Data Processing Addendum
1. Definitions

1.1. “Account Data” means information about the Customer that the Customer provides to INBOX in connection with the creation or administration of its INBOX accounts, such as first and last name, user name and email address of an Authorized User or Customer’s billing contact. The Customer shall ensure that all Account Data is current and accurate at all times during the term of the TOU.

1.2. “Authorized User” means an individual employee, agent or contractor of the Customer for whom subscriptions to Services have been granted pursuant to the terms of the TOU.

1.3. “Customer Credentials” means access passwords, keys or other credentials used by the Customer in connection with the Services.

1.4. “Customer Data” means any Personal Data that INBOX Processes on behalf of the Customer as a Data Processor in the course of providing its Services.

1.5. “Data Controller” means an entity that determines the purposes and means of the Processing of Personal Data.

1.6. “Data Processor” means an entity that Processes Personal Data on behalf of a Data Controller.

1.7. “Data Protection Laws” means all data protection and privacy laws and regulations of the EU, EEA and their member states, applicable to the Processing of Personal Data.

1.8. “Data Subject” means the identified or identifiable person to whom Personal Data relates.

1.9. “EEA” means the European Economic Area, the United Kingdom, and Switzerland.

1.10. “EU” means the European Union.

1.11. “GDPR” means (a) the Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), and (b) the United Kingdom General Data Protection Regulation.

1.12. “Personal Data” means any information relating to an identified or identifiable natural person as defined in the GDPR.

1.13. “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. “Process”, “Processes” and “Processed” shall be interpreted accordingly.

1.14. “Processor” means a natural or legal person, public authority, agency, or any other body which Processes Personal Data on behalf of the Data Controller.

1.15. “SCC” means the standard contractual clauses as approved by the European Commission.

1.16. “Services” means any product or service provided by INBOX pursuant to INBOX’s TOU.

1.17. “Sub-Processor” means any third-party Processor engaged by INBOX.
2. Scope and Roles

2.1. INBOX has agreed to enter into this DPA based on the Customer’s belief that Customer Data may include Personal Data that originates from the EU/EEA and/or that is otherwise subject to the GDPR. Accordingly, this DPA supplements the TOU and applies exclusively to INBOX’s Processing of Customer Data in providing Services under the TOU to the Customer.

2.2. INBOX agrees to comply with the following provisions with respect to any Personal Data Processed for the Customer in connection with the provision of the Services.

2.3. The Parties agree that with regard to the Processing of Personal Data, the Customer is the Data Controller and INBOX is a Data Processor, acting on behalf of the Customer, as further described in Annex 1 (“Details of Data Processing”) of this DPA. Each Party will comply with its respective obligations under EU Data Protection Law.
3. Customer’s Processing of Personal Data

3.1. The Customer is responsible for the control of Personal Data and must comply with its obligations as a Data Controller under Data Protection Laws, in particular for the justification of any transfer of Customer Data to INBOX and for its decisions and actions regarding the Processing and use of Personal Data.

3.2. The Customer agrees that it has provided notice and received all consents and rights necessary under Data Protection Laws for INBOX to Process Customer Data and provide the Services.
4. INBOX’s Processing of Customer Data

4.1. By entering into this DPA, the Customer instructs INBOX to Process Customer Data to provide the Services in accordance with the features and functionality of the Services.

4.2. In connection with INBOX’s delivery of the Services to the Customer, INBOX shall Process certain categories and types of Customer Data only for the purposes described in this DPA and only in accordance with the Customer’s documented lawful instructions, including with regard to transfers of Customer Data to a third country or an international organization, unless required to do so by EU or EU Member State law to which INBOX is subject. In such a case, INBOX shall inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

4.3. The Parties agree that this DPA sets out the Customer’s complete and final instructions to INBOX in relation to the Processing of Customer Data. Processing outside the scope of these instructions shall require a prior written agreement between the Customer and INBOX. Notwithstanding the foregoing, INBOX will inform the Customer promptly if it becomes aware that the Customer’s instructions may violate applicable EU Data Protection Law.
5. Customer Responsibilities and Restrictions

5.1. Without limiting its responsibilities under the TOU, the Customer is solely responsible for: (a) Account Data, Customer Data and Customer Credentials (including activities conducted with Customer Credentials), subject to INBOX’s Processing obligations under the TOU and this DPA; (b) providing any notices required by EU Data Protection Law to, and receiving any consents and authorizations required by EU Data Protection Law from, persons whose Personal Data may be included in Account Data, Customer Data or Customer Credentials; and (c) ensuring that no Personal Data relating to criminal convictions and offenses (GDPR Article 10) is submitted for Processing by the Services.
6. Security

6.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, INBOX shall, in relation to Customer Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk (including those outlined in Annex 2, “Security Measures”). In assessing the appropriate level of security, INBOX shall take into account the risks that are presented by Processing Customer Data including, in particular, the risks presented by a Customer Data Breach (as defined in Section 10). INBOX may make such changes to the Security Measures as INBOX deems necessary or appropriate from time to time, including without limitation to comply with applicable law, but no such changes will reduce the overall level of protection for Customer Data. INBOX will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Sub-Processors to the extent applicable to their scope of performance, including ensuring that all persons authorized to Process Customer Data have agreed to appropriate obligations of confidentiality.

6.2. The Parties shall take steps to ensure that any natural person acting under the authority of the Customer or INBOX who has access to Personal Data does not Process it except on instructions from the Customer, unless he or she is required to do so by EU or EU Member State law.

6.3. The Customer is responsible for reviewing the information made available by INBOX relating to its data security and making an independent determination as to whether the Services meet the Customer’s requirements and legal obligations under Data Protection Laws. The Customer acknowledges that INBOX may update or modify INBOX’s security standards from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.

6.4. The Customer agrees that it is responsible for its secure use of the Services, including securing its Customer Credentials, protecting the security of Customer Data when in transit to and from the Services, and taking any appropriate steps to securely encrypt or back up any Customer Data uploaded to the Services.
7. Sub-Processors

7.1. The Customer acknowledges and agrees that INBOX may engage third-party Sub-Processors in connection with the provision of Services, and hereby consents to INBOX’s use of Sub-Processors. As a condition to permitting a third-party Sub-Processor to Process Customer Data, INBOX will enter into a written agreement with the Sub-Processor containing data protection obligations no less protective than those in this DPA with respect to Customer Data. INBOX will restrict its Sub-Processors’ access to only what is necessary to maintain the Services or to provide the Services to Customers. Subject to this Section 7, INBOX reserves the right to engage and substitute Sub-Processors as it deems appropriate, but shall: (a) remain responsible to the Customer for the provision of the Services and (b) be liable for the actions and omissions of its Sub-Processors undertaken in connection with INBOX’s performance of this DPA to the same extent INBOX would be liable if performing the Services directly.

7.2. Upon the Customer’s request by email to [email protected], INBOX will provide the Customer with a list of then-current third-party Sub-Processors and the nature of the services they provide. The Customer can find an up-to-date list of Sub-Processors in Annex 4 of this DPA. The Customer may object to any new Sub-Processor on reasonable legal grounds (the “Objection Notice”) relating to the protection of the Customer Data, in which case INBOX shall have the right to satisfy the objection through one of the following: (a) INBOX will cancel its plans to use the Sub-Processor with regard to Customer Data or will offer an alternative to provide the Services without such Sub-Processor; (b) INBOX will take the corrective steps requested by the Customer in its Objection Notice (which removes the Customer’s objection) and proceed to use the Sub-Processor with regard to Customer Data; or (c) INBOX may cease to provide, or the Customer may agree not to use (temporarily or permanently), the particular aspect of the Services that would involve the use of such Sub-Processor with regard to Personal Data, subject to a mutual agreement of the Parties to adjust the remuneration for the Services considering their reduced scope.

7.3. All Objection Notices under Section 7.2 must be submitted by email to INBOX at [email protected]. If none of the options outlined in Clause (a), (b) or (c) of Section 7.2 are reasonably available and the Customer’s objection has not been resolved to the Parties’ mutual satisfaction within 30 days of INBOX’s receipt of the Objection Notice, either Party may terminate the affected Services and INBOX will refund to the Customer a pro-rata share of any unused amounts prepaid by the Customer. The refund will be calculated in proportion to the Services provided up to the time the Customer informed INBOX of its termination of the Services. INBOX does not provide any refunds if the Objection Notice does not have reasonable legal grounds.
8. Data Subject Rights

8.1. If INBOX receives a request from a Data Subject in relation to the Customer Data then, to the extent legally permissible, INBOX will advise the Data Subject to submit their request to the Customer, and the Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services. The Customer hereby agrees that INBOX may confirm to a Data Subject that his or her request relates to the Customer. To the extent the Customer is unable through its use of the Services to address a particular Data Subject request, INBOX will, upon the Customer’s request and taking into account the nature of the Customer Data Processed, provide reasonable assistance in addressing the Data Subject request (provided INBOX is legally permitted to do so and that the Data Subject request was made in accordance with EU Data Protection Law). To the extent permitted by applicable law, the Customer shall be responsible for any costs arising from INBOX’s provision of such assistance.
9. Deletion Upon Expiration

9.1. Upon termination of the TOU and/or DPA, INBOX will, upon the Customer’s written request, initiate a process that deletes Customer Data in its possession or control. This requirement shall not apply to the extent INBOX is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data INBOX shall securely isolate and protect from any further Processing, except to the extent required by applicable law.
10. Customer Data Breach Management

10.1. INBOX will notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach with respect to Customer Data transmitted, stored or otherwise Processed by INBOX or its Sub-Processors (a “Customer Data Breach”). Such notice may be provided (1) by posting a notice in the Services; (2) by sending an email to the email address from which the account of the Authorized User was created; and/or (3) pursuant to the notice provisions of the TOU. The Customer shall ensure that its contact information is current and accurate at all times during the term of this DPA. INBOX will promptly take all actions relating to its Security Measures (and those of its Sub-Processors) that it deems necessary and advisable to identify and remediate the cause of a Customer Data Breach. In addition, INBOX will promptly provide the Customer with: (i) reasonable cooperation and assistance with regard to the Customer Data Breach; (ii) reasonable information in INBOX’s possession concerning the Customer Data Breach insofar as it affects the Customer, including remediation efforts and any notification to Supervisory Authorities; and (iii) to the extent known: (a) the possible cause of the Customer Data Breach; (b) the categories of Customer Data involved; and (c) the possible consequences to Data Subjects. INBOX’s notification of or response to a Customer Data Breach under this Section will not constitute an acknowledgment of fault or liability with respect to the Customer Data Breach, and the obligations herein shall not apply to Personal Data Breaches that are caused by the Customer, Authorized Users or providers of Customer components (such as systems, platforms, services, software, devices, etc.).

10.2. If the Customer decides to notify a Supervisory Authority, Data Subjects or the public of a Customer Data Breach, the Customer will provide INBOX with advance copies of the proposed notices and, subject to applicable law (including any mandated deadlines under EU Data Protection Law), allow INBOX an opportunity to provide any clarifications or corrections to those notices. Subject to applicable law, INBOX will not reference the Customer in any public filings, notices or press releases associated with the Customer Data Breach without the Customer’s prior consent.
11. Compliance and Reviews

11.1. Upon request, INBOX shall supply, on a confidential basis, a copy of its audit reports (if any) to the Customer, so that the Customer can verify INBOX’s compliance with the audit standards and this DPA.

11.2. INBOX shall also provide written responses, on a confidential basis, to all of the Customer’s reasonable requests for information to confirm INBOX’s compliance with this DPA.

11.3. Where required by EU Data Protection Law, INBOX will allow the Customer (directly or through a third-party auditor subject to written confidentiality obligations) to conduct an audit of INBOX’s procedures relevant to the protection of Customer Data to verify INBOX’s compliance with its obligations under this DPA. In such case: (a) The Customer shall: (i) provide INBOX at least 30 days’ prior written notice of any proposed audit; (ii) undertake an audit no more than once in any 12-month period, except where required by a competent Supervisory Authority or where an audit is required due to a Customer Data Breach; and (iii) conduct any audit in a manner designed to minimize disruption of INBOX’s normal business operations. To that end and before the commencement of any such audit, the Customer and INBOX shall mutually agree upon any reimbursement of expenses for which the Customer shall be responsible, as well as the audit’s participants, schedule and scope, which shall in no event permit the Customer or its third-party auditor to access the Services’ hosting sites, underlying systems or infrastructure. (b) Representatives of the Customer performing an audit shall protect the confidentiality of all information obtained through such audits in accordance with the TOU, may be required to execute an enhanced mutually agreeable nondisclosure agreement, and shall abide by INBOX’s security policies while on INBOX’s premises. Upon completion of an audit, the Customer agrees to promptly furnish to INBOX any written audit report or, if no written report is prepared, to promptly notify INBOX of any non-compliance discovered during the course of the audit.
12. Impact Assessment and Additional Information

12.1. INBOX shall provide the Customer with reasonable cooperation and assistance needed to fulfill the Customer’s obligations under EU Data Protection Law, to the best of its abilities and as far as its resources allow, including: (a) carrying out a data protection impact assessment related to the Customer’s use of the Services, to the extent the Customer does not otherwise have access to the relevant information, and to the extent such information is available to INBOX; and (b) providing reasonable assistance to the Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section, to the extent required by EU Data Protection Law.
13. International Transfers

13.1. The Customer acknowledges that INBOX may transfer and Process Customer Data anywhere in the world where INBOX, its affiliates or its Sub-Processors maintain data processing operations. INBOX shall at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws and this DPA.

13.2. To the extent that INBOX is a recipient of Customer Data protected by EU Data Protection Laws (“EU Data”) in a country outside of Europe that is not recognized as providing an adequate level of protection for personal data (as described in applicable EU Data Protection Law), the Parties agree that INBOX shall abide by and Process EU Data in compliance with the SCCs in the form set out in Annex 3. For the purposes of the descriptions in the SCCs, INBOX agrees that it is the “data importer” and the Customer is the “data exporter” (notwithstanding that the Customer may itself be an entity located outside Europe).

13.3. Sub-Processors used by INBOX to Process any Customer Data protected by Data Protection Laws and/or that originates from the EEA, in a country that has not been designated by the European Commission or the Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection, will provide an adequate level of protection for Personal Data and will have SCCs integrated in their Data Processing Agreements.
14. Processing as Controller

14.1. The Parties believe INBOX’s role is that of a Processor with respect to Customer Data. In relation to the Processing of Account Data, and to the extent (if any) that INBOX may be considered a Controller in relation to certain Processing of Customer Personal Data, each Party will comply with its obligations as a Controller and agrees to provide such reasonable assistance as is necessary: (a) to each other to enable each Party to comply with any Data Subject access requests and to respond to any other queries or complaints from Data Subjects in accordance with EU Data Protection Law; and (b) to each other to facilitate the handling of any Personal Data Breach as required under EU Data Protection Law.
15. Limitation of Liability and Applicable Law

15.1. Each Party’s liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions of the TOU.
Annex 1: Details of Data Processing
- Subject matter: The subject matter of the data Processing under this DPA is the Customer Data.
- Duration of Processing: INBOX will Process Customer Data for the duration of the Services, as described in the TOU.
- Nature of the Processing: INBOX provides email marketing and automation software as a service and other related services, as described in the TOU.
- Purpose of the Processing: The purpose of the data Processing under this DPA is the provision of the Services.
- Categories of Data Subjects:
- Types of Customer Data:
- Data Minimisation, Access Control and Employee Education
- Business Continuity
- Change Control
- Data Security
- Encryption and Key Management
- Data Transfer to Sub-Processors
- LIST OF PARTIES
- Name: INBOX, Inc.
- DESCRIPTION OF TRANSFER