At EnovaPoint we want to protect the personal data of our Customers as well as that of our Staff. This Data Processing Addendum is an addition to our Terms of Service and in it, we set out the ways in which we process personal data in a way that is secure, fair, and transparent.
This Data Protection Addendum is part of the Terms of Service between EnovaPoint (“Us”, “We”, “EnovaPoint”, “Supplier”) and the Customer (“Customer” or “You”) using and/or buying any of EnovaPoint’s Services (JungleMail for Office 365, JungleDocs for Office 365, “The Services” or individually “The Service”, depending on the product(s) You use).
In consideration of the mutual obligations set out herein, the parties agree that the terms and conditions set out below shall be added as an Addendum to the existing Terms of Service as is applicable to any and all of EnovaPoint’s Services which are used by the Customer.
This Data Processing Addendum protects the data of all parties. In turn, all have obligations to protect data. The following definitions will give a better idea of what is meant by data in this Addendum.
“EnovaPoint”, “We”, “Us”, or “Our” refers to the company EnovaPoint, i.e. the creator and manager of the Services: JungleMail for Office 365 as well as its related Services, (collectively these are referred to as the “Services” or the “Products”).
“You” or the “Customer” refers to the company or organization that signs up to use, already uses or buys any of the EnovaPoint Services.
“Staff” refers to those individuals who are employed by or are under contract to perform a service on behalf of one of the parties.
“Data Subjects” refers to customers or users of one of EnovaPoint’s Services as well as any staff members of any of the involved parties who reside in the EU, as well as the people whose personal data is uploaded and used in the Service.
The terms “Controller”, “Data Subject”, “Member State”, “Personal Data”. Processing”. “Sub-processor” shall have the same meaning as in the GDPR.
“GDPR” means EU General Data Protection Regulation 2016/679.
Legal Basis for Processing
We process Personal Information as a Data Controller as described in this section, where such processing is in our legitimate interests and is not in conflict with Your data protection interests or any of Your other rights.
Our legitimate interests typically include the following: improving, maintaining, providing, and enhancing Our technology, Products and Services; ensuring the security of the Services and Our Website; and for Our marketing activities.
EnovaPoint uses certain Sub-Processors to assist in providing the services relating to JungleMail for Office 365. We define a Sub-Processor as a third party data processor engaged by EnovaPoint who agrees to receive personal data from EnovaPoint intended for processing activities to be carried out (i) on behalf of EnovaPoint’s customers; (ii) in accordance with customer instructions as communicated by EnovaPoint; and (iii) in accordance with the terms of a written contract between EnovaPoint and the Sub-Processor.
Sub-Processors Used by EnovaPoint
SparkPost (Message Systems, Inc) (www.sparkpost.com) is used as a Sub-Processor to deliver emails when JungleMail Built-in sending account is used.
Customer who uses JungleMail EU, UK or AU app, SparkPost’s datacenter located in Dublin, Ireland (https://www.datacenters.com/amazon-aws-south-dublin).
Customer who uses JungleMail US or CA app, SparkPost’s datacenter located in Oregon, USA.
Details of the Service hosting location are further specified in Annex 2 of this DPA.
Stripe (Stripe Payments Europe, Ltd.) (www.stripe.com) is used as a Sub-Processor to facilitate an electronic payment transactions for using the Services. Stripe Payments Europe, Ltd. is a subsidiary of Stripe, Inc., and is a private company incorporated in Ireland and registered with the Irish Data Protection Commissioner’s Office.
To deliver the Services associated with the JungleDocs for Office365 we do not use any data Sub-Processors.
Treatment of Personal Data by EnovaPoint and You
- All parties bound by our Terms of Service agree that personal data shall be treated as confidential information, as set out in this Addendum and in the other legal documents found on the legal page of our Website. All parties shall also comply with the applicable laws relating to data protection in the relevant jurisdiction with respect to each other’s personal data, in case persons/companies residing in the EU are the parties involved, this will be the GDPR.
- Personal Data remains the property of the disclosing party. EnovaPoint agrees and understands that the Customer is the controller and maintains control over the Data Subject’s personal data.
- EnovaPoint vows to process the Customer’s personal data only to the extent strictly necessary to be able to provide its Services. Detail of the Processing are further specified in Annex 1 to this DPA.
- Aside from the point mentioned above, EnovaPoint will:
- ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in relation to the Personal Data of the Customer implement appropriate technical and organizational measures.
- it will not modify, alter, delete, publish or disclose any Customer personal data to any third party, nor allow any third party to process such personal data processed by EnovaPoint on behalf of the Company unless the third party is bound to similar confidentiality and data handling provisions;
- only its personnel who “need-to-know” will be given access to Customer’s personal data and only to the extent necessary to perform obligations and deliver Service. This staff will receive training to ensure they comply with the obligations as set out herein; and
- it will only process personal data to the extent necessary to perform its obligations as set out in the Terms of Service and only in accordance with applicable laws.
Data Processed by Customers through Our Services
EnovaPoint’s Services facilitate the processing of personal data by its Customers. When a Customer processes personal data and uses the Service to do this he is considered to be a Data Controller. It is important that Customers follow the applicable laws, and Our practices as set out below:
- The Customer vows that it has all necessary rights to provide EnovaPoint with personal data for processing in connection with the provision of EnovaPoint’s Services.
- As required by applicable law, the Customer is responsible that consent is given by data subjects (for example for sending newsletters), and that a record of these consents is kept. This includes consent to use personal data that is obtained from third parties. When consent is revoked by a data subject, the Customer is responsible for communicating this to EnovaPoint. We will then be responsible for implementing any instruction with respect to the further processing of that personal data, or, we will adhere to our legal obligations.
- The Customer understands, as a controller, that it is responsible for:
- determining the lawfulness of any processing, which is performed with any required data protection impact assessments, and accounting to regulators and individuals, as may be required;
- making reasonable efforts to verify parental consent when data is collected on a data subject under 16 years of age;
- responding to requests from individuals about their data and the processing of the same, including requests to have personal data altered, corrected, or erased, and providing copies of the actual data processed;
- implementing Your own appropriate technical and organizational measures to ensure and demonstrate processing in accord with this Addendum;
- notifying individuals and any relevant regulators or authorities of any incident as may be required by law in Your jurisdiction.
Incidents, Resolutions and Procedures
EnovaPoint tries to avoid incidents, but in the unlikely event that an incident does happen, the following clauses apply to the solving and managing of the incident in question:
- When one of the parties involved becomes aware of an incident (such as a data breach) that impacts the processing of personal data, it will with no delay notify the other about the incident. It shall then cooperate, at a level that is to be expected and is reasonable considering the circumstance of the incident, to enable the investigate the incident, so that a correct response can be given, and also to solve the incident as soon as possible within the bounds of that incident.
- Both parties vow to always be prepared for incidents. They know what to do when an incident happens, the staff has received training, and written procedures which enable them to promptly respond to the other about an incident are readily available. In case the incident would be classified as a data breach under applicable laws, the party responsible for the incident or the one noticing the incident first shall notify the other immediately after having become aware of such an incident.
- When an incident happens, email@example.com should immediately be contacted, if you have a regular point of contact at EnovaPoint you can also address the notification of the incident to this particular person. Such communications should explain the nature of the incident as well as the number of individuals that are harmed / in danger as a result of the incident, as well as the plans already set in motion or about to set in motion to resolve this incident. The parties vow to be responsive in such a case and deal with the incident in unison without forming obstructions to the other party as much as possible following the type of incident that has occurred.
Liability and Indemnity
When as a direct or indirect result of a breach of this Data Processing Addendum costs will be accrued, each party will indemnify the other. On top of that, they will be held harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the indemnified party.
This Data Processing Addendum will have the same duration as and will be subject to the termination terms of the Terms of Service. The obligations of EnovaPoint to implement appropriate security measures with respect to Personal Data will survive the termination of this Data Processing Addendum and will apply for so long as EnovaPoint retains Personal Data. In the event of a conflict between this Data Processing Addendum and the Terms of Service, this Data Processing Addendum will apply to the extent of the inconsistency.
This Data Processing Addendum and any dispute or claim arising out of or in connection with this Data Processing Addendum or its subject matter shall be governed by, and construed in accordance with, the laws of Lithuania.
IN WITNESS WHEREOF, this Agreement is entered into with effect from the date first set out below.
This Data Proccessing Addendum has last been updated on October 1, 2021.
If you would like to sign the document, please send an email to firstname.lastname@example.org.
Annex 1: Description of Processing
This Annex includes certain details of the processing of Personal Data as required by Article 28(3) GDPR.
- Subject matter: The subject matter of the data processing under this DPA is the Customer Data.
- Duration of Processing: For the duration of the term of the Terms of Service, plus the period from the expiration of the Terms of Service while Personal Data is retained.
- The nature and purpose of the processing of Personal Data: Personal data will be processed for the purpose of delivering the Services under this Agreement.
- Categories of Personal Data:
Customer may upload, submit or otherwise provide certain personal data to the Service, the extent of which is typically determined and controlled by Customer in its sole discretion, and may include the following types of personal data:
- Users: Office 365 or Active Directory profile data, like First Last names, Email, Job title, Department, Country and other Office 365 user profile data used in the newsletter.
- Financial information: credit card details, account details, payment information.
- Contacts: Customer’s employees contact data, subscription preferences. This data can be used for Mail Merge, to track opens and link click events, for targeted content delivery.
Annex 2: Data Hosting Locality
Customers who purchase the JungleMail for Office 365 Service (Available in the AppSource), have the ability to select the region where their JungleMail for Office 365 data will be stored.
Available regional options:
|Azure Datacenter region||Location|
|JungleMail US app||East US||Virginia|
|JungleMail EU app||West Europe||Netherlands|
|JungleMail AU app||Australia Southeast||Victoria|
|JungleMail UK app||UK South||London|
|JungleMail CA app||Canada Central||Toronto|