Data Processing Addendum
1. Introduction
This Data Processing Addendum (“DPA”) sets forth obligations for the Processing and security of Personal Information in connection with Mixpanel’s provision, and Customer’s use, of the Application Services. This DPA is incorporated into the agreement in place between Customer and Mixpanel covering Customer’s use of the Application Services ("Agreement"). The purpose of this DPA is to reflect the Parties’ agreement regarding the Processing of Personal Information in the Application Services, in accordance with Data Privacy Law.
2. General Terms
2.1 Scope. The DPA terms apply to the Processing of Personal Information by Mixpanel, its Affiliates, and Subprocessors in providing the Application Services.
2.2 Compliance with Laws. The Parties shall comply with laws and regulations applicable to the provision and use of the Application Services, including security breach notification laws and Data Privacy Laws, as they apply to Mixpanel and Customer respectively.
2.3 Affiliates. Mixpanel and Customer acknowledge and agree that Customer and Mixpanel each enter into the terms set forth herein on behalf of itself and its Affiliates, where such Affiliate is a party to the Agreement and/or Order Form that is governed by the Agreement. For purposes of this DPA, the term “Mixpanel” and “Customer” include their respective Affiliates that are parties to the Agreement and/or Order Form governed by the Agreement.
3. Data Processing Terms
3.1 Roles. The Parties agree that Customer is the “controller” and Mixpanel is the “processor” or “sub-processor” of Customer Content sent to and processed in the Application Service. Schedule 1 and Schedule 2 of this DPA further describe processing activities.
3.2 Purpose of Processing. Mixpanel shall Process Personal Information only (i) as a Processor to provide the Application Services to Customer according to the terms of this DPA, the Agreement, Order Forms, or according to Customer’s written instructions, or (ii) as otherwise required by applicable law. If applicable law requires Mixpanel to Process Personal Information for any other purposes, Mixpanel will inform Customer of such requirement prior to the Processing unless prohibited from doing so by applicable law. A description of this processing activity and the purpose of processing can be found in Schedule 2 below.
3.3 Confidentiality of Processing. Mixpanel will take appropriate measures to ensure the confidentiality of Personal Information as outlined in the Agreement.
3.4 Disclosure of Personal Information. Mixpanel will not disclose or provide access to Personal Information to any third party, unless:
3.4.1 Customer directs Mixpanel to send Personal Information to a third party in writing,
3.4.2 Customer uses Third-Party Services available through the Application Services as described in the Agreement, or
3.4.3 As required by applicable law. Unless prohibited by law, Mixpanel shall promptly notify Customer of any requests from law enforcement for Personal Information and attempt to re-direct such requests to Customer, as described in our Transparency Report. Mixpanel shall only provide Personal Information to law enforcement when compelled to do so by a valid legal process.
3.5 Assistance with Compliance Obligations.
3.5.1 Data Subject Rights Requests. Mixpanel shall assist Customer with Customer’s obligation to respond to requests from Data Subjects to exercise rights under Data Privacy Law (including requests to know, access, correct, or erase Personal Information, or for its portability). Mixpanel shall promptly redirect all data subject rights requests from Data Subjects to Customer. Customer is solely responsible for responding to Data Subjects to fulfil these requests.
3.5.2 Privacy Impact Assessments. Mixpanel provides Customers with product documentation and a data transfer information sheet to assist in Customer’s Privacy Impact Assessment obligations.
4. Data Security Program
4.1 Mixpanel shall, without limitation of Customer’s security obligations under the Agreement, implement and maintain Appropriate Technical and Organisational Measures designed to protect Personal Information against accidental, unauthorised or unlawful Processing, including, but not limited to, destruction, loss, alteration, access or disclosure. These measures shall be designed to provide a level of security appropriate to the risk of harm which might result from such incidents and having regard to the nature of the Personal Information. Mixpanel may make changes to its security program without notifying Customer, provided that the level of security is not materially degraded. These technical and organisational measures shall include:
4.1.1 Information Security Program. Mixpanel has a defined information security program managed by our information security officer, who is responsible and accountable for the protection of Mixpanel and our customers. This program includes dedicated security teams, company policies, as well as technical, physical, and administrative controls as described below.
4.1.2 Security Policies. Mixpanel maintains policies documenting our processes and procedures for developing our products, securing Personal Information, and responding to security incidents.
4.1.3 Technical Controls. Mixpanel employs a large number of technical controls to protect Customer Content, including those found at https://mixpanel.com/legal/tom.
4.1.4 Administrative Controls. Mixpanel maintains industry standard administrative controls for the protection of Personal Information, including:
4.1.4.1 Confidentiality Training of Mixpanel Personnel. Mixpanel ensures that all Mixpanel personnel that require access to Personal Information are informed of its confidential nature, are subject to a duty of confidentiality in respect thereof, and comply with the obligations set out in this DPA and applicable Data Privacy Law,
4.1.4.2 Security Training. Mixpanel periodically provides training regarding common security issues, data security best practices, and data privacy best practices to Mixpanel personnel, and
4.1.4.3 Access Controls and Permissions. Mixpanel restricts access to the Application Services through the use of single sign on (“SSO”) and other role-based security measures.
4.1.5 Physical Security Measures. Mixpanel restricts physical access to its facilities using access cards or “key” cards. Mixpanel further restricts access to servers that store and Process Customer Content to only those employees that require access to perform their jobs.
5. Security Incident
Mixpanel shall notify Customers without undue delay if Mixpanel becomes aware of a breach of its security that has led to any accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to Personal Information that is Processed by Mixpanel in the course of providing the Application Services (“Incident”). Mixpanel shall (i) investigate the Incident; (ii) provide Customer with a description of the Incident and periodic updates about the Incident; and (iii) exercise commercially reasonable efforts to prevent or mitigate the effects of the Incident.
6. Documents & Audits
6.1 Documentation Requests. Upon written request from Customer, no more than once per calendar year, Mixpanel shall provide the following information and documentation to verify its compliance with Data Privacy Law and this DPA: (1) third-party certifications and audit reports on its security, privacy practices and architecture, and (2) written responses to industry standard written audit questionnaires.
6.2 Audits by Customer. Audits of Mixpanel’s privacy and security practices by Customers are only permitted if the information and documentation provided to Customer by Mixpanel in Section 6.1 is insufficient to demonstrate Mixpanel’s compliance with this DPA or where required by Data Privacy Law. Mixpanel and Customer shall jointly select a qualified third party (“Third Party Auditor”) to perform audits at Customer’s expense. Such audits shall be subject to the following limitations:
6.2.1 Third Party Auditors are required to have professional certificates or qualifications that bind said body to a duty of confidentiality,
6.2.2 No access will be granted to any part of Mixpanel’s information technology systems, data hosting sites or centres, or its infrastructure during the course of the audit,
6.2.3 No access will be granted to any Subprocessor facilities,
6.2.4 Any audit shall be conducted at the expense of Customer,
6.2.5 Any audit shall be conducted under mutually agreed notice, scope and duration,
6.2.6 Any audit shall exclude any internal accounting or financial information, trade secret, data or information of any other Mixpanel customer (including its end users), or any information that in Mixpanel’s reasonable opinion could compromise the security of its systems or premises or cause Mixpanel to be in breach of its obligations under Data Privacy Law or its security, confidentiality, or privacy obligations to any other Mixpanel customer or third-party, and
6.2.7 Audits shall be limited to once per calendar year.
6.3 The Parties agree that any audit described in the Standard Contractual Clauses shall be performed pursuant to this provision.
7. Subprocessors
7.1 Mixpanel uses Subprocessors to provide limited services on its behalf as part of the Application Services. Mixpanel’s current Subprocessors list is available at: https://mixpanel.com/legal/subprocessor-list (“Authorised Subprocessors”). Customer hereby confirms its general authorization for Mixpanel’s use of Subprocessors, as described below.
7.1.1 New Subprocessors. At least thirty (30) days prior to the date on which any new Subprocessor shall commence Processing Personal Information, Mixpanel will update the list of Authorised Subprocessors to include the new Subprocessor. To receive updates regarding new Subprocessors or modifications to the Agreement, please complete this form.
7.1.2 Objection to New Subprocessors. Where Customer has reasonable grounds to object to Mixpanel’s appointment of a new Subprocessor, Customer may notify Mixpanel in writing by emailing compliance@mixpanel.com within thirty (30) calendar days of the update or receipt of the notice, whichever is later. Customer is deemed to consent to the new Subprocessor if Customer does not timely object to the new Subprocessor. Customer acknowledges and agrees that (a) Mixpanel’s Affiliates may be retained as Subprocessors through written agreement with Mixpanel and (b) Mixpanel and Mixpanel Affiliates respectively may engage third party subcontractors, pursuant to this clause 7, in connection with the provision of the Application Services.
7.1.3 Processing by Subprocessors. Mixpanel shall enter into written agreements with its Subprocessors requiring the Subprocessor to abide by terms no less protective than this DPA. The Subprocessors will be permitted to Process Personal Information only to deliver the services Mixpanel has retained them to provide, including requirements to comply with Data Privacy Law applicable to the Personal Information they Process. Mixpanel remains responsible for its Subprocessors’ compliance with the obligations of this DPA.
8. Data Transfer and Storage Locations
8.1 Mixpanel stores Personal Information on our servers in the US by default, or on our European servers, based on Customer’s selection and configuration of the Application Services. Mixpanel relies on the DPF (as defined below) for lawful transfer purposes, but may also enter into EU Standard Contractual Clauses with Customer as described in Section 8.1.2 below. Mixpanel transfers Personal Information to the United States, or to other third countries that do not provide an adequate level of legal protection to data subjects, only subject to the safeguards described in this DPA, including:
8.1.1 Data Privacy Framework Certifications. Mixpanel relies on the EU-US Data Privacy Framework, UK Extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework (together, “DPF”) to transfer Personal Information from these jurisdictions to the United States. Mixpanel will continue to certify with the U.S. Department of Commerce and comply with the DPF Principles and applicable Data Privacy Law.
8.1.2 Standard Contractual Clauses. Mixpanel enters into EU Standard Contractual Clauses for the transfer of Personal Information to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“SCCs”) as set forth below.
8.1.2.1 Controller to Processor & Processor to Processor Transfers. Where Mixpanel is the Processor of Personal Information subject to GDPR as described in this DPA, Module Two and Module Three of the SCCs shall apply as described below.
8.1.2.1.1 Customer and Mixpanel agree that the optional docking clause in Clause 7 shall apply,
8.1.2.1.2 Customer and Mixpanel agree that the time period for notification of Subprocessor changes under Clause 9 is the period set forth in Section 7 above,
8.1.2.1.3 Customer and Mixpanel agree that the optional language in Clause 11 shall not apply,
8.1.2.1.4 Customer and Mixpanel agree to Option 1 of Clause 17, and that disputes will be resolved before the courts of Ireland, and
8.1.2.1.5 Customer and Mixpanel agree that disputes under Clause 18(b) will be resolved before the courts of Ireland.
8.1.2.2 Controller to Controller. Where Mixpanel is the Controller of Personal Information that is subject to GDPR as described in this DPA, Module One of the SCCs shall apply as described below.
8.1.2.2.1 Customer and Mixpanel agree that the optional docking clause in Clause 7 shall apply,
8.1.2.2.2 Customer and Mixpanel agree that the optional language in Clause 11 shall not apply,
8.1.2.2.3 Customer and Mixpanel agree to Option 1 of Clause 17, and that disputes will be resolved before the courts of Ireland, and
8.1.2.2.4 Customer and Mixpanel agree that disputes under Clause 18(b) will be resolved before the courts of Ireland.
8.1.2.3 Transfers from the UK. The UK Addendum to the SCCs applies to Personal Information protected by the UK GDPR as described below.
8.1.2.3.1 Customer and Mixpanel agree that Tables 1, 2, and 3 of the UK Addendum shall be completed with relevant information from the SCCs attached as Schedule 2 below and information included in this Section 8,
8.1.2.3.2 Customer and Mixpanel agree that “neither party” shall be checked under Table 4, and
8.1.2.3.3 Customer and Mixpanel agree that the start date of the UK addendum shall be the date of this DPA.
8.1.2.4 Transfers from Switzerland. The Swiss SCCs shall apply to the protection of Personal Information protected by the Swiss Federal Data Protection Act as set forth below.
8.1.2.4.1 Customer and Mixpanel agree that Swiss law shall apply in lieu of “EU”, “Member State”, “Union”, and “Member State Law” under the SCCs, and
8.1.2.4.2 Customer and Mixpanel agree that the FDPIC and competent courts in Switzerland shall be the competent supervisory authority for purposes of the Swiss SCCs.
9. Data Retention
Following termination or expiration of the Agreement and/or upon Customer’s written request, Mixpanel shall securely make Personal Information available to Customer for a period of 30 days, then destroy such Personal Information, unless retention is required by law. Customer may request a certificate of destruction necessary to demonstrate compliance with this obligation.
10. Notices
Notices to Mixpanel may be provided by emailing compliance@mixpanel.com.
11. Limitation of Liability
This DPA shall be subject to the limitations of liability agreed between Customer and Mixpanel in the Agreement and such limitation shall apply in aggregate for all claims under the Agreement and this DPA.
12. Incorporation and Precedence
This DPA is hereby incorporated into and forms part of the Agreement. The order of precedence in case of any conflict, exclusively in relation to the processing of Personal Information under this DPA, will be, in order of priority: (i) the Order Form; (ii) this DPA; (iii) the Agreement and any schedules or exhibits thereto, unless otherwise agreed in writing.
13. Execution
The parties agree to the terms of this DPA as of the Effective Date (as defined in the Agreement or applicable Order Form).
14. Term
The term of this DPA coincides with the term of the Agreement and terminates upon expiration or earlier termination of the Agreement, or at such time that Mixpanel ceases to process Personal Information.
15. Definitions
15.1 “Data Privacy Law” means laws, directives, and accompanying regulations governing the processing of Personal Information, including, as applicable:
15.1.1 the Regulation EU 2016/679 of 27 April 2016 (“GDPR”) and related regulations such as the UK Data Protection Act of 2018 (“UK GDPR”), UK Electronic Communications Regulation of 2003 (“PECR”), Swiss Federal Act on Data Protection of 1992 (“FADP”), and Directive 2002/58/EC on Privacy and Electronic Communications (“ePrivacy”),
15.1.2 “U.S. State Data Privacy Law” means all applicable state laws in effect in the United States of America that involve the processing of Personal Information, including the California Consumer Privacy Act (“CCPA”) inclusive of the California Privacy Rights Act of 2020 (“CPRA”) as set forth in California Civil Code §1798.100 et seq., and other similar state-based privacy laws, and
15.1.3 other applicable laws relating to processing of Personal Information and privacy that may exist in relevant jurisdictions where Mixpanel operates.
15.2 “Appropriate Technical and Organisational Measures”, “Business”, “Business Purpose”, “Consumer”, “Controller”, “Data Subject”, “Person”, “Processor”, “Process”, “Processing”, “Sell”, “Service Provider”, “Share”, and “Third Party”, shall be interpreted in accordance with applicable Data Privacy Law.
15.3 “Personal Information” means any Customer Content Processed by Mixpanel in the Application Services pursuant to the Agreement, relating to an identified or identifiable natural person or household; where an “identifiable natural person” means an individual who can be identified, directly or indirectly. Personal Information includes “Personal Data” and “Personally Identifiable Information” within the Customer Content as defined by applicable Data Privacy Law.
15.4 “Subprocessor” or “Sub-processor” means any person (including any third party and any Mixpanel Affiliate, but excluding Mixpanel personnel) appointed by or on behalf of Mixpanel or any Mixpanel Affiliate to process Personal Information on behalf of Customer and/or Customer Affiliate in connection with the Agreement.
15.5 All other defined terms shall have the meaning set forth in the Agreement.
DPA Schedule 1
Jurisdiction and Industry Specific Processing Terms
1. GDPR. Mixpanel shall take reasonable steps at the Customer’s request to assist Customer in meeting Customer’s obligations under the GDPR. This includes Customer’s obligations to comply with Articles 32 to 36 of the GDPR, taking into account the nature of the Processing under this DPA.
2. US State-Based Laws. Mixpanel shall comply with applicable U.S. State-Based Data Privacy Laws, as defined below.
2.1 California. Mixpanel complies with, and assists Customers in their compliance with, the CCPA. In addition to the terms set forth in this DPA, Mixpanel Processes Personal Information of California residents under the following terms.
2.1.1 Roles. Customer is a “Business” and Mixpanel is its “Service Provider” for the purpose of Mixpanel’s Processing of Personal Information under the Agreement and applicable Order Form. The parties agree to comply at all times with the provisions of the CCPA applicable to their respective obligations as Business and Service Provider, in respect to the Processing of Personal Information.
2.1.2 Business Purpose. Customer agrees that the Business Purpose for which Mixpanel is Processing Personal Information is to provide Customer with the Application Services, as described in the Agreement, applicable Order Form, and as described in Section 3.2 of the DPA. Mixpanel shall not retain, use, or disclose such Personal Information: (i) for a commercial purpose other than for the limited and specified purposes identified in the Agreement, applicable Order Form, and as described in Section 3.2 of the DPA, or (ii) outside the direct business relationship with Customer. Mixpanel shall not combine such Personal Information with personal information that it receives from other sources, except as expressly authorised by Customer and permitted under the CCPA.
2.1.3 No “Sale” & “Sharing” by Mixpanel. Mixpanel shall not “sell” or “share” Personal Information, as defined by the CCPA, unless expressly directed to by Customer.
2.1.4 Audit & Monitoring Rights. Mixpanel complies with requests made by Customer under Cal. Civ. Code §1798.100(d) and Cal. Civ. Code § 1798.140(ag)(1) as set forth in Section 6 of the DPA.
2.1.5 Notification. Mixpanel shall inform Customer if it determines that it can no longer meet its obligations under the CCPA, and allow Customer to take reasonable and appropriate steps to prevent, stop, or remediate any unauthorised processing of Personal Information.
2.2 Virginia. Mixpanel complies with, and assists Customers in their compliance with, the Virginia Consumer Data Privacy Act (“VCDPA”) when processing the Personal Information of residents of Virginia. In addition to the terms set forth in this DPA, Mixpanel Processes Personal Information of Virginia residents under the following terms.
2.2.1 Roles. See Section 3.1 of this DPA.
2.2.2 Purpose of Processing. See Section 3.2 of this DPA.
2.2.3 Deletion of Data Upon Termination. Upon Termination as defined in the Agreement, Mixpanel shall make available, delete or render unusable all Customer Content, including Personal Information, as described in the Agreement.
2.2.4 Data Protection Assessments. See Privacy Impact Assessments in Section 3.5.2 of this DPA.
2.3 Utah. Mixpanel complies with, and assists Customers in their compliance with, the Utah Consumer Privacy Act of 2021 (“UCPA”) as set forth in the provisions of this DPA.
2.3.1 Roles. See Section 3.1 of this DPA.
2.3.2 Purpose of Processing. See Section 3.2 of this DPA.
2.4 Colorado. Mixpanel complies with, and assists Customers in their compliance with, the Colorado Privacy Act (“CPA”) of 2022 as set forth in this DPA. In addition to the terms set forth in this DPA, Mixpanel processes Personal Information of Colorado residents in the following way.
2.4.1 Roles. See Section 3.1 of this DPA.
2.4.2 Purpose of Processing. See Section 3.2 of this DPA.
2.4.3 Deletion of Data Upon Termination. Upon Termination as defined in the Agreement, Mixpanel shall make available, delete or render unusable all Customer Content, including Personal Information, as described in the Agreement.
2.4.4 Assistance with Data Protection Assessments. Mixpanel complies with requests made by Customer under CPA §6-1-1305(2)(c) as set forth in Section 3.5.2 above.
2.4.5 Audits & Inspections. Mixpanel complies with reasonable requests for audits and inspections made by Customer under CPA §6-1-1305(5)(d)(II)(A) and (B) as set forth in Section 3.5.2 (Privacy Impact Assessments) of this DPA.
2.5 Connecticut. Mixpanel complies with, and assists Customers with their compliance with, the Connecticut Data Privacy Act (“CTDPA”).
2.5.1 Roles. See Section 3.1 of this DPA.
2.5.2 Purpose of Processing. See Section 3.2 of this DPA.
2.5.3 Deletion of Data Upon Termination. Upon Termination as defined in the Agreement, Mixpanel shall make available, delete or render unusable all Customer Content, including Personal Information, as described in the Agreement.
2.5.4 Data Protection Assessments. See Privacy Impact Assessments in Section 3.5.2 of this DPA.
2.6 US Federal Legislation, Industry Specific Laws, and Restrictions on Processing.
2.6.1 US Healthcare Customers. If Customer is a “covered entity” or “business associate” as described in the Health Insurance Portability and Accountability Act of 1996, as amended and including the regulations promulgated thereunder (“HIPAA”), Customer must enter into a separate Business Associate Agreement with Mixpanel prior to sending Protected Health Information (“PHI”) to the Application Services.
2.6.2 Telecommunications Data. To the extent that Mixpanel Processes traffic, content or other Personal Information in the provision of the Application Services, Mixpanel will comply with applicable telecommunications laws and regulations applicable thereto, including security, security breach notification, and data protection laws. Customer is responsible for providing their end-users with notice and/or consent associated with their use of the Application Services.
DPA Schedule 2
Description of Processing Activities
The following is a description of data Processing and transfer activities by Mixpanel. The Parties acknowledge that the following is a description of Mixpanel’s Processing activities, including the Processing of Personal Information, provided by Mixpanel to Customer as part of the Application Services.
| Mixpanel as Processor: Customer Content (Application Services Data) | |
|---|---|
| Categories of Personal Information | Data collected by the Application Services is variable based on Customer’s configurations. Default settings of the Application Services collect end-user information including: |
| Sensitive Personal Information | None, unless the Agreement specifically provides for the transfer and processing of such data. |
| Nature of Processing | Providing account access to the services as described in the Agreement or accompanying Order Form; configuring and maintaining customer preferences within the Application Services; providing support for services purchased by customer; communicating with customer about products, support, and services; transmitting, structuring, storing, and making available personal information as required to provide the services. |
| Duration of Processing | Data will be stored, processed, and retained for the duration of an active Subscription Plan. Data will be deleted upon customer request for deletion, or within 90 days of Customer’s termination or expiration of the Agreement. |
| Transfer of Personal Information | Data transfer is limited by Customer’s selection of available server location. Data transfer is provided to enable the following: |
| Mixpanel as Processor: Spark AI Data | |
|---|---|
| Categories of Personal Information | Data collected by Mixpanel Spark is variable based on Customer’s inputs into Spark. By default, Customer Data and Personal Information are not used in Spark. Customer may turn off the use of Spark AI (https://mixpanel.com/spark-ai/) through their admin accounts. The natural language prompts entered by Customer’s Authorized Users may contain personal information; Spark uses these prompts to return charts of Customer’s use of Mixpanel’s Application Services. |
| Sensitive Personal Information | None, unless the Agreement specifically provides for the transfer and processing of such data. |
| Nature of Processing | Providing account access to the services as described in the Agreement or accompanying Order Form; configuring and maintaining customer preferences within the Application Services; providing support for services purchased by customer; communicating with customer about products, support, and services; transmitting, structuring, storing, and making available personal information as required to provide the services. |
| Duration of Processing | Data will be stored, processed, and retained for the duration of an active Subscription Plan. Data will be deleted upon customer request for deletion, or within 90 days of Customer’s termination of the Agreement or failure to make payment. |
| Transfer of Personal Information | Data transfer is limited by Customer’s selection of data warehouse location. Data transfer is provided to enable the following: |