This Data Protection Addendum (this "Addendum") supplements and is incorporated into the service agreement (the "Agreement") pursuant to which Morfius ("Morfius") provides its AI hosted platform ("Hosted Services") to its customers. As used herein, "Customer" means the party subscribing to, and receiving, the Hosted Services.
- 1. Definitions. The following capitalized terms shall have the meanings set forth below:
- 1.1. “Data Breach” means the material unauthorized access, use or disclosure of Customer’s Personal Data verified by Morfius as originating from the Morfius Systems or its Personnel, including incidents whereby notice to individuals, regulators, or others may be required under Data Protection Laws.
- 1.2. “Data Protection Laws” means all international, federal, state and local laws and regulations applicable to Morfius’s use, processing and storage of Personal Data under the Agreement. Data Protection Laws include without limitation the California Consumer Privacy Act of 2018 and implementing regulations, security breach notification laws, and where applicable, international laws and regulations, including without limitation in member states of the European Union, the EU Regulation 2016/679 (“GDPR”) and all relevant member state laws or regulations giving effect to the GDPR, and any equivalent, replacement or similar laws or regulations implemented in the member states; and in the United Kingdom, the Data Protection Act and any equivalent, replacement or similar laws or regulations implemented in the United Kingdom, whether in light of the United Kingdom’s withdrawal from the European Union or otherwise.
- 1.3. “Morfius Systems” means Morfius’s systems, servers, and networks which use, process or store Personal Data.
- 1.4. “Personal Data” has the meanings given to such term under applicable Data Protection Laws and includes information that identifies or can be used to identify an individual and refers to the data which is provided by Customer to Morfius under the Agreement.
- 1.5. “Personnel” means Morfius’s employees, contractors, consultants, agents, service providers, subcontractors or others to whom Morfius has given access to any Personal Data.
- 2. Morfius’s Obligations.
- 2.1. Use of Personal Data. Morfius will not use, process or store any Personal Data except as permitted under the Agreement, including to provide the Hosted Services to Customer under the Agreement.
- 2.2. Compliance with Data Protection Laws. Morfius will comply with all applicable law, including all Data Protection Laws, in its use, processing and storage of Personal Data.
- 2.3. Data Security Program. Morfius has implemented, maintains, and complies with an information security program as required by all applicable laws and regulations governing the collection, use and disclosure of Customer Data used, processed and stored by the Hosted Services, to the extent applicable to the Hosted Services provided by Morfius under this Agreement. Such program shall include appropriate administrative, technical, environmental, logical, and physical safeguards reasonably designed to: (a) maintain the security and confidentiality of Personal Data; (b) protect against reasonably anticipated threats or hazards to the security or integrity of Personal Data; (c) protect against unauthorized access to or use of Personal Data that could result in substantial harm to the applicable data subject; and (d) provide for the secure disposal of Personal Data. Morfius shall document its Security Program and keep it current in light of changes in Data Protection Laws.
- 2.4. Segregation of Personal Data. Morfius shall segregate (logically or otherwise) the Personal Data from other data and information on the Morfius Systems.
- 2.5. Access to Personal Data.
- 2.5.1. Access Limitations. Morfius shall not allow access to Personal Data except to Personnel who have a legitimate need to access Personal Data. Morfius shall be directly liable to Customer for any breach of this Addendum by its Personnel who have access to the Personal Data.
- 2.5.2. Third Party Service Providers. If Morfius uses a third party service provider to use, process or store Personal Data, then Morfius shall require that the third party service provider agree to be bound by the applicable requirements of this Addendum. Morfius shall be directly liable to Customer for a third party service provider’s failure to comply with this Addendum.
- 2.6. Data Breach Incidents.
- 2.6.1. Notice to Customer; Cooperation. Morfius shall notify Customer of a Data Breach as soon as practicable and will endeavor to provide such notice within one (1) business day after Morfius becomes aware of such Data Breach. In addition, Morfius shall provide any additional information reasonably requested by Customer for purposes of investigating the Data Breach and any other available information that Customer may be required to provide to data subject(s) or others under applicable laws. Morfius shall use all commercially reasonable efforts to assist and cooperate with Customer concerning the investigation of the causes and scope of such Data Breach as well as any disclosures to affected entities or individuals, government or regulatory bodies, and other remedial measures undertaken by Customer. Morfius shall reasonably cooperate with Customer in Customer’s response to regulatory inquiries, litigation, and other similar actions arising from such Data Breach.
- 2.6.2. Public Notices. Morfius shall not reference Customer in public communications regarding a Data Breach without Customer’s prior written consent, except as required by applicable law and except to Morfius’s insurers, legal counsel, accountants, consultants and investigators.
- 2.7. Retention of Personal Data. For Personal Data obtained about individuals who are residents of the United States, Morfius shall not store Personal Data on, or transmit Personal Data to, any facility outside the United States. Morfius will not retain any Personal Data for any period beyond what is reasonably necessary for Morfius to provide the Hosted Services to Customer under the Agreement unless a longer retention period is permitted or required by applicable law.
- 2.8. Data Subject Requests. Morfius shall reasonably cooperate with Customer in responding to and complying with any data subject requests received by Morfius or Customer regarding Personal Data, including but not limited to requests for access, deletion, opt-out, or information regarding disclosure of the data subject’s information.
- 2.9. Legal Requests to Access Personal Data. If Morfius receives any request, warrant, subpoena, or other legal request with respect to Personal Data, Morfius shall, unless prohibited by applicable law and/or to prevent penalties assessed against Morfius: (a) notify Customer of such legal request; and (b) cooperate with Customer in protecting against any such disclosure and/or obtaining a protective order narrowing the scope of such disclosure of the Personal Data.
- 2.10. Destruction of Personal Data. Within thirty (30) days after the termination or expiration of the Agreement, Morfius shall permanently delete the Personal Data stored by Morfius on the Morfius Systems, unless required under applicable law or retained in system backups made in the ordinary course of business, in which case such retained copies of Personal Data will be subject to the terms of this Addendum for so long as such copies are retained.