Moralis Web3 Technology AB Data Processing Agreement (the "DPA")

1. Subject matter and purpose of the DPA

Applicable data protection law sets out that when a Data Processor (“Processor”) Processes Personal Data on behalf of a Data Controller (“Controller”), such relationship shall be governed by a contract. This DPA has been established to comply with the requirements for such a contract and shall apply only when Moralis acts as Processor on behalf of Customer as Controller.

The subject matter of the DPA regarding the processing of Personal Data is the execution of the services and tasks described in the Moralis General Terms and Conditions. The DPA sets out to reflect the parties’ agreement related to the processing of Personal Data by Processor on behalf of Controller.

Processor’s processing activities comprise hosting in the SaaS product, including offsite backup, disaster recovery redundant storage, and customer support. All data including Personal Data of users is provided by the Controller to the services.

The undertaking of the contractually agreed Processing of Personal Data shall be carried out in accordance with this DPA and Moralis General Terms and Conditions. The provisions shall apply to all services of data processing provided by the Processor on behalf of the Controller, especially with regard to Art. 28 of Regulation (EU) 2016/679 (GDPR).

Processor’s liability for damages in processing Personal Data under this DPA shall be governed by the limitation of liability clauses in Moralis General Terms and Conditions. 

2. Processor’s general obligations as Processor

2.1 When Processing Personal Data under this DPA, Processor shall comply with applicable data protection legislation.

2.2 Processor shall ensure that individuals authorized to process, on behalf of Processor, the Personal Data processed under this DPA, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

2.3 Taking into account the nature of the Processing and the information available to Processor, Processor shall assist Controller in ensuring compliance with Controller’s obligations pursuant to applicable data protection law.

2.4 Processor may only Process Personal Data on behalf of Controller in accordance with the documented instructions in the Moralis General Terms and Conditions and this DPA. 

Insofar as a data subject contacts the Processor directly to exercise its rights as a registered person, Processor will immediately forward the data subject’s request to the Controller.

2.5 Processor will notify Controller without undue delay after becoming aware of a data breach.

3. Scope of Processing activities

Processor will process Personal Data by hosting and storing information in the product and services described in Moralis General Terms and Conditions. The processing starts with the closing of this DPA and ends whenever the Controller terminates this agreement or the services under Moralis General Terms and Conditions.

4. Categories of Personal Data

The Controller acknowledges that Processor is providing a SaaS product, whereas the Controller provides to the product whatever data it prefers, including Personal Data.

5. Technical and Organizational measures 

Technical and Organizational measures to be taken shall guarantee a data protection level appropriate to the risk concerning confidentiality and integrity of the Controller and its users, in accordance with availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons determine the actions taken into account. 

Technical and Organizational measures include:

(a) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; 

(b) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; 

(c) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing; and

(d) maintaining, updating and storing logs regarding the Personal Data, maintaining a secure IT environment, and establishing and maintaining physical safety measures and routines. 

6. Sub-processors 

Sub-processing for the purpose of this DPA is to be understood as meaning services which relate directly to the provision of the principal service under the Moralis General Terms and Conditions. 

Sub-processors that process parts of the services are distributed globally. The Processor may commission Sub-processors to fulfill the services under the Moralis General Terms and Conditions. The Controller agrees to the commissioning of Sub-processors on condition that a contractual agreement is entered into between the Processor and the Sub-processor, stipulating relevant requirements as the Processor is subject to with regard to Personal Data.

Should Processor wish to appoint or replace a sub-processor, Processor will notify Controller, who may object to such measures within ten (10) days. Controller’s objection must be based on reasonable grounds, for example if Controller can show that the use of the intended sub-processor causes significant risks in relation to the protection of the Personal Data. If Processor and Controller are unable to settle the objection, Processor has the right to immediately terminate its services governed under the Moralis General Terms and Conditions including for the avoidance of doubt also this DPA, by giving Controller written notice to that effect.

Processor is fully liable to the Controller for the performance of the Sub-processors’ processing activities related to the Controller’s Personal Data.

7. Processing of Personal Data in countries outside EU/EEA

Unless otherwise agreed, Processor may Process Personal Data in a country outside of the EU/EEA. Processor shall then ensure that such Processing at all times complies with applicable data protection law. This may e.g. be achieved by establishing a binding agreement, in accordance with the applicable EU Commission Model Contracts for the transfer of Personal Data to third countries, between Processor and any sub-processors. Processing in a country outside the EU/EEA may also take place on the basis of a valid adequacy decision, supplementary security measures or on the basis of binding corporate rules that have been approved by the relevant supervisory authorities.

8. Privacy Contact

Processor has designated a Personal Data Manager authorized to respond to inquiries concerning Processing of Personal Data and shall reasonably cooperate with Controller concerning all such inquiries if so requested. The Personal Data Manager can be contacted at [email protected].

9. Governing law 

This DPA is governed by the law of Sweden and any dispute between the parties is to be handled as set out in the Moralis General Terms and Conditions.