Data Processing Agreement
Madeium Global Data Processing Agreement
The customer agreeing to these terms (“Customer”), and Madeium, Inc. or any
other entity that directly or indirectly controls, is controlled by, or is under common
control with Madeium, Inc. (as applicable, “ Madeium”), have entered into an
agreement under which Madeium has agreed to provide a marketplace where Clients and Freelancers can identify each other and advertise, buy, and sell Freelancer Services online, with such other services, if any, described in the agreement (the “Service”) to Customer (as amended from time to time, the “Agreement”).
Unless otherwise agreed to in writing by you and Madeium, to the extent Madeium
processes any EU personal data for you as a controller ( as defined by the General Data Protection Regulation (EU) 2016/679) in your role as a Customer as defined in this Data Processing Agreement (the “DPA”), this DPA applies. This DPA, including its
appendices, supplements the Agreement. To the extent of any conflict or inconsistency
between this DPA and the remaining terms of the Agreement, this DPA will govern.
This DPA reflects the parties’ agreement with respect to the processing and security of
Customer Data under the Agreement.
2.1 The terms “personal data”, “data subject”, “processing”, “controller”, “processor” and “supervisory authority” have the meanings given in the GDPR, and
the terms “data importer” and “data exporter” have the meanings given in the Model
Contract Clauses, in each case irrespective of whether the European Data Protection
Legislation or Non-European Data Protection Legislation applies.
2.2 Unless stated otherwise:
- “Affiliate” means any entity that controls or is under common control with a specified
- “Agreed Liability Cap” means the maximum monetary or payment-based amount at
which a party’s liability is capped under the Agreement.
- “Alternative Transfer Solution” means a solution, other than the Model Contract
Clauses, that enables the lawful transfer of personal data to a third country in
accordance with Article 45 or 46 of the GDPR (for example, the EU-U.S. Privacy
- “Customer Data” means the data entered into the Service by or on behalf of any
- “End User” means an authorized user of the Service under Customer’s account.
- “Customer Personal Data” means the personal data contained within the Customer
- “Data Incident” means a breach of Madeium’s security leading to the accidental or
unlawful destruction, loss, alteration, unauthorized disclosure of, or access to,
Customer Data on systems managed by or otherwise controlled by Madeium. “Data
Incidents” will not include unsuccessful attempts or activities that do not compromise
the security of Customer Data, including unsuccessful log-in attempts, pings, port
scans, denial of service attacks, and other network attacks on firewalls or networked
- “EEA” means the European Economic Area.
- “European Data Protection Legislation” means, as applicable: (a) the GDPR;
and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the
Council of 27 April 2016 on the protection of natural persons with regard to the
processing of personal data and on the free movement of such data, and repealing
- “Model Contract Clauses” or ”MCCs” mean the standard data protection clauses
for the transfer of personal data to processors established in third countries which do
not ensure an adequate level of data protection, as described in Article 46 of the
- “Non-European Data Protection Legislation” means data protection or privacy
laws, regulations, and other legal requirements other than the European Data
- “Notification Email Address” means the contact email address that you provided to
Madeium for the purpose of receiving notices from Madeium.
- “Security Measures” has the meaning given in Section 7.1.1 (Madeium’s Security
- “Subprocessors” means third parties authorized under this DPA to have logical
access to and process Customer Data in order to provide parts of the Services. For
clarity, freelancers that clients engage via Madeium are not Subprocessors under this
- “Term” means the period from the DPA’s effective date until the end of Madeium’s
provision of the Services, including, if applicable, any period during which provision
of the Services may be suspended and any post-termination period during which
Madeium may continue providing the Services for transitional purposes.
3. Duration of this DPA
This DPA will remain in effect until, and automatically expire upon, deletion of all
Customer Data by Madeium as described in this DPA.
4. Data Protection Legislation
- 4.1 Application of European Legislation. The parties acknowledge that the European
Data Protection Legislation will apply to the processing of Customer Personal Data to
the extent provided under the European Data Protection Legislation.
- 4.2 Application of Non-European Legislation. The parties acknowledge that Non-European Data Protection Legislation may also apply to the processing of Customer Personal Data.
- 4.3 Application of DPA . Except to the extent this DPA states otherwise, this DPA will
apply irrespective of whether the European Data Protection Legislation or Non-European Data Protection Legislation applies to the processing of Customer
5. Processing of Data
- 5.1 Roles and Regulatory Compliance; Authorization.
- 5.1.1 Processor and Controller Responsibilities. If the European Data Protection
- Legislation applies to the processing of Customer Personal Data, the parties
acknowledge and agree that:
- a. Customer is a controller (or processor, as applicable), of the Customer
Personal Data under European Data Protection Legislation;
- b. Madeium is a processor (or subprocessor, as applicable) of the Customer
Personal Data under the European Data Protection Legislation; and
- c. each party will comply with the obligations applicable to it under the
European Data Protection Legislation with respect to the processing of
that Customer Personal Data.
- 5.1.2 Responsibilities under Non-European Legislation. If Non-European Data
Protection Legislation applies to either party’s processing of Customer Personal
Data, the parties acknowledge and agree that the relevant party will comply with
any obligations applicable to it under that legislation with respect to the processing of that Customer Personal Data.
- 5.1.3 Authorization by Third Party Controller. If Customer is a processor, Customer
warrants to Madeium that Customer’s instructions (defined below) and actions with respect to that Customer Personal Data, including its appointment of Madeium as another processor, have been authorized by the relevant controller to the extent required by applicable law.
- 5.2 Scope of Processing.
- 5.2.1 The subject matter and details of the processing are described in Appendix 1.
- 5.2.2 Customer’s Instructions. By entering into this DPA, Customer instructs Madeium to process Customer Personal Data only in accordance with applicable law: (a) to
provide the Services; (b) as further specified through Customer’s use of the
Services; (c) as documented in the Agreement, including this DPA; and (d) as
further documented in any other written instructions given by Customer and
acknowledged by Madeium as constituting instructions for purposes of this DPA
(each and collectively, “Customer’s Instructions”). Madeium may condition the
acknowledgement described in (d) on the payment of additional fees or the
acceptance of additional terms.
- 5.2.3 Madeium’s Compliance with Instructions. With respect to Customer Data subject to European Data Protection Legislation, Madeium will comply with the instructions described in Section 5.2.2 (Customer’s Instructions) (including with regard to data transfers) unless EU or EU Member State law to which Madeium is subject requires other processing of Customer Personal Data by Madeium, in which case Madeium will inform Customer (unless that law prohibits Madeium from doing so on important grounds of public interest) via the Notification Email Address.
6. Data Deletion
- 6.1 Deletion by Customer. Madeium will enable Customer to delete Customer Data during the Term in a manner consistent with the functionality of the Services. If Customer uses the Services to delete any Customer Data during the Term and that Customer Data cannot be recovered by Customer, this use will constitute an instruction to Madeium to delete the relevant Customer Data from Madeium’s systems in accordance with applicable law. Madeium will comply with this instruction as soon as reasonably practicable, unless applicable law requires storage.
- 6.2 Deletion on Termination. On expiry of the Term, Customer instructs Madeium to
delete all Customer Data (including existing copies) from Madeium’s systems in
accordance with applicable law. Madeium will comply with this instruction as soon as
reasonably practicable, unless applicable law requires storage. Without prejudice to
Section 9.1 (Access; Rectification; Restricted Processing; Portability), Customer
acknowledges and agrees that Customer will be responsible for exporting, before the
Term expires, any Customer Data it wishes to retain afterwards.
7. Data Security
- 7.1 Madeium’s Security Measures, Controls and Assistance.
- 7.1.1 Madeium’s Security Measures. Madeium will implement and maintain technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the “Security Measures”). As described in Appendix 2, the Security Measures include measures to encrypt personal data; to help ensure ongoing confidentiality, integrity, availability and resilience of Madeium’s systems and services; to help restore timely access to personal data following an incident; and for regular testing of effectiveness. Madeium may update or modify the Security Measures from time to time provided that such updates and modifications do not degrade the overall security of the Services.
- 7.1.2 Security Compliance by Madeium Staff. Madeium will take appropriate steps to
ensure compliance with the Security Measures by its staff to the extent applicable to their scope of performance, including ensuring that all such persons it authorizes to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- 7.1.3 Madeium’s Security Assistance. Customer agrees that Madeium will (taking into
account the nature of the processing of Customer Personal Data and the
information available to Madeium) assist Customer in ensuring compliance with
any of Customer’s obligations in respect of security of personal data and
personal data breaches, including if applicable Customer’s obligations pursuant
to Articles 32 to 34 (inclusive) of the GDPR, by:
- a. implementing and maintaining the Security Measures in accordance with
Section 7.1.1 (Madeium’s Security Measures);
- b. complying with the terms of Section 7.2 (Data Incidents); and
- c. providing Customer with the information contained in the Agreement
including this DPA.
- 7.2 Data Incidents
- 7.2.1 Incident Notification. If Madeium becomes aware of a Data Incident, Madeium will: (a) notify Customer of the Data Incident promptly and without undue delay after becoming aware of the Data Incident; and (b) promptly take reasonable steps to minimize harm and secure Customer Data.
- 7.2.2 Details of Data Incident. Notifications made pursuant to this section will describe,
to the extent practicable, details of the Data Incident, including steps taken to
mitigate the potential risks and any steps Madeium recommends Customer take to address the Data Incident.
- 7.2.3 Delivery of Notification. Notification(s) of any Data Incident(s) will be delivered to
the Notification Email Address or, at Madeium’s discretion, by direct
communication (for example, by phone call or an in-person meeting). Customer
is solely responsible for ensuring that the Notification Email Address is current
- 7.2.4 No Assessment of Customer Data by Madeium. Madeium will not assess the
contents of Customer Data in order to identify information subject to any specific
legal requirements. Customer is solely responsible for complying with legal
requirements for incident notification applicable to Customer and fulfilling any
third party notification obligations related to any Data Incident(s).
- 7.2.5 No Acknowledgement of Fault by Madeium. Madeium’s notification of or response to a Data Incident under this Section 7.2 (Data Incidents) is not an
acknowledgement by Madeium of any fault or liability with respect to the Data
- 7.3 Customer’s Security Responsibilities and Assessment.
- 7.3.1 Customer’s Security Responsibilities. Customer agrees that, without prejudice to
Madeium’s obligations under Section 7.1 (Madeium’s Security Measures, Controls and Assistance) and Section 7.2 (Data Incidents):
- a. Customer is solely responsible for its use of the Services, including
- i. making appropriate use of the Services to ensure a level of security
appropriate to the risk in respect of the Customer Data;
- ii. securing the account authentication credentials, systems and devices
Customer uses to access the Services;
- iii. backing up its Customer Data; and
- b. Madeium has no obligation to protect Customer Data that Customer elects
to store or transfer outside of the Service.
- 7.3.2 Customer’s Security Assessment.
- a. Customer is solely responsible for reviewing Madeium’s security processes
and evaluating for itself whether the Services, the Security Measures, and
Madeium’s commitments under this Section 7 (Data Security) will meet
Customer’s needs, including with respect to any security obligations of
Customer under the European Data Protection Legislation or
Non-European Data Protection Legislation, as applicable.
- b. Customer acknowledges and agrees that (taking into account the state of
the art, the costs of implementation and the nature, scope, context and
purposes of the processing of Customer Personal Data as well as the
risks to individuals) the Security Measures implemented and maintained
by Madeium as set out in Section 7.1.1 (Madeium’s Security Measures)
provide a level of security appropriate to the risk in respect of the
- 7.4 Reviews and Audits of Compliance
- 7.4.1 Customer’s Audit Rights.
- a. If the European Data Protection Legislation applies to the processing of
Customer Personal Data, Madeium will allow Customer or an independent
auditor appointed by Customer to conduct audits (including inspections) to
verify Madeium’s compliance with its obligations under this DPA in
accordance with Section 7.4.2 (Additional Business Terms for Reviews
and Audits). Madeium will contribute to such audits as described in this
Section 7.4 (Reviews and Audits of Compliance).
- b. If Customer has entered into Model Contract Clauses as described in
Section 10.2 (Transfers of Data Out of the EEA), Madeium will, without
prejudice to any audit rights of a supervisory authority under such Model
Contract Clauses, allow Customer or an independent auditor appointed by
Customer to conduct audits as described in the Model Contract Clauses in
accordance with Section 7.4.2 (Additional Business Terms for Reviews
- 7.4.2 Additional Business Terms for Reviews and Audits.
- a. If the European Data Protection Legislation applies to the processing of
Customer Personal Data, Customer may exercise its right to audit Madeium
under Sections 7.4.1(a) or 7.4.1(b): (1) where there has been a Data
Incident within the previous six (6) months or there is reasonable
suspicion of a Data Incident within the previous six (6) months or (2)
where Customer will pay all reasonable costs and expenses incurred by
Madeium in making itself available for an audit. Any third party who will be
involved with or have access to the audit information must be mutually
agreed to by Customer and Madeim and must execute a written
confidentiality agreement acceptable to Madeium before conducting the
- b. To request an audit under Section 7.4.1(a) or 7.4.1(b), Customer must
submit a detailed audit plan to Madeium’s Privacy Contact as described in
Section 12 (Privacy Contact; Processing Records) at least thirty (30) days
in advance of the proposed audit date, describing the proposed scope,
duration, and start time of the audit. The scope may not exceed a review
of Madeium’s compliance with the Model Contract Clauses or its
compliance with the European Data Protection Legislation, in each case
with respect to the Customer Data. The audit must be conducted during
regular business hours at the applicable facility, subject to Madeium
policies, and may not interfere with Madeium business activities.
- c. Following receipt by Madeium of a request for an audit under Section
7.4.1(a) or 7.4.1(b), Madeium and Customer will discuss and agree in
advance on: (i) the reasonable date(s) of and security and confidentiality
controls applicable to any review of documentation; and (ii) the reasonable
start date, scope and duration of and security and confidentiality controls
applicable to any audit under Section 7.4.1(a) or 7.4.1(b).
- d. Customer will be responsible for any fees it incurs, including any fees
charged by any auditor appointed by Customer to execute any such audit.
- e. Customer will provide Madeium any audit reports generated in connection
with any audit under this section, unless prohibited by law. Customer may
use the audit reports only to meet its regulatory audit requirements and to
confirm compliance with the requirements of the Model Contract Clause or
European Data Protection Legislation. The audit reports, and all information and records observed or otherwise collected in the course of the audit, are Confidential Information of Madeium under the terms of the Agreement.
- f. Madeium may object in writing to an auditor appointed by Customer if the
auditor is, in Madeium’s reasonable opinion, not suitably qualified or
independent, a competitor of Madeium, or otherwise unsuitable. Any such
objection by Madeium will require Customer to appoint another auditor or
conduct the audit itself.
- g. Nothing in these Data Processing Terms will require Madeium either to
disclose to Customer [or its auditor], or to allow Customer [or its auditor] to
- i. any data of any other customer of Madeium;
- ii. Madeium’s internal accounting or financial information;
- iii. any trade secret of Madeium;
- iv. any information that, in Madeium's reasonable opinion, could: (A)
compromise the security of Madeium systems or premises; or (B) cause
Madeium to breach its obligations under applicable law or its security
and/or privacy obligations to Customer or any third party; or
- v. any information that Customer [or its third party auditor] seeks to
access for any reason other than the good faith fulfilment of
Customer’s obligations under the Model Contract Clauses or European
Data Protection Legislation.
- 7.4.3 No Modification of MCCs. Nothing in this Section 7.4 (Reviews and Audits of
Compliance) varies or modifies any rights or obligations of Customer or Madeium
under any Model Contract Clauses entered into as described in Section 10.2
(Transfers of Data Out of the EEA).
8. Impact Assessments and Consultations
Customer agrees that Madeium will (taking into account the nature of the processing and the information available to Madeium) assist Customer in ensuring compliance with any obligations of Customer in respect of data protection impact assessments and prior
consultation, including if applicable Customer’s obligations pursuant to Articles 35 and
36 of the GDPR, by providing the information contained in the Agreement including this
9. Data Subject Rights; Data Export
- 9.1 Access; Rectification; Restricted Processing; Portability. During the Term, Madeium
will, in a manner consistent with the functionality of the Services, enable Customer to
access, rectify and restrict processing of Customer Data, including via the deletion
functionality provided by Madeium as described in Section 6.1 (Deletion by Customer),
and to export Customer Data.
- 9.2 Data Subject Requests
- 9.2.1 Customer’s Responsibility for Requests. During the Term, if Madeium receives any
request from a data subject under GDPR in relation to Customer Personal Data,
Madeium will advise the data subject to submit their request to Customer, and
Customer will be responsible for responding to any such request including, where
necessary, by using the functionality of the Services.
- 9.2.2 Madeium’s Data Subject Request Assistance. Customer agrees that Madeium will
(taking into account the nature of the processing of Customer Personal Data)
reasonably assist Customer in fulfilling an obligation to respond to requests by
data subjects described in Section 9.2.1 (Customer’s Responsibility for Requests), including, if applicable, Customer’s obligation to respond to requests
for exercising the data subject’s rights laid down in Chapter III of the GDPR, by
complying with the commitments set out in Section 9.1 (Access; Rectification;
Restricted Processing; Portability) and Section 9.2.1 (Customer’s Responsibility
10. Data Transfers
- 10.1 Data Storage and Processing Facilities. Madeium may, subject to Section 10.2
(Transfers of Data Out of the EEA), store and process the relevant Customer Data
anywhere Madeium or its Subprocessors maintain facilities.
- 10.2 Transfers of Data Out of the EEA.
- 10.2.1 Madeium’s Transfer Obligations. If the storage and/or processing of Customer
Personal Data (as set out in Section 10.1 (Data Storage and Processing
Facilities)) involves transfers of Customer Personal Data out of the EEA, and the
European Data Protection Legislation applies to the transfers of such data
(“Transferred Personal Data”), Madeium will
- a. maintain its membership in and comply with the EU-U.S. and Swiss-U.S.
Privacy Shield Frameworks with respect to such data or, at Madeium’s
election, offer and comply with another Alternative Transfer Solution and
make appropriate information available to Customer about such
Alternative Transfer Solution; or
- b. enter into and comply with Model Contract Clauses, with Customer listed
as the data exporter of such data and Madeium as the importer of such
data. Appendix I of such Model Contract Clauses shall be completed using
the details in Appendix I of this DPA and appropriate descriptions of the
parties. Appendix II of the Model Contract Clauses shall consist of a
reference to Section 7 of this DPA.
- 10.2.2 Data Transfer Details.
- a. Madeium will not be required to enter into Model Contract Clauses with
Customer unless (i) European Data Protection Legislation requires either
Customer or Madeium to enter into such Model Contract Clauses due to the
invalidity or unavailability of the options set forth in 10.2.1(a) or (ii)
Customer is required to enter into Model Contract Clauses with Madeium
because Customer, as a processor of the Transferred Personal Data, is
itself an importer under Model Contract Clauses and Madeium is
Customer’s subprocessor under such Model Contract Clauses. If
Customer is a member of the EU-U.S. or Swiss-U.S. Privacy Shield
Frameworks and is transferring data subject to such Frameworks onward
to Madeium, or if Customer has a contractual obligation to protect such data
as if it were subject to such Frameworks: (i) Madeium will provide at least
the same level of protection for the data as is required under the EU-U.S.
and Swiss-U.S. Privacy Shield programs, and (ii) if Madeium determines
that it can no longer provide this level of protection, Madeium will promptly
notify Customer of this determination, and (iv) in that case, or upon notice,
Madeium will take reasonable and appropriate steps to stop and remediate
unauthorized processing of the data.
10.3 Disclosure of Confidential Information Containing Personal Data. If Customer has
entered into Model Contract Clauses as described in Section 10.2 (Transfers of Data
Out of the EEA), Madeium will, notwithstanding any term to the contrary in the
Agreement, ensure that any disclosure of Customer's Confidential Information
containing personal data, and any notifications relating to any such disclosures, will be
made in accordance with such Model Contract Clauses.
Madeium may add or remove Subprocessors from time to time. Madeium will inform
Customer of new Subprocessors via a subscription mechanism described in the list
of Subprocessors as described above. If Customer objects to a change, it will provide Madeium with notice of its objection to firstname.lastname@example.org including reasonable detail supporting Customer’s concerns within sixty days of receiving notice of a change from Madeium or, if Customer has not subscribed to receive such notice, within sixty days of Madeium publishing the change. Madeium will then use commercially reasonable efforts to review and respond to Customer’s objection within thirty days of receipt of Customer’s objection. If Madeium does not respond to a Customer objection as described above, or cannot reasonably accommodate Customer’s objection, Customer may terminate the Agreement by providing written notice to Madeium. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Subprocessor.
12. Privacy Contact; Processing Records
- 12.1 Madeium’s Privacy Contact. Privacy inquiries related to this DPA can be submitted
to email@example.com (and/or via such other means as Madeium may provide from
time to time).
- 12.2 Madeium’s Processing Records. Customer acknowledges that Madeium is required under the GDPR to: (a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which Madeium is acting and, where applicable, of such processor’s or controller's local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, if the GDPR applies to the processing of Customer Personal Data, Customer will, where requested, provide such information to Madeium via the Service or other means provided by Madeium, and will use the Service or such other means to ensure that all information provided is kept accurate and up-to-date.
- 13.1 Liability Cap. For clarity, the total combined liability of either party and its Affiliates
towards the other party and its Affiliates under or in connection with the Agreement
(such as under the DPA or any Model Contract Clauses) will be limited to the Agreed
Liability Cap for the relevant party, subject to Section 13.2 (Liability Cap Exclusions).
- 13.2 Liability Cap Exclusions. Nothing in Section 13.1 (Liability Cap) will affect the
remaining terms of the Agreement relating to liability (including any specific exclusions
from any limitation of liability).
Notwithstanding anything to the contrary in the Agreement, where Madeium, Inc.
is not a party to the Agreement, Madeium, Inc. will be a third-party beneficiary of
Section 7.4 (Reviews and Audits of Compliance), Section 11.1 (Consent to
Subprocessor Engagement) and Section 13 (Liability) of this DPA.
Appendix 1: Subject Matter and Details of the Data
Madeium’s provision of the Services to Customer.
Duration of the Processing
The Term plus the period from the expiry of the Term until deletion of all Customer Data
by Madeium in accordance with the DPA.
Nature and Purpose of the Processing
Madeium will process Customer Personal Data for the purposes of providing the Services to Customer in accordance with the DPA.
Categories of Data
Data relating to End Users or other individuals provided to Madeium via the Services, by
(or at the direction of) Customer or by End Users. The open nature of the Services does
not impose a technical restriction on the categories of data Customer may provide. The
personal data transferred may include: name, username, password, email address,
telephone and fax number, title and other business information, general information
about interest in and use of Madeium services; and demographic information.
Data subjects include End Users and the individuals about whom data is provided to
Madeium via the Services by (or at the direction of) Customer or by End Users.
Appendix 2: Security Measures
Madeium will implement and maintain the Security Measures set out in this Appendix 2.
Madeium may update or modify such Security Measures from time to time provided that
such updates and modifications do not result in the degradation of the overall security of
the Services. Madeium will:
- Conduct information security risk assessments at least annually and whenever
there is a material change in the organization’s business or technology practices
that may impact the privacy, confidentiality, security, integrity or availability of
Customer Personal Data.
- Regularly and periodically train personnel who have access to Customer
Personal Data or relevant Madeium Systems.
- Maintain secure user authentication protocols, secure access control methods,
and firewall protection for Madeium Systems that Process Customer Personal
- Maintain policies and procedures to detect, monitor, document and respond to
actual or reasonably suspected Information Security Incidents.
- Implement and maintain tools that detect, prevent, remove and remedy malicious
code designed to perform an unauthorized function on or permit unauthorized
access to Madeium Systems.
- Implement and maintain up-to-date firewalls.
- Implement and use cryptographic modules to protect Customer Personal Data in
transit and, when commercially reasonable, at rest.
- Maintain reasonable restrictions on physical access to Customer Personal Data
and relevant Madeium Systems.