Data Processing Addendum – v1

This is the previous version of our Data Processing Addendum, valid until 2023-01-20.
The current version is available here.

Data Processing Addendum

This Data Protection Addendum is part of the Terms of Service between EnovaPoint (“Us”, “We”, “EnovaPoint”, “Supplier”) and the Customer (“Customer” or “You”) using and/or buying any of EnovaPoint’s Services (JungleMail for Office 365, JungleDocs for Office 365, “The Services” or individually “The Service”, depending on the product(s) You use).

In consideration of the mutual obligations set out herein, the parties agree that the terms and conditions set out below shall be added as an Addendum to the existing Terms of Service as is applicable to any and all of EnovaPoint’s Services which are used by the Customer.

Definitions

This Data Processing Addendum protects the data of all parties. In turn, all have obligations to protect data. The following definitions will give a better idea of what is meant by data in this Addendum.

“EnovaPoint”, “We”, “Us”, or “Our” refers to the company EnovaPoint, i.e. the creator and manager of the Services: JungleMail for Office 365 as well as its related Services, (collectively these are referred to as the “Services” or the “Products”).

“You” or the “Customer” refers to the company or organization that signs up to use, already uses or buys any of the EnovaPoint Services.

 “Staff” refers to those individuals who are employed by or are under contract to perform a service on behalf of one of the parties.

“Customer data” refers to any Personal Data that EnovaPoint processes on behalf of the Customer as a Data Processor in the course of providing its Services.

“Data Subjects” refers to customers or users of one of EnovaPoint’s Services as well as any staff members of any of the involved parties who reside in the EU, as well as the people whose personal data is uploaded and used in the Service.

The terms “Controller”, “Data Subject”, “Member State”, “Personal Data”. Processing”. “Sub-processor” shall have the same meaning as in the GDPR.

“GDPR” means EU General Data Protection Regulation 2016/679.

“EU” means the European Union.

“Incident” means: (a) a complaint or a request with respect to the exercise of an individual’s rights under the GDPR (also see our Privacy Policy); (b) an investigation into or seizure of the personal data by government officials, or a specific indication that such an investigation or seizure is imminent; or (c) any breach of the security and/or confidentiality as set out in this Addendum leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the personal data, or any indication of such breach having taken place or being about to take place.

Scope and Roles

EnovaPoint agrees to comply with the following provisions with respect to any Personal Data Processed for the Customer in connection with the provision of the Services.

The parties understand and agree that with regard to the processing of Personal Data, Customer is the Data Controller and EnovaPoint is the Data Processor, acting on behalf of the Customer. Between the parties, Customer has sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which it acquires the Personal Data.

EnovaPoint will process Personal Data only as described in this DPA, and any other written instructions from Customer. Accordingly, this DPA supplements the Terms of Service and applies exclusively to EnovaPoint’s Processing of Customer Data in providing Services under the Terms of Service to the Customer.

Sub-Processors

EnovaPoint uses certain Sub-Processors to assist in providing the services relating to JungleMail for Office 365. We define a Sub-Processor as a third party data processor engaged by EnovaPoint who agrees to receive personal data from EnovaPoint intended for processing activities to be carried out (i) on behalf of EnovaPoint’s customers; (ii) in accordance with customer instructions as communicated by EnovaPoint; and (iii) in accordance with the terms of a written contract between EnovaPoint and the Sub-Processor.

List of subprocessors used by EnovaPoint

Treatment of Personal Data by EnovaPoint and You

  1. All parties bound by our Terms of Service agree that personal data shall be treated as confidential information, as set out in this Addendum and in the other legal documents found on the legal page of our Website. All parties shall also comply with the applicable laws relating to data protection in the relevant jurisdiction with respect to each other’s personal data, in case persons/companies residing in the EU are the parties involved, this will be the GDPR.
  2. Personal Data remains the property of the disclosing party. The parties agree and understand that with regard to the Processing of Personal Data, the Customer is the Data Controller and maintains control over the Data Subject’s Personal data, and EnovaPoint is a Data Processor, acting on behalf of the Customer.
  3. In connection with EnovaPoint’s delivery of the Services to the Customer, EnovaPoint shall process the certain categories and types of the Customer’s Data only for the purposes described in this DPA. Detail of the Processing are further specified in Annex 1 to this DPA.
  4. Aside from the point mentioned above, EnovaPoint will:
    1. ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in relation to the Personal Data of the Customer implement appropriate technical and organizational measures.
    2. it will not modify, alter, delete, publish or disclose any Customer personal data to any third party, nor allow any third party to process such personal data processed by EnovaPoint on behalf of the Company unless the third party is bound to similar confidentiality and data handling provisions;
    3. only its personnel who “need-to-know” will be given access to Customer’s personal data and only to the extent necessary to perform obligations and deliver Service. This staff will receive training to ensure they comply with the obligations as set out herein; and
    4. it will only process personal data to the extent necessary to perform its obligations as set out in the Terms of Service and only in accordance with applicable laws.
  5. Upon termination of Your User Account EnovaPoint will delete, destroy, or anonymize the personal data in accordance with our standard backup and retention policy as stated in our Privacy Policy unless we are required by law to retain personal data due to jurisdiction of a European Member State or the United States.

Data Processed by Customers through Our Services

EnovaPoint’s Services facilitate the processing of personal data by its Customers. When a Customer processes personal data and uses the Service to do this he is considered to be a Data Controller. It is important that Customers follow the applicable laws, and Our practices as set out below:

  1. The Customer vows that it has all necessary rights to provide EnovaPoint with Personal Data for processing in connection with the provision of EnovaPoint’s Services.
  2. As required by applicable law, the Customer is responsible that consent is given by Data Subjects (for example, for sending newsletters), and that a record of these consents is kept. This includes consent to use Personal Data that is obtained from third parties. When consent is revoked by a data subject, the Customer is responsible for communicating this to EnovaPoint. We will then be responsible for implementing any instruction with respect to the further processing of that Personal Data, or, we will adhere to our legal obligations.
  3. The Customer understands, as a Controller, that it is responsible for:
    1. determining the lawfulness of any processing, which is performed with any required data protection impact assessments, and accounting to regulators and individuals, as may be required;
    2. making reasonable efforts to verify parental consent when data is collected on a data subject under 16 years of age;
    3. the provision of relevant privacy notices to data subjects as may be required in your jurisdiction, including notice of their rights and provide the mechanisms for individuals to exercise those rights (see our Privacy Policy);
    4. responding to requests from individuals about their data and the processing of the same, including requests to have personal data altered, corrected, or erased, and providing copies of the actual data processed;
    5. implementing Your own appropriate technical and organizational measures to ensure and demonstrate processing in accord with this Addendum;
    6. notifying individuals and any relevant regulators or authorities of any incident as may be required by law in Your jurisdiction.

Incidents, Resolutions and Procedures

  1. EnovaPoint tries to avoid incidents, but in the unlikely event that an incident does happen, the following clauses apply to the solving and managing of the incident in question:
    1. When one of the parties involved becomes aware of an incident (such as a data breach) that impacts the processing of Personal Data, it will with no delay notify the other party about the incident. It shall then cooperate, at a level that is to be expected and is reasonable considering the circumstance of the incident, to enable the investigate the incident, so that a correct response can be given, and also to solve the incident as soon as possible within the bounds of that incident.
    2. Both parties vow to always be prepared for incidents. They know what to do when an incident happens, the staff has received training, and written procedures which enable them to promptly respond to the other about an incident are readily available. In case the incident would be classified as a Data Breach under applicable laws, the party responsible for the incident or the one noticing the incident first shall notify the other immediately after having become aware of such an incident.
    3. When an incident happens, support@enovapoint.com should immediately be contacted, if you have a regular point of contact at EnovaPoint you can also address the notification of the incident to this particular person. Such communications should explain the nature of the incident as well as the number of individuals that are harmed / in danger as a result of the incident, as well as the plans already set in motion or about to set in motion to resolve this incident. The parties vow to be responsive in such a case and deal with the incident in unison without forming obstructions to the other party as much as possible following the type of incident that has occurred.
    4. If EnovaPoint becomes aware of the Personal Data Breach with respect to Customer Data, it will notify the Customer undue delay, and in any event within 48 hours. Such notice may be provided by posting a notification in the Service app; by sending an email to the email address provided in Customer Profile of the Service; and additionally, to the email addresses of Service licensed Users. The Customer shall ensure that its contact information is current and accurate at all times during the terms of this DPA.

Compliance and Reviews

Upon request, EnovaPoint shall supply, on a confidential basis, a copy of its audit reports (if any) to the Customer, so that the Customer can verify our compliance with this DPA.

Where required by EU Data Protection Law, EnovaPoint will allow the Customer under the written confidentiality obligations to conduct an audit of EnovaPoint’s procedures relevant to the protection of Customer Data. In such case, Customer shall:

  1. provide at least 30 days’ prior written notice of any proposed audit;
  2. undertake an audit no more than once in any 12-month period, except where required due to a Customer Data Breach or by a competent Supervisory Authority;
  3. conduct any audit in a manner designed to minimize disruption of EnovaPoint’s normal business operations;
  4. protect the confidentiality of all information obtained through such audits;
  5. provide any written audit report to EnovaPoint or notify EnovaPoint of any non-compliance discovered during the audit.

Liability and Indemnity

When as a direct or indirect result of a breach of this Data Processing Addendum costs will be accrued, each party will indemnify the other. On top of that, they will be held harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the indemnified party.

Termination

This Data Processing Addendum will have the same duration as and will be subject to the termination terms of the Terms of Service. The obligations of EnovaPoint to implement appropriate security measures with respect to Personal Data will survive the termination of this Data Processing Addendum and will apply for so long as EnovaPoint retains Personal Data. In the event of a conflict between this Data Processing Addendum and the Terms of Service, this Data Processing Addendum will apply to the extent of the inconsistency.

Governing Law

This Data Processing Addendum and any dispute or claim arising out of or in connection with this Data Processing Addendum or its subject matter shall be governed by, and construed in accordance with, the laws of Lithuania.

IN WITNESS WHEREOF, this Agreement is entered into with effect from the date first set out below.

This Data Processing Addendum has last been updated on October 10, 2022.

If you would like to sign the document, please send an email to legal@enovapoint.com.

Annex 1: Description of Processing

This Annex includes certain details of the processing of Personal Data as required by Article 28(3) GDPR.

  1. Subject matter: The subject matter of the data processing under this DPA is the Customer Data.
  2. Duration of Processing: For the duration of the term of the Terms of Service, plus the period from the expiration of the Terms of Service while Personal Data is retained.
  3. The nature and purpose of the processing of Personal Data: Personal data will be processed for the purpose of delivering the Services under this Agreement.
  4. Categories of Personal Data:
    Customer may upload, submit or otherwise provide certain personal data to the Service, the extent of which is typically determined and controlled by Customer in its sole discretion, and may include the following types of personal data:

    • Users: Office 365 or Active Directory profile data, like First Last names, Email, Job title, Department, Country and other Office 365 user profile data used in the newsletter.
    • Financial information: credit card details, account details, payment information.
    • Contacts: Customer’s employees contact data, subscription preferences. This data can be used for Mail Merge, to track opens and link click events, for targeted content delivery.

Annex 2: Data Hosting Locality

Customers who purchase the JungleMail for Office 365 Service (Available in the AppSource), have the ability to select the region where their JungleMail for Office 365 data will be stored.

Available regional options:

  Azure Datacenter region Location
JungleMail US app East US Virginia
JungleMail EU app West Europe Netherlands
JungleMail AU app Australia Southeast Victoria
JungleMail UK app UK South London
JungleMail CA app Canada Central Toronto

More information about our Security measures can be found in our Security Statement.