This Data Processing Addendum (“DPA”) forms part of the Agreement between the parties, and consists of the terms and conditions set forth below that define the agreement between Valimail Inc. (“Valimail”) and Customer with respect to processing Customer Personal Data (as defined below).
1. DEFINITIONS
a. “Agreement” means, as applicable, the master services agreement, or similar commercial agreement by and between Valimail and Customer with respect to the use of the Service.
b. “Applicable Privacy Laws” means all applicable laws concerning privacy, data protection and the cross border transfer of data, including, where applicable: (i) the General Data Protection Regulation (EU) 2016/679 (“GDPR”); (ii) in respect of the United Kingdom any applicable national legislation that replaces or converts into domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union (“UK GDPR”); and (iii) the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. as modified by the California Privacy Rights Act (together, the “CCPA”), in each case each as such laws are amended, superseded, or replaced. The term “Applicable Privacy Laws” excludes any laws of the Russian Federation or the People’s Republic of China.
c. “Business Purpose” has the meaning assigned to under CCPA.
d. “CCPA Consumer” means a “consumer” as such term is defined in the CCPA.
e. “Controller” has the meaning assigned to under GDPR and other Applicable Privacy Laws using such terminology, and also means “business” as defined in the CCPA or other Applicable Privacy Laws using such terminology.
f. “Customer Data” means any data, information or other material provided, uploaded, submitted, or made available by Customer to the Service in the course of using the Service.
g. “IDTA” means the then-current International Data Transfer Addendum to the EU Commission Standard Contractual Clauses that was issued by the UK Information Commissioner’s Office, a current version found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
h. “Personal Data” means the Personal Data included within Customer Data.
i. “Data Subject” an identifiable natural person is one who can be identified, directly or indirectly, including without limitation a CCPA Consumer.
j. “European Economic Area” or “EEA” means the Member States of the European Union together with Iceland, Norway and Liechtenstein.
k. “Personal Data” means (a) any information relating to an identified or identifiable natural person where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or (b) is defined as “Personal Information” or “Personal Data” by Applicable Privacy Laws (e.g., CCPA § 1798.140(o) or GDPR Art. 4).
l. “processor” and “subprocessor” have the meaning set forth in the GDPR and other Applicable Privacy Laws using such terminology, and also mean “service provider” to the relevant party as defined in the CCPA or other Applicable Privacy Laws using such terminology.
m. “processing” or “process” shall have the meaning as set forth in the Applicable Privacy Law.
n. “Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Personal Data on systems managed or otherwise controlled by Valimail.
o. “selling” or “sell” have the meaning assigned to them in the CCPA.
p. “Sensitive Data” means data revealing a Data Subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation, or other data that is subject to heightened restrictions relating to the transmission or processing of data for the jurisdictions in which Valimail and Customer operate, such as (by way of example only) the Health Insurance Portability and Accountability Act, the Children’s Online Privacy Protection Act, any personal data regarding children under 16, and the standards promulgated by the PCI Security Standards Council.
q. “Service” means the Valimail Subscription Service received by Customer under the Agreement as set forth in the corresponding ordering document agreed to in writing by Valimail.
r. “Standard Contractual Clauses” or “SCCs”means (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs“) and (ii) where the UK GDPR applies, the EU SCCs as amended by the IDTA (“UK SCCs”) incorporated into this Addendum as described in Exhibit A.
2. SCOPE AND APPLICATION.
a. To the extent Valimail processes Personal Data on behalf of Customer in connection with the Agreement, the parties agree to comply with the provisions set forth in this DPA. In this context, Customer may act as “controller” and Valimail may act as “processor” respectively with respect to the Personal Data. Customer shall act as the “data exporter” and Valimail shall act as the “data importer” for the purposes of the Standard Contractual Clauses. Valimail shall be prohibited from selling, retaining, using, or disclosing Personal Data for any purpose other than to perform the Service in accordance with the Agreement and DPA and shall further refrain from collecting, selling or using any Personal Data except as necessary to perform its Business Purpose. For avoidance of doubt, Valimail does not receive any Personal Data as consideration for any Service or other items provided or performed by Valimail. For the purposes of the CCPA, the parties acknowledge and agree that Valimail will act as a “Service Provider” and not as a “Third Party,” as such terms are defined in the CCPA, in its performance of its obligations pursuant to the Agreement.
3. DATA PROCESSING
a. Instructions for Data Processing. Valimail will process Personal Data only in accordance with Customer’s lawful instructions and in compliance with the Agreement, unless otherwise required by applicable law to which Valimail is subject. Customer hereby instructs Valimail to process Personal Data to provide, maintain, and improve the Service in accordance with the Agreement and this DPA, as such processing initiated by Customer and its users in the use of the Service. Processing outside of the scope of the Agreement will require the prior written agreement of the parties on the additional instructions for processing. Upon notice, Valimail will take reasonable and appropriate steps to stop and remediate unauthorized processing of Personal Data. Notwithstanding anything to the contrary, Customer agrees that it shall not provide, or make available to Valimail any Personal Data except as strictly necessary for Valimail to provide the Services under the Agreement. Notwithstanding anything to the contrary, Valimail shall have no liability or obligation under the Agreement, this DPA, or otherwise, in connection with any Personal Data provided to, disclosed to, or otherwise made available to Valimail in breach of the foregoing.
b. Compliance with Laws. Each party will comply with all applicable laws, rules, and regulations (including Applicable Privacy Laws) in its performance of this DPA. Customer shall be responsible for the accuracy, quality, integrity, and legality of the Personal Data. Valimail certifies that it understands the requirements under this DPA, including without limitation requirements under CCPA and that it will abide by it. For the avoidance of doubt, Valimail expressly disclaims any compliance with any laws of the Russian Federation or the People’s Republic of China.
c. Consents. Customer represents and warrants that it has first obtained all necessary consents under Applicable Privacy Law with respect to the processing or transfer of Personal Data.
d. Processing. The categories and type of data, as well as the description of the Processing procedures are specified in Annex I to the Standard Contractual Clauses, attached to Exhibit A hereto. Customer shall not provide (or cause to be provided) any Sensitive Data to Valimail for processing under the Agreement, and Valimail will have no liability whatsoever for Sensitive Data, whether in connection with a Security Incident or otherwise.
4. TRANSFER
a. Valimail will not transfer Personal Data originating from the EEA, the United Kingdom and/or Switzerland, as applicable; and/or relating to natural persons of the EEA, the United Kingdom and/or Switzerland, as applicable, except in accordance with the following: (i) between States of the EEA, the United Kingdom and/or Switzerland, as applicable; or (ii) to the United States as governed by the Standard Contractual Clauses as incorporated by reference to this Agreement. Notwithstanding anything herein to the contrary, the Standard Contractual Clauses and the IDTA shall only apply to transfers of personal data expressly governed by the GDPR or UK GDPR, respectively, or another applicable law or regulation that expressly requires the application of the Standard Contractual Clauses.
5. SECURITY
a. Security Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for impact on the individuals to whom the Personal Data relates, Valimail shall implement and maintain appropriate technical and organizational security measures designed to protect and preserve the security, integrity and confidentiality of the Personal Data, as set forth in Annex II to the Standard Contractual Clauses, attached to Exhibit A hereto.
b. Valimail Personnel. Valimail shall restrict access by Valimail personnel to Personal Data (i) to only those personnel who need to access the Personal Data in order to provide the Service; and (ii) to those personnel who have committed themselves to, or are otherwise under, an obligation of confidentiality concerning the Personal Data.
c. Records; Audit Standards. Valimail shall maintain relevant records with respect to Valimail’s information security practices. Upon Customer’s request, Valimail will make available to Customer, up to once per year, a copy of a third-party audit or assessment reports, such as a Service Organization Controls Type 2 or 3 (“SOC”) in accordance with auditing standards in the Statements on Standards for Attestation Engagements No. 16 (SSAE16)) or such other alternative standards that are substantially equivalent to ISO 27001 (“Assessments”); or (b) if Valimail is not able to provide such Assessments, Valimail shall provide responses to any questions that Customer may reasonably submit for purposes of verifying Valimail’s compliance with this DPA (“Questionnaires”). For avoidance of doubt, any such Assessments and completed Questionnaires will constitute Confidential Information and may not be disclosed to a third party without Valimail’s written consent, except as otherwise required by law.
d. Security Incident Notification. If Valimail becomes aware of any Security Incident, then Valimail shall, without undue delay but in any event in no more than 72 hours, notify Customer of such access, and provide to Customer timely information and cooperation, as Customer may be required to address Customer’s reporting obligations under the Applicable Privacy Law. Any such notification shall not be construed as an acknowledgement by Valimail of any fault or liability with respect to the unauthorized access.
6. SUBPROCESSORS
a. Authorized Subprocessors. Customer agrees that Valimail may use subprocessors to fulfil its obligations under the Agreement. The current list of subprocessors for the Service who process Personal Data is available upon request. Before authorizing any new subprocessor, Valimail will provide notification to Customer. Customer may object to the change by notifying Valimail within 10 days after the notice and describing the rationale for the objection. Such objection notice shall explain the reasonable grounds for the objection. Upon receipt of such notice, Valimail will use reasonable efforts to make available to Customer a change in the Service or recommend a commercially reasonable change to Customer’s configuration or use of the Service to avoid processing of Personal Data by the objected-to new subprocessor without unreasonably burdening Customer.
b. Subprocessor Obligations. Where Valimail authorizes a subprocessor to process Personal Data as described in this DPA, Valimail will enter into a written agreement with each such subprocessor consistent with Applicable Privacy Laws. For avoidance of any doubt, Valimail shall be liable for the acts and omissions of its subprocessors to the same extent it would be liable if performing the services of each subprocessor directly under the terms of this DPA and the Agreement.
7. COOPERATION
a. Valimail shall notify Customer of any requests received directly by Valimail from Data Subjects and shall provide to Customer such reasonable assistance as is required for Customer to comply with such Data Subject requests. Valimail shall only respond directly to such Data Subject requests on receiving Customer’s written request and consent, provided that (to the extent permitted by Applicable Privacy Law) Customer shall be responsible for all reasonable costs arising from Valimail’s provision of such assistance, and the requests do not disrupt Valimail’s business operation.
b. To the extent required under Article 28(3) GDPR, Valimail will assist Customer to comply with Articles 35 & 36 of the GDPR; in particular, Valimail will promptly notify Customer if it believes that its processing of Customer Personal Data is likely to result in a high risk to the privacy rights of Data Subjects, and upon reasonable request, will assist Customer to carry out data protection impact assessments and to consult where necessary with data protection authorities.
c. Following Customer’s request, Valimail shall destroy all Personal Data in its possession. This requirement shall not apply to the extent that Valimail is required by any applicable law to retain some or all of the Personal Data, in which case, Valimail shall use reasonable efforts to isolate and protect the Personal Data from any further processing except to the extent required by such law.
8. GENERAL
a. Liability. Each party’s liability arising out of or in relation to this Addendum (whether in contract, tort, or under any other theory of liability) is subject to the limitations of liability set forth in the Agreement.
b. Compensation. To the extent legally permitted, Customer shall be responsible for any costs arising from Valimail’s provision of any assistance and cooperation required to be provided by Valimail hereunder, including any fees associated with the provision of additional functionality.
c. Intentionally omitted
d. Termination. This DPA will terminate automatically upon the later of (i) termination of the Agreement; or (ii) Valimail ceasing to process Personal Data.
e. Conflict. In the event of a conflict between the Agreement and this DPA, the terms of this DPA will take precedence to the extent of the conflict.
f. Severability. If any part of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
g. Modification. This DPA may not be modified except by a subsequent written instrument signed by both parties.
Exhibit A
Applicable Standard Contract Clauses and Supplemental Terms
1. The Parties agree that the SCCs are hereby incorporated by reference into this Addendum as follows: Module 2: Transfer controller to processor, as to Customer Personal Data originating in the EEA, UK, or Switzerland.
2. Cross-Border Transfers Mechanisms – EU and Switzerland. If the Agreement requires the transfer of personal data of Data Subjects who reside in or based out of the EU or Switzerland to countries that are not recognized by the European Commission as providing an adequate level of protection of Personal Data, then such transfers will be made pursuant to the transfer mechanisms outlined in Module Two (Transfer controller to processor) of the EU SCCs. Where the EU SCCs identify optional provisions (or provisions with multiple options) the following shall apply in the following manner:
a. In Clause 7 (Docking Clause) (Module 2) – the Optional provision shall apply;
b. In Clause 9(a) (Use of subprocessors) (Module 2) – Option 2 shall apply with the specified time period being 10 days.
c. In Clause 11(a) (Redress) (Module 2) – the Optional provision shall NOT apply;
d. In Clause 17 (Governing Law) (Module 2) – Option 1 shall apply with the laws of Ireland shall govern; and
e. In Clause 18 (Choice of forum and jurisdiction) (Module 2) – the courts of Ireland shall have jurisdiction.
3. Cross-Border Transfers Mechanisms–UK. If the Agreement requires the transfer of personal data of Data Subjects who reside in the UK to countries that are not recognized by the UK ICO as providing an adequate level of protection of personal data, then such transfers will be made pursuant to the EU SCCs detailed in Sections 1 and 2 of this Attachment and as amended by the IDTA. With respect to Table 1 of the IDTA, the “Exporter” is the Data Exporter and the “Importer” is the Data Importer, as both are identified in Annex I of the SCC (below)). By entering and signing the Agreement, Addendum or Order Form, Importer and Exporter are deemed to have signed the IDTA.
a. With respect to Table 2 of the IDTA:
(i) the optional provisions of Clause 7 (Docking Clause) (Module 2) shall apply;
(ii) Option 2 in Clause 9(a) (Use of subprocessors) (Module 2) shall apply with the specified time period being 10 business days;
(iii) and Clause 11(a) (Redress) (Module 2) shall NOT apply.
b. With respect to Table 3 of the IDTA, the information is provided in Section 2 of this Attachment.
c. With respect to Table 4 of the IDTA, only Exporter (aka Subscriber) may end the IDTA as is detailed in Section 19 of the IDTA if the UK ICO issues new changes to IDTA.
4. Annex 1 to the SCCs is appended to this Exhibit A.
5. Data Importer will at a minimum institute the technical and organizational measures set forth in n Annex II to the SCC, attached hereto.
6. Supplementary Terms:
a. This Addendum and the Agreement are Customer’s complete and final instructions for the processing of Customer Personal Data as of the date of entry into the current version of the Agreement and the current version of this Addendum. Any different instructions must be consistent with the current version of this Agreement and the current version of this Addendum. For the purposes of clause 8.1(a) of the SCC, the instructions for the processing of personal data include onward transfers to third parties located outside of Europe for the provision of the Services.
b. For the purposes of clause 8.6(a) of the SCC, Customer is solely responsible for determining whether the technical and organizational measures set forth in Annex II to the SCC, attached hereto, and as otherwise described to Customer by Valimail meet Customer’s requirements, and agrees that such technical and organisational measures provide an appropriate level of security, taking due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing the Customer Personal Data and the risks to individuals.
c. For the purposes of clause 8.6 of the SCC, Valimail shall delete Customer Personal Data in accordance with respective data deletion and certification of deletion provisions set out in the Agreement. For the avoidance of doubt, if no such provisions are set out in the Agreement, Valimail shall delete all Customer Personal Data within 30 days of termination of the Agreement. Any certification of deletion of Customer Personal Data from Valimail as described in the SCC shall be provided only upon Customer’s written request.
d. For the purposes of clause 8.6(c) of the SCC, personal data breaches will be addressed in accordance with Section 5(d) of this Addendum.
e. The audits permitted to be carried out under clause 8.9 of the SCC shall be conducted in accordance with, and satisfied by, the procedures set forth in Section 5(c) of this Addendum.
f. For the purposes of clause 9 of the SCC, Customer grants Valimail a general authorization to engage subprocessors, subject to the procedures set forth in Section 6 of this Addendum, and further grants such subprocessors a general authorization to engage further sub-processors, and the authority to add or replace such further sub-processors.
g. For the purposes of clause 11 of the SCC, Valimail will without undue delay inform Customer if it received a complaint by or on behalf of an individual concerning Customer Personal Data, and shall not otherwise have any obligation to address such request except as agreed between Valimail and Customer.
h. Valimail’s liability under the SCC under clause 12 shall be limited to any damage caused by its processing of Customer Personal Data only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to of Customer’s lawful instructions, and to the extent permitted under the SCC, each party’s liability under the SCC shall be subject to the provisions of the Agreement concerning limitation of liability.
i. For notices required under clause 15.1(a), Valimail will provide notice only to Customer, and Customer shall be responsible for notifying any affected individuals.
j. The Parties acknowledge and agree that where Valimail is required by the SCCs to notify the competent Supervisory Authority, Valimail shall first provide Customer with the details of the notification, permitting Customer to have prior written input into the relevant notification, where Customer so desires and is able to do so without delaying the timing of the notification unduly.
k. The Data Exporter may enforce the terms of the SCCs against the Data Importer (and vice versa).
l. Signatories. Notwithstanding the fact that the SCCs are incorporated herein by reference without the signature page of the SCCs actually being signed by the parties, it is agreed that the execution of the Agreement is deemed to constitute each party’s execution of the SCCs as Data Exporter or Data Importer (as applicable), and that it is duly authorized to do so on behalf of, and to contractually bind, the Data Exporter or Data Importer (as applicable) accordingly.
m. The provisions in this Addendum shall be without prejudice to the parties’ ability to rely on any other legally valid international data transfer mechanism for the transfer of data out of the EEA.
ANNEX 1
A. LIST OF PARTIES
Data exporter(s):
Name: As set forth in the Order Form or the Agreement between Customer and Valimail.
Address: As set forth in the Order Form or the Agreement between Customer and Valimail.
Contact person’s name, position and contact details: As set forth in the Order Form or the Agreement between Customer and Valimail.
Activities relevant to the data transferred under these Clauses: Data exporter is a customer of data importer, and is exporting data related to data exporter’s use of data importer’s products and services under the Agreement, as more fully described below and as specified in the applicable Order Form.
Signature and date: As set forth in the Order Form or the Agreement between Customer and Valimail.
Role (controller/processor): Controller
Data importer(s):
Name: Valimail Inc.
Address: 1942 Broadway St. Ste. 314C, Boulder, CO 80302
Contact person’s name, position and contact details: Sam McMahon – IT, Security, & Compliance Manager – privacy@valimail.com.
Activities relevant to the data transferred under these Clauses: As set forth in the Agreement and the applicable Order Form.
Signature and date: As set forth in the Order Form or the Agreement between Customer and Valimail.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
1. Categories of data subjects whose personal data is transferred.
“Enforce” Subscription Service: Employee(s) or consultant(s) of Customer
“Mailbox Connector” Subscription Service: Employee(s) or consultant(s) of Customer, recipients of emails sent by employees or consultants of Customer
“RUF+” Subscription Service: Employee(s) or consultant(s) of Customer, recipients of emails sent by employees or consultants of Customer, third parties identified in email content or attachments in emails sent by employees or consultants of Customer and rejected by destination email gateway
2. Categories of personal data transferred
“Enforce” Subscription Service: Name, email address
“Mailbox Connector” Subscription Service: Name, email address, technical email header information, subject line of emails (accessible to Valimail, but not accessed or transferred)
“RUF+” Subscription Service: Name, email address, subject line of emails, technical email header information, information concerning third parties (if any) identified in email content or attachments in emails sent by employees or consultants of Customer and rejected by destination email gateway
3. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
None
4. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous – As needed to access the Services described in the Agreement.
5. Nature of the processing
Valimail provides automated service identification, configuration and management of authentication controls enabling our customers to send authenticated email to reach DMARC Enforcement. The nature of the processing varies depending on the specific services selected by customers.
“Enforce” Subscription Service:
Valimail does not require having access to Customer’s systems, and Valimail has no access to email or other personal identifiable information (No Scope Data), other than the very limited use case described below. Valimail has access to the Account Administrator (internal) user contact information (e.g., name(s) and corporate e-mail address(es)), information which is only used to effectuate a license check validation. Valimail may have access to IP addresses, which are provided in the form of DMARC aggregate reports. These IP addresses are not from the individual senders, but from the sending service attempting to deliver the email. The information is only accessed to assist in identifying the service provider utilized for the sending of the e-mail messages.
The Valimail email authentication offering operates based on data automatically forwarded to Valimail’s servers regarding email purporting to be sent from or to the Internet domains that Valimail services. This data is primarily generated and received using common technical standards and protocols known as Domain-based Message Authentication, Reporting & Conformance (DMARC), Domain Name System (DNS), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF). This data includes DMARC aggregate reports, DMARC failure reports, and logs of DNS requests for DMARC, DKIM and SPF records. Reports such as DMARC failure reports, which inform Valimail of failed email transmissions, may contain some header information or content from the affected email message (depending on the receiving domain’s email system settings), but Valimail does not collect DMARC failure reports in connection with this service. Valimail only collects DMARC aggregate reports. The other DMARC and DNS related reports and logs do not provide any information that Valimail considers personal data, although some of this data does allow Valimail to determine the originating or delivering domain, the originating IP address of the service provider, and/or the service provider used to send an email message. Valimail logs this information and uses it for operational and analytics purposes.
“Mailbox Connector” Subscription Service:
In order to provide this service, Valimail requires API access to customer’s cloud mail system (Microsoft 365 or Google Workspace). Valimail has developed a read-only connector that parses the email headers of inbound messages to identify services that are sending into the cloud mail system on behalf of the organization, using the organization’s domains. The connector provides inbound email authentication visibility, while ensuring that only the minimum permissions need be granted to the Valimail application.
For the Mailbox Connector service, Valimail accesses the list of mailbox users in the customer cloud mail system, which includes the user’s email address. For each mailbox user, Valimail then accesses the emails in the mailbox. This allows Valimail access to the email addresses of senders and recipients, various elements of technical data in the email header (primarily concerning the email server and transmission routing information). Due to limitations in the APIs of the cloud mail systems, the subject line of the email is also available, but Valimail never retrieves the subject line.
“RUF+” Subscription Service:
In order to provide this service, Valimail collects and delivers to the customer the DMARC failure reports which are excluded from Valimail’s standard “Enforce” service. Depending on the email settings of the reporting service or email service provider, DMARC failure reports may contain some header information or content from the affected email message, including sender and recipient names and emails, the subject line, technical header information, and potentially some or all of the body of the email or attachments. For “false positive” reports, which are those emails that were actually sent by or on behalf of a customer, that information is customer personal data.
6. Purpose(s) of the data transfer and further processing
As needed to perform the Agreement and service under an Order Form between the parties.
7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Valimail shall possess personal data for as long as necessary to carry out its obligations under the terms of the Agreement.
8. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing.
Valimail uses cloud infrastructure providers as subprocessors to provide its service and process all personal data under the Agreement. Those subprocessors will retain the personal data, under Valimail’s control, for as long as necessary to enable Valimail to carry out its obligations under the terms of the Agreement
Valimail may engage subprocessors to assist with support services. Such subprocessors may have access to the name and contact information (e.g., email address) of the person(s) initiating the support request.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13:
The Data Protection Commission of Ireland
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Third Party Attestations
Valimail maintains and renews an independent, third-party audit which attests to the effectiveness of its security controls. Upon request, Valimail may provide such certification or audit results to Customer.
- SOC 2 Type 2 and SOC 3 Reports (“SOC”)
- FedRAMP Authorization (Li)
Policies and Procedures
Valimail maintains a formal security program materially in accordance with industry standards that is designed to: (i) ensure the security and integrity of the services (ii) protect against threats or hazards to the security or integrity of confidential information and (iii) prevent unauthorized access to confidential information (“Security Program”).
Valimail maintains written security management policies and procedures to identify, prevent, detect, contain, and correct violations of measures taken to protect the confidentiality, integrity, availability, and security of confidential information. Such policies and procedures: (a) assign specific data security responsibilities and accountabilities to specific individual(s); (b) include a formal risk management program which includes periodic risk assessments; and (c) provide an adequate framework of controls that safeguard the security of our offerings.
Access Controls
Valimail ensures that all authorized personnel having access to the network and/or systems are authenticated using a unique identifier, strong password, and multi-factor authentication (MFA). Valimail practices role-based access control based on the principle of least privilege and assigns unique user accounts to all system users. Super-user, or administrative access, is granted only following approval from IT and/or Engineering leadership. These controls are in place to ensure the following: (i) to limit access to its information systems and the facility or facilities in which they are housed to properly authorized persons; (ii) to prevent those workforce members and others who should not have access from obtaining access; and (iii) to remove employee access in a timely basis in the event of a change in job responsibilities or job status.
Network-Level Requirements; Penetration Testing
Valimail uses firewalls to protect its infrastructure. The firewalls are able to effectively perform the following functions: stateful inspection, logging, support for all IPSec standards and certificates, support for strong encryption and hashing, SNMP based monitoring and anti-spoofing. A third-party network penetration test is done at least annually. Valimail also engages in continuous monthly monitoring scanning, as required to meet the FedRAMP Authorization requirements.
Physical and Environmental Security
Valimail is a fully remote company. Physical and environmental controls protecting customer data and production environments are managed by Amazon Web Services (AWS) and Microsoft Azure. SOC 2 Type II reports for cloud hosting providers are reviewed annually to ensure compliance with physical and environmental security best practices.
IT Change and Configuration Management
Valimail employs reasonable processes, consistent with industry practices, for change management, code inspection, repeatable builds, separation of development and production environments, and testing plans. Code inspections include a process to identify vulnerabilities and malicious code.
Systems and Services Acquisition
Valimail develops, disseminates, and periodically reviews/updates: (i) a formal, documented, system and services acquisition policy that includes information security considerations and that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.
Encryption
Customer Data is encrypted in transit using TLS v1.2. Key management procedures are employed that assure the confidentiality, integrity, and availability of cryptographic key material. AES 256 bit is used for data at rest.
Training and Personnel
Valimail provides an annual Security Awareness training to all personnel. Security Awareness training addresses security topics to educate users about the importance of information security and safeguards against data loss, misuse, or breach through physical, logical, and social engineering mechanisms. Valimail performs background checks on employees and candidates where applicable prior to employment. Employees, consultants, and contractors are required to sign a non-disclosure or confidentiality agreement prior to accessing customer’s protected information.
Disaster Recovery Plan (DRP)
This plan has been designed and written to be used in the event of a disaster affecting Valimail email operations. Email operations is defined as the ability to authorize, process, service, and monitor the Valimail email platform product. The ability to sell and market Valimail services is out of scope. This plan is structured around teams, with each team having a set of specific responsibilities. The decision to initiate disaster recovery procedures will be taken by the Chief Operating Officer, the Vice President of Engineering or other designated personnel after assessing the situation following a disaster or crisis.
Business Continuity Plan (BCP)
Valimail maintains a BCP for its essential business functions. Valimail’s BCP includes information necessary to plan for the recovery of the business functions. Valimail’s BCP documents the requirements necessary to execute the recovery strategy and includes strategies to achieve the essential business function recovery timelines determined in the associated business impact analysis. Valimail reviews the recovery strategies annually or when there is a change to the business functions, applications or recovery plans that would render the existing recovery strategy not able to meet the requirement.
Data Retention Policy
The period of time any data we collect depends on the type of information, the purpose for which it is used, how sensitive it is, and similar factors. In general, Valimail retains data for the length of time reasonably needed to fulfill the purposes outlined in this privacy policy (including for as long as needed to provide you or our customer with products and services), unless a longer retention period is required or permitted by law. We will also retain and use your information for as long as necessary to resolve disputes and/or enforce our rights and agreements. Anonymous and aggregated information may be stored indefinitely.
Security Incident
Valimail maintains a security incident response plan that includes procedures to be followed in the event of any Security Incident affecting Customer Confidential Information or any Security Incident of any application or system directly associated with the accessing, processing, storage, communication and/or transmission of Customer Confidential Information.
Password Policy
Valimail maintains a documented password policy based on NIST standards that covers applicable systems, applications and databases. Password best practices are deployed to protect against unauthorized use of passwords. Passwords user accounts are salted and hashed using industry standard encryption algorithms before storage.
