Data Processing Addendum (DPA)

This Data Processing Addendum (this "DPA") is part of NotifiedBy’s Terms of Service (the "Principal Agreement") between NotifiedBy and the Customer and is subject to the Principal Agreement. NotifiedBy is the Email business unit of Rezero Consulting Ltd.

  1. Definitions

    For the purposes of this DPA, capitalized terms shall have the meanings below. Capitalized terms not otherwise defined shall have the meaning given to them in the Principal Agreement.

    1. "Customer's Personal Data" means any personal data that is processed by NotifiedBy on behalf of the Customer to perform the Services under the Principal Agreement.
    2. "Applicable Data Protection Laws" refers to the GDPR, as adopted into domestic legislation of each Member State (and the United Kingdom) and as amended, replaced, or superseded from time to time, including laws implementing, replacing, or supplementing the GDPR and all laws applicable to the collection, storage, processing, and use of Customer's Personal Data, including the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq.
    3. "GDPR" means EU General Data Protection Regulation 2016/679.
    4. "NotifiedBy Infrastructure" involves (i) NotifiedBy’s physical facilities; (ii) hosted cloud infrastructure; (iii) NotifiedBy's corporate network and the internal network, software, and hardware necessary to provide the Services and controlled by NotifiedBy; in each case, to the extent used to provide the Services.
    5. "Restricted Transfer" refers to a transfer of the Customer's Personal Data from NotifiedBy to a sub-processor where such transfer would be prohibited by Applicable Data Protection Laws in the absence of proper safeguards required for such transfers under Applicable Data Protection Laws.
    6. "Services" denotes the services provided to the Customer by NotifiedBy according to the Principal Agreement.
    7. "Standard Contractual Clauses" pertains to the latest version of standard contractual clauses for transferring personal data to processors established in third countries under the GDPR (the current version is annexed to European Commission Decision 2021/914 (EU) of June 4, 2021).
    8. "UK Addendum" refers to the United Kingdom Addendum (International Data Transfer Addendum to the EU Commission Standard Contractual Clauses) found at this link.
    9. Terms like "consent", "controller", "data subject", "Member State", "personal data", "personal data breach", "processor", "sub-processor", "processing", "supervisory authority", and "third party" have their meanings ascribed in article 4 of the GDPR.
  2. Compliance with Applicable Data Protection Laws

    NotifiedBy and the Customer shall each adhere to the provisions and obligations imposed on them by the Applicable Data Protection Laws and shall ensure their employees, agents, and contractors observe these provisions.

  3. Details and Scope of the Processing

    1. The Processing of the Customer’s Personal Data within the Agreement's scope shall be carried out in accordance with the following stipulations and as mandated under Article 28(3) of the GDPR. The parties may amend this information as deemed necessary to meet those requirements.
      1. Subject matter and duration of the processing of Personal Data: Defined in the Principal Agreement.
      2. Nature and purpose of processing Personal Data: Under the Principal Agreement, NotifiedBy provides certain email and SMS services to the Customer, involving personal data processing for (a) providing the Services, (b) detecting, preventing, and resolving security and technical issues, and (c) responding to Customer's support requests.
      3. Types of Personal Data to be processed: Personal data submitted, determined and controlled by the Controller at their discretion, includes name, email, telephone numbers, IP address, and other data in contact lists and message content.
      4. Categories of data subjects relate to senders and recipients of email and SMS messages.
    2. NotifiedBy shall process the Customer's Personal Data (i) to fulfill its obligations under the Principal Agreement and (ii) based on documented instructions as described in this DPA or as otherwise directed by the Customer. Such instructions shall be documented in the applicable order, services description, support ticket, other written communication, or as directed by Customer using the Services (e.g., through an API or control panel).
    3. If NotifiedBy believes a Customer instruction contradicts the Principal Agreement or this DPA or infringes the GDPR or other applicable data protection provisions, it shall inform the Customer without delay. In both cases, NotifiedBy is authorized to defer executing the relevant instruction until amended by the Customer or mutually agreed upon by both parties.
    4. Customer is solely responsible for using and managing Personal Data submitted or transmitted through the Services, including verifying recipients' addresses, notifying recipients about email's insecurity for transmitting Personal Data, limiting information disclosed, encrypting Personal Data when necessary, and acknowledging unencrypted email transmission in plain text over the Internet. Information uploaded to the Services, including message content, is encrypted when processed by NotifiedBy Infrastructure.
  4. Controller and Processor

    1. For this DPA, the Customer is the controller of the Customer's Personal Data, and NotifiedBy is the processor, except when the Customer acts as a processor, making NotifiedBy a sub-processor.
    2. NotifiedBy shall always have an officer responsible for assisting the Customer with inquiries regarding Data Processing from Data Subjects and legal information and disclosure requirements related to Data Processing. The Data Protection Officer can be contacted at privacy@rezero.net.
    3. The Customer warrants that:
      1. The processing of the Customer's Personal Data is on legal grounds as the Applicable Data Protection Laws require and that it has all necessary rights, permissions, registrations, and consents for NotifiedBy's processing of the Customer's Personal Data under this DPA and the Principal Agreement;
      2. It has all necessary rights, permissions, and consents to transfer the Customer's Personal Data to NotifiedBy, allowing lawful use, processing, and transfer of the data for carrying out Services and performing NotifiedBy's rights and obligations under this DPA and the Principal Agreement;
      3. It will inform Data Subjects about using Processors for Processing their Personal Data, as required under Applicable Data Protection Laws;
      4. It will respond timely and reasonably to Data Subjects' inquiries about Processing their Personal Data and provide Processor with timely, appropriate instructions.
  5. Confidentiality

    NotifiedBy shall ensure its and sub-processors' personnel authorized to process the Customer's Personal Data are subject to confidentiality obligations and trained on relevant security and Data Protection requirements.

  6. Technical and Organizational Measures

    1. NotifiedBy shall, regarding the Customer's Personal Data, (a) implement and document appropriate measures per Article 32 of the GDPR for Sinch Email Infrastructure security and platforms used to provide the Services and (b) reasonably assist the Customer, at the Customer's cost, in ensuring compliance with the Customer's obligations per Article 32 of the GDPR.
    2. NotifiedBy’s internal operations shall comply with the specific requirements of effective Data Protection management.
  7. Data Subject Requests

    NotifiedBy provides specific tools to assist customers in responding to requests from data subjects, including APIs and interfaces for searching event data, suppressions, and retrieving message content. When NotifiedBy receives a complaint, inquiry, or request (including requests from data subjects exercising their rights under Applicable Data Protection Laws) related to Customer's Personal Data, NotifiedBy will notify the Customer within fourteen (14) days of receipt. Considering the nature of the processing, NotifiedBy shall assist the Customer, using appropriate technical and organizational measures, as reasonably possible, for fulfilling the Customer's obligation to respond to data subjects' rights requests.

  8. Personal Data Breaches

    NotifiedBy shall notify the Customer without undue delay once it becomes aware of a personal data breach affecting Customer's Personal Data. Considering the nature of the processing and information available, NotifiedBy shall use commercially reasonable efforts to provide the Customer with sufficient information to meet obligations to report or inform regulatory authorities, data subjects, and other entities of such personal data breach, as required under Applicable Data Protection Laws.

  9. Data Protection Impact Assessments

    Considering the nature of the processing and the information available, NotifiedBy shall provide reasonable assistance to the Customer at the Customer's cost, for any data protection impact assessments and prior consultations with supervisory or other competent regulatory authorities, as required for the Customer to fulfill its obligations under Applicable Data Protection Laws.

  10. Audits

    1. NotifiedBy shall make available to the Customer, upon reasonable request, information reasonably necessary to demonstrate compliance with this DPA.
    2. The Customer, or a mandated third-party auditor, may, upon reasonable written request, conduct an inspection related to Processing of Customer’s Personal Data by NotifiedBy, as necessary under Data Protection Laws, without disrupting NotifiedBy’s operations and ensuring confidentiality.
    3. The audit right described in Paragraph 10(b) becomes applicable for the Customer if NotifiedBy has not provided sufficient evidence of compliance with technical and organizational measures. This includes providing either (i) a compliance certification with standards like ISO 27001, ISO 27701, or other standards implemented by NotifiedBy or (ii) an audit or attestation report from an independent third party. Such audits shall be conducted at the Customer's cost and expense.
  11. Return or Destruction of Customer's Personal Data

    1. The Customer may, by written notice to NotifiedBy, request the return and/or certification of deletion of all copies of Customer's Personal Data controlled by NotifiedBy and sub-processors. NotifiedBy shall provide a copy of Customer's Data in a readable and processable format.
    2. Within ninety (90) days following account termination, the Processor shall delete and/or return all Personal Data processed under this DPA. This does not affect possible statutory duties to preserve records for retention periods set by law, statute, or contract. NotifiedBy may retain electronic copies of files containing Customer's Personal Data created through automatic archiving or backup procedures, which cannot reasonably be deleted. In such cases, NotifiedBy ensures Customer's Personal Data is not further actively processed.
    3. Any additional costs for returning or deleting Personal Data after the termination or expiration of the Agreement shall be borne by the Customer.
  12. Data Transfers

    1. The Standard Contractual Clauses and, if needed, the UK Addendum, with NotifiedBy acting as the data importer and Customer as the data exporter, are incorporated into this DPA. If NotifiedBy's arrangement with a sub-processor involves a Restricted Transfer, NotifiedBy ensures that the onward transfer provisions of the Standard Contractual Clauses and/or UK Addendum are incorporated into the Principal Agreement, or otherwise entered into with the sub-processor. The Customer agrees to exercise its audit right in the Standard Contractual Clauses by instructing NotifiedBy to conduct the audit set out in Paragraph 10.
    2. The Controller acknowledges and agrees that, in performing the Services under the Agreement, the Processor may transfer Personal Data within its company group. These transfers are necessary to globally provide the Services and are justified for internal administration purposes.
    3. For Personal Data transfers from the European Union, the European Economic Area, and/or their member states, Switzerland, and the United Kingdom to countries that don’t ensure adequate Data Protection levels per relevant Data Protection Laws, the following safeguards are implemented: (i) Standard Contractual Clauses per European Commission's Decision 2021/914/EU of June 4, 2021, (ii) UK Addendum, and (iii) additional security measures, including data encryption, data aggregation, separation of access controls, and data minimization principles.
  13. Sub-processing

    1. Customer authorizes NotifiedBy to appoint sub-processors under this Paragraph 13, subject to any restrictions in the Principal Agreement. NotifiedBy ensures that sub-processors are bound by written agreements to provide at least the level of data protection required by this DPA. NotifiedBy may continue using sub-processors already engaged at this DPA’s date.
    2. NotifiedBy shall notify the Customer in writing before appointing any new sub-processor. If, within ten (10) business days of notice receipt, the Customer objects on reasonable grounds to the appointment, NotifiedBy shall not appoint the sub-processor until reasonable steps address Customer objections and provide a reasonable written explanation of the steps taken. If NotifiedBy and the Customer cannot resolve the sub-processor appointment, either party may terminate the Principal Agreement for cause.
    3. This paragraph does not apply to ancillary services such as telecommunication, postal, or transport services, maintenance, and user support tools. NotifiedBy shall, however, make appropriate and legally binding arrangements and take appropriate inspection measures to ensure Data protection and Data security of Customer's Data for these outsourced ancillary services.
    4. NotifiedBy shall be responsible for the acts and omissions of any sub-processors as it is toward the Customer for its actions and omissions related to this DPA.
  14. Governing law and jurisdiction

    1. The parties to this DPA submit to the jurisdiction chosen in the Principal Agreement for any disputes under this DPA, including those concerning its existence, validity, termination, or consequences of nullity.
    2. This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory specified in the Principal Agreement.
  15. Order of precedence

    Regarding this DPA's subject matter, if inconsistencies arise between this DPA and any other agreements, including the Principal Agreement, this DPA takes precedence unless otherwise agreed in writing.

  16. Severance

    If any provision of this DPA is invalid or unenforceable, the remainder of this DPA remains valid. The invalid or unenforceable provision shall be amended or construed to ensure its validity, while preserving the parties' intentions as closely as possible.

  17. Termination

    1. This DPA and the Standard Contractual Clauses terminate automatically with the Principal Agreement's termination.
    2. Amendments or variations to this DPA are not binding unless in writing and signed by authorized representatives of each Party.