Delivra Data Processing Addendum
THIS DATA PROCESSING ADDENDUM (the “DPA”) is incorporated by reference into any and all operative agreements and forms a part of the Terms of Service agreement located at https://www.delivra.com/trust/terms-of-service, or if the Parties execute a superseding written agreement for use of the Services, then this DPA forms part of that executed agreement (collectively, the “Agreement”), between the individual, company, organization, or other entity identified in the Customer Account (“Customer”) and Delivra Inc. (“Delivra”). This DPA (a) establishes the Parties’ relationship and obligations with respect to personal data and/or personal information accessed in accordance with the services provided by Delivra to Customer under the Agreement (the “Services”); and (b) replaces and supersedes any existing data processing addendum, attachment, exhibit, or standard contractual clauses that Customer and Delivra may have entered into previously in connection with the Agreement. References to the Agreement will be construed as including this DPA. Certain capitalized terms used in this DPA and not otherwise defined in the Agreement shall be defined in Section 1 below. Delivra and Customer are each from time to time referred to herein as a “Party” and collectively as the “Parties”. Capitalized terms used but not defined herein have the meanings given in the Agreement.
The Parties agree as follows:
1. DEFINITIONS.
For the purposes of this DPA, any terms defined by Applicable Data Law (including any capitalized terms herein) shall have the same meaning as in the Applicable Privacy Law. If Applicable Privacy Law does not define such terms then definitions given in Applicable Privacy Law for functionally similar terms will apply. References to “Sections” in this DPA are to sections of this DPA, excluding the Standard Contractual Clauses. References to “Clauses” in this DPA will be to clauses of the Standard Contractual Clauses. All other capitalized terms used herein, but not otherwise defined, shall have the meanings assigned to them in the Agreement. In addition to terms defined elsewhere in this DPA, the following definitions will apply to capitalized words in this DPA:
- “Applicable Data Law” means all data protection and privacy laws, regulations and self-regulatory codes applicable to the personal data in question, including, where applicable and without limitation, the CPRA, the CPA, the CTDPA, the UCPA, the VCDPA, European Data Law, the LGPD, Israeli Law, and all FTC guidelines and any other applicable laws, rules and regulations with respect to data privacy. “CPRA” as used herein means the California Privacy Rights Act (formerly, CCPA (California Consumer Privacy Act)), as amended, including without limitation any and all applicable implementing regulations. “CPA” as used herein means the Colorado Privacy Act, as amended, including without limitation any and all applicable implementing regulations. “CTPDA” as used herein means the Connecticut Data Protection Act, as amended, including without limitation any and all applicable implementing regulations. “UCPA” as used herein means the Utah Consumer Privacy Act, as amended, including without limitation any and all applicable implementing regulations. “VCDPA” as used herein means the Virginia Consumer Data Protection Act, as amended, including without limitation any and all applicable implementing regulations. “European Data Law” as used herein shall mean, without limitation, (i) the EU General Data Protection Regulation (“EU GDPR”); (ii) the EU e-Privacy Directive; (iii) the United Kingdom’s European Union (Withdrawal) Act (“UK GDPR”); (iv) the Swiss Federal Act on Data Protection (“Swiss FADP”); and (v) any and all applicable national laws made under or pursuant to (i), (ii), (iii) and (iv); in each case as may be amended or superseded from time to time. “LGPD” as used herein means the Lei Geral de Proteção de Dados, as amended, including without limitation any and all applicable implementing regulations, as may be amended or superseded from time to time. “Israeli Law” means Israeli Privacy Protection Law, the regulations promulgated pursuant thereto, including the Israeli Privacy Protection Regulations (Data Security), and other related privacy regulations, as may be amended or superseded from time to time.
- “Customer Data” means any personal data that Delivra processes as a processor on behalf of the Customer in the course of providing the Services under an Ordering Document.
- “Delivra Data” means data related to the operation, performance, support, provisioning, and/or use of the Services, including, but not limited to information related to: (i) invoicing, billing and other business inquiries, (ii) information on usage of the Services, and (iii) contract management.
- “Restricted Transfer” means (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; (iii) where the Swiss FADP applies, a transfer of personal data from Switzerland to any other country which is not determined to provide adequate protection for personal data by the Federal Data Protection and Information Commission or Federal Council (as applicable); and (iv) where another Applicable Data Law applies, a cross-border transfer of personal data from that jurisdiction to any other country which is not based on adequacy regulations pursuant to that Applicable Data Law.
- “Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Data on systems managed or otherwise controlled by Delivra.
- “Sensitive Information” means: (a) protected health information (“PHI”), as that term is defined under the Health Insurance Portability and Accountability Act (“HIPAA”); (b) "non-public personal information" as defined under the Gramm-Leach-Bliley Financial Modernization Act of 1999 (“GLBA”); (c) data on any minor under the age of thirteen that would be subject to the Children Online Privacy Protection Act (“COPPA”); (d) card holder data under the Payment Card Industry Data Security Standard; (e) personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation (the “special categories of personal data” identified in Article 9 of GDPR); or (f) social security numbers, driver’s license or state identification number or other government related identifier, financial account numbers (i.e., credit card, checking account, savings account, etc.), medical, employment, criminal records, or insurance numbers, passport numbers, or other sensitive personally identifiable information.
- “Standard Contractual Clauses” or “SCCs” means the Standard Contractual Clauses implemented by the European Commission Decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Counsel (as updated, amended, or superseded from time to time by the European Commission), a version which is currently available at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en which may be amended, updated, replaced, or superseded from time to time.
- "Sub-processor" means any third party (including applicable Delivra Affiliates) engaged directly or indirectly by Delivra to process any personal data relating to this DPA and/or the Agreement.
- “Sub-processor DPA” means an agreement entered into by and between Delivra and its Sub-processors that incorporates the Standard Contractual Clauses and defines the terms and conditions of personal data processing by the Sub-processor.
- “Tracking Technologies” means cookies, tags, web beacons, pixels and/or other similar technologies.
- “business”, “consumer”, “controller”, “data subject”, “personal data”, “personal information”, “processor”, “processing” (“process”, “processes” and “processed”), “recipient”, “sale”, “service provider”, “sharing” (and “share(s)”), and “third party” shall have the meanings given in Applicable Data Law.
2. ROLES AND RESPONSIBILITIES
- Each Party shall disclose or make available personal data to the other Party for the sole purpose provided in Schedule 1 to this DPA (the “Purpose”). The Parties shall be treated as separate data controllers and not as joint controllers. If Applicable Data Law applies to either Party’s processing of Customer Data, the Parties acknowledge and agree that with regard to the processing of Customer Data, Delivra is a processor acting on behalf of Customer (whether itself a controller or a processor). For the avoidance of doubt, this DPA shall not apply to instances where Delivra is the controller (as defined by Applicable Data Law) unless otherwise described in this DPA.
- Each Party shall be individually and separately responsible for complying with the obligations that apply to it under Applicable Data Law in respect of the performance of their respective obligations under this DPA and the Agreement. Without limiting the foregoing, each Party shall (i) maintain a publicly accessible privacy policy on its website that satisfies the requirements of Applicable Data Law, and in particular advises data subjects of their rights and remedies under Applicable Data Law; (ii) conduct and document a data protection assessment that satisfies the requirement of Applicable Data Law; and (iii) implement and maintain appropriate technical and organizational measures for processing of personal data appropriate to the risk and designed to be adequate under Applicable Data Law.
- Each Party (the “Discloser”) may disclose personal information of data subjects to a Sub-processor in order to fulfill the Purpose, provided the Discloser prohibits the Sub-processor from (i) selling or sharing such personal information to any third party in violation of Applicable Data Law; (ii) retaining, using, or disclosing such personal information for any reason other than for the Purpose, including without limitation, detecting data security incidents, and/or protecting against fraudulent or illegal activity; (iii) combining such personal information with other personal information unless permitted by Applicable Data Law; (iv) in the case of a contractor, accessing such personal information without first certifying that said contractor understands the restrictions and requirements of Applicable Data Law; (v) accessing such personal information unless the Parties can monitor the Sub-processor’s compliance. Without limiting the foregoing, each Party will ensure that any Sub-processor that may receive such personal information first executes a written agreement compatible with Applicable Data Law.
- Delivra shall process Customer Data only in accordance with this DPA and Customer’s documented lawful instructions, as necessary to comply with Laws, Applicable Data Law, or as otherwise agreed in writing: (i) to perform the Services; (ii) to perform any steps necessary for the performance of the Agreement and this DPA; (iii) to perform any processing initiated by Users in their use of the Services; and/or (iv) to comply with other reasonable instructions provided by Customer (e.g., via email or support tickets) provided such instructions are consistent with the terms of the Agreement and this DPA. The Parties agree that the Agreement, including this DPA, along with the Customer’s configuration of or use of any settings, features, or options in the Service (as the Customer may be able to modify from time to time) constitute the Customer’s complete and final instructions to Delivra in relation to the processing of Customer Data (including for the purposes of the SCCs), and processing outside the scope of these instructions (if any) shall require prior written agreement between the Parties.
- Customer understands and acknowledges that the Services are not configured to process, receive, and/or store Sensitive Information. As such, Customer agrees not to, and not to permit Users to, include, request, provide Delivra with access to, submit, store, and/or transmit any Sensitive Information through the Services. Customer agrees that Delivra may terminate the Agreement and/or Ordering Document immediately, without refund, if Customer is in violation of this clause.
- Customer represents and warrants that (i) it has complied, and will continue to comply (and shall cause each User to comply) with all Laws, including Applicable Data Law, in respect of its obligations as a Controller and the processing of Customer Data and any processing instructions it issues to Delivra; (ii) Delivra’s processing of the Customer Data in accordance with Customer’s instructions will not cause Delivra to violate any Laws and/or Applicable Data Law; and (iii) it has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Applicable Data Law for Delivra to collect and process Customer Data for the purposes of performing and providing the Services as described in the Agreement. Customer shall have sole responsibility for the accuracy, quality, collection, and processing of Customer Data. Customer agrees that it shall be responsible for complying with all Laws (including Applicable Data Law) applicable to any Ordering Document, Customer’s use of the Services, and Customer Content created, sent, or managed through the Services, including without limitation, obtaining consents (where required) to send email messages, SMS Messages, and the content of and deployment practices therein.
- Customer understands and acknowledges that the Services enable Customer to track engagement data and other personal data of individuals. Delivra and/or its Sub-processors may use Tracking Technologies to provide such Services to Customer. Customer shall maintain appropriate notice and consent mechanisms as required by Applicable Data Law and industry best practices, or as Delivra may reasonably request from time to time, to enable Delivra and/or its Sub-processors to deploy such Tracking Technologies lawfully on, and collect data from, the devices of individuals whose personal data is processed via the Services by virtue of Customer’s use of the Services. Delivra shall provide Customer with all details about the Tracking Technologies reasonably requested by the Customer. Customer shall promptly notify Delivra if it is unable to comply with its obligations under this DPA with respect to Delivra’s use of Tracking Technologies.
3. SUB-PROCESSING
- Customer hereby provides its consent to the processing of Customer Data by the Sub-processors listed at https://support.delivra.com/hc/en-us/articles/19919231654171-Data-Transfers/. As permitted by Clause 9 under Section II of the Standard Contractual Clauses, Delivra may engage additional Sub-processors by entering into Sub-processor agreements with such Sub-processors. To receive notices of intended updates to Sub-processors, Customer must sign up to receive Sub-processor update notifications (“Sub-processor Updates”) at http://editor.ne16.com/Subscribe/delivra-customer/subprocessorsignup.html after executing this DPA.
- If Customer objects, on reasonable data protection grounds, to the appointment or replacement of a Sub-processor, Customer must notify Delivra in writing within ten (10) days of receiving the Sub-processor Updates notification of such change(s) from Delivra (the “Objection Period”). In such event, the Parties shall discuss in good faith commercially reasonably alternative solutions. If the Parties cannot reach resolution within thirty (30) days of the Objection Period (the “Resolution Period”), Delivra will either not appoint or replace the Sub-processor or, if this is not possible, Customer may terminate the Agreement and/or the applicable Ordering Document (in whole or in part), by providing written notice to Delivra within ten (10) days following the Resolution Period.
- Where Customer acts as a processor on behalf of a third-party controller (or other intermediary to the ultimate controller), Customer represents and warrants that its processing instructions as set out in the Agreement and this DPA, including any authorizations granted to Delivra for the processing of any Customer Data, have been authorized by the applicable third-party controller. Customer shall be responsible for forwarding any notifications received under this DPA to the applicable third-party controller, where appropriate.
- All Sub-processor DPAs shall include the Standard Contractual Clauses which shall include the Docking Clause, Clause 7 (the “Docking Clause”). By entering into this DPA and as permitted by the Docking Clause, Customer hereby accedes to the Standard Contractual Clauses included in such Sub-processor DPAs which incorporates by reference the terms of the Appendix and Annex I.A of any such Sub-processor DPAs.
4. SECURITY
- Customer acknowledges that the Security Measures described in Annex II are subject to technical progress and development and that Delivra may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services. Notwithstanding Delivra’s obligations under Annex II, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Data when in transit to the Services, protecting the security of Customer Data during any transit from the Services unless the Customer Data is transferred using technology developed by Delivra, and taking any appropriate steps to protect account passwords and/or backup any Customer Data uploaded to the Services.
- Upon becoming aware of a Security Incident, Delivra shall: (i) notify Customer without undue delay; (ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer; and (iii) promptly take reasonable steps to contain and investigate any Security Incident. Any notification of or response to a Security Incident shall not be construed as an acknowledgment by Delivra of any fault or liability with respect to the Security Incident.
5. AUDIT
- Upon Customer's request, Delivra will provide Customer with copies of any relevant data protection audit report summaries and/or certifications and/or responses to questionnaires as reasonably required by Customer to verify Delivra's compliance with Applicable Data Law ("Audit Information"). Customer agrees to leverage any existing documentation and certifications provided by Delivra to the extent such documentation satisfies the requirements of Applicable Data Law. Delivra shall further provide written responses to all reasonable written requests for information made by Customer related to data protection that Customer may have in connection with the Audit Information. If Customer determines in its reasonable discretion that the Audit Information does not provide all information necessary to demonstrate compliance with Applicable Data Law, upon prior written request by Customer, Delivra shall contribute to further audits to the extent required by Applicable Data Law. Customer acknowledges that the Audit Information and any information collected or derived from any audit constitutes Delivra's confidential information and it will protect such information in accordance with confidentiality provisions of the Agreement.
6. INTERNATIONAL TRANSFERS
- Delivra may, in the provision of the Services, process Customer Data that is protected by European Data Law. To that end, the Parties hereby enter into the Standard Contractual Clauses which are an integral part of this DPA. For the purposes of this DPA and the Standard Contractual Clauses, Delivra and any Sub-processors shall be the "data importer" (notwithstanding that Delivra and/or the Sub-processor may be located inside or outside the European Economic Area, Switzerland and/or the United Kingdom) and Customer (and/or the Customer Affiliates, as applicable) is the "data exporter" (notwithstanding that Customer may be located inside or outside the European Economic Area, Switzerland and/or the United Kingdom). It is not the intention of either Party, nor the effect of this DPA, to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses. Accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of this DPA, the Standard Contractual Clauses shall prevail. In no event does this DPA restrict or limit the rights of any Data Subject or of any competent supervisory authority.
- Delivra may transfer and process personal data to the United States and anywhere else in the world where Delivra, its Affiliates, or its Sub-processors maintain data processing operations, provided that Delivra complies with the terms of this DPA. A list of current locations of processing can be found within Delivra’s Privacy Hub located at https://support.delivra.com/hc/en-us/articles/19919231654171-Data-Transfers/.
- Delivra and/or its Sub-processors shall not process or transfer any personal data in or to a territory other than the territory in which the personal data was first collected (nor permit such data to be so processed or transferred) unless it takes all such measures as are necessary to ensure such processing or transfer is in compliance with Applicable Data Law (including such measures as may be communicated by Customer to Delivra). Delivra shall inform Customer of any international transfers of personal data in advance of making the transfer and shall assist Customer in assessing the Parties' respective obligations to comply with Applicable Data Law.
- The Parties agree that when the transfer of personal data under the Agreement is a Restricted Transfer, the SCCs shall be incorporated into this DPA by this reference, with each Party being deemed to have entered into the SCCs in its own name and on its own behalf as follows:
- EU SCCs. In relation to personal data that is protected by the EU GDPR, the EU SCCs shall apply completed as follows:
(i) Module One of Section II on controller to controller transfers shall apply;
(ii) Module Two of Section II on controller to processor transfers shall apply;
(iii) Modules Three and Four shall not apply;
(iii) Delivra shall ensure that the information called for by Section II, Clause 8.2(a) of the EU SCCs, as well as a copy of the EU SCCs, are supplied free of charge to all data subjects;
(iv) In Section I, Clause 7, the optional docking clause shall not apply;
(v) For the purposes of Section 2, Clause 8, Module 2, Clauses 8.9(c) and (d) of the Standard Contractual Clauses, audits will be performed in accordance with Section 5 of this DPA;
(vi) For the purposes of Section II, Clause 9 of the Standard Contractual Clauses, Customer consents to Delivra appointing Sub-processors in accordance with Section 3 of this DPA;
(vi) In Section II, Clause 11, the optional redress language and clause shall not apply;
(vii) In Section IV, Clause 17, Option 1 shall apply, and the EU SCCs shall be governed by the laws of Ireland;
(viii) In Section IV, Clause 18(b), disputes shall be resolved before the courts of Ireland;
(ix) Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 1 to this DPA; and
(x) Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 2 to this DPA. - UK SCCs. In relation to personal data that is protected by the UK GDPR, the UK SCCs will apply completed as follows:
(i) as set out above in Section 6.5(a) of this DPA, the EU SCCs shall be deemed amended as specified by Part 2 of the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner’s Office under s.119A(1) of the UK Data Protection Act 2018 (“UK Addendum”) in respect of the transfer of such personal data; and
(ii) tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out above at Section 6.5(a) (as applicable), in Schedule 1 and Schedule 2 of this DPA and table 4 in Part 1 shall be deemed completed by selecting “neither party”. - Swiss SCCs. In relation to personal data that is protected by the Swiss DPA, the EU SCCs shall apply as set out in Section 6.5(a) of this DPA amended as follows:
(i) references to ‘Regulation (EU) 2016/679’ in the EU SCCs shall be deemed to refer to the Swiss DPA;
(ii) references to specific articles of ‘Regulation (EU) 2016/679’ shall be deemed replaced with the equivalent article or section of the Swiss DPA;
(iii) references to ‘EU’, ‘Union’ and ‘Member State’ shall be deemed replaced with ‘Switzerland’;
(iv) references to the ‘competent supervisory authority’ shall be replaced with the ‘Swiss Federal Data Protection Information Commissioner’; and
(v) in Clause 18(b), disputes shall be resolved before the competent courts of Switzerland. - LGPD. In respect of data subjects whose personal data is processed in the course of providing the Services, Delivra will be responsible for providing notice in accordance with the LGPD, including but not limited to notice as required under Article 18 of the LGPD. Each Party shall separately be responsible for fulfilling requests they receive from data subjects to exercise their rights under the LGPD.
- United States. To the extent either Party collects and shares the personal information of California residents, each Party (i) shall be considered a business under the CPRA; and (ii) will only process personal information in furtherance of the Purpose, unless required by Applicable Data Law. In the event that Delivra is deemed to process personal data of a data subject for the Purpose, it will be regarded as a service provider and Delivra will process such personal data solely to provide the Services to Customer. Such processing does not constitute a sale under the CPRA.
- Other jurisdictions. In relation to personal data that is protected by another Applicable Data Law, the Parties agree that such SCCs shall automatically apply to the transfer of personal data from Customer to Delivra and, where applicable shall be deemed completed on a mutatis mutandis basis to the completion of the SCCs as described above.
- EU SCCs. In relation to personal data that is protected by the EU GDPR, the EU SCCs shall apply completed as follows:
7. CUSTOMER AFFILIATES
- Customer enters into this DPA on behalf of itself and, as applicable, in the name and on behalf of its Customer Affiliates, thereby establishing a separate DPA between Delivra and each such Customer Affiliate and for the purposes of such DPA, wherever the DPA references “Customer” or “data exporter” it shall mean “Customer Affiliate”. Customer represents and warrants that it has the power and authority to bind each Customer Affiliate to the terms and conditions of this DPA. Any breach by Customer Affiliate of this DPA shall be deemed a breach by Customer.
- Customer shall remain responsible for coordinating all communication with Delivra under this DPA and is entitled to make and receive any communication in relation to this DPA on behalf of its Customer Affiliates.
- If a Customer Affiliate becomes a party to this DPA, it shall, to the extent required under Applicable Data Law, also be entitled to exercise its rights and seek remedies under this DPA, provided that: (i) solely the Customer (that is the contracting party to the Ordering Document) shall exercise any such right or seek any such remedy on behalf of the Customer Affiliate; and (ii) the Customer (that is the contracting party to the Ordering Document) shall exercise any such rights under this DPA only in the aggregate on behalf of itself and all of its Customer Affiliates. The foregoing shall not apply to the extent Applicable Data Law require the Customer Affiliate to exercise a right or seek any remedy under this DPA against Delivra directly by itself.
8. MISCELLANEOUS
- Conflicts. In the event of any inconsistency between the Agreement, this DPA and/or any SCCs, the superiority of governing terms and conditions are: first, the SCCs for the relevant jurisdiction; second, this DPA; and third, the Agreement.
- Regulatory Changes. If changes to Applicable Data Law, or their interpretation or implementation, arise through legislation, claim or regulator guidance or action, which in Delivra’s reasonable opinion make changes to this DPA necessary or prudent, Delivra may, on written notice to Customer, make such changes to this DPA, which Customer agrees will be binding on Customer.
- Return/Deletion of Data Upon Termination. Return or deletion of all personal data pursuant to Section II, Module Two, Clause 8.5 shall be initiated by Delivra only after receipt of Customer’s written request. In the absence of a specific written request from Customer to delete Customer Data, the Customer Data will be deleted in accordance with Delivra’s established data retention policies.
- Entire agreement. This Addendum is the Parties’ entire agreement as it relates to the Parties’ obligations under Applicable Data Law and supersedes all related prior and contemporaneous oral understandings, representations, prior discussions, letters of intent, or agreements (executed or otherwise).
- No further amendment. Except as modified by this DPA, the Agreement remains unmodified and in full force and effect.
SCHEDULE 1
ANNEX I
A. LIST OF PARTIES
Data exporter(s): Same as Customer (see information in the Customer’s Account or as defined in the Ordering Document).
Signature and date: See above. The Parties agree that execution of the Agreement by the data importer and the data exporter constitutes execution of these Clauses by both parties as follows: (a) on the effective date of the Agreement; or (b) on December 27, 2022, where the effective date of the Agreement is before December 27, 2022.
Role (controller/processor): Controller
Data importer(s): Delivra
Signature and date: See above. The Parties agree that execution of the Agreement by the data importer and the data exporter constitutes execution of these Clauses by both parties as follows: (a) on the effective date of the Agreement; or (b) on December 27, 2022, where the effective date of the Agreement is before December 27, 2022.
Role (controller/processor): Controller and/or Processor
B. DESCRIPTION OF TRANSFER
- Categories of data subjects whose personal data is transferred:
Users of data exporter: personal data transferred in relation to individual employees, contractors, agents, Contacts, Subscribers, customers, website visitors, or suppliers. - Categories of personal data transferred:
Contact information, including without limitation, name, email address, phone number, physical address, online identifiers provided by devices, applications, tools and protocols, such as internet protocol addresses, geo-location, cookie identifiers or other identifiers such as radio frequency identification tags; and any other personal data submitted by, sent to, or received by Delivra via the Services.
Other data:
Data exporter’s general marketing and transactional communications and personal data use may span broad categories of any data relevant to data exporter’s relationship with the data subject, and may vary from time to time. - Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
None. - The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):
Daily. Personal data is transferred on a continuous basis. - Nature of the processing:
For the data importer to provide the Services and the processing of personal data of end users, Users, Contacts, and Subscribers of data exporter. Personal data will be processed in accordance with the Agreement (including this DPA). - Purpose(s) of the data transfer and further processing:
For the data importer to provide the Services, including but not limited to the following:- Storage and other processing necessary to provide, maintain and improve the Services provided to Customer; and/or
- Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by Law and/or Applicable Data Law.
- The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
The greater of the Term or twelve (12) months. - For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
Not applicable to the extent each party is an independent data controller. Notwithstanding the foregoing, each Party shall for all personal data exchanged as part of this Agreement and independently enter into an agreement with their respective processors specifying subject matter, nature, and duration of the processing. In the event of the use of processors and/or sub-processors, each Party shall be responsible for complying with the requirements of Article 28 of the EU GDPR. Accordingly, each Party shall, inter alia: use only processors that can provide the necessary guarantees that they implement appropriate technical and organizational measures in such a way as to ensure that processing complies with the requirements of Applicable Data Law and safeguards the rights of the data subject; ensure that a valid data processing arrangement is in place between the relevant Party and the processor; and ensure that there is a valid sub-processor arrangement between the processor and any sub-processor.
SCHEDULE 1
ANNEX II
1. TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA:
Each Party shall be responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that processing is in compliance with the EU GDPR; taking into account the nature, scope, context and purposes of the processing involved, as well as the risks of varying degrees of likelihood and severity for the rights and freedoms of natural persons. The measures shall be reviewed and updated as necessary (Article 24 of the EU GDPR). This may involve, for example, each Party establishing procedures for dealing with security breaches, access requests or compliance with the obligation to provide information. Such measures shall include but not be limited to encryption of personal data; ensuring the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data; ensuring availability of and access to personal data in a timely manner in the event of a physical or technical incident; and maintaining a process for regularly testing, assessment and evaluation of the effectiveness of technical and organisational measures for ensuring the security of processing.
2. PROTECTING DATA STORED
Personal, private, confidential, and Sensitive Information, including but not limited to user data, employee data, research and market data, and customer, vendor, and partner proprietary data, are all considered “protected data”. Each Party shall reasonably prevent unauthorized access to protected data by employing industry standard technical safeguards.
3. PROTECTING TRANSMITTED DATA
All protected data transferred past the boundaries of each Party’s infrastructure must use either authenticated and encrypted communication protocols (SCP, SFTP, and SSL) or internal private networks, point to point external networks, or a combination thereof wherever practically possible, to protect the data in transit.
SCHEDULE 2
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1; Tables:
Table 1; Parties:As in Schedule 1, Annex I(A)
Table 2; Selected SCCs, Modules and Selected Clauses:As set forth under Section 3(a) of this Addendum. Addendum SCCs – The version of the Approved EU SCCs which this Schedule 2 is appended to, detailed below, including the Appendix Information:
Date: The parties agree that execution of the DPA by the data importer and the data exporter constitutes execution of these Clauses by both parties on the effective date of the DPA
Reference (if any): Module One: Controller to Controller as incorporated into the Agreement. Module Two: Controller to Processor as incorporated into the Agreement.
Other identifier(s) (if any): N/A
Table 3; Appendix Information:
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex I(A): List of Parties: Schedule 1, Annex I(A)
Annex I(B): Description of Transfer: Schedule 1, Annex I(B)
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: Schedule 1, Annex II
Annex III: List of Sub processors (Modules 2 and 3 only): N/A
Table 4: Ending this DPA when the Approved Addendum Changes
Ending this DPA when the Approved Addendum changes – Which Parties may end the Approved Addendum as set out in Section 19:
✔ Importer
✔ Exporter
▢ neither Party
Part 2; Mandatory Clauses:
Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.