Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Master Services Agreement between Ghost Metrics, LLC ("Ghost Metrics," "we," or "us") and the customer that has entered into it ("Customer") (the "Agreement"), and governs the processing of Personal Data in connection with the Ghost Metrics analytics service (the "Service").
This DPA is designed to work alongside, and not to duplicate, the Business Associate Agreement ("BAA") that applies where Customer is a Covered Entity or Business Associate under HIPAA. Protected health information is governed by the BAA. This DPA governs Personal Data that is not protected health information, and it sets out the data protection commitments required under applicable U.S. state privacy laws. See Section 11 on the order of precedence.
Capitalized terms not defined in this DPA have the meanings given in the Agreement.
1. Definitions
"Personal Data" means information processed by Ghost Metrics on behalf of Customer through the Service that identifies, relates to, describes, or could reasonably be linked with a particular individual or device, and that is not protected health information governed by the BAA.
"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
"Business," "Service Provider," "Consumer," "Sell," and "Share" have the meanings given under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the "CCPA").
"Sub-processor" means a third party engaged by Ghost Metrics to process Personal Data in connection with the Service.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. Where the data involved is protected health information, the BAA governs and its breach definitions and timelines apply.
2. Roles of the parties
As between the parties, Customer is the Business and controller that determines the purposes and means of Processing, and Ghost Metrics acts as the Service Provider and processor that processes Personal Data on Customer's behalf and on its documented instructions. Customer is responsible for the lawfulness of the Personal Data it collects through the Service, for providing required notices to individuals, and for obtaining any required consents.
3. Scope and purpose of processing
Ghost Metrics processes Personal Data only to provide, maintain, secure, support, and improve the Service for Customer, and as otherwise instructed by Customer in writing, consistent with the Agreement. The categories of Personal Data and individuals are determined by Customer's configuration of the Service and may include website and application visitors of Customer and data such as IP address (which Customer may configure to be anonymized), pseudonymous visitor identifiers, pages viewed, referring URLs, approximate location derived from IP, device characteristics, and any custom events or dimensions Customer chooses to collect.
4. Ghost Metrics obligations
Ghost Metrics will:
- Process Personal Data only on Customer's documented instructions, including as set out in the Agreement, unless required to do otherwise by law, in which case we will inform Customer unless legally prohibited.
- Not retain, use, or disclose Personal Data for any purpose other than performing the Service, and not outside the direct business relationship with Customer, except as permitted by law.
- Not Sell or Share Personal Data.
- Not combine Personal Data with personal information received from, or on behalf of, another party, or collected from our own interactions, except as permitted under the CCPA to perform the Service.
- Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations.
- Implement and maintain the security measures described in Section 5.
- Comply with the applicable obligations of a Service Provider and processor under the CCPA and other applicable U.S. state privacy laws, and provide the same level of privacy protection as those laws require of us.
Ghost Metrics certifies that it understands the restrictions in this Section and will comply with them. Ghost Metrics will notify Customer if it determines that it can no longer meet its obligations under applicable privacy law, and Customer may take reasonable steps to stop and remediate unauthorized Processing.
We do not use Personal Data, Customer Data, or any protected health information to train machine learning models or for advertising.
5. Security
Ghost Metrics maintains a documented information security program aligned with the HIPAA Security Rule and the SOC 2 Trust Services Criteria, including:
- Encryption of Personal Data in transit using TLS 1.2 or higher, and encryption at rest for databases, object storage, file systems, and backups using AES-256 with managed encryption keys.
- Network isolation, including private networking and least-privilege access between application, database, and administrative tiers.
- Access controls, including single sign-on, multi-factor authentication for administrative access, and role-based access scoped to the minimum necessary.
- Logging and monitoring of administrative and infrastructure activity.
- Vulnerability management, including periodic scanning and annual independent penetration testing.
- Backup and recovery, including regular automated backups and tested restoration procedures.
- Logical separation of each customer's data in our multi-tenant environment.
Ghost Metrics hosts the Service on Amazon Web Services in the United States. We may update specific controls over time provided the overall level of protection is not materially reduced.
6. Sub-processors
Customer authorizes Ghost Metrics to engage Sub-processors to process Personal Data in connection with the Service. We maintain a current list of Sub-processors, identifying each Sub-processor, the purpose of Processing, and the location, on our Sub-processors page.
Before engaging a new Sub-processor that will process Personal Data, we will provide at least 30 days advance notice by updating our Sub-processors page and notifying Customer's designated account contact, so that Customer has the opportunity to object. If Customer reasonably objects to a new Sub-processor on data protection grounds, the parties will work in good faith to address the objection, and if it cannot be resolved, Customer may terminate the affected portion of the Service in accordance with the Agreement.
We enter into a written agreement with each Sub-processor that imposes data protection obligations no less protective than those in this DPA. Where a Sub-processor will process protected health information, we enter into a BAA with that Sub-processor as required under the BAA.
7. Personal Data Breach notification
Upon becoming aware of a Personal Data Breach affecting Personal Data, Ghost Metrics will notify Customer without undue delay, and will provide information reasonably available to us about the nature of the incident, the data involved, and the measures taken or proposed to address it, supplementing that information as it becomes available.
Where the incident involves protected health information, the notification timelines and procedures in the BAA govern, including notice following discovery of an Unauthorized Use or Disclosure and, where a Breach is determined, notice within the periods specified in the BAA. We will reasonably assist Customer in meeting any breach notification obligations Customer has under applicable law.
8. Assistance with individual rights and compliance
Taking into account the nature of the Processing, Ghost Metrics will provide reasonable assistance to Customer, through appropriate technical and organizational measures and the functionality of the Service, to enable Customer to respond to requests from individuals to exercise their rights under applicable privacy law, such as rights to access, correct, or delete Personal Data. If we receive such a request directly from an individual relating to Customer's data, we will, where permitted, direct the individual to Customer and will not respond except on Customer's instruction.
We will also provide Customer with information reasonably necessary to demonstrate compliance with this DPA, and reasonable assistance with data protection assessments where required by law.
9. Audits
Ghost Metrics maintains a SOC 2 Type II report. Upon Customer's reasonable written request, and subject to a confidentiality or non-disclosure agreement, we will make our then-current SOC 2 Type II report available to Customer. Provision of the SOC 2 Type II report, together with responses to a reasonable security questionnaire no more than once per year, satisfies our audit obligations under this DPA in lieu of on-site audits, except where an on-site audit is required by a data protection authority with jurisdiction.
10. Return and deletion of Personal Data
Upon expiration or termination of the Agreement, Ghost Metrics will, at Customer's election, return or delete Personal Data in our possession, and will delete remaining copies within 30 days, except to the extent retention is required by law or is necessary for backup cycles to expire, in which case the Personal Data remains subject to the protections of this DPA until deleted. Where protected health information is involved, the return and deletion provisions of the BAA govern.
11. Order of precedence
This DPA supplements the Agreement. In the event of a conflict, the following order of precedence applies, consistent with the Agreement: (1) the BAA, (2) this DPA, and (3) the other terms of the Agreement. Notwithstanding the foregoing, any term that prescribes more protective measures for the security, privacy, or confidentiality of protected health information or other Personal Data will govern.
12. Customers subject to Canadian privacy law
Where Customer is subject to Canadian privacy law, including the Personal Information Protection and Electronic Documents Act (PIPEDA) or provincial privacy or health-information laws such as Ontario's Personal Health Information Protection Act (PHIPA), Alberta's Health Information Act (HIA), or British Columbia's Personal Information Protection Act (PIPA), the parties will enter into a Canadian Privacy Addendum that addresses the requirements of those laws, including breach reporting to the applicable Privacy Commissioner and affected individuals where a real risk of significant harm exists, and any additional safeguards required for personal health information.
13. Liability
Each party's liability under this DPA is subject to the exclusions and limitations of liability set out in the Agreement.
14. Governing law
This DPA is governed by the laws of the Commonwealth of Kentucky, without regard to its conflict of laws provisions, and is subject to the venue provisions of the Agreement.
15. Contact
Ghost Metrics, LLC
2624a New Hartford Rd
Owensboro, KY 42303
Email: [email protected]