Data Processing Addendum
Last updated
This Data Processing Addendum ("DPA") supplements the Mentionwell Terms of Service. It applies whenever you use the Service to process Personal Data of EU/UK/Swiss data subjects under GDPR or equivalent regimes. By accepting the Terms, you also accept this DPA on behalf of your organization.
1. Scope
This DPA governs Personal Data that we process on your behalf in providing the Service. It is between you ("Customer," "Controller") and ZipLyne d/b/a Mentionwell ("Processor"). To the extent of any conflict, this DPA prevails over the Terms of Service.
2. Definitions
"Personal Data," "Processing," "Controller," "Processor," "Data Subject," and "Supervisory Authority" have the meanings given in the GDPR. "Subprocessor" means any third party we engage to process Personal Data on our behalf. "Security Incident" means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
3. Roles
You are the Controller; we are the Processor. We will process Personal Data only on your documented instructions, as set out in the Terms, this DPA, and any additional written instructions you give us.
4. Scope of processing
- Subject matter: provision of the Service.
- Duration: for the term of your subscription, plus the deletion period in section 12.
- Nature and purpose: hosting, generation, retrieval, and transmission of articles and configuration through the Service.
- Categories of data subjects: end-users you authorize to use your account; readers of the websites you publish.
- Categories of Personal Data: account credentials, contact info, IP addresses, usage logs, content you upload or generate.
5. Subprocessors
You give general authorization for us to engage subprocessors. The current list is published at /subprocessors and is incorporated by reference. We will give you advance notice (by email or in-product) of any intended addition or replacement at least 14 days before the change takes effect. If you object on reasonable data-protection grounds, we will work with you in good faith to resolve the issue or — failing that — let you terminate the affected portion of the Service without penalty.
We remain liable to you for the acts and omissions of our subprocessors to the same extent we would be for our own.
6. Security measures
We maintain appropriate technical and organizational measures designed to protect Personal Data, as described in our Security overview, including (without limitation):
- Encryption in transit (TLS) and at rest provided by our database and storage subprocessors.
- Authentication, authorization, and least-privilege access controls for our personnel.
- Logging and monitoring for anomalous activity.
- Regular dependency review and patching.
- Background checks and confidentiality obligations for personnel with access to Personal Data.
7. Data subject rights
We will assist you, taking into account the nature of the processing and the information available, to fulfil your obligation to respond to data-subject requests under applicable law. If a Data Subject contacts us directly about your data, we will redirect them to you.
8. International transfers
Where we process Personal Data outside the EEA, UK, or Switzerland, we will do so under an appropriate transfer mechanism, including the European Commission's Standard Contractual Clauses (Decision 2021/914), the UK addendum, and the Swiss adequacy framework, all incorporated by reference.
9. Audits
On reasonable prior written notice, and no more than once per year (more often if we have a Security Incident), you may request information necessary to demonstrate our compliance with this DPA. Where reasonable, we will respond with a current third-party audit report or similar artifact in lieu of an on-site audit.
10. Incident notification
We will notify you without undue delay (and within 72 hours where feasible) after becoming aware of a Security Incident affecting your Personal Data. Notice will include, to the extent then known, the nature of the incident, categories and approximate number of records affected, likely consequences, and measures taken or proposed.
11. Term
This DPA takes effect on your acceptance of the Terms and continues for as long as we process Personal Data on your behalf.
12. Return or deletion
On termination of the Service, we will, at your election, delete or return all Personal Data within 30 days, except where we are required by law to retain it. Back-ups containing Personal Data will be deleted on the next regular back-up rotation.
13. Contact
- Privacy: privacy@mentionwell.com
- Legal: legal@mentionwell.com
- Security: security@mentionwell.com
If your procurement team needs a counter-signed PDF of this DPA on letterhead, email legal@mentionwell.com with the legal name and address of your contracting entity.