DATA PROCESSING AGREEMENT

This Data Processing Policy forms part of, and is subject to the provisions of, Melingo Privacy Policy.

  1. Definitions
    • In this DPA, unless the context otherwise requires or it is expressly stated otherwise: singular terms include the plural and vice versa; the use of any gender shall be applicable to all genders; the words “include” and “including” will not be construed as terms of limitation; the words “day”, “month” and “year” mean respectively, calendar day, calendar month and calendar year. Any use of a defined verb includes other tenses. References to any legislation or regulations include references to any amendments or re-enactments thereof from time to time.
    • When used in this DPA, the capitalized terms below have the following meanings:

“Business Contact Data” means Personal Data which may be included in a Party’s contact data Processed by the other Party for the purpose of facilitating the Services and maintaining the business relationship, excluding Customer Personal Data.

“Chat Visitor” means your end-customer or visitor to your website (or any other communication channel) who begins an interaction and thereby prompts use of our Services.

“Customer Data Subject” means a Customer End User whose related End User Data will be Processed by Melingo hereunder, as provided in Exhibit A.

“Customer End User” means a natural person given permission to use Melingo Services in accordance with the Services Agreement.

“Customer Personal Data” means any End User Data that Melingo Processes on behalf of Customer via the Services, as more particularly described in this DPA.

“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to Customer Personal Data.

“Data Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

“Data Processor” means the natural or legal person, public authority or other body that processes Personal Data on behalf of the Data Controller.

“Data Protection Laws” mean all applicable laws and regulations relating to the processing of Personal Data that may exist in the relevant jurisdictions, including, where applicable, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation, “GDPR”); the California Consumer Privacy Act (the “CCPA”); and any other privacy law or regulation applicable to the Processing of Customer Personal Data under the Services Agreement.

“Data Subject Request(s)” means Data Subjects’ rights as set out in applicable Data Protection Law.

“End User Data” means any Personal Data related to the Customer End Users, collected by Melingo through the Customer’s use of the Services.

“Personal Data” means any information relating to an identified or identifiable natural person, as applicable under Data Protection Laws.

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Sensitive Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

“Services” means Melingo’s services to be provided to Customer in accordance with the Services Agreement.

“Services Agreement” means the Services Agreement made and entered into between Melingo and the Customer, including all the exhibits attached hereto, including Melingo’s Terms of Use and Privacy Policy, as updated from time to time with their last version to be found on Melingo’s website at www.melingo.com, and any other written or electronic agreement, which govern the provision of the Services to Customer.

“Standard Contractual Clauses” or “SCC”, refers to the written commitments between parties that can be used as a ground for data transfers from the European Economic Area (“EEA”) to third countries by providing appropriate data protection safeguards as set out in Article 46 of the GDPR. SCC which have been approved by the European Commission and cannot be modified by the parties using them can be found here, or any formal updated version adopted by the European Commission.

“Supervisory Authority” shall have the meaning set forth in the GDPR.

    • Capitalized terms that are not defined have the meanings assigned to them in the Services Agreement or Applicable Law (as defined in the Services Agreement).
  2. Purpose of Processing
    • The nature, purpose, and duration of the Processing of Customer Personal Data, the types of Customer Personal Data collected and categories of Customer Data Subjects, are described in Exhibit A.
    • In connection with Business Contact Data, each Party is an independent Data Controller.
    • Subject to the terms of the Services Agreement, Customer is the Data Controller of Customer Personal Data or has been instructed by and obtained all formal authorizations of the relevant Data Controller to enter into this DPA on behalf of such Data Controller.
    • Customer, as the Data Controller, hereby appoints Melingo as the Data Processor in respect of all Processing operations required to be carried out by Melingo on Customer Personal Data to provide the Services in accordance with the terms of the Services Agreement. Customer also acknowledges that in most cases, the Processing of Customer Personal Data conducted during the provision of the Services will be done in accordance with Customer’s configurations and registration processes, which Melingo does not monitor.
    • Customer hereby instructs Melingo to Process Customer Personal Data for the following purposes: (a) to provide its Services in accordance with the Services Agreement; (b) to comply with any legal requirements under applicable laws, competent authorities’ requirements, etc.; and (c) for analytical purposes and product and services improvement.
    • Melingo may, from time to time, be required to perform additional Processing activities not expressly set forth in the Services Agreement. In such cases, the Customer will provide written instructions to Melingo detailing the additional Processing activities.
  3. Rights and Obligations of the Customer
    • Customer retains control of the Personal Data and is and remains responsible for obtaining all the necessary authorizations, consents, and approvals to enter, use, provide, store, disclose to Melingo for the purpose of Processing subject to this DPA, and otherwise Process Customer Personal Data within the Services. All said authorizations shall be in accordance and subject to, but not limited to, Melingo’s Terms of Use and Privacy Policy.
    • Customer shall be responsible for compliance with its obligations under the applicable statutory requirements on data protection according to Data Protection Laws, including, but not limited to, the lawful disclosure and transfer of Personal Data to Melingo. In that regard, You may be required to inform Chat Visitor(s) about the processing taking place. You will make sure you prepare any required privacy notices, collect and manage consents or any other regulatory or other obligations imposed in that regard.
    • Customer shall not include any Personal Data of minors under the age of 16. 
    • Customer has the obligation to provide accurate and up-to-date Customer Personal Data to Melingo for the purposes of Processing.
    • Customer shall refrain from providing or otherwise making available any Sensitive Data to Melingo, and Melingo shall bear no liability for Sensitive Data, either for Processing, adequate security measures, Data Breach, or any other obligation which exists or may arise with relation to Sensitive Data.
    • Customer will not configure the Services in a way that requires Melingo to Process Customer Personal Data in ways that do not comply with Data Protection Laws.
    • Customer hereby represents and warrants that, on an ongoing basis, it holds written documented legal basis for the Processing of Personal Data by Melingo in relation to this DPA and the Services Agreement.
    • Customer shall notify Melingo without undue delay, and comprehensively, of any defect or irregularity or incompetence regarding data protection detected by it, with relation to the Services Agreement or Melingo’s Processing therein.
  4. Rights and Obligations of Melingo
    • Melingo will only Process Customer Personal Data (a) as needed to provide the Services, (b) in accordance with the written instructions of the Customer, as set forth in this DPA and the Services Agreement, and (c) as needed to comply with Applicable Law.
    • Melingo will maintain the confidentiality of Customer Personal Data and will not disclose Customer Personal Data to any third party without the prior written consent of the Customer. Notwithstanding the above, Melingo may be required to share Customer Personal Data with competent authorities upon demand; in such case and where possible, Melingo shall reasonably notify Customer prior to any disclosure of Customer Personal Data.
    • Melingo will reasonably assist the Customer (at Customer’s sole cost and expense) in responding to any Data Subject Requests, including, where applicable, requests for access, rectification, objection, or erasure of Customer Personal Data.
    • Melingo shall notify the Customer as soon as reasonably possible after receiving any request by a Customer Data Subject, or any other request regarding the Customer’s obligations under Data Protection Laws. Melingo will provide reasonable cooperation and assistance to the Customer (at Customer’s sole cost and expense) to ensure an appropriate and lawful response to any request, complaint, or data protection related communication from a Customer Data Subject.
    • Upon reasonable request, Melingo shall make available to Customer information necessary to demonstrate compliance with the obligations of this DPA and allow for and contribute to audit by Customer, as mandated by a competent Supervisory Authority or reasonably requested no more than once a year by Customer and performed by an independent auditor, as agreed upon by the Parties in writing. The foregoing shall only extend to those documents and facilities relevant and material to the Processing of Customer Personal Data and shall be conducted during normal business hours and in a manner that causes minimal disruption to Melingo.
  5. Security Measures
    • Melingo shall implement reasonable and appropriate technical and organizational measures to protect Customer Personal Data against unauthorized access, disclosure, alteration, or destruction, considering the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
    • Melingo will ensure that all of Melingo’s personnel who have access to Customer Personal Data are trained and made aware of their obligations under this DPA and applicable Data Protection Laws.
    • Melingo shall implement reasonable and appropriate measures to ensure the secure disposal of Customer Personal Data when it is no longer needed for the purposes set forth in this DPA.
    • Customer is responsible for its secure use of the Services, including creating and properly securing its account authentication credentials, and implementing access controls on Customer’s end.
    • Customer acknowledges that the security measures are subject to changes, which may reflect technological developments and industry practices. Melingo shall ensure that such changes do not result in overall objective degradation to the security level of Customer Personal Data.
  6. Data Breaches
    • In the event of a Data Breach, Melingo shall (a) notify the Customer of the Data Breach; (b) provide the Customer with relevant information reasonably requested in relation to the Data Breach; and (c) take reasonable steps to mitigate the effects and to minimize any damage to Customer Personal Data resulting from the Data Breach.
    • In the event of a Data Breach, Melingo shall provide the Customer with reasonable further assistance in responding to the Data Breach, including meeting any notification requirements, to a competent Supervisory Authority or to Data Subjects.

For that purpose, Melingo shall provide the Customer with the following information, as reasonably possible: (a) description of the nature of the Data Breach including the categories and approximate number of Customer Data Subjects concerned; (b) the likely consequences of the Data Breach; and (c) description of the measures taken or to be taken by Melingo to address the Data Breach.

Melingo will bear reasonable expenses incurred as a result of the performance of its obligations under this Section 6.2, provided, however, that if the Data Breach was caused as a result of Melingo’s adherence to Customer’s specific instructions, and/or as a result of Customer’s negligence and/or breach of this DPA, then, without prejudice to Melingo’s other rights and remedies hereunder and/or under Applicable Law, the Customer will bear and pay and/or reimburse Melingo for all expenses associated therewith.

  7. Sub-Processors
    • Melingo may engage sub-processors in the processing of Customer Personal Data, as presented in the sub-processors list provided within Exhibit A. Upon engagement with any new sub-processors, Melingo shall inform the Customer regarding the details of such sub-processor, including the essence and purpose of the engagement. If Customer wishes to object to said new sub-processor, it shall notify Melingo, in writing, detailing the reasons for such objection, and the Parties shall discuss in good faith a way to resolve such reasons. If such resolution is not achieved, the Customer shall have the right to terminate the Services Agreement, according to the termination terms within.
    • Melingo shall reasonably ensure that such sub-processors are committed to similar data protection obligations as set forth in this DPA. Where the use of such sub-processors involves the transfer of Customer Personal Data to a third country, it shall comply with the obligations set forth in Section 8 below.
  8. International Data Transfers
    • Melingo may transfer and Process Customer Personal Data outside of the country it originated from, inter alia to and in the United States and anywhere else in the world where Melingo or its sub-processors maintain Processing operations.
    • The Customer hereby authorizes the transfer of Customer Personal Data to Melingo and Melingo’s sub-processors which are located outside the EEA, subject to the provisions of Sections 8.3 and 8.4 below.
    • Where Melingo transfers Customer Personal Data which originated from the EEA to another country, it shall ensure that such transfers are made in accordance with the requirements of applicable Data Protection Laws, and Company hereby consents to such transfer.
    • Where Melingo is a recipient of Customer Personal Data originating from the EEA, and is in a country that is not recognized as providing an adequate level of protection for Personal Data, as described in the GDPR, the Parties shall abide by the Standard Contractual Clauses as follows:
      • Melingo is the “data importer” and Customer is the “data exporter”.
      • To the extent that Customer is acting as a Data Controller of Customer Personal Data and Melingo is acting as a Data Processor of Customer Personal Data, Module Two of the Standard Contractual Clauses shall apply.

To the extent that Customer is acting as a Data Processor of Customer Personal Data and Melingo is acting as a Data Processor of Customer Personal Data, Module Three of the Standard Contractual Clauses shall apply.

Each Party’s signature to this DPA will be considered a signature to the Standard Contractual Clauses (including its annexes).

    • The Customer hereby acknowledges and agrees that in such cases, the Standard Contractual Clauses will automatically apply to the Processing of Personal Data by Melingo outside of the EEA.
  9. Duration and Termination
    • This DPA shall come into effect on the effective date of the Services Agreement, and shall remain in full force and effect until the expiration or termination for any reason of the Services Agreement, except where the DPA stipulates obligations that come or continue in force after expiration or termination of the Services Agreement in order to protect Customer Personal Data.
    • Upon termination of this DPA, Melingo will return to Customer or destroy all Customer Personal Data in its possession or control, except as required by law.
  10. Limitation of Liability
    • Each Party’s and all its affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA (including the Standard Contractual Clauses) will be subject to the exclusions and limitations of liability set forth in the Services Agreement, to the extent permitted by applicable Data Protection Laws.
    • Any claims made against Melingo, under or in connection with this DPA (including, where applicable, the Standard Contractual Clauses) will be brought solely by the Customer entity that is a Party to the Services Agreement.
  11. Notices

Any notice or other communication to be provided by Melingo or the Customer to the other under this DPA, shall be provided in accordance with the notices provision of the Services Agreement.

  12. Governing Law and Jurisdiction
    • This DPA will be governed by and construed in accordance with the laws of the United States and the State of Delaware, without regard to conflict of law principles.
    • Any dispute arising out of or relating to this DPA (including, but not limited to, the validity, enforceability, interpretation, performance, breach, or termination thereof) shall be referred to the competent courts in the State of Delaware, which shall have exclusive jurisdiction with respect to any such disputes. Both Parties hereby submit to the exclusive jurisdiction of the aforementioned courts.
  13. Miscellaneous
    • Priority. In the event of any inconsistency or contradiction between the provisions of this DPA and the provisions of the Services Agreement, the provisions of this DPA will prevail with respect to the subject matter of such inconsistency or contradiction.

In the event of any inconsistency or contradiction between the provisions of this DPA and the provisions of any SCC executed by the Parties, the provisions of the executed SCC will prevail with respect to the subject matter of such inconsistency or contradiction.

    • Preamble and Headings. The preamble to this DPA forms an integral part thereof. The headings of the Sections in this DPA are for reference only and shall not be considered in the interpretation hereof. All references in this DPA to Sections and Exhibits shall, unless otherwise provided, refer to Sections and Exhibits attached hereto.
    • Entire Agreement. This DPA, together with the Services Agreement and any Exhibits (as defined below) attached hereto, contains the complete agreement between the Parties with respect to the subject matter hereof. This DPA supersedes any prior understandings, agreements or representations by or among the Parties which relate to the subject matter of this DPA. The exhibits attached to this DPA form an integral part hereof and are expressly incorporated herein by this reference.
    • Severability. In the event that any provision of this DPA is held to be invalid or unenforceable by a court of competent jurisdiction, that provision shall be construed, limited, modified or deleted, to the extent necessary to eliminate any invalidity or unenforceability, and the remaining provisions of this DPA shall remain in full force and effect.

EXHIBIT A

DETAILS OF DATA PROCESSING

Duration of Processing: Melingo shall Process Customer Personal Data in accordance with the periods required for the Processing purposes as detailed in the Services Agreement and this DPA.

Nature of Processing: Provision of content services as described in the Services Agreement, including inter alia, monitoring, utilizing, operating, and improving the Services.

  • Analyze Data Controller’s customer service messages.
  • Provide automatic customer service answer suggestions based on customer service messages.
  • Provide automated customer service responses and workflows; and/or
  • Provide analytics on customer service cases and product performance via a web dashboard.

Categories of Data Subjects: Customer’s End Users.

Categories of Personal Data: user credentials –

  • Users – e-mail addresses used for log-in, names, organization name, logged information – usage data.
  • Chat visitors – communications (conversations and timestamps); and/or customer service information.

Categories of Sensitive Data: None.

Sub-processors list:

  • Amazon Web Services – Western Europe
  • Azure OpenAI
  • Active trail