GDPR DATA PROCESSING AGREEMENT
This GDPR Data Processing Agreement (Agreement) is effective as of May 25, 2018.
“Mojo” shall mean Mojo Networks, Inc., including its Affiliates.
“Affiliate” shall mean any entity that directly, or through one or more intermediaries, controls or is controlled by or is under common control with Mojo.
“Mojo Cloud” shall mean software-as-a service network management platform provided by Mojo.
“Mojo Device” shall mean an access point, sensor or switch that is managed from Mojo Cloud.
“You” or “Your” shall mean any person, entity or organization that is responsible to operate a network comprising Mojo Device(s), or any person, entity or organization that obtains account to access Mojo Cloud.
“Administrator” shall mean Your person who access Mojo Cloud functionality.
“Mojo Administrator” shall mean Mojo person who accesses Mojo Cloud functionality that is associated with Mojo Device(s) installed in Your network, users of Your network, or Administrators.
“Data” means information that may be personally identifiable to You or users of Your network.
“Data Processing” means any operation or set of operations which is performed on Data such as receiving, storing and processing.
“Data Subject” means an identified or identifiable natural person to whom Data relates.
“Controller” means any person, entity or organization that determines the purposes and means of Data Processing.
“Processor” means any person, entity or organization that performs Data Processing on behalf of the Controller.
1. Data Processing Roles
This Data Processing Agreement (“Agreement”) applies when You install Mojo Device(s) in Your network and/or obtain account to access Mojo Cloud. Mojo will act as a Processor to You and You will act as a Controller for Data Processing in Mojo Cloud. Mojo performs Data Processing with Your consent. You have a right to withdraw consent at any time for future processing by unsubscribing from Mojo Cloud and removing Mojo Device(s) from Your network.
2. Subject Matter, Nature, Purpose, Types, Instruction
The scope of Data Processing in Mojo Cloud is outlined below.
Mojo Cloud performs Data Processing involving Medium Access Control (MAC) addresses and Internet Protocol (IP) addresses of devices in the wired portion of Your network where Mojo Device is installed, and of devices that are visible in radio frequency (RF) proximity of the Mojo Device, referred herein as wired devices and wireless devices, respectively. Mojo Cloud also incorporates additional information about the wireless devices in Data Processing, such as their activity times, configurations, locations, and any labels You may specify to identify them. For the wireless devices (wireless clients) that access Your network through the Mojo Devices (acting as Access Points), additional information such as host names, WPA2 login identities, volume of traffic transacted, applications used, and websites accessed, is also included in Data Processing. Information about the wired and wireless devices described above is referred herein as “Device Profiles”. Inclusion of Device Profiles in Data Processing in Mojo Cloud is required for the purpose of providing wireless connectivity, monitoring and security for Your network. You acknowledge and agree that the act of installing any Mojo Device in Your network or obtaining account to access Mojo Cloud constitutes Your instruction to Mojo to perform Data Processing in Mojo Cloud involving Device Profiles in Your network.
Data Processing in Mojo Cloud may also include additional information depending on optional functionality that You choose to enable. If You enable any functionality in Mojo Cloud, that obtains information about user identities accessing Your wireless network over captive portal (“Portal Identities”), then Data Processing in Mojo Cloud needs to include Portal Identities for the purpose of delivering the functionality selected by You. For example, Portal Identities are included in Data Processing if You enable captive logins using user accounts, social media credentials, SMS, paid access or web form filling. Data Processing also includes correlating Portal Identities with Device Profiles.
You acknowledge and agree that the act of enabling a specific captive portal functionality for Your network constitutes Your instruction to Mojo to include Portal Identities associated with that functionality in Data Processing in Mojo Cloud.
Data Processing in Mojo Cloud needs to include identities of Administrators (“Administrator Identities”) for the purpose of identification and authentication of Administrators, and for auditing of actions performed by the Administrators.
3. Duration and Deletion
Mojo will perform Data Processing as long as You operate Mojo Devices in Your network or maintain account to access Mojo Cloud. During this period, Administrators can search Data elements on online servers using menu options provided. They can generate search report in structured, commonly used and machine-readable format. They can manually delete a number of types of Data elements on online servers using menu options provided. You must make use of these search, report and manual deletion options to perform Data operations according to Your requirements and Your obligations to Data Subjects. For types of Data elements on online servers that cannot be manually deleted by Administrators, Mojo sets time based automatic deletion threshold of 30 days.
Mojo regularly performs backups of online servers in Mojo Cloud. These backups are used for failure or disaster recovery. The backups are not accessible to You. Mojo automatically deletes each backup (including Data) 30 days after it is taken.
Upon termination of Your subscription to Mojo Cloud, Data on online servers is deleted within 30 days. The last backup containing Data will be automatically deleted 30 days after it is taken.
4. International Transfers
Data Processing in Mojo Cloud occurs within Amazon Web Services (AWS) data centers and facilities of Mojo, located in geographical territories of the European Union, the United States and India. In particular, Data Processing involving Device Profiles and Captive Portal Identities for European customers is performed in the AWS data centers in the European Union. Data Processing involving Administrator Identities is performed in the AWS data centers in the United States. For the purposes of providing technical support to You, Mojo Administrators may access Data from the European Union, the United States or India.
If You choose to use Mojo Cloud, You acknowledge and agree that Mojo may transfer Data outside of Your home country and outside of the European Union for Data Processing as outlined above and that the “standard contractual clauses” for the transfer of Personal Data to processors, in accordance with Article 26(2) of Directive 95/46/EC are incorporated herein by reference where You are the data exporting organization and Mojo is the data importing organization. A copy of the standard contractual clauses may be found at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32010D0087.
Mojo does not disclose Data in Mojo Cloud to any person or entity, other than its employees, consultants, agents and service providers who are bound by agreements, obligations or duties respecting Data confidentiality. Reciprocally, You agree not to disclose any Mojo confidential information that you may receive during performance of this Agreement to any third party.
Mojo Cloud is hosted in Amazon Web Services (AWS) data centers. AWS adopts the Shared Responsibility Model (“SRM”) for cloud security. In this model, AWS manages security of the data centers, including physical security, environmental protection, administrative controls, technical controls, and redundant infrastructure. Mojo inherits data center security controls from AWS and does not have ability to influence their implementation, and does not have ability to monitor or audit them. AWS provides information about the data center security on its website.
According to SRM, Mojo manages security of Mojo Cloud applications and application data, including network boundary protection, host firewalls, application hardening, vulnerability assessment, data encryption in transit and at rest, logical access control, availability monitoring, change management, and disaster recovery. Mojo continuously performs monitoring and evaluation of security controls in Mojo cloud. This includes internal audits and independent third party assessments.
Mojo shall notify You without undue delay upon becoming aware of any Data breach.
7. Another Processor
Mojo currently does not engage any sub-Processor for Data Processing. In the event Mojo decides to engage a sub-Processor for Data Processing in future, Mojo will notify You at least 30 days prior to providing access to Data to the sub-Processor. In case you have objection to Mojo’s planned engaging of the sub-Processor and You communicate Your objection to Mojo within 30 days of the above mentioned notification and using communication means prescribed in the notification, Mojo will work with You to keep Your Data outside the scope of such sub-Processor.
8. Data Subject's Right
Communication with Data Subjects
In Your role as Controller, You are responsible for information provision to Data Subjects regarding Data Processing and their rights, using Your own communication tools and communication methods. In certain cases, you may be able to use any tools provided by Mojo Cloud to complement Your own information provision to Data Subjects. For example, Mojo Cloud provides customizable captive portal, which You can configure and populate to provide information to Data Subjects prior to collecting Portal Identities. You acknowledge and agree that, in its role as Processor, Mojo does not engage in information provision regarding Data Processing and regarding rights of Data Subjects to Data Subjects in Your network.
Access, Erasure, Restriction, Rectification
You can use tools provided in Mojo Cloud to search for Data elements of interest on online servers to meet any requests from Data Subjects. You may erase Data elements of interest from online servers in Mojo Cloud as described in Section 3.
The backed up data in Mojo Cloud is automatically deleted after 30 days as described in Section 3. Mojo does not provide facility to search for Data elements of interest in backups. However, if requested by You, Mojo can provide backed up data to You within 30 days of You making such request to Mojo technical support at https://www.mojonetworks.com/support, so that You can do the necessary searching on Your own.
Mojo does not provide tools for Data rectification and recommends deleting the relevant Data elements in lieu of rectification.
9. Certifications and Audit
Mojo has established Information Security Management System (“ISMS”) in accordance with ISO 27001:2013 standard. It will continue to maintain its ISMS according ISO 27001:2013 or other alternative equivalent standard. Upon Your request, Mojo will make available to You an audit report of its ISMS which You acknowledge is Mojo confidential information. You agree to maintain in confidence the audit report provided by Mojo and not disclose such report to any third party.
Mojo will make reasonable and good faith efforts to facilitate any audits or inspections that You may want to carry out in Mojo Cloud. The audit or inspection plan will need to be mutually agreed between You and Mojo at least 30 days in advance of the commencement of the audit or inspection. If the audit or inspection requires significant resources from Mojo, You agree to reasonably compensate Mojo for such resources. The compensation details will be included in the audit or inspection plan. Mojo will not provide any information to You that is associated with its customers other than You during the audit or inspection.
10. Cooperation with Supervisory Authority
The parties to this agreement agree that the parties, and where applicable their representatives, will cooperate, on request, with the competent supervisory authority in the performance of its tasks, with respect to Data Processing in Mojo Cloud.