MochaDocs’s Processor Rules for the Processing of Personal Data ('DPA')

1. Introduction

MochaDocs B.V. and its affiliates are committed to achieving and maintaining customer trust. Integral to this mission is providing a robust security and privacy program that carefully considers data protection matters.

In accordance with the EU Data Protection Directive and implementing national legislation, the MochaDocs Processor Rules (BCR) is intended to provide an adequate level of protection for Personal Data during international transfers within the MochaDocs Group made on behalf of Customers and under their instructions.

2. Definitions

• Controller means controller, as defined in the EU Data Protection Directive. The term “controller” is defined in the EU Data Protection Directive as “the natural or legal person, public authority, agency, or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law.
• Customer means (i) a legal entity with whom MochaDocs Group has executed a contract to provide the Services (or a legal entity placing an order under such contract) and such contract incorporates by reference the MochaDocs Processor BCR or (ii) a legal entity with whom the MochaDocs Group has executed a contract under which the legal entity is entitled to resell the Services to its end customers and such contract incorporates by reference the MochaDocs Processor BCR.
• Data Subject means an individual to whom Personal Data relates.
• EU Data Protection Directive means European Union Directive 95/46/EC dated 24 October 1995.
• Personal Data means personal data, as defined in the EU Data Protection Directive, when such data is submitted to the Services. The term “personal data” is defined in the EU Data Protection Directive as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.”
• Processor means processor, as defined in the EU Data Protection Directive. The term “processor” is defined in the EU Data Protection Directive as “a natural or legal person, public authority, agency, or any other body which processes personal data on behalf of the controller.”
• MochaDocs Group means MochaDocs, inc., MochaDocs B.V. and its affiliate sub-processors of Personal Data, available here.
• MochaDocs Processor BCR means MochaDocs’s Processor Rules for the Processing of Personal Data.
• Services means the online services provided to Customer by the MochaDocs Group, as listed in Appendix A.

3. Scope and Application

The purpose of the MochaDocs Processor BCR is to govern cross-border transfers of Personal Data to and between members of the MochaDocs Group, and to third-party sub-processors (in accordance with written agreements with any such third-party sub-processors) when acting as Processors and/or sub-processors on behalf and under the instructions of Customers.

The MochaDocs Processor BCR applies to Personal Data submitted to the Services by:

(a) Customers established in EEA member states whose processing activities for the relevant data are governed by the EU Data Protection Directive and implementing national legislation; and

(b) Customers established in non-EEA member states for which the customer has contractually specified that the EU Data Protection Directive and implementing national legislation shall apply. The MochaDocs Group may update the MochaDocs Processor BCR with approval from the MochaDocs Group’s appointed privacy leader, general counsel and/or compliance officer. All changes to the MochaDocs Processor BCR shall be communicated to members of the MochaDocs Group.

The MochaDocs Group’s appointed compliance officer shall be responsible for keeping a fully updated list of the members of the MochaDocs Group and third-party sub-processors and making appropriate notifications to Customers in its capacity as lead authority for the MochaDocs Processor BCR. The MochaDocs Group shall not transfer Personal Data to a new member of the MochaDocs Group until such member is appropriately bound by and complies with the MochaDocs Processor BCR.

The MochaDocs Group shall make the most current version of the MochaDocs Processor BCR, including the members of the MochaDocs Group, available at http://www.mochadocs.com/en/legal. Significant changes to the MochaDocs Processor BCR and/or the list of members of the MochaDocs Group will be reported (a) in a timely fashion to Customers and (b) once per year to the relevant data protection authorities accompanied by a brief explanation of the changes.

4. Responsibilities Towards Customers

A. General Obligations

The MochaDocs Group and its employees shall comply with the MochaDocs Processor BCR, process Personal Data only upon a Customer’s instruction and shall have a duty to respect the security and confidentiality of Personal Data, pursuant to the measures provided in the contracts executed with Customers.

B. Transparency and Cooperation with Customers

The MochaDocs Group undertakes to be transparent regarding its Personal Data processing activities and to provide Customers with reasonable cooperation within a reasonable period of time to help facilitate their respective data protection obligations regarding Personal Data.

C. Data Subject Rights Members of the MochaDocs Group act as Processors on behalf of Customers.

As between the MochaDocs Group and Customers, Customers have primary responsibility for interacting with Data Subjects, and the role of the MochaDocs Group is generally limited to assisting Customers as needed.

i. Access, Correction, Amendment or Deletion Requests

The MochaDocs Group shall promptly notify a Customer if the MochaDocs Group receives a request from a Data Subject for access to, correction, amendment or deletion of that person’s Personal Data. The MochaDocs Group shall not respond to any such Data Subject request without the Customer’s prior written consent except to confirm that the request relates to that Customer. The MochaDocs Group shall provide Customers with cooperation and assistance in a reasonable period of time and to the extent reasonably possible in relation to any request regarding Personal Data to the extent. Customers do not have access to such Personal Data through their respective uses of the Services.

ii. Handling of Complaints

The MochaDocs Group’s Privacy department shall be responsible for handling complaints related to compliance with the MochaDocs Processor BCR. Data Subjects may lodge a complaint about processing of their respective Personal Data that is incompatible with the MochaDocs Processor BCR by contacting the relevant Customer or the MochaDocs Group’s Privacy department at the email address bcr@mochadocs.com. The MochaDocs Group shall promptly communicate the complaint to the Customer to whom the Personal Data relates.

Customers shall be responsible for responding to all Data Subject complaints forwarded by the MochaDocs Group except in cases where a Customer has disappeared factually or has ceased to exist in law or become insolvent. Where the MochaDocs Group is aware of such a case, it undertakes to respond directly to Data Subjects’ complaints within thirty (30) days, including the consequences of the complaint and further actions Data Subjects may take if they are unsatisfied by the reply (such as lodging a complaint before the relevant data protection authority).

D. Regulatory Inquiries and Complaints

The MochaDocs Group shall, to the extent legally permitted, promptly notify a Customer if the MochaDocs Group receives an inquiry or complaint from a data protection authority in which that Customer is specifically named. Upon a Customer’s request, the MochaDocs Group shall provide the Customer with cooperation and assistance in a reasonable period of time and to the extent reasonably possible in relation to any regulatory inquiry or complaint involving the MochaDocs Group’s processing of Personal Data. 

5. Description of Processing Operations and Transfers

A. Purpose Limitation

The MochaDocs Group shall process Personal Data only for the following purposes:

(i) processing in accordance with a Customer’s instruction set forth in the Customer’s contract with a member of the MochaDocs Group; and

(ii) processing initiated by the Customer in its use of the Services. If the MochaDocs Group cannot comply with such purpose limitation, a member of the MochaDocs Group shall promptly notify the relevant Customer, and such Customer shall be entitled to suspend the transfer of Personal Data and/or terminate the applicable order form(s) in respect to only those Services which cannot be provided by the MochaDocs Group in accordance with such Customer’s instructions. On the termination of the provision of such Services, the MochaDocs Group and third-party sub-processors shall, at the choice of the Customer, return the Personal Data to the Customer and/or delete the Personal Data as set forth in the applicable customer contract.

B. Data Quality

Customers have access to, and control of, Personal Data in their use of the Services. To the extent, a Customer, in its use of the Services, does not have the ability to anonymize, correct, amend or delete Personal Data, as required by applicable laws, the MochaDocs Group shall comply with any request by a Customer in a reasonable period of time and to the extent reasonably possible to facilitate such actions by executing any measures necessary to comply with the law, in a reasonable period of time and to the extent reasonably possible to the extent the MochaDocs Group is legally permitted to do so. The MochaDocs Group will, to the extent reasonably required for this purpose, inform each member of the MochaDocs Group to whom the Personal Data may be stored of any anonymization, rectification, amendment or deletion of such data. If any such anonymization, correction, amendment or deletion request is applicable to a third-party sub-processor’s processing of Personal Data, the MochaDocs Group shall communicate such request to the applicable third-party sub-processor(s).

C. Sub-processing

i. Sub-processing

Within the MochaDocs Group as set forth in applicable contracts with Customers, members of the MochaDocs Group may be retained as sub-processors of Personal Data, and depending on the location of the MochaDocs Group member, processing of Personal Data by such sub-processors may involve transfers of Personal Data. The MochaDocs Processor BCR extends to all members of the MochaDocs Group. 

ii. Sub-processing by Third Parties

As set forth in applicable contracts with Customers, members of the MochaDocs Group may retain thirdparty sub-processors, and depending on the location of the third-party sub-processor, processing of Personal Data by such sub-processors may involve transfers of Personal Data. Such third-party subprocessors shall process Personal Data only (i) in accordance with the Customer’s instructions set forth in the Customer’s contract with a member of the MochaDocs Group; or (ii) if processing is initiated by the Customer in its use of the Services. The current list of third-party sub-processors engaged in processing Personal Data, including a description of their processing activities, is available at here. Such third-party sub-processors have entered into written agreements with a member of the MochaDocs Group in accordance with the applicable requirements of Articles 16, 17, 25 and 26 of EU Data Protection Directive and Sections 3 – 10 of the MochaDocs Processor BCR as applicable to the third-party subprocessor’s processing activities. 

iii. Notification of New Sub-processors and Objection Rights

As set forth in applicable contracts with Customers, the MochaDocs Group shall provide Customers with prior notification before a new sub-processor begins processing Personal Data. Within thirty (30) days of receiving such notice, a Customer may object to the MochaDocs Group’s use of a new sub-processor subject to the following:

• It would be unreasonable for a Customer to object to a new sub-processor that is a member of the MochaDocs Group if (a) the sub-processor is subject to the MochaDocs Processor BCR; and (b) has achieved a third-party, internationally-recognized security certification (e.g., ISO 27001) unless the Customer demonstrates reasonable suspicion that the new sub-processor will not be able to comply with its obligations under the MochaDocs Processor BCR.

• Unless a Customer demonstrates reasonable suspicion that a new third-party sub-processor introduces unreasonable risk to the protection of Personal Data (e.g., a history of security breaches), it would be unreasonable for a Customer to object to a new third-party sub-processor if (a) the new third-party sub-processor is located in a country that provides an adequate level of protection per the European Commission or has entered into a contract with a member of the MochaDocs Group containing the applicable requirements of the European Commission’s controller-to-processor standard contractual clauses; and (b) the new third-party sub-processor has passed the MochaDocs Group’s vendor security evaluation based on a third-party, internationally-recognized security framework

In the event a Customer objects to a new sub-processor, and that objection is not unreasonable under the standards described above, the MochaDocs Group will use reasonable efforts to make available to the Customer a change in the Services or recommend a commercially reasonable change to the Customer’s configuration or use of the Services to avoid processing of Personal Data by the objected-to new subprocessor without unreasonably burdening the Customer. If the MochaDocs Group is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, the Customer may terminate the applicable order form(s) in respect only to those Services which cannot be provided by the MochaDocs Group without the use of the objected-to new sub-processor by providing written notice to the member of the MochaDocs Group with whom the customer has contracted. Such Customer shall receive a refund of any prepaid fees for the period following the effective date of termination for such terminated Services.

6. Confidentiality and Security Measures

A. Confidentiality and Training

The MochaDocs Group shall ensure that its personnel engaged in the processing of Personal Data are informed of the confidential nature of the Personal Data, have executed written confidentiality agreements and have received appropriate training on their responsibilities. Additionally, the MochaDocs Group shall ensure that its personnel responsible for the development of tools used to process Personal Data have received appropriate training on their responsibilities. The MochaDocs Group shall also ensure that its personnel engaged in the processing of Personal Data are limited to those personnel who require such access to perform the MochaDocs Group’s obligations under applicable contracts with Customers.

B. Data Security

The MochaDocs Group shall maintain appropriate administrative, technical and physical safeguards for protection of the security, confidentiality and integrity of Personal Data, as set forth in applicable contracts with Customers. The MochaDocs Group regularly monitors compliance with these safeguards. The MochaDocs Group will not materially decrease the overall security of the Services during a Customer’s applicable subscription term.

C. Security Breach Notification In the event a member of the MochaDocs Group becomes aware of any unauthorized access to or disclosure of Personal Data, the MochaDocs Group will promptly notify affected Customers to the extent such notification is permitted by applicable law.

D. Audits The MochaDocs Group shall maintain an audit program to help ensure compliance with the MochaDocs Processor BCR, including the following third-party audits and certifications, internal verification and audits by Customers. The audit program covers all aspects of the MochaDocs Processor BCR, including methods for ensuring non-compliance is addressed.

i. Third-Party Audits and Certifications

The following third-party audits and certifications are applicable to the Services. The MochaDocs Group agrees to maintain such audits and certifications, or their successors.

• ISO 27001 certification: The MochaDocs Group is subject to an information security management system (ISMS) in accordance with the ISO 27001 international standard. Members of the MochaDocs Group have achieved ISO 27001 certification on May 25th 2019 for their ISMS from an independent third party. The scope of the MocaDocs Group’s ISO 27001 certification is set forth in the Security, Privacy and Architecture Documentation for the Services, available at the certification area of the MochaDocs websites.

ii. Internal Verification

The MochaDocs Group has appointed a network of privacy personnel responsible for overseeing and ensuring compliance with the MochaDocs Group’s data protection responsibilities at a local and global level, including compliance with this MochaDocs Processor BCR, advising management on data protection matters, liaising with data protection authorities, and handling data protection-related complaints. Each member of the MochaDocs Group shall be assigned such a member of network of privacy personnel. Such privacy personnel are primarily responsible for privacy-related matters and report to the MochaDocs Group’s appointed privacy leader, who reports to the MochaDocs Group’s general counsel, and benefits from the support of the MochaDocs Group’s top management. The MochaDocs Group’s appointed privacy leader is responsible for the MochaDocs Group’s compliance with applicable privacy and data protection laws and leads the MochaDocs Group’s network of privacy personnel. The MochaDocs Group’s network of privacy personnel have regional responsibility for the MochaDocs Group’s compliance with applicable privacy and data protection laws. The MochaDocs Group’s compliance department shall conduct an annual assessment of the MochaDocs Group’s compliance with the MochaDocs Processor BCR, which is provided to the MochaDocs Group’s appointed privacy leader, compliance officer and/or MochaDocs B.V. ’s board of directors. Such an assessment shall include any necessary corrective actions, timeframes for completing such corrective actions, and follow up by MochaDocs’s compliance department to ensure such corrective actions have been completed.

iii. Customer Audits

Upon a Customer’s request, and subject to appropriate confidentiality obligations, the MochaDocs Group shall make available to the Customer (or such Customer’s independent, third-party auditor that is not a competitor of the MochaDocs Group) information regarding the MochaDocs Group’s and third-party subprocessors’ compliance with the data protection controls set forth in this MochaDocs Processor BCR. This includes providing the requesting Customer a report of the MochaDocs Group’s audits of third-party processors, which Customers instruct the MochaDocs Group to conduct in their applicable contracts.

A Customer (or such Customer’s independent, third-party auditor that is not a competitor of the MochaDocs Group) may also request to conduct an on-site audit of the architecture, systems and procedures relevant to the protection of Personal Data at the locations where Personal Data is stored, including applicable members of the MochaDocs Group and third-party sub-processors, by following the instructions set forth in its applicable contract. Customers shall reimburse the MochaDocs Group for any time expended by the MochaDocs Group or its third-party sub-processors for such on-site audit at the MochaDocs Group’s then-current professional service rates, which shall be made available to Customers upon their request. Before any such on-site audit commences, the requesting Customer and the MochaDocs Group shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which the Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by the MochaDocs Group or its third-party subprocessors. As set forth in applicable contracts with Customers, a Customer who performs an audit in accordance with this Section must promptly provide the MochaDocs Group with information regarding any non-compliance discovered during the course of an audit. A customer requested audit may never result in the disruption of MochaDocs activities or services. If such an event may appear MochaDocs has the authority to immediately stop the requested audit till further notice. 

7. Third-Party Beneficiary Rights

Data Subjects may directly enforce against third-party sub-processors breaches of the written agreement with members of the MochaDocs Group which relate to the third-party sub-processors’ obligations to comply with Sections 3-10 of the MochaDocs Processor BCR, as applicable to the third-party sub-processor’s processing activities, as third-party beneficiaries. Such third-party beneficiary rights shall be limited to those situations where a Data Subject is unable to bring a claim against the relevant Customer and members of the MochaDocs Group because such entities have factually ceased to exist in law or become insolvent and have not named successor entities to assume their respective legal obligations. Such third-party liability of third-party sub-processors shall be limited to their own processing operations. In accordance with Section 8 of the MochaDocs Processor BCR, a Data Subject’s third-party beneficiary rights, if applicable, shall cover judicial remedies for any breach of the rights provided in the MochaDocs Processor BCR and the right to receive compensation for damages. To enforce the above rights, a Data Subject shall, in addition to the right to lodge a complaint as set forth in Section 4.C of the MochaDocs Processor BCR, be entitled to lodge a complaint before the competent data protection authority and/or, at the Subject’s choice, to commence claims within the jurisdiction of the EU-based member of the MochaDocs Group at the origin of the transfer. In case no member of the MochaDocs Group is established in the EU, the Data Subject shall be entitled to lodge a complaint before the data protection authorities or courts of his or her place or residence. If more favorable solutions for Data Subjects exist according to national law, then they would be applicable. 

8. Liability and Enforcement

MochaDocs’s contracts with Customers shall include a reference to the MochaDocs Processor BCR. In accordance with such contracts, Customers shall have the right to enforce the MochaDocs Processor BCR against the MochaDocs Group, including judicial remedies and the right to receive compensation. The MochaDocs Group has appointed MochaDocs, Inc. to accept responsibility for and agree to remedy the acts of other members of the MochaDocs Group and third-party sub-processors for breaches of the MochaDocs Processor BCR or of third-party sub-processors for breaches of the corresponding provisions of the written agreements with members of the MochaDocs Group.

To the extent a Customer (or a Data Subject, if Section 7 of the MochaDocs Processor BCR applies) demonstrates that a Data Subject has suffered damages and establishes facts showing that it is likely that such damages have occurred because of the MochaDocs Group’s breach of Sections 4-10 of the MochaDocs Processor BCR or a third-party sub-processor’s breach of a contract with a member of the MochaDocs Group, the MochaDocs Group shall be responsible for providing that it – or its third-party sub-processor – was not responsible for the breach giving rise to the damages or that no such breach took place. If another member of the MochaDocs Group can prove that the MochaDocs Group and its third-party sub-processors are not responsible for the act leading to the damages suffered by the Data Subject, the MochaDocs Group may discharge itself from any responsibility.

9. Cooperation with Data Protection Authorities

The MochaDocs Group shall cooperate with member country or state data protection authorities with jurisdiction over the MochaDocs Group or competent for Customers, reply to any requests they make within a reasonable time frame and abide by the advice and recommendations of the relevant member country or state data protection authorities regarding the interpretation and application of the MochaDocs Processor BCR.

Upon request and subject to duties of confidentiality, the MochaDocs Group shall provide relevant member country or state data protection authorities with jurisdiction over the MochaDocs Group or competent for Customers (i) a copy of the MochaDocs Group’s annual assessment of compliance with the MochaDocs Processor BCR and/or other documentation reasonably requested; and (ii) the ability to conduct an onsite audit of the MochaDocs Group’s architecture, systems and procedures relevant to the protection of Personal Data.

10. Local Law Requirements

As set forth in applicable contracts with Customers, the MochaDocs Group shall comply with applicable law in its processing of Personal Data. Where applicable law requires a higher level of protection for Personal Data than provided for in the MochaDocs Processor BCR, the local applicable law shall take precedence.

Where the MochaDocs Group reasonably believes that applicable law prevents it from fulfilling its obligations under the MochaDocs Processor BCR or the instructions of a Customer, it shall promptly notify the MochaDocs Group’s Privacy department in addition to affected Customers and the data protection authority competent for the Customer. In such a case, the MochaDocs Group shall use reasonable efforts to make available to the affected Customers a change in the Services or recommend a commercially reasonable change to the Customers’ configuration or use of the Services to facilitate compliance with applicable law without unreasonably burdening Customers. If the MochaDocs Group is unable to make available such change within a reasonable period of time, Customers may terminate the applicable order form(s) in respect to only those Services which cannot be provided by the MochaDocs Group in accordance with applicable law by providing written notice to the member of the MochaDocs Group with whom the customer has contracted. Such Customer shall receive a refund of any prepaid fees for the period following the effective date of termination for such terminated Services.

In accordance with applicable contracts with Customers, the MochaDocs Group shall communicate any legally binding request for disclosure of Personal Data by a law enforcement authority or state security body to the impacted Customer unless the MochaDocs Group is prohibited by law from providing such notification.

To the extent the MochaDocs Group is prohibited by law from providing such notification, the MochaDocs Group shall (1) review each request on a case-by-case basis; (2) use best efforts to request that the confidentiality requirement be waived to enable the MochaDocs Group to notify the appropriate data protection authority competent for the Customer in its capacity as lead authority for the MochaDocs Processor BCR; and (3) maintain evidence of any such attempt to have a confidentiality requirement waived.

On an annual basis, the MochaDocs Group shall provide the appropriate data protection authorities competent for impacted Customers with general information about the types of legally binding requests for disclosure of Personal Data the MochaDocs Group receives by law enforcement authorities.

11. Changes to this MochaDocs's Processor Rules (BCR)

MochaDocs reserves the right to change this BCR. Customer may find on MochaDocs’s website a mechanism to subscribe to notifications of any change in the BCR for each applicable Service, to which Customer shall subscribe, and if Customer subscribes, MochaDocs shall provide notification of the material changes to this BCR through the subscribed contacts at least thirty (30) business days prior to the change taking effect. To subscribe click here.

Appendix A – Services to which the MochaDocs Processor BCR Applies

The MochaDocs Processor BCR applies to the services branded as the following:

• The MochaDocs Services, which provide contract lifecycle management applications. The MochaDocs Services consist of:

o MochaDocs Cloud, a contract management automation tool that enables Customers to streamline their contract management processes

o Customer Service, a customer service support center and self-service tool that enables Customers to provide better service to their customers

12. Contacting us
 
To exercise your rights regarding your Personal Data, or if you have questions regarding this Privacy Statement or our privacy practices please fill out this form or mail us at:

MochaDocs Security Officer (MochaDocs Privacy Team)

Mr. Huib van der Struik

Roomweg 167-F, 1st Floor
7523 BM Enschede, the Netherlands

We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. If, however, you believe that we have not been able to assist with your complaint or concern, and you are located in the EEA, you have the right to lodge a complaint with the competent supervisory authority.