Data Processing Agreement

Metasecurity Solutions®, INC. Data Processing Agreement 


This Data Processing Agreement (“Agreement”) is made between you (“Data Controller”), and Metasecurity Solutions Inc., with its principal office located in the state of Delaware (“Data Processor”).


WHEREAS, the Data Processor agrees to process Personal Data on behalf of the Data Controller in connection with Managed Cybersecurity Services and Consulting;
AND WHEREAS, both Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).;
IT IS AGREED as follows:

1. Definitions

1.1.1 “Agreement” means this Data Processing Agreement and all Schedules;

1.1.2 “Personal Data” means any Personal Data Processed by a Data Processor on behalf of Controller pursuant to or in connection with the Principal Agreement;

1.1.3 “Processor” means Metasecurity Solutions, insofar as it Processes Personal Data on behalf of the Controller.;

1.1.4 “Processing” includes any operation performed on Personal Data, such as collection, storage, use, and transmission.

1.1.5 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

1.1.6 “EEA” means the European Economic Area;

1.1.7 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

1.1.8 “GDPR” means EU General Data Protection Regulation 2016/679;

1.1.9 “Data Transfer” means: a transfer of Controller Personal Data from the Controller to the Processor; or an onward transfer of Personal Data from the Processor to a Subcontracted Processor, or between two establishments of the Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);

1.1.10 “Services” means the cybersecurity consulting and managed services the Processor provides.

1.1.11 “Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Data Controller in connection with the Agreement.

2. Scope and Purpose

  • The Data Processor shall process Personal Data solely for the purpose of providing cybersecurity services, including but not limited to Cybersecurity Awareness Training, Cybersecurity Maturity Assessment Reports, Endpoint Detection and Response, Monitoring of Technology Systems, and providing support.

3. Processor Obligations

  • The Data Processor agrees to:

  • Process Personal Data in accordance with the documented instructions of the Data Controller.

  • Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality.

  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

  • Assist the Data Controller in ensuring compliance with its obligations under the GDPR.

  • Delete or return all Personal Data to the Data Controller after the end of the provision of services, unless required by law to store the Personal Data.

3.1 Security Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

3.1.1 In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

3.2 Processor Personnel. Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

3.3 Processor shall:

3.3.1 promptly notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and

3.3.2 ensure that it does not respond to that request except on the documented instructions of Company or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Company of that legal requirement before the Contracted Processor responds to the request.

4. Data Controller Obligations

  • The Data Controller agrees to:

  • Ensure that the Processing of Personal Data under this Agreement is lawful.

  • Provide the Data Processor with clear and documented instructions regarding the Processing of Personal Data.

  • Inform the Data Processor without undue delay about any inaccuracies in the Personal Data.


5. Subprocessors

  • The Data Processor shall not engage another processor (Subprocessor) without prior specific or general written authorization of the Data Controller.

6. Data Transfer

6.1 Processor will not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws. Such measures may include (without limitation) (i) transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, including the Data Privacy Framework; (ii) to a recipient that has achieved binding corporate rules authorization in accordance with European Data Protection Laws; or (iii) to a recipient that has executed the Standard Contractual Clauses in each case as adopted or approved in accordance with applicable European Data Protection Laws.

  1. Data Subject Rights

7.1 Taking into account the nature of the Processing, Processor shall assist the Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller obligations, as reasonably understood by Controller, to respond to requests to exercise Data Subject rights under the Data Protection Laws.