DATA PROCESSING ADDENDUM

Effective Date: March 1, 2024

This Data Processing Addendum (“DPA”) forms part of and is subject to the Master Services Agreement (“Agreement”) between Converso Inc. (dba Motion Meetings) (“MOTION”) and Customer.

DEFINITIONS

Customer” means the legal entity or individual who accepted MOTION’s Agreement, which includes this DPA.

Customer Data” means any personal data that is processed by MOTION on behalf of the Customer to perform the Services under the Agreement.

“Applicable Data Protection Laws”means all laws applicable to the collection, storage, processing, and use of Customer Data as amended, replaced or superseded from time to time,

Services” means the use of the MOTION online voting system and related services provided to Customer pursuant to the Agreement.

The terms “consent“, “controller“, “data subject“, “member state“, “personal data“, “personal data breach“, “processor“, “sub-processor“, “processing“, and “supervisory authority“, and “third party” shall have the meanings given to them, under ascribed to them under Applicable Data Protection Laws and may be lowercase or capitalized herein.

  1. ROLES AND PURPOSE

    1. Customer authorizes MOTION to process Customer Data as needed to perform the Services for which Customer is contracting with MOTION in the Agreement, as described in Annex 1.
    2. The parties agree that Customer is the controller, and MOTION is the processor acting on behalf of Customer.
    3. The parties shall each comply with the provisions and obligations imposed on them by the Applicable Data Protection Laws with respect to the processing of Customer Data.
    4. The parties agree that Customer Data shall remain the property of Customer.
    5. For the avoidance of doubt, this DPA shall not apply to personal data for which MOTION is a controller.
  2. OBLIGATIONS OF MOTION

    1. MOTION shall only process Customer Data for the specific purpose of providing the Services to Customer and in accordance with Customer’s instructions. Such Customer’s instructions shall be documented in the applicable services description, support request, other written communication or as directed by Customer using the self-service application interfaces.
    2. MOTION shall not retain, use, or disclose Customer Data for any purpose other than for the specific purpose of providing the Services to Customer as set out in the Agreement and this DPA.
    3. MOTION shall at all times have in place a Data Protection Officer who is responsible for ensuring compliance with this DPA and who is the primary contact for Customer when seeking assistance in meeting its obligations under Applicable Data Protection Laws.
    4. MOTION shall immediately inform Customer if, in its opinion, Customer’s processing instructions infringe Applicable Data Protection Law. In such event, MOTION is entitled to defer the performance of the relevant instruction until it has been amended by Customer or is mutually agreed by both Customer and MOTION.
  3. OBLIGATIONS OF CUSTOMER

    1. Customer is and shall remain responsible for compliance with all requirements imposed on controllers, including but not limited to confirming the lawful basis for all processing activities conducted by MOTION on Customer’s behalf and obtaining consent from data subjects, where required. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which Customer acquired Customer Data.
    2. Customer agrees to limit any Customer Data it transfers to MOTION or to which MOTION is otherwise given access for processing to only Customer Data needed by MOTION in order to perform the Services.
    3. Customer shall ensure that MOTION’s processing of Customer Data in accordance with Customer’s instructions will not cause MOTION to violate any applicable law, regulation, or rule, including, without limitation, Applicable Data Protection Laws.
  4. SUB-PROCESSING

    1. Customer agrees that MOTION may engage sub-processors to process Customer Data on Customer’s behalf. The sub-processors currently engaged by MOTION and authorized by Customer are listed in Annex 3. MOTION shall notify Customer if it adds or removes sub-processors at least 10 days prior to any such changes if Customer opts in to receive such notifications by emailing [email protected].
    2. If within 5 days of receipt of that notice, Customer notifies MOTION in writing of any objections to the proposed appointment on reasonable grounds relating to data protection, the parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, either party shall have the right to terminate the Agreement for cause.
    3. MOTION shall enter into a written agreement with each sub-processor containing data protection obligations that provide at least the same level of protection for Customer Data as those in this DPA.
    4. MOTION shall be responsible for the acts and omissions of any sub-processors as it is to the Customer for its own acts and omissions in relation to the matters provided in this DPA.
  5. SECURITY

    1. MOTION shall implement and maintain appropriate technical and organizational measures to protect Customer Data against personal data breaches, as described under Annex 2. Notwithstanding any provision to the contrary, MOTION may modify or update the technical and organizational measures at its discretion provided that such modification or update does not result in a material degradation of the overall security of the Services.
    2. MOTION shall ensure that any person who is authorized by MOTION to process Customer Data (including its staff, agents, and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
    3. MOTION shall notify Customer in accordance with Applicable Data Protection Laws, without undue delay, but in any event within forty-eight (48) hours, in the event of a confirmed personal data breach affecting Customer Data and shall take appropriate measures to mitigate its possible adverse effects. Upon written request, MOTION shall promptly provide Customer with such reasonable assistance as necessary to enable Customer to notify relevant personal data breaches to competent authorities and/or affected data subjects, if it is required to do so under Applicable Data Protection Laws.
    4. Customer is responsible for reviewing the information made available by MOTION relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Applicable Data Protection Laws.
    5. Customer is responsible for its secure use of the Services, including securing its user authentication credentials, protecting the security of Customer Data when in transit to and from the Services, and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Services.
  6. SECURITY REPORTS AND AUDIT

    1. MOTION shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections by Customer in order to assess compliance with this DPA. Customer acknowledges and agrees that it shall exercise its audit rights under this DPA (including this Section) and any audit rights granted by Applicable Data Protection Laws, by instructing MOTION to comply with the audit measures described in Sections 7.2 and 7.3 below.
    2. Upon written request, MOTION shall supply, on a confidential basis and without charge, a summary copy of its most current audit reports to Customer, so that Customer can verify MOTION’s compliance with the audit standards against which it has been assessed and this DPA.
    3. In addition to the reports described in Section 7.2 above, MOTION shall respond to all reasonable requests for information made by Customer to confirm MOTION’s compliance with this DPA, including responses to information security, due diligence, and audit questionnaires, by making additional information available regarding its information security program upon Customer’s written request, provided that Customer shall not exercise this right more than once per calendar year. Customer shall be responsible for all costs relating to an audit as described within this Section, including for any time MOTION spends on such audit at MOTION’s then-current professional service rates.
  7. DATA SUBJECT REQUESTS

    1. As part of the Services, MOTION provides specific tools in order to assist customers in replying to requests received from data subjects exercising their rights under Applicable Data Protection Laws. These include professional services as well as self-service application interfaces to retrieve, correct, delete, or restrict the use of Customer Data. In addition, MOTION shall (considering the nature of the processing) provide reasonable additional assistance to Customer to the extent possible to enable Customer to comply with its obligations with respect to data subject rights under Applicable Data Protection Laws.
    2. In the event that MOTION receives any such requests directly from a data subject, it shall, unless prohibited by law, direct the data subject to contact Customer (to the extent MOTION is able to associate the data subject with Customer). In the event Customer is unable to address the data subject request, MOTION shall, on Customer’s request, address the data subject directly, as required under Applicable Data Protection Laws.
  8. DATA PROTECTION IMPACT ASSESSMENT

    1. To the extent required under applicable Applicable Data Protection Laws, MOTION shall (considering the nature of the processing and the information available to MOTION) provide all reasonably requested information regarding the Services to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Applicable Data Protection Laws. MOTION shall comply with the foregoing by: (i) complying with Section 7 above; (ii) providing the information contained in the Agreement, including this DPA; and (iii) if the foregoing sub-Sections (i) and (ii) are insufficient for Customer to comply with such obligations, upon request, providing additional reasonable assistance. Customer shall be responsible for all costs relating to such additional assistance, including for any time MOTION spends on such assistance at MOTION’s then-current professional service rates.
  9. RETURN OR DESTRUCTION OF DATA

    1. Customer may, by written notice to MOTION, request the return of all copies of Customer Data in the control or possession of MOTION and sub-processors. MOTION shall promptly provide a copy of Customer Data in a form that can be read and processed further.
    2. Customer may, by written notice to MOTION, request the certificate of deletion of all copies of the Customer Data in the control or possession of MOTION and sub-processors. Within 30 days of receipt of that notice, MOTION shall delete all Customer Data processed pursuant to this DPA and provide Customer with a certificate of deletion.
    3. Within 15 days following termination of Customer’s account, MOTION shall delete all Customer Data processed pursuant to this DPA.
    4. These provisions shall not apply to the extent MOTION is required by applicable law to retain some or all of Customer Data.
    5. Customer acknowledges and agrees that the certification of deletion of Customer Data described in the Standard Contractual Clauses or any Applicable Data Protection Laws shall be provided by MOTION to Customer only upon Customer’s written request.
  10. INTERNATIONAL TRANSFERS

    1. Customer authorizes the transfer, processing and storage of Customer Data to and in anywhere in the world where MOTION and its sub-processors maintain data processing operations in order to fulfill the purpose of the Services. MOTION shall at all times ensure that such transfers are made in compliance with the requirements of Applicable Data Protection Laws and this DPA.
  11. LIMITATION OF LIABILITY

    1. Each party’s liability arising out of or related to this DPA shall be subject to the exclusions and limitations of liability set forth in the Agreement.
    2. Any claims made against MOTION under or in connection with this DPA shall be brought solely by the Customer entity that is a party to the Agreement.
    3. In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.
  12. GENERAL PROVISIONS

    1. This DPA shall remain in effect for as long as MOTION processes Customer Data or until termination of the Agreement (and all Customer Data has been returned or deleted in accordance with Section 10 above).
    2. The parties agree that this DPA shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the Services.
    3. In the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail.
    4. If any provision of this DPA is found by a court of competent jurisdiction to be invalid, it is agreed that such court should endeavour to give full effect to the parties’ intentions as reflected in such provision, and it is agreed that other provisions of this DPA remain in full effect.
    5. The governing law and jurisdiction will be governed by the Agreement, unless otherwise stated herein. Any and all disputes concerning the construction and interpretation of this DPA and/or the parties’ obligations under this DPA will be handled in accordance with pertinent provisions governing disputes or claims that are set forth in the Agreement.

ANNEX 1

A. LIST OF PARTIES

Data Exporter:

  • Name: as provided in the Agreement signature block
  • Role: Controller
  • Address: Customer address – as provided in the Agreement signature block
  • Contact Person: Customer’s Data Protection Office or other legal representative. Customer shall make these details available upon MOTION’s request.
  • Activities Relevant to the Transfer: Consuming the Services as further specified in the Services documentation.

Data Importer: 

  • Name: Converso Inc. (dba Motion Meetings)
  • Role: Processor
  • Address: 1600 – 401 Bay Street, Toronto, Ontario M5H 2Y4 Canada
  • Contact Person: Sean Holt, Data Protection Officer, [email protected]
  • Activities Relevant to the Transfer: Providing the Services as further specified in the Services documentation.

B. DESCRIPTION OF TRANSFER

Categories of Data Subjects

Customer may submit Customer Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of data subjects:

  • Customer’s users authorized by Customer to use the Services
  • Organizers
  • Speakers
  • Attendees

Categories of Personal Data

Customer may submit Customer Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of personal data:

  • Contact information (e.g., name, email address,organization name, phone number)
  • Member information (e.g. name, email address, organization name, phone number)

Sensitive Data Transferred

  • Customer Data transferred is determined and controlled by the data exporter and may include sensitive data such as political affiliation or trade union membership or any other sensitive data necessary to be processed in order to perform the Services.
  • The technical and organizational security measures described in Annex 2 ensure a level of security appropriate to protect sensitive data.

Frequency of the Transfer

Continuous basis depending on the use of the Services by Customer.

Nature of the Processing

Customer Data will be processed in accordance with the Agreement (including this DPA) and may be subject to storage and other processing necessary to provide the Services and any related technical support to the Customer.

Purpose of the Transfer and Further Processing

MOTION will process Customer Data as necessary to perform the Services, as further specified in the Services documentation, and as further instructed by Customer in its use of the Services.

Retention Period

Subject to Section 9 of this DPA, Customer Data shall be retained until Customer terminates their account or instructs MOTION to destroy the data earlier, except as otherwise required by applicable law.

Sub-Processor Transfers

Transfers to sub-processors shall be of the same subject matter, nature and duration as the data importer.

ANNEX 2

INFORMATION SECURITY – TECHNICAL AND ORGANIZATIONAL MEASURES

MOTION implements the following measures to protect Customer Data.

Physical Access Control

To prevent unauthorized persons from gaining physical access to data processing systems:

  • MOTION leverages industry-leading cloud infrastructure providers. Access to their data centres is strictly controlled. All data centres are equipped with surveillance and access control systems. Additionally, all providers have industry standard certifications.
  • MOTION’s corporate headquarters is equipped with surveillance, intruder alarm, and access control systems. Guests and visitors must be accompanied by authorized MOTION personnel.

System Access Control

To prevent data processing systems from being used without authorization:

  • MOTION personnel are granted system access to internal and externally hosted systems on a need-to-know basis based on job role, and reviews of access are performed quarterly. Onboarding and offboarding processes are documented to ensure access is properly managed.
  • Unique identifiers are utilized and are not permitted to be shared or re-assigned to another person. Where possible, third-party services leverage single sign-on (SSO) functionality which allows for centralized management and enforces two-factor authentication (2FA).
  • MOTION personnel utilize a password management system that enforces minimum password length and complexity, and stores passwords in encrypted form.
  • MOTION applications enforce minimum password length and complexity for Customer users. Customers who interact with the applications must authenticate before accessing non-public Customer Data.
  • Workstations automatically lock after a prolonged period of inactivity. MOTION applications log out users after a prolonged period of inactivity.
  • Firewalls with strict traffic rules are used to limit unwanted ingress and egress traffic to and from MOTION infrastructure. These firewalls include intrusion detection systems (IDS) used to detect and prevent potential unauthorized access.
  • MOTION applications are protected by a web application firewall (WAF) to identify and prevent attacks.
  • Network access is protected by a virtual private network (VPN) and two-factor authentication (2FA).
  • Security patch management and routine vulnerability scanning occurs on all workstations and servers to provide regular deployment of relevant security updates and an expedited response to the disclosure of critical vulnerabilities.
  • Up-to-date antivirus software is utilized to ensure workstations and servers are protected against known viruses.
  • Code stored in MOTION source code repositories is checked for vulnerabilities with an industry recognized static code analysis provider.
  • MOTION engages an industry recognized penetration testing provider for annual penetration tests of the application and infrastructure layers.

Data Access Control

To ensure authorized users entitled to use data processing systems have access only to the data to which they have a right of access, and that personal data cannot be read, copied, modified or removed without authorization in the course of processing, use, and storage:

  • Customer environments are logically separated at all times. Customers have access only to their own data.
  • Customers access their data via self-service application interfaces. Customers are not allowed direct access to the underlying application infrastructure. The user permissions model is designed to ensure that only the appropriately assigned individuals can access relevant features and data.
  • MOTION personnel require access to Customer Data in order to deliver services, provide effective customer support, product development and research, and to troubleshoot potential problems. Personnel are granted data access on a need-to-know basis based on job role, and reviews of permissions are performed quarterly.

Transmission Control

To ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport:

  • Customer Data is encrypted in transit to and from MOTION systems over public networks. TLS 1.2 with industry standard cipher suites is used to protect against current and future encryption attacks.
  • Customer Data stored in MOTION systems is encrypted at rest using AES-256 encryption.
  • Backups of Customer Data are encrypted in transit and at rest using AES-256 encryption.
  • MOTION is alerted to encryption issues through periodic internal risk assessments, third-party SSL strength tests, and third-party penetration tests.

Input Control

To ensure that it is possible to check and establish whether and by whom personal data have been entered, modified or removed from data processing systems:

  • MOTION infrastructure is designed to log extensive information about the system behaviour, traffic received, system authentication, and other technical events. A log aggregation system centrally stores and indexes system log events and alerts appropriate personnel of malicious, unintended, or anomalous activities.
  • MOTION applications log detailed events including the entering, updating and deletion of Customer Data. Such events include the unique usernames and timestamps to investigate nonconformities or security events.

Availability Control

To ensure personal data is protected from accidental or unauthorized destruction or loss:

  • Data centres are equipped with at least N+1 redundancy for power, networking, and cooling infrastructure.
  • Network protections have been deployed to mitigate the impact of distributed denial of service (DDoS) attacks.
  • MOTION infrastructure is designed to have redundancy and avoid single points of failure.
  • All data is backed up every 15 minutes, and point-in-time recovery is available.
  • Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer Data is backed up offsite and replicated across multiple geographic regions.
  • MOTION maintains and regularly tests a disaster recovery plan to help ensure availability of information following interruption to, or failure of, critical infrastructure.

SecurityCertifications

MOTION holds the following security-related certifications from independent third-party auditors:

  • (COMING SOON) SOC 2 Type 1 report
  • (COMING SOON) PCI-DSS compliance

ANNEX 3

AUTHORIZED SUB-PROCESSORS AS OF THE DPA EFFECTIVE DATE

 

Company

Data Location

Description of Activities

Safeguards for Transfers

Amazon Web Services Canada, Inc.
120 Bremner Blvd, 26th Floor
Toronto, ON M5J 0A8
Canada

Canada

Cloud Storage

& Cloud Compute

SOC 2 Type II
ISO 27001
DPA
SCCs

AWS Cloud Computing Compliance Controls Catalog (C5) attestation, adherence  to Cloud Infrastructure Services Providers in Europe (CISPE) incl. GDPR

Twilio Inc.
101 Spear Street, 5th Floor
San Francisco, California, 94105
USA

USA

Email Processing

SOC 2 Type II
DPA includes

Swiss Federal Act on Data Protection

GDPR
SCCs

Telnyx LLC

205 N Michigan Ave #810

Chicago, IL 60601, USA

USA

Telecom Services

SOC 2 Type II
ISO 27001
DPA EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) ,UK Extension to the EU-U.S. DPF (“UK Extension”), Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”)

GDPR

Pubnub

95 Third Street 2nd Floor
San Francisco, CA 94103

USA

Telecom – Chat

SOC 2 Type II
ISO 27001
DPA

GDPR

8×8

675 Creekside Way

Campbell, CA 95008

USA

Telecom

SOC 2 Type II
ISO 27001

FISMA/NIST SP 800-53 R5
DPA

GDPR