Data Processing Agreement
Last updated: December 11, 2020
1.1 In accordance with clause 6 of the Agreement, this Data Processing Addendum ("DPA") sets out the basis on which you process Customer Personal Data (as defined below).
1.2 In the event of a conflict between any of the provisions of this DPA and the remaining provisions of the Agreement, the provisions of this DPA shall prevail.
2.1 In this DPA, the terms "personal data", "Data Subject", "Process" and "Supervisory Authority" shall have the same meaning as set out in the GDPR (as defined below), and the following words and expressions shall have the following meanings unless the context otherwise requires:
(a) "Agreement" means the Matterport Service Partner Program Terms and Conditions;
(b) "Customer Personal Data" means the personal data described in ANNEX 1, and any other personal data that Service Provider processes on behalf of Matterport or Matterport's affiliate in connection with Service Provider's provision of the Services;
(c) "Commencement Date" means the date of the Agreement, or such earlier effective date as specified in the Agreement;
(d) "Data Protection Laws" means the Directive, any applicable national implementing legislation including, and in each case as amended, replaced or superseded from time to time, including without limitation by the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("GDPR") and all applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Customer Personal Data;
(e) "Directive" means Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(f) "European Economic Area" or "EEA" means the Member States of the European Union together with Iceland, Norway, and Liechtenstein;
(g) "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Customer Personal Data;
(h) "Services" means scanning services;
(i) "Subprocessor" means any processor engaged by the Service Provider who agrees to receive from the Service Provider Customer Personal Data.
3. DATA PROCESSING
3.1 Instructions for Data Processing. Service Provider will only Process Customer Personal Data in accordance with (a) the Agreement, to the extent necessary to provide the Services to Matterport, and (b) Matterport's written instructions, unless Processing is required by applicable European Union or Member State law to which the Service Provider is subject, in which case Service Provider shall, to the extent permitted by European Union or Member State law, inform Matterport of that legal requirement before Processing that Customer Personal Data.
3.2 Processing outside the scope of this DPA will require prior written agreement between Matterport and Service Provider on additional instructions for Processing.
4. TRANSFER OF PERSONAL DATA
4.1 Service Provider shall not permit, allow or otherwise facilitate Subprocessors to Process Customer Personal Data without the prior written consent of Matterport and unless Service Provider enters into a written agreement with the Subprocessor which imposes the same obligations on the Subprocessor with regard to their Processing of Customer Personal Data, as are imposed on the Service Provider under this DPA.
“Customer acknowledges and agrees that Matterport may retain Subprocessors for the purpose of providing services under the Agreement, and hereby provides general authorization to the use of Subprocessors for such purposes and to all Subprocessors retained by Matterport as of the DPA Effective Date. A copy of the current list of Subprocessors will be provided upon request by the Customer. Before a Subprocessor begins Processing Personal Data, Matterport shall carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Personal Data required by the Agreement, ensure that the arrangement between Matterport and the Subprocessor is governed by a written contract including terms which offer at least the same level of protection for Personal Data as those set out in this DPA and meet the requirements of article 28(3) of the GDPR, and ensure that (where applicable) the Standard Contractual Clauses are at all relevant times incorporated into the agreement between Matterport and the Subprocessor. Matterport shall also ensure that each Subprocessor performs the applicable obligations under this DPA, as they apply to Processing of Personal Data carried out by that Subprocessor, as if it were party to this DPA in place of Matterport.”
4.2 Liability of Subprocessors. Service Provider shall at all times remain responsible for compliance with its obligations under the DPA and will be liable to Matterport for the acts and omissions of any Subprocessor approved by Matterport as if they were the acts and omissions of Service Provider.
4.3 Prohibition on Transfers of Personal Data. Service Providers located in the EEA shall transfer the Customer Personal Data to Matterport based outside the EEA (e.g., to the USA) ("Transfer"). Matterport is a member of a compliance scheme recognised by the European Commission as offering adequate protection for the rights and freedoms of data subjects such as the EU-U.S. Privacy Shield. Other than this Transfer, Service Providers shall not transfer Customer Personal Data outside the EEA without Matterport's prior written consent.
5. DATA SECURITY, AUDITS AND SECURITY NOTIFICATIONS
5.1 Service Provider Security Obligations. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Service Provider shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk including, where applicable by virtue of Article 28(3)(c) of the GDPR, and as appropriate, the measures referred to in Article 32(1) of the GDPR. Without limiting the generality of the foregoing, Service Provider shall put in place and maintain the technical and organizational measures as set out in ANNEX 2 of this DPA to protect the Customer Personal Data against any Security Incident.
5.2 Service Provider Security Audits. Matterport may audit (by itself or using independent third party auditors) Service Provider's compliance with the security measures set out in this DPA (including the technical and organizational measures as set out in ANNEX 2), including by conducting audits of Service Provider's (and Subprocessors') data processing facilities and such audits may be performed at least once annually.
5.3 Where applicable by virtue of Article 28(3)(h) of the GDPR, Service Provider shall make available to Matterport on request all information necessary to demonstrate compliance with this DPA. Service Provider shall immediately inform Matterport if, in its opinion, an instruction pursuant to this clause 5 infringes applicable Data Protection Laws.
5.4 Security Incident Notification. If Service Provider or any Subprocessor becomes aware of, or has reason to suspect that there has been, a Security Incident, Service Provider will promptly (a) notify Matterport of the Security Incident in any case within 72 hours, (b) investigate the Security Incident and fully co-operate with Matterport's (and any law enforcement or regulatory official's) investigation of the Security Incident, and (c) take steps to remedy any non-compliance with this DPA.
5.5 Service Provider Employees and Personnel. Service Provider shall limit access to Customer Personal Data to those employees or other personnel who have a business need to have access to such Customer Personal Data. Further, Service Provider shall ensure that such employees or other personnel have agreed in writing to protect the confidentiality and security of Customer Personal Data in accordance with the provisions of this DPA.
6. ACCESS REQUESTS AND DATA SUBJECT RIGHTS
6.1 Data Subject Requests. Service Provider shall promptly notify Matterport of any request received by Service Provider or any Subprocessor from a Data Subject in respect of their personal data included in the Customer Personal Data, and shall not respond to the Data Subject.
6.2 Service Provider shall, where possible, assist Matterport with ensuring its compliance under applicable Data Protection Laws, and in particular shall:
(a) provide Matterport with the ability to correct, delete, block, access or copy the personal data of a Data Subject, or
(b) promptly correct, delete, block, access or copy Customer Personal Data within the Services at Matterport's request.
6.3 Government Disclosure. Service Provider shall promptly notify Matterport of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency.
7.1 The Service Provider shall provide Matterport with any information or assistance reasonably requested by Matterport for the purpose of complying with any of Matterport's obligations under applicable Data Protection Laws, including:
(a) where applicable by virtue of Article 28(3)(e) of the GDPR, taking into account the nature of the Processing, assisting Matterport by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Matterport’s obligation to respond to requests for exercising Data Subject rights laid down in the GDPR;
(b) where applicable by virtue of Article 28(3)(f) of the GDPR, providing reasonable assistance to Matterport with any data protection impact assessments which are referred to in Article 35 of GDPR and with any prior consultations to any Supervisory Authority of Matterport which are referred to in Article 36 of GDPR, in each case solely in relation to Processing of Customer Personal Data and taking into account the nature of the Processing and information available to Service Provider.
8. DURATION AND TERMINATION
8.1 Deletion of data. Subject to 8.2 and 8.3 below, Service Provider shall promptly and in any event within 90 (ninety) days of the date of termination of the Agreement:
(a) return a complete copy of all Customer Personal Data by secure file transfer in such a format as notified by Matterport to Service Provider; and
(b) delete and procure the deletion of all other copies of Customer Personal Data processed by Service Provider or any Subprocessors.
8.2 Subject to section 8.3 below, Matterport may in its absolute discretion notify Service Provider in writing within 30 (thirty) days of the date of termination of the Agreement to require Service Provider to delete and procure the deletion of all copies of Customer Personal Data processed by Service Provider or any Subprocessors. Service Provider shall comply with any such written request within 90 (ninety) days of the date of termination of the Agreement and, where this section 8.2 applies, Service Provider shall not be required to provide a copy of the Customer Personal Data to Matterport.
8.3 Service Provider may retain Customer Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Service Provider shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
8.4 Service Provider shall provide written certification to Matterport that it has fully complied with this section 8 within 90 (ninety) days of the date of termination of the Agreement.
DETAILS OF THE PROCESSING OF CUSTOMER PERSONAL DATA
This ANNEX 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) of the GDPR.
Data Subjects are individuals who have requested Services, or have been identified as potential customers for Services from the Service Provider.
Categories of Customer Personal Data
The personal data transferred concerns the following categories of data:
- Direct identifying information (First and last name, email address and phone number);
- Indirect identifying information (Company name, location of property, type of property);
- Device identification and traffic data (IP address, data logs); and
- Any personal data supplied by data subjects in relation to the Services.
Special Categories of Data
No special categories of data are processed.
Personal data transferred will be subject to the following basic processing activities:
- For the provisioning of Services by Service Provider;
- To enable the billing of Data Subjects for Services.
TECHNICAL AND ORGANISATIONAL MEASURES
Service Provider shall maintain technical and organizational controls designed to protect Customer Personal Data, consistent with generally accepted business standards.
Specifically, Service Provider will implement the following measures:
- Use unique passwords per Matterport Cloud user, consisting of combinations of letters, numbers and special characters that cannot be easily guessed. Service Providers will not share passwords with other individuals.
- Maintain personal computer(s) with updated operating systems and anti-virus / anti-malware software, consistent with industry best-practices.
- Maintain personal computer(s) with encrypted hard drives.
- Physically secure all computers, tablets, phones, or other computing devices that are used to process Customer Personal Data in a manner consistent with industry best-practices.
- Dispose of computers, tablets, phones, or other computing devices that are used to process Customer Personal Data when systems are no longer in use, for example by shredding hard drives, or wiping with a multi-pass disk erase utility.
- Prohibit the transmission of Customer Personal Data in bulk through unencrypted email, file sharing sites, or by other unsecured methods.