This Data Processing Addendum (this "DPA") forms part of CPEio, LLC ("CPEio") Terms of Service (the "Principal Agreement") by and between CPEio and the Customer and is subject to the Principal Agreement.
For the purposes of this DPA, capitalized terms shall have the following meanings. Capitalized terms not otherwise defined shall have the meaning given to them in the Principal Agreement.
(a) "Customer's Personal Data" means any personal data that is processed by CPEio on behalf of the Customer to perform the Services under the Principal Agreement.
(b) "Applicable Data Protection Laws" means the GDPR, as transposed into domestic legislation of each Member State (and the United Kingdom) and as amended, replaced or superseded from time to time, and laws implementing, replacing or supplementing the GDPR and all laws applicable to the collection, storage, processing, and use of Customer's Personal Data, including the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq.
(c) "GDPR" means EU General Data Protection Regulation 2016/679.
(d) "CPEio Infrastructure" means (i) hosted cloud infrastructure; (ii) CPEio corporate network and the non-public internal network, software, and hardware necessary to provide the Services and which is controlled by CPEio; in each case to the extent used to provide the Services; (iii) CPEio does not maintain physical facilities for data processing.
(e) "Restricted Transfer" means a transfer of the Customer's Personal Data from CPEio to a subprocessor where such transfer would be prohibited by Applicable Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Applicable Data Protection Laws) in the absence of appropriate safeguards required for such transfers under Applicable Data Protection Laws.
(f) "Services" means the services provided to the Customer by CPEio pursuant to the Principal Agreement.
(g) "Standard Contractual Clauses" means the latest version of the standard contractual clauses for the transfer of personal data to processors established in third countries under the GDPR (the current version as at the date of this DPA is as annexed to European Commission Decision 2021/914 (EU) of June 4, 2021).
(h) "UK Addendum" means the United Kingdom Addendum (International Data Transfer Addendum to the EU Commission Standard Contractual Clauses) set out at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf
(i) The terms "consent", "controller", "data subject", "Member State", "personal data", "personal data breach", "processor", "sub processor", "processing", "supervisory authority" and "third party" shall have the meanings ascribed to them in article 4 of the GDPR.
(a) CPEio and the Customer shall each comply with the provisions and obligations imposed on them by the Applicable Data Protection Laws and shall procure that their employees, agents and contractors observe the provisions of the Applicable Data Protection Laws.
(a) The Processing of the Customer’s Personal Data within the scope of the Agreement shall be carried out in accordance with the following stipulations and as required under Article 28(3) of the GDPR. The parties may amend this information from time to time, as the parties may reasonably consider necessary to meet those requirements.
(i) Subject matter and duration of the processing of Personal Data: The subject matter and duration of the processing of the Personal Data are set out in the Principal Agreement.
(ii) The nature and purpose of the processing of Personal Data: Under the Principal Agreement, CPEio provides certain email services to the Customer which involves the processing of personal data. Such processing activities include (a) providing the Services; (b) the detection, prevention and resolution of security and technical issues; and (c) responding to Customer's support requests.
(iii) The types of Personal Data to be processed: The personal data submitted, the extent of which is determined and controlled by the Controller in its sole discretion, includes name, email, telephone numbers, physical address, IP address, and other personal data included in the contact lists and message content.
(iv) The categories of data subjects to whom the Personal Data relates: Senders and recipients of email messages.
(b) CPEio shall only process the Customer's Personal Data (i) for the purposes of fulfilling its obligations under the Principal Agreement and (i) in accordance with the documented instructions described in this DPA or as otherwise instructed by the Customer from time to time. Such Customer's instructions shall be documented in the applicable order, services description, support ticket, other written communication or as directed by Customer using the Services (such as through an API, control panel, email, or post marked letter).
(c) Where CPEio reasonably believes that a Customer instruction is contrary to the provisions of the Principal Agreement or this DPA, or that it infringes the GDPR or other applicable data protection provisions, it shall inform the Customer without delay. In both cases, CPEio shall be authorized to defer the performance of the relevant instruction until it has been amended by Customer or is mutually agreed by both Customer and CPEio.
(d) Customer is solely responsible for its utilization and management of Personal Data submitted to or transmitted by the Services, including: (i) verifying recipient names and addresses and that they are correctly entered into the Services (ii) reasonably notifying any recipient of the insecure nature of email as a means of transmitting Personal Data (as applicable), (iii) reasonably limiting the amount or type of information disclosed through the Services. Information uploaded to the Services, including message content, is stored in an encrypted format when processed by the CPEio Email Infrastructure. The Customer acknowledges that the Services include the transmission of unencrypted email in plain text over the public internet and open networks.
(a) For the purposes of this DPA, the Customer is the controller of the Customer's Personal Data and CPEio is the processor of such data, except when the Customer acts as a processor of the Customer's Personal Data, in which case CPEio is a sub-processor.
(b) CPEio shall at all times have in place an officer who is responsible for assisting the Customer (i) in responding to inquiries concerning the Data Processing received from Data Subjects; and, (ii) in completing all legal information and disclosure requirements which apply and are associated with the Data Processing. The Data Protection Officer may be contacted directly at [email protected].
(c) The Customer warrants that:
(i) The processing of the Customer's Personal Data is based on legal grounds for processing, as may be required by Applicable Data Protection Laws and that it has made and shall maintain throughout the term of the Principal Agreement all necessary rights, permissions, registrations and consents in accordance with and as required by Applicable Data Protection Laws with respect to CPEio's processing of the Customer's Personal Data under this DPA and the Principal Agreement;
(ii) it is entitled to and has all necessary rights, permissions and consents to transfer the Customer's Personal Data to CPEio and otherwise permit CPEio to process the Customer's Personal Data on its behalf, so that CPEio may lawfully use, process and transfer the Customer's Personal Data in order to carry out the Services and perform CPEio's other rights and obligations under this DPA and the Principal Agreement;
(iii) it will inform its Data Subjects about its use of Processors in Processing their Personal Data, to the extent required under Applicable Data Protection Laws; and,
(iv) it will respond in a reasonable time and to the extent reasonably practicable to enquiries by Data Subjects regarding the Processing of their Personal Data, and to give appropriate instructions to the Processor in a timely manner.
(a) CPEio shall ensure that each of its, and sub-processors', personnel that is authorized to process the Customer's Personal Data is subject to confidentiality undertakings or professional or statutory obligations of confidentiality and are trained with the relevant security and Data Protection requirements.
(a) CPEio shall, in relation to the Customer's Personal Data, (a) take and document, as appropriate, reasonable and appropriate measures required pursuant to Article 32 of the GDPR in relation to the security of the CPEio Email Infrastructure and the platforms used to provide the Services as described in the Principal Agreement, and (b) on reasonable request at the Customer's cost, assist the Customer in ensuring compliance with the Customer's obligations pursuant to Article 32 of the GDPR.
(b) CPEio’s internal operating procedures shall comply with the specific requirements of an effective Data Protection management.
(a) CPEio provides specific tools in order to assist customers in replying to requests received from data subjects. These include our APIs and interfaces to search event data, suppressions, and retrieve message content. When CPEio receives a complaint, inquiry or request (including requests made by data subjects to exercise their rights pursuant to Applicable Data Protection Laws) related to the Customer's Personal Data directly from data subjects CPEio will notify the Customer within fourteen (14) days from the receipt of the complaint, inquiry or request. Taking into account the nature of the processing, CPEio shall assist the Customer, by appropriate technical and organizational measures, insofar as this is reasonably possible, for the fulfillment of the Customer's obligation to respond to requests for exercising such data subjects' rights.
(a) CPEio shall notify the Customer without undue delay once CPEio becomes aware of a personal data breach affecting the Customer's Personal Data. CPEio shall, taking into account the nature of the processing and the information available to CPEio, use commercially reasonable efforts to provide the Customer with sufficient information to allow the Customer at the Customer's cost, to meet any obligations to report or inform regulatory authorities, data subjects and other entities of such personal data breach to the extent required under Applicable Data Protection Laws.
(a) CPEio shall, taking into account the nature of the processing and the information available, provide reasonable assistance to the Customer at the Customer's cost, with any data protection impact assessments and prior consultations with supervisory authorities or other competent regulatory authorities as required for the Customer to fulfill its obligations under Applicable Data Protection Laws.
(a) CPEio shall make available to the Customer on reasonable request and signed non-disclosure agreement, internal infrastructure and process control documentation to reasonably demonstrate compliance with this DPA.
(b) Upon Customer’s request, CPEio will, no more than once per calendar year, shall either (i) make available for Customer’s review information that is reasonably necessary to demonstrate compliance with this DPA (copies of certifications or reports demonstrating compliance), or if the provision of reports or certifications pursuant to (i) is not obtained by CPEio or is not reasonably sufficient under Data Protection Laws, (ii) allow Customer or its authorized representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of CPEio data security infrastructure and procedures that is sufficient to demonstrate CPEio compliance with its obligations under this Addendum, provided that Customer will provide reasonable prior written notice of any such request for an audit and such inspection will not be unreasonably disruptive to CPEio business and ensuring confidentiality.
(c) The audit right as described in Paragraph 10(b) above will become applicable for the Customer, in case CPEio has not provided sufficient evidence of its compliance with the technical and organizational measures. Customer will be responsible for all costs of any such audits or inspections, including, without limitation, a reimbursement to CPEio for any time expended for audits. Any such audit will be subject to CPE' security and confidentiality terms and guidelines. If CPEio declines to follow any reasonable instruction requested by Customer regarding audits, Customer is entitled to terminate this DPA and the Agreement.
(a) The Customer may, by written notice to CPEio, request the return and/or certificate of deletion of all copies of the Customer's Personal Data in the control or possession of CPEio and sub-processors. CPEio shall provide a copy of the Controller's Data in a form that can be read and processed further.
(b) Within ninety (90) days following termination of the account, the Processor shall delete and/or return all Personal Data processed pursuant to this DPA. This provision shall not affect potential statutory duties of the Parties to preserve records for retention periods set by law, statute or contract. CPEio may retain electronic copies of files containing Customer's Personal Data created pursuant to automatic archiving or back-up procedures which cannot reasonably be deleted. In these cases, CPEio shall ensure that the Customer's Personal Data is not further actively processed.
(c) Any additional cost arising in connection with the return or deletion of Personal Data after the termination or expiration of the Agreement shall be borne by the Customer.
(a) The Standard Contractual Clauses and, if required, the UK Addendum, having CPEio act as data importer with the Customer acting as data exporter are incorporated as part of this DPA. If CPEio's arrangement with a sub-processor involves a Restricted Transfer, CPEio shall ensure that the onward transfer provisions of the Standard Contractual Clauses and/or UK Addendum are incorporated into the Principal Agreement, or otherwise entered into, between CPEio and the sub-processor. The Customer agrees to exercise its audit right in the Standard Contractual Clauses by instructing CPEio to conduct the audit set out in Paragraph 10.
(b) Controller acknowledges and agrees that, in connection with the performance of the Services under the Agreement, Processor may transfer Personal Data within its company group. These transfers are necessary to globally provide the Services, and are justified for internal administration purposes.
(c) For transfers of Personal Data from the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of Data Protection within the meaning of Data Protection Laws of the foregoing territories, to the extent such transfers are subject to Data Protection Laws and Regulations and in order to implement appropriate safeguards, the following safeguards are taken: (i) Standard Contractual Clauses as per European Commission's Decision 2021/914/EU of June 4, 2021, (2) UK Addendum, and (3) additional safeguards with respect to security measures including data encryption, data aggregation, separation of access controls and data minimization principles.
(a) The Customer hereby authorizes CPEio to appoint sub-processors in accordance with this Paragraph 13 and Annex 1, subject to any restrictions in the Principal Agreement. CPEio will ensure that new sub-processors are bound by written agreements that require them to provide at least the level of data protection required of CPEio by this DPA.
(b) CPEio shall give the Customer prior written notice of the appointment of any new sub-processor. If, within ten (10) business days of receipt of that notice, the Customer notifies CPEio in writing of any objections on reasonable grounds to the proposed appointment, CPEio shall not appoint that proposed sub-processor until reasonable steps have been taken to address the objections raised by the Customer and the Customer has been provided with a reasonable written explanation of the steps taken. If CPEio and the Customer are not able to resolve the appointment of a sub-processor within a reasonable period, either party shall have the right to terminate the Principal Agreement for cause.
(c) This paragraph does not apply to the following ancillary services, namely telecommunication services, postal or transport services, maintenance and user support tools. CPEio shall, however, be obligated to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the Data protection and Data security of the Customer's Data even for these outsourced ancillary services.
(d) CPEio shall be responsible for the acts and omissions of any sub-processors as it is to the Customer for its own acts and omissions in relation to the matters provided in this DPA.
(a) The parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity.
(b) This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.
(a) With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.
(a) Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
(a) This DPA and the Standard Contractual Clauses will terminate contemporaneously and automatically with the termination of the Principal Agreement.
(b) Any amendment or variation to this DPA shall not be binding on the Parties unless set out in writing and signed by authorised representatives of each of the Parties.
IN WITNESS WHEREOF, this DPA and the Annexes are entered into and becomes a binding part of the Principal Agreement with effect from the date first set out above.
Where personal data is processed or used automatically, CPEio’s internal organization ensures that it meets specific requirements of data protection by utilizing security best practices. In particular, CPEio implements the following measures to protect personal data or other sensitive data categories.
To prevent unauthorized persons from gaining access to data processing systems with which personal data is processed or used:
CPEio does not own or operated data centers. CPEio leverages industry-leading data center and cloud infrastructure providers. Access to all data centers is strictly controlled. All data centers are equipped with 24x7x365 surveillance and biometric access control systems. Additionally, all providers have industry standard certifications.
To prevent data processing systems from being used without authorization:
Administrative access to CPEio systems and services follows the principle of least privilege. Access to systems is based on job role and responsibilities. CPEio utilizes unique usernames/identifiers that are not permitted to be shared or re-assigned to another person.
Security groups are used to limit ingress and egress traffic from production infrastructure. Network protections have been deployed to mitigate the impact of distributed denial of service (DDoS) attacks.
To ensure authorized users entitled to use data processing systems have access only to the data to which they have a right of access, and that personal data cannot be read, copied, modified or removed without authorization in the course of processing or use and after storage:
CPEio utilizes a password management system that enforces minimum password length, complexity, expiration time, and minimum last used.
Employee workstations automatically lock after a prolonged period of inactivity. Systems log out users after a prolonged period of inactivity.
The CPEio patch management process ensures that systems are patched at least once every month. Monitoring, alerting, and routine vulnerability scanning occurs to ensure that all product infrastructure is patched consistently.
Industry-standard antivirus software is utilized to ensure internal assets that access personal data are protected against known viruses. Antivirus software is updated regularly.
Updated June 13, 2023