This Data Processing Agreement (âDPAâ) forms part of the Modash Terms of Service (the âAgreementâ) entered into between Modash OĂ (âModashâ, âProcessorâ) and the customer entity agreeing to the Agreement (âCustomerâ, âControllerâ).
By entering into the Agreement, Customer agrees to this DPA.
This DPA applies only to the extent that Modash processes Personal Data on behalf of Customer as a Processor under applicable Data Protection Laws.
âData Protection Lawsâ means the GDPR, UK GDPR, and any applicable data protection legislation.
âPersonal Dataâ, âControllerâ, âProcessorâ, âData Subjectâ, and âPersonal Data Breachâ have the meanings given in the GDPR.
âSubprocessorâ means any third party engaged by Modash to process Personal Data on behalf of Customer.
Customer acts as Controller.
Modash acts as Processor.
This DPA does not apply to processing activities for which Modash acts as an independent Controller, including but not limited to processing of publicly available creator data as describedin Modashâs Privacy Policy.
Modash shall process Personal Data:
â
â Only on documented instructions from Customer (including as set forth in the Agreement);
â For the purpose of providing the Services;
â In accordance with Data Protection Laws.
Nature and Purpose
âModash provides influencer discovery, campaign management, analytics, outreach, and related services.
âCategories of Data Subjects
âMay include Customer representatives, end users, influencers engaged by Customer, and campaign participants.
âCategories of Personal Data
âMay include names, business contact information, account data, campaign data, communication data, and usage data submitted to or processed through the Services.
Modash does not intentionally process special category personal data on behalf of Customer.
Customer agrees not to upload or submit special category data unless explicitly agreed inwriting.
Modash implements appropriate technical and organizational measures designed to ensure alevel of security appropriate to the risk, including:
â Encryption of Personal Data in transit and at rest;
â Access controls based on least privilege principles;
â Strong authentication and identity management controls;
â Secure software development lifecycle practices;
â Regular vulnerability scanning and security testing;
â Backup and disaster recovery procedures;
â Incident response procedures with designated security personnel;
â Ongoing monitoring of system confidentiality, integrity, and availability.
Modash reviews and updates its security measures periodically.
Customer authorizes Modash to engage Subprocessors listed at:
modash.io/legal/subprocessors
âModash shall:
â
â Enter into written agreements with Subprocessors imposing data protection obligations no less protective than those in this DPA;
â Remain responsible for the performance of its Subprocessors;
â Update the Subprocessor list from time to time.
Modash will provide reasonable notice of material changes to Subprocessors via updates to theSubprocessor webpage. Customers may object to a new Subprocessor on reasonable dataprotection grounds.
Customer authorizes Modash to transfer Personal Data to Subprocessors located outside the EEA/UK, provided that appropriate safeguards are implemented in accordance with Article 46 GDPR.
Where required, Modash relies on:
â
â The European Commissionâs Standard Contractual Clauses (2021/914/EU);
â The UK International Data Transfer Addendum or other approved safeguards;
â Supplementary technical and organizational measures where appropriate.
Taking into account the nature of processing, Modash shall provide reasonable assistance to Customer to enable compliance with Data Protection Laws, including:
â Assistance with responding to Data Subject rights requests;
â Providing information necessary to conduct Data Protection Impact Assessments where required;
â Assistance with supervisory authority consultations where applicable.
Modash shall notify Customer without undue delay and, where feasible, no later than 48 hoursafter becoming aware of a Personal Data Breach affecting Customer Personal Data.
Notification shall include, to the extent available:
â
â A description of the nature of the breach;
â Categories and approximate number of affected Data Subjects and records;
â Likely consequences;
â Measures taken or proposed to address the breach.
Upon reasonable request, Modash shall make available information necessary to demonstrate compliance with this DPA.
Where available, Modash may satisfy audit obligations by providing:
â
â Relevant third-party audit reports (e.g., SOC 2);
â Security certifications;
â Security documentation.
On-site audits shall be permitted only where required by applicable Data Protection Laws andsubject to reasonable confidentiality and security safeguards.
Upon termination of the Services, Customer may request export of Personal Data within thirty (30) days.
After such a period, Modash shall delete Personal Data unless retention is required by law.
Liability arising out of or in connection with this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement.
This DPA shall be governed by the governing law specified in the Agreement.
