Data Protection Addendum
This Data Processing Addendum ("DPA") forms part of the Customer Terms (the "Agreement") between the Customer ("Controller") and Metarelic Consulting Inc. ("Processor" or "Metarelic People") and governs the Processing of Personal Data by Metarelic People on behalf of the Customer in the course of providing the Services.
1. Definitions
Unless otherwise defined herein, capitalised terms have the meanings set out in the Agreement.
Applicable Data Protection Law means the Data Protection Act, 2023 (Grenada), and any other laws or regulations applicable to the Processing of Personal Data.
Controller means the Customer.
Processor means Metarelic Consulting Inc. ("Metarelic People").
Data Subject means any individual whose Personal Data is Processed under this DPA.
Personal Data means any information relating to an identified or identifiable natural person.
Processing, Process, Processed means any operation or set of operations performed on Personal Data.
Subprocessor means any third party engaged by Metarelic People to Process Personal Data.
2. Roles and Scope
- The details of the Processing, including subject matter, nature, purpose, types of Personal Data, and categories of Data Subjects, are described in Schedule 1 (Description of Processing).
- The Customer acts as the Data Controller and Metarelic People acts as the Data Processor with respect to Personal Data processed as part of the Services. Metarelic People shall Process Personal Data only in accordance with documented instructions from the Customer, including those provided through the Agreement, this DPA, or any configuration settings in the Platform. Metarelic People will not Process Personal Data for any purpose other than to provide the Services, unless required to do so by law, in which case Metarelic People shall inform the Customer before such Processing, unless legally prohibited.
3. Confidentiality
Metarelic People shall ensure that persons authorised to Process Personal Data are under an obligation of confidentiality. Metarelic People shall take reasonable steps to ensure the reliability of any employee, agent, or contractor who may have access to Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Personal Data for the purposes of the Agreement. Metarelic People shall ensure that such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. Security
- Controls for the Protection of Personal Data
Metarelic People has implemented and will maintain the technical and organisational measures outlined in Schedule 2 to this DPA to protect the confidentiality, integrity, and availability of Customer Personal Data and to protect such data against unauthorised access, disclosure, alteration, and destruction. Metarelic People may update or modify these measures from time to time, provided that such updates and modifications do not materially decrease the overall level of security during the term of the Agreement. The Customer is solely responsible for determining whether these measures meet its compliance obligations under applicable laws.
- Third-Party Certifications and Audits
Metarelic People may use independent third-party auditors to assess the adequacy of its security measures and may maintain security certifications or audit reports, such as ISO 27001 or SOC 2. Upon written request at reasonable intervals, and subject to confidentiality obligations, Metarelic People shall provide Customer with a summary of the most recent relevant certifications or audit reports, provided the requesting party is not a competitor of Metarelic People.
5. Sub-processors
- Appointment of Sub-processors
Customer acknowledges and agrees that Metarelic People may engage Sub-processors in connection with the provision of the Services. Metarelic People will use commercially reasonable efforts to ensure that each Sub-processor is subject to contractual or other legal obligations that provide protections for Personal Data that are no less protective than those in this DPA, to the extent applicable to the nature of the services provided by such Sub-processor. A current list of authorized Sub-processors is provided in Schedule 3 to this DPA.
- Sub-processor Lists and Updates
Metarelic People will maintain and update the list of Sub-processors in Schedule 3 as necessary. Customer may request notification of any additions or removals to the Sub-processor list by contacting privacy@metarelic.com. Metarelic People will provide a mechanism to subscribe to such updates.
- Objecting to New Sub-processors
Customer may object to Metarelic People’s use of a new Sub-processor by notifying Metarelic People in writing within thirty (30) days of being informed. In such case, Metarelic People will work with the Customer in good faith to address the objection through a commercially reasonable change in the Service or Customer’s use of the Service. If no reasonable alternative is available, either party may terminate the affected Services with written notice.
- Liability
It remains understood between the Parties that the Processor shall remain liable for the actions and omissions of its Sub-Processors and shall contractually ensure that each Sub-Processor complies with the requirements of the Data Protection Laws and the provisions of this DPA.
6. Liability
Metarelic People will remain liable for the acts and omissions of its Sub-processors to the same extent it would be liable if performing such services directly, except as otherwise provided in the Agreement.
7. Data Subject Rights
Metarelic People shall, to the extent legally permitted, promptly notify the Customer if it receives a request from a Data Subject to exercise rights under Applicable Data Protection Law, including rights of access, rectification, restriction, objection, erasure, portability, or to not be subject to automated decision-making. Metarelic People shall not respond to any such request without the Customer’s prior written consent except to confirm receipt. Metarelic People will provide reasonable assistance to the Customer to fulfil its obligations in responding to such requests.
8. Data Breach Notification
Metarelic People shall notify Customer without undue delay upon becoming aware of a Personal Data Breach, and provide necessary information to allow Customer to meet legal obligations.
9. International Transfers
- Metarelic People may transfer Personal Data outside Grenada, where necessary to provide the Services. In such cases, Metarelic People shall ensure such transfers are made in compliance with Applicable Data Protection Law and implement appropriate safeguards, such as:
  - Transfers to countries recognised by relevant authorities as providing an adequate level of protection;
  - The use of standard contractual clauses or other approved mechanisms;
  - Binding contractual obligations on Sub-processors; and
  - Technical and organisational measures to ensure security and data minimisation.
- Metarelic People shall provide information about the applicable safeguards upon the Customer's reasonable request.
10. Retention and Deletion
Upon termination of the Agreement, Metarelic People shall, at Customer’s option, return or delete all Personal Data after a 90-day retention period unless otherwise required by law.
11. Audit and Compliance
Upon reasonable written request and subject to appropriate confidentiality obligations, Metarelic People shall make available documentation or certifications sufficient to demonstrate compliance with this DPA. Where necessary, and no more than once per calendar year, Customer may conduct an on-site or remote audit, or appoint an independent third party to do so, subject to reasonable advance notice and coordination. Customer shall bear the costs of such audit unless a material breach is identified.
12. Liability
Liability arising under this DPA is subject to the limitations of liability set out in the Agreement.
13. Governing Law
This DPA shall be governed by the laws of Grenada.
Schedule 1: Description of Processing
Subject Matter: Processing in connection with Metarelic People’s HR and payroll services
Duration: Duration of the Agreement
Nature and Purpose: HR and payroll administration, employee self-service, analytics
Types of Personal Data: Names, contact information, national IDs, employment and payroll data, login activity
Categories of Data Subjects: Customer employees, contractors, users
Schedule 2: Technical and Organisational Measures
Metarelic People maintains an information security program designed to (a) secure Customer Personal Data against accidental or unlawful loss, access, or disclosure, (b) identify reasonably foreseeable risks to the security and availability of the Services, and (c) minimize physical and logical security risks to the Services, including through regular risk assessment and testing. Metarelic People designates one or more employees responsible for coordinating and being accountable for the information security program.
Metarelic People’s information security program includes the measures outlined here.
Schedule 3: Authorised Sub-processors
The following Sub-processors are authorised to process Personal Data on behalf of Metarelic People:
Sub-processor | Purpose | Location | Legal Reference
This list may be updated from time to time. Customers may subscribe to notifications by contacting: legal@metarelicpeople.com
