At EnovaPoint we want to protect the personal data of our Customers as well as that of our Staff. This Data Processing Addendum is an addition to our Terms of Service and in it, we set out the ways in which we process personal data in a way that is secure, fair, and transparent.
This Data Protection Addendum is part of the Terms of Service between EnovaPoint (“Us”, “We”, “EnovaPoint”) and the Customer (“Customer” or “You”) using and/or buying any of EnovaPoint’s Services (JungleMail for Office 365, JungleDocs for Office 365, “The Services” or individually “The Service”, depending on the product(s) You use).
In consideration of the mutual obligations set out herein, the parties agree that the terms and conditions set out below shall be added as an Addendum to the existing Terms of Service as is applicable to any and all of EnovaPoint’s Services which are used by the Customer.
This Data Processing Addendum protects the data of all parties. In turn, all have obligations to protect data. The following definitions will give a better idea of what is meant by data in this Addendum.
“EnovaPoint”, “We”, “Us”, or “Our” refers to the company EnovaPoint, i.e. the creator and manager of the Services: JungleDocs and JungleMail for Office 365 as well as its related Services, (collectively these are referred to as the “Services” or the “Products”).
“You” or the “Customer” refers to the company or organization that signs up to use, already uses or buys any of the EnovaPoint Services.
“Staff” refers to those individuals who are employed by or are under contract to perform a service on behalf of one of the parties.
“Data Subjects” refers to customers or users of one of EnovaPoint’s Services as well as any staff members of any of the involved parties who reside in the EU, as well as the people whose personal data is uploaded and used in the Service.
The terms “Controller”, “Data Subject”, “Member State”, “Personal Data”. Processing”. “Sub-processor” shall have the same meaning as in the GDPR.
Legal Basis for Processing
We process Personal Information as a Data Controller as described in this section, where such processing is in our legitimate interests and is not in conflict with Your data protection interests or any of Your other rights.
Our legitimate interests typically include the following: improving, maintaining, providing, and enhancing Our technology, Products and Services; ensuring the security of the Services and Our Website; and for Our marketing activities.
EnovaPoint uses certain Sub-Processors to assist in providing the services relating to JungleMail for Office 365. We define a Sub-Processor as a third party data processor engaged by EnovaPoint who agrees to receive personal data from EnovaPoint intended for processing activities to be carried out (i) on behalf of EnovaPoint’s customers; (ii) in accordance with customer instructions as communicated by EnovaPoint; and (iii) in accordance with the terms of a written contract between EnovaPoint and the Sub-Processor.
Sub-Processors Used by Us
SparkPost (Message Systems, Inc.) (www.sparkpost.com) is used as a Sub-Processor to send the emails in campaigns which are created with JungleMail for Office 365. SparkPost is located in London, UK and San Fransisco, US.
Microsoft (www.microsoft.com) is used as a Sub-Processor when You use Outlook in combination with JungleMail for Office 365. Microsoft is headquartered in Washington, US.
To deliver the Services associated with JungleDocs for Office365 we do not use any data Sub-Processors.
Treatment of Personal Data by EnovaPoint and You
- All parties bound by our Terms of Service agree that personal data shall be treated as confidential information, as set out in this Addendum and in the other legal documents found on the legal page of our Website. All parties shall also comply with the applicable laws relating to data protection in the relevant jurisdiction with respect to each other’s personal data, in case persons/companies residing in the EU are the parties involved, this will be the GDPR.
- Personal Data remains the property of the disclosing party. EnovaPoint agrees and understands that the Customer is the controller and maintains control over the Data Subject’s personal data.
- EnovaPoint vows to process the Customer’s personal data only to the extent strictly necessary to be able to provide its Services.
- Aside from the point mentioned above, EnovaPoint will:
- ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in relation to the Personal Data of the Customer implement appropriate technical and organizational measures.
- it will not modify, alter, delete, publish or disclose any Customer personal data to any third party, nor allow any third party to process such personal data processed by EnovaPoint on behalf of the Company unless the third party is bound to similar confidentiality and data handling provisions;
- only its personnel who “need-to-know” will be given access to Customer’s personal data and only to the extent necessary to perform obligations and deliver Service. This staff will receive training to ensure they comply with the obligations as set out herein; and
- it will only process personal data to the extent necessary to perform its obligations as set out in theTerms of Service and only in accordance with applicable laws.
Data Processed by Customers through Our Services
EnovaPoint’s Services facilitate the processing of personal data by its Customers. When a Customer processes personal data and uses the Service to do this he is considered to be a Data Controller. It is important that Customers follow the applicable laws, and Our practices as set out below:
- The Customer vows that it has all necessary rights to provide EnovaPoint with personal data for processing in connection with the provision of EnovaPoint’s Services.
- As required by applicable law, the Customer is responsible that consent is given by data subjects (for example for sending newsletters), and that a record of these consents is kept. This includes consent to use personal data that is obtained from third parties. When consent is revoked by a data subject, the Customer is responsible for communicating this to EnovaPoint. We will then be responsible for implementing any instruction with respect to the further processing of that personal data, or, we will adhere to our legal obligations.
- The Customer understands, as a controller, that it is responsible for:
- determining the lawfulness of any processing, which is performed with any required data protection impact assessments, and accounting to regulators and individuals, as may be required;
- making reasonable efforts to verify parental consent when data is collected on a data subject under 16 years of age;
- responding to requests from individuals about their data and the processing of the same, including requests to have personal data altered, corrected, or erased, and providing copies of the actual data processed;
- implementing Your own appropriate technical and organizational measures to ensure and demonstrate processing in accord with this Addendum;
- notifying individuals and any relevant regulators or authorities of any incident as may be required by law in Your jurisdiction.
Incidents, Resolutions and Procedures
EnovaPoint tries to avoid incidents, but in the unlikely event that an incident does happen, the following clauses apply to the solving and managing of the incident in question:
- When one of the parties involved becomes aware of an incident (such as a data breach) that impacts the processing of personal data, it will with no delay notify the other about the incident. It shall then cooperate, at a level that is to be expected and is reasonable considering the circumstance of the incident, to enable the investigate the incident, so that a correct response can be given, and also to solve the incident as soon as possible within the bounds of that incident.
- Both parties vow to always be prepared for incidents. They know what to do when an incident happens, the staff has received training, and written procedures which enable them to promptly respond to the other about an incident are readily available. In case the incident would be classified as a data breach under applicable laws, the party responsible for the incident or the one noticing the incident first shall notify the other immediately after having become aware of such an incident.
- When an incident happens, help@enovapoint should immediately be contacted, if you have a regular point of contact at EnovaPoint you can also address the notification of the incident to this particular person. Such communications should explain the nature of the incident as well as the number of individuals that are harmed / in danger as a result of the incident, as well as the plans already set in motion or about to set in motion to resolve this incident. The parties vow to be responsive in such a case and deal with the incident in unison without forming obstructions to the other party as much as possible following the type of incident that has occurred.
Liability and Indemnity
When as a direct or indirect result of a breach of this Data Processing Addendum costs will be accrued, each party will indemnify the other. On top of that, they will be held harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the indemnified party.
This Data Proccessing Addendum has last been updated on May 29, 2018.