Data Processing Addendum

Last updated: September 27th 2025

This data processing addendum (“DPA”) supplements the Subscription Agreement, or other agreement in place between Subscriber and MTech covering Subscriber’s use of MTech’s Subscription Services.

Capitalized terms not defined herein shall have the meaning set forth in the Subscription Agreement. Terms defined under Applicable Data Protection Laws, including “data subject”, “personal data”, “processing”, and “third-country” that are used in this DPA will have the same meaning as set out in Applicable Data Protection Laws.

1. Definitions

“Applicable Data Protection Laws” means all laws applicable to the processing of personal data under the Subscription Agreement.

“Brazilian General Data Protection Law” or “LGPD” means Law No. 13,709/2018 of August 18th, 2018.

“Brazilian SCCs” means the contractual clauses set out in Annex II of the Brazilian Regulation on International Transfer of Personal Data of the Brazilian National Data Protection Authority (Resolution CD/ANPD No. 19/2025), as amended, superseded, or replaced from time to time.

“EU Data Protection Laws” includes (i) the Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation, or GDPR) and (ii) the EU e-Privacy Directive (Directive 2002/58/EC) as amended, superseded, or replaced from time to time.

“EU SCCs” means the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, superseded, or replaced from time to time.

“Security Incident” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Subscriber personal data processed by MTech and/or its sub-processors.

“Swiss Data Protection Laws” means the Swiss Federal Act on Data Protection and its implementing regulations as amended, superseded, or replaced from time to time.

“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022, as amended, superseded, or replaced from time to time.

“UK Data Protection Laws” means the Data Protection Act 2018 and the GDPR as incorporated into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 as amended, superseded, or replaced from time to time.

“US State Privacy Laws” means all applicable state laws relating to the protection and processing of personal data in effect in the United States of America, which may include, without limitation, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations.

2. Scope and Term

2.1 Roles of the Parties. For the purposes of the Subscription Agreement, the parties agree that:

(a) Subscriber is either a controller of personal data or a processor of personal data acting on another controller’s behalf (e.g. Subscriber’s affiliate) while passing down relevant processing instructions to MTech. Processing details are stated in Schedule 1 (Description of Processing).

(b) MTech is a processor (or respectively, a sub-processor) of personal data. Processing details are stated in Schedule 1 (Description of Processing).

2.2 Term of the DPA. The term of this DPA coincides with the term of the Subscription Agreement and terminates upon expiration or earlier termination of the Subscription Agreement (or, if later, the date on which MTech ceases all processing of Subscriber personal data).

2.3 Order of Precedence. If there is any conflict or inconsistency among the following documents, the order of precedence from highest to lowest will be (1) the applicable terms stated in Schedule 2 (Region-Specific Terms), (2) Schedule 1 (Description of Processing), (3) the main body of this DPA, and (4) the Subscription Agreement.

3. Processing of Personal Data

3.1 Subscriber Instructions.

(a) This DPA, the Subscription Agreement, the relevant SOWs, and Subscriber’s use of the Subscription Services (including related technical support services) and Professional Services constitute Subscriber’s documented instructions regarding MTech’s processing of Subscriber personal data (the “Documented Instructions”).

(b) MTech will process Subscriber personal data solely in accordance with the Documented Instructions, as further stated in Section 6 of Schedule 1 (Description of Processing). Subscriber: (i) must ensure its Documented Instructions comply with Applicable Data Protection Laws. MTech is not responsible for monitoring Subscriber’s compliance with Applicable Data Protection Laws; and (ii) is responsible for determining whether the Subscription Services and Professional Services are appropriate for the processing of Subscriber personal data under Applicable Data Protection Laws.

3.2 Confidentiality. MTech will treat Subscriber personal data as Confidential Information under the Subscription Agreement. MTech will ensure personnel authorized to process personal data are bound by written or statutory obligations of confidentiality.

4. Security

4.1 Security Measures. MTech has implemented and will maintain appropriate technical and organizational measures designed to protect the security, confidentiality, integrity, and availability of Subscriber Data and protect against Security Incidents. Subscriber is responsible for configuring the Subscription Services and using features and functionalities made available by MTech to maintain appropriate security in light of the nature of Subscriber Data. MTech’s current technical and organizational measures are described at https://mtechsystems.io/legal/security-measures/. Subscriber acknowledges that the security measures are subject to technical progress and development and that MTech may update or modify the security measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Subscription Services during the Subscription Term.

4.2 Security Incidents. MTech will notify Subscriber without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of a Security Incident involving personal data processed under this DPA. MTech will make reasonable efforts to identify the cause of the Security Incident, mitigate the effects, and remediate the cause to the extent within MTech’s reasonable control. Upon Subscriber’s request and taking into account the nature of the processing and the information available to MTech, MTech will assist Subscriber by providing information reasonably necessary for Subscriber to meet its Security Incident notification obligations under Applicable Data Protection Laws.

5. Sub-processors

5.1 General Authorization. By entering into this DPA, Subscriber provides general authorization for MTech to engage sub-processors to process Subscriber personal data. MTech will (i) enter into a written agreement with each sub-processor imposing data protection terms that require the sub-processor to protect Subscriber personal data to the standard required by Applicable Data Protection Laws and this DPA, and (ii) remain liable to Subscriber if such sub-processor fails to fulfill its data protection obligations with regard to the relevant processing activities under the Subscription Agreement.

5.2 Notice of New Sub-processors. MTech maintains an up-to-date list of its sub-processors at https://mtechsystems.io/legal/sub-processor-list, which contains a mechanism for Subscriber to subscribe to notifications of new sub-processors. MTech will provide notice of any changes to the list to those emails which are subscribed (excluding changes where any sub-processor is removed from the list).

5.3 Objection to New Sub-processors. Subscriber may object to MTech’s appointment of a new sub-processor within thirty (30) days of receipt of a change notice. The parties will discuss the objection in good faith. If the parties are unable to reach a solution, MTech may provide an alternative arrangement to exclude the sub-processor, even if doing so has an adverse effect on the provisioning of the Subscription Services or is at Subscriber’s expense, or if an alternative arrangement is not reasonably practicable for MTech, terminate the Subscription Agreement. Subscriber’s sole remedy if it does not agree with an alternate arrangement will be to terminate the Subscription Agreement without any liability for MTech.

6. Assistance and Cooperation Obligations

6.1 Data Subject Rights. Taking into account the nature of the processing, MTech will provide reasonable and timely assistance to Subscriber to enable Subscriber to respond to requests for exercising a data subject’s rights (including rights of access, rectification, erasure, restriction, objection, and data portability) in respect to Subscriber personal data.

6.2 Cooperation Obligations. Upon Subscriber’s reasonable request, and taking into account the nature of the processing, MTech will provide reasonable assistance to Subscriber in fulfilling Subscriber’s obligations under Applicable Data Protection Laws (including data protection impact assessments and consultations with regulatory authorities), provided that Subscriber cannot reasonably fulfill such obligations independently with the help of available documentation.

6.3 Third Party Requests. Unless prohibited by applicable law, MTech will promptly notify Subscriber of any valid, enforceable legal process or governmental request compelling MTech to disclose Subscriber personal data. In the event that MTech receives an inquiry or a request for information from any other third party (such as a regulator or data subject) concerning the processing of Subscriber personal data, MTech will redirect such inquiries to Subscriber, and will not provide any information unless required to do so under applicable law.

7. Deletion and Return of Subscriber Personal Data

7.1 During Subscription Term. During the Subscription Term, Subscriber and its end users may, through the features of the Subscription Services, access and retrieve Subscriber personal data. Subscriber may also request deletion of Subscriber personal data. Please note that certain system or security logs may be retained for operational integrity, security, and compliance purposes, even after a deletion request.

7.2 Post Termination. Following expiration or termination of the Subscription Agreement, MTech will, after a limited grace period, discontinue the processing of all Subscriber personal data that it has received as part of the Subscription Services. Notwithstanding the foregoing, MTech may retain personal data (i) as required by Applicable Data Protection Laws, or (ii) in accordance with its standard backup or record retention policies, provided that, in either case, MTech will maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to, retained personal data and not further process it except as required or permitted by Applicable Data Protection Laws.

8. Audit

8.1 Audit Reports. MTech is regularly audited by independent third-party auditors and/or internal auditors, including as described at https://mtechsystems.io/trust-center/. Upon request, and on the condition that Subscriber has entered into an applicable non-disclosure agreement with MTech, MTech will supply a summary or copy of the relevant audit report(s) to Subscriber, so Subscriber can verify MTech’s compliance with the audit standards against which it has been assessed and this DPA. If Subscriber cannot reasonably verify MTech’s compliance with the terms of this DPA, MTech will provide written responses (on a confidential basis) to all reasonable requests for information made by Subscriber related to MTech’s processing of personal data, provided that such right may be exercised no more than once every twelve (12) months.

8.2 On-site Audits. Only to the extent Subscriber cannot reasonably confirm MTech’s compliance with this DPA through the exercise of its rights under Section 8.1 above, or where required by Applicable Data Protection Laws or a regulatory authority, Subscriber, or its authorized representatives, may, at Subscriber’s expense, conduct audits during the term of the Subscription Agreement to assess MTech’s compliance with the terms of this DPA. Any audit must (i) be conducted during MTech’s regular business hours, with reasonable advance written notice of at least sixty (60) calendar days (unless Applicable Data Protection Laws or a regulatory authority requires a shorter notice period), (ii) be subject to reasonable confidentiality controls obligating Subscriber (and its authorized representatives) to keep confidential any information disclosed that, by its nature, should be confidential, (iii) occur no more than once every twelve (12) months, and (iv) restrict its findings to only information relevant to Subscriber.

9. International Transfers

International Provisions. To the extent MTech processes personal data protected by Applicable Data Protection Laws in one of the regions listed in Schedule 2 (Region-Specific Terms), the terms specified for the applicable regions will also apply, including the provisions relevant for international transfers of personal data (directly or via onward transfer).

Schedule 1 - Description of Processing

1. Categories of Data Subjects. Subscriber end users (employees, administrators, contractors).

2. Categories of Personal Data. Account and contact information (including name, job title, email, phone number, etc.), Subscriber Data (including any personal data contained therein), device and technical data (including IP addresses, device identifiers, etc.), usage data (including logs, usage metrics, performance data, etc.), support and communication data (including information provided to MTech in support tickets, emails and chats, feedback or survey responses, etc.), location data, security and authentication data (including authentication tokens, security logs, etc.).

3. Sensitive Data. The Subscription Services are not designed to process special categories of personal data or similarly sensitive information. Subscriber and its end users must not upload or submit any content that includes any such categories of data as defined under Applicable Data Protection Laws.

4. Frequency. Continuous, as necessary to provide services during the Subscription Term.

5. Nature of the Processing. MTech processes personal data as necessary to provide the Subscription Services and any Professional Services under the Subscription Agreement. The processing may include activities such as collection, organization, storage, transmission, access in connection with support, and making personal data available by automated means.

6. Purpose(s) of the Processing. MTech will process personal data as a processor in accordance with Subscriber’s Documented Instructions to: (a) provide and improve the Subscription Services and related Professional Services for Subscriber, and enable the use of various features and functionalities in the Subscription Services, as well as to investigate security incidents, and resolve issues, bugs, and errors; (b) enforce the Subscription Agreement (including the AUP); and (c) comply with MTech’s legal obligations. MTech is a controller of personal data as specified in MTech’s privacy policy available at https://mtechsystems.io/legal/privacy-policy/. For the sake of clarity, this DPA does not limit or prohibit MTech from acting in that capacity.

7. Duration of Processing. MTech will process personal data for the term of the Subscription Agreement as outlined in Section 7.

8. Transfers to Sub-processors. MTech will transfer personal data to sub-processors as permitted in Section 5. This may also involve transfers to other countries or jurisdictions as set out in the sub-processor list.

Schedule 2 - Region-Specific Terms

1. EU/EEA, United Kingdom, and Switzerland

1.1 EU/EEA Transfers. Where personal data protected by the EU Data Protection Laws is transferred, either directly or via onward transfer, to a country outside of the EU/EEA that is not subject to an adequacy decision, the following applies:

(a) The EU SCCs are hereby incorporated into this DPA by reference as follows:

(i) Subscriber is the “data exporter” and MTech is the “data importer”.

(ii) Module Two (Controller to Processor) applies where Subscriber is a controller of Subscriber personal data and MTech is processing Subscriber personal data as a processor.

(iii) Module Three (Processor to Processor) applies where Subscriber is a processor of Subscriber personal data and MTech is processing Subscriber personal data as another processor.

(iv) By entering into this DPA, each party is deemed to have signed the EU SCCs as of the commencement date of the Subscription Agreement.

(b) For each Module, where applicable:

(i) In Clause 7, the optional docking clause does not apply.

(ii) Clause 9, Option 2 applies, and the time period for prior notice of sub-processor changes is stated in Section 5 of this DPA.

(iii) In Clause 11, the optional language does not apply.

(iv) In Clause 17, Option 1 applies, and the EU SCCs are governed by Swedish law.

(v) In Clause 18(b), disputes will be resolved before the courts of Sweden.

(vi) The Appendix of EU SCCs is populated as follows:

(A) The information required for Annex I(A) is located in the Subscription Agreement and/or relevant SOWs.

(B) The information required for Annex I(B) is located in Schedule 1 (Description of Processing) of this DPA.

(C) The competent supervisory authority in Annex I(C) will be determined in accordance with the Applicable Data Protection Law.

(D) The information required for Annex II is located at https://mtechsystems.io/legal/security-measures/.

1.2 Swiss Transfers. Where personal data protected by Swiss Data Protection Laws is transferred, either directly or via onward transfer, to any other country that is not subject to an adequacy decision, the EU SCCs apply as stated in Section 1.1 (EU/EEA Transfers) above with the following modifications:

(a) All references in the EU SCCs to “Regulation (EU) 2016/679” will be interpreted as references to Swiss Data Protection Laws, and references to specific articles of “Regulation (EU) 2016/679” will be replaced with the equivalent article or section of Swiss Data Protection Laws. All references to the EU Data Protection Laws in this DPA will be interpreted as references to Swiss Data Protection Laws.

(b) In Clause 13, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

(c) In Clause 17, the EU SCCs are governed by the laws of Switzerland.

(d) In Clause 18(b), disputes will be resolved before the courts of Switzerland.

(e) All references to member state will be interpreted to include Switzerland and data subjects in Switzerland are not excluded from enforcing their rights in their place of habitual residence in accordance with Clause 18(c).

1.3 United Kingdom Transfers. Where personal data protected by the UK Data Protection Laws is transferred, either directly or via onward transfer, to a country outside of the United Kingdom that is not subject to an adequacy decision, the following applies:

(a) The EU SCCs apply as set forth in Section 1.1 (EU/EEA Transfers) above with the following modifications:

(i) Each party shall be deemed to have signed the UK Addendum.

(ii) For Table 1 of the UK Addendum, the parties’ key contact information is located in the Subscription Agreement and/or relevant SOW.

(iii) For Table 2 of the UK Addendum, the relevant information about the version of the EU SCCs, modules, and selected clauses which this UK Addendum is appended to is located above in Section 1.1 (EU/EEA Transfers).

(iv) For Table 3 of the UK Addendum:

(A) The information required for Annex 1A is located in the Subscription Agreement and/or relevant SOW.

(B) The information required for Annex 1B is located in Schedule 1 (Description of Processing) of this DPA.

(C) The information required for Annex II is located at https://mtechsystems.io/legal/security-measures/.

(D) The information required for Annex III is located in Section 5 of this DPA.

(b) In Table 4 of the UK Addendum, both the data importer and data exporter may end the UK Addendum.

2. United States of America

2.1 Applicability. The following terms apply where MTech processes personal data subject to US State Privacy Laws.

2.2 US Processing. To the extent Subscriber personal data includes personal information protected under US State Privacy Laws that MTech processes as a service provider or processor on behalf of Subscriber, MTech will process such personal information in accordance with the US State Privacy Laws, including by complying with applicable sections of US State Privacy Laws and providing the same level of privacy protection as required by US State Privacy Laws, and in accordance with Subscriber's Documented Instructions, as necessary for the limited and specified purposes identified in Section 6 of Schedule 1 (Description of Processing) of this DPA. MTech will not:

(a) retain, use, disclose, or otherwise process such personal information for a commercial purpose other than for the limited and specified purposes identified in this DPA, the Subscription Agreement, and/or any relevant SOWs, or for internal operations, service improvement, security, fraud prevention, legal compliance, or the creation of de-identified or aggregated data;

(b) “sell” or “share” such personal information within the meaning of the US State Privacy Laws; and

(c) retain, use, disclose, or otherwise process such personal information outside the direct business relationship with Subscriber and not combine Subscriber personal information with personal information that it receives from other sources, except as necessary to provide the Subscription Services or as permitted under US State Privacy Laws.

2.3 Duty To Inform. MTech will inform Subscriber if it determines that it can no longer meet its obligations under US State Privacy Laws.

2.4 Reasonable and Appropriate Steps. Subscriber may take reasonable and appropriate steps to stop and remediate any unauthorized processing of Subscriber personal information.

2.5 De-identified Data. To the extent Subscriber discloses or otherwise makes available de-identified data to MTech or to the extent MTech creates de-identified data from Subscriber Data and personal information, in each case in its capacity as a service provider, MTech will:

(a) adopt reasonable measures to prevent such de-identified data from being used to infer information about, or otherwise being linked to, a particular natural person or household;

(b) maintain such de-identified data in a de-identified form and not attempt to re-identify the de-identified data, except that MTech may attempt to re-identify such data solely for the purpose of determining whether its de-identification processes are compliant with the US State Privacy Laws; and

(c) before sharing de-identified data with any third party, including sub-processors, contractors, or other third parties, ensure such recipients are contractually obligated to comply with requirements substantially similar to those set out in this Section 2.

3. Brazil

3.1 LGPD Applicability. The parties warrant and guarantee that they will process personal data in accordance with applicable law, including but not limited to LGPD and any other legislation and rules applicable to the processing of personal data whose extraterritorial effects affect the parties and/or the transactions included by the Subscription Agreement solely and exclusively aiming to offer the services to the Subscriber.

3.2 Brazilian Transfers. Where personal data protected by LGPD is transferred, either directly or via onward transfer, to a country outside of Brazil that is not subject to an adequacy decision issued by the Brazilian Data Protection Authority (“ANPD”), the following applies:

(a) The Brazilian SCCs are hereby incorporated into this DPA by reference as follows:

(i) Subscriber is the “data exporter” and MTech is the “data importer”.

(ii) By entering into this DPA, each party is deemed to have signed the Brazilian SCCs as of the commencement date of the Subscription Agreement.

(b) The Brazilian SCCs are populated as follows:

(i) Clause 1 (Identification of the Parties) of the SCCs shall be deemed completed with the information set out in the Subscription Agreement.

(ii) Clause 2 (Object) of the SCCs shall be deemed completed with the information set out in Schedule 1 of this DPA.

(iii) Clause 3 (Onward Transfers) of the SCCs shall be deemed completed with the information set out in Schedule 1 of this DPA.

(iv) Clause 4 (Responsibilities of the Parties) of the SCCs: Option A shall apply, and the data exporter shall be responsible for complying with the obligations set out in clause 4.1 (a)-(c).

(v) Section III (Security Measures) of the SCCs shall be deemed completed with the information set out in Section 4 of this DPA.
