European Data Processing Addendum

This Data Processing Addendum (this “Addendum”) amends the existing personal data processing terms of the Terms of Service (TOS) agreement (herein the “Agreement”) between 410 Labs, Inc. dba Mailstrom (“Supplier”) and you, under which Supplier provides Services to you. 

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.  Except as modified below, the terms of the Agreement shall remain in full force and effect.   

In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended by, and including, this Addendum.

This Addendum is dated 25 May 2018 (“Addendum Effective Date”).

  1. DEFINITIONS AND INTERPRETATION
    1. The following terms shall have the following meanings:  
      1. “Data Protection Legislation” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area, their member states and the United Kingdom which are applicable to the processing of Personal Data under this Agreement including but not limited to the EU General Data Protection Regulation (2016/679);
      2. “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data” and “Subprocessor” each have the meanings given to them in the Data Protection Legislation;
      3. “Processing” has the meaning set out in the Data Protection Legislation and “process” and “processed” shall be construed accordingly;
      4. “Services” means those services and other activities to be provided to or carried out by or on behalf of Supplier for Customer by Supplier pursuant to the Agreement.
    2. For the purpose of this Addendum, references to clauses shall be deemed to be references to the terms of this Addendum, unless otherwise stated or if the context otherwise requires.
  2. DATA PROTECTION
    1. Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 2.1 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation.
    2. The parties acknowledge that for the purposes of the Data Protection Legislation, Supplier is the Data Processor, and Customer is the Data Controller.
    3. The Customer agrees that Supplier, its affiliates and agents, may process Personal Data on behalf of Customer to perform its obligations for the term of this Agreement. The type of Personal Data and categories of Data Subjects are described more fully in the Agreement and the Privacy Policy.  
    4. Without prejudice to the generality of clause 2.1, Supplier shall, in relation to any Personal Data processed in connection with the performance by Supplier of its obligations under this Agreement:  
      1. process that Personal Data only on the written instructions of Customer unless Supplier is required by the laws of any member state of the European Union or by the laws of the European Union applicable to Supplier to process Personal Data (“Applicable Laws”). Where Supplier is relying on laws of a member state of the European Union or European Union law as the basis for processing Personal Data, Supplier shall notify Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit Supplier from so notifying Customer;
      2. ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data (“Personal Data Breach”), appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
      3. ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; 
      4. assist Customer in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators provided that Supplier may charge Customer on a time and materials basis in the event that Supplier considers, in its reasonable discretion, that such assistance is onerous, complex, frequent, or time consuming; 
      5. notify Customer without delay on becoming aware of a Personal Data Breach and shall provide further information about the Personal Data Breach to Supplier in phases as such information becomes available;  
      6. at the written direction of Customer, delete or return Personal Data and copies thereof to Customer on termination of the Agreement unless required by Applicable Law to store the Personal Data;
      7. maintain records and information to demonstrate its compliance with this clause 2.4 and, at Customer’s expense and subject to clause 2.5, shall permit Customer, or its appointed third-party auditors (collectively, “Auditor”), to audit the architecture, systems and procedures relevant to Supplier's compliance with this Addendum and shall make available to the Auditor all information, systems and staff necessary for the Auditor to conduct such audit. To the extent any such audit incurs in excess of 20 hours of Supplier personnel time, Supplier may charge Customer on a time and materials basis for any such excess hours; and
      8. inform Customer immediately if it considers in its opinion that any of Customer's instructions infringe Data Protection Laws.
    5. Before the commencement of an audit described in clause 2.4, Supplier and Customer will mutually agree upon the reasonable scope, start date, duration of and security and confidentiality controls applicable to the audit. Customer agrees that: 
      1. audits will be conducted during Supplier’s normal business hours;
      2. it will not exercise its on-site audit rights more than once in any twelve (12) calendar months period, unless it has reasonable concerns as to Supplier’s compliance with this Addendum or where it is required or requested to carry out an audit under Data Protection Legislation, or by a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Legislation in any country or territory;
      3. it will be responsible for any fees charged by any third party auditor appointed by Customer to execute any such audit;
      4. Supplier may object to any third-party auditor appointed by Customer to conduct an audit if the auditor is, in Supplier’s opinion, not suitably qualified or independent, a competitor of Supplier or otherwise manifestly unsuitable. Any such objection by Supplier will require Customer to appoint another auditor or conduct the audit itself;
      5. nothing in this clause 2.5 will require Supplier either to disclose to the Auditor, or to allow the Auditor access to (a) any data processed by the Supplier on behalf of any other organization, (b) any Supplier internal accounting or financial information, (c) any trade secret of Supplier, (d) any information that, in Supplier’s opinion, could (i) compromise the security of any Supplier systems or premises, or (ii) cause Supplier to breach its obligations to Customer or any third party, or (e) any information that Customer seeks to access for any reason other than the good faith fulfilment of Customer’s obligations under the Applicable Data Protection Law; and
      6. it shall provide Supplier with copies of any audit reports completed by Customer’s independent third-party auditors, which reports shall be subject to the confidentiality provisions of this Agreement.
    6. The Customer consents to the use of third-party processors by Supplier to process Personal Data on behalf of Customer in the performance of its obligations under this Agreement, and to provide certain services on behalf of Supplier, such as support services. Supplier confirms that it has entered or (as the case may be) will enter with the third-party processors into written agreements incorporating terms which are substantially similar to, and no less onerous than, those set out in this Addendum. Supplier shall maintain a current list of third-party processors at Mailstrom.co/gdpr. The Customer may object to any new third-party processor by terminating the applicable license with respect only to those services which cannot be provided by Supplier without the use of the objected-to new third-party processor. Such termination will be made by providing written notice to Supplier. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new third-party processor. As between Customer and Supplier, Supplier shall remain liable for all acts or omissions of any third-party processors appointed by it pursuant to this clause 2.6 as if those acts or omissions were of the Supplier.
    7. The Customer acknowledges and agrees that Personal Data will be processed by Supplier outside of the European Union, the European Economic Area or Switzerland (the “EU”) including in the United States of America. Where Personal Data is transferred from the EU to a jurisdiction outside of the EU, Supplier will execute appropriate safeguards in relation to the transfer (unless appropriate safeguards have already been provided by Customer). 
  3. GENERAL TERMS

Termination

    1. Subject to clause 3.2, the parties agree that this Addendum shall terminate automatically upon termination of the Agreement.
    2. Any obligation imposed on Supplier under this Addendum in relation to the processing of Personal Data shall survive any termination or expiration of this Addendum.

Governing law of this Addendum

    1. This Addendum shall be governed by the governing law of the Agreement.

Choice of jurisdiction

    1. The parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this Addendum.

Order of precedence

    1. Nothing in this Addendum reduces Supplier's obligations under the Agreement in relation to the protection of Personal Data or permits Supplier to process (or permit the processing of) Personal Data in a manner which is prohibited by the Agreement. In the event of any inconsistency between this Addendum and any other agreements between the parties, including but not limited to the Agreement, the Addendum shall prevail.

Severance

    1. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.