Data Processing Addendum
Last update on 10th, October, 2023
For a signed version of this addendum please visit security.meetgeek.ai
MeetGeek Data Processing Addendum
This Data Processing Addendum (“DPA”) governs MeetGeek’s processing of Customer Data provided by Customer to MeetGeek through MeetGeek’s API or any MeetGeek services for businesses (“Services”) under the terms of the MeetGeek Terms of Use, Enterprise Agreement, or other agreement between Customer and MeetGeek governing Customer’s use of the Services (the “Agreement”) and is hereby incorporated into the Agreement. If and to the extent language in this DPA conflicts with the Agreement, the conflicting terms in this DPA shall control. Capitalized terms not defined in this DPA have the meaning set forth in the Agreement. For purposes of this DPA only, “Customer” includes any affiliate entity of Customer’s that (a) has entered into an Order Form with MeetGeek and that (b) directly or indirectly, through one or more intermediaries controls, is controlled by, or is under common control with Customer.
MeetGeek and Customer each agree to comply with their respective obligations under applicable data privacy and data protection laws (collectively, “Data Protection Laws”) in connection with the Services. Data Protection Laws may include, depending on the circumstances, Cal. Civ. Code §§ 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 (the California Consumer Privacy Act) (“CCPA”), Colo. Rev. Stat. §§ 6-1-1301 et seq. (the Colorado Privacy Act) (“CPA”), Connecticut’s Data Privacy Act (“CTDPA”), Utah Code Ann. §§ 13-61-101 et seq. (the Utah Consumer Privacy Act) (“UCPA”), VA Code Ann. §§ 59.1-575 et seq. (the Virginia Consumer Data Protection Act) (“VCDPA”) (collectively “U.S. Privacy Laws”), and the European Union General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), and applicable subordinate legislation and regulations implementing those laws.
In connection with the Agreement, Customer is the person that determines the purposes and means for which Customer Data (as defined below) is processed (a “Data Controller”), whereas MeetGeek processes Customer Data in accordance with the Data Controller’s instructions and on behalf of the Data Controller (as a “Data Processor”). “Data Controller” and “Data Processor” also mean the equivalent concepts under Data Protection Laws. For purposes of the Agreement and this DPA, (i) “Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable Data Protection Laws; and (ii)“Customer Data” means Personal Data that Customer provides to MeetGeek that MeetGeek processes on behalf of Customer to provide the Services. MeetGeek will process Customer Data as Customer’s Data Processor to provide or maintain the Services and for the purposes set forth in this DPA, the Agreement and/or in any other applicable agreements between Customer and MeetGeek.
1. Processing Requirements. As a Data Processor, MeetGeek agrees to:
a. process Customer Data only (i) on Customer’s behalf for the purpose of providing and supporting MeetGeek’s Services (including to provide insights, reporting, analytics and platform abuse, trust and safety monitoring);; (ii) in compliance with the written instructions received from Customer; and (iii) in a manner that provides no less than the level of privacy protection required by Data Protection Laws;
b. promptly inform Customer in writing if MeetGeek cannot comply with the requirements of this DPA;
c. not provide Customer with remuneration in exchange for Customer Data from Customer. The parties acknowledge and agree that Customer has not “sold” (as such term is defined by the CCPA) Customer
Data to MeetGeek;
d. not “sell” (as such term is defined by U.S. Privacy Laws) or “share” (as such term is defined by the CCPA)
Personal Data;
e. inform Customer promptly if, in MeetGeek’s opinion, an instruction from Customer violates applicable
Data Protection Laws;
f. require (i) persons employed by it and (ii) other persons engaged to perform on MeetGeek’s behalf to be subject to a duty of confidentiality with respect to the Customer Data and to comply with the data protection obligations applicable to MeetGeek under the Agreement and this DPA;
g. engage the organizations or persons listed at https://meetgeek.ai/subprocessors to process Customer Data (each a “Subprocessor,” and the list at the foregoing URL, the “Subprocessor List”) to help MeetGeek satisfy its obligations in accordance with this DPA or to delegate all or part of the processing activities to such Subprocessors. Customer hereby consents to the use of such Subprocessors. If Customer subscribes to email notifications as provided on the Subprocessor List website, then MeetGeek will notify Customer of any changes MeetGeek intends to make to the Subprocessor List at least 15 days before the changes take effect (which may be via email, a posting, or notification on an online portal for our services or other reasonable means). In the event that Customer does not wish to consent to the use of such additional Subprocessor, Customer may notify MeetGeek that Customer does not consent within fifteen (15) days on reasonable grounds relating to the protection of Customer Data by following the instructions set forth in the Subprocessor List or contacting [email protected]. In such case, MeetGeek shall have the right to cure the objection through one of the following options: (i) MeetGeek will cancel its plans to use the Subprocessor with regards to processing Customer Data or will offer an alternative to provide its Services or services without such Subprocessor; (ii) MeetGeek will take the corrective steps requested by Customer in Customer objection notice and proceed to use the Subprocessor; (iii) MeetGeek may cease to provide, or Customer may agree not to use whether temporarily or permanently, the particular aspect or feature of the MeetGeek Services or services that would involve the use of such Subprocessor; or (iv) Customer may cease providing Customer Data to MeetGeek for processing involving such Subprocessor. If none of the above options are commercially feasible, in MeetGeek’s reasonable judgment, and the objection(s) have not been resolved to the satisfaction of the parties within thirty (30) days of MeetGeek’s receipt of Customer’s objection notice, then either party may terminate any subscriptions, order forms or usage regarding the Services that cannot be provided without the use of the new Subprocessor for cause and in such case, Customer will be refunded any pre-paid fees for the applicable subscriptions, order forms or usage to the extent they cover periods or terms following the date of such termination. Such termination right is Customer’s sole and exclusive remedy if Customer objects to any new Subprocessor. MeetGeek shall enter into contractual arrangements with each Subprocessor binding them to provide a comparable level of data protection and information security to that provided for herein.
h. upon reasonable request no more than once per year, provide Customer with MeetGeek’s privacy and security policies and other such information necessary to demonstrate compliance with the obligations set forth in this DPA and applicable Data Protection Laws;
i. where required by law and upon reasonable notice and appropriate confidentiality agreements, cooperate with assessments, audits, or other steps performed by or on behalf of Customer at Customer’s sole expense and in a manner that is minimally disruptive to MeetGeek’s business that are necessary to confirm that MeetGeek is processing Customer Data in a manner consistent with this DPA. Where permitted by law, MeetGeek may instead make available to customer a summary of the results of a third-party audit or certification reports relevant to MeetGeek’s compliance with this DPA. Such results, and/or the results of any such assessments, audits, or other steps shall be the Confidential Information of MeetGeek;
j. to the extent that Customer permits or instructs MeetGeek to process Customer Data subject to U.S. Privacy Laws in a deidentified, anonymized, and/or aggregated form as part of the Services, MeetGeek, MeetGeek shall (i) adopt reasonable measures to prevent such deidentified data from being used to infer information about, or otherwise being linked to, a particular natural person or household; (ii) not attempt to reidentify the information, except that MeetGeek may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes comply with Data
Protection Laws or are functioning as intended; and (iii) before sharing deidentified data with any other party, including Subprocessors, contractually obligate any such recipients to comply with the requirements of this provision;
k. where the Customer Data is subject to the CCPA, not (i) retain, use, disclose, or otherwise process
Customer Data except as necessary for the business purposes specified in the Agreement or this DPA; (ii) retain, use, disclose, or otherwise process Customer Data in any manner outside of the direct business relationship between MeetGeek and Customer; or (iii) combine any Customer Data with Personal Data that MeetGeek receives from or on behalf of any other third party or collects from MeetGeek’s own interactions with individuals, provided that MeetGeek may so combine Customer Data for a purpose permitted under the CCPA if directed to do so by Customer or as otherwise permitted by the CCPA;
l. where required by law, grant Customer the rights to (i) take reasonable and appropriate steps to ensure that MeetGeek uses Customer Data in a manner consistent with Data Protection Laws by exercising the audit provisions set forth in this DPA above; and (ii) stop and remediate unauthorized use of Customer Data, for example by requesting that MeetGeek provide written confirmation that applicable Customer Data has been deleted.
2. Notice to Customer. MeetGeek will inform Customer if MeetGeek becomes aware of:
a. any legally binding request for disclosure of Customer Data by a law enforcement authority, unless MeetGeek is otherwise forbidden by law to inform Customer, for example to preserve the confidentiality of an investigation by law enforcement authorities;
b. any notice, inquiry or investigation by an independent public authority established by a member state pursuant to Article 51 of the GDPR (a “Supervisory Authority”) with respect to Customer Data; or
c. any complaint or request (in particular, requests for access to, rectification or blocking of Customer Data) received directly from Customer’s data subjects. MeetGeek will not respond to any such request without Customer’s prior written authorization.
3. Assistance to Customer. MeetGeek will provide reasonable assistance to Customer regarding:
a. information necessary, taking into account the nature of the processing, to respond to requests received pursuant to Data Protection Laws from Customer’s data subjects in respect of access to or the rectification, erasure, restriction, portability, objection, blocking or deletion of Customer Data that
MeetGeek processes for Customer. In the event that a data subject sends such a request directly to
MeetGeek, MeetGeek will promptly send such request to Customer;
b. the investigation of any breach of MeetGeek’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Customer Data processed by
MeetGeek for Customer (a “Personal Data Breach”); and
c. where appropriate, the preparation of data protection impact assessments with respect to the processing of Customer Data by MeetGeek and, where necessary, carrying out consultations with any supervisory authority with jurisdiction over such processing.
4. Required Processing. If MeetGeek is required by Data Protection Laws to process any Customer Data for a reason other than in connection with the Agreement, MeetGeek will inform Customer of this requirement in advance of any such processing, unless legally prohibited.
5. Security. MeetGeek will:
a. maintain reasonable and appropriate organizational and technical security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, and encryption) to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of
Customer Data and to protect the rights of the subjects of that Customer Data;
b. take appropriate steps to confirm that MeetGeek personnel are protecting the security, privacy and confidentiality of Customer Data consistent with the requirements of this DPA; and
c. notify Customer of any Personal Data Breach by MeetGeek, its Subprocessors, or any other third parties acting on MeetGeek’s behalf without undue delay after MeetGeek becomes aware of such Personal Data Breach.
6. Obligations of Customer.
a. Customer represents, warrants and covenants that it has and shall maintain throughout the term all necessary rights, consents and authorizations to provide the Customer Data to MeetGeek and to authorize MeetGeek to use, disclose, retain and otherwise process Customer Data as contemplated by this DPA, the Agreement and/or other processing instructions provided to MeetGeek.
b. Customer shall comply with all applicable Data Protection Laws.
c. Customer shall reasonably cooperate with MeetGeek to assist MeetGeek in performing any of its obligations with regard to any requests from Customer’s data subjects.
d. Without prejudice to MeetGeek’s security obligations in Section 5 of this DPA, Customer acknowledges and agrees that it, rather than MeetGeek, is responsible for certain configurations and design decisions for the services and that Customer, and not MeetGeek, is responsible for implementing those configurations and design decisions in a secure manner that complies with applicable Data Protection Laws.
e. Customer shall not provide Customer Data to MeetGeek except through agreed mechanisms. For example, Customer shall not include Customer Data other than technical contact information, or in technical support tickets, transmit user Customer Data to MeetGeek by email. Without limitation to the foregoing, Customer represents, warrants and covenants that it shall only transfer Customer Data to MeetGeek using secure, reasonable and appropriate mechanisms, to the extent such mechanisms are within Customer’s control.
f. Customer shall not take any action that would (i) render the provision of Customer Data to MeetGeek a
“sale” under U.S. Privacy Laws or a “share” under the CCPA (or equivalent concepts under U.S. Privacy Laws); or (ii) render MeetGeek not a “service provider” under the CCPA or “processor” under U.S. Privacy Laws.
7. Standard Contractual Clauses.
a. MeetGeek will process Customer Data that originates in the European Economic Area in accordance with the standard contractual clauses adopted by the EU Commission on June 4, 2021 (“EU SCCs”) which are deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
i. Module Two (Controller to Processor) of the EU SCCs apply when Customer is a controller and MeetGeek is processing Customer Data as a processor.
ii. Module Three (Processor to Sub-Processor) of the EU SCCs apply when Customer is a processor and MeetGeek is processing Customer Data as a sub-processor.
b. For each module of the EU SCCs, where applicable, the following applies:
i. The optional docking clause in Clause 7 does not apply;
ii. In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of sub-processor changes shall be as set forth in Section 1(g) of this DPA.
iii. In Clause 11, the optional language does not apply; iv. All square brackets in Clause 13 are hereby removed;
v. In Clause 17 (Option 1), the EU SCCs will be governed by the EU member state where the data exporter is located;
vi. In Clause 18(b), disputes will be resolved before the courts of the EU member state where the data exporter is located;
vii. Exhibit A to this DPA contains the information required in Annex I and Annex III of the EU
SCCs; viii. Exhibit B to this DPA contains the information required in Annex II of the EU SCCs; and
c. Customer Data originating from Switzerland shall be processed in accordance with the EU SCCs with the following amendments:
i. “FDPIC” means the Swiss Federal Data Protection and Information Commissioner.
ii. “Revised FADP” means the revised version of the FADP of 25 September 2020, which is scheduled to come into force on 1 January 2023.
iii. The term “EU Member State” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility for suing their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c).
iv. The EU SCCs also protect the data of legal entities until the entry into force of the Revised FADP.
v. The FDPIC shall act as the “competent supervisory authority” insofar as the relevant data transfer is governed by the FADP
d. With respect to Customer Data originating from the United Kingdom, the parties will comply with the terms of Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses (the “UK Addendum”). The parties also agree (i) that the information included in Part 1 of the UK Addendum is as set out in Annex I of Appendix A to this
DPA and (ii) that either party may end the UK Addendum as set out in Section 19 of the UK Addendum.
8. Term; Data Return and Deletion. This DPA shall remain in effect as long as MeetGeek carries out Customer Data processing operations on Customer’s behalf or until the termination of the Agreement (and all
Customer Data has been returned or deleted in accordance with this DPA). MeetGeek will retain Customer Data sent through the API for a maximum of thirty (30) days, after which it will be deleted, except where MeetGeek is required to retain copies under applicable laws, in which case MeetGeek will isolate and protect that Customer Data from any further processing except to the extent required by applicable laws. On the termination of the DPA, MeetGeek will direct each Subprocessor to delete the Customer Data within thirty (30) days of the DPA’s termination, unless prohibited by law. For clarity, MeetGeek may continue to process information derived from Customer Data that has been deidentified, anonymized, and/or aggregated such that the data is no longer considered Personal Data under applicable Data Protection Laws and in a manner that does not identify individuals or Customer to improve MeetGeek’s systems and services.
Exhibit A
A. LIST OF PARTIES
Data exporter(s): the Services customer identified on the applicable Services registration documents
Data importer(s):
Name: MeetGeek,
Address: Calea Vacaresti 203A, Bucharest, EU
Contact Person’s name, position and contact details:
Dan Huru
Head of Commercial Legal
Activities relevant to the data transferred under these Clauses: The performance of the services described in the agreement to which this is attached.
Signature and date:
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred Users of data exporters applications.
Categories of personal data transferred
Name, contact information, demographic information, or other information provided by the user in unstructured data.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
No sensitive data is intended to be transferred unless the user includes it unexpectedly in unstructured data.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous.
Nature of the processing
The performance of the services described in the agreement to which this appendix is attached.
Purpose(s) of the data transfer and further processing
The performance of the services described in the agreement to which this appendix is attached.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
During the term of the agreement
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The performance of the services described in the agreement to which this appendix is attached.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The data protection authority of the EU Member State in which the exporter is established.
Exhibit B
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
INTRODUCTION
MeetGeek maintains an information security program designed to safeguard its systems, data, and Customer Data. This Addendum describes the information security program and security standards that MeetGeek maintains with respect to the Services and handling of data submitted by or on behalf of Customer the Services (the “Customer Data”). Capitalized terms not defined in this Annex II have the meanings given in the DPA or Agreement.
To learn more about MeetGeek’s technical and organizational security measures to protect Customer Data, see the MeetGeek Security Portal at https://security.meetgeek.ai (the “Security Portal”). The Security Measures below include the subset of the information available in the Security Portal which applies to this DPA.
SECURITY MEASURES
Corporate Identity, Authentication, and Authorization Controls. MeetGeek maintains industry best practices for authenticating and authorizing internal employee and service access, including the following measures:
○ MeetGeek uses single sign-on (SSO) to authenticate to third-party services used in the delivery of the Services. Role Based Access Controls (RBAC) are used when provisioning internal access to the Services;
○ Mandatory multi-factor authentication is used for authenticating to MeetGeek’s identity provider.
○ Unique login identifiers are assigned to each user;
○ Established review and approval processes for any access requests to services storing Customer Data;
○ Periodic access audits designed to ensure access levels are appropriate for the roles each user performs;
○ Established procedures for promptly revoking access rights upon employee separation;
○ Established procedures for reporting and revoking compromised credentials such as passwords and API keys); and
○ Established password reset procedures, including procedures designed to verify the identity of a user prior to a new, replacement, or temporary password.
Customer Identity, Authentication, and Authorization Controls. MeetGeek maintains industry best practices for authenticating and authorizing customers to the Services, including the following measures:
○ Use of a third-party identity access management service to manage Customer identity, meaning MeetGeek does not store user-provided passwords on users’ behalf; and
○ Logically separating Customer Data by organization account using unique identifiers. Within an organization account, unique user accounts are supported.
Cloud Infrastructure and Network Security. MeetGeek maintains industry best practices for securing and operating its cloud infrastructure, including the following measures:
○ Separate production and non-production environments; ○ Primary backend resources are deployed behind a VPN.
○ The Services are routinely audited for security vulnerabilities.
○ Application secrets and service accounts are managed by a secrets management service;
○ Network security policies and firewalls are configured for least-privilege access against a preestablished set of permissible traffic flows. Non-permitted traffic flows are blocked; and ○ Services logs are monitored for security and availability.
System and Workstation Control. MeetGeek maintains industry best practices for securing MeetGeek’s corporate systems, including laptops and on-premises infrastructure, including:
○ Endpoint management of corporate workstations;
○ Endpoint management of mobile devices;
○ Automatic application of security configurations to workstations;
○ Mandatory patch management; and
○ Maintaining appropriate security logs.
Data Access Control. MeetGeek maintains industry best practices for preventing authorized users from accessing data beyond their authorized access rights and for preventing the unauthorized input, reading, copying, removal, modification, or disclosure of data. Such measures include the following:
○ Employee access to the Services follows the principle of least privilege. Only employees whose job function involves supporting the delivery of Services are credentialed to the Services environment; and
○ Customer Data submitted to the Services is only used in accordance with the the terms of the DPA, Agreement, and any other applicable contractual agreements in place with Customer.
Disclosure Control. MeetGeek maintains industry best practices for preventing the unauthorized access, alteration, or removal of data during transfer, and for securing and logging all transfers. Such measures include:
○ Encryption of data at rest in production datastores using strong encryption algorithms;
○ Encryption of data in transit;
○ Audit trail for all data access requests for production datastores;
○ Full-disk encryption required on all corporate workstations;
○ Device management controls required on all corporate workstations; ○ Restrictions on use of portable or removable media; and ○ Customer Data can be deleted upon request.
Availability control. MeetGeek maintains industry best practices for maintaining Services functionality through accidental or malicious intent, including:
○ Ensuring that systems may be restored in the event of an interruption;
○ Ensuring that systems are functioning and faults are reported; and
○ Anti-malware and intrusion detection/prevention solutions implemented comprehensively across our environment
Segregation control. MeetGeek maintains industry best practices for separate processing of data collected for different purposes, including:
○ Logical segregation of Customer Data;
○ Restriction of access to data stored for different purposes according to staff roles and responsibilities;
○ Segregation of business information system functions; and
○ Segregation of testing and production information system environments.
Risk Management. MeetGeek maintains industry best practices for detecting and managing cybersecurity risks, including:
○ Threat modeling to document and triage sources of security risk for prioritization and remediation;
○ Penetration testing is conducted on the Services at least annually, and any remediation items identified are resolved as soon as possible on a timetable commensurate with the associated risk. Upon request, MeetGeek will provide summary details of the tests performed and whether the identified issues have been resolved;
○ Annual engagements of a qualified, independent external auditor to conduct periodic reviews of MeetGeek’s security practices against recognized audit standards, including SOC 2 Type II certification audits. Upon reasonable request, MeetGeek will provide summary details; and
○ A vulnerability management program designed to ensure the prompt remediation of vulnerabilities affecting the Services.
Personnel. MeetGeek maintains industry best practices for vetting, training, and managing personnel with respect to security matters, including:
○ Background checks, where legally permissible, of employees with access to Customer Data or supporting other aspects of the Services;
○ Annual security training for employees, and supplemental security training as appropriate.
Physical Access Control. MeetGeek maintains industry best practices for preventing unauthorized physical access to MeetGeek facilities, including:
○ Physical barrier controls including locked doors and gates;
○ 24-hour on-site security guard staffing;
○ 24-hour video surveillance and alarm systems, including video surveillance of common areas and facility entrance and exit points;
○ Access control systems requiring biometrics or photo-ID badge and PIN for entry to all MeetGeek facilities by MeetGeek personnel;
○ Visitor identification,sign-in and escort protocols; and ○ Logging of facility exits and entries.
Third Party Risk Management. MeetGeek maintains industry best practices for managing third party security risks, including with respect to any subprocessor or subcontractor to whom MeetGeek provides Customer Data, including the following measures:
○ Written contracts designed to ensure that any agent agrees to maintain reasonable and appropriate safeguards to protect Customer Data; and
○ Vendor Security Assessments: All third parties undergo a formal vendor assessment process maintained by MeetGeek’s Security team.
Security Incident Response. MeetGeek maintains a security incident response plan for responding to and resolving events that compromise the confidentiality, availability, or integrity of the Services or Customer Data including the following:
○ MeetGeek aggregates system logs for security and general observability from a range of systems to facilitate detection and response; and
○ If MeetGeek becomes aware that a Personal Data Breach has occurred, MeetGeek will notify Customer in accordance with the DPA.
Security Evaluations. MeetGeek performs regular security and vulnerability testing to assess whether key controls are implemented properly and are effective as measured against industry security standards and its policies and procedures and to ensure continued compliance with obligations imposed by law, regulation, or contract with respect to the security of Customer Data as well as the maintenance and structure of MeetGeek’s information systems.
Get Started with Meetgeek
Turn meetings from a necessary evil into a positive and rewarding experience