

3. CONFIDENTIALITY. Company shall take reasonable steps to ensure that Company personnel who Process Client Personal Data are subject to obligations of confidentiality or are under an appropriate statutory obligation of confidentiality with respect to such Client Personal Data. 

4. SECURITY.

  • 4.1  Security Measures. Client agrees that the Platform includes particular features that Client may elect to use which when used increase the security of Client Personal Data. Client and Company each have an obligation to protect the security of Client Personal Data. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Client and Company shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. For Company, such measures shall be in accordance with the security standards in Appendix 2 (the “Security Measures”). Client acknowledges that the Security Measures may be updated from time to time upon reasonable notice to Client to reflect process improvements or changing practices, provided that the modifications will not materially decrease Company’s security obligations hereunder. 
  • 4.2  Security Incidents. Upon becoming aware of a confirmed Security Incident, Company will: (a) notify Client of the Security Incident without undue delay after becoming aware of the Security Incident and (b) take reasonable steps to identify the cause of such Security Incident, minimize harm, and prevent a recurrence. Company will take reasonable steps to provide Client with information available to Company that Client may reasonably require to comply with its obligations under Data Protection Laws. Company’s notification of or response to a Security Incident under this Section 4.2 will not be construed as an acknowledgement by Company of any fault or liability with respect to the Security Incident.
  • 4.3  Client Responsibilities. Client agrees that, without limitation of Company’s obligations under this Section 4, Client is solely responsible for its and its Users’ use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Client Personal Data and (b) securing any account authentication credentials, systems, and devices Client uses to access or connect to the Services. Without limiting Company’s obligations hereunder, Client is responsible for reviewing the information made available by Company relating to data security and making an independent determination as to whether the Services meet Client’s requirements and legal obligations under Data Protection Laws.

5. SUBPROCESSING. Subject to the requirements of this Section 5, Client generally authorizes Company to engage Subprocessors as Company considers reasonably appropriate for the Processing of Client Personal Data. A list of Company’s Subprocessors, including their functions and locations, is available upon Client’s request and may be updated by Company from time to time in accordance with this Section. Company will notify Client of the addition or replacement of any Subprocessor at least ten (10) days prior to such engagement. Client may object to such changes on reasonable data protection grounds by providing Company written notice of such objection within ten (10) days. Company will use commercially reasonable efforts to: (a) work with Client in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; or (b) take corrective steps requested by Client in its objection and proceed to use the new Subprocessor. If Company informs Client that such change or corrective steps cannot be made, Client may, as its sole and exclusive remedy available under this Section 5, terminate the relevant portion of the Agreement involving the Services which require the use of the proposed Subprocessor by providing written notice to Company. When engaging any Subprocessor, Company will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this Addendum. Company shall be liable for the acts and omissions of the Subprocessor to the extent Company would be liable under the Agreement and this Addendum.

6. DATA SUBJECT RIGHTS. Company will, taking into account the nature of the Processing of Client Personal Data and the functionality of the Services, provide Client with self-service functionality through the Services or other reasonable assistance as necessary for Client to fulfill its obligations under Data Protection Laws to respond to requests by Data Subjects to exercise their rights under Data Protection Laws. Company reserves the right to charge Client on a time and materials basis in the event that Company considers that such assistance is onerous, complex, frequent, or time consuming. If Company receives a request from a Data Subject under any Data Protection Laws with respect to Client Personal Data, Company will advise the Data Subject to submit the request to Client and Client will be responsible for responding to any such request. 

7. ASSESSMENTS AND PRIOR CONSULTATIONS. In the event that Data Protection Laws require Client to conduct a data protection impact assessment, transfer impact assessment, or prior consultation with a Supervisory Authority in connection with Company’s Processing of Client Personal Data, following written request from Client, Company shall use reasonable commercial efforts to provide relevant information and assistance to Client to fulfill such request, taking into account the nature of Company’s Processing of Client Personal Data and the information available to Company. Company reserves the right to charge Client on a time and materials basis in the event that Company considers that such assistance is onerous, complex, frequent, or time consuming. 

8. RELEVANT RECORDS AND AUDIT RIGHTS.

  • 8.1  Review of Information and Records. Upon Client’s reasonable written request, Company will make available to Client all information in Company’s possession reasonably necessary to demonstrate Company’s compliance with Data Protection Laws and Company’s obligations set out in this Addendum. Such information will be made available to Client no more than once per calendar year and subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement. 
  • 8.2  Audits. At the request of Customer, during the term of the Agreement, if available, Company will provide a copy of its most recent SOC report or similar industry certification or any successor standards (“Report”) for information security management. If Company’s Report is not dated within a year of such request by Client or otherwise not available, or if Client requires information for its compliance with Data Protection Laws in addition to the information provided by the Report or under Section 8.1, at Client’s sole expense and to the extent Client is unable to access the additional information on its own, Company will allow for, cooperate with, and contribute to reasonable assessments and audits, including inspections, by Client or an auditor mandated by Client (“Mandated Auditor”), provided that (a) Client provides Company with reasonable advance written notice including the anticipated date of the audit, the proposed scope of the audit, and the identity of any Mandated Auditor, which shall not be a competitor of Company; (b) Company approves the Mandated Auditor in writing, with such approval not to be unreasonably withheld; (c) the audit is conducted during normal business hours and in a manner that does not have any adverse impact on Company’s normal business operations; (d) Client or any Mandated Auditor complies with Company’s standard safety, confidentiality, and security policies or procedures in conducting any such audits; (e) any records, data, or information accessed by Customer or any Mandated Auditor in the performance of any such audit, or any results of any such audit, will be deemed to be the Confidential Information of Company and subject to a nondisclosure agreement to be provided by Company; and (f) Client may initiate such audit not more than once per calendar year unless otherwise required by a Supervisory Authority or Data Protection Laws.
  • 8.3  Results of Audits. Client will promptly notify Company of any non-compliance discovered during the course of an audit and provide Company any audit reports generated in connection with any audit under this Section, unless prohibited by Data Protection Laws or otherwise instructed by a Supervisory Authority. Client may use the audit reports solely for the purposes of meeting Client’s audit requirements under Data Protection Laws to confirm that Company’s Processing of Client Personal Data complies with this Addendum.
9. DATA TRANSFERS.
  • 9.1  Data Processing Facilities. Company may, subject to Sections 9.2 and 9.3, Process Client Personal Data in the United States or anywhere Company or its Subprocessors maintains facilities. Client is responsible for ensuring that its use of the Services complies with any cross-border data transfer restrictions of Data Protection Laws. 
  • 9.2  European Transfers. If Client transfers Client Personal Data to Company that is subject to European Data Protection Laws, and such transfer is not subject to an alternative adequate transfer mechanism under European Data Protection Laws or otherwise exempt from cross-border transfer restrictions, then Client (as “data exporter”) and Company (as “data importer”) agree that the applicable terms of the Standard Contractual Clauses shall apply to and govern such transfer and are hereby incorporated herein by reference. In furtherance of the foregoing, the parties agree that: (a) the execution of this Addendum shall constitute execution of the applicable Standard Contractual Clauses as of the Agreement effective date; (b) the relevant selections, terms, and modifications set forth in Appendix 3 shall apply, as applicable; and (c) the Standard Contractual Clauses shall automatically terminate once the Client Personal Data transfer governed thereby becomes lawful under European Data Protection Laws in the absence of such Standard Contractual Clauses on any other basis.

  • 9.3  Other Jurisdictions. If Client transfers Client Personal Data to Company that is subject to Data Protection Laws other than European Data Protection Laws which require the parties to enter into standard contractual clauses to ensure the protection of the transferred Client Personal Data, and the transfer is not subject to an alternative adequate transfer mechanism under Data Protection Laws or otherwise exempt from cross-border transfer restrictions, then the parties agree that the applicable terms of any standard contractual clauses approved or adopted by the relevant Supervisory Authority pursuant to such Data Protection Laws shall automatically apply to such transfer and, where applicable, shall be completed on a mutatis mutandis basis to the completion of the Standard Contractual Clauses as described in Section 9.2.

10. DELETION OR RETURN OF CLIENT PERSONAL DATA. The Platform may include functionality for Client to delete its Client Personal Data from the Platform. Client may access and use any such functionality during the term of the Agreement. To the extent Client is unable to delete Client Personal Data through such functionality of the Platform, following termination or expiration of the Agreement, Company shall, at Client's option, delete or return Client Personal Data and all copies to Client, subject to Company’s standard data backup and recovery policies, except as required by applicable law. If Company retains Client Personal Data pursuant to applicable law, Company agrees that all such Client Personal Data shall continue to be protected in accordance with this Addendum.

11. GENERAL TERMS. This Addendum will, notwithstanding the expiration or termination of the Agreement, remain in effect until, and automatically expire upon, Company’s deletion or return of all Client Personal Data. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible; or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein. To the extent of any conflict or inconsistency between this Addendum and the other terms of the Agreement in relation to the Processing of Client Personal Data, this Addendum will govern. Unless otherwise expressly stated herein, the parties will provide notices under this Addendum in accordance with the Agreement, provided that all such notices may be sent via email. Any liabilities arising in respect of this Addendum are subject to the limitations of liability under the Agreement. This Addendum will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.

APPENDIX 1

Details of Processing of Client Personal Data

The subject matter and duration of the Processing of Client Personal Data

The subject matter and duration of the Processing of Client Personal Data are set out in the Agreement and this Addendum.

The nature and purpose of the Processing of Client Personal Data

The nature and purposes of Processing shall be those activities reasonably required to facilitate or support the provision of the services as is described in any Statement of Work or Software Order Form that makes reference to, is incorporated under, or is subject to the Agreement.

The categories of Data Subject to whom Client Personal Data relates

The categories of Data Subjects shall be as is contemplated or related to the Processing described in any Statement of Work or Software Order Form that makes reference to, is incorporated under, or is subject to the Agreement, which may include Client’s Users (i.e., employees, independent contractors, and other individuals who are authorized by Client to use the Services on behalf of Client), and third-party individuals that engage with Customer and its Users through certain Services.

The categories of Client Personal Data 

The categories of Client Personal Data shall be as is contemplated or related to the Processing described in any Statement of Work or Software Order Form that makes reference to, is incorporated under, or is subject to the Agreement, which may include commercial data, first and last names, phone numbers, email addresses, IP address, device ID, device operating system, location information, scheduling/calendar information, and the content of messages.

The sensitive data included in Client Personal Data

The categories of sensitive Client Personal Data are those categories contemplated in and permitted by the Statement of Work or Software Order Form and the Agreement, if any.  The restrictions or safeguards applied to such data are described in Appendix 2.

The frequency of Client’s transfer of Client Personal Data to Company

On a continuous basis for the term of the Agreement or applicable Statement of Work or Software Order Form.

The period for which the Client Personal Data will be retained, or, if that is not possible, the criteria used to determine that period

As set forth in the Agreement, applicable Statement of Work or Software Order Form, and this Addendum.

For transfers to Subprocessors, the subject matter, nature, and duration of the Processing of Client Personal Data 

For the same subject matter, nature, and duration as set forth above.

APPENDIX 2

Security Measures

1. Information Security Program. Implement, maintain, and comply with information security policies and procedures designed to protect the confidentiality, integrity, and availability of Client Personal Data and any systems that store or otherwise Process it, which are: (a) aligned with an industry-standard control framework; (b) approved by executive management; (c) reviewed and updated at least annually; and (d) communicated to all personnel with access to Client Personal Data.

 

2. Risk Assessment. Maintain risk assessment procedures for the purposes of periodic review and assessment of risks to the organization, monitoring and maintaining compliance with the organization’s policies and procedures, and reporting the condition of the organization’s information security and compliance to internal senior management.

 

3. Personnel Training. Train personnel to maintain the confidentiality, integrity, and availability of Client Personal Data, consistent with the terms of the Agreement and Data Protection Laws.

 

4. Vendor Management. Prior to engaging Subprocessors and other subcontractors, conduct reasonable due diligence and monitoring to ensure subcontractors are capable of maintaining the confidentiality, integrity, and availability of Client Personal Data.

 

5. Access Controls. Only authorized personnel and third parties are permitted to access Client Personal Data. Maintain logical access controls designed to limit access to Client Personal Data and relevant information systems (e.g., granting access on a need-to-know basis, use of unique IDs and passwords for all users, periodic review and revoking or changing access when employment terminates or changes in job functions occur).

 

6. Secure User Authentication. Maintain password controls designed to manage and control password strength, expiration, and usage. These controls include prohibiting users from sharing passwords and requiring that passwords controlling access to Client Personal Data must: (a) be at least 8 characters in length and meet minimum complexity requirements; (b) not be stored in readable format on the organization’s computer systems; (c) have a history threshold to prevent reuse of recent passwords; and (d) if newly issued, be changed after first use.

 

7. Incident Detection and Response. Maintain policies and procedures to detect and respond to actual or reasonably suspected Security Incidents, and encourage the reporting of such incidents.

 

8. Encryption. Apply industry standard encryption to Client Personal Data: (a) stored on any medium (i.e., laptops, mobile devices, portable storage devices, file servers and application databases); and (b) transmitted across any public network (such as the Internet) or wirelessly.

 

9. Network Security. Implement network security controls such as up-to-date firewalls and prevention systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.

 

10. Change Control. Follow change management procedures and implement tracking mechanisms designed to test, approve, and monitor all changes to the organization’s technology and information assets.

 

11. Physical Security. Take steps to ensure the physical and environmental security of data centers, server room facilities and other areas containing Client Personal Data, including by: (a) protecting information assets from unauthorized physical access; (b) managing, monitoring, and logging movement of persons into and out of the organization’s facilities; and (c) guarding against environmental hazards such as heat, fire, and water damage.

 

12. Business Continuity and Disaster Recovery. Maintain business continuity and disaster recovery policies and procedures designed to maintain service and recover from foreseeable emergency situations or disasters.

APPENDIX 3

Standard Contractual Clauses

1. Application of Modules. If Client is acting as a Controller with respect to Client Personal Data, “Module Two: Transfer controller to processor” of the Standard Contractual Clauses shall apply. If Client is acting as a Processor to a third-party Controller with respect to Client Personal Data, Company is a sub-Processor and “Module Three: Transfer processor to processor” of the Standard Contractual Clauses shall apply. 

2. Sections I-V. The parties agree to the following selections in Sections I-IV of the Standard Contractual Clauses: (a) the parties select Option 2 in Clause 9(a) and the specified time period shall be the notification time period set forth in Section 5 of the Addendum; (b) the optional language in Clause 11(a) is omitted; (c) the parties select Option 1 in Clause 17 and the governing law of the Republic of Ireland will apply; and (d) in Clause 18(b), the parties select the courts of the Republic of Ireland.

3. Annexes. The name, address, contact details, activities relevant to the transfer, and role of the parties set forth in the Agreement and the Addendum shall be used to complete Annex I.A. of the Standard Contractual Clauses. The information set forth in Appendix 1 to the Addendum shall be used to complete Annex I.B. of the Standard Contractual Clauses. The competent supervisory authority in Annex I.C. of the Standard Contractual Clauses shall be the relevant supervisory authority determined by Clause 13 and the GDPR, unless otherwise set forth in Sections 5 or 6 of this Appendix 3. If such determination is not clear, then the competent supervisory authority shall be the Irish Data Protection Authority. The technical and organizational measures in Annex II of the Standard Contractual Clauses shall be the measures set forth in Appendix 2 to the Addendum.

4. Supplemental Business-Related Clauses. In accordance with Clause 2 of the Standard Contractual Clauses, the parties wish to supplement the Standard Contractual Clauses with business-related clauses, which shall neither be interpreted nor applied in such a way as to contradict the Standard Contractual Clauses (whether directly or indirectly) or to prejudice the fundamental rights and freedoms of Data Subjects. Company and Client therefore agree that the applicable terms of the Agreement and the Addendum shall apply if, and to the extent that, they are permitted under the Standard Contractual Clauses, including without limitation the following:
  • (a)  Instructions. The instructions described in Clause 8.1 are set forth in Section 2.2 of the Addendum.
  • (b)  Protection of Confidentiality. In the event a Data Subject requests a copy of the Standard Contractual Clauses or the Addendum under Clause 8.3, Client shall make all redactions reasonably necessary to protect business secrets or other confidential information of Company.
  • (c)  Deletion or Return. Deletion or return of Client Personal Data by Company under the Standard Contractual Clauses shall be governed by Section 10 of the Addendum. Certification of deletion of Client Personal Data under Clause 8.5 or Clause 16(d) will be provided by Company upon the written request of Client.
  • (d)  Audits and Certifications. Any information requests or audits provided for in Clause 8.9 shall be fulfilled in accordance with Section 8 of the Addendum.
  • (e)  Liability. The relevant terms of the Agreement which govern indemnification or limitation of liability shall apply to Company’s liability under Clauses 12(a), 12(d), and 12(f).
  • (f)  Termination. The relevant terms of the Agreement which govern termination shall apply to a termination pursuant to Clauses 14(f) or 16.

5. Transfers from the United Kingdom. If Client transfers Client Personal Data to Company that is subject to UK Data Protection Laws, the parties acknowledge and agree that: (a) the template addendum issued by the Information Commissioner’s Office of the United Kingdom and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf), as it may be revised from time to time by the Information Commissioner’s Office (the “UK Addendum”) shall be incorporated by reference herein; (b) the UK Addendum shall apply to and modify the Standard Contractual Clauses solely to the extent that UK Data Protection Laws apply to Client’s Processing when making the transfer; (c) the information required to be set forth in “Part 1: Tables” of the UK Addendum shall be completed using the information provided in this Appendix 3 and the Addendum; and (d) either party may end the UK Addendum in accordance with section 19 thereof.

6. Transfers from Switzerland. If Client transfers Client Personal Data to Company that is subject to the Swiss FADP, the following modifications shall apply to the Standard Contractual Clauses to the extent that the Swiss FADP applies to Client’s Processing when making that transfer: (a) the term “member state” as used in the Standard Contractual Clauses shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from suing for their rights in their place of habitual residence in accordance with Clause 18(c) of the Standard Contractual Clauses; (b) references to the GDPR or other governing law contained in the Standard Contractual Clauses shall also be interpreted to include the Swiss FADP; and (c) the parties agree that the supervisory authority as indicated in Annex I.C of the Standard Contractual Clauses shall be the Swiss Federal Data Protection and Information Commissioner.