This Data Processing Addendum (“DPA”) forms part of the agreement between Customer and SendSafely covering Customer’s use of the SendSafely encrypted data exchange platform (the “Agreement”) and shall be coterminous with the Agreement. To the extent that any terms set forth in this DPA are inconsistent with the terms of the Agreement, the terms set forth in this DPA shall apply.
“Applicable Data Protection Law” shall mean: all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom and the United States and its states, applicable to the processing of Personal Data under this DPA as amended from time to time.
“CCPA” shall mean the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et. seq., as amended by the California Privacy Rights Act, and its implementing regulations.
“controller”, “processor”, “service provider”, “data subject” and “processing” (and "process") shall have the meanings given in Applicable Data Protection Law.
“Data Breach” means an incident occurred in the Services causing the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
“EEA” means the European Economic Area.
“EU Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in Decision 2021/914.
“GDPR” shall mean Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), including as implemented or adopted under the laws of the United Kingdom.
“Personal Data” and “Personal Information” shall have the meanings given in Applicable Data Protection Law; in the context of this Agreement, it refers to any information falling under the definition of Personal Data that the Customer’s clients or the Customer’s end users submit to the Services.
“Profile Data” shall mean Personal Data that relates to Customer’s relationship with SendSafely, including the names and/or contact information of individuals authorized by Customer to access Customer’s SendSafely account and billing information that Customer has associated with its SendSafely account.
“Secure Content” shall mean the end-to-end encrypted contents of the secure messages or files exchanged by means of use of the SendSafely Services.
“Services” shall have the same meaning as in the Agreement.
“Standard Contractual Clauses” shall mean, as the circumstances may require, either the EU Standard Contractual Clauses alone or the EU Standard Contractual Clauses and the UK Addendum.
“Sub-processor” means any person or entity engaged by SendSafely or its Affiliates to process Personal Data in the provision of the Services to Customer.
“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force March 21, 2022.
“Usage Data” shall mean data processed by SendSafely for the purposes of exchanging Secure Content, including individual data subject’s email, telephone numbers, and IP Address in the context of providing the SendSafely Services.
TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
SendSafely currently observes the security practices described in this Schedule A. Notwithstanding any provision to the contrary otherwise agreed to by Customer, SendSafely may modify or update these practices at its discretion provided that such modification and update does not result in a material degradation in the protection offered by these practices.
Outsourced processing. SendSafely uses third party service providers to provide its services to customers. SendSafely relies on contractual agreements and vendor representations to assure the protection of data processed or stored by these vendors is to the standard required by Applicable Data Protection Law.
Physical and environmental security. SendSafely hosts its product infrastructure with multi-tenant, outsourced data center providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
Authentication. SendSafely has implemented a uniform password policy for its customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
Authorization. Customer data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of SendSafely’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
Access controls. Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented include Virtual Private Cloud (VPC) implementations and security group assignment, along with traditional enterprise firewall and Virtual Local Area Network (VLAN) assignment.
Intrusion detection and prevention. SendSafely has implemented host-level monitoring on all production servers. The host-level monitoring is designed to identify and detect unauthorized access on these systems.
Security testing. SendSafely maintains relationships with a third-party security testing and scanning service vendor that performs continuous testing of all perimeter systems. The intent of continuous testing is to identify and resolve potential attack vectors within externally accessible systems on an ongoing basis.
Bug bounty. A bug bounty program invites and incentivizes independent security researchers to ethically discover and disclose security flaws. SendSafely has implemented a bug bounty program to widen the available opportunities to engage with the security community and improve the product defenses against sophisticated attacks.
Product access. A subset of SendSafely employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, and to detect and respond to security incidents. Employee roles are reviewed at least once every six months.
Background checks. All SendSafely employees undergo an extensive 3rd party background check prior to being extended an employment offer. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
In-transit. SendSafely mandates use of HTTPS encryption (also referred to as SSL or TLS) on every one of its publicly exposed application interfaces. SendSafely’s HTTPS implementation uses industry standard algorithms and certificates.
At-rest. SendSafely stores user passwords in accordance with industry standard practices for security.
Detection. SendSafely has designed its infrastructure to log information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities.
Communication: If SendSafely becomes aware of unlawful access to Customer data stored within its products, SendSafely will: 1) notify the affected Customers of the incident; 2) provide a description of the steps SendSafely is taking to resolve the incident; and 3) provide status updates to the Customer contact, as SendSafely deems necessary. Notification(s) of incidents, if any, will be delivered to one or more of the Customer’s contacts in a form SendSafely selects, which may include via email or telephone.
Infrastructure availability. SendSafely data center providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
Fault tolerance. Backup and replication strategies are designed to ensure redundancy and failover protections during a significant processing failure.
Online replicas and backups. Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
CROSS BORDER DATA TRANSFERS
LIST OF SUB-PROCESSORS
|Sub-processor Name||Description||Hosting Location|
|Amazon Web Services (AWS)||Platform Hosting||United States (AWS region),
Ireland (AWS region),
Germany (AWS Region),
Australia (AWS Region)
|Ask Nicely||Customer Feedback & Satisfaction Measurement||United States|
|Data Dog||System Metrics and Logging||United States|
|Corporate Email, Business Operations & Website Analytics||United States|
|LunaWeb||PDF Invoice Generation||Germany|
|MailChimp||Email Campaigns||United States|
|NewRelic||Platform Performance Tuning||United States|
|Outreach.io||Sales Email Automation||United States|
|Productboard||Product Roadmap Management & Feature Request Tracking||United States|
|Slack||Internal Team Communication & Collaboration||United States|
|Stripe||Automated Payment, Subscription, & Billing Management||United States|
|Twilio||SMS Delivery||United States|
|Xero||Invoicing & Online Bookkeeping||United States|
|Zapier||Sales Lead Processing & Invoice Generation||United States|
|Zendesk||Customer Support & Ticketing||United States|
|Zendesk Sell||Customer Relationship Management Platform (CRM)||United States|
Prior to engagement, SendSafely analyzes the security practices and credentials of each sub-processor. SendSafely’s data processing agreements with its sub-processors contain contractual safeguards designed to ensure the privacy of personal data. SendSafely regularly reassesses its sub-processors’ security programs to validate compliance with SendSafely’s security policies applicable to the specific categories of data processed.
If you have any questions relating to this data processing addendum you can contact us via email at firstname.lastname@example.org.