SendSafely Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the agreement between Customer and SendSafely covering Customer’s use of the SendSafely encrypted data exchange platform (the “Agreement”) and shall be coterminous with the Agreement. To the extent that any terms set forth in this DPA are inconsistent with the terms of the Agreement, the terms set forth in this DPA shall apply.

1. 1. Definitions. As used in this DPA, the following terms shall have the meanings set forth below (all other capitalized terms shall have the meanings set forth in the Agreement):

   “Applicable Data Protection Law” shall mean: all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom and the United States and its states, applicable to the processing of Personal Data under this DPA as amended from time to time.

   “CCPA” shall mean the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et. seq., as amended by the California Privacy Rights Act, and its implementing regulations.

   “controller”, “processor”, “service provider”, “data subject” and “processing” (and "process") shall have the meanings given in Applicable Data Protection Law.

   “Data Breach” means an incident occurred in the Services causing the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

   “EEA” means the European Economic Area.

   “EU Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in Decision 2021/914.

   “GDPR” shall mean Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), including as implemented or adopted under the laws of the United Kingdom.

   “Personal Data” and “Personal Information” shall have the meanings given in Applicable Data Protection Law; in the context of this Agreement, it refers to any information falling under the definition of Personal Data that the Customer’s clients or the Customer’s end users submit to the Services.

   “Profile Data” shall mean Personal Data that relates to Customer’s relationship with SendSafely, including the names and/or contact information of individuals authorized by Customer to access Customer’s SendSafely account and billing information that Customer has associated with its SendSafely account.

   “Secure Content” shall mean the end-to-end encrypted contents of the secure messages or files exchanged by means of use of the SendSafely Services.

   “Services” shall have the same meaning as in the Agreement.

   “Standard Contractual Clauses” shall mean, as the circumstances may require, either the EU Standard Contractual Clauses alone or the EU Standard Contractual Clauses and the UK Addendum.

   “Sub-processor” means any person or entity engaged by SendSafely or its Affiliates to process Personal Data in the provision of the Services to Customer.

   “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force March 21, 2022.

   “Usage Data” shall mean data processed by SendSafely for the purposes of exchanging Secure Content, including individual data subject’s email, telephone numbers, and IP Address in the context of providing the SendSafely Services.

2. 2. Relationship of the Parties. The parties acknowledge and agree that with regard to the processing of Personal Data, Customer is a controller or processor, as applicable, and SendSafely is a processor.
3. 3. Scope and Applicability.
   1. 3.1 Scope of this DPA. This DPA covers the processing of Personal Data that Customer submits to the Services.
   2. 3.2 Jurisdiction Specific Terms and Cross Border Data Transfer Mechanisms. SendSafely will at all times provide an adequate level of protection for the Personal Data, wherever processed, in accordance with the requirements of Applicable Data Protection Laws. To the extent Customer’s use of the Services requires an onward transfer mechanism to lawfully transfer Personal Data from a jurisdiction (i.e., the EEA, the United Kingdom or Switzerland) to SendSafely, the provisions set out in Schedule B are incorporated by reference and form an integral part of this DPA.
4. 4. Subject Matter of the Processing. The purpose of SendSafely’s data processing activities under this DPA is to facilitate the Services.
5. 5. Duration of the Processing. SendSafely will process Personal Data as long as required to provide the Services to Customer or as required by applicable law or regulation. Other than in case of expiry or termination of the Agreement, this DPA may only be amended or terminated through an instrument accepted and signed by both parties.
6. 6. Data Subjects. The data subjects whose Personal Data may be processed in connection with the Services may include Customer’s clients, employees, suppliers and/or end users. The data subjects whose Personal Data may be processed by SendSafely are necessarily determined and controlled solely by the Customer.
7. 7. Categories of Personal Data. Any category of Personal Data may be contained within the Secure Content that Customer instructs SendSafely to process through its Services. The precise Personal Data in the Secure Content that Customer transfers to SendSafely for processing is necessarily determined and controlled solely by Customer. The categories of Personal Data within the Profile Data include the names and/or contact information of individuals authorized by Customer to access Customer’s SendSafely account and billing information. The categories of Personal Data within the Usage Data include individual data subject’s email, telephone numbers, and IP Address.
8. 8. SendSafely’s Obligations.
   1. 8.1 SendSafely may process Personal Data provided by Customer only in accordance with Customer’s instructions (a) as set forth in the Agreement, this DPA, or as otherwise necessary to provide the Services to Customer; (b) as necessary to comply with applicable law or regulation; and (c) as otherwise agreed in writing between the parties (collectively, “Customer Instructions”).
   2. 8.2 Unless specifically instructed by the Customer Instructions, SendSafely shall not, under any circumstances try to decrypt, retrieve, view, alter, use, or disclose any Personal Data contained within the Secure Content.
   3. 8.3 SendSafely confirms that it shall take steps to ensure that any natural person acting under the authority of SendSafely who is involved in processing Personal Data shall only process the Personal Data on the Customer Instructions.
   4. 8.4 SendSafely shall promptly inform Customer if, in SendSafely’s opinion, any of the Customer Instructions regarding the processing of Personal Data provided by Customer would cause a breach of any Applicable Data Protection Law. SendSafely shall promptly inform Customer if, in SendSafely’s opinion, any of the Customer Instructions regarding the processing of Personal Data would limit SendSafely’s ability to provide the Services. SendSafely will provide Customer an opportunity to withdraw or modify such instructions. After good faith negotiation, if SendSafely determines that it cannot provide the Services in accordance with Customer’s Instructions, SendSafely may elect to immediately suspend or terminate the Agreement without penalty or further liability.
   5. 8.5 SendSafely shall implement the security measures set out in paragraphs 1 and 2 of art. 32 of GDPR for the protection of Personal Data, as appropriate.
   6. 8.6 Customer accepts and agrees that the technical and organizational measures detailed in this DPA are subject to development and review and that SendSafely may use alternative suitable measures to those detailed in this DPA, provided that in no case such alternative measures would intentionally be less effective than those detailed in this DPA.
9. 9. Rights of Data Subjects
   1. 9.1 SendSafely shall, to the extent legally permitted, promptly notify Customer if SendSafely receives a request from a data subject to exercise the data subject’s right of access, right to rectification, restriction of processing, erasure (‘right to be forgotten’), data portability, right to object to the processing, or its right not to be subject to an automated individual decision making (‘Data Subject Request’).
   2. 9.2 Upon reasonable request, SendSafely shall assist Customer by having in place appropriate technical and organizational measures for the fulfillment of Customer’s obligation to assist its own customers in responding to a Data Subject Request and to allow data subjects to exercise their rights under Applicable Data Protection Laws.
   3. 9.3 Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer specifically acknowledges that its use of the Services will not violate the rights of any Data Subject that has opted-out from sales or other disclosures of Personal Data, to the extent applicable under the CCPA.
10. 10. CCPA Terms
    1. 10.1 The terms in this Section 10 apply where SendSafely processes personal data subject to the CCPA.
    2. 10.2 SendSafely will process any Personal Information provided by Customer only for the business purposes set forth in the Agreement, including the purpose of the processing and processing activities set forth in this DPA (“Purpose”). As a service provider under the CCPA, SendSafely will not sell or share Personal Information or retain, use, or disclose Personal Information for any purpose other than the Purpose. For the avoidance of doubt, SendSafely will not retain, use, or disclose Personal Information for a commercial purpose other than the Purpose, or as otherwise permitted by the CCPA.
    3. 10.3 SendSafely will (i) comply with obligations applicable to it as a service provider under the CCPA and (ii) provide Personal Information with the same level of privacy protection as is required by the CCPA. Customer is responsible for ensuring that it has complied, and will continue to comply, with the requirements of the CCPA in its use of the Services and its own processing of Personal Information.
    4. 10.4 Customer will have the right to take reasonable and appropriate steps to help ensure that SendSafely uses Personal Information in a manner consistent with Customer’s obligations under the CCPA.
    5. 10.5 SendSafely will notify Customer if SendSafely determines that SendSafely can no longer meet its obligations as a service provider under the CCPA.
    6. 10.6 Upon notice, Customer will have the right to take reasonable and appropriate steps in accordance with the Agreement to stop and remediate unauthorized use of Personal Information.
    7. 10.7 For any sub-processor used by SendSafely to process Personal Information subject to the CCPA, SendSafely will ensure that SendSafely’s agreement with such sub-processor complies with the CCPA, including, without limitation, the contractual requirements for service providers and contractors.
    8. 10.8 SendSafely will not combine Customer Data that it receives from, or on behalf of, Customer, with personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer, unless such combination is required to perform any business purpose as permitted by the CCPA.
    9. 10.9 SendSafely certifies that it understands and will comply with its obligations under the CCPA.
11. 11. Data Retention and Backup
    1. 11.1 Subject to Section 11.2, Personal Data provided by Customer to the Services for secure data exchange will be retained for only as long as necessary to provide the Services.
    2. 11.2 SendSafely will perform backup copies for possible restoration requirements. Any data that is erased at the end of its retention period, will be erased using techniques that make it impossible to reconstruct it. The same is true for backup copies after their retention period.
12. 12. Sub-processors
    1. 12.1 Current Sub-processors. Customer consents to SendSafely engaging third party Sub-processors in SendSafely’s performance of its duties as data processor provided that SendSafely maintains an up-to-date list of its Sub-processors here, which contains instructions for Customer to subscribe to notifications of new Sub-processors. Customer agrees to subscribe to such notifications.
    2. 12.2 SendSafely shall impose data protection terms on any Sub-processor it appoints that require such Sub-processor to protect Customer Data consistent with SendSafely’s obligations in this DPA and to the standard required by Applicable Data Protection Law.
    3. 12.3 Customer gives SendSafely a general authorization to replace any of its Sub-processors or to add a new Sub-processor. SendSafely will make available details of any intended addition or replacement of a Sub-processor at least thirty (30) days prior to such addition or replacement. Customer may object prior to the new Sub-processor’s appointment, provided such objection is in writing and based on reasonable grounds relating to data protection. In such an event, Customer and SendSafely agree to discuss commercially reasonable alternative solutions in good faith. If Customer and SendSafely cannot reach a resolution within the notice period described above, SendSafely shall have the right to proceed with the proposed addition or replacement, and Customer may discontinue the use of the affected Services by providing written notice to SendSafely. If no Customer objection is raised prior to the addition or replacement, the appointment will be considered as accepted.
    4. 12.4 The parties agree that SendSafely shall be liable for any breaches of this DPA caused by the acts and omissions or negligence of its Sub-processors to the same extent SendSafely would be liable if performing the services of each Sub-processor directly under the terms of this DPA, subject to any limitations on liability set out in the Agreement.
13. 13. Audit Rights of Customer
    1. 13.1 Subject to all the terms of this Section 13.1, Customer may carry out inspections of SendSafely’s business premises for the purpose of verifying SendSafely’s implementation of SendSafely’s compliance with data security requirements set out in the Applicable Data Protection Law and/or in this DPA. Inspections must be requested with reasonable advance notice, and, unless Customer has a legal obligation to perform them frequently, Customer shall not request an inspection more than once in a twelve-month period. SendSafely shall reasonably assist in any such audit or have an appointed representative assist and shall be entitled to charge Customer for providing such assistance on a time and materials basis at its standard professional services fee rates.
    2. 13.2 SendSafely undertakes to provide Customer, upon reasonable request, with information required by Customer necessary to show that the Parties have complied with their respective obligations under Applicable Data Protection Law, and to make available any documentation that might be necessary for this purpose.
14. 14. Management of Data Breaches. Notwithstanding the technical and organizational measures implemented by SendSafely to protect Personal Data from Data Breaches, Customer recognizes that a Data Breach, although unlikely, has a possibility to occur.
    1. 14.1 SendSafely shall notify Customer without undue delay after becoming aware of a Data Breach.
    2. 14.2 Customer shall notify SendSafely without undue delay after becoming aware of a Data Breach.
15. 15. Compliance and Cooperation. When required under the Applicable Data Protection Law, SendSafely will assist Customer in meeting any obligations Customer may have to: (i) keep Personal Data secure; (ii) notify the supervisory authority of a Data Breach; (iii) advise data subjects of Data Breaches; (iv) consult with the supervisory authority in relation to a data protection impact assessment; and (v) carry out a data protection impact assessment, taking into account the nature of processing and the information available to SendSafely.
    1. 15.1 SendSafely will notify Customer promptly of any request or complaint regarding the processing of Personal Data, which adversely impacts Customer, unless such notification is not permitted under applicable law or a relevant court order.
    2. 15.2 Customer and SendSafely, shall cooperate, on request, with a supervisory authority in the performance of their respective obligations under this DPA.
16. 16. Confidentiality Obligations of SendSafely’s Personnel. SendSafely undertakes to employ in the data processing functions performed under this DPA only personnel that has undergone regular training in the obligations associated with security of Personal Data. SendSafely further undertakes to have a written agreement with each of its employees involved in data processing functions performed under this DPA committing the employee to confidentiality regarding Personal Data and to compliance with SendSafely’s obligations under this DPA.

SCHEDULE A

TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

SendSafely currently observes the security practices described in this Schedule A. Notwithstanding any provision to the contrary otherwise agreed to by Customer, SendSafely may modify or update these practices at its discretion provided that such modification and update does not result in a material degradation in the protection offered by these practices.

1. 1. Access Control.
   1. 1.1 Preventing Unauthorized Product Access.

      Outsourced processing. SendSafely uses third party service providers to provide its services to customers. SendSafely relies on contractual agreements and vendor representations to assure the protection of data processed or stored by these vendors is to the standard required by Applicable Data Protection Law.

      Physical and environmental security. SendSafely hosts its product infrastructure with multi-tenant, outsourced data center providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.

      Authentication. SendSafely has implemented a uniform password policy for its customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.

      Authorization. Customer data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of SendSafely’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.

   2. 1.2 Preventing Unauthorized Product Use. SendSafely implements industry standard access controls and detection capabilities for the internal networks that support its products.

      Access controls. Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented include Virtual Private Cloud (VPC) implementations and security group assignment, along with traditional enterprise firewall and Virtual Local Area Network (VLAN) assignment.

      Intrusion detection and prevention. SendSafely has implemented host-level monitoring on all production servers. The host-level monitoring is designed to identify and detect unauthorized access on these systems.

      Security testing. SendSafely maintains relationships with a third-party security testing and scanning service vendor that performs continuous testing of all perimeter systems. The intent of continuous testing is to identify and resolve potential attack vectors within externally accessible systems on an ongoing basis.

      Bug bounty. A bug bounty program invites and incentivizes independent security researchers to ethically discover and disclose security flaws. SendSafely has implemented a bug bounty program to widen the available opportunities to engage with the security community and improve the product defenses against sophisticated attacks.

   3. 1.3 Limitations of Privilege; Authorization Requirements.

      Product access. A subset of SendSafely employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, and to detect and respond to security incidents. Employee roles are reviewed at least once every six months.

      Background checks. All SendSafely employees undergo an extensive 3rd party background check prior to being extended an employment offer. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.

2. 2. Transmission Control.

   In-transit. SendSafely mandates use of HTTPS encryption (also referred to as SSL or TLS) on every one of its publicly exposed application interfaces. SendSafely’s HTTPS implementation uses industry standard algorithms and certificates.

   At-rest. SendSafely stores user passwords in accordance with industry standard practices for security.

3. 3. Input Control.

   Detection. SendSafely has designed its infrastructure to log information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities.

   Communication: If SendSafely becomes aware of unlawful access to Customer data stored within its products, SendSafely will: 1) notify the affected Customers of the incident; 2) provide a description of the steps SendSafely is taking to resolve the incident; and 3) provide status updates to the Customer contact, as SendSafely deems necessary. Notification(s) of incidents, if any, will be delivered to one or more of the Customer’s contacts in a form SendSafely selects, which may include via email or telephone.

4. 4. Availability Control.SendSafely’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists SendSafely operations in maintaining and updating the product applications and backend while limiting downtime.

   Infrastructure availability. SendSafely data center providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.

   Fault tolerance. Backup and replication strategies are designed to ensure redundancy and failover protections during a significant processing failure.

   Online replicas and backups. Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.

SCHEDULE B

CROSS BORDER DATA TRANSFERS

1. 1. UK International Data Transfer Addendum.
   1. 1.1 The UK Addendum will apply to Personal Data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or governmental body as providing an adequate level of protection for personal data. For such transfers of Personal Data, the UK Addendum will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
      1. (a) In Table 1 of the UK Addendum, the parties’ details and key contact information is located on page one of this DPA.
      2. (b) In Table 2 of the UK Addendum, information about the version of the Approved EU SCCs, modules and selected clauses which the UK Addendum is appended to is located in Section 2 (EU Standard Contractual Clauses) of this Schedule B.
      3. (c) In Table 3 of the UK Addendum:
         1. (i) The list of Parties is located in Section 2.2 (f) of this Schedule B.
         2. (ii) The description of the transfer is set forth in Section 2.2 (g) of this Schedule B.
         3. (iii) Annex II details (technical and organizational measures) are located in Schedule A to this DPA.
         4. (iv) Annex III (the list of Sub-processors) is provided as set forth in Section 12 of this DPA.
      4. (d) In Table 4 of the UK Addendum, Importer and Exporter may end the UK Addendum in accordance with the terms when the Approved Addendum changes.
2. 2. EU Standard Contractual Clauses
   1. 2.1 The EU Standard Contractual Clauses will apply to Personal Data that is transferred via the Services from the EEA or Switzerland, either directly or via onward transfer, to any country or recipient outside the EEA or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for personal data. For such transfers of Personal Data, the EU Standard Contractual Clauses are incorporated into this DPA by reference, and will apply in the following manner:
      1. (a) Module Two (Transfer Controller-to-Processor) will apply where Customer is a controller of Personal Data and SendSafely is a processor of Personal Data; and
      2. (b) Module Three (Transfer Processor-to-Processor) will apply where Customer is a processor of Personal Data and SendSafely is a subprocessor of Personal Data.
   2. 2.2 With regards to the EU Standard Contractual Clauses and Modules outlined in Section 2.1, the parties agree to the following:
      1. (a) SCC Clause 7 (“Docking Clause”) does not apply;
      2. (b) in SCC Clause 9 (a) (“Use of Subprocessors”), Option 2 (“General Written Authorization”) shall apply, and the time period for prior notice of subprocessor changes will be as set forth in Section 12 of this DPA;
      3. (c) in SCC Clause 11 (a) (“Redress”), the optional language will not apply;
      4. (d) in SCC Clause 17 (“Governing Law”), Option 1 will apply, and the Standard Contractual Clauses will be governed by the laws of the Republic of Ireland;
      5. (e) in SCC Clause 18 (b), disputes will be resolved before the courts of the Republic of Ireland;
      6. (f) in SCC Annex I, Part A:
         1. (i) Data Exporter: Customer.
         2. (ii) Contact Details: The email address(es) designated by Customer in Customer’s SendSafely account.
         3. (iii) Activities relevant to the data transferred under these Clauses: Performance of the Services by the data importer to the data exporter in accordance with the Agreement.
         4. (iv) Role: Controller or Processor, as applicable.
         5. (v) Signature and Date: The parties agree that the execution of this DPA shall constitute execution of these Clauses by both parties.
         6. (vi) Data Importer: SendSafely Inc. 40 East Main Street, Suite 897, Newark, DE 19711.
         7. (vii) Contact Details: SendSafely Privacy Team, privacy@sendsafely.com
         8. (viii) Activities relevant to the data transferred under these Clauses: Performance of the Services by SendSafely to Customer in accordance with this DPA and the Agreement.
         9. (ix) Role: Processor.
         10. (x) Signature and Date: The parties agree that the execution of the this DPA shall constitute execution of the Standard Contractual Clauses by both parties.
      7. (g) in SCC Annex I, Part B:
         1. (i) The categories of data subjects and type(s) of Personal Data transferred.
            1. (A) Data subjects contained within Secure Content transferred by SendSafely may include Customer’s customers, employees, suppliers and/or end users, as determined by Customer. Any category of Personal Data may be contained within Secure Content that the Customer instructs SendSafely to process through the Services. The precise Personal Data that Customer will transfer to SendSafely is necessarily determined and controlled solely by Customer. Categories of data within Profile Data include the names and/or contact information of individuals authorized by Customer to access Customer’s SendSafely account and billing information. Personal Data categories contained within Usage Data include an individual data subject’s email address, telephone number, and IP Address.
            2. (B) Special categories of data may from time to time be processed by SendSafely where Customer or its end users choose to include this type of data within the Secure Content exchanged using the Services. SendSafely will not have readable access to any such special categories of personal data and will not, in providing the Services, know that they are present. As such, Customer is solely responsible for ensuring the legality of any special categories of data it or its end users choose to process using the Services.
         2. (ii) The frequency of the transfer is on a continuous basis for the duration of the Agreement.
         3. (iii) The nature and the objective of the processing.
            1. (A) SendSafely may host and process Personal Data in the course of providing the Services to Customer. Personal Data within the Usage Data and Profile Data is processed by SendSafely in order to provide the Services to Customer. Personal Data may be contained within Secure Content exchanged through the Services. Secure Content (including any Personal Data contained therein) is encrypted client-side before being uploaded for transfer and only decrypted client-side after the files are downloaded by the recipient. The Purpose of the data transfer and further processing is end-to-end encrypted secure data transfer on behalf of the Customer.
         4. (iv) The period of retention of Personal Data in relation to the processing.
            1. (A) Personal Data provided by Customer to the Services will be retained for only as long as necessary to provide the Services. SendSafely will perform backup copies for possible restorations requirements. Any data that is erased at the end of its retention period, will be erased using techniques that make it impossible to reconstruct it. The same is true for backup copies after their retention period.
         5. (v) For eventual transfers to Sub-processors, the subject matter and nature of the processing is described as set forth in Section 12 of this DPA. The duration of processing by Sub-processors is the same as by SendSafely.
      8. (h) In SCC Annex I, Part C: The Irish Data Protection Commission will be the competent supervisory authority.
      9. (i) SCC Annex II: Schedule B of this DPA serves as Annex II.