Data Processing Addendum

1. Definitions

1.1 Applicable Data Protection Laws: all privacy/data protection laws applicable to the Processing under the Service Agreement, including (as applicable) GDPR, UK GDPR / Data Protection Act 2018, Swiss FADP, CCPA/CPRA, and other similar U.S. state privacy laws.

1.2 Customer Personal Data: any Personal Data Processed by Monk on Customer’s behalf in connection with the Services.

1.3 Personal Data, Controller, Processor, Processing, Data Subject: as defined under Applicable Data Protection Laws.

1.4 Security Incident: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.

1.5 Subprocessor: a third party engaged by Monk to Process Customer Personal Data on Customer’s behalf.

1.6 SCCs: (i) EU Standard Contractual Clauses in Commission Implementing Decision (EU) 2021/914 (“EU SCCs”) and (ii) the UK International Data Transfer Addendum (“UK Addendum”), each as applicable.

2. Scope and Roles

2.1 Scope. This DPA applies when Monk Processes Customer Personal Data as a Processor in providing the Services.

2.2 Roles. Customer is the Controller (or, if Customer is a Processor for another Controller, Customer acts as Processor and remains responsible for its upstream obligations). Monk acts as Processor.

2.3 CCPA/CPRA. Where applicable, Customer is a “Business” and Monk is a “Service Provider”/“Contractor” as those terms are defined under CCPA/CPRA.

2.4 Customer responsibility. Customer is responsible for (i) providing required notices and obtaining any consents; (ii) ensuring a lawful basis for Processing; and (iii) ensuring it has rights to disclose Customer Personal Data to Monk.

‍

3. Instructions and Permitted Processing

3.1 Documented instructions. Monk will Process Customer Personal Data only (i) to provide, maintain, and support the Services as described in the ToS Agreement1; (ii) in accordance with Customer’s documented instructions; or (iii) as required by law.

3.2 Inconsistent or unlawful instructions. If Monk reasonably believes an instruction conflicts with Applicable Data Protection Laws, Monk will notify Customer (to the extent permitted) and may pause the impacted Processing until resolved.

3.3 Legal compulsion. If Monk is legally required to Process Customer Personal Data in a manner inconsistent with Customer’s instructions, Monk will notify Customer to the extent legally permitted

‍

4. Confidentiality and Access Controls

4.1 Monk will ensure that persons authorized to Process Customer Personal Data are subject to confidentiality obligations.

4.2 Monk will restrict access to Customer Personal Data to personnel who need access to perform the Services.

‍

5. Security

5.1 Monk will maintain appropriate technical and organizational measures to protect Customer Personal Data, considering the nature of the Processing, state of the art, implementation costs, and risks.

5.2 Measures include, as appropriate: (i) least-privilege access controls (RBAC) and MFA for privileged access; (ii) encryption in transit (TLS) and, where appropriate, at rest; (iii) secure configuration and network protections; (iv) security logging/monitoring and audit trails where supported; (v) secure SDLC, change control, and vulnerability management (patching/testing); (vi) incident response procedures aligned with Section 8; (vii) backups and recovery; and (viii) Subprocessor due diligence and contractual controls per Section 6.

5.3 Monk may update these measures provided overall protection remains appropriate.

5.4 Customer is responsible for credential security and configuring access/permissions appropriately.

5.5 No system is perfectly secure; Monk’s obligation is reasonable, risk-based safeguards.

‍

6. Subprocessors

6.1 General authorization. Customer authorizes Monk to use Subprocessors to support delivery of the Services.

6.2 Flow-down. Monk will enter into a written agreement with each Subprocessor that includes data protection obligations no less protective than this DPA for the relevant Processing.

6.3 Subprocessor list and notice. Monk will maintain a current list of Subprocessors. Contact team@monk.com and or request SOC2 documentation to learn more.

6.4 Objection right. Customer may object on reasonable data protection grounds by written notice within the 30-day period. The parties will work in good faith to address the objection. If unresolved, either party may terminate the affected Service(s) that require the contested Subprocessor upon written notice, and Customer will pay only for Services provided up to the termination date.

‍

7. Assisance with Data Subject Requests

7.1 Customer requests. Considering the nature of the Services, Monk will provide commercially reasonable assistance to help Customer respond to Data Subject requests (access, deletion, correction, portability, objection, etc.) relating to Customer Personal Data.

7.2 Direct requests to Monk. If Monk receives a request from a Data Subject about Customer Personal Data, Monk will notify Customer and will not respond substantively except as instructed by Customer or as required by law (Monk may direct the requester to Customer).

For any questions or feedback on data deletions and data requests please reach out to team@monk.com.

‍

‍

8. Security Incident

8.1 Notice. Monk will notify Customer without undue delay after confirming a Security Incident and will provide information reasonably needed for Customer to meet its legal obligations.

8.2 Cooperation. Monk will provide commercially reasonable assistance with investigation, remediation, and mitigation.

‍

9. Return and Deletion

9.1 During the term. Customer may export or retrieve data through the Services as available.

9.2 At end of Services. Following expiration or termination of the Service Agreement and if requested by Customer, Monk will delete or return Customer Personal Data within 30 days, except to the extent:

• retention is required by law; or
• data persists in backups/archives consistent with Monk’s normal retention cycles, in which case it will be deleted in accordance with those cycles.

9.3 Continued protection. Any retained Customer Personal Data remains subject to confidentiality and security obligations.

For any questions or feedback on data deletions and data requests please reach out to team@monk.com.

TO REQUEST DATA DELETION, PLEASE REACH OUT TO TEAM@MONK.COM

10. Compiance Materials and Audits

10.1 Reports. Upon reasonable written request, Monk will provide available third-party security reports or certifications (e.g., SOC 2 Type II) if maintained by Monk.

TO REQUEST ANY SOC2 MATERIALS, PLEASE RAECH OUT TO TEAM@MONK.COM

‍

11. International Transfers

11.1 Cross-border Processing. Customer acknowledges that Monk and its Subprocessors may Process Customer Personal Data in countries other than where Customer or Data Subjects are located. Monk will ensure that any cross-border transfers are made in accordance with Applicable Data Protection Laws.

‍

‍

12. Terms and General Terms

11.1 This DPA becomes effective on the effective date of the Service Agreement and ends when the Service Agreement ends (except Sections that by their nature should survive, including deletion/return, confidentiality, and transfer safeguards).

11.2 Liability, limitations of liability, and dispute terms are governed by the Service Agreement unless Applicable Data Protection Laws require otherwise.

‍

FOR ANY QUESTIONS OR FEEDBACK RELATED TO SECURITY OR YOUR DATA, PLEASE REACH OUT TO TEAM@MONK.COM

‍

‍