
Managed Waste Innovations, LLC
Data Processing Addendum

Last modified: December 5, 2025

Introduction

This Data Processing Addendum (“Addendum”) forms part of the Terms of Use or other written or electronic agreement (collectively, the “Agreements”) between MANAGED WASTE INNOVATIONS, LLC (“Company”) and Customer. This Addendum applies to Company’s Processing of Personal Data on behalf of the Customer in connection with the Services. Company and Customer are each a “Party” and collectively the “Parties.”

If there is any conflict between this Addendum and the Agreements regarding Processing of Personal Data, this Addendum controls. Any capitalized terms not defined here have the meaning set forth in the Agreement.

Definitions

  • “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of such entity.
  • “Authorized Affiliate” means any Affiliate of Customer that is permitted to use the Services under the Agreement and that has not entered into a separate agreement with Company governing the Processing of Personal Data.
  • “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
  • “Customer” means the entity that executed the Agreement together with its Affiliates (for so long as they remain Affiliates) which have signed order forms. For the purposes of this Addendum only, and except where indicated otherwise, the term “Customer” shall include Customer and its Authorized Affiliates.
  • “Data Protection Laws” means all applicable laws and regulations relating to privacy, Personal Data, and data security, including as applicable: the EU GDPR, UK GDPR, CCPA/CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, and any implementing or successor laws.
  • “Data Subject” means the identified or identifiable person to whom Personal Data relates.
  • “EU GDPR” means Regulation (EU) 2016/679. “UK GDPR” means the retained EU law version of GDPR as defined in the UK Data Protection Act 2018.
  • “Personal Data” means any information relating to an identified or identifiable natural person that is Processed by Provider on behalf of Customer under the Agreement.
  • “Process/Processing” means any operation performed on Personal Data, as defined by Data Protection Laws.
  • “Sub-processor” means any Processor engaged by Provider to Process Personal Data on behalf of Customer.
  • “Security Incident” means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  • “Standard Contractual Clauses” or “SCCs” means (as applicable) (a) the EU Commission standard contractual clauses for transfers of Personal Data to processors outside the EEA; and/or (b) the UK International Data Transfer Addendum or other approved transfer mechanism.

Roles of the Parties

Customer is the Controller or Processor of Personal Data Processed by Company under the Agreement. Company will Process Personal Data solely as Processor on behalf of Customer and in accordance with Customer’s documented instructions. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired the Personal Data. Company will inform Customer if it believes an instruction violates Data Protection Laws, and may suspend the relevant Processing unless Customer modifies the instruction. Each Party will comply with the Data Protection Laws applicable to it in its role.

Scope, Purpose, and Duration

This Addendum applies when Customer Processes Personal Data in its capacity as a processor in connection with its Services and the Agreements. Company will process Personal Data as a Processor in order to provide and improve its Services and the Company’s website, and enable the use of various features and functionalities on the Company’s website.
Company will not Process Personal Data for any purpose other than providing the Services, unless required by law or with Customer’s prior written consent.

Customer Instructions

Company will Process Personal Data only on documented instructions from Customer, including as necessary to provide the Services. Any additional or changed instructions must be agreed in writing. If they materially increase Company’s cost or risk, Company may require a reasonable adjustment to fees or security measures. If Company is required by law to Process Personal Data outside Customer’s instructions, Company will notify Customer, unless prohibited by law.

Confidentiality

Company ensures that all personnel authorized to Process Personal Data are informed of its confidential nature, subject to appropriate confidentiality obligations, both contractual and statutory, and receive privacy and security training appropriate to their role. Company shall ensure that such confidentiality agreements survive the termination of the personnel engagement and take commercially reasonable steps to ensure the reliability of any Company personnel engaged in the Processing of Personal Data.

Security Measures

Company shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise Processed. Such measures shall be designed to ensure a level of security appropriate to the risks presented by the Processing and may include, as applicable:

  • Access Controls. Company shall limit access to Personal Data to authorized personnel with a legitimate business need, implement authentication and role-based access controls, and maintain logs of access to systems that store or Process Personal Data.
  • Physical Security. Company shall secure facilities, equipment, and physical media that contain Personal Data against unauthorized access, damage, or interference.
  • Data Security and Integrity. Company shall encrypt Personal Data in transit and at rest using industry-standard cryptographic protocols, implement measures to protect systems against malware and other malicious activity, and maintain data minimization and retention controls.
  • Network and System Security. Company shall implement network safeguards such as firewalls, intrusion detection and prevention systems, regular vulnerability scanning, and network segmentation to protect Personal Data against unauthorized access or exposure.
  • Incident Response. Company shall maintain written incident response procedures, promptly investigate any suspected security incidents, and notify the Controller of any Personal Data Breach without undue delay after becoming aware of it.
  • Business Continuity and Disaster Recovery. Company shall maintain and regularly test backup, disaster recovery, and business continuity plans designed to ensure the availability and integrity of systems and Personal Data in the event of an interruption.
  • Personnel Practices. Company shall require personnel involved in the Processing of Personal Data to undergo privacy and security training appropriate to their responsibilities and shall ensure that all personnel are bound by confidentiality obligations that survive the termination of their engagement.
  • Vendor and Sub-processor Management. Company shall conduct appropriate due diligence on any Sub-processors, ensure that Sub-processors are contractually required to provide at least the same level of protection for Personal Data as required under this Addendum, and monitor their compliance on an ongoing basis.

Company may update these security measures to improve security or to reflect changes in technology or risk, provided there is no material decrease in overall security.

Sub-processing

Customer provides Company a general authorization to engage Sub-processors to Process Personal Data for the Services. Company will maintain a list of Sub-processors at the following link [INSERT LINK TO PAGE LISTING SUB-PROCESSORS], through which Customer may subscribe to receive notifications of new Sub-processors. Company will impose equivalent data protection obligations on Sub-processors and remains responsible for their performance.

Company will provide reasonable prior notice of any new Sub-processor. Customer may object on reasonable data-protection grounds within 30 days of notice. If Customer objects and the Parties cannot resolve the concern, Company may (a) not appoint the Sub-processor, (b) offer a commercially reasonable alternative, or (c) allow Customer to terminate the affected Service with pro-rated refund of prepaid fees.

Assistance to Customer

Company will assist Customer by appropriate technical and organizational measures to respond to verified requests from Data Subjects to exercise rights under Data Protection Laws (e.g., access, deletion, correction), to the extent Customer cannot fulfill the request through self-service tools. Customer is responsible for responding to requests. Company may charge reasonable fees for assistance beyond what the services provide.

Company will provide reasonable information and cooperation needed for Customer to complete data protection impact assessments or consult regulators, to the extent related to the Services, and subject to confidentiality.

Security Incident Notification

Company will notify Customer without undue delay after becoming aware of a Security Incident affecting Personal Data, and in any event within [72] hours unless a shorter period is required by law. Company will provide information reasonably necessary for Customer to meet any breach notification obligations, and cooperate in investigation and remediation. Company’s notification is not an admission of fault.

Audits and Compliance

Company will make available to Customer information reasonably necessary to demonstrate compliance with this Addendum. Customer may audit Company’s compliance once per year (or more if required by law or following a Security Incident), upon at least 30 days’ notice, during normal business hours, and in a manner that does not unreasonably interfere with Company operations. Audits will be conducted by Customer or a mutually agreed independent auditor bound by confidentiality. Customer bears audit costs unless a material non-compliance is found, as agreed to by both Company and Customer. Company may satisfy audit requests by providing recent SSAE 18 Service Organization Control (SOC) 2 Type II, ISO 27001, or similar third-party audit reports or certifications, unless Customer demonstrates a reasonable need for an on-site audit.

International Transfers

To the extent Company transfers Personal Data from the EEA/UK/Switzerland to a country not deemed adequate, the Parties agree to incorporate the SCCs and/or UK Addendum as applicable. The SCCs are incorporated by reference and completed as set forth in Appendix D. If SCCs apply and conflict with this Addendum, the SCCs control for the limited purpose of international transfers.

Return or Deletion

Upon termination or expiration of Services, Company will, at Customer’s choice and upon written notice, return or delete Personal Data, unless retention is required by law. Company may retain copies in backups for a limited period consistent with its standard retention policies, provided such data remains protected and is not actively Processed.

U.S. State Privacy/CPRA Service Provider Terms

Where Data Protection Laws (including CPRA and other U.S. state privacy laws) apply, Company acts as a “service provider,” “processor,” or equivalent, and Customer acts as a “business”/“controller.” Company will not “sell” or “share” Personal Data (as those terms are defined by CPRA) or retain, use, or disclose Personal Data for any purpose other than providing the Services, except as permitted by Data Protection Laws. Company will not combine Personal Data received from Customer with personal data received from other sources except as permitted by Data Protection Laws (e.g., to perform the Services, ensure security/integrity, or improve services in a permitted way). Company will (a) notify Customer if it can no longer meet applicable obligations; and (b) allow Customer to take reasonable steps to ensure Company uses Personal Data consistent with Customer’s legal obligations.

Liability

Liability under this Addendum is subject to the limitations of liability in the Agreement, unless prohibited by Data Protection Laws. Nothing in this Addendum limits liability for a Party’s gross negligence or willful misconduct.

Miscellaneous

If any provision of this Addendum is held by a court or other tribunal of competent jurisdiction to be invalid, illegal, or unenforceable for any reason, such provision shall be eliminated or limited to the minimum extent such that the remaining provisions of the Addendum will continue in full force and effect.
Company may update this Addendum to comply with changes in Data Protection Laws by providing notice to Customer. If an update materially reduces Customer’s protections, Customer may terminate the affected Services within 30 days of notice.

Appendix A
Details of Processing

Subject Matter and Duration of Processing

The subject matter of the Processing is the Performance of the Services pursuant to the Agreements and as further described in the documents.

The duration of the Processing shall be the term of the Agreements, plus any additional period required to complete data deletion or return obligations and to accommodate required backup retention periods.

Nature and Purpose of Processing

The nature and purpose of the Processing shall consist of activities necessary for the performance of the Services, including but not limited to hosting, account management, customer support, analytics strictly related to service performance, and communications related to the Services.

Categories of Data Subjects

The Personal Data Processed under this Addendum may relate to categories of Data Subjects such as Customer employees, Customer end users, Customer clients, and vendors.

Types of Data

The types of Personal Data Processed may include identifiers such as names, email addresses, telephone numbers, and account IDs; commercial or transaction data such as orders and invoices; user-generated content such as files and text entered into the Services; online identifiers such as IP addresses, device identifiers, and log data; and any other categories of Personal Data specified by Customer.

The Processing may involve Sensitive Data or Special Categories of Data, expressly identified by Customer, including but not limited to health information, biometric data, precise geolocation data, or other categories that require enhanced safeguards.

Processing Operations

The Processing operations performed under this Addendum may include collecting, recording, storing, organizing, accessing, transmitting, and deleting Personal Data, as necessary to provide the Services and in accordance with Customer’s instructions.

Customer Instructions

The Processing shall be performed only in accordance with the documented instructions, restrictions, retention periods, regional limitations, or other constraints specified by Customer.
