DATA PROCESSING AGREEMENT
20 January 2023
Customer (“You”) hereinafter referred to as “Controller“, and EnovaPoint, UAB, a private company with limited liability, incorporated under the laws of Lithuania, having its statutory seat in Vilnius and its principal place of business at P.Vileisio str. 19a-43, Vilnius 10300, Lithuania, registered with the State Enterprise Centre of Registers under juridical person register code 300691229; hereinafter referred to as “Processor“, referred to collectively as “Parties”, applicable to TERMS OF SERVICE AGREEMENT hereinafter the “Principal Agreement” regarding the JUNGLEMAIL FOR OFFICE 365 (Newsletter Platform) hereinafter the “Service”.
This Data Processing Agreement (“DPA”) is made as of and for the duration of the Principal Agreement by and between the Parties. This DPA is applicable in relation to the Principal Agreement.
Save as provided in the Principal Agreement, the Controller and the Processor have concluded this DPA for the Processing of Personal Data.
A description of the Service is included in Schedule 1.
Organizational and technical measures taken by the Processor are described in Schedule 2.
An overview of the type of Personal Data, categories of data subjects, the purposes of Processing is included in Schedule 3.
This DPA forms an integral part of the Principal Agreement. This DPA is effective upon and subject to the conclusion of the Principal Agreement by both Parties.
The duration, term and termination of this DPA follow the term of the Principal Agreement. Terms not defined herein shall have the meaning as set forth in the Principal Agreement or within the relevant Data Protection Laws.
The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the General Data Protection Regulation (GDPR), as well as the Swiss and UK Data Protection laws.
In consideration of the Principal Agreement, the Parties hereto agree as follows.
2. Definitions and Interpretation
Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:
“Controller” shall mean the company or organization (Customer) that determines the purposes and means of the Processing of Personal Data; in accordance with the EU, Swiss, UK Data Protection Laws;
“Processor” shall mean the company that processes Personal Data on behalf of the Controller;
“Personal Data” means any personal data processed by the Processor on the Controller’s behalf pursuant to or in connection with the Principal Agreement;
“Data Protection Laws” means EU Data Protection Laws, UK Data Protection Laws, and Swiss Data Protection Laws to the extent applicable, the data protection or privacy laws of any other country;
“EU Data Protection Laws” means the GDPR and European or national laws supplementing the GDPR;
“GDPR” means EU General Data Protection Regulation 2016/679;
“Data Transfer” means:
- a transfer of Personal Data from the Controller to the Processor or a Subprocessor;
- an onward transfer of Personal Data from the Processor to a Sub-processor, or between several establishments of a Sub-processor,
in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
“Sub-processor” means any third party appointed by or on behalf of the Processor to process Personal Data on behalf of the Controller in connection with the Principal Agreement.
The list of Sub-processors https://www.enovapoint.com/legal/sub-processors
Lower case terms used but not defined in this DPA, such as “personal data breach”, “processing”, “profiling” and “data subject” will have the same meaning as set forth in Article 4 of the GDPR, irrespective of whether GDPR applies, and their cognate terms shall be construed accordingly.
3. Processing of Personal Data
Processor represents and warrants that the Controller is the supplier of Personal Data while Processor is the Processor of such data, except when Customer acts as a Processor of Personal Data, in which case Processor is a Sub-processor; or as stated otherwise in the Principal Agreement or this DPA.
The Processor shall:
- comply with all applicable Data Protection Laws in the Processing of Personal Data; and
- not process Personal Data other than on the Controller’s documented instructions.
The Controller instructs the Processor to process Personal Data in relation to and for the execution of the Principal Agreement. The Processor undertakes to process Personal Data only for the purpose of the activities referred to in this DPA and/or in the Principal Agreement. The Processor guarantees that it will not use the Personal Data that it processes in the context of this DPA for its own or third-party purposes without the Controller’s express written consent, unless a mandatory legal provision requires the Processor to do so. In such case, the Processor shall immediately inform the Controller of that legal requirement before processing such information, unless the law explicitly prohibits such disclosure.
The Processor may use and otherwise process Personal Data for its legitimate business operations as detailed in Schedule 3 and within the boundaries set forth in the said Schedule.
4. Disclosure of Personal Data
The Processor will not disclose Personal Data except:
- as the Controller directs;
- as described in this DPA; or
- as imposed by mandatory legal provisions.
The Processor will not disclose Personal Data to law enforcement bodies unless required by law. If law enforcement contacts Processor with a demand for Personal Data, Processor will attempt to redirect the law enforcement agency to request that data directly from The Controller. If compelled to disclose Personal Data to law enforcement, the Processor will promptly notify the Controller and provide a copy of the demand unless legally expressely prohibited from doing so.
Upon receipt of any other third-party request for Personal Data, the Processor will promptly notify the Controller unless prohibited by law. The Processor will reject the request unless required by law to comply. If the request is valid, the Processor will attempt to redirect the third party to request the data directly from the Controller.
The Processor will not provide any third party:
- direct, indirect, blanket, or unfettered access to Personal Data;
- encryption keys used to secure Personal Data or the ability to break such encryption; or
- access to Personal Data if the Processor is aware that such data is to be used for purposes other than those stated in the third party’s request.
In support of the above, the Processor may provide the Controller’s basic contact information to the third party.
5. Processor Personnel
The Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Sub-processor who may have access to Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with applicable laws in the context of that individual’s duties to the Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR, irrespective of whether GDPR applies.
In assessing the appropriate level of security, the Processor shall take into account in particular of the risks that are presented by the processing, in particular from a Personal Data Breach.
7. Data Transfer
The Processor may not transfer or authorize the transfer of Data to countries outside Switzerland or the European Economic Area without the prior written consent of the Controller. If Personal Data processed under this DPA is transferred from Switzerland or a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.
For the Service, the Processor will store Personal Data at rest in Microsoft Azure datacenter (e.g. Netherlands (EU), UK, US, CA, AU) selected by Controller.
For the Service, the Processor will otherwise process Personal Data in Controller selected location and other countries used by sub-processors (GDPR-compliant), depending on Controller settings.
The Controller acknowledges and agrees that Processor may engage third-party Sub-Processors in connection with the provision of Services, and hereby consents to Processor’s use of Sub-Processors. As a condition to permitting a third-party Sub-Processor to Process Customer Data, Processor will enter into a written agreement with the Sub-Processor containing data protection obligations no less protective than those in this DPA with respect to Personal Data. Processor will restrict its Sub-Processors’ access to only what is necessary to maintain the Services or to provide the Services to customers. Subject to this Section 7, Processor reserves the right to engage and substitute Sub-Processors as it deems appropriate, but shall: (a) remain responsible to the Controller for the provision of the Services and (b) be liable for the actions and omissions of its Sub-Processors undertaken in connection with Processor ’s performance of this DPA to the same extent Processor would be liable if performing the Services directly.
List of Sub-processors: https://www.enovapoint.com/legal/sub-processors
9. Data Subject Rights
Taking into account the nature of the processing, the Processor shall assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller obligations, as reasonably understood by the Controller, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
The Processor shall:
- promptly notify the Controller if it receives a request from a Data Subject under any Data Protection Law in respect of Personal Data; and
- ensure that it does not respond to that request except on the documented instructions of the Controller or as required by Applicable Laws to which the Processor is subject, in which case the Processor shall to the extent permitted by Applicable Laws inform the Controller of that legal requirement before the Processor responds to the request.
10. Personal Data Breach
If the Processor becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Controller Data or Personal Data while processed by the Processor (each a “Security Incident”), the Processor without undue delay, and in any event within 48 hours, will notify the Controller of the Security Incident, investigate the Security Incident and provide the Controller with detailed information about the Security Incident and take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident. Such notice may be provided by posting a notification in the Service app; by sending an email to the Contact Person provided in the Service; and/or additionally, to the email addresses of Service licensed Users. The Controller shall ensure that its contact information is current and accurate at all times during the terms of this DPA.
The Processor shall make reasonable efforts to assist the Controller in fulfilling its obligation under applicable laws to notify the relevant authorities and data subjects about such Security Incident.
The Processor’s notification of or response to a Security Incident under this section is not an acknowledgement by the Processor of any fault or liability with respect to the Security Incident.
The Controller must promptly notify the Processor about any possible misuse of its accounts, authentication credentials, or any security incident related to the Service.
11. Data Protection Impact Assessment and Prior Consultation
The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which the Controller reasonably considers to be required by the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to the processing of Personal Data by, and taking into account the nature of the processing and information available to, the Processor.
12. Deletion or return of Personal Data
Upon termination of the Principal agreement and/or DPA, Processor will initiate a process that deletes the personal data in accordance with our standard backup and retention policy or in accordance with Controller’s written request. This requirement shall not apply to the extent Processor is required by the applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which Personal Data Processor shall securely isolate and protect from any further processing, except to the extent required by applicable law.
13. Audit rights
The Processor shall allow for and not interfere with audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller, to verify compliance with the terms of this DPA and the applicable data protection laws. Such audits may be conducted no more than once in any 12-month period, except where required due to a Customer Data Breach or by a competent Supervisory Authority, at the Controller’s expense, and upon at least 30 days prior notice.
The Processor shall provide reasonable assistance and access to all information, systems, and facilities as may be reasonably necessary for the purpose of such audits.
The controller shall protect the confidentiality of all information obtained through such audits, and provide any written audit report to the Processor or notify the Processor of any non-compliance discovered during the audit.
14. General Terms
Each of the Controller, Processor and/or Sub-processor must keep any information it receives confidential according to the relevant confidentiality provisions set forth in the Principal Agreement.
Notwithstanding the foregoing, in addition to the applicable provisions set forth in the Principal Agreement, all notices and communications given under this DPA must be in writing and will be sent by email. The Controller shall be notified by email sent to the Account Owner’s email address provided in the Service. The Processor shall be notified by email sent to the address: email@example.com
Regarding the termination of this DPA the specific provisions of the Principal Agreement apply.
15. Governing Law and Jurisdiction
The choice of law and competent court comply with the applicable provisions of the Principal Agreement.
If you would like to sign the document, please send an email to firstname.lastname@example.org
Schedule 1: Service Description
JungleMail for Office 365 (JungleMail 365) is an email service app for the Microsoft Office 365 platform, hosted in Microsoft Azure and distributed through the Microsoft Office 365 app store (AppSource) or provided directly by EnovaPoint together with its related services.
JungleMail 365 is built to enhance internal communications, create personalized, engaging emails newsletters quickly, and review analytics. Additional features include:
- Send directly to your Azure AD groups, Distribution Lists
- Drag & Drop builder
- Populate newsletters with SharePoint content
- Send targeted newsletters based on recipients’ subscription preferences
- Extensive Newsletter analytics to track engagement
- Archive newsletters in SharePoint
Schedule 2: Technical and Organizational Measures
- Dedicated Security Team
- Physical Security at HQ
- Protection of equipment
- Data encryption at rest and in transit
- Penetration testing conducted by the third party
- Certifications & attestations
- Security program is covered by the ISO 27001 and SOC 2
- Periodic mandatory education and awareness for all personnel and hired staff
- Assigned Data Protection Officer
- Vendor Due Diligence
- Periodic data privacy awareness and mandatory education for all employees and hired personnel
- Vendor Due Diligence
- Pre-employment screening on personnel and similar requested from our sub-contractors
- The Processor servers are hosted in England in UK South Microsoft Azure Datacenter.
- Security through strict IP whitelisting and logical controls for data segregation
- Tested and implemented Business Continuity and Disaster Recovery plan based on Business Impact Analysis
- Backup and Retention Policy
- Point in Time restore backups will be kept for 35 days.
- Differential backups occur every 12 hours.
- Storage replication type: Geo-redundant storage.
- Backup restoration testing is performed at least annually to help ensure the recoverability of application data
- Numerous policies including Code of Conduct and Information Security Policy
- Non-Disclosure Agreements (including third parties)
- Clear procedures on reporting incidents to security & privacy team
- Clean Desk policy
Schedule 3: Overview of Personal Data
The subject matter of the Processing of the Personal Data is set out in the Principal Agreement and this DPA.
The duration of the Processing shall be in accordance with the Principal Agreement, the Controller’s instructions, and the terms of this DPA.
The nature and purpose of the processing is delivering the Service under the Principal Agreement:
- Delivering functional capabilities as licensed, configured, and used by the Controller, including providing personalized user experiences;
- Troubleshooting (preventing, detecting, and repairing problems); and
- Ongoing improvement (installing the latest updates and making improvements to user productivity, reliability, efficacy, and security)
For purposes of this DPA, the Processor’s legitimate business operations consist of the following:
- improving, maintaining, providing, and enhancing Processor’s technology, Products and Services; ensuring the security of the Services and Processor’s Website; and for Processor’s marketing activities.
When processing for its legitimate business operations, the Processor will not use or otherwise process Personal Data for profiling, or advertising or similar commercial purposes. In addition, where the Processor is processing this data for legitimate business operations, the Processor will process it only for the purposes set out above. To the extent the Processor uses or otherwise processes Personal Data in connection with its legitimate business operations, the Processor will be an independent data Controller for such use and will be responsible for complying with all applicable laws and Controller obligations.
The categories of data subjects are:
- Customer or Users of Services as well as any staff members of any of the involved parties who reside in the EU, as well as the people whose personal data is uploaded and used in the Service.
The following categories of Personal Data may be processed:
Customer may upload, submit, or otherwise provide certain personal data to the Service, the extent of which is typically determined and controlled by Customer in its sole discretion, and may include the following types of personal data:
- Users: Office 365 or Active Directory profile data, like First and Last names, Email, Job title, Department, Country, and other Office 365 user profile data used in the newsletters.
- Financial information: credit card details, account details, payment information.
- Contacts: Customer’s employees’ contact data, subscription preferences. This data can be used for Mail Merge, to track opens and link click events, for targeted content delivery.
The prior Data Processing Agreement is available here.