Effective as of September 13, 2023
Mailmeteor SAS ("Mailmeteor") and the counterparty agreeing to these terms ("Customer") have entered into a written or electronic agreement for the provision of Services by Mailmeteor to Customer (the "Main Agreement"). This Data Processing Addendum, including the appendices (the "DPA"), forms part of the Main Agreement.
This DPA will be effective, and will replace and supersede any previously applicable terms relating to their subject matter (including any data processing amendment, agreement or addendum relating to the Services), from the date on which Customer agreed to the Main Agreement or the parties otherwise agreed to this DPA.
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:
1.1.1. "Personal Data" means all data which is defined as 'personal data', 'personal information', or 'personally identifiable information' (or analogous term) under Applicable Data Protection Laws.
1.1.2. "Customer Personal Data" means any Personal Data Processed by Mailmeteor on behalf of Customer pursuant to or in connection with the provision of the Services;
1.1.3. "Applicable Data Protection Laws" means all laws and regulations that are applicable to the processing of Personal Data under the Main Agreement, including European Data Protection Laws and the United States Data Protection Laws.
1.1.4. "Service(s)" means the services provided by Mailmeteor to the Customer as indicated in the Main Agreement, including, but not limited to, Mailmeteor's email marketing platform;
1.1.5. "Sub-processor" means any person appointed by or on behalf of Mailmeteor to process Personal Data on behalf of the Customer in connection with the provision of the Services;
2. Purpose of this DPA
2.1. The purpose of this DPA concerns the Processing of Personal Data to allow the performance of the Services.
2.2. The parties hereby explicitly determine Mailmeteor to be the Processor and the Customer to be the Controller for the Processing of Personal Data, as those terms are defined in the European Union General Data Protection Regulation 2016/679.
2.3. As part of their contractual relations, the parties shall undertake to comply with the Applicable Data Protection Laws.
3. Mailmeteor obligations
3.1. With respect to all Personal Data it processes in its role as a Processor or Sub-processor, Mailmeteor warrants that it shall:
3.1.1. comply with all applicable Data Protection Laws in the Processing of Customer Personal Data;
3.1.2. only process Personal Data for the limited and specified business purpose of providing the Services;
3.1.3. implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data and document them at mailmeteor.com/security;
3.1.4. ensure that only authorized personnel have access to such Personal Data and that any persons whom it authorizes to have access to the Personal Data are under contractual or statutory obligations of confidentiality;
3.1.5. notify Customer without undue delay upon becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform data subjects of the Personal Data Breach under the Data Protection Laws.
4.1. Mailmeteor will disclose Personal Data to Sub-processors only for the specific purpose of providing the Services.
4.2. Mailmeteor will ensure that any Sub-processor it engages to provide an aspect of the Services on its behalf in connection with this DPA does so only on the basis of a written contract which imposes on such Sub-processor terms (i.e., data protection obligations) that are no less protective of Personal Data than those imposed on Mailmeteor in this DPA.
4.3. The Customer grants a general written authorization to Mailmeteor to appoint third party data center operators, and business, engineering and customer support providers as Sub-processors to support the performance of the Services.
4.4. Mailmeteor will maintain a list of Sub-processors at mailmeteor.com/legal/subprocessors/ and will add the names of new and replacement Sub-processors to the list at least thirty (30) days prior to the date on which those Sub-processors commence processing of Personal Data.
4.4.1. If Customer objects to any new or replacement Sub-processor on reasonable grounds related to data protection, it shall notify Mailmeteor of such objections in writing within ten (10) days of the notification and the parties will seek to resolve the matter in good faith. If Mailmeteor is reasonably able to provide the Services to the Customer in accordance with the Main Agreement without using the Sub-processor and decides in its discretion to do so, then the Customer will have no further rights under this clause 4.4 in respect of the proposed use of the Sub-processor. If Mailmeteor, in its discretion, requires use of the Sub-processor and is unable to satisfy Customer's objection regarding the proposed use of the new or replacement Sub-processor, then Customer may terminate the applicable Main Agreement effective upon the date Mailmeteor begins use of such new or replacement Sub-processor solely with respect to the Services that will use the proposed new Sub-processor for the processing of Personal Data.
4.4.2. If Customer does not provide a timely objection to any new or replacement Sub-processor in accordance with this clause 4.4, Customer will be deemed to have consented to the Sub-processor and waived its right to object.
5. Audit and records
5.1. Mailmeteor shall, in accordance with Applicable Data Protection Laws, make available to the Customer the necessary documentation, in Mailmeteor's possession or control as Customer may reasonably request, to demonstrate Mailmeteor's compliance with its obligations under the Applicable Data Protection Laws.
5.2. Mailmeteor may fulfill Customer's right of audit under Applicable Protection Laws in relation to Personal Data, by providing, (a) a yearly audit report prepared by an independent external auditor demonstrating Mailmeteor's technical and organizational measures are in accordance with an accepted industry standard (b) enable Customer to request one onsite audit per annual period during the Term (as defined in the Main Agreement) to verify Mailmeteor's compliance with its obligations under this DPA in accordance with clause 5.3.
5.3. The following additional terms shall apply to audits the Customer requests:
5.3.1. Customer must send any requests for reviews of Mailmeteor's audit reports to [email protected].
5.3.2. Mailmeteor may charge a fee (based on industry standard reasonable costs) for any audit under clause 5.2(b).
6. Data transfer
6.1. In connection with the provision of the Services, the parties anticipate that Mailmeteor (and its Sub-processors) may transfer and/or process data between different regions of the world, including but not limited to, from and outside of the European Economic Area ("EEA"), Switzerland, and the United Kingdom.
6.2. These transfers are necessary to globally provide the Services. Consequently, Mailmeteor and Customer shall ensure the existence of appropriate regulations to allow this transfer in compliance with the Applicable Data Protection Laws.
6.3. In the event Customer seeks to conduct any assessment of the adequacy of Mailmeteor's transfers to any particular countries or regions, Mailmeteor shall, to the extent it is able, provide reasonable assistance to Customer for the purpose of any such assessment, provided Customer shall cover all costs incurred by Mailmeteor in connection with its provision of such assistance.
7.1. Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement or at such other address as notified from time to time by the parties changing address.
7.2. Mailmeteor's liability under or in connection with this DPA, including under the EU SCCs, is subject to the exclusions and limitations on liability contained in the Main Agreement. In no event does Mailmeteor limit or exclude its liability towards data subjects or competent data protection authorities.
7.3. Except where and to the extent expressly provided in the EU SCCs or required as a matter of Applicable Data Protection Laws, this DPA does not confer any third-party beneficiary rights; it is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.
7.4. This DPA and any action related thereto shall be governed by and construed in accordance with the laws as specified in the Main Agreement, without giving effect to any conflicts of laws principles. The parties consent to the personal jurisdiction of, and venue in, the courts specified in the Main Agreement.
7.5. If any provision of this DPA is, for any reason, held to be invalid or unenforceable, the other provisions of the DPA will remain enforceable. Without limiting the generality of the foregoing, Customer agrees that clause 7.2 (Limitation of Liability) will remain in effect notwithstanding the unenforceability of any provision of this DPA.
7.6. This DPA is the final, complete and exclusive agreement of the parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter.