

Model Wiz Data Processing Addendum

v1.0 DPA Effective Date: March 24, 2024

This Data Processing Addendum (the “DPA”) is incorporated into and forms part of the Model Wiz Master Subscription Agreement or other agreement (the “Agreement”) pursuant to which Model Wiz Inc. (“Model Wiz”) provides services to the party identified therein as the “Customer”. Capitalized terms used in this DPA but not defined herein shall have the meanings set forth in the Agreement.

  1. Definitions

“Applicable Privacy Law(s)” means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question, including, where applicable: 

“EU Data Protection Law”: Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”) and the EU e-Privacy Directive (Directive 2002/58/EC), each as implemented and transposed into local law by any EU member states.

“Swiss DPA”: the Swiss Federal Act on Data Protection 1992 (including as amended or superseded).

“UK Data Protection Law”: the UK Data Protection Act and GDPR as incorporated into UK law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (each as amended, superseded, or replaced).

“US Data Protection Law”: all applicable comprehensive state data protection laws and regulations in each case as may be amended or superseded from time to time, including the California Privacy Rights Act (“CPRA”); Colorado Privacy Act; Connecticut Personal Data Privacy and Online Monitoring Act; Delaware Personal Data Privacy Act; Indiana Consumer Data Protection Act; Iowa Consumer Data Protection Act; Montana Consumer Data Privacy Act; Oregon Consumer Privacy Act; Tennessee Information Protection Act; Texas Data Privacy and Security Act; Utah Consumer Privacy Act; Virginia Consumer Data Protection Act.

Applicable Law excludes those laws applicable to Excluded Data as defined in the Agreement.

“Controller” means a “controller” or “business,” as such terms or analogous variations thereof are defined under Applicable Privacy Laws, that, alone or jointly with others, determines the purposes for and means of Processing.

“EEA” means the European Economic Area, which constitutes the member states of the European Union and Norway, Iceland and Liechtenstein, as well as, for the purposes of this DPA, Switzerland and the United Kingdom.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data. 

“Personal Data” means any information relating to an identified or identifiable natural person. “Customer Personal Data” shall mean Personal Data that is provided to Model Wiz by or on behalf of Customer. 

“Process” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making such data available, alignment or combination, restriction, erasure or destruction.

“Processor” means a “service provider” or “processor,” as such terms or analogous variations thereof are defined under Applicable Privacy Laws, that Processes personal data or information on behalf of another company.

“Standard Contractual Clauses” or “SCCs” means: (i) where EU Data Protection Law or the Swiss DPA applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where UK Data Protection Law applies, standard data protection clauses adopted pursuant to or permitted under UK Data Protection Law (“UK SCCs”).

“Subprocessor” means any third party engaged by Model Wiz for the Processing of Customer Personal Data in connection with the Service and may include Model Wiz’s affiliates and subsidiaries.

  2. Applicability; Model Wiz as Processor or Subprocessor

This DPA applies only to the extent Model Wiz Processes Personal Data of End Users that is subject to Applicable Privacy Laws. Customer is (or represents that it is acting with full authority on behalf of) the Controller and Model Wiz is the Processor with respect to the Customer Personal Data Processed under the Agreement. In some circumstances, Customer may be a Processor, in which case Customer appoints Model Wiz as Customer’s subprocessor, which shall not change the obligations of either Customer or Model Wiz under this DPA.

  3. Customer’s Instructions to Model Wiz

    1. Purpose Limitation. Model Wiz will not Process Customer Personal Data for any purpose other than for the specific purposes set forth in this DPA, unless obligated to do otherwise by Applicable Privacy Law. In such case, Model Wiz will inform Customer of that legal requirement before the Processing unless legally prohibited from doing so. Model Wiz shall only Process Customer Personal Data for the following purposes: (i) Processing as reasonably required to provide the Service and perform Model Wiz's obligations under the Agreement and this DPA, and as otherwise agreed by the Parties; (ii) Processing initiated by Customer and its users in their use of the Service; (iii) Processing to comply with other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement and Applicable Privacy Laws; and (iv) as otherwise required by Applicable Privacy Laws. Further details regarding Model Wiz’s Processing operations are set forth in Annex A. 

    2. Lawful Instructions. Customer shall, in its use of the Service, Process Customer Personal Data in accordance with the requirements of Applicable Privacy Law. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data. Customer will not instruct Model Wiz to Process Personal Data in violation of Applicable Privacy Law. Model Wiz has no obligation to monitor the compliance of Customer’s use of the Service with Applicable Privacy Law, though Model Wiz will immediately inform Customer if, in Model Wiz’s opinion, an instruction from Customer infringes Applicable Privacy Law. The Agreement and this DPA, along with Customer’s configuration and use of the Service, are Customer's complete instructions to Model Wiz in relation to the Processing of Customer Personal Data. 

    3. CPRA Requirements. With respect to Customer Personal Data to which the CPRA applies (capitalized terms used in this section having the meanings provided in CPRA): 

(a) Model Wiz shall act as a Service Provider to Customer and shall collect, access, maintain, use, process, and transfer Customer Personal Data solely for the purpose of performing Model Wiz’s obligations under this Agreement for or on behalf of Customer and for no commercial purpose other than the performance of such obligations. 

(b) Model Wiz shall not Sell or Share, disclose, release, transfer, make available or otherwise communicate any Customer Personal Data to another business or third party without Customer’s prior written consent unless and to the extent that such disclosure is made to a Subcontractor for a business purpose, provided that Model Wiz has entered into a written agreement with the Subcontractor which imposes substantively the same obligations on the Subcontractor with regard to their processing of Customer Personal Data as are imposed on Model Wiz under this DPA and the Agreement. Notwithstanding the foregoing, nothing in this DPA shall restrict Model Wiz’s ability to disclose Customer Personal Data to comply with applicable laws; provided that if such disclosure is required, Model Wiz will promptly notify Customer of the request for disclosure unless such notification is prohibited by applicable law or a legally binding order. 

  4. Subprocessing

    1. Subprocessors. Customer acknowledges and agrees that Model Wiz’s affiliates and certain third parties may be retained as Subprocessors to Process Customer Personal Data on Model Wiz’s behalf (under this DPA as well as under the Standard Contractual Clauses, if they apply) in order to provide the Service. Model Wiz’s third-party Subprocessors as of the DPA Effective Date are listed at (the “Subprocessor List”). Prior to a Subprocessor’s Processing of Customer Personal Data, Model Wiz will impose contractual obligations on the Subprocessor at least as protective of Customer Personal Data as this DPA. Model Wiz remains liable for its Subprocessors’ performance under this DPA to the same extent Model Wiz is liable for its own performance hereunder. 

    2. Notification. Model Wiz will update the website above with any intended changes concerning the addition or replacement of other Subprocessors, thereby giving Customer the opportunity to object to such changes. That website includes a self-enrollment system where Customer can add an email address to receive notices of subprocessor changes. The subprocessor agreements to be provided under Clause 5(j) of the Standard Contractual Clauses may have all commercial information or provisions unrelated to the Standard Contractual Clauses redacted prior to sharing with Customer, and Customer agrees that such copies will be provided only upon written request.

    3. Right to Object. Customer may reasonably object to Model Wiz’s use of a new Subprocessor by notifying Model Wiz promptly in writing within ten business days after receipt of Model Wiz’s notice. In its objection, Customer shall explain its reasonable grounds for objection. In the event Customer objects to a new Subprocessor, Model Wiz will use commercially reasonable efforts to make available to Customer a change in the Service or recommend a commercially reasonable change to Customer’s configuration or use of the Service to avoid Processing of Customer Personal Data by the objected-to new Subprocessor without unreasonably burdening Customer. If Model Wiz is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate Customer’s subscription to the Service.

    4. Emergency Replacement. Model Wiz may replace a Subprocessor if the need for the change is urgent and necessary to provide the Service. In such instance, Model Wiz shall notify Customer of the replacement as soon as reasonably practicable, and Customer shall retain the right to object to the replacement Subprocessor pursuant to Section 4.3 above.

  5. Assistance & Cooperation

    1. Security. Model Wiz will provide reasonable assistance to Customer regarding Customer’s compliance with its security obligations under Applicable Privacy Law relevant to Model Wiz’s role in Processing the Customer Personal Data, taking into account the nature of Processing and the information available to Model Wiz, by implementing technical and organizational measures set forth in the Agreement, without prejudice to Model Wiz’s right to make future replacements or updates to the measures that do not lower the level of protection of Customer Personal Data. Model Wiz will ensure that the persons Model Wiz authorizes to Process the Customer Personal Data are subject to written confidentiality agreements or are under an appropriate statutory obligation of confidentiality no less protective than the confidentiality obligations set forth in the Agreement.

    2. Personal Data Breach Notification & Response. Model Wiz will comply with the Personal Data Breach-related obligations directly applicable to it under Applicable Privacy Law. Taking into account the nature of Processing and the information available to Model Wiz, Model Wiz will assist Customer by informing it of a confirmed Personal Data Breach without undue delay. Model Wiz will notify Customer at the email address provided in the signature block of this DPA for purposes of Personal Data Breach notifications. Any such notification is not an acknowledgement of fault or responsibility. To the extent available, this notification will include Model Wiz’s then-current assessment of the following, which may be based on incomplete information: 

(a) the nature of the Personal Data Breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Customer Personal Data records concerned; 

(b) the likely consequences of the Personal Data Breach; and 

(c) measures taken or proposed to be taken by Model Wiz to address the Personal Data Breach, including, where applicable, measures to mitigate its possible adverse effects.

Model Wiz will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with legal requirements for incident notification applicable to Customer and fulfilling any third-party notification obligations related to any Customer Data Incident(s). Nothing in this DPA or in the Standard Contractual Clauses shall be construed to require Model Wiz to violate, or delay compliance with, any legal obligation it may have with respect to a Personal Data Breach or other security incidents generally.

  6. Responding to Data Subjects

    1. Data Subjects’ Rights. Model Wiz shall provide commercially reasonable assistance, including by appropriate technical and organizational measures as reasonably practicable, to enable Customer to respond to any inquiry, communication or request from a Data Subject seeking to exercise his or her rights under Applicable Privacy Law, including rights of access, correction, restriction, objection, erasure or data portability, as applicable. 

    2. Data Subject Requests. In the event such inquiry, communication or request is made directly to Model Wiz, Model Wiz shall promptly inform Customer by providing the full details of the request. For the avoidance of doubt, Customer is responsible for responding to Data Subject requests for access, correction, restriction, objection, erasure or data portability of that Data Subject’s Personal Data. 

    3. Data Protection Impact Assessments and Prior Consultation. Model Wiz shall, to the extent required by Applicable Privacy Law, provide Customer with reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that Customer is required to carry out under Data Protection Laws.

  7. Data Transfers

    1. Customer authorizes Model Wiz and its Subprocessors to make international transfers of the Customer Personal Data in accordance with this DPA so long as Applicable Privacy Law for such transfers is respected. 

    2. For transfers of Customer Personal Data under this DPA from the EEA to countries which do not ensure an adequate level of data protection within the meaning of Applicable Privacy Law of the foregoing territories, to the extent such transfers are subject to such Applicable Privacy Law, the Standard Contractual Clauses shall apply. In case of conflict between the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses will prevail. 

    3. The Standard Contractual Clauses will be deemed completed as follows: 

(a) The “exporter” is the Customer, and the exporter’s contact information is set forth below. 

(b) The “importer” is Model Wiz, and Model Wiz’s contact information is set forth below. 

(c) Appendices 1 and 2 of the Standard Contractual Clauses are set forth in Annex A below.

By entering into this DPA, the Parties are deemed to be signing the Standard Contractual Clauses and its applicable Appendices.

  1. EU SCCs. Personal Data from the European Union will be governed by the EU SCCs, completed as follows:

  1. Module Two will apply to the extent that Customer is a controller of the Personal Data, and Module Three will apply to the extent that Customer is a processor of the Personal Data on behalf of a third-party controller;

  2. in Clause 7, the optional docking clause will not apply;

  3. in Clause 9, Option 2 will apply, and the time period for prior notice of Subprocessor changes will be as set out in Clause 9 of this Addendum;

  4. in Clause 11, the optional language will not apply;

  5. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Republic of Ireland law;

  6. in Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland;

  7. Annex I will be deemed completed with the information set out in Annex I to this DPA;

  8. Annex II will be deemed completed with the information set out in Annex II to this DPA; and

  9. Annex III will be deemed completed with the information set out in Annex III to this DPA.

  1. UK SCCs. Personal Data transfers from the United Kingdom will be governed by the UK SCCs and the UK International Data Transfer Addendum (the “IDTA”), completed as follows.

    1. In Part 1 of the IDTA, the information required by Tables 1 – 3 is provided in the Agreement and this DPA.

    2. The IDTA’s Mandatory Clauses are incorporated by reference into this DPA in accordance with Alternative Part 2 of the template IDTA. 

    3. References to the EU, member states and GDPR are amended mutatis mutandis to refer to the United Kingdom and UK Data Protection Law.

    4. In Clause 17 of the Standard Contractual Clauses (Governing Law), the laws of England and Wales shall govern, and in Clause 18 (Choice of forum and jurisdiction), the courts in London, England shall have jurisdiction. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts in the UK.

  2. Swiss SCCs. Personal Data transfers from Switzerland will be governed by the EU SCCs amended as follows: 

    1. references to ‘Regulation (EU) 2016/679’ in the EU SCCs will be deemed to refer to the Swiss DPA; 

    2. references to specific articles of ‘Regulation (EU) 2016/679’ will be deemed replaced with the equivalent article or section of the Swiss DPA, 

    3. references to ‘EU’, ‘Union’, and ‘Member State’ will be deemed replaced with ‘Switzerland’, 

    4. references to the ‘competent supervisory authority’ and ‘competent courts’ are replaced with the ‘Swiss Federal Data Protection Information Commissioner’ and ‘applicable courts of Switzerland’ (as applicable), 

    5. in Clause 17, the EU SCCs will be governed by the laws of Switzerland, and

    6. in Clause 18(b), disputes will be resolved before the competent courts of Switzerland.

  3. If any provision of the Agreement (including this Addendum) contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.

  8. Audits

Model Wiz shall allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer subject to the following conditions: so long as the Agreement remains in effect and at Customer’s sole expense, Customer may request that Model Wiz provide it with documentation, data, and records (“Records”) no more than once annually relating to Model Wiz’s compliance with this DPA on at least 30 days prior written notice (an “Audit”). To the extent Customer uses a third-party representative to conduct the Audit, Customer shall ensure that such third-party representative is bound by obligations of confidentiality no less protective than those contained in this Agreement. Customer shall conduct its Audit in a manner that will result in minimal disruption to Model Wiz’s business operations and shall not be entitled to receive data or information of other clients of Model Wiz or any other Confidential Information of Model Wiz that is not directly relevant for the authorized purposes of the Audit. If any material non-compliance is identified by an Audit, Model Wiz shall take prompt action to correct such non-compliance. For the avoidance of doubt, this provision does not grant Customer any right to conduct an on-site audit of Model Wiz’s premises. Customer shall reimburse Model Wiz for any time expended for an Audit at Model Wiz’s then-current rates, which shall be made available to Customer upon request.

  9. Return or Destruction of Personal Data

At the end of the applicable term of the Agreement, within a reasonable time following Customer’s written request, Model Wiz shall securely destroy or return Customer Personal Data to Customer. Notwithstanding the foregoing, this provision will not require Model Wiz to delete Customer Personal Data from archival and back-up files except as provided by Model Wiz's internal data deletion practices and as required by Applicable Privacy Law. 

  10. Liability

Notwithstanding anything to the contrary in the Agreement or this DPA, the liability of each Party and each Party’s affiliates under this DPA or the Standard Contractual Clauses shall be subject to any aggregate limitations on liability set out in the Agreement, except to the extent prohibited by Applicable Privacy Law. 

  11. General

Except as provided by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict in connection with the Processing of Customer Personal Data. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.


Annex I

This Annex forms part of the Standard Contractual Clauses. 


Controller(s) / Data exporter(s): [Identity and contact details of the controller(s) /data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]



As provided by the Customer


As provided by the Customer

Contact person’s name, job title and contact details:

As provided by the Customer

Activities relevant to the data transferred under these Clauses:

Model Wiz will process Customer Personal Data in order to provide its Excel plugin to Customer

Role (controller/processor):



Processor(s) / Data importer(s): [Identity and contact details of the processor(s) /data importer(s), including any contact person with responsibility for data protection]


Model Wiz Inc.


2 Colgate Rd, Great Neck NY, 11023

Contact person’s name, job title and contact details:

Attn: legal

Activities relevant to the data transferred under these Clauses:

Model Wiz will process Customer Personal Data in order to provide its Excel plugin service to Customer

Role (controller/processor):




Categories of data subjects whose Personal Data is transferred:

Customer’s employees and consultants who use the Service.

Individuals whose Personal Data is stored in Customer’s data sources and processed by Model Wiz.

Categories of Personal Data transferred:

Model Wiz may have access to Personal Data of Customer’s employees and consultants who use the Service.

The types of Customer Personal Data stored in Customer’s data sources are determined and controlled by Customer in its sole discretion, and may include, but are not limited to, identification and contact data (name, address, title, contact details), employment details (employer, job title, geographic location, area of responsibility), and/or information technology information (e.g., IP addresses, usage data, cookies data, location data). The Service does not impose a technical restriction on the categories of Personal Data Customer may provide, but the Agreement prohibits Customer from uploading special categories of data.

Sensitive data transferred (if applicable) and applied restrictions or safeguards 


The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):

Ongoing during the term of Customer agreement

Nature of the processing:

The data processing activities carried out by Model Wiz under the Agreement 

Purpose(s) of the data transfer and further processing:

Model Wiz will process Customer Personal Data in order to provide its Excel plugin to Customer.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:

During the term of Customer’s agreement, and for a limited period after termination, so that Customer may export its data from Model Wiz’s systems.

For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing: 

As outlined in Annex 3 below



Identify the competent supervisory authority/ies (e.g., in accordance with Clause 13 SCCs)

Irish Supervisory Authority (DPC)


Annex 2 Subprocessor List (as of the DPA Effective Date)

As identified at

Annex 3 Technical and Organizational Security Measures

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, and the risks for the rights and freedoms of natural persons. 

Access Management

Model Wiz has established formal access management processes for the request, review, approval, and provisioning of all personnel who have a legitimate business need to access Model Wiz’s critical resources and if necessary, Customer Data. 


Model Wiz stores Customer Data, as well as required operational and engineering data necessary to operate the Service, in the minimum number of locations necessary.


Model Wiz utilizes encryption standards such as TLS 1.2 and AES-256 to encrypt all data in transit and at rest over public internet connections.

Security Incidents

Model Wiz maintains a Security Incident Response Plan, which details procedures to be followed in the event of (1) actual unauthorized access to or use of Customer Data, including but not limited to disclosure, theft or manipulation of data that has the potential to cause harm to Model Wiz’s systems or data, or (2) a Personal Data Breach. 

Security Threats & Mitigation 

Model Wiz has policies and processes in place designed to ensure risks to Model Wiz’s systems resulting from exploitation of published technical vulnerabilities are reduced and mitigated. This includes, but is not limited to the following:

  • Regular internal risk assessments to identify and prioritize potential risks to the business

  • Use of reputable outside sources for security vulnerability information, such as:

    • Vendor and security mailing lists / forums 

    • Participation in security webinars and industry meetups 

  • For any newly identified vulnerabilities, a risk ranking is assigned using a rating scale based on established criteria, which may include the following:

    • CVSS based scoring

    • Classification by the vendor

    • Type of system (i.e., public-facing, security systems, databases, other systems that store/process customer data)

    • Other independent or internal determination

  • Deployment and management of antivirus software on all systems commonly affected by malicious software

  • Installation of vendor supplied security patches and specialized secure configurations

  • Monitoring of Model Wiz’s infrastructure and the Service utilizing a variety of intrusion detection methods

Secure Disposal

Customer Data and decommissioned media used to store Customer Data are disposed of utilizing one of the following three methods:

  • Overwriting: The software process that replaces the data previously stored on magnetic storage media with a predetermined set of meaningless data, rendering the data unrecoverable.

  • Degaussing: Exposing the media to strong magnetic fields to destroy its contents. 

  • Physical Destruction: This includes shredding and any other method of physical destruction, including extremes of physical force or temperature. 

Logging & Analysis

For applications and systems that access, process, store, and/or transmit Customer Data, Model Wiz generates audit logs detailing use, access, disclosure, theft, manipulation, and reproduction. The audit logs are generated and reviewed on a daily basis. Logs are maintained for at least one (1) year. 

Education & Awareness

Prior to being granted access to any Model Wiz equipment hosting Customer Data, all authorized personnel must undergo appropriate security training. Security training is then repeated annually. Such security training includes, but may not be limited to: acceptable use, social engineering, personnel security, data protection, incident response. 

Additional Terms

Model Wiz shall conduct periodic reviews, at minimum annually, of any system storing Customer Data to evaluate the security risks of such systems and will prioritize any detected vulnerabilities for remediation based on the nature and severity of the identified issue.

Model Wiz shall have established and documented access termination procedures for existing staff with access to Customer Data. 
