MightyCall Mobile MightyCall Mobile AppGoogle Play
MightyCall is named Digital Innovator by the U.S. Chamber of Commerce!
MightyCall
Submit a Ticket

Thanks for your request! We'll get back to you shortly

Please fill in the field

Please fill in the field

Enter a correct email address

You can attach one supporting file with a 10 Mb size limit in .png, .jpg, or .pdf format

File size limit 10 Mb (.png,.jpg,.jpeg,.pdf)

File size more than 10 Mb

Play video
Book demo

Data Processing Addendum

MIGHTYCALL
Data Processing Addendum

This Data Processing Addendum (“DPA”) is made by and between MightyCall and Customer (each a “Party“, together the “Parties“), and is supplemental to the Terms of Service executed between the Parties to which it is attached (“Agreement”) for the provision of the Services to Customer.

Definitions

For the purposes of this DPA:

(a) “Affiliate” means a person or entity that is controlled by a Party hereto, controls a Party hereto, or is under common control with a Party hereto, and “control” means beneficial ownership of greater than fifty percent (50%) of an entity’s then-outstanding voting securities or ownership interests.

(b) “Agreement” means the Terms of Use between MightyCall and Customer for the purchase of Services.

(c) “Applicable Data Protection Laws” means all data protection and privacy laws applicable to MightyCall in the processing of Personal Data under this DPA.

(d) “Controller” shall have the same meaning under Applicable Data Protection Law.

(e) “Customer Personal Data” means any Personal Data that MightyCall processes as a Processor under the Agreement.

(f) “Personal Data” means any information relating to an identified or identifiable natural person, as defined by Applicable Data Protection Law.

(g) “Processor” shall have the same meaning under Applicable Data Protection Law.

(h) “Security Incident” means a breach of security leading to any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data that compromises the privacy, security, or confidentiality of such Personal Data.

(i) “Services” means the MightyCall services.

Scope of DPA

This DPA will apply to the extent that MightyCall processes Customer Personal Data on behalf of a Customer as a Processor, where such processing is further detailed in Annex 1. Any processing of Personal Data as a Controller by MightyCall is out of scope of this DPA.

Role of the Parties

As between the Parties and for the purposes of this DPA, Customer shall be the Controller of the Customer Personal Data processed by MightyCall under the Agreement as a Processor. MightyCall will comply with the obligations of a Controller to the extent it processes Personal Data as a Controller for MightyCall’s legitimate business purposes, including as necessary for the operation of the Services, and as necessary to comply with applicable law.

Processing of personal data

Customer’s Processing of Personal Data. Customer determines the purposes and means of the Processing of Personal Data, and ensures the Processing of Personal Data shall comply with Applicable Data Protection Laws.

Obligations of the Customer. Customer undertakes to:

(a) Ensure that it may lawfully disclose the Customer Personal Data to MightyCall for the purposes set out in the Agreement.

(b) Comply with applicable data protection laws in its use of the Services, and its own collection and processing of Personal Data including Customer Personal Data. Customer acknowledges and confirms that Customer has informed its employees (current and future) and its works council as applicable, that as part of the Services, Customer has access to the traffic data; and

(c) Process special categories of Personal Data or sensitive data (as defined by Applicable Data Protection Laws), or Personal Data concerning children or minors, or related to criminal convictions and offenses, lawfully and relying on a valid legal basis in accordance with Applicable Data Protection Laws. The Parties acknowledge that the Services are not designed to recognize and/or classify such data.

Customer’s Instructions. Customer instructs MightyCall to Process Personal Data for the provision of Services. The Parties agree that this DPA, the Agreement, instructions provided via configuration tools incorporated in MightyCall’s platform and instruction provided via MightyCall’s dedicated customer support portal constitute Customer’s complete and final instructions to MightyCall for the Processing of Personal Data. Any additional or alternate instructions must be agreed upon separately in writing.

Purpose Limitation. Except where otherwise required by applicable law, MightyCall shall process the Customer Personal Data (i) in accordance with Customer’s instructions, (ii) for the purposes of providing, monitoring, supporting, improving, and maintaining the Services.

MightyCall shall not engage in the sale of any Personal Data.

Confidentiality of Processing. MightyCall shall ensure that any person that it authorizes to process the Customer Personal Data shall be subject to a duty of confidentiality (either a contractual or a statutory duty).

Security of personal data

Technical and Organizational Measures. MightyCall will maintain appropriate technical and organizational security measures to safeguard the security of Customer Personal Data. MightyCall will maintain an information security and risk management program based on commercial best practices to preserve the confidentiality, integrity and accessibility of Customer Personal Data with administrative, technical and physical measures conforming to generally recognized industry standards and practices.

Reviews and Updates. The technical and organizational measures shall be reviewed and updated by MightyCall where and when necessary. The Customer agrees that MightyCall may unilaterally update the technical and organizational measures from time to time provided that such updates do not result in a material reduction of the level of protection of the Personal Data.

Rights of data subjects and other regulatory actions

Data subjects’ right to information. It is the Customer’s responsibility to respond to any data subject request.

Regulatory Action. If MightyCall receives notice (whether or not from the Customer) of, any claim, complaint, request, direction, query, investigation, proceeding or other action of any Data Subject, court, regulatory or supervisory authority, or any body, organization or association in each case which relates in any way to the Personal Data Processed by MightyCall under this DPA (collectively, “Regulatory Action”), then MightyCall shall, if and to the extent required by the Applicable Data Protection Laws:

a) Notify the Customer via email sent to the Admin User Email Address with reasonable detail of the Regulatory Action, including copies of any relevant correspondence so that the Customer can deal with the Regulatory Action;

b) Provide the Customer with reasonable cooperation and assistance by appropriate technical and organizational measures with respect to any Regulatory Action; and

c) Not answer to a Regulatory Action, unless instructed otherwise by the Customer in writing or unless MightyCall is required to answer under the Applicable Data Protection Laws, in which case, where reasonably necessary, the Customer will provide MightyCall with reasonable cooperation and assistance in respect of the Regulatory Action.

Subprocessors

Customer agrees that MightyCall engages Subprocessors in connection with the provision of MightyCall’s Services. Therefore, by entering to this DPA, Customer authorizes MightyCall to engage the Subprocessors. Depending on the scope and the nature of the subprocessing, MightyCall shall impose data protection terms on such Subprocessors that protect Customer Personal Data to an equivalent standard provided for by this DPA and shall remain liable for any breach of the DPA caused by a Subprocessor.

General authorization. By executing the DPA, the Customer further grants MightyCall with a general authorization to engage new Subprocessors, add or replace current Subprocessors.

Subprocessor Notification. MightyCall may, by giving reasonable notice to the Customer, add or replace the Subprocessors. If the Customer objects to the appointment of an additional Subprocessor within ten (10) calendar days of such notice on reasonable grounds relating to the protection of the Customer Personal Data, then the Parties will discuss such concerns with a view to achieving resolution. If such resolution cannot be reached, then Customer will be entitled to suspend or terminate the affected MightyCall Service without penalty with a thirty (30) day written notice to MightyCall. Notwithstanding the foregoing, in the event of an unforeseeable force majeure (such as a MightyCall Subprocessor failure) that can provoke a degradation or interruption of the Service, MightyCall reserves the right to immediately change the failing Subprocessor in order to maintain or restore the standard conditions of the Service. In this situation, the notification of Subprocessor change may be exceptionally sent after the change.

International data transfers

Locations of Processing. MightyCall may transfer and process Customer Personal Data outside the European Economic Area (“EEA”), Switzerland, or the United Kingdom to locations where MightyCall or its Subprocessors maintain data processing operations.

European Personal Data transfers subject to appropriate safeguards. The locations described hereinabove may include countries, which are located outside the EEA, UK and Switzerland and, for the purposes of the applicable European Data Protection Law, (i) have not been recognized by the relevant authority as providing an adequate level of protection for personal data (as described in the applicable European Data Protection Law) or (ii) are not covered by a suitable framework recognized by the relevant authorities or courts as providing an adequate level of protection for personal data (“Locations Subject to Appropriate Safeguards”). Where the Processing of Personal Data is subject to the European Data Protection Law, the Parties shall not transfer Personal Data to any Location Subject to Appropriate Safeguards, unless the Parties have taken measures necessary to ensure that the transfer complies with the applicable European Data Protection Law.

EEA and Swiss Personal Data transfers to MightyCall. Where the Processing of Personal Data consists of or includes a transfer of Personal Data from the Customer, whose activities are subject to the EU GDPR or the FADP, to MightyCall, who is in a Location Subject to Appropriate Safeguards and whose activities are not subject to the EU GDPR or the FADP, the following applies: (i) where Personal Data is received by CallCurrent, Inc. in the U.S., MightyCall commits to subject the Processing of Personal Data to the EU-U.S. DPF or respectively the Swiss-U.S. DPF and adhere to the DPF Principles with regard to the processing of Personal Data, and (ii) to the extent that MightyCall processes (or causes to be processed) any Customer Personal Data originating from the EEA, Switzerland, or the United Kingdom in a country that has not been recognized by the European Commission as providing an adequate level of protection for Customer Personal Data, MightyCall will put in place such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Laws, which include the execution of the applicable EU Commission’s Standard Contractual Clauses, and the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or the putting in place of any other valid transfer mechanism.

Data breaches

Notification. MightyCall will notify Customer of any Data Breach promptly after detection of such Data Breach by MightyCall. Where a European Data Protection Law applies, MightyCall will notify Customer no later than 24 hours after such detection. The notification shall be carried out via email sent to Admin User Email Address.

Provided information. MightyCall undertakes to provide the Customer with all reasonable cooperation and assistance, as well as all details of the Data Breach required for the Customer to comply with its obligations under the Applicable Data Protection Laws in relation to the Data Breach.

Customer assistance. Where MightyCall has independent obligations in relation to the Data Breach under the applicable Data Protection Laws, the Customer undertakes to provide MightyCall with all reasonable cooperation and assistance, as well as information relevant to the Data Breach required for MightyCall to comply with its obligations under the Applicable Data Protection Laws in relation to the Data Breach.

Audit rights

Customer audit right. If and to the extent such right is granted to the Customer by the Applicable Data Protection Laws, Customer or its independent third-party auditor reasonably acceptable to MightyCall (which shall not include any third-party auditors who are either a competitor of MightyCall or not suitably qualified or independent) may audit practices relevant to Personal Data Processing by MightyCall, if:

a) The Customer has reasonable grounds, proved in advance to MightyCall, to believe that MightyCall does not Process Personal Data in compliance with this DPA or the Applicable Data Protection Laws or that a Data Breach has occurred; or

b) The audit is formally requested by Customer’s data protection authority; or

c) Applicable Data Protection Laws provide Customer with a direct audit right.

Audit frequency. The Customer shall conduct the audit at maximum once in any twelve month period, unless Applicable Data Protection Laws require more frequent audits.

Notice. The Customer shall provide at least thirty (30) days advance notice of any audit unless mandatory Data Protection Law or a competent data protection authority requires shorter notice. The frequency and scope of any audits shall be mutually agreed between the parties acting reasonably and in good faith.

Cost of Audits. Each Party shall bear its costs of audits hereunder.

Return and deleting of Customer’s data

Return (export) right and deletion. Upon the termination of the Agreement, MightyCall will permit the Customer to export the Personal Data Processed under this DPA, at its expense, in accordance with the capabilities of the Service, within the period of thirty (30) days following such termination. After the expiry of such period, MightyCall will delete all Personal Data stored or Processed by MightyCall exclusively on behalf of the Customer and their copies, unless an applicable law requires storage of the personal data. The Customer expressly consents to such deletion and acknowledges that following the period stated in the first sentence of this Section, MightyCall shall not be able to facilitate any export of the Personal Data to the Customer, as such Personal Data shall be either deleted or archived by MightyCall as a Data Controller for the purpose(s) and for the period(s) stated in MightyCall’s Privacy Policy.

Term and amendments

Unless the above explicitly states otherwise the terms and conditions of the Agreement shall apply to the DPA. In case of any conflict between the terms of the Agreement and the terms of this DPA, the terms of this DPA prevail with regard to data processing activities.

The governing law and forum that apply to the Agreement also apply to this DPA.

The customer explicitly acknowledges and agrees that this DPA may be amended in the same way as agreed by the parties for amendments of the Agreement, including MightyCall’s right to update the terms of the Agreement, any of its policies and this DPA from time to time, as decided by MightyCall in its sole discretion, subject to notice to Customer at the Admin User Email Address.

Contacting us

If you have any questions, comments or concerns about this Addendum, you may contact us at:

CallCurrent, Inc.
919 North Market Street
Suite 950
Wilmington, DE, 19801

email: support@mightycall.com