This Data Processing Agreement (" DPA") is between the user ("User" or "Company") agreeing to the Terms of Service of Matterloom Inc. ("Agreement or "Terms") currently hosted at lo.app or on Matterloom’s website currently hosted at matterloom.com and (2) Matterloom Inc. ("Matterloom" or "Service Provider") as the provider of the Services under the Agreement. User and Matterloom together are referred to as the "Parties" and each is also referred to as a "Party". The DPA applies to all Processing of User Personal Data by Matterloom. 

1. Definitions. In this DPA, the following terms shall have the meanings set out below:

"Applicable Laws" means all statutes, laws, rules, regulations, ordinances, and the like of any federal, international, city, state, provincial, or local government or governmental agency applicable to Services under the Agreement including without limitation Data Protection Laws.

"User Personal Data" means any Personal Data provided by or made available by User to Service Provider or collected by Service Provider on behalf of User, which Service Provider Processes to perform the Services.

"Data Breach" means unauthorized acquisition of, access to, disclosure of, or use of, User Personal Data.

"Data Protection Laws" means Applicable Laws relating to privacy, security, or protection of Personal Data, as may be defined by such laws, including, for example and to the extent applicable, the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"); the California Consumer Protection Act ("CCPA"), regulations and official guidance adopted thereunder, and any subsequent supplements, amendments, or replacements to the same; and similar legislation in other jurisdictions. 

"Data Subject" means an identified or identifiable natural person about whom Personal Data is Processed under this Agreement or as otherwise defined (including under similar terms such as "consumer") under Data Protection Laws.

"Personal Data" means data that that relates to an identified or identifiable natural person or as otherwise defined under Data Protection Laws.

"Process, processed, or processing" means the collection, receipt, recording, organization, structuring, alteration, use, transmission, access, sharing, provision, disclosure, distribution, copying, transfer, storage, management, retention, deletion, combination, restriction, summarizing, aggregation, correlation, inferring, derivation, analysis, adaptation, retrieval, consultation, destruction, disposal, or other handling of Personal Data.

"Sell" or "selling" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s Personal Data to another business or a third party for monetary or other valuable consideration.  

"Services" means services provided by Service Provider under the Agreement and all schedules, order forms, and statements of work thereunder. 

"Share" or "sharing" means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data to a third party for cross-context behavioural advertising (as that term is defined in the CCPA), whether or not for monetary or other valuable consideration.

"Sub-processor" means any person or entity engaged by Service Provider that Processes User Personal Data.

The terms "Controller," "Processor," "Data Processor," and "Business," shall have the same meaning as in Data Protection Laws. 

2. Data Ownership/Licenses 

Ownership. For purposes of this DPA, as between the parties, User retains all right, title, and interest in User Personal Data. 

License. Subject to its compliance with the Agreement and DPA, User grants to Service Provider a worldwide, perpetual, fully paid-up right and license under all applicable intellectual property laws to make, use, copy, distribute, display, organize, create derivative works from, and otherwise Process, the User Personal Data, and to sublicense all the foregoing rights to Sub-processors, as necessary for the Services, rights, and obligations under the Agreement and this DPA.

3. Scope of Processing 

Roles of Parties. The parties acknowledge and agree that with respect to processing of User Personal Data, Service Provider is a Processor and a service provider (as that term is defined in Data Protection Laws) and User is a Controller and Business, except that if User is a Processor in which case Service Provider is a Sub-processor. If User is a Processor of User Personal Data, User represents and warrants that User’s instructions and Processing of User Personal Data, including its appointment of Service Provider as a Sub-processor, have been authorized by the respective Controller.  

3. User Instructions and Restrictions on Processing

Instructions. Service Provider will use, retain, and disclose User Personal Data solely for the specific business purpose of providing the Services and in accordance with User’s instructions, which are as set forth in the Agreement, DPA, and other agreements between the parties for the Services. Service Provider will inform User if any of User’s instructions infringes any Data Protection Laws.

Processing by Service Provider. Service Provider will Process User Personal Data in compliance with Data Protection Laws. 

Service Provider will not: 

• Sell or Share User Personal Data; 
• use, retain, or disclose User Personal Data outside of its direct business relationship with the User; 
• use, retain, or disclose User Personal Data for any other purpose (including any other commercial purpose) other than as set forth in the Agreement and DPA, except as authorized by User or as required by law or by order of a court or authorized governmental agency (provided that prior notice first be given to the User unless such notice is prohibited by law or court order); or 
• combine User Personal Data with Personal Data that it (a) receives from or on behalf of third parties, or (b) collects from Service Provider’s own interactions with Data Subjects unrelated to the Services. 

Service Provider may Process User Personal Data as necessary or appropriate: 

• to perform its rights and obligations under the Agreement and this DPA; 
• to operate, manage, test, maintain and enhance the Services including as part of its business operations; 
• to deidentify or aggregate User Personal Data in a manner that prevents individual identification of the User, or Data Subjects;  
• protect the Service from a threat to the Services, Users, User Personal Data, and Service Provider’s systems; and 
• as otherwise expressly authorized by the User.

Employees and Agents. Service Provider will take commercially reasonable steps so that all Service Provider employees, contractors, and Sub-processors that Process User Personal Data are subject to written confidentiality agreements that provide substantially the same level of protection for User Personal Data as provided in this DPA and as required by Data Protection Laws.

Unauthorized Processing. User may take reasonable and appropriate steps to stop unauthorized Processing of User Personal Data, including without limitation, by instructing Service Provider to cease any such Processing.  

Deidentification. Where Service Provider is permitted by applicable Data Protection Law or this DPA to use User Personal Data for its internal business purposes in a de-identified manner, Service Provider agrees to take reasonable measures designed to ensure that the Personal Data cannot be associated with an individual (or, household, where applicable), publicly commits to maintain and use the information in de-identified form only and make no attempt to re-identify the information except where necessary to test its de-identification processes, and contractually obligates any authorized recipients to comply with these obligations. 

4. Data Security

Data Security Obligations. Service Provider will implement and maintain commercially reasonable administrative, technical, and physical safeguards.

4.2 Data Breach.

• If Service Provider learns of a Data Breach affecting User Personal Data, Service Provider shall take reasonable, appropriate, and prompt steps to: (a) investigate, mitigate, and remedy the Data Breach; (b) notify User of such Data Breach without unreasonable delay consistent with timing under applicable laws; (c) furnish to User necessary and relevant details of the Data Breach as may be available; (d) assist User, as needed, in its investigation, mitigation, and remedying of the Data Breach; and (e) provide information and assist User, as needed, in meeting User’s legal obligations, including any applicable obligations to notify individuals affected by the Data Breach.
• Unless prohibited by Applicable Laws or court order, Service Provider will notify User if Service Provider learns of any third-party legal process relating to any Data Breach, including, but not limited to, any legal process initiated by any governmental entity.
• Service Provider’s cooperation or obligation to report or respond to Data Breaches under this DPA shall not be deemed an acknowledgment by Service Provider of any fault or liability of Service Provider with respect to a Data Breach.
• Service Provider shall not be identified in any notifications provided publicly or to third parties (such as to government entities or Data Subjects) unless the contents of the notifications are approved by Service Provider.  Service Provider agrees to cooperate in promptly reviewing any notifications and will not unreasonably withhold approval. If such reviews and approvals are expressly prohibited by Applicable Law, User can provide them without review and approval. 

5. Data Protection Audits and Assistance. Upon User request, but no more than once per year, Service Provider will provide reasonable assistance and information to User regarding its Processing of User Personal Data to support compliance with its obligations and data protection impact assessments, where the information sought is not provided in the Agreement or this DPA or otherwise accessible to User.  Service Provider will also provide reasonable assistance and information to User to support responses to regulatory enquiries and Data Subject Rights where such means and assistance are not provided in the Agreement or this DPA or otherwise accessible to User through an Admin Portal.

6. Notice Regarding Third Party Requests and Inquiries. Service Provider will take reasonable steps to notify User if Service Provider receives the following in connection with its Processing of User Personal Data: (i) any requests from a Data Subject, including individual opt-out requests, requests for access and/or deletion and all similar individual rights requests; or (ii) any request from a government entity or regulator provided such notice is not prohibited by law or court order.

7. Location of Processing. Service Provider will only Process User Personal Data in the countries and regions listed in Exhibit 1 and at trust.Matterloom.com ("Approved Regions"), or such other countries and regions as instructed or authorized by User (where User instruction or authorization received by email or other electronic means is acceptable).

8. Cross-Border Data Transfers. With regard to countries, regions, or territories with Data Protection Laws requiring a mechanism for valid export of User Personal Data (such countries, regions, or territories, are "Limited Transfer Region(s)" and such data is "Limited Transfer Data"), Service Provider may not transfer, export, receive, or Process such Limited Transfer Data outside of such Limited Transfer Regions unless it or its sub-processors take measures to adequately protect such data consistent with applicable Data Protection Laws. Such measures may include (to the extent consistent with Data Protection Laws):  

• Processing User Personal Data in a country, a territory, or one or more specified jurisdictions that are considered under Data Protection Laws as providing an adequate level of data protection).

9. Retention and Deletion of User Personal Data. Upon User’s written request, or upon termination or expiration of the Agreement, Service Provider will delete all User Personal Data under Service Provider’s possession or control or provide User ability to delete such User Personal Data directly through tools or functionality made available by Service Provider. Service Provider will not delete to the extent that: (a) deletion is not permitted under Applicable Laws or the order of a governmental or regulatory body; (b) where Service Provider retains such data for internal record keeping, compliance with any legal obligations, and other lawfully permitted purposes; or (c) while Service Provider’s then-current data retention or similar back-up system stores User Personal Data provided such data will remain protected in accordance with the measures described in the Agreement and this DPA.

10. General Terms 

Limitation of Liability. In no event will either party: (a) be liable for any indirect, incidental, consequential, punitive, special, or exemplary damages, whether or not such damages are foreseeable or a party has been advised of the possibility thereof, arising from or relating to this DPA; and (b) have aggregate liability for damages arising from or relating to this DPA in excess of the amount paid for the Services provided. 

Indemnification. Service Provider and User shall each indemnify, defend and hold harmless each other, and their respective directors, officers, employees and agents (and successors, heirs and assigns) against any liability, damage, loss, fine, penalty, or expense (including reasonable attorneys’ fees and costs) incurred by such indemnifying party as a result of any claim, demand, lawsuit, investigation, or regulatory enforcement proceeding arising from a breach of any obligations or restrictions of this DPA by the indemnitor ("Claim"). The indemnified party will provide the indemnitor with prompt notice of any Claim (provided that the failure to promptly notify shall only relieve indemnitor of its obligation to the extent it can demonstrate material prejudice from such failure) and at the indemnitor’s expense, provide assistance reasonably necessary to defend such Claim. The indemnitor will not enter into a settlement that would result in liability to the indemnified party without the indemnified party’s prior written consent, which shall not be unreasonably withheld or delayed.

Termination and Survival.  This DPA can be terminated as set forth in the Agreement. 

Governing Law; Conflicts of Law; Severance. The parties to this DPA agree to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims relating to or arising under this DPA.

Service Provider:

Matterloom
38-2482 Yonge Street
Toronto ON M4P 2H5
Canada

Service Provider Contact:

contact@matterloom.com