MPM’s Privacy Commitment
MPM has always held, and always will hold, its customer and user data privacy in the utmost regard. We ask for only the least amount of information necessary, gathering only what we believe is essential for doing business, or for the specific transaction at hand. We let customers know the information we have on them and allow them to opt out of specific engagements.
The goal of this policy is to make explicit the information we gather on our customers and users, how we will use it, and how we will not. This policy is unfortunately longer than we would like, but we must unambiguously address all the relevant cases. Included within this is a Data Processing Addendum which specifically relates to how we comply with the rules and regulations of GDPR.
This part deals with how MPM collects and uses information about website visitors, potential customers, users of MPM’s products and services, and others who contact MPM through forms or email addresses published on or linked to our websites.
This part deals with how MPM handles data that you entrust to MPM when you use our products and services, or when you share any personal or confidential information with us while requesting customer support.
Part I – Information MPM collects and controls
What information MPM collects
We collect information about you only if we need the information for some legitimate purpose. MPM will have information about you only if (a) you have provided the information yourself, (b) MPM has automatically collected the information, or (c) MPM has obtained the information from a third party. Below we describe the various scenarios that fall under each of those three categories and the information collected in each one.
Information that you provide us
i. Account signup: When you sign up for an account to access one or more of our services, we ask for information like your name, contact number, email address, company name and country to complete the account signup process. You’ll also be required to choose a unique username and a password for accessing the created account. You may also provide us with more information such as your photo, time zone and language, but we don’t require that information to sign up for an account.
ii. Event registrations and other form submissions: We record information that you submit when you (i) register for any event, including webinars or seminars, (ii) subscribe to our newsletter or any other mailing list, (iii) submit a form in order to download any product, whitepaper, or other materials, (iv) participate in contests or respond to surveys, or (v) submit a form to request customer support or to contact MPM for any other purpose.
iii. Payment processing: If you submit payment information in connection with your use of the Service, we utilize a third-party PCI DSS compliant credit card processing company to collect payment information, including your credit card number, billing address, and phone number. In such circumstances, the third-party service provider, and not MPM, stores your payment information on their secured servers, in an encrypted format, on our behalf.
For quick processing of future payments, if you have given us your approval in the payment process, your credit card information or other payment information captured will be utilised by that processing company to take those future payments.
iv. Testimonials: When you authorize us to post testimonials about our products and services on websites, we may include your name and other personal information in the testimonial. You will be given an opportunity to review and approve the testimonial before we post it. If you wish to update or delete your testimonial, you can contact us at firstname.lastname@example.org.
v. Interactions with MPM: We may record, analyse and use your interactions with us, including email, telephone, and chat conversations with our sales and customer support professionals, for improving our interactions with you and other customers.
Information that we collect automatically
Information that we collect from third parties
i. Referrals: If someone has referred any of our products or services to you through any of our referral programs, that person may have provided us your name, email address and other personal information. You may contact us at email@example.com to request that we remove your information from our database. If you provide us information about another person, or if another person gives us your information, we will only use that information for the specific reason for which it was provided to us.
ii. Information from our reselling partners and service providers: If you contact any of our reselling partners, or otherwise express interest in any of our products or services to them, the reselling partner may pass your name, email address, company name and other information to MPM. If you register for or attend an event that is sponsored by MPM, the event organizer may share your information with us. MPM may also receive information about you from review sites if you comment on any review of our products and services, and from other third-party service providers that we engage for marketing our products and services.
iii. Information from social media sites and other publicly available sources: When you interact or engage with us on social media sites such as LinkedIn, Facebook, Twitter, and Instagram through posts, comments, questions and other interactions, we may collect such publicly available information, including profile information, to allow us to connect with you, improve our products, or better understand user reactions and issues. We must tell you that once collected, this information may remain with us even if you delete it from the social media sites. MPM may also add and update information about you, from other publicly available sources.
Purposes for using information
In addition to the purposes mentioned above, we may use your information for the following purposes:
- To keep you posted on new products and services, upcoming events, offers, promotions and other information that we think will be of interest to you;
- To ask you to participate in surveys, or to solicit feedback on our products and services;
- To set up and maintain your account, and to do all other things required for providing our services, such as enabling collaboration, providing website and mail hosting, and backing up and restoring your data;
- To understand how users use our products and services, to monitor and prevent problems, and to improve our products and services;
- To provide customer support, and to analyze and improve our interactions with customers;
- To detect and prevent fraudulent transactions and other illegal activities, to report spam, and to protect the rights and interests of MPM, MPM’s users, third parties and the public;
- To update, expand and analyze our records, identify new customers, and provide products and services that may be of interest to you;
- To analyze trends, administer our websites, and track visitor navigations on our websites to understand what visitors are looking for and to better help them;
- To monitor and improve marketing campaigns and make suggestions relevant to the user.
Legal bases for collecting and using information
Legal processing bases applicable to MPM: If you are an individual from the United Kingdom, our legal basis for information collection and use depends on the personal information concerned and the context in which we collect it. Most of our information collection and processing activities are typically based on (i) contractual necessity, (ii) one or more legitimate interests of MPM or a third party that are not overridden by your data protection interests, or (iii) your consent. Sometimes, we may be legally required to collect your information, or may need your personal information to protect your vital interests or those of another person.
Withdrawal of consent: Where we rely on your consent as the legal basis, you have the right to withdraw your consent at any time, but this will not affect any processing that has already taken place.
Legitimate interests notice: Where we rely on legitimate interests as the legal basis and those legitimate interests are not specified above, we will clearly explain to you what those legitimate interests are at the time that we collect your information.
Opt out of non-essential electronic communications: You may opt out of receiving newsletters and other non-essential messages by using the ‘unsubscribe’ function included in all such messages. However, you will continue to receive notices and essential transactional emails.
Disable cookies: You can disable browser cookies before visiting our websites. However, if you do so, you may not be able to use certain features of the websites properly.
Optional information: You can choose not to provide optional profile information such as your photo. You can also delete or change your optional profile information. You can always choose not to fill in non-mandatory fields when you submit any form linked to our websites.
Who we share your information with
Third-party service providers: We may need to share your personal information and aggregated or de-identified information with third-party service providers that we engage, such as marketing and advertising partners, event organizers, web analytics providers and payment processors. These service providers are authorized to use your personal information only as necessary to provide these services to us.
Reselling partners: We may share your personal information with our authorized reselling partners in your region, solely for the purpose of contacting you about products that you have downloaded or services that you have signed up for. We will give you an option to opt out of continuing to work with that partner.
Other cases: Other scenarios in which we may share the same information covered under Parts I and II are described in Part III.
Your rights with respect to information we hold about you as a controller
If you are in the UK, you have the following rights with respect to information that MPM holds about you. MPM undertakes to provide you the same rights no matter where you choose to live.
Right to access: You have the right to access (and obtain a copy of, if required) the categories of personal information that we hold about you, including the information’s source, purpose and period of processing, and the persons with whom the information is shared.
Right to rectification: You have the right to update the information we hold about you or to rectify any inaccuracies. Based on the purpose for which we use your information, you can instruct us to add supplemental information about you to our records.
Right to erasure: You have the right to request that we delete your personal information in certain circumstances, such as when it is no longer necessary for the purpose for which it was originally collected.
Right to restriction of processing: You may also have the right to request to restrict the use of your information in certain circumstances, such as when you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Right to data portability: You have the right to transfer your information to a third party in a structured, commonly used and machine-readable format, in circumstances where the information is processed with your consent or by automated means.
Right to object: You have the right to object to the use of your information in certain circumstances, such as the use of your personal information for direct marketing.
Right to complain: You have the right to complain to the Information Commissioner’s Office (ICO) if you have any grievance against the way we collect, use or share your information.
Retention of information
Part II – Information that MPM processes on your behalf
Information entrusted to MPM and purpose
Information provided in connection with services: You may entrust information that you or your organization (“you”) control, to MPM in connection with use of our services or for requesting technical support for our products. This includes information regarding your customers and your employees (if you are a controller) or data that you hold and use on behalf of another person for a specific purpose, such as a customer to whom you provide services (if you are a processor). The data may either be stored on our servers when you use our services, or transferred or shared to us as part of a request for technical support or other services.
(All the information entrusted to MPM is collectively termed “service data”)
How we use service data
We process your service data when you provide us instructions through the various modules of our services.
Who we share service data with
MPM group and third party sub-contractors: In order to provide services and technical support for our products, the contracting entity within the MPM group engages other third parties.
Employees and independent contractors: We may provide access to your service data to our employees and individuals who are independent contractors of the MPM group entities involved in providing the services (collectively our “employees”) so that they can (i) identify, analyze and resolve errors, (ii) manually verify emails reported as spam to improve spam detection, or (iii) manually verify scanned images that you submit to us to verify the accuracy of optical character recognition. We ensure that access by our employees to your service data is restricted to specific individuals, and is logged and audited. Our employees will also have access to data that you knowingly share with us for technical support or to import data into our products or services. We communicate our privacy and security guidelines to our employees and strictly enforce privacy safeguards within the MPM group.
Third-party integrations you have enabled: Some of our products and services support integrations with third party products and services. If you choose to enable any third-party integrations, you may be allowing the third party to access your service information and personal information about you. We encourage you to review the privacy practices of the third-party services and products before you enable integrations with them.
Other cases: Other scenarios in which we may share information, which are common to the information covered under Parts I and II, are described in Part III.
Retention of information
We hold the data in your account as long as you choose to use MPM Services. Once you terminate your MPM user account, your data will eventually be deleted from the active database during the next clean-up, which occurs once in 6 months. The data deleted from the active database will be deleted from backups after 3 months.
Part III – General
Locations and international transfers
We share your personal information and service data within the MPM Group. By accessing or using our products and services or otherwise providing personal information or service data to us, you consent to the processing, transfer, and storage of your personal information or Service Data within the United Kingdom, United States of America, the European Economic Area (EEA) and other countries where MPM operates. Such transfer is subject to a group company agreement that is based on EU Commission’s Model Contractual Clauses which the ICO has also adopted.
Blogs and forums
We offer publicly accessible blogs and forums on our websites. Please be aware that any information you provide on these blogs and forums may be used to contact you with unsolicited messages. We urge you to be cautious in disclosing personal information in our blogs and forums. MPM is not responsible for the personal information you elect to disclose publicly. Your posts and certain profile information may remain even after you terminate your account with MPM. To request the removal of your information from our blogs and forums, you can contact us at firstname.lastname@example.org.
Social media widgets
Our websites may include social media widgets such as Facebook “like” buttons and Twitter “tweet” buttons that let you share articles and other information. These widgets may collect information such as your IP address and the pages you navigate in the website, and may set a cookie to enable the widgets to function properly. Your interactions with these widgets are governed by the privacy policies of the companies providing them.
Disclosures in compliance with legal obligations
We may be required by law to preserve or disclose your personal information and service data to comply with any applicable law, regulation, legal process or governmental request, including to meet national security requirements.
Enforcement of our rights
We may disclose personal information and service data to a third party if we believe that such disclosure is necessary for preventing fraud, investigating any suspected illegal activity, enforcing our agreements or policies, or protecting the safety of our users.
We do not intend to sell our business. However, in the unlikely event that we sell our business or get acquired or merged, we will ensure that the acquiring entity is legally bound to honour our commitments to you. We will notify you via email or through a prominent notice on our website of any change in ownership or in the uses of your personal information and service data. We will also notify you about any choices you may have regarding your personal information and service data.
Notification of changes
Data Processing Addendum (DPA)
MPM is committed to ensuring the security and protection of the personal information that we process and to providing a compliant and consistent approach to data protection. We have always had a robust and effective data protection programme in place which complies with existing law and abides by the data protection principles. However, we recognise our obligations in updating and expanding this programme to meet the demands of the GDPR and the Data Protection Bill.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Customer and MPM, but has not signed its own Order Form with MPM and is not a “Customer” as defined under the Agreement.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Customer Data” means what is defined in the Agreement as “Customer Data” or “Your Data.”
“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Data.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“MPM” means MPM LTD, the entity which is a party to this DPA.
“Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.
2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties.
The parties acknowledge and agree that, with regard to the Processing of Personal Data, Customer is the Controller and MPM is the Processor.
2.2 Customer’s processing of Personal Data.
Customer shall, in its use of the Services, process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
2.3 MPM’s processing of Personal Data.
MPM shall treat Personal Data as Confidential Information and shall only Process Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes:
(i) Processing in accordance with the Agreement and applicable Order Form(s);
(ii) Processing initiated by Users in their use of the Services; and
(iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
3. RIGHTS OF DATA SUBJECTS
3.1 Data Subject Request.
MPM shall, to the extent legally permitted, promptly notify the Customer if MPM receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”).
Taking into account the nature of the Processing, MPM shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations.
In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, MPM shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent MPM is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations.
To the extent legally permitted, the Customer shall be responsible for any costs arising from MPM’s provision of such assistance.
4. MPM PERSONNEL
MPM shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. MPM shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
MPM shall take commercially reasonable steps to ensure the reliability of any MPM personnel engaged in the Processing of Personal Data.
4.3 Limitation of Access.
MPM shall ensure that MPM’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.
5.1 Controls for the Protection of Customer Data.
MPM shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data, as set forth in the Security, Privacy sections of the master subscription agreement. MPM regularly monitors compliance with these measures. MPM will not materially decrease the overall security of the Services during a subscription term.
5.2 Third-Party Certifications and Audits.
MPM has obtained the third-party certifications and audits set forth in the Security, Privacy section of the master subscription agreement. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, MPM shall make available to the Customer that is not a competitor of MPM (or Customer’s independent, third-party auditor that is not a competitor of MPM) a copy of MPM’s then most recent third-party audits or certifications, as applicable.
6. CUSTOMER DATA INCIDENT MANAGEMENT AND NOTIFICATION
MPM maintains security incident management policies and procedures specified in the Security section of the master subscription agreement and shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise processed by MPM. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s Users.
7. RETURN AND DELETION OF CUSTOMER DATA
MPM shall return Customer Data to Customer and, to the extent allowed by applicable law, delete Customer Data in accordance with the procedures and timeframes specified in the Security, Privacy and Architecture Documentation.
8. AUTHORIZED AFFILIATES
8.1 Contractual Relationship.
The parties acknowledge and agree that, by executing an Agreement, the Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between MPM and each such Authorized Affiliate subject to the provisions of the Agreement and this Section 9 and Section 10. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement, and is only a party to the DPA. All access to and use of the Services and Content by Authorized Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Affiliate shall be deemed a violation by Customer.
The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with MPM under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
9.1. Each Party agrees to hold the other Party, its Affiliates, and its respective agents, officers, directors, shareholders, partners, employees and licensees, and each of their successors and permitted assigns (collectively, the “Indemnified Parties”) harmless and defend them (“defend” only at the Indemnified Parties’ option) from and against any and all claims and demands (collectively, “Claims”), brought by a third party based upon or arising in any manner, directly or indirectly, out of or in connection with such Party’s breach of its obligations under these Data Processing Terms.
9.2. The indemnifying Party shall pay all damages and reimburse the Indemnified Parties for the incurred costs, including without limitation, reasonable legal fees arising out of and in connection with any such Claims.
9.3. The Indemnified Parties must notify the indemnifying Party promptly in writing of any claim for indemnification hereunder, and provide, at the indemnifying Party’s expense (to the extent of out-of-pocket expenses only), all reasonably necessary assistance, information and authority to allow the indemnifying Party to control the defense and settlement of such claim should the Indemnified Parties have chosen this option. Notwithstanding the foregoing, the indemnifying Party shall not enter into any settlement of the defense of such action, other than with respect to the payment of monies, without the Indemnified Parties’ prior written consent.
10. EUROPEAN SPECIFIC PROVISIONS
With effect from 25 May 2018, MPM will Process Personal Data in accordance with the GDPR requirements directly applicable to MPM’s provision of its Services.
10.2 Data Protection Impact Assessment.
With effect from 25 May 2018, upon Customer’s request, MPM shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under the GDPR to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to MPM.
MPM shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to Section 11.2 of this DPA, to the extent required under the GDPR.
11. LEGAL EFFECT
This DPA shall only apply when an agreement is executed between Customer and MPM.