Data Use and Processing 

​

• Data Processing Arrangement: The Customer assumes one of two roles: either as the Controller of Customer Personal Data or as a Processor, handling Customer Personal Data on behalf of a third-party Controller (such as an end customer of the Customer). In either scenario, both parties recognize and agree that Mvue has been designated by the Customer to process Customer Personal Data as a Processor (or sub-Processor, when applicable) on the Customer's behalf. If the Customer acts as a Processor on behalf of a third-party Controller, the Customer will ensure that any Processing instructions given to Mvue under this Data Processing Agreement are in alignment with the directives issued by the Controller to the Customer. 

​

​

• Stipulated Instructions: Mvue shall process Customer Personal Data exclusively for the following purposes: (1) to fulfill its commitments to Customer as outlined in the Agreement, including this Data Processing Agreement (DPA); (2) on behalf of Customer; and (3) in full compliance with Data Protection Laws. Mvue shall process Customer Personal Data strictly for the business purpose(s) mutually agreed upon by the parties, as specified in the Agreement, this DPA, and any written instructions explicitly endorsed by both parties (collectively referred to as the "Business Purpose(s)"). Customer shall not issue instructions to Mvue that contravene applicable laws, including Data Protection Laws. Mvue is not obligated to oversee Customer's use of the services to ensure compliance with applicable laws, including Data Protection Laws, and Mvue will not be held accountable for any harm or damages resulting from Mvue's adherence to unlawful instructions from Customer. Nonetheless, Mvue shall, unless legally prohibited, (i) notify Customer in writing if it reasonably believes there is a conflict between Customer's instructions and applicable laws, including Data Protection Laws, or if it is required to process Customer Personal Data in a manner inconsistent with Customer's instructions, and (ii) in either case, halt all processing of the affected Customer Personal Data (excluding storage and security maintenance) until Customer issues new instructions that Mvue can adhere to. In the event this provision is invoked, Mvue will not be held liable to Customer under the Agreement for failing to perform the services until new instructions are mutually agreed upon. Customer retains the right, upon notification, to take appropriate measures to halt and rectify any unauthorized use of Customer Personal Data, including any use not sanctioned in this DPA. 

​

​

• Certification by Service Provider: Mvue will not engage in the following activities: (a) "selling" Customer Personal Data (as defined in quotation marks under the CCPA); (b) "sharing" or processing Customer Personal Data for the purposes of "cross-context behavioral advertising" or "targeted advertising" (as defined in quotation marks under the CCPA); (c) retaining, using, or disclosing Customer Personal Data for any purposes other than those related to the Business Purpose(s), which includes refraining from retaining, using, or disclosing Customer Personal Data for any commercial purpose other than performing its services under the Agreement; (d) retaining, using, or disclosing Customer Personal Data beyond the direct business relationship between Customer and Mvue. Mvue (i) will not attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Customer Personal Data without obtaining Customer's explicit written consent; and (iii) will adhere to any applicable restrictions imposed by Data Protection Laws regarding the combination of Customer Personal Data with personal data obtained from another person or entity on behalf of Mvue. Mvue confirms its understanding of the limitations outlined in this Section 3.3 and pledges to abide by them. 

​

​

• Authorization to Use Sub-processors: The Customer hereby grants Mvue authorization to enlist its affiliates and other Sub-processors for the purpose of processing Customer Personal Data, in accordance with the stipulations outlined in this Data Processing Agreement (DPA) and in compliance with Data Protection Laws.  Below is the current list of Mvue’s Sub processors. Refer Appendix (1) for the list of Mvue's subprocessors.‍ 

​

​

• Mvue and Sub-processor Compliance: Mvue commits to (i) establishing a written agreement with Subprocessors pertaining to the processing of Customer Personal Data, imposing data protection obligations on these Sub-processors that are consistent with the provisions of this Data Processing Agreement (DPA); and (ii) retaining accountability towards the Customer for any lapses by Mvue's Sub-processors in fulfilling their responsibilities concerning the processing of Customer Personal Data. 

​

​

• Notification and Right to Object Regarding New Sub-processors: Mvue will maintain an updated list of its Sub-processors, which can be found in the Section 1.d above in this agreement. The Customer is encouraged to regularly consult the Mvue Sub-processor List. Additionally, the Customer has the option to subscribe to notifications about new Sub-processors by sending an email to info@mvue.com with the subject "Subscribe to New Sub-processors." Once the Customer has subscribed to receive notifications about new Sub-processors, Mvue will provide advance notice of any new Sub-processor before permitting such Sub-processor to process Customer Personal Data. The Customer will have a period of ten (10) days from the receipt of Mvue's notice to submit a valid, good-faith objection to the involvement of such new Sub-processor(s). The Customer's objection should include a clear explanation of the reasonable grounds for the objection. If an objection is raised, both parties will engage in good-faith efforts to address the concerns raised in the objection. In the event that the objection cannot be resolved within a reasonable timeframe, not exceeding thirty (30) days, either party may terminate the Agreement by providing written notice to the other party. Mvue reserves the right to replace a Sub-processor in cases of urgent necessity to ensure the provision of Services. In such circumstances, Mvue will notify the Customer of the substitution as promptly as possible, and the Customer will retain the right to raise objections to the replacement Sub-processor. 

​

​

• Confidentiality: Mvue will ensure that any individual authorized by Mvue to handle Customer Personal Data on its behalf is bound by confidentiality obligations concerning such Customer Personal Data. 

​

​

• Handling Customer Personal Data Inquiries and Requests: In situations where the Customer, while using the Services, lacks the capability to address a request from a data subject exercising their rights under relevant Data Protection Laws (such as requests for access or deletion), Mvue will, upon the Customer's request, make commercially reasonable efforts to aid the Customer in responding to such data subject requests. If a request concerning Customer Personal Data is directly sent to Mvue, Mvue will use commercially reasonable efforts to promptly inform the Customer within five (5) business days of receiving such request. Mvue will not respond to the request unless explicitly authorized to do so by the Customer. To the extent permitted by law, the Customer will be responsible for covering any reasonable costs incurred by Mvue in providing assistance as outlined in this section. The Customer acknowledges that Mvue relies on the Customer for guidance regarding the extent to which Mvue is allowed to process Customer Personal Data on the Customer's behalf when delivering the Services. Consequently, Mvue will not be held liable under the Agreement for any claims brought by a data subject as a result of any actions or omissions by Mvue, to the extent that such actions or omissions stem from the Customer's instructions or the Customer's failure to fulfill its obligations under applicable law. 

​

​

• Data Protection Impact Assessment and Consultation: To the extent mandated by Data Protection Laws, Mvue commits to offer the Customer reasonable assistance and cooperation for the Customer's execution of a data protection impact assessment related to the processing or proposed processing of Personal Data, as required by relevant Data Protection Laws. This assistance will be provided at the Customer's reasonable expense. 

​

​

• Limitation on Customer Personal Data Disclosure: To the extent legally permissible in each instance, Mvue shall: (i) promptly inform the Customer in writing upon receiving an order, demand, subpoena, warrant, legal request, or any similar document seeking to compel the release of Customer Personal Data to any non-data-subject third party, including, but not limited to, regulatory authorities and the United States government for surveillance or other purposes; and (ii) refrain from disclosing Customer Personal Data to the third party until the Customer has been given at least forty-eight (48) hours' notice, allowing the Customer to take action, at its own expense, to exercise any rights it may have under applicable laws to prevent, contest, or restrict such disclosure to the extent permitted by applicable laws. If Mvue is legally prohibited by applicable Data Protection Laws from divulging the specifics of a government request to the Customer, Mvue will notify the Customer that it cannot continue to follow the Customer's instructions under this Data Processing Agreement (DPA) without furnishing further details and will await additional instructions from the Customer. Mvue will employ all reasonable and legally available means to challenge any requests for data access under national security processes, including any accompanying non-disclosure provisions.

​

Information Security Program 

​

• Security Measures: Mvue will establish and maintain commercially reasonable administrative, technical, and physical safeguards as outlined in the Mvue Security Standards to safeguard Customer Personal Data. These measures are subject to regular monitoring for compliance. Mvue will not significantly reduce the overall security of the Service during any Subscription Term. 


​

Audits

​

• Third-Party Audit Reports: Upon the Customer's request, subject to the confidentiality terms stipulated in the Agreement and the execution of specific non-disclosure agreements, Mvue will provide the Customer (or the Customer's independent, reputable, third-party auditor) with information concerning Mvue's compliance with the obligations outlined in this Data Processing Agreement (DPA). This information will include summaries of the most recent third-party audit reports referenced in the Mvue Security Standards. All such summaries, unless generally available to the public on Mvue's website, constitute Mvue's Confidential Information.  

​

• Audit of Mvue: In situations where Data Protection Laws grant the Customer an audit privilege, the Customer (or the Customer's independent, reputable, third-party auditor) may contact Mvue, following the procedures outlined in the "Notices" section of the Agreement, to request an audit of Mvue's policies, procedures, and records relevant to the processing of Customer Personal Data. This audit is to confirm Mvue's adherence to this DPA, provided that the items subject to audit are within Mvue's control and Mvue is not prohibited from disclosure by applicable law, a duty of confidentiality, or any other obligation owed to a third party. The Customer will reimburse Mvue for its costs and expenses associated with this audit, including any time spent, at Mvue's prevailing rates, which will be disclosed to the Customer upon request. Prior to commencing the audit, the Customer and Mvue will mutually agree on the audit's scope, timing, duration, and reimbursement terms, all of which will be reasonable, taking into account Mvue's resources. Under no circumstances is Mvue obligated to disclose information that it is legally prohibited from revealing, pursuant to applicable law, a confidentiality duty, or any other obligation to a third party. Any audit must adhere to the following conditions: (i) conducted during Mvue's regular business hours; (ii) conducted with reasonable prior notice to Mvue; (iii) carried out in a manner that does not unduly disrupt Mvue's operations; and (iv) subject to reasonable confidentiality procedures. Furthermore, such audits are limited to once per year, except when conducted at the direction of a government authority with proper jurisdiction. If the Customer discovers any non-compliance with this DPA during the audit, the Customer will promptly notify Mvue, and Mvue will make commercially reasonable efforts to address any confirmed non-compliance. 

​

Data Deletion 

​

• In the event of the termination or expiration of the Agreement, Mvue will, upon the Customer's request, and subject to the constraints specified in the Agreement and the Mvue Security Standards, either return to the Customer (or make available for export as per the Agreement) all Customer Personal Data within Mvue's possession or securely destroy such Customer Personal Data. This excludes any backup or archival copies, which will be deleted in accordance with Mvue's data retention schedule. However, if Mvue is obligated to retain copies under applicable laws, Mvue will restrict its processing of such Customer Personal Data to the extent mandated by applicable laws.  

​​

​​