Data Protection and Information Security Addendum

Effective Date: April 19, 2025

This Data Protection and Information Security Addendum (“Addendum”) forms part of the agreement (“Agreement”) between the Client and 365TUNE, a Software as a Service (SaaS) platform provided by Metawise Consulting LLC (“365TUNE”), regarding the provision of Services. This Addendum establishes the parties’ agreement concerning the Processing of Personal Data in compliance with applicable Data Protection Laws.

In the event of any inconsistencies between this Addendum and the Agreement, the terms and conditions of this Addendum will control. In the event of conflict between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail only insofar as they are applicable to a transfer of Personal Data.

Throughout the term of the Agreement and for as long as 365TUNE controls, possesses, stores, transmits, or processes Personal Data as part of the Services and until such time as all Personal Data have been expunged from 365TUNE’s systems and possession post-termination of the Services, 365TUNE and Client will comply with the requirements set forth in this Addendum.

1. DEFINITIONS

Capitalized terms herein shall have the definition ascribed in the Agreement. Capitalized terms not otherwise defined have the meanings set forth in this section:

    • Affiliate: Any entity that directly or indirectly controls, is controlled by, or is under common control with a party.

    • Authorized Personnel: 365TUNE’s employees, agents, or contractors who need to access Personal Data to fulfill 365TUNE’s obligations and are bound by confidentiality obligations.

    • Client: The legal entity purchasing the Services from 365TUNE.

    • Controller: The entity which determines the purposes and means of the Processing of Personal Data.

    • Data Protection Laws: All applicable laws and regulations concerning data protection and privacy, including but not limited to the GDPR, CCPA, PIPEDA, LGPD, and similar legislation.

    • Personal Data: Any information relating to an identified or identifiable natural person, as defined under Data Protection Laws.

    • Processing/Process: Any operation performed on Personal Data, whether or not by automated means, such as collection, storage, use, disclosure, or deletion.

    • Processor: The entity which processes Personal Data on behalf of the Controller.

    • Security Incident: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

    • Standard Contractual Clauses (SCCs): The standard contractual clauses approved by the European Commission or relevant authority for the transfer of Personal Data to third countries.

    • Sub-Processor: Any third party engaged by 365TUNE to process Personal Data on behalf of the Client.

2. ROLES OF THE PARTIES AND COMPLIANCE WITH DATA PROTECTION LAWS

As between 365TUNE and Client, Client shall be the Controller and 365TUNE shall be the Processor with respect to the Processing of Client’s Personal Data. 365TUNE acknowledges Client may be acting as a Processor to its Affiliates and those Affiliates as Processors to other third parties. Where such circumstances apply, Client represents and warrants that it has the appropriate authority to engage 365TUNE as a subsequent Processor.

By signing up for and using the 365TUNE platform, the Client expressly authorizes and instructs 365TUNE to process Personal Data as necessary for the provision of the Services, in accordance with this Addendum and applicable Data Protection Laws.

Each party shall comply with its obligations under all applicable Data Protection Laws. Specifically:

    • Client shall determine the scope, purpose, and manner in which such Personal Data may be processed by 365TUNE, and 365TUNE will limit its Processing of Personal Data to that which is instructed in the manner necessary to provide the Services, or otherwise to comply with applicable Data Protection Laws.

    • Client is solely responsible for its use of the Services, including making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Personal Data; securing the account authentication credentials, systems, and devices Client uses to access the Services; securing Client’s systems and devices that 365TUNE uses to provide the Services; and backing up Personal Data.

    • Client is solely responsible for evaluating for itself whether the Services, the security measures and 365TUNE’s commitments under this Addendum will meet Client’s needs, including with respect to any security obligations of Client under applicable Data Protection Laws or other laws.

    • Client warrants that it has established a legal basis for 365TUNE’s Processing of Personal Data contemplated by this Addendum and that all notices have been given to, and necessary consents and rights have been obtained from, the relevant data subjects and any other party as may be required by Data Protection Laws and any other laws for such Processing.

    • 365TUNE will process Client Personal Data to the extent necessary to comply with other documented reasonable instructions provided by Client where such instructions are consistent with the terms of the Agreement and this Addendum. If an instruction provided by Client infringes the GDPR or other applicable Data Protection Laws, 365TUNE shall immediately inform Client.

3. DATA PROCESSING LOCATION

Unless otherwise agreed in writing, the default location for the processing and storage of Personal Data is the United States.

If the Client requires data to be stored or processed in another region, this must be contractually specified. 365TUNE shall implement appropriate safeguards for international data transfers as required by applicable Data Protection Laws.

4. OPTIONAL DATA ENTRY

Purpose: The 365TUNE platform provides Clients with the option to manually enter certain data, including but not limited to per-license pricing, total costs, and related financial information. This feature is designed solely to enable Clients to generate more accurate and comprehensive financial reports and analyses within the platform.

Client Responsibility: The entry of such license cost data is entirely optional and at the sole discretion of the Client. 365TUNE does not verify, validate, or audit the accuracy, completeness, or compliance of any license cost information entered by the Client. The Client is solely responsible for ensuring that any license cost data provided is accurate, up-to-date, and entered in accordance with all applicable contractual, legal, and compliance obligations the Client may have with Microsoft or any other software vendors.

No Vendor Compliance Assumption: By entering license cost information into the platform, the Client represents and warrants that doing so does not violate any agreements or obligations with third-party vendors. 365TUNE’s role in processing this data is limited to providing reporting and analytics functionalities as instructed by the Client, and does not extend to auditing, validating, or enforcing any vendor licensing or financial compliance requirements.

5. SECURITY MEASURES

365TUNE shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR and similar provisions under other Data Protection Laws. Such measures include, as appropriate:

    • Encryption: Data encrypted in transit (TLS) and at rest (AES-256).

    • Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA) for remote access, and unique credentials for each Authorized Personnel.

    • Network Security: Firewalls, intrusion detection/prevention systems, and network segmentation.

    • Monitoring and Logging: System activity logs maintained for at least six months.

    • Vulnerability Management: Regular security assessments and prompt remediation of vulnerabilities.

    • Data Segregation: Client data logically segregated from other clients’ data.

    • Physical Security: Appropriate physical access controls to facilities where Personal Data is processed.

365TUNE shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6. SUB-PROCESSORS

365TUNE may engage Sub-Processors to process Personal Data. 365TUNE shall enter into a written agreement with each Sub-Processor imposing data protection obligations no less protective than those set out in this Addendum, as required by Data Protection Laws.

365TUNE shall inform the Client of any intended changes concerning the addition or replacement of Sub-Processors, thereby giving the Client the opportunity to object to such changes within fifteen (15) days if the engagement would cause 365TUNE to breach Data Protection Laws.

365TUNE shall remain liable for the acts and omissions of its Sub-Processors to the same extent 365TUNE would be liable if performing the services of each Sub-Processor directly under the terms of this Addendum.

7. INTERNATIONAL TRANSFERS

Where 365TUNE processes Personal Data outside the European Economic Area (“EEA”), United Kingdom, or Switzerland, such transfers shall be made in compliance with Data Protection Laws, including the use of SCCs or other approved transfer mechanisms as required by law.

The Client authorizes 365TUNE to enter into SCCs with Sub-Processors on its behalf.

8. DATA SUBJECT RIGHTS

To the extent the Client is unable to independently access, rectify, erase, restrict, or port Personal Data within the Services, 365TUNE shall, upon written request and where required by Data Protection Laws, assist the Client by appropriate technical and organizational measures to fulfill its obligations to respond to requests for exercising the data subject’s rights.

If 365TUNE receives a request directly from a data subject, it will promptly inform the Client and will not respond to the request except as required by law.

9. SECURITY INCIDENT MANAGEMENT

365TUNE shall maintain procedures for the management of Security Incidents. Upon determining that a Security Incident has occurred, 365TUNE shall notify Client without undue delay, and in no case later than seventy-two (72) hours after such determination.

Such notification shall include, to the extent known:

    • The nature of the breach;

    • The categories and approximate number of data subjects and data records concerned;

    • The likely consequences of the breach;

    • The measures taken or proposed to address the breach.

365TUNE shall cooperate with the Client and provide reasonable assistance in the investigation, mitigation, and remediation of the Security Incident, as required by Data Protection Laws.

10. DATA RETENTION AND DELETION

365TUNE will retain Personal Data only for as long as necessary to fulfill its obligations under the Agreement or as required by law.

Upon termination or expiration of the Agreement, at the choice of the Client, 365TUNE shall delete or return all Personal Data to the Client and delete existing copies unless retention of the Personal Data is required by applicable law.

11. AUDIT AND INSPECTION

365TUNE shall make available to the Client all information necessary to demonstrate compliance with this Addendum and Data Protection Laws.

The Client may, upon thirty (30) days’ written notice and during regular business hours, conduct an audit of 365TUNE’s data processing activities relating to Personal Data, limited to once per year unless otherwise required by law or following a Security Incident.

The Client shall bear the costs of any audit, unless the audit reveals a material breach by 365TUNE.

12. LIMITATION OF LIABILITY

365TUNE’s liability under this Addendum shall be subject to the limitations and exclusions of liability set forth in the Agreement, except as otherwise required by Data Protection Laws.

In no event shall 365TUNE’s total liability for all claims arising out of or related to this Addendum exceed the total amount paid by Client to 365TUNE under the Agreement during the twelve (12) months preceding the date on which the claim arose.

365TUNE shall not be liable for any breach or non-compliance resulting from:

    • Client’s failure to secure its account credentials, systems, or devices;

    • Client’s provision of inaccurate or incomplete license cost data or other optional information;

    • Any act or omission by Client or its users that violates this Addendum, the Agreement, or applicable Data Protection Laws.

13. COUNTRY-SPECIFIC TERMS

13.1 European Economic Area (EEA), United Kingdom (UK), and Switzerland

Where the Client is established in the EEA, UK, or Switzerland, or processes Personal Data of data subjects in these jurisdictions, the following additional terms apply:

    • The parties shall comply with the SCCs or other approved transfer mechanisms for international transfers.

    • The competent supervisory authority shall be determined in accordance with the SCCs.

    • The governing law and jurisdiction for disputes arising under the SCCs shall be as set forth in the SCCs.

13.2 California (CCPA)

Where the Client is subject to the CCPA, 365TUNE shall act as a “Service Provider” as defined under the CCPA and shall not:

    • Sell or share Personal Data;

    • Retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing the Services or as otherwise permitted by the CCPA.

14. GENERAL PROVISIONS

14.1 Governing Law

This Addendum shall be governed by the laws specified in the Terms of Service Agreement, or where required by Data Protection Laws, the laws of the EEA, UK, or Switzerland.

14.2 Changes to this Addendum

365TUNE may update this Addendum to reflect changes in Data Protection Laws. In the event of a material change, 365TUNE will provide the Client with at least 30 days’ notice. Continued use of the Services after such notice constitutes acceptance of the updated Addendum.

14.3 Order of Precedence

In the event of any conflict between this Addendum and the Agreement, this Addendum shall prevail to the extent necessary to comply with Data Protection Laws.

14.4 Severability

If any provision of this Addendum is held invalid or unenforceable, the remaining provisions shall remain in full force and effect.

15. APPENDICES

Appendix A: Standard Contractual Clauses

The SCCs, as adopted by the European Commission and/or the UK Information Commissioner’s Office, are incorporated by reference and form an integral part of this Addendum.

Appendix B: List of Sub-Processors

A current list of Sub-Processors is available upon request.

16. CONTACT INFORMATION

Metawise Consulting LLC
5900 Balcones Drive #8939, Austin, TX 78731
Security Contact: [email protected]
