This Data Processing Addendum (“DPA”) forms part of the Agreement between the parties, and consists of the terms and conditions set forth below that defines how Valimail Inc. (“Valimail”) and the entity party of the Agreement (“Customer”) to reflect the agreement between the parties with respect to processing Customer Personal Data (as defined below).
1. DEFINITIONS
a.“Agreement” means, as applicable, the master services agreement, or similar commercial agreement by and between Valimail and Customer with respect to the use of the Service.
b.”Applicable Privacy Law” means: (i) the General Data Protection Regulation (EU) 2016/679 (“GDPR”); (ii) a in respect of the United Kingdom any applicable national legislation that replaces or converts into domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union); and (iii) the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. (“CCPA”).
c. “Business Purpose” has the meaning assigned to under CCPA.
d. “CCPA Consumer” means a “consumer” as such term is defined in the CCPA.
e.”Controller” has the meaning assigned to under GDPR.
f. “Customer Data” means any data, information or other material provided, uploaded, or submitted by Customer to the Service in the course of using the Service.
g. “Customer Personal Data” means the Personal Data included within Customer Data. h. “data subject” an identifiable natural person is one who can be identified, directly or indirectly, including without limitation a CCPA Consumer.
i. “European Economic Area” or “EEA” means the Member States of the European Union together with Iceland, Norway and Liechtenstein.
j. “Personal Data” has the meaning given to it in the Applicable Privacy Law.
k. “processor“, “processing” or “process” shall have the meaning as set forth in the Applicable Privacy Law.
l. “Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Personal Data on systems managed or otherwise controlled by Valimail.
m. “selling” or “sell” have the meaning assigned to them in the CCPA.
n. “Sensitive Data” means data revealing a Data Subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation.
o. “Service” means the Valimail services received by Customer as set forth in the corresponding ordering document agreed to in writing by Valimail.
p. “Standard Contractual Clauses” means the Standard Contractual Clauses for Controller- to-Processor Transfers approved by the European Commission Decision of 5 February 2010, also available at https://eur-lex.europa.eu/legal- content/EN/TXT/PDF/?uri=CELEX:32010D0087&from=en.
q. “subprocessor” has the meaning asset for thin the Applicable Privacy Law.
2. SCOPE AND APPLICATION.
a. To the extent Valimail processes Customer Personal Data on behalf of Customer in connection with the Agreement, the parties agree to comply with the provisions set forth in this DPA. In this context, Customer may act as “controller” and Valimail may act as “processor” respectively with respect to the Customer Personal Data. Customer shall act as the “data exporter” and Valimail shall act as the “data importer” for the purposes of the Standard Contractual Clauses. Valimail shall be prohibited from selling, retaining, using, or disclosing Customer Personal Data for any purpose other than to perform the Service in accordance with the Agreement and DPA and shall further refrain from collecting, selling or using any Customer Personal Data except as necessary to perform its Business Purpose. For avoidance of doubt, Valimail does not receive any Personal Data as consideration for any Service or other items provided or performed by Valimail. For the purposes of the CCPA, the parties acknowledge and agree that the Valimail will act as a “Service Provider” and not as a “Third Party,” as such terms are defined in the CCPA, in its performance of its obligations pursuant to the Agreement.
3. DATA PROCESSING
a. Instructions for Data Processing. Valimail will process Customer Personal Data only in accordance with Customer’s lawful instructions and in compliance with the Agreement, unless otherwise required by applicable law to which Valimail is subject to. Customer hereby instructs Valimail to Process Customer Personal Data to provide the Service in accordance with the Agreement and this DPA and as initiated by Customer and its users in the use of the Service. Processing outside of the scope of the Agreement will require the prior written agreement of the parties on the additional instructions for processing. Upon notice, Valimail will take reasonable and appropriate steps to stop and remediate unauthorized processing of Customer Personal Data.
b. Compliance with Laws. Each party will comply with all applicable laws, rules, and regulations (including Applicable Privacy Law) in its performance of this DPA. Customer shall be responsible for the accuracy, quality, integrity, and legality of the Customer Personal Data. Valimail certifies that it understands the requirements under this DPA, including without limitation requirements under CCPA and that it will abide by it.
c. Data Exports. Customer represents and warrants that it has first obtained all necessary consents under Applicable Privacy Law with respect to the processing or transfer of Customer Personal Data.
d. Processing. The categories and type of data, as well as the description of the Processing procedures are specified in Annex 1 attached hereto. Customer shall not provide (or cause to be provided) any Sensitive Data to Valimail for processing under the Agreement, and Valimail will have no liability whatsoever for Sensitive Data, whether in connection with a Security Incident or otherwise. For the avoidance of doubt, this DPA will not apply to Sensitive Data.
4. TRANSFER
a. Valimail complies with the EU-U.S. Privacy Shield Framework (“Privacy Shield”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the EEA and the United Kingdom and/or Switzerland, as applicable) to the United States in reliance on Privacy Shield. Valimail has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/. Valimail will not transfer Customer Personal Data originating from the EEA, the United Kingdom and/or Switzerland, as applicable; and/or relating to natural persons of the EEA, the United Kingdom and/or Switzerland, as applicable, except in accordance with the following: (i) between States of the EEA, the United Kingdom and/or Switzerland, as applicable; or (ii) to the United States under Valimail’s self-certification to the Privacy Shield. To the extent the transfer is not covered by the above mechanisms, the relevant transfer will be governed by an unmodified set of EU Model Clauses of which the body is incorporated by reference to this Agreement. Customer may provide this DPA the U.S. Department of Commerce upon its request (as required under the Accountability for Onward Transfer Principle of the Privacy Shield programs).
5. SECURITY
a. Security Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for impact on the individuals to whom the Customer Personal Data relates, Valimail shall implement and maintain appropriate technical and organizational security measures designed to protect and preserve the security, integrity and confidentiality of the Customer Personal Data.
b. Valimail Personnel. Valimail shall restrict access by Valimail personnel to Customer Personal Data (i) to only those personnel who need to access the Customer Personal Data in order to provide the Service; and (ii) to those personnel who have committed themselves to, or are otherwise under, an obligation of confidentiality concerning the Customer Personal Data.
c. Records; Audit Standards. Valimail shall maintain relevant records with respect to Valimail’s information security practices. Upon Customer’s request, Valimail will make available to Customer, up to once per year, a copy of a third-party audit or assessment reports, such as a Service Organization Controls Type 2 or 3 (“SOC”) in accordance with auditing standards in the Statements on Standards for Attestation Engagements No. 16 (SSAE16)) or such other alternative standards that are substantially equivalent to ISO 27001 (“Assessments”); or (b) if Valimail is not able to provide such Assessments, Valimail shall provide responses to any questions that Customer may reasonably submit for purposes of verifying Valimail’s compliance with this DPA (“Questionnaires”). For avoidance of doubt, any such Assessments and completed Questionnaires will constitute Confidential Information and may not be disclosed to a third party without Valimail’s written consent, except as otherwise required by law.
d. Security Incident Notification. If Valimail becomes aware of any Security Incident, then Valimail shall, without undue delay, notify Customer of such access, but in any event no more than 72 hours, and provide to Customer timely information and cooperation, as Customer may be required to address Customer’s reporting obligations under the Applicable Privacy Law. Any such notification shall not be construed as an acknowledgement by Valimail of any fault or liability with respect to the unauthorized access.
6. SUBPROCESSORS
a. Authorized Subprocessors. Customer agrees that Valimail may use subprocessors to fulfil its obligations under the Agreement. The current list of subprocessors for the Service who process Customer Personal Data is available upon request. Before authorizing any new subprocessor, Valimail will provide notification to Customer. Customer may object to the change by notifying Valimail within 10 days after the notice and describing the rationale for the objection. Such objection notice shall explain the reasonable grounds for the objection. Upon receipt of such notice, Valimail will use reasonable efforts to make available to Customer a change in the Service or recommend a commercially reasonable change to Customer’s configuration or use of the Service to avoid processing of Customer Personal Data by the objected-to new subprocessor without unreasonably burdening Customer.
b. Subprocessor Obligations. Where Valimail authorizes a subprocessor to process Customer Personal Data as described in this DPA, Valimail will enter into a written agreement with each such subprocessor that contains provisions that are consistent to those contained in this DPA. For avoidance of any doubt, Valimail shall be liable for the acts and omissions of its subprocessors to the same extent it would be liable if performing the services of each subprocessor directly under the terms of this DPA and the Agreement.
7. COOPERATION
a. Valimail shall notify Customer of any requests received directly by Valimail from data subjects and shall provide to Customer such reasonable assistance as is required for Customer to comply with such data subject requests. Valimail shall only respond directly to such data subject requests on receiving Customer’s written request and consent, provided that (to the extent permitted by Applicable Privacy Law) Customer shall be responsible for all reasonable costs arising from Valimail’s provision of such assistance, and the requests do not disrupt Valimail’s business operation.
b. Following Customer’s request, Valimail shall destroy or return to Customer all Customer Personal Data in its possession. This requirement shall not apply to the extent that Valimail is required by any applicable law to retain some or all of the Customer Personal Data, in which case, Valimail shall use reasonable efforts to isolate and protect the Customer Personal Data from any further processing except to the extent required by such law.
8. GENERAL
a. Termination. This DPA will terminate automatically (i) upon termination of the Agreement; or (ii) until Valimail ceases to process Customer Personal Data.
b. Conflict. In the event of a conflict between the Agreement and this DPA, the terms of this DPA will take precedence to the extent of the conflict.
c. Severability. If any part of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
d. Modification. This DPA may not be modified except by a subsequent written instrument signed by both parties.
ANNEX 1
DESCRIPTION OF PROCESSING
Data Subjects
Current, and former employees and other workers of Customer.
Nature and Purpose
Valimail processes Customer Personal Data for the purposes set forth in the Agreement, and as initiated by the Customer from time to time.
Duration
Valimail shall possess Customer Personal Data for as long as necessary to carry out its obligations under the terms of the Agreement.
Type of Personal Data
• Categories of Personal Data (Scope Data): n/a
• User Information: Name, e-mail addresses
Sensitive Data
None
