Legal
数据处理地址
Addendum
定义,定义
数据保护技术
-
Shall Process Personal Data:(i)in accordance with the documented instructions from Customer as set in this DPA,the Agreement,or(if applicable)the Ordering Document; (ii)shared or transmitted by Customer in connection with Customer’s use of the Application Services; and(iii)to comply with other written, reasonable instructions provided by Customer where such instructions are consistent with the terms of this DPA,the Agreement,and Data Protection Legislation.If Mixpanel is required to Process Personal Data for any other purpose provided by applicable law to which it subject, 公共公共接口,公共接口,公共接口; -
Shall notify Customer without undue delay if,in Mixpanel’s opinion,an instruction of Personal Data provided by Customer through the Application Services infringes applicable Data Protection Legislation; -
Shall,without limitation of Customer’s security obligations under the Agreement,implement and maintain Appropriate Technical and Organisational Measures designed to protect Personal Data against accidental,unauthorised or unlawful destruction,loss,alteration,disclosure, or access.These measures shall be designed to provide a level of security appropriate to the risk of harm which might result from such incidents and having regard to the nature of the Personal Data which is to be protected; -
May hire and has hired other companies to provide limited services on its behalf,provided that Mixpanel complies with the provisions of this clause.Current hereby confirms its general authorization for Mixpanel’s use of Subprocessors.Mixpanel’s current Subprocessors list is availableat: https://mixpanel.com/legal/subprocessor-list/ (the“” 授权子进程 ”)。 Subprocessors will be permitted to Process Personal Data only to deliver the services Mixpanel has retained them to provide, and they shall be prohibited from using Personal Data for any other purpose.Mixpanel remains responsible for its Subprocessors’compliance with the obligations of this DPA.Any Subprocessors to whom Mixpanel transfers Personal Data wive entered into written agreements with Mixpanel requiring that the Subprocessor abider by with the requirements of this DPA.At least thirty(30)days prior to the date on which any new Subprocessor shall commence Processing Personal Data, ixpanel will update the list of Authorized Subprocessors to include the new Subprocessor.If Customer would like to receive notification of such an update to the list,Customer may sign up to receive such notice by emailing compliance@mixpanel.com .If Customer has a legitimate objection to Mixpanel’s appointment of a new Subprocessor, 客户自备费用 compliance@mixpanel.com within fourteen(14)calendar days of receiving the notice。 Legitimate objections must contain reasonable and documented grounds relating to a Subprocessor’s non-compliance with applicable Data Protection Legislation.If,in Mixpanel’s reasonable opinion,such objections are legitimate,the Customer may,by providing written notice to Mixpanel, terminate the Agreement.Customer acknowledges and agrees that(a)Mixpanel’s Affiliates may be retained as Subprocessors through written agreement with Mixpanel and(b)Mixpanel and Mixpanel Affiliates respectively may engage third party subcontractors, pursuant to this clause4,in connection with the provision of the Application Services; -
Shall ensure that all Mixpanel personnel required to access the Personal Data are informed of the confidential nature of the Personal Data,are subject to a duty of confidentiality in respet thereof,and comply with the obligations set out in this in this DPA and applicable Data Protection Legislation; -
Shall,at Customer’s written request,assist the Customer by implementing appropriate and reasonable technical and organisational measures to assist with the Customer’s obligation to respond to requests from Data Subjects to exercise rights under Data Protection Legislation(including requests for infor relating to the Processing, 和requests relating to access,rectification,erasure or portability of Personal Data)provided that Mixpanel reserves the right to reimbursement from Customer for the reasonable cost of any time,expenditures or fees incurred in connection with such assistance; -
Shall take reasonable steps at the Customer’s request to assist Customer in meeting Customer’s obligations under Article 32 to 36 of the GDPR taking into account the nature of the Processing under this DPA;provided,however,that Mixpanel reserves the right to reimbursement from Custore for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance; -
Shall,at the end of the applicable term of the Application Services and upon Customer’s written request,securely destroy or return such Personal Data to Customer,unless retention is required by law,and,if requested by Customer,provide Customer with information necessary to demonstrate compliance with this this obligation; -
Agrees,where Mixpanel Processor permits any Subprocessor to ProcessPersonal Data in any country not deemed to provide an adequate level of protection of Personal Data by Data Protection Legislation, transfer such Personal Data across international borders as follows:(i)for the European Union and the European Economic Area in compliance with the Standard Contractal Clauses which shall be incorporated in full by reference and form an integral part of this DPA,and which are set forth in Schedule2 below(“ 标准Contractal Clauses “or” SCCs “”, provided that in the event of a conflict between the DPA and the Standard Contractal Clauses,the Standard Contractal Clauses shall control, (ii)for the United Kingdom,in compliance with the Standard Contractal Clauses as amended in accordance with guidance from the United Kingdom’s Information Commissioner’s Office as set forth in Schedule3;and(iii)for Switzerland, 在规定的时间内,在规定的时间内,在规定的时间内,在规定的时间内,在规定的时间内,在规定的时间内,在规定的时间内,在规定的时间内,在规定的时间内,在规定的时间内,在规定的时间内,在规定的时间内; -
Shall,upon written request,either provide information regarding its compliance in the form of third-party certifications and audits reports on its security,privacy and architecture or respond with industry stard written audit questionnaires, provided that the purpose of such audit is to verify that Mixpanel is Processing Personal Data in accordance with its obligations under the DPA.Such audit may be carried out by Customer or an inspection body composed of independent members and in possession of requireed professional certificates or qualifications that that bisaid bond to duty of onfidentiality,and for the avoidance of doubt,no access to any part of Mixpanel’s information technology systems,data hosting sites or centers,or its infrastructure will be permitted.Only to the extent that such audit of Mixpanel’s third-party certifications, audit reports and/or industry standard written audit questionnaires cannot reasonably demonstrate Mixpanel’s compliance with its obligations under the DPA, may Customer or an inspection body composed of independent members elected by Customer that is bound by a duty of confidentiality conduct an on-site audit of Mixpanel.Any on-site audit rights of Customer will not include access to any Subprocessor’s faclities.Any on-site audit shall:(i)be conducted the expenser of; (ii)be conducted under mutually agreed notice, scope and duration; (iii)exclude any internal accounting or financial information,trade secret,data or information of any other Mixpanel customer(including its end users), 该系统或premises或cause Mixpanel to be in breach of its obligations under Data Protection Legislation or its security,confidentiality, 或privacy obligations to any other Mixpanel customer or third-party; and(iv)be limited to once per calendar year。 The Parties agree that any audit described in the Standard Contractal Clauses shall be performed pursuant to this provision; -
Shall notify Customer without undue delay if Mixpanel becomes aware of a breach of its security leading to any accidental,unauthorised or unlawful destruction,loss,alteration,disclosure of,or access to Personal Data that is Processed by Mixpanel in the course of providing the Application Services “Incident” )under the Agreement and provide Customer with a description of the Incident as well as periodic updates to information about the Incident, including its impact on Personal Data.Mixpanel shall additionally take action to investigate the Incident and reasonably prevent or mitigate the effect of the Incident;and -
Shall provide relevant information reasonably requested by Customer to demonstrate compliance with the obligations set out in this DPA。
DPA Schedule1
详细数据处理
-
城市,城市 -
区域,区域 -
Country -
时间间隔,时间间隔 -
Browser -
浏览器版本设备 -
当前URL Initial Referrer -
初始Reverring Domain Operating System Mixpanel Library Reverrer -
Referring Domain Screen Height Screen Width Search Engine Search Keyword -
UTM参数(i.e。, any UTM tags associated with the link a customer clicked to arrive at the domain) -
Last Seen(the last time a property was set or updated)。
DPA Schedule2
标准Contractal Clauses(Processors)
分段I
Clause 1
-
(i)the natural or legal person(s),public authority/ies,agency/ies or other body/ies(hereinafter‘entity/ies’)transferring the personal data,as listed in Annex I.A(hereinafter each‘data exporter’),and -
(ii)the entity/ies in a third country receiving the personal data from the data exporter,directly or indirectly via another entity also Party to these Clauses,as listed in Annex I.A(hereinafter each‘data importer’)have agreed to these standard contractual clauses(hereinater:Clauses)。
Clause 2
Clause 3
-
(i)Clause1, Clause2,Clause3,Clause6,Clause7; -
(ii)Clause8.1(b),8.9(a),(c),(d)and(e); -
(iii)Clause9(a),(c),(d)and(e); -
(iv)Clause12(a),(d),and(f); -
(v)Clause13; -
(vi)Clause 15.1(c),(d)and(e); -
(vii)Clause16(e); -
(viii)Clause18(a)and(b)。
Clause 4
Clause 5
Clause 6
Clause 7-Optional
第二部分–外部分区
Clause 8
-
(i)the onward transfer is to a country benefiting from an adequacy decision pursuant to Article 45 of Regulation(EU)2016/679 that covers the onward transfer; -
(ii)(EU)2016/679 with respect to the processing in question; -
(iii)the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative,regulatory or judicial proceedings;or -
(iv)the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person。
Clause 9
Clause 10
Clause 11
-
(i)lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13; -
(ii)refer the dispute to the competent courts within the meaning of Clause18。
Clause 12
Clause 13
Section III–Local Laws and Obligations in Case of Access by Public Authorities
Clause 14
-
(i)the specific circumstances of the transfer, including the length of the processing chain,the number of actors involved and the transmission channels used;intended onward transfers;the type of recipient;the purpose of processing;the categories and format of the transferred personal data;the economic sector in which the transfer occurs;the storage location of the datansferred; -
(ii)the laws and practices of the third country of destination–including those requiring the disclosure of data to public authorities or authorising access by such authorities–relevant in light of the specific circumstances of the transfer, and可应用limitations and safeguards; -
(iii)any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses,including measures applied during transmission and to the processing of the personal data in the country of destination。
Clause 15
-
(i)receives a legally binding request from a public authority, including judicial authorities,under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses;such notification shall include information about the personal data requested,the requesting authority,the legal basis for the request and the response provided -
(ii)becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer。
分段IV–Final Provisions
Clause 16
-
(i)the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph(b)and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension; -
(ii)the data importer is in substantial or persistent breach of these Clauses; 或,或 -
(iii)the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses。
Clause 17
Clause 18
标准Contractal Clauses
Annex I
A.LIST OF PARTIES
B.DESCRIPTION OF TRANSFER
-
Where it has appointed an EU representative(Art 27 of the GDPR), supervisory authority is the one of the European Economic Area countries in which the Data Exporter’s representative is located; -
Where it does not have to appoint an EU representative,the supervisory authority is that of one of the European Economic Area country in which the data subjects whose data are being transferred pursuant to these Standard Contractual Clauses are located。
标准Contractal Clauses
Annex II
Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data
标准Contractal Clauses
Annex III
子进程列表
-
(i)The 已修复的子进程可操作: https://mixpanel.com/legal/subprocessor-list/ 打开; and,and -
(ii)To receive notification of updates to the list of Subprocessors, 数据导出器must first submit a request for such notifications in writing to Mixpanel by emailing compliance@mixpanel.com .Data Importer will then provide Data Exporter with updates to such Subprocessor list(if any)in accordance with the DPA。
DPA Schedule3
UK Addendum to Standard Contractal Clauses(Processors)
国际转移协议
DPA Schedule4
处理到标准Contractal Clauses
-
Swiss Federal Data Protection and Information Commissioner(the Swiss Federal Data Protection and Information Commissioner) “FDPIC” )will be the competent supervisory authority, in Annex I.C under Clause 13 of the SCCs; -
SCCs,SCCs shall be as set for actions between the Parties under Clauses 17 and 18 of the SCCs shall be as set forth in the SCCs, provided that that the term“member state”must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence(Switzerland)in accordance with Clause18(c)of the SCCs; -
references to the“GDPR”should be understood as references to the“FADP;”and -
where the FADP protects legal entities as Data Subjects,the SCCs will apply to data relating to identified or identifiable legal entities。