Data Processing Addendum

Effective Date: 04/09/2025

This Data Processing Addendum ("DPA") forms part of the Mandala Terms of Service and Privacy Policy (the "Agreement") between Mandala For Us, Inc. ("Mandala," "Processor," "we," "us," or "our") and the entity agreeing to this DPA ("Customer" or "Controller"), including any of its Affiliates.

1. Definitions

1.1 "Affiliate" means, with respect to a party, any entity that directly or indirectly controls, is controlled by, or is under common control with that party, where “control” means ownership of more than 50% of the voting interests of the subject entity.

1.2 "Applicable Data Protection Laws" means all data protection and privacy laws and regulations applicable to the processing of Personal Data under this Agreement, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act of 2018 ("CCPA"), and any other relevant privacy laws.

1.3 "Customer Data" means any data, content, or information (including Personal Data) that the Customer submits to the Services or otherwise provides to Mandala for processing on the Customer's behalf in connection with the Services. Mandala will process Customer Data as the Customer’s Data Processor solely to provide and maintain the Services and in accordance with this DPA, the Agreement, and any applicable instructions provided by the Customer.

1.4 "Data Controller" means the entity that determines the purposes and means of the processing of Personal Data.

1.5 "Data Processor" means the entity that processes Personal Data on behalf of the Data Controller.

1.6 "Data Subject" means the identified or identifiable person to whom Personal Data relates.

1.7 "Personal Data" means any Customer Data that relates to an identified or identifiable natural person and is protected as personal data under Applicable Data Protection Laws.

1.8 "Processing" means any operation performed on Customer Data, including collection, recording, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.

1.9 "Standard Contractual Clauses (SCCs)" means the standard contractual clauses adopted by the European Commission or the UK Information Commissioner's Office, as applicable, for the lawful transfer of personal data outside of the European Economic Area or UK.

1.10 "Subprocessor" means any third party that processes Customer Data on behalf of Mandala.

1.11 "Supervisory Authority" means an independent public authority established pursuant to Applicable Data Protection Laws, including but not limited to the GDPR, UK GDPR, or Swiss law, that is responsible for monitoring the application of such laws.

2. Processing Of Personal Data

2.1 Roles of the Parties.
The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Data Controller, Mandala is the Data Processor, and Mandala may engage Subprocessors pursuant to the requirements set forth in Section 4 “Sub-processors” below.

2.2 Customer’s Processing of Personal Data.
Customer shall, in its use of the Services and provision of instructions, Process Personal Data in accordance with the requirements of Applicable Data Protection Law. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.

2.3 Mandala’s Processing of Personal Data.
As Customer’s Data Processor, Mandala shall only Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and applicable documentation; (ii) Processing initiated by Authorized Users in their use of the Services; and (iii) Processing to comply with other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement (individually and collectively, the “Purpose”). Mandala acts on behalf of and on the instructions of Customer in carrying out the Purpose.

2.4 Details of the Processing.
The subject-matter of Processing of Personal Data by Mandala is the Purpose. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are as generally described in the Privacy Policy and may be further clarified in any applicable commercial agreement.

2.5 No Sale of Personal Information under CCPA.
Mandala will not “sell” any “personal information” (as those terms are defined in the CCPA) it processes on Customer’s behalf or “share” such information for purposes of “cross-context behavioral advertising” (as those terms are defined in the California Privacy Rights Act or “CPRA”).

3. Mandala's Security Responsibilities

3.1 Security Measures.
Mandala will implement and maintain appropriate technical and organizational security measures designed to protect and preserve the security, integrity, and confidentiality of the Personal Data described in this DPA.

3.2 Notice of Investigation, Complaint or Subpoena.
Mandala will, to the extent legally permitted, promptly inform Customer if it (i) receives any notice or inquiry from a Supervisory Authority relating to the processing of Personal Data, (ii) receives any complaint by a data subject regarding the processing of Personal Data, or (iii) receives any legally binding request for disclosure of Personal Data by a law enforcement authority. Additional provisions relating to government demands for Personal Data may be provided upon request.

3.3 Disclosure.
Mandala will not disclose the Personal Data to any third party except (a) as directed by Customer, (b) if such disclosure is made by Mandala in response to a court order, subpoena, or other legal process, and provided that Mandala has given Customer reasonable notice of such process if permitted, or (c) to Sub-processors as described in this DPA.

3.4 Mandala Personnel.
Mandala will restrict access to Personal Data to only those personnel who need to access such data to provide the Services and are subject to confidentiality obligations.

3.5 Records.
Mandala will maintain relevant records regarding its information security practices and will provide copies of such records as reasonably required by Customer to verify Mandala’s compliance with this DPA.

3.6 Data Subject Requests.
Mandala will promptly notify Customer if it receives a Data Subject Request relating to Personal Data processed on behalf of Customer and will provide reasonable assistance required for Customer to comply. Mandala will only respond directly to such requests upon receiving Customer's written instruction.

3.7 Security Incident Notification.
Mandala will notify Customer within forty-eight (48) hours after discovery of any unauthorized disclosure of or access to Personal Data while in the possession or control of Mandala or its Sub-processors (a "Security Incident"). Any such notification will not be construed as an acknowledgement by Mandala of fault or liability. Mandala will provide Customer with all relevant information in its possession or control regarding the Security Incident, including, to the extent known: the nature of the incident, the categories and approximate number of data subjects affected, the types of data involved, the scope of the impact, Mandala’s designated point of contact, and the measures taken or proposed to address the incident and mitigate its effects. Unless required by law, Mandala will not make any public announcement or notify any data subject without Customer’s prior written approval.

3.8 Cooperation.
Upon request, Mandala will provide Customer with a summary of its security and privacy policies and cooperate with any Supervisory Authority inquiries relevant to Mandala’s Processing of Personal Data under this DPA.

4. Subprocessors

4.1 Authorized Subprocessors.
Customer agrees that Mandala may use Subprocessors to fulfill its obligations under the Agreement. The Subprocessors currently authorized by Mandala to process Personal Data are listed at https://www.mandalaforus.com/legal/subprocessors, which also provides customers with the ability to subscribe to updates regarding new sub-processors. Customer hereby consents to Mandala’s use of Subprocessors as described in this Section.

4.2 New or Different Subprocessors.
If Customer subscribes to the public-facing subprocessors webpage, Customer will receive advance notification of any new sub-processor before such subprocessor is authorized to process Personal Data in connection with the provision of the applicable Service. Customer may reasonably object to Mandala’s use of a new sub-processor (e.g., if making Personal Data available to the new sub-processor may violate Applicable Data Protection Law or weaken the protections for such Personal Data) by notifying Mandala promptly in writing within ten (10) business days after receipt of Mandala’s notice in accordance with the mechanism set out in Section 4.2. Such notice shall explain the reasonable grounds for the objection. In the event Customer objects to a new Sub-processor, as permitted in the preceding sentence, Mandala will use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new sub-processor without unreasonably burdening Customer. If Mandala is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, either party may terminate without penalty the applicable Agreement with respect only to those Services which cannot be provided by Mandala without the use of the objected-to new sub-processor by providing written notice to Mandala.

4.3 Subprocessor Obligations.
Where Mandala authorizes a Subprocessor to process Personal Data as described in this Section, Mandala will enter into a written agreement with each such Subprocessor consistent with Applicable Data Protection Laws. Except as set forth in this DPA or as otherwise authorized in writing by Customer, Mandala will not permit any Subprocessors to process Personal Data. Mandala will be liable for the acts and omissions of its Subprocessors to the same extent it would be liable if performing the services of each Subprocessor directly under the terms of the Agreement and this DPA.

5. Rights Of Data Subjects

5.1 Data Subject Requests.
Mandala shall, to the extent legally permitted, promptly notify Customer if Mandala receives any requests from a Data Subject to exercise the following rights: access, rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, objection to the Processing, or not to be subject to automated individual decision-making (each, a “Data Subject Request”). Taking into account the nature of the Processing, Mandala shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Applicable Data Protection Laws. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Mandala shall, upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Mandala is legally permitted to do so and the response to such Data Subject Request is required under Applicable Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Mandala’s provision of such assistance, including any fees associated with provision of additional functionality.

6. Customer Responsibilities

6.1 Authority and Consents.
Customer represents, warrants and covenants that it has and shall maintain throughout the term all necessary rights, consents, and authorizations to provide the Customer Data to Mandala and to authorize Mandala to use, disclose, retain, and otherwise process Customer Data as contemplated by this DPA, the Agreement, and/or any processing instructions provided to Mandala.

6.2 Accuracy, Legality, and Processing Instructions.
Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Mandala by or on behalf of Customer, (ii) the means by which Customer acquired such Personal Data, and (iii) the instructions it provides to Mandala regarding the processing of such Personal Data. Customer shall ensure that such instructions do not cause Mandala to be in breach of Applicable Data Protection Laws. Customer shall comply with all Applicable Data Protection Laws.

6.3 Data Subject Cooperation.
Customer shall reasonably cooperate with Mandala to assist Mandala in performing any of its obligations with regard to any requests from Customer’s Data Subjects.

6.4 No Sale or Share of Data.
Customer shall not take any action that would (i) render the provision of Personal Data to Mandala a “sale” under Applicable Data Protection Laws or a “share” under the CCPA (or equivalent concepts under Applicable Data Protection Laws); or (ii) render Mandala not a “service provider” under the CCPA or “processor” under Applicable Data Protection Laws.

6.5 Prohibited Data Types.
Customer acknowledges that Mandala is not designed to process Customer Data subject to specialized regulations (e.g., data subject to the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), the Children’s Online Privacy Protection Act (COPPA), or any similar U.S. or foreign laws), and agrees not to submit such data unless otherwise agreed to in writing by Mandala.

6.6 Indemnification.
Customer shall indemnify and hold harmless Mandala from all claims, liabilities, damages, and expenses (including reasonable legal fees) arising out of or related to Customer’s breach of its obligations under this Section 6, including any unauthorized or unlawful provision of Customer Data to Mandala.

7. Compliance With Laws

Each party shall comply with all applicable laws, rules, and regulations, including Applicable Data Protection Laws. Mandala will notify Customer if (i) it can no longer meet its obligations under Applicable Data Protection Laws, (ii) it has breached this DPA and will cooperate to remediate such breach, or (iii) in Mandala’s opinion, a processing instruction from Customer violates Applicable Data Protection Laws. Customer may take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data, including use not authorized under this DPA. Mandala may suspend processing of Personal Data where it determines that continued processing would violate Applicable Data Protection Laws and no alternative instructions are provided.

8. Data Transfers

Mandala currently processes and stores all Customer Data in the United States. Customer agrees that Mandala may access and Process Customer Data on a global basis as necessary to provide the Services in accordance with the Agreement, and in particular that Customer Data may be transferred to and Processed by Mandala in the United States and in other jurisdictions where Mandala or its Subprocessors operate. Wherever Customer Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Applicable Data Protection Laws, including by implementing appropriate safeguards such as Standard Contractual Clauses where required.

9. Data Retention And Deletion

9.1 Retention Period. Mandala retains Customer Data for as long as necessary to provide the Services, unless otherwise agreed in writing, or unless required by Applicable Data Protection Laws to retain it longer. This approach is intended to comply with the data minimization principles of Applicable Data Protection Laws while ensuring continuity and performance of the Services.

9.2 Return or Destruction of Personal Data. Upon the termination or expiration of the Agreement, at Customer’s request, and where technically feasible using commercially reasonable means, Mandala shall return or delete Personal Data, unless further storage of such Personal Data is required or authorized by Applicable Data Protection Laws. If return or destruction is impracticable or prohibited by law, rule or regulation, Mandala shall take measures to block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control. If Customer and Mandala have entered into Standard Contractual Clauses as described in Section 13 (Standard Contractual Clauses), the parties agree that the certification of deletion of Personal Data that is described in Clause 8.1(d) and Clause 8.5 of the EU SCCs (as applicable) shall be provided by Mandala to Customer only upon Customer’s request.

10. Liability

Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between the Customer and Mandala (and their respective Affiliates), whether in contract, tort, or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement. Any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.

11. Audits

Where required by Applicable Data Protection Laws and upon reasonable notice and subject to appropriate confidentiality obligations, Mandala shall cooperate with assessments, audits, or other steps performed by or on behalf of Customer, at Customer’s sole expense, and in a manner that is reasonable, proportionate, and not unduly disruptive to Mandala’s business, that are necessary to confirm that Mandala is processing Customer Data in accordance with this DPA.

12. Standard Contractual Clauses

To the extent required by Applicable Data Protection Laws, including in connection with the transfer of Personal Data of European Economic Area ("EEA"), United Kingdom ("UK"), or Swiss data subjects to Mandala in a jurisdiction outside of the EEA, UK or Switzerland, the Standard Contractual Clauses set forth in Schedule 1 shall apply.

Schedule 1: Standard Contractual Clauses.

Mandala and Customer agree that the European Commission’s Standard Contractual Clauses (Module Two: Controller-to-Processor), as adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (the “EU SCCs”), and, where applicable, the UK International Data Transfer Addendum issued by the Information Commissioner’s Office, are hereby incorporated by reference into this DPA and shall apply to the transfer of Personal Data from the EEA, UK, or Switzerland to Mandala in the United States or other third countries.

Links to the full texts:

Where required, the parties agree that:

  • Mandala is the "data importer" and the Customer is the "data exporter";
  • The competent supervisory authority shall be determined in accordance with Clause 13 of the EU SCCs;
  • The parties elect Option 2 of Clause 9 (general authorization) with a ten (10) business day notice period;
  • The optional docking clause in Clause 7 shall not apply;
  • Clause 17 (governing law) shall be the law of the State of Delaware, United States; and
  • The parties agree to the use of electronic signatures for this DPA and incorporated SCCs.