This Data Processing Addendum (“DPA”) modifies and amends the the MNTN Terms and Conditions located at https://www.mountain.com/terms-and-conditions/, the MNTN Master Services Agreement and/or other written or electronic agreement between MNTN and the Customer (together, the “Parties”) for the provision of online services from MNTN to Customer (the “Master Agreement”). This DPA sets forth Customer’s instructions for the processing of Personal Data in connection with the Services under the Master Agreement and the rights and obligations of both Parties. Except as expressly set forth in this DPA, the Master Agreement shall remain unmodified and in full force and effect. In the event of any conflicts between this DPA and the Master Agreement, this DPA will govern to the extent of the conflict.
Definitions. For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms used but not defined in this DPA shall have the meanings given in the Master Agreement. All other terms in this DPA not otherwise defined in the Master Agreement shall have the corresponding meanings given to them in applicable US Privacy Laws.
“Personal Data” means any information provided by or on behalf of the Customer for use within the Services that identifies, relates to, describes, is reasonably capable of being associated with, or is linked or reasonably linkable, directly or indirectly, to an identified or identifiable individual or household. For the avoidance of doubt, “Personal Data” does not include de-identified data, aggregated data, or publicly available information as such or similar terms are defined in applicable US Privacy Laws.
“US Privacy Laws” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), and the Virginia Consumer Data Protection Act (“VCDPA”).
Roles of the Parties. The Parties acknowledge that for purposes of applicable US Privacy Laws, Customer is the “service provider,” “controller,” “business,” or any similar term provided under applicable US Privacy Laws, and MNTN is the “service recipient,” “processor,” “contractor,” or any similar term provided under applicable US Privacy Laws.
Details of Processing. The Parties agree that the following details of processing describe the MNTN’s processing of Personal Data:
a. Nature and purpose of the processing: To provide the Services described in the Master Agreement and any additional agreements, order forms or invoices between the Parties initiated by the Customer from time to time.
b. Types of Personal Data subject to the processing: IP address, if an IP address is linked with other information to identify an individual by MNTN, email addresses and any other Personal Data that the Customer shares with or instructs MNTN to process.
c. Duration of the processing: For the Term of the Master Agreement.
4. Customer Obligations. Customer shall comply with all applicable US Privacy Laws in providing Personal Data to MNTN. Customer represents and warrants that all such Personal Data was collected and at all times processed and maintained by or on behalf of Customer in compliance with all applicable US Privacy Laws, including with respect to any applicable obligations to provide notice to and/or obtain consent from individuals. Customer shall notify MNTN without undue delay if Customer makes a determination that the processing of Personal Data under the Master Agreement does not or will not comply with applicable US Privacy Laws, in which case, MNTN shall not be required to continue processing such Personal Data. To the extent required by applicable US Privacy Laws, Customer shall notify MNTN of a rights request made pursuant to such US Privacy Law that MNTN must comply with and provide the information necessary for MNTN to comply with the request.
Use of Personal Data. MNTN shall only process Personal Data under the Master Agreement for the limited and specific purpose of performing the Services, comply with applicable sections of US Privacy Laws, provide the same level of privacy protection as is required by applicable US Privacy Laws and notify Customer without undue delay if MNTN makes a determination that it can no longer meet its obligations under applicable US Privacy Laws. If MNTN provides such notification, Customer shall have the right to (a) take reasonable and appropriate steps to help ensure that MNTN uses the Personal Data in a manner consistent with Customer’s obligations under applicable US Privacy Laws, and (b) stop and remediate any unauthorized use of the Personal Data. MNTN shall require that each employee or other person processing Personal Data is subject to a duty of confidentiality with respect to such Personal Data.
Prohibitions. To the extent required by applicable US Privacy Laws, MNTN agrees that it shall not:
a. sell the Personal Data;
b. share the Personal Data for cross-context behavioral advertising purposes;
c. retain, use, or disclose the Personal Data for any purpose other than for the specific purpose of performing the Services;
d. retain, use, or disclose the Personal Data outside of the direct business relationship between MNTN and Customer; and
e. combine the Personal Data received from Customer with any Personal Data that is collected from MNTN’s separate interactions with the individual(s) to whom the Personal Data relates or from any other sources.
De-Identified Data. To the extent MNTN receives de-identified data (as such term is defined under applicable US Privacy Laws) from Customer, MNTN shall: (i) take commercially reasonable measures to ensure that the data cannot be associated with an identified or identifiable individual; (ii) maintain and use the data only in a de-identified fashion; and (iii) not attempt to re-identify the data.
Use of Subcontractors. MNTN shall only engage subcontractors to process Personal Data on its behalf after providing Customer with an opportunity to object and pursuant to a written contract that requires the subcontractor to materially comply with the MNTN’s obligations with respect to the Personal Data. At MNTN’s choice, MNTN may notify Customer of new subcontractors by adding the subcontractor to a list of subcontractors maintained on MNTN’s public-facing website. Following the addition of a new subcontractor to such list, Customer shall have ten days to object to MNTN’s use of such subcontractor.
Security Measures. The Parties shall, taking into account the context of the processing, implement appropriate technical and organizational measures designed to provide a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement such measures.
Access and Audits. Upon reasonable request of Customer, MNTN shall make available to Customer all information in its possession necessary to demonstrate MNTN’s compliance with its obligations under applicable US Privacy Laws. MNTN shall allow and cooperate with reasonable assessments by Customer or Customer’s designated auditor, at Customer’s expense, of MNTN’s compliance with its obligations under this DPA and applicable US Privacy Laws, including through measures such as ongoing manual reviews, automated scans, and regular assessments, audits or other technical and operational testing. Customer shall be permitted to conduct such an assessment no more than once every twelve months, upon thirty days’ advance written notice to MNTN, and only after the Parties come to agreement on the scope of the audit. As an alternative to an audit performed by or at the direction of Customer, MNTN may arrange for a qualified and independent auditor to conduct, at MNTN’s expense, an assessment of MNTN’s policies and technical and organizational measures in support of its obligations under applicable US Privacy Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments, and will provide a report of such assessment to Customer upon reasonable request. Notwithstanding the foregoing, in no event shall MNTN be required to give Customer access to information, facilities, or systems to the extent doing so would cause MNTN to be in violation of confidentiality obligations owed to other customers or its legal obligations.
Deletion of Personal Data. At Customer’s written direction, MNTN shall delete or return all Personal Data to Customer as requested at the end of the provision of the Services, unless retention of the Personal Data is required by law.
Amendment. MNTN may need to update this DPA from time to time, including to accurately reflect or comply with US Privacy Laws and other laws applicable to the parties. MNTN shall use commercially reasonable efforts to provide prior notice to Customer of any material updates to this DPA designed to reflect or comply with such laws. By instructing the processing of Personal Data under the Master Agreement, Customer agrees to review and comply with the latest version of this DPA, and Customer waives any objection to the means and manner of Customer’s acceptance of this DPA that may be specified in or required by the Master Agreement.