This Data Processing Agreement (“DPA”) is between your company (“Client” or “Controller”) and the InMoment company (“InMoment”, “Service Provider”, or “Processor”) identified in the Agreement. This DPA applies to the Processing of Personal Data by InMoment while providing Services to the Client as outlined in the Agreement.
1. Definitions
All capitalized terms not defined below will have the meanings given to them in the Agreement.
a. “Agreement” means the master agreement, order form, statement of work, or schedule pursuant to which InMoment provides and the Client uses the Services.
b. “Data Protection Laws” means the applicable privacy and data protection laws, rules, and regulations.
c. “Personal Data” is given the meaning under the Data Protection Laws relating to this term or any similar term including personal information or personally identifiable information. If no laws apply, then Personal Data means any information that by itself or when combined with other information can be used to identify a specific natural person (e.g., name, telephone number, address, etc.).
d. “Process” or “Processing” is given the meaning under the Data Protection Laws. If no laws apply, then Process or Processing means any operation performed on Personal Data such as collecting, storing, altering, analyzing, accessing, using, disclosing, making available, erasing, or destroying.
e. “Security Incident” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
f. “Services” means the InMoment products and services outlined in the Agreement.
2. Details of Processing
The subject matter, nature, purpose, details of Processing, and the types of Personal Data Processed are outlined in the Agreement and determined by the Client through the Client’s use of the Services. Personal Data may include, without limitation, name, phone number, email address, postal address, IP address, customer loyalty number, employee number, and any other Personal Data the Client chooses to send to InMoment regarding its employees, customers, and/or end users. The duration of Processing will be for the term of the Agreement.
3. InMoment’s Obligations
a. InMoment shall comply with the Data Protection Laws (including any such obligations that relate to InMoment’s use of sub-processors).
b. InMoment shall only Process Personal Data within the scope of the Client’s documented instructions and as permitted in the Agreement or this DPA.
c. InMoment shall inform the Client if InMoment believes, in good faith, that the Client’s instructions violate the Data Protection Laws or any other confidentiality obligations. InMoment shall be entitled to postpone action on such an instruction until the Client has addressed InMoment’s concerns.
d. InMoment, and anyone who Processes the Personal Data on InMoment’s behalf, shall maintain the Personal Data with strict confidentiality and shall not disclose Personal Data to any unauthorized third parties.
e. Except as otherwise provided by law, upon the Client’s request and, if required by the Data Protection Laws, InMoment shall delete, return, or enable the Client to delete and/or download, all Personal Data at the end of the Agreement unless a longer retention period is required by law.
f. InMoment shall not sell or share for targeted advertising, as defined by the Data Protection Laws, Personal Data it receives from or on behalf of the Client.
g. InMoment shall not retain, use, or disclose Personal Data received by or on behalf of the Client outside of its direct business relationship with the Client other than as permitted by the Agreement, this DPA, or the Data Protection Laws.
h. InMoment shall not combine Personal Data received by or on behalf of the Client with Personal Data received by a third party, except as permitted by the Agreement, this DPA, or the Data Protection Laws.
4. Client’s Obligations
a. The Client shall comply with the Data Protection Laws including all requirements for InMoment to Process the Personal Data on the Client’s behalf including, without limitation, giving notifications, obtaining consents, and making any disclosure required under the Data Protection Laws.
b. The Client shall give written instructions to InMoment regarding Processing of Personal Data as agreed by the parties in the Agreement, this DPA, or through its use of the Services. In urgent cases, instructions may be given verbally. These instructions will be immediately confirmed and documented by the Client in writing.
c. The Client shall not instruct InMoment to Process the Personal Data in any way that violates the Data Protection Laws. If the Client believes, in good faith, that a request violates the Data Protection Laws or any other confidentiality obligations, then the Client shall immediately inform InMoment.
d. The Client shall immediately notify InMoment if it finds any error or irregularity when reviewing the Processing.
5. Security
InMoment has implemented and shall maintain reasonable and appropriate technical and organizational measures for the Services as outlined in Exhibit A to this DPA. To keep up with advancing technology and security, InMoment reserves the right to modify the technical and organizational measures provided that the functionality and security are not degraded.
6. Security Incidents
If a Security Incident occurs, then InMoment shall promptly notify the Client of the Security Incident and immediately take reasonable steps to mitigate and remediate the Security Incident including steps to prevent such Security Incident from happening again. InMoment shall reasonably cooperate with the Client to comply with Data Protection Laws related to notification of supervisory authorities or individuals affected by the Security Incident.
To the extent known by InMoment at the time InMoment becomes aware of the Security Incident, InMoment’s notification to the Client shall include:
a. The Personal Data affected (including types, categories, and volumes);
b. The name and contact information of InMoment’s data protection officer or point of contact for further information;
c. The cause and impact of the Security Incident; and
d. The mitigation and remediation efforts already taken and/or to be taken by InMoment.
7. Audits
The Client may audit InMoment’s compliance with this DPA on an annual basis, but audits may occur more frequently if the Client has a good faith belief that InMoment has not materially complied with its obligations herein. InMoment shall make available to the Client any information necessary to demonstrate its compliance with this DPA. An audit may consist of sending InMoment reasonable security questionnaires, requesting evidence of applicable security certifications (e.g., SOC 2 or ISO 27001), and requesting results of assessments and tests performed by InMoment or an independent third party as part of InMoment’s regular processes. If InMoment determines that it can no longer comply with the Data Protection Laws, then InMoment will promptly notify the Client.
8. Sub-Processors
The Client provides general consent for InMoment to work with third parties to provide the Services. Third parties who Process Personal Data are referred to as sub-processors. InMoment shall enter into a written agreement with each sub-processor and ensure, to the extent applicable, that each sub-processor is bound by obligations which are at least as restrictive as those outlined in this DPA. InMoment shall be responsible for the acts or omissions of its sub-processors at all times.
The Client may request a list of InMoment’s sub-processors at any time. A current list can also be found at https://inmoment.com/subprocessors/. InMoment shall inform the Client of any new or replacement sub-processors in advance by updating the website or by email (where the Client has signed up to receive email notifications via the link on the website).
If the Client has a reasonable objection to a new sub-processor, then the Client shall: (a) send written notice to legal@inmoment.com within 30 days of InMoment’s notice; and (b) articulate reasonable grounds for its objection in the notice. InMoment and the Client shall promptly work together in good faith to resolve any concerns. If notice is not sent to InMoment within the time period specified above, then the Client shall be deemed to have consented to InMoment’s use of the new sub-processor.
9. Individual Personal Data Requests
If InMoment receives a request from an individual related to their Personal Data that InMoment Processes for and on behalf of Client, then InMoment shall promptly inform the Client of the request or InMoment may advise the individual to submit their request directly to the Client. The Client is responsible for ensuring that such requests are handled in accordance with the Data Protection Laws. InMoment shall reasonably cooperate with the Client in fulfilling these requests.
10. Additional Costs
If the Client requests InMoment’s assistance with fulfilling its obligations under the Data Protection Laws and such requests go beyond the standard functionality of the Services, then InMoment may charge the Client for any costs beyond those outlined in the Agreement to the extent that is reasonable (considering factors like time, volume, and complexity of instructions). This includes, without limitation, costs related to erasure, return, storage, or additional retention of Personal Data.
11. General
Except to the extent prohibited by Data Protection Laws, any breach of this DPA is subject to the liability cap in the Agreement. Furthermore, the liability of either party for breach of this DPA will be reduced proportionately to the extent that any act or omission of the other party or any third party acting on its behalf directly caused or contributed to such breach. If there are any conflicts between this DPA and the Agreement, this DPA prevails. This DPA supersedes and replaces any other prior data processing agreement or similar terms which were entered into by the Client and InMoment.
v2024April
Exhibit A
Technical and Organizational Measures
1. Physical Access Control. Unauthorized persons are prevented from gaining access to premises, buildings, rooms, or data processing equipment used to process personal data. Controls include:
- A physical access authorization concept is established, documented and regularly reviewed based on business and information security requirements
- Access to the premises is controlled through facility and office management
- Access points such as delivery and loading areas, and other points where unauthorized persons could enter the premises, are controlled and, if possible, isolated from information processing facilities to avoid unauthorized access
- Locking doors and windows outside business hours
- Access control via badges or tokens
- Documented key allocation
- Secure areas are protected by additional appropriate access controls
- Visitor and supplier access regulations are in place
- Burglary alarm system
- Security coverage outside working hours (e.g., a security firm)
2. Logical Access Control. Unauthorized persons are prevented from using data processing equipment.
a. General Access Control and Authentication. Controls include:
- An access control policy is established, documented and regularly reviewed based on business and information security requirements
- The allocation of secret authentication information is controlled through a formal management process
- Access to systems and applications is controlled by a secure log-on procedure
- Functional and/or time-limited assignment of user authorisations
- Use of individual passwords, even initial ones
- Password management systems are interactive and shall ensure quality passwords (e.g., at least 8 digits, with at least 3 of the following criteria enforced: upper and lower case, special characters, numbers; prevention of trivial passwords)
- A policy regarding teleworking and mobile device usage is established, documented and regularly reviewed based on business and information security requirements
- A clean desk and desktop policy is established, documented and regularly reviewed based on business and information security requirements
- Screen lock (password protection of computer workstations; automated password-protected lock screen after inactivity)
b. Network Security. Controls include:
- Users are only provided with access to the network and network services that they have been specifically authorized to use.
- Networks are managed and controlled to protect information systems and applications.
- Security mechanisms, service levels, and management requirements of all network services are identified and included in network services agreements, whether these services are provided in-house or outsourced.
- Groups of information services, users, and information systems are segregated on networks
c. Secure System Development. Controls include:
- The information security related requirements are included in the requirements for new information systems or enhancements to existing information systems
- Rules for the development of software and systems are established and applied to developments within InMoment
- Access to program source code is restricted
- Principles for engineering secure systems are established, documented, maintained, and applied to any information system implementation efforts
- InMoment appropriately protects secure development environments for system development and integration efforts that cover the entire system development lifecycle.
- InMoment supervises and monitors the activity of outsourced system development
- Test data is carefully selected, protected and controlled
- System acceptance tests are conducted in a planned manner
d. Logging and Log Management. Controls include:
- Event logs recording user activities, exceptions, faults, and information security events are produced, kept, and regularly reviewed
- Logging facilities and log information are protected against tampering and unauthorized access
- System administrator and system operator activities are logged, and the logs protected and regularly reviewed
- Consistent time synchronization ensures accurate timestamps in the logs of all servers, firewalls, routers and other network devices
- Granular access to databases and functions (read, write, execute) can be granted separately
e. Technical Vulnerability Management and Protection from Malware. Controls include:
- A vulnerability management process is established, documented and regularly reviewed based on business and information security requirements
- Detection, prevention, and recovery controls to protect against malware are implemented (e.g., virus scanner, firewalls, spam filter), combined with appropriate user awareness
- Information about technical vulnerabilities of information systems is obtained in a timely fashion, InMoment’s exposure to such vulnerabilities is evaluated, and appropriate measures are taken to address the associated risk
3. Data Access Control. Only authorized persons may access Personal Data.
a. Authorization. Controls include:
- An access control policy is established, documented and regularly reviewed based on business and information security requirements
- A formal user registration and de-registration process is implemented to enable assignment of access rights
- A formal user access provisioning process is implemented to assign or revoke access rights for all user types to all systems and services
- The allocation and use of privileged access rights is restricted and controlled
- Asset owners review users’ access rights on a regular basis
- The access rights of all employees and external party users to information and information processing facilities are removed upon termination of their employment, contract or agreement, or adjusted upon change
- Information involved in application service transactions is protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication, or replay
b. Use of Cryptography. Controls include:
- A cryptographic controls policy is established, documented and regularly reviewed based on business and information security requirements
- Use of encrypted data transfer (e.g., VPN connection)
- Encryption of mobile data media (e.g., USB, external hard drives, memory cards, etc.), containing the controller’s data
- Encryption of laptop hard drives
- Data transfer over HTTPS connections
c. Asset Management and Information Classification. Controls include:
- An asset management policy is established, documented and regularly reviewed based on business and information security requirements
- Rules for the acceptable use of information and of assets associated with information and information processing facilities are identified, documented, and implemented
- All employees and external party users return all InMoment-owned assets in their possession upon termination of their employment, contract or agreement
- Information is classified in terms of legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification
- An appropriate set of procedures for information labelling is implemented in accordance with the information classification scheme adopted by InMoment
- Procedures for handling assets are implemented in accordance with the information classification scheme adopted by InMoment
- Procedures are implemented for the management of removable media in accordance with the classification scheme adopted by InMoment
- Media is disposed of securely when no longer required, using formal procedures. Where hardcopy materials are destroyed, they are destroyed securely using mechanisms such as cross-cut shredding
4. Data Transfer Control. Measures to ensure that personal data cannot be read, copied, altered or removed without authorization during their electronic transmission or during their transport or storage on data carriers and that it is possible to verify and establish the points to which personal data are to be transmitted by data transmission facilities. Controls include:
- An acceptable use policy is established, documented and regularly reviewed based on business and information security requirements
- Media containing information is protected against unauthorized access, misuse, or corruption during transportation
- Formal transfer policies, procedures, and controls are in place to protect the transfer of information through the use of all types of communication facilities
- Information transferred via electronic messaging is appropriately protected
5. Input Control. Measures to ensure that it can be subsequently verified and established whether and by whom personal data have been entered into, modified in or removed from computer systems. Controls include:
- All critical devices, systems, databases and applications must have logging enabled to capture sufficient information to establish a proper verifiability of occurring events
- Log information is protected against unauthorized access
- Access to systems, applications and the related data is always based on individual, personally associated user identifiers
- The use of privileged utility software is consistently logged
6. Order Control. Measures to ensure that processing on behalf is done in accordance with the instructions of the controller. Controls include:
- A policy regarding commissioned data processing is established, documented and regularly reviewed based on business and information security requirements
- Contract templates regarding commissioned data processing are established, documented and regularly reviewed based on business and information security requirements
- A supplier security policy and related review processes are established, documented and regularly reviewed based on business and information security requirements
- Contract drafting according to legal requirements (Art. 28 GDPR)
- Recording of existing sub-processors (uniform, formalised contract/order management and control)
- Regular reviews and inspections of sub-processors (strict controls on selection; supervisory follow-up checks)
7. Availability Control. Measures to ensure that personal data are protected against accidental destruction or loss.
a. Backup. Controls include:
- Backup copies of information, software, and system images are taken and tested regularly in accordance with an agreed backup policy. Recovery tests are performed on a periodic basis
- Records are protected from loss, destruction, falsification, unauthorized access, and unauthorized release in accordance with legislative, regulatory, contractual, and business requirements
b. Change Control. Controls include:
- A change management process is established, documented and regularly reviewed based on business and information security requirements
- Changes to systems within the development lifecycle are controlled by the use of formal change control procedures
- When operating platforms are changed, business critical applications are reviewed and tested to ensure there is no adverse impact on operations or security
- Modifications to software packages are discouraged, limited to necessary changes, and all changes are strictly controlled
- Testing of security functionality is carried out during development
- Acceptance testing programs and related criteria are established for new information systems, upgrades, and new versions
- Rules governing the installation of software by users are established and implemented
c. Business Continuity and Disaster Recovery. Controls include:
- A business continuity management policy and a corresponding business continuity program plan are established, documented and regularly reviewed based on business and information security requirements
- An incident management policy and a corresponding incident management process are established, documented and regularly reviewed based on business and information security requirements
d. Operational Aspects. Controls include:
- A secure operations policy is established, documented and regularly reviewed based on business and information security requirements
8. Data Separation. Measures to ensure that data collected for different purposes are processed separately. Controls include:
- Access to information and application system functions is restricted in accordance with the access control policy. This includes the appropriate isolation of Personal Data
- Development, testing, and operational environments are separated to reduce the risks of unauthorized access or changes to the operational environment
- Test data is selected carefully, protected, and controlled. Personal Data is not utilized for testing purposes during the software development lifecycle
9. Data protection by design and by default. Measures to ensure that data-protection principles, such as data minimization, are implemented. Controls include:
- InMoment processes personal data, where possible and useful, in such a way that the data can no longer be assigned to a specific data subject without additional information (Pseudonymization)
- There are data validation processes in place to ensure that processing of personal data is limited to the extent necessary (Data Minimization)
10. Procedures for periodic review and evaluation. InMoment reviews its policies, procedures, and controls on a regular basis and adopts changes where required. This continued process involves internal resources like Information Security, Privacy Compliance, Legal and Product Development as well as external advisers and auditors.