Data Processing Agreement
The DPA of Mida A/B testing platform

Processing personal data in a secure, fair, and transparent way is extremely important to us at Equals One Ventures, the company of the creators of Mida.

To better protect individuals’ personal data, we are providing this agreement to govern Equals One Ventures and your handling of personal data (the “Data Processing Agreement” or “DPA”).

If you are accepting this DPA on behalf of Customer, you warrant that:

(a) you have full legal authority to bind Customer to this DPA;

(b) you have read and understand this DPA; and

(c) you agree, on behalf of Customer, to this DPA.

If you do not have the legal authority to bind Customer, please do not accept this DPA.

The Parties agree that Customer is the Data Controller and that Equals One Ventures is its Data Processor in relation to Personal Data that is processed in the course of providing the Service.

1. Definitions

“You” or “Customer” refers to the company or organization that signs up to use the Equals One Ventures Service to improve the user experience of Customer's website, applications or other digital products.

“Personal Data” means any information relating to an identified or identifiable natural person to the extent that such information is protected as personal data under applicable Data Protection Law as defined in GDPR, or other relevant data protection legislation in respect of the Personal Data.


“User Data” means Personal Data related to the Users, more specifically as detailed in Annex A to this DPA.


“Customer Account Data” means any Personal Data other than User Data that is provided by the Customer or collected by Equals One Ventures from the Customer during the Services, and includes any Personal Data of any employee or other personnel of the Customer relating to the Customer’s relationship with Equals One Ventures, including but not limited to Personal Data collected for Customer’s account, billing or payment information of individuals that Customer has associated with its account, contact data required for managing its relationship with Customer, or as otherwise required by applicable laws and regulations.

"Controller" means an entity that determines the purposes and means of the processing of Personal Data.

"Processor" means an entity that processes Personal Data on behalf of the Controller.

“Data Protection Laws” means the relevant and applicable data protection and data privacy laws, rules, and regulations applicable to Personal Data. Data Protection Law(s) shall include but not be limited to, the GDPR.


“Data Subjects” shall have such meaning as provided under the GDPR.


"EU Data Protection Law" means (i) prior to May 25, 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data ("Directive") and on and after May 25, 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); and (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector and applicable national implementations of it (in each case, as may be amended, superseded or replaced).


"Processing" has the meaning given to it in the GDPR and "process", "processes" and "processed" shall be interpreted accordingly.


"Security Incident" means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data.


"Services" means the services provided to the Customer or any other activities performed on behalf of the Customer by Equals One Ventures, pursuant to the Agreement.


"Sub-Processor" means any third-party appointed by or on behalf of Equals One Ventures to Process Personal Data on behalf of the Customer in connection with the Agreement.

2. Data Processing


2.1 User Data Collection

The Services collect User Data as specified in Annex A. User Data is processed in an anonymized or pseudonymized form in accordance with industry standards to ensure that individual data subjects cannot be identified. Equals One Ventures shall not Process any other User Data other than those specified in Annex A.


2.2 Consents

Customer shall ensure compliance with all Data Protection Laws while collecting and providing any Personal Data to Equals One Ventures, including without limitation, ensuring that all required consents, to the extent applicable, have been taken from Users and/or other data subjects.


2.3 Customer Processing Instructions

Equals One Ventures shall comply with, and Process all User Data according to, the written and documented instructions received from the Customer and in the manner described under this DPA (including Annex A). Equals One Ventures shall endeavour to inform the Customer if it reasonably believes that any of the instructions received from the Customer violate any of the Data Protection Laws. Such notification will not constitute a general obligation on the part of Equals One Ventures to monitor and interpret the laws applicable to the Customer, and such notification will not constitute legal advice to the Customer.


2.4 Use of User Data

Unless otherwise instructed to by the Customer, the User Data shall be used only for the following purposes:
(i) Processing and storage necessary to provide the Services;
(ii) to provide product support to the Customer; and/or
(iii) disclosures as required by law or otherwise as set forth in the Agreement.


2.5 Use of Customer Account Data

Customer Account Data shall be used only for the following purposes:
(i) to provide product support to the Customer; and/or
(ii) disclosures as required by law, necessary to enforce any rights of Equals One Ventures under the Agreement, or otherwise as set forth in the Agreement.

3. Equals One Ventures Responsibilities


3.1 Compliance with Data Protection Laws

Equals One Ventures shall comply with all applicable Data Protection Laws in the Processing of any User Data.


3.2 Technical & Organisational Security Measures

Equals One Ventures shall maintain administrative, physical, and technical safeguards for protection of the security, confidentiality, integrity, and privacy of User Data. For a complete list of our Technical & Organizational Security Measures, please email privacy@mida.so. Equals One Ventures monitors compliance with these safeguards. Customer acknowledges that such security & privacy measures are subject to technical progress and development and that Equals One Ventures may update or modify the security & privacy measures at its sole discretion from time to time, provided that such updates and modifications do not result in the degradation of the overall security & privacy of the Services used by the Customer.


3.3 Personnel

Equals One Ventures shall ensure that its personnel engaged in the Processing of User Data are informed of the confidential nature of the User Data, have received appropriate training on their responsibilities and are subject to obligations of confidentiality and such obligations survive the termination of that person’s engagement with Equals One Ventures. Equals One Ventures shall take commercially reasonable steps to ensure the reliability of any Equals One Ventures personnel engaged in the Processing of User Data. Equals One Ventures shall ensure that access to User Data and Personal Data is limited to those personnel who require such access to perform the Services.

3.4 Data Protection Officer

Equals One Ventures has appointed an EU representative and a Data Protection Officer to monitor Equals One Ventures’s data privacy compliance globally. The appointed person can be reached by email via privacy@mida.so.

4. Sub-processors


4.1 Authorized Sub-Processors

Customer agrees that Equals One Ventures may engage Sub-Processors to Process User Data on Customer’s behalf or provide the Services as listed in Annex B.

The engagement of additional sub-processors within the scope of contractual obligations is permissible, provided that: (a) Equals One Ventures has notified the Customer in advance in writing or in text form, specifying the intended start date of the outsourcing, and (b) Equals One Ventures has not received an objection from the Customer within 14 days of gaining knowledge of all relevant information.


4.2 Obligations of Sub-Processors

Equals One Ventures shall (i) enter into a written agreement with the Sub-Processor imposing data protection terms that require the Sub-Processor to protect the User Data to the standard required by Data Protection Laws, and (ii) remain responsible for its compliance with the obligations of the DPA and for any acts or omissions of the Sub-Processor that cause Equals One Ventures to breach any of its obligations under this DPA.


5. International Transfers

Equals One Ventures stores and processes EU Data (defined below) in data centers located inside and outside the European Union. All User Data may be transferred and processed in the United States and anywhere in the world where the Customer and/or its Sub-processors maintain data processing operations. Equals One Ventures shall implement appropriate safeguards to protect the Personal Data, wherever it is processed, in accordance with the requirements of the relevant Data Protection Laws.

6. Security Reports and Audits

Equals One Ventures shall maintain records of its security standards. Upon Customer’s request, Equals One Ventures shall provide (on a confidential basis) copies of relevant external third-party audit report summaries, certification and/or other documentation reasonably required by Customer to verify Equals One Ventures’s compliance with this DPA. Equals One Ventures shall further provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires, that Customer reasonably considers necessary to confirm Equals One Ventures’s compliance with this DPA, provided that the Customer shall not exercise this right more than once per year.

7. Incident Responses and Communications


7.1 Notice of Non-Compliance

If Equals One Ventures cannot provide compliance or foresees that it cannot comply with its obligations as set out in this DPA, it agrees to promptly inform the Customer of the same. Upon such notice, the Customer is entitled to suspend the transfer and processing of any User Data or Customer Account Data.


7.2 Notice of Personal Data Breach

Equals One Ventures will notify Customer promptly and without undue delay of an actual or potential Personal Data Breach or any security exposure of Customer system or data relating to the Personal Data Breach as it becomes known or as is reasonably requested by Customer. Equals One Ventures’s notification of a Personal Data Breach will describe, to the extent possible, the nature of the Personal Data Breach, the measures taken to mitigate the potential risks and the measures that Equals One Ventures recommends Customer take to address the Personal Data Breach.


7.3 Consequences of a Personal Data Breach Notification

Equals One Ventures shall promptly take reasonable steps to minimize harm and secure User Data in the event of a Personal Data Breach. Equals One Ventures’s notification of or response to a Personal Data Breach will not be construed as an acknowledgment by Equals One Ventures of any fault or liability with respect to the Personal Data Breach.


7.4 Data Subject Requests

Any request from a data subject directly to Equals One Ventures shall be directed to the Customer. Upon instruction by the Customer, Equals One Ventures shall correct, rectify, or block any Customer Account Data to the extent they can be done by Equals One Ventures. Equals One Ventures shall cooperate to the necessary extent and provide the Customer with appropriate support wherever possible in the fulfilment by the Customer of the rights of the Data Subjects pursuant to Articles 12 to 22 GDPR, in the preparation of records of processing activities, and in the case of necessary data protection impact assessments by the Customer. Except as specified above, Equals One Ventures has no obligation to assess any Personal Data in order to identify information subject to any specific legal requirements.


7.5 Confidentiality

Information that may be disclosed in any form between Parties with respect to, or as a result of this DPA, shall be deemed to be Confidential Information. Information relating to Equals One Ventures’s database, procedures, and processes shall be considered Confidential Information.


8. Disposal and Retention of User Data


8.1 Disposal of User Data

Equals One Ventures shall promptly, and in any event between 45 and 90 days of the date of termination/expiry of the Agreement, or upon request, delete all User Data in accordance with Equals One Ventures’s procedure.


8.2 Retention of User Data

Equals One Ventures may retain User Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws, provided that the provisions of this DPA will continue to apply in respect of any User Data retained during the duration of such retention.


9. Liability


9.1 Limitation of Liability

Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to the Agreement or this DPA, whether in contract, tort, or under any other theory of liability, is subject to the “Limitation of Liability,” as mentioned in the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party under the entire Agreement, including this DPA.

Annex A: Categories of User Data

At Equals One Ventures, we prioritize the privacy and security of your User Data. The data is processed in accordance with applicable data protection laws and the principles of privacy by design and default.

1. Geolocation Data

  • Information Stored: Country, Region, and City name.
  • Examples: San Francisco, California, US.
  • Nature and Purpose of Processing: Geolocation data is used for country-based data segmentation and to optimize content delivery based on the user's location.
  • Identifiability: This data does not allow for the identification of individual data subjects.

2. Internet Protocol (IP) Address

  • Information Stored: IP address anonymized by removing the last octet.
  • Examples: 192.168.100.0
  • Nature and Purpose of Processing: The IP address is anonymized using a de-identification mechanism that masks the last portion of each visitor’s IP address. This ensures that no individual can be identified solely via their IP address.
  • Identifiability: This data does not allow for the identification of individual data subjects.

3. Cookies (Online Identifier)

  • Information Stored: A pseudonymous unique identifier (hashed identifier).
  • Examples: ef12dcdc5616f537547ad41203f393e0c57006d0e9c4afed6f.
  • Nature and Purpose of Processing: To ensure a seamless user experience while upholding privacy, we generate a unique identifier for each session. This identifier is derived from non-personal browser and device attributes (such as browser type, language settings, timezone, screen resolution, etc.) and is processed using a secure one-way SHA-256 hash. The resulting hexadecimal string is stored as a cookie, ensuring that no personally identifiable information (PII) is stored or transmitted.
  • Identifiability: The hashed identifier is pseudonymized, making it computationally infeasible to reverse-engineer the original data or identify an individual user. It is used solely for operational purposes.

4. Browser and Device Information

  • Information Stored: Information about the user’s browser and device.
  • Examples: Browser type, version, device type, and operating system.
  • Nature and Purpose of Processing: This information is used to optimize content delivery based on the user’s device and browser characteristics, ensuring a consistent and optimized user experience.
  • Identifiability: This data does not allow for the identification of individual data subjects.

5. Log Data

  • Information Stored: Metadata about network events, such as requests to websites, applications, or APIs.
  • Examples: Timestamps, request types, and response codes.
  • Nature and Purpose of Processing: Log data is used for monitoring, troubleshooting, and improving the performance and security of the service.
  • Identifiability: This data does not allow for the identification of individual data subjects.

Annex B:

Sub-processors involved in processing of User Data

“User Data” means Personal Data related to the end-user of Customer’s Properties or platform, more specifically as detailed in Annex A to the DPA.

1. Cloudflare, Inc

  • Role: CDN. Cloudflare, Inc. (“Cloudflare”) provides content distribution, security and DNS services for web traffic transmitted to and from the Services, securing and managing traffic to the Services, with access to URL interactions and IP addresses.
  • Location: Global, depending on the location of the user

2. Microsoft Azure

  • Role: Cloud infrastructure, data storage (SOC 1, SOC 2 Type 2, SOC 3, ISO 27001, 27017, 27018 Certified)
  • Location: US

Processors involved in processing of Customer Data

“Customer Data” means any Personal Data other than User Data that is provided by the Customer during the Services, and includes any Personal Data related to any employee or other personnel of the Customer.

1. Freshdesk

  • Role: Customer support platform
  • Location: US

2. Customer.io

  • Role: Customer engagement platform
  • Location: US

3. ChartMogul

  • Role: Subscription analytics
  • Location: EU (Germany)

4. Bigin

  • Role: CRM
  • Location: US

5. Trevor.io

  • Role: Data analytics
  • Location: US

6. Stripe

  • Role: Payment processing
  • Location: US

7. Lemon Squeezy

  • Role: Merchant of Record
  • Location: US

8. Plausible

  • Role: Privacy-focused analytics
  • Location: EU (Germany)
