Data Processing Agreement

Date: December 30, 2020

Moxie empowers Instructors on our Platform to directly connect with other Moxie users (“Users”) and create Classes for them. Capitalized terms (“Instructors”, “Classes”, “Platform”) have the definitions given to them in Moxie’s Terms of Service.

To facilitate this direct connection with Users and enable obligations to be fulfilled, Moxie provides the personal data of Users (“User Data”) to Instructors. Instructors then process User Data in order to provide Users any and all products or services as part of that Instructor’s business on Moxie (the “Moxie Services”). Moxie requires all Instructors to agree to this Data Processing Agreement (“DPA”) to ensure that Instructors respect the privacy rights of Users when processing User Data.

This DPA is between Moxie and Instructors, taking effect from the moment the Instructor’s Moxie account is created, and applies exclusively to the User Data collected by Moxie and provided to Instructors for the purpose of facilitating the experience of their Attendees.

This DPA is an extension of Moxie’s Terms of Service and Privacy Policy and will outline certain requirements for Instructors to process User Data during and beyond their relationship with Moxie.

  1. Definitions.
    1. "Data Protection Legislation" means all applicable laws relating to privacy and the processing of personal data that may exist in any relevant jurisdiction, including, where applicable, the guidance and codes of practice issued by the supervisory authorities. Data Protection Legislation includes, but is not limited to, European Directives 95/46/EC and 2002/58/EC (as amended by Directive 2009/136/EC) and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them, including the General Data Protection Regulation (Regulation (EU) 2016/279).
    2. "Good Industry Practice" means exercising the same skill, expertise and judgement and using facilities and resources of a similar quality as would be expected from a person who:(a) is skilled and experienced in providing the services in question, seeking in good faith to comply with his contractual obligations and seeking to avoid liability arising under any duty of care that might reasonably apply; (b) takes all proper and reasonable care and is diligent in performing his obligations; and (c) complies with the Data Protection Legislation.
    3. The terms "data controller", "data processor", “subprocessor”, "data subject", "personal data", "processing", and "appropriate technical and organizational measures" shall be interpreted in accordance with Directive 95/46/EC, or other applicable Data Protection Legislation, in the relevant jurisdiction.
  2. Scope. The parties agree that Moxie is a data controller and that Instructor is a data processor in relation to User Data that Instructor processes in the course of providing Moxie Services. The subject matter of the data processing, the types of personal data processed, and the categories of data subjects will be defined by, and/or limited to, those necessary to carry out the Moxie Services. The processing to which this DPA applies will be carried out by Instructor upon leaving the Moxie platform. The subject matter, duration, nature, and purpose of the processing of the personal data as well as the type of personal data and categories of data subjects covered by this DPA are as follows:
    1. The subject matter of the data processing is User Data.
    2. The duration of the processing is for as long as Instructor holds User Data.
    3. The nature and purpose of the processing under this DPA is limited to a Instructor’s fulfillment of Moxie Services to the User.
    4. The type of personal data covered by this DPA is contact information, including but not limited to First and Last Name, email address, username, number of Classes attended, shipping address and phone number, as well as any information, given by the Attendee to the Instructor when attending, or before attending, a Class on Moxie.
    5. The category of the data subjects are Users who sign up for accounts on Moxie.
  3. Data Protection. Instructor shall adhere to the following requirements:
    1. Processing as Instructed. Instructors will process User Data only in accordance with the Moxie Terms of Service, Privacy Policy and this DPA and only in compliance with Data Protection Legislation. The nature and purpose of the processing shall be limited to that necessary to carry out such instructions, and not for Instructor's own purposes, or for any other purpose except as required by law. If Instructor is required by law to process the personal data for any other purpose, Instructor will inform User of such requirement prior to the processing unless prohibited by law from doing so.
    2. Extent of processing. Instructor will process the personal data only to the extent, and in such manner, as is necessary for the provision of Moxie Services.
    3. Appropriate Technical and Organizational Measures. Instructor will implement and maintain appropriate technical and organizational measures designed to protect the personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. The measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected and as a minimum shall be in accordance with the Data Protection Legislation and Good Industry Practice.
    4. Transfer to Third Parties. Instructor will not give access to or transfer any personal data to any third party (including any affiliates, group companies or subcontractors) without the prior consent of Moxie. Instructor must also ensure the reliability and competence of such third parties, its employees or agents who may have access to the personal data processed in the provision of Moxie Services, and must include in any contract with such third party provisions protecting User which are equivalent to those in this DPA and the Terms of Service and as are required by applicable Data Protection Legislation.
    5. Reliability and Competence of Instructor Personnel. Instructor will take reasonable steps to ensure the reliability and competence of any Instructor personnel who have access to User Data. Instructor will ensure that all Instructor personnel required to access the personal data are informed of the confidential nature of the personal data and comply with the obligations set out in this DPA.
    6. Acknowledgement of Data Protection Legislation and Assistance. Instructor will take all reasonable steps to assist Moxie in complying with applicable Data Protection Legislation. For example, Instructor will promptly inform Moxie in writing if it receives: (i) a request from a data subject concerning any personal data; or (ii) a complaint, communication, or request relating to User’s obligations under Data Protection Legislation.
    7. Destruction or Return of Property Upon Moxie Services Completion. Instructor will not retain any of the personal data for longer than is necessary to provide Moxie Services. At the end of Moxie Services, or upon a User's request, Instructor will securely destroy or return (at User’s election) the personal data to User.
    8. Loss or Security Breach. If Instructor becomes aware of any accidental, unauthorized or unlawful destruction, loss, alteration, or disclosure of, or access to User Data processed by Instructor in the course of providing Moxie Services, it will do the following:
      1. Provide notice to Moxie. Instructor shall promptly and without undue delay notify Moxie and provide Moxie with: a detailed description of the Loss or Security Breach; the type of data that was the subject of the Loss or Security Breach; the identity of each affected person if known, and the steps Instructor has taken or will take in order to mitigate and remediate such Security Breach, in each case as promptly as such information can be collected or otherwise becomes available (as well as periodic updates to this information and any other information Moxie may reasonably request relating to the Loss or Security Breach); and
      2. Investigate the Matter promptly. Instructor shall promptly take action, at its own expense, to investigate the Loss or Security Breach and to identify, prevent and mitigate the effects of the Loss or Security Breach and to carry out appropriate recovery actions to remedy the Loss or Security Breach.
    9. Compliance with Data Protection Legislation. Instructor shall comply at all times with and assist Moxie in complying with its applicable obligations under Data Protection Legislation. Instructor shall provide reasonable information requested by Moxie to demonstrate compliance with the obligations set out in this DPA. Instructor will notify Moxie immediately if, in Instructor's opinion, an instruction for the processing of personal data given by Moxie violates any country’s data privacy legislation.