Mangomint Data Processing Addendum
This Data Processing Addendum (“Addendum”) supplements and forms part of the Mangomint Terms of Service (the “Agreement”) between Mangomint and Account Owner and governs Mangomint’s Processing of Personal Information, as defined herein, that is included in Account Data.
- Definitions. All capitalized terms not defined in this Addendum shall have the meanings set forth in the Agreement. As used in this Addendum, the following capitalized terms shall have the following meanings:
- “Controller” means an entity that determines the purposes and means of the Processing of Personal Information, and includes the terms “Controller” and “Business” as defined under the Privacy Laws.
- “Deidentified Data” means data that does not identify, and cannot reasonably be used to identify, infer information about, or otherwise be linked to, a Data Subject.
- “Personal Information” means any information that is included in Account Data processed by Mangomint on behalf of Account Owner in connection with the Services and that relates to an identified or identifiable natural person (a “Data Subject”), including such information that constitutes “personal information” or “personal data” under applicable Privacy Laws. Personal Information does not include Deidentified Data.
- “Privacy Laws” means, as applicable: (1) United States federal or state laws or regulations that relate to the privacy, confidentiality, integrity, availability, or security of Personal Information, including without limitation and as appliable the California Consumer Privacy Act as amended by the California Privacy Rights Act, Cal. Civ. Code 1798.100 et seq.; the Virginia Consumer Data Protection Act, Va. Code Ann. §§ 59.1-575 et seq.; the Colorado Privacy Act, Colo. Rev. Stat. §§ 6-1-1301 et seq.; the Connecticut Data Privacy Act, Conn. Gen. Stat. §§ 42-515 et seq.; and the Utah Consumer Privacy Act, Utah Code Ann. §§ 13-61-101 et seq.; and (2) Canada’s Personal Information Protection and Electronic Documents Act, and any Canadian provincial legislation deemed substantially similar thereto.
- “Processing” means any operation or set of operations that are performed on Personal Information or on sets of Personal Information, including collection, use, retention, and disclosure, and “Process,” “Processes,” and “Processed” shall be interpreted accordingly.
- “Processor” means an entity that Processes Personal Information on behalf of a Controller, and includes the term “Processor” and “Service Provider” as defined under the Privacy Laws.
- “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Personal Information Processed by Mangomint or its subcontractors.
- “Services” means the products and services described in the Agreement and any Order Form.
- Roles of the Parties; Processing of Personal Information by Account Owner and Mangomint.
- As between Mangomint and Account Owner, Account Owner is the Controller of Personal Information and Mangomint is the Processor of Personal Information. Mangomint shall process Personal Information as a Processor acting at Account Owner’s direction and in accordance with Account Owner’s instructions as set forth in the Agreement and this Addendum.
- Mangomint may Process Personal Information, and Account Owner hereby instructs Mangomint to Process Personal Information: (1) as necessary to provide the Services; (2) to facilitate Account Owner’s use of Third-Party Services; (3) to otherwise fulfill its obligations under the Agreement and this Addendum; and (4) for internal uses relating to Mangomint’s operation and support of the Services such as billing, account management, technical support, and the improvement and development of the Services.
- The nature and purpose of the Processing is Mangomint’s provision of the Services to facilitate (1) Account Owner’s booking of appointments for, sale of goods and services to, and communication with, its Clients, and (2) Account Owner’s management of its staff, including employees and independent contractors. The types of Personal Information subject to the Processing include: (a) personal and contact information including names, telephone numbers, and email addresses; (b) payment and billing information; and (c) professional and employment information, including work experience, scheduling and timesheet information, and compensation and payroll information. The duration of the Processing is the Term of the Agreement.
- Mangomint shall not: (1) “sell” or “share” Personal Information, as those terms are defined in the Privacy Laws; (2) retain, use, or disclose Personal Information for any purpose other than for the purposes specified in the Agreement and this Addendum, including retaining, using, or disclosing the Personal Information for a commercial purpose other than the purposes specified in the Agreement and this Addendum, or as otherwise permitted by the Privacy Laws; (3) retain, use, or disclose the Personal Information outside of the direct business relationship between Mangomint and Account Owner; or (4) except as permitted by the Privacy Laws, combine Personal Information that Mangomint receives from or on behalf of Account Owner with personal information that Mangomint receives from or on behalf of another person, or collects from its own interaction with an individual.
- Mangomint shall comply with its obligations under the Privacy Laws and provide a level of privacy protection for Personal Information consistent with the Privacy Laws. If Mangomint becomes aware of any unauthorized Processing of Personal Information, or otherwise determines that it is unable to comply with its obligations under this Addendum, Mangomint shall promptly notify Account Owner, and Account Owner shall have the right to take reasonable and appropriate steps to stop and remediate any unauthorized Processing of Personal Information.
- Account Owner agrees that (1) it shall comply with its obligations under the Privacy Laws in respect of its Processing of Personal Information and any Processing instructions it issues to Mangomint, and (2) it has provided any notices, and obtained any consents or rights, that are necessary under the Privacy Laws for Mangomint to Process Personal Information in connection with Mangomint’s performance of the Services. Account Owner represents and warrants that its Processing of Personal Information, including through use of the Services, and its Processing instructions to Mangomint, will at all times fully comply with the Privacy Laws and with any applicable obligations or limitations imposed by third parties and shall not infringe on any of their rights in such Personal Information. Account Owner shall immediately notify Mangomint and cease Processing Personal Information through the Services in the event any required authorization or legal basis for its Processing is revoked or terminates.
- Mangomint may de-identify or aggregate Personal Information to create Deidentified Data as part of performing the Services, in which case Mangomint shall: (a) implement technical safeguards that prohibit re-identification of any Data Subject to whom the information may pertain; (b) implement business processes that specifically prohibit re-identification of the Deidentified Data and prevent the inadvertent release of Deidentified Data; and (c) make no attempt to reidentify the Deidentified Data. Mangomint may otherwise use or disclose Deidentified Data for any lawful purpose.
- Data Security. Mangomint shall implement technical and organizational measures that are reasonably designed to ensure a level of security for Personal Information appropriate to the risk and to protect Personal Information against unauthorized or unlawful destruction, loss, alteration, disclosure or access. Notwithstanding the foregoing, Account Owner agrees that it is responsible for its secure use of the Services and its Account, including securing its access credentials, protecting the security of Personal Information when in transit, and managing its Users’ access privileges.
- Confidentiality of Processing. Mangomint shall ensure that any person who is authorized by Mangomint to Process Personal Information (including its staff, agents, and subcontractors) is subject to an appropriate obligation of confidentiality.
- Security Incident Response. Mangomint shall promptly notify Account Owner after becoming aware of any Security Incident. Mangomint shall make reasonable efforts to identify the cause of the Security Incident and shall undertake such steps as Mangomint deems necessary and reasonable in order to remediate the cause of such Security Incident. Mangomint shall provide information related to the Security Incident to Account Owner and as reasonably necessary for Account Owner to maintain compliance with applicable Privacy Laws.
- Return or Deletion of Personal Information. Upon termination or expiration of the Agreement, Mangomint shall make available to Account Owner all Personal Information remaining in its possession or control for retrieval by Account Owner for a period of at least 30 days, and thereafter shall delete such Personal Information, provided that this deletion requirement shall not apply: (1) to the extent Mangomint is required by applicable law to retain some or all of the Personal Information; (2) if Mangomint is reasonably required to retain some or all of the Personal Information for limited operational and compliance purposes; or (3) to Personal Information Mangomint has archived on back-up systems in accordance with Mangomint’s standard backup and record retention policies. In all such cases, Mangomint shall maintain the Personal Information securely and limit Processing to the purposes that prevent deletion or return of the Personal Information. The terms of this Addendum shall survive for so long as Mangomint continues to retain any Personal Information.
- Subcontracting. Account Owner agrees that Mangomint may engage agents and subcontractors, including its affiliates, to Process Personal Information in connection with the Services, provided that the agent or subcontractor is obligated under a written contract to provide protections for Personal Information that are substantially equivalent to those set forth in this Addendum. Mangomint will remain fully responsible for the performance of the Services in compliance with the Agreement and this Addendum.
- Responses to Individual Requests. Account Owner shall be responsible for responding to and fulfilling individuals’ requests to exercise any rights available to them under the Privacy Laws in relation to Personal Information, including rights to access, amend, or delete their Personal Information. To the extent Account Owner does not have the ability to fulfill those requests through the Services, then at Account Owner’s written request, Mangomint shall reasonably cooperate with Account Owner to facilitate such actions. Mangomint shall, to the extent legally permitted, promptly notify Account Owner if it receives a request from an individual for access to, correction of, amendment of, or deletion of that person’s Personal Information, and except as otherwise required by applicable Privacy Laws will not respond to such requests other than as needed to direct the individual to submit their request directly to Account Owner.
- Data Protection Assessments. Upon Account Owner’s written request, Mangomint shall provide Account Owner with reasonable cooperation and assistance as needed to fulfil Account Owner’s obligation under any Privacy Laws to carry out a data protection assessment or other similar assessment related to Account Owner’s use of the Services, to the extent Account Owner does not otherwise have access to the relevant information and such information is available to Mangomint.
- Information to Demonstrate Compliance. Mangomint shall allow for and contribute to reasonable assessments by Account Owner or Account Owner’s designated auditor of Mangomint’s compliance with this Addendum by providing written responses (on a confidential basis) to all commercially reasonable requests for information made by Account Owner regarding the Processing of Personal Information and Mangomint’s technical and organizational security measures.
- Miscellaneous
- Except for the changes made by this Addendum, the Agreement remains unchanged and in full force and effect. If there is any conflict between this Addendum and the Agreement, this Addendum shall prevail.
- Any claims brought under or in connection with this Addendum, whether in contract, tort, or other theory of liability, are subject to the exclusions and limitations of liability set forth in the Agreement.
- Mangomint may make changes to this Addendum from time to time where (1) such change is required to comply with Privacy Laws, or (2) the change: (a) is commercially reasonable; (b) does not expand the scope of or remove any restrictions on Mangomint’s Processing of Personal Information, as set forth in the Addendum, and (c) does not otherwise have a material adverse impact on Account Owner's rights under the Addendum. If Mangomint makes a change to the Addendum in accordance with this section, Mangomint will post the change at the webpage containing this Addendum.