This Data Processing Addendum, including the Standard Contractual Clauses (as defined below) attached hereto (collectively, the “DPA” or “Addendum”), is made and entered into as of the effective date of the applicable customer’s (“Customer”) acceptance of the Terms of Service between PristineSend (“Company” or “PristineSend”) and Customer. This Addendum shall become legally binding upon Customer entering into the Agreement or upon execution of this Addendum.
The parties acknowledge and agree that with regard to the processing of Personal Data, Customer may act either as a controller or processor and, except as expressly set forth in this DPA or the Agreement, Company is a processor. Customer shall, in its use of the Services, at all times process Personal Data, and provide instructions for the processing of Personal Data, in compliance with Data Protection Laws.
Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Company by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to Company regarding the processing of such Personal Data.
Company shall not process Personal Data for purposes other than those set forth in the Agreement, in a manner inconsistent with the terms and conditions set forth in this DPA, or in violation of Data Protection Laws.
Following completion of the Services, at Customer’s choice, Company shall return or delete Customer’s Personal Data, unless further storage of such Personal Data is required or authorized by applicable law.
Except with respect to Company Account Data and Company Usage Data, the parties acknowledge and agree that Company is a service provider for the purposes of the CCPA and is receiving personal information from Customer in order to provide the Services, which constitutes a business purpose. Company shall not sell any such personal information.
Company shall ensure that any person it authorizes to process Personal Data has agreed to protect Personal Data in accordance with Company’s confidentiality obligations in the Agreement. Customer agrees that Company may disclose Personal Data to its advisers, auditors or other third parties as reasonably required in connection with the performance of its obligations under this DPA, the Agreement, or the provision of Services to Customer.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Personal Data. Additional information about Company’s technical and organizational security measures is set forth in Exhibit C.
The parties agree that Company may transfer Personal Data processed under this DPA outside the EEA, the UK, or Switzerland as necessary to provide the Services. Customer acknowledges that Company’s primary processing operations take place in the United States, and that the transfer of Customer’s Personal Data to the United States is necessary for the provision of the Services to Customer.
The parties agree that ex-EEA Transfers are made pursuant to the EU SCCs, which are deemed entered into and incorporated into this DPA. The EU SCCs will be governed by Irish law, and disputes will be resolved before the courts of Ireland.
The parties agree that ex-UK Transfers are made pursuant to the UK SCCs, which are deemed entered into and incorporated into this DPA by reference, and amended and completed in accordance with the UK Addendum.
The parties agree that transfers from Switzerland are made pursuant to the EU SCCs with appropriate modifications to reflect the Federal Act on Data Protection and the authority of the Federal Data Protection and Information Commissioner (“FDPIC”).
As of the date of this DPA, the Data Importer has not received any formal legal requests from any government intelligence or security service/agencies in the country to which the Personal Data is being exported. The Company will not voluntarily disclose Personal Data to any public authority in the absence of a valid and binding legal requirement.
Company shall, to the extent permitted by law, notify Customer upon receipt of a request by a Data Subject to exercise the Data Subject’s right of: access, rectification, erasure, data portability, restriction or cessation of processing, withdrawal of consent to processing, and/or objection to being subject to processing that constitutes automated decision-making.
If Company receives a Data Subject Request in relation to Customer’s data, Company will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to such request.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, the Company commits to resolve DPF Principles-related complaints. EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF should first contact the Company at legal@pristinesend.com.
Company shall, taking into account the nature of the processing and the information available to Company, provide Customer with reasonable cooperation and assistance where necessary for Customer to comply with its obligations under the GDPR.
Company shall maintain records sufficient to demonstrate its compliance with its obligations under this DPA, and retain such records for a period of three (3) years after the termination of the Agreement.
Upon Customer’s written request at reasonable intervals, Company shall either (i) make available for Customer’s review copies of certifications or reports demonstrating Company’s compliance with prevailing data security standards, or (ii) allow Customer’s independent third party representative to conduct an audit or inspection of Company’s data security infrastructure and procedures. Any such audit shall occur no more than once per calendar year and shall be restricted to data relevant to Customer.
In the event of a Personal Data Breach, Company shall, without undue delay, inform Customer of the Personal Data Breach and take such steps as Company in its sole discretion deems necessary and reasonable to remediate such violation.
The parties acknowledge and agree that with respect to Company Account Data and Company Usage Data, Company is an independent controller, not a joint controller with Customer. Company will process Company Account Data and Company Usage Data as a controller to manage the relationship with Customer, carry out Company’s core business operations, monitor and prevent fraud, and to comply with legal or regulatory obligations. Any processing by the Company as a controller shall be in accordance with the Company’s privacy policy.
The Company complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce. The Company has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom.
The Company is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
Under certain conditions, Customers have the right to invoke binding arbitration to address residual complaints that have not been resolved through other recourse mechanisms. This arbitration is conducted in accordance with the terms set forth in Annex I of the DPF Principles at no cost to the Customer.
In the context of onward transfers to third parties, the Company remains responsible for the processing of personal data it receives under the DPF and subsequently transfers to an agent on its behalf.
In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms in the Standard Contractual Clauses; (2) the terms of this DPA; (3) the Agreement; and (4) the Company’s privacy policy. Any claims brought in connection with this DPA will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the Agreement.
Data subjects are the recipients of emails the Customer sends using our Services — typically their customers. Where the Customer is a processor, data subjects are their customers and end users. PristineSend also transfers the personal data of the representatives of the Customer and those who enter into this agreement and anyone they allow to access their account.
The categories of personal data transferred relate to the sending and receiving of email messages. At a minimum, this includes metadata, email address and message content. Message content may also include name and other information decided and added by the sender. The Customer also has the option to enable open/link tracking and other analytics, which could include IP address, location, operating system, browser, device, email client and spam complaints.
Not applicable.
Continuous, until the agreement comes to an end.
Application emails sent through PristineSend are categorized as transactional or marketing electronic messages. The nature of the processing relates to facilitating sending and receiving such email messages, including hosting/storage of contact lists and message content, and analytics services.
To allow the Customer to reliably deliver application emails to their users/customers.
We process personal data on behalf of the Customer for as long as the Agreement is active. When the Customer terminates their use of the Services, we delete their user/customer data within 90 days of the account termination.
PristineSend maintains an information security program designed to: (a) help our customers secure their data against accidental or unlawful loss, access, or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorized access, and (c) minimize security risks, including through risk assessment and regular testing.
In-transit: We make HTTPS encryption (also referred to as SSL or TLS) available on all our interfaces. Our HTTPS implementation uses industry-standard algorithms and certificates.
At-rest: We store user passwords under policies that follow industry-standard security practices. We have implemented technologies to ensure that stored data is encrypted at rest.
PristineSend products are designed to ensure redundancy and seamless failover. The server instances that support the products are architected with the goal of preventing single points of failure. PristineSend has designed, and regularly plans and tests, its business continuity planning/disaster recovery programs.
Questions about this DPA: legal@pristinesend.com.
PristineSend, 7511 Greenwood Ave North Unit 4125, Seattle, WA 98103