Foundry is now Mithril 🚀
Read the announcement

Data Processing Agreement

DATA PROCESSING ADDENDUM

This Data Processing Addendum (the “DPA”) made available by Foundry Technologies, Inc. (“Mithril”) is entered into between Customer and Processor, as defined below. Capitalized terms not defined in context in this DPA will have the meanings set forth in the attached Appendix 1.

For purposes of this DPA: (a) “Customer” means the customer of Mithril that uses the Platform to purchase the right to use compute resources made available by a Compute Provider for the processing of Customer Material; (b) “Compute Provider” means the applicable provider of such compute resource, which provider may be a third party or Mithril; and (c) “Processor” means, alternatively, (i) the Compute Provider (if a third party) or (ii) Mithril (as the Platform provider and, where applicable, as the Compute Provider).

For clarity, this DPA serves as a direct and separate agreement between (1) Customer and Mithril (as Platform provider, and where applicable, as Compute Provider), and (2) Customer and any third-party Compute Provider. The term “Processor” refers to the relevant party in the alternative (i.e., Mithril or the third-party Compute Provider) rather than jointly and is designed to enable the Customer to utilize a single DPA for these separate engagements. Mithril will not be liable for the acts or omissions of any third-party Compute Provider and the third-party Compute Provider will not be liable for the acts or omissions of Mithril.

  1. Data Processing and Protection.

    1. Scope. This DPA applies when Personal Data is processed by Processor.

    2. Use Limitations. Processor will not: (a) Process the Personal Data for any purpose other than as a Processor on behalf of Customer for the specific purpose of performing the Services for Customer in accordance with this DPA; (b) Process the Personal Data for a commercial purpose other than as necessary to provide the Services to Customer; (c) “sell” or “share” (each as defined by Data Protection Law) any Personal Data; (d) Process the Personal Data outside of the direct business relationship between Processor and Customer; or (e) combine Personal Data with any other personal data or information it collects (directly or via any third party) other than as expressly permitted under Data Protection Law for Processors.

    3. Instructions. Processor will Process Personal Data only: (a) as authorized or permitted under the Services Agreement and this DPA and pursuant to any other reasonable and documented instructions provided by Customer and agreed to by Processor in writing; and (b) as required by Data Protection Law, provided that Processor will inform Customer (unless prohibited by such Data Protection Law) of the applicable legal requirement before Processing pursuant to such Data Protection Law.

    4. Compliance. In connection with its Processing of any Personal Data, Processor will comply with all obligations applicable to it in its role as a processor (or service provider) under Data Protection Law and provide the same level of privacy protection as is required by Data Protection Law. Processor will promptly notify Customer if Processor determines it can no longer meet its obligations under this DPA. Customer reserves the right, upon notice to Processor, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.

    5. Confidentiality. Processor will ensure that persons authorized by Processor to Process any Personal Data are subject to appropriate confidentiality obligations.

    6. Security. Processor will implement and maintain security measures in accordance with generally accepted industry standards designed to protect Personal Data against Personal Data Breach and that meet or exceed requirements under Data Protection Law.

    7. Return or Disposal. Customer elects that Processor will delete all Personal Data after the end of the provision of the Services, unless Data Protection Law requires the storage of such Personal Data by Processor.

  2. Assistance.

    1. Data Subject’s Rights Assistance. Taking into account the nature of Processor’s Processing of Personal Data, Customer acknowledges that the controls made available via Mithril’s Platform offer Customer the ability to fulfill Customer’s obligation to respond to requests for exercising data subject's rights under Data Protection Law (“Data Subject Requests”). Customer acknowledges that no other assistance is required by Processor help Customer fulfill its Data Subject Requests.

    2. Other Compliance Assistance. Taking into account the nature of Processing and the information available to Processor, Processor will provide assistance to Customer to facilitate Customer’s compliance with requirements under Data Protection Law, including any requirements related to data security, data protection assessments, and consultations with supervisory authorities, by providing the information identified in Section 3 below.

    3. Personal Data Breach Notice and Assistance. Processor will notify Customer without undue delay after becoming aware of a Personal Data Breach. Taking into account the nature of the Processing and the information available to Processor, Processor will provide reasonable assistance to Customer as may be necessary for Customer to satisfy any of its notification obligations imposed under Data Protection Law in connection with any Personal Data Breach.

  3. Audits.

Processor will procure independent audits by a nationally recognized third-party auditor, on an annual or more frequent basis, to assess Processor’s adherence to the following standards and requirements: SSAE 18 Service Organization Control (SOC) 2 reports or certifications or other documentation evidencing compliance with such alternative standards as are substantially equivalent. Customer may choose to audit Processor by requesting a copy of such results. Upon Customer’s request, Processor will provide Customer a copy of any such audit results. Processor will use commercially reasonable efforts to remediate any material deficiencies identified by those audits. Customer will treat such results as the confidential information of Processor and not disclose them to any third party unless required by law.

  1. Subprocessors.

Customer provides Processor with general authorization to use subprocessors to Process Personal Data in connection with the provision of the Services to Customer (each, a “Subprocessor”). Processor will only add or remove a Subprocessor after providing Customer with reasonable prior notice and an opportunity to object within 10 days. Processor will enter into a written contract with each Subprocessor imposing data protection obligations upon any Subprocessor that are no less protective than those included in this DPA. Processor will remain liable for any acts or omissions of its Subprocessors.

  1. Data Transfers.

Processor may Process the Personal Data in regions specified via the Platform by Customer, or, if none, then in regions where Processor conducts its Services. Subject to Section 6, any Personal Data subject to the GDPR, UK GDPR, or the Swiss Federal Act on Data Protection (“FADP”) that is transferred to Processor in a third country not deemed adequate will be conducted pursuant to Module 2 or Module 3, depending on Customer’s role, of the standard contractual clauses for the transfer of Personal Data to processors in third countries according to Decision (EU) 2021/914 of the EU Commission of 4 June 2021 (the “Standard Contractual Clauses”) (the text of which is available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914).

The Standard Contractual Clauses will be deemed executed by Processor and Customer and the following terms will apply:

  1. If there is any conflict between this DPA or the Services Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail;

    1. Customer will be referred to as the “Data Exporter” and Processor will be referred to as the “Data Importer” in the Standard Contractual Clauses;

    2. Details in Attachment 1 of this DPA will be used to complete Annex I and III of the Standard Contractual Clauses;

    3. Details in Section 1.5 will be used to complete Annex II of the Standard Contractual Clauses;

    4. For the purposes of the Standard Contractual Clauses:

      1. The Parties agree to retain Clause 7;

      2. The Parties select option 2 in Clause 9 and agree on 10 days as the notice period for additions or replacements of new Subprocessors;

      3. The optional language in Class 11(a) is omitted;

      4. Clause 13(a) reads as follows “The data exporter’s competent supervisory authority to be determined in accordance with the GDPR”;

      5. The parties select option 2 of Clause 17; and

      6. For Clause 18(b), the Parties select the courts of country of the data exporter’s competent supervisory authority to be determined in accordance with the GDPR.

    5. In addition to the Standard Contractual Clauses, the Parties agree that any Personal Data subject to the UK GDPR that is transferred to Processor will be subject to the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses Version B1.0, in force 21 March 2022 (the “UK Addendum”) (the text of which is available at: https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf). The UK Addendum will be deemed executed by the Parties as of the effective date of this DPA, and the information in this DPA will be used to fill out the relevant sections of the UK Addendum.

    6. The parties agree to complete the Standard Contractual Clauses as follows for Personal Data subject to the FADP that is transferred to Processor: (i) the Parties agree to abide by the GDPR standard in relation to all Processing of Personal Data that is governed by the FADP; (ii) the term ‘Member State’ in the Standard Contractual Clauses will not be interpreted to exclude data subjects who habitually reside in Switzerland from initiating legal proceedings in Switzerland in accordance with Clause 18(c) of the Standard Contractual Clauses; and (iii) references to the ‘GDPR’ and ‘Member State’ in the Standard Contractual Clauses will be understood as references to the FADP and Switzerland, respectively.

  2. Liability.

Except for liability arising from a party’s gross negligence or willful misconduct or any other matter for which liability cannot be excluded or limited under applicable law: (a) Processor will not have any liability arising out of or relating to the DPA for indirect, special, incidental, or consequential damages; and (b) Processor’s aggregate liability arising out of or relating to the DPA will not exceed the amounts paid by Customer for the applicable Services for the 12 months preceding the date on which the first claim giving rise to the liability arose.

Attachment 1 Definitions; Description of Processing; Subprocessors

  1. Definitions.

For purposes of this DPA, the following terms will have the meaning:

  1. Customer Material” means (a) any material, including data, files, software, text or audio, that is submitted by or on behalf of Customer through the Platform for processing on Compute Provider resources, and (b) any computational results generated by any such material while hosted on those resources.

    1. Data Protection Law” means any and all privacy, security, and data protection laws and regulations that apply to the Personal Data Processed by Processor under the Services Agreement, in each case as amended.

    2. Platform” means Mithril’s platform-as-a-service solution designed to allow the purchase and use of Compute Provider resource capacity.

    3. GDPR” means (a) the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and (b) such law as incorporated into United Kingdom law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2019 (“UK GDPR”) (each as amended, superseded, or replaced).

    4. Personal Data” means any of the Customer Material that is deemed “personal data” or “personal information” (or other analogous variations of such terms) under Data Protection Law.

    5. Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

    6. Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

    7. Services” means the applicable services of the Processor, as further described in Section 2 below.

    8. Services Agreement” means the applicable agreement Customer enters into to use Mithril’s services.

  2. Description of Processing

    1. Subject-Matter and Duration of Processing: Processor Processes Personal Data for the subject-matter specified under the Services Agreement and until the Services Agreement terminates or expires, unless otherwise agreed upon by the parties in writing.

    2. Nature and Purpose of Processing: Mithril Processes Personal Data as the provider of the Platform for the purpose of providing those Services to Customer, as further described in the Services Agreement. The Compute Provider makes compute resources available for Customer to Process Personal Data.

    3. Types of Personal Data: Customer is in control of and determines the types of the Personal Data it submits for Processing.

    4. Categories of Data Subjects: Customer is in control of and determines the types of the Personal Data it submits for Processing, including the types of data subject to whom that data relates. The data subjects could include Customer’s customers, employees, suppliers or end users.

    5. Frequency of Transfer: One-time or ongoing basis, as determined by Customer

    6. Retention Period: The duration of Processing is determined by Customer.

    7. Competent Supervisory Authority: The data exporter’s competent supervisory authority to be determined in accordance with the GDPR, except that: (a) the Swiss Federal Data Protection and Information Commission will act as the competent supervisory authority for transferred Personal Data subject to the FADP; and (b) the Information Commissioner’s Office will be the competent supervisory authority for transferred Personal Data subject to the UK GDPR.

PreviousAcceptable Use Policy