Data Processing Agreement

Madeium Global Data Processing Agreement

The customer agreeing to these terms (“Customer”), and Madeium, Inc. or any other entity that directly or indirectly controls, is controlled by, or is under common control with Madeium, Inc. (as applicable, “ Madeium”), have entered into an agreement under which Madeium has agreed to provide a marketplace where Clients and Freelancers can identify each other and advertise, buy, and sell Freelancer Services online, with such other services, if any, described in the agreement (the “Service”) to Customer (as amended from time to time, the “Agreement”).

Unless otherwise agreed to in writing by you and Madeium, to the extent Madeium processes any EU personal data for you as a controller ( as defined by the General Data Protection Regulation (EU) 2016/679) in your role as a Customer as defined in this Data Processing Agreement (the “DPA”), this DPA applies. This DPA, including its appendices, supplements the Agreement. To the extent of any conflict or inconsistency between this DPA and the remaining terms of the Agreement, this DPA will govern.

1. Introduction

This DPA reflects the parties’ agreement with respect to the processing and security of Customer Data under the Agreement.

2. Definitions

2.1 The terms “personal data”, “data subject”, “processing”, “controller”, “processor” and “supervisory authority” have the meanings given in the GDPR, and the terms “data importer” and “data exporter” have the meanings given in the Model Contract Clauses, in each case irrespective of whether the European Data Protection Legislation or Non-European Data Protection Legislation applies.

2.2 Unless stated otherwise:

3. Duration of this DPA

This DPA will remain in effect until, and automatically expire upon, deletion of all Customer Data by Madeium as described in this DPA.

4. Data Protection Legislation

5. Processing of Data

6. Data Deletion

7. Data Security

8. Impact Assessments and Consultations

Customer agrees that Madeium will (taking into account the nature of the processing and the information available to Madeium) assist Customer in ensuring compliance with any obligations of Customer in respect of data protection impact assessments and prior consultation, including if applicable Customer’s obligations pursuant to Articles 35 and 36 of the GDPR, by providing the information contained in the Agreement including this DPA.

9. Data Subject Rights; Data Export

10. Data Transfers

11. Subprocessors

Madeium may add or remove Subprocessors from time to time. Madeium will inform Customer of new Subprocessors via a subscription mechanism described in the list of Subprocessors as described above. If Customer objects to a change, it will provide Madeium with notice of its objection to legal@madeium.com including reasonable detail supporting Customer’s concerns within sixty days of receiving notice of a change from Madeium or, if Customer has not subscribed to receive such notice, within sixty days of Madeium publishing the change. Madeium will then use commercially reasonable efforts to review and respond to Customer’s objection within thirty days of receipt of Customer’s objection. If Madeium does not respond to a Customer objection as described above, or cannot reasonably accommodate Customer’s objection, Customer may terminate the Agreement by providing written notice to Madeium. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Subprocessor.

12. Privacy Contact; Processing Records

13. Liability

14. Miscellaneous

Notwithstanding anything to the contrary in the Agreement, where Madeium, Inc. is not a party to the Agreement, Madeium, Inc. will be a third-party beneficiary of Section 7.4 (Reviews and Audits of Compliance), Section 11.1 (Consent to Subprocessor Engagement) and Section 13 (Liability) of this DPA.

Appendix 1: Subject Matter and Details of the Data Processing

Subject Matter

Madeium’s provision of the Services to Customer.

Duration of the Processing

The Term plus the period from the expiry of the Term until deletion of all Customer Data by Madeium in accordance with the DPA.

Nature and Purpose of the Processing

Madeium will process Customer Personal Data for the purposes of providing the Services to Customer in accordance with the DPA.

Categories of Data

Data relating to End Users or other individuals provided to Madeium via the Services, by (or at the direction of) Customer or by End Users. The open nature of the Services does not impose a technical restriction on the categories of data Customer may provide. The personal data transferred may include: name, username, password, email address, telephone and fax number, title and other business information, general information about interest in and use of Madeium services; and demographic information.

Data Subjects

Data subjects include End Users and the individuals about whom data is provided to Madeium via the Services by (or at the direction of) Customer or by End Users.

Appendix 2: Security Measures

Madeium will implement and maintain the Security Measures set out in this Appendix 2. Madeium may update or modify such Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services. Madeium will: