Date of release: 5 July 2022.
This Data Protection Agreement (“DPA”) becomes effective on the date both parties execute a copy of this DPA.
Customer shall make available to MessageMedia, and authorizes MessageMedia to process, information including personal data for the provision of the Services under the Agreement. The parties have agreed to enter into this DPA to confirm the data protection provisions relating to their relationship and to meet the requirements of applicable Data Protection Legislation.
1. Definitions
1.1 For the purposes of this DPA:
- “Agreement” means the agreement between MessageMedia and the Customer under which MessageMedia provides specified services (“Services”).
- “Data Protection Legislation” means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data by the Customer as Data Controller, including without limitation all binding (inter)national laws and other binding data protection or data security directives, laws, regulations and rulings valid at the given time including any guidance and codes of practices issued by the applicable supervisory authority;
- “Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;
- “(Data) Processing” means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- “Special Categories of Personal Data” means information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, data concerning a natural person’s sex life or sexual orientation or any other special category of data as is indicated within the deviations in Appendix 2 Deviations based on applicable National legislation or in the Agreement;
- “Technical and Organisational Measures” or TOMs means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access. This includes the agreed applicable security requirements and security instructions and their updates applicable at each time and described in Appendix 1 Technical and organizational measures to this DPA or in the Product Terms or Application Form;
- The terms “data controller” and “data processor” shall have the meanings given to them under the GDPR.
1.2
Capitalized terms used and not defined in this DPA have the meanings given to such terms in the Agreement.
2. Role of the Parties
The Parties understand that for the provision of the Services a distinction is made between two types of processing of personal data:
- (i) the provision of the services (i.e. the database of call data records and the logs created and managed by MessageMedia on behalf and under the supervision of Customer) for which MessageMedia will act as a data processor and agrees to comply with the respective obligations set out in this DPA, and
- (ii) the transmission of messages (i.e. A2P SMS) by MessageMedia and other Service Providers for which MessageMedia will act as a data controller and agrees to comply with the respective obligations set out in clause 14.
3. Subject matter, nature and purpose of MessageMedia’s processing of personal data
3.1
The subject matter, nature and purpose of the processing of personal data under this DPA is MessageMedia’s performance of the Services pursuant to the Agreement and as further instructed by the Customer in its use of the Services (“Instructions”), unless required to do so otherwise by Data Protection Legislation and/or Relevant Laws. In such case (and if, to the extent permitted by Data Protection Legislation and/or Relevant Laws.
3.2
Instructions of the Customer shall be in written form (including, but not limited to, email) or can be given through settings and use of MessageMedia’s portal(s) and/or software. In exceptional cases, Instructions may be given orally by the Customer. Such oral Instructions will be confirmed by the authorized person of Customer in writing or by email (in text form).
4. Duration
4.1
MessageMedia shall only collect or process personal data for the duration of the Agreement to the extent, and in such a manner, as is necessary for provision of the Services and in accordance with the Agreement and Data Protection Legislation applicable to MessageMedia in its role as data processor.
4.2
The processing of personal data will be carried out by MessageMedia after the Agreement as necessary to fulfill the obligations in this DPA or when necessary due to mandatory law, unless otherwise agreed upon in writing.
5. Type of personal data processed
The following categories of personal data may be processed to deliver the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but are not limited to, the following:
- Contact information (company, email, phone, physical address)
- First and last name
- Title
- Position
- Employer
- Connection data
- Other data as defined within the Agreement as agreed upon between the parties.
6. Type of data subjects
The Customer may submit personal data to the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to personal data relating to the following categories of data subjects:
- Customers, business partners and vendors of the Customer (who are natural persons)
- Employees of contact persons of the Customer’s customers, business partners and vendors
- Employees, agents, advisors, freelancers of the Customer (who are natural persons)
- Customer’s Service users, including any user of the Services whom Customer permits to use the Services
7. Sub-processors
7.1
The Customer agrees that MessageMedia may engage MessageMedia Affiliates or third parties to process personal data in order to assist MessageMedia to deliver the Services on behalf of the Customer (“Sub-processors”). MessageMedia has entered or will enter into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA, to the extent applicable to the nature of the Services provided by such Sub-processor.
7.2
When required by law, MessageMedia shall conclude additional agreements (for example, but not limited to, Business Associates Agreements as is required by The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and/or The Health Information Technology for Economic and Clinical Health act (“HITECH”)).
7.3
The current Sub-processors for the Services can be obtained by contacting privacyofficer@messagemedia.com.au (“Sub-processor List”) and the Customer agrees and approves that MessageMedia has engaged such Sub-processors to process personal data as set out in the list. The Customer may also subscribe to notifications of new Sub-processors for each applicable Service, to which Customer shall subscribe by contacting privacyofficer@messagemedia.com.au, and if the Customer subscribes, MessageMedia shall provide notification of a new Sub-processor(s) before authorizing any new Sub-processor(s) to process personal data in connection with the provision of the applicable Service.
7.4
MessageMedia shall notify the Customer, in accordance with the mechanism set out in clause 7.3, thirty (30) days in advance of any intended changes concerning the addition or replacement of any Sub-processor, during which period the Customer may raise objections to the Sub-processor’s appointment. Any objections must be raised promptly (and in any event no later than fourteen (14) days following MessageMedia’s notification of the intended changes). Should MessageMedia choose to retain the objected-to Sub-processor, MessageMedia will notify the Customer at least fourteen (14) days before authorizing the Sub-processor to process personal data, and the Customer may then immediately discontinue using the relevant portion of the Services and may terminate the relevant portion of the Services. MessageMedia will refund the Customer any prepaid fees covering the remainder of the term of such relevant portion of the Service following the effective date of termination, and there will be no penalty on either party.
7.5
MessageMedia may replace a Sub-processor without advance notice where the reason for the change is outside of MessageMedia’s reasonable control and prompt replacement is required for security or other urgent reasons, such as but not limited to (suspected) non-compliance of a Sub-processor with Data Protection Legislation or the DPA between MessageMedia and the Sub-processor. In this case, MessageMedia will inform the Data Controller of the replacement Sub-processor as soon as possible following its appointment. Clause 7.4 applies accordingly.
7.6
For the avoidance of doubt, where any Sub-processor fails to fulfill its obligations under any sub-processing agreement or under applicable law MessageMedia will remain fully liable to the Customer for the fulfillment of its obligations under this DPA.
8. International Transfer
8.1
Whenever MessageMedia (or its Sub-processors) processes personal data in countries other than the country in which MessageMedia is established, MessageMedia will ensure an adequate level of protection for personal data by means of organizational, technical and contractual measures as required by Data Protection Legislation and this DPA.
8.2
Where (i) Personal Data of an EEA or Swiss-based Data Controller is processed in a country outside the EEA, Switzerland and any country, organization or territory acknowledged by the European Union as a safe country with an adequate level of data protection under art. 45 GDPR, and no other lawful transfer mechanism such as Binding Corporate Rules (art. 47 GDPR) or a Code of Conduct (art. 40 GDPR) is available, or where (ii) Personal Data of another Data Controller is processed internationally and such international processing requires an adequacy means under the laws of the country of the Data Controller and the required adequacy means can be met by entering into Standard Contractual Clauses, the transfer is made pursuant to European Commission approved Standard Contractual Clauses for the transfer of Personal Data. Customer provides a power of attorney for MessageMedia to enter into any such European Commission approved standard contractual clauses with a Sub-processor approved as set out in clause 7, in the name and on behalf of the Customer.
8.3
In case European Commission approved standard contractual clauses are concluded between MessageMedia and the Customer, the following applies until a competent Member State supervisory authority, or an EU or competent Member State court, approves a different lawful transfer mechanism that would be applicable to the data transfers covered by the Standard Contractual Clauses (if such mechanism applies only to some of the data transfers, the following clauses will remain applicable for the transfers that cannot be covered by this new lawful transfer mechanism):
- (i) Rights granted to data subjects under this DPA and the European Standard Contractual Clauses may be enforced by the data subject against MessageMedia irrespective of any restriction in Clauses 3 or 6 of the Standard Contractual Clauses. These rights are personal and may not be assigned to others. The data subject may only bring a claim under this DPA and the European Standard Contractual Clauses on an individual basis, and not part of a class, collective, group or representative action.
- (ii) In addition to Clause 5(b) of the Standard Contractual Clauses, MessageMedia agrees that it, at the time of concluding this Agreement, has no reason to believe that the legislation applicable to it or its sub-processors, including in any country to which personal data is transferred either by itself or through a sub-processor, prevents it from fulfilling the instructions received from the customer and its obligations under the Standard Contractual Clauses and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Standard Contractual Clauses, it will notify the change to Customer as soon as it is aware, in which case Customer is entitled to suspend the transfer of data and/or terminate the contract.
- (iii) For the purpose of this section, lawful efforts do not include actions that would result in a civil or criminal penalty, such as contempt of court, under the laws of the relevant jurisdiction:
  - In case MessageMedia receives an order from any third party for compelled disclosure of any personal data that has been transferred under the Standard Contractual Clauses, MessageMedia will, where possible, redirect the third party to request the data directly from Customer.
  - In case MessageMedia receives an order from any third party for compelled disclosure of any personal data that has been transferred under the Standard Contractual Clauses, MessageMedia will use all lawful efforts to challenge the order for disclosure on the basis of any legal deficiencies under the laws of the requesting party or any relevant conflicts with the law of the European Union or applicable Member State law.
9. Technical and organizational measures
MessageMedia has implemented and maintains appropriate technical and organizational measures (to act in accordance with Data Protection Legislation, for example but not limited to Article 28.3 (c) and Article 32, in particular in relation to Article 5 (1) and (2) GDPR). Such measures include, but are not limited to, physical and IT measures and organizational measures to protect personal data processed against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. Such measures are described in Appendix 1 Technical and Organisational Measures.
10. Quality assurances and other duties of MessageMedia
10.1
MessageMedia shall comply with the following requirements (often referred to by reference to Articles 28 to 33 GDPR), being:
- no processing of personal data except on instructions from the controller, unless required to do so by an authority;
- implementation of a data processing register;
- implementation of technical and organizational measures to ensure a level of data security appropriate to the level of risk presented by processing personal data;
- cooperation with the data protection supervisory authority in the performance of its tasks;
- notification of a personal data breach to the supervisory authority and the data subject;
- carrying out a data protection impact assessment when necessary according to law, and consulting the supervisory authority prior to data processing where the data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk,
and ensures in particular compliance with the following requirements:
- Appoint a data protection officer, who performs his/her duties in compliance with Data Protection legislation. The data protection officer can be contacted at DPO@sinch.com.
- Confidentiality in accordance with Data Protection legislation. MessageMedia entrusts only such employees with the data processing outlined in this contract who have been bound to confidentiality and have previously been familiarized with the data protection provisions relevant to their work. MessageMedia and any person acting under its authority who has access to personal data, shall not process that data unless on instructions from the Customer, which includes the powers granted in this Amendment, unless required to do so by Data Protection Legislation.
- At the Customer’s cost and expense and taking into account the nature of the processing and the information available to MessageMedia, provide such information and assistance as the Customer may reasonably require, and within the timescales reasonably specified by the Customer, to assist the Customer to comply with its obligations under applicable Data Protection Legislation, which may include assisting the Customer to:
  - notify the Customer of any request MessageMedia receives from a data subject relating to personal data processed, and notify the data subject to contact the Customer if it wants to exercise its rights;
  - comply with its security obligations;
  - discharge its obligations to respond to requests relating to the exercise of Data Subject rights, including the right of access, right to rectification, right to erasure (“right to be forgotten”) and right to restriction of processing (to the extent that personal data is not accessible to the Customer through the Services); carry out a data protection impact assessment, audit data protection impact assessment compliance and consult with the supervisory authority;
  - following data protection impact assessment.
- For the purpose of this section, lawful efforts do not include actions that would result in a civil or criminal penalty, such as contempt of court, under the laws of the relevant jurisdiction:
  - Unless prohibited by applicable law or a legally binding request of law enforcement, MessageMedia shall promptly notify the Customer of any request by any government official, data protection supervisory authority or law enforcement authority in respect of any personal data and, if prohibited from notifying Customer, MessageMedia will use all lawful efforts to obtain the right to waive the prohibition in order to communicate as much information to Customer as soon as possible;
- MessageMedia shall periodically monitor its internal processes and the TOMs to ensure that processing within MessageMedia’s area of responsibility is in accordance with the requirements of Data Protection Legislation and the protection of the rights of the data subject.
11 Audits and inspections
11.1
In the event that the Customer, a Regulator or a data protection authority requires additional information or an audit related to the Services, MessageMedia agrees to provide access to its data processing facilities, data files and documentation needed for processing personal data. MessageMedia agrees to provide reasonable cooperation during such operations, including providing all relevant information and access to all equipment, software, data, files, information systems, etc., used for the performance of the Services, including the processing of personal data. For the avoidance of doubt, any audit conducted pursuant to this clause 11.1:
(a) is subject to clause 11.2 below;
(b) must occur at MessageMedia’s physical premises; and
(c) cannot involve the removal of any equipment, software, data, files, information systems, etc. from MessageMedia’s physical premises.
11.2
The audit right as described within clause 11.1 will become applicable for the Customer in case MessageMedia has not provided sufficient evidence of its compliance with the technical and organizational measures. Sufficient evidence includes providing either:
- (i) a certification as to compliance with ISO 27001 or other standards implemented by MessageMedia (scope as defined in the certificate); or
- (ii) an audit or attestation report of an independent third party.
An audit as described within clause 11.1 shall be carried out at the Customer’s cost and expense. An audit can be done by the Customer or any third party reasonably acceptable to MessageMedia (which shall not include any third-party auditors who are either a competitor of MessageMedia or not suitably qualified or independent) to ascertain compliance with this DPA, subject to reasonable notice being given (30 days), compliance with MessageMedia’s Technical and Organizational Measures and the auditor entering into a non-disclosure agreement directly with MessageMedia.
12 Notification of a data breach
12.1
In the event that MessageMedia becomes aware of any breach of security that results in the accidental, unauthorized or unlawful destruction of, or unauthorized disclosure of or access to, personal data, MessageMedia shall, among other things:
- a) Notify the Customer in writing immediately, but not later than 72 hours after becoming aware of the personal data breach;
- b) Assist the Customer with regard to the Customer’s obligation to provide information to the data subject, and provide the Customer with relevant information in this regard;
- c) Support the Customer in consultations with the data protection authority.
12.2
To the extent legally possible, MessageMedia may claim compensation for support services under this clause 12 which are not attributable to personal data breaches caused by MessageMedia.
13. Deletion of personal data
13.1
MessageMedia is obliged to erase personal data as stipulated in the Agreement and in accordance with the Data Protection Legislation and/or Relevant Laws.
13.2
Customer has the right to request execution of the rights and obligations described in clause 13.1 during the duration of the entire DPA.
13.3
Statutory retention obligations or contractual obligations towards Service Providers of MessageMedia (for example but not limited to operators) remain unaffected by the above provisions. Documentation serving as evidence for an orderly data processing in accordance with the provisions of the DPA shall be retained by MessageMedia after termination of the DPA according to Data Protection Legislation and/or Relevant Laws.
14. MessageMedia’s Obligations as Data Controller
In situations where MessageMedia will act as a data controller, it undertakes to comply with its obligations under applicable Data Protection Legislation in respect of any personal data processed under the SA. It shall process such personal data in connection with the transmission of messages, and to fulfill its associated obligations under the Agreement or as may be required by law, court order or any government or regulatory authority and in accordance with its privacy policy which is available at https://messagemedia.com/us/legal/privacy-policy/ as amended from time to time, if necessary.
15. Customer’s Obligations
The Customer shall comply at all times with Data Protection Legislation in relation to the processing of personal data in connection with the Agreement and the Services. The Customer shall inform MessageMedia in writing in case additional legislation is applicable on the Processing of Personal Data other than the legislation of the country where the Customer is established.
16. Limitation of Liability
16.1
Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA whether in contract, tort or under any other theory of liability, is subject to the Limitation of Liability section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and this DPA.
16.2
Clause 16.1 shall not apply if the damage has been caused by the incorrect implementation of the commissioned service by the Customer or by an instruction given by the Customer. In such case, Customer will be liable for such damage.
17. Miscellaneous
17.1
The DPA forms an integral part of the Agreement between Customer and MessageMedia. In case of conflict between the mandatory provisions in the European Standard Contractual Clauses and this DPA, the European Standard Contractual Clauses shall prevail. In case of other conflicts between other documents (including in case of conflict between the Agreement and this DPA), the DPA will prevail.
17.2
Should any provision of this DPA be or become invalid or contain a gap, the remaining provisions shall remain unaffected. Customer and MessageMedia undertake to replace the invalid provision with legally valid provisions which come closest to the interest of the invalid provision or, respectively, fill the gap.
APPENDIX 1 to the Data Protection Agreement – Technical and Organisational Measures
MessageMedia shall implement the measures described in this appendix, provided that the measures directly or indirectly contribute or can contribute to the protection of personal data under the Agreement concluded between the Parties for the processing of data.
The Technical and Organizational measures that are implemented by MessageMedia are based on industry standards. The Technical and Organizational Measures are subject to technical progress and development. In this respect MessageMedia is permitted to implement alternative adequate measures. The level of security must align with standard industry practice. All major changes likely to detrimentally impact the Customer are to be agreed with the Customer in writing.
The Technical and Organizational Measures included within this Appendix are measures that are applicable to the Service(s) provided by MessageMedia. If necessary for the Service, MessageMedia may include further Technical and Organizational Measures in the Product Terms or Application Form.
1. Risk management and Procedures for validation, review and evaluation
i) MessageMedia shall identify and evaluate security risks related to confidentiality, integrity and availability and based on such evaluation implement appropriate technical and organizational measures to ensure a level of security which is appropriate to the risk.
ii) MessageMedia shall have documented processes and routines for handling risks within its operations and when processing personal data on behalf of the Customer.
iii) MessageMedia shall periodically assess the risks related to information systems and processing, storing and transmitting information.
iv) MessageMedia shall identify and evaluate security risks related to confidentiality, integrity and availability and based on such evaluation implement appropriate technical and organizational measures to ensure a level of security which is appropriate to the risk of the specific personal data types and purposes being processed by MessageMedia, including inter alia as appropriate:
- a) The encryption of personal data;
- b) The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- c) The ability to restore the availability of and access to the Customer’s Data in the event of a physical or technical incident;
v) MessageMedia shall have a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing.
vi) MessageMedia shall periodically assess the risks related to information systems and processing personal data (e.g. when storing and transmitting personal data).
vii) MessageMedia shall as appropriate monitor, review and audit Sub-processor’s compliance with the Technical and Organizational Measures.
2. Organizational Measures
The internal organization of the processor shall meet the specific requirements of data protection.
- A) Policies and Policy Management
- i) MessageMedia shall have a defined and documented information security management system (ISMS), including an information security policy and procedures, in place, which shall be approved by MessageMedia’s management. They shall be published within MessageMedia’s organization and communicated to relevant MessageMedia Personnel.
- ii) MessageMedia shall periodically review MessageMedia’s policies and procedures concerning data protection and information security and update them if required to ensure their compliance with the Technical and Organizational Measures and the data protection agreement.
- B) Organization of Data Protection and Information security
- i) MessageMedia shall appoint at least one data protection officer who has appropriate competence and who functions as the main contact person for data protection. If required by law, MessageMedia shall appoint a data protection officer on a company level.
- ii) MessageMedia shall have defined and documented security roles and responsibilities within its organization.
- C) Organizational Requirements
- i) MessageMedia shall ensure that MessageMedia personnel handle information in accordance with the level of confidentiality required under the DPA and that it has the written commitment of the employees to maintain confidentiality.
- ii) MessageMedia shall ensure that relevant MessageMedia personnel are aware of the approved use (including use restrictions, as the case may be) of information, facilities and systems under the DPA.
- iii) MessageMedia shall ensure that any MessageMedia personnel performing assignments under the DPA are trustworthy, meet established security criteria and have been, and during the term of the assignment will continue to be, subject to appropriate screening and background verification (if allowed by applicable law).
- iv) MessageMedia shall ensure that MessageMedia personnel with security responsibilities are adequately trained to carry out security-related duties.
- v) MessageMedia shall provide or ensure periodical awareness training to relevant MessageMedia personnel. Such MessageMedia training shall include, without limitation:
- a) How to handle customer information security (i.e. the protection of the confidentiality, integrity and availability of information);
- b) Why information security is needed to protect customers’ information and systems;
- c) The common types of security threats (such as identity theft, malware, hacking, information leakage and insider threat);
- d) The importance of complying with information security policies and applying associated standards/procedures;
- e) Personal responsibility for information security (such as protecting customer’s privacy-related information and reporting actual and suspected data breaches).
3. Confidentiality
- A) Access Control (Physical and environmental security)
- i) MessageMedia shall protect information processing facilities against external and environmental threats and hazards, including power/cabling failures and other disruptions caused by failures in supporting utilities. This includes physical perimeter and access protection.
- ii) MessageMedia shall protect goods from theft, manipulation, and destruction.
- iii) MessageMedia shall specify authorized individuals allowed within its processing facilities and have an access control process.
- B) Access control (Logical)
- i) MessageMedia shall have a defined and documented access control policy for facilities, sites, network, system, application, and information/data access (including physical, logical and remote access controls), an authorization process for user access and privileges, procedures for revoking access rights and an acceptable use of access privileges for MessageMedia personnel in place.
- ii) MessageMedia shall have a formal and documented user registration and de-registration process implemented to enable assignment of access rights.
- iii) MessageMedia shall have a joiner-mover-leaver process for its employees.
- iv) MessageMedia shall assign all access privileges based on the principle of need-to-know and principle of least privilege.
- v) MessageMedia shall use strong authentication (multi-factor) for remote access users and users connecting from untrusted networks.
- vi) MessageMedia shall ensure that MessageMedia Personnel have a personal and unique identifier (user ID) and use an appropriate authentication technique which confirms and ensures the identity of users.
- C) Cryptography
- i) MessageMedia shall use cryptography on information classified as confidential and secret (such as personal data).
- ii) MessageMedia shall protect cryptographic keys and store these in accordance with applicable legislation.
- D) Guidelines concerning admission to the Customer’s premises and/or MessageMedia premises. Admission to the premises and property (such as office buildings, technical sites) is subject to the following:
- i) MessageMedia shall follow local regulations (such as regulations for “restricted areas”) for the Customer’s premises when performing the assignments under the Agreement.
- ii) MessageMedia Personnel shall carry an access card or, in the case of visitors, a visitor’s badge, and be accompanied by an employee of MessageMedia while on the premises.
- iii) After termination of employment or completion of the assignment, or when MessageMedia personnel are transferred to other tasks, personnel shall without delay inform authorized personnel of the change and return any keys, key cards, certificates, visitor’s badges and similar items.
- iv) Access cards shall be personally signed for.
- v) Loss of an access card shall be reported without delay to the authorized personnel.
- vi) MessageMedia Personnel shall not allow unauthorized persons access to the premises.
4. Operations security
- (i) MessageMedia shall test and review systems before changes are implemented.
- (ii) MessageMedia shall implement malware protection to ensure that software used for MessageMedia is protected from malware.
- (iii) The company network is protected from the public network by firewalls.
- (iv) MessageMedia shall make backup copies of critical information.
- (v) MessageMedia shall log and monitor activities relating to the Services, faults and information security events, and regularly review these. Furthermore, MessageMedia shall protect and store log information (for at least 6 months or such period/s set by Data Protection Legislation) and, on request, deliver monitoring data to the Customer. Anomalies, incidents and indicators of compromise shall be reported according to the data breach management requirements set out below.
- (vi) MessageMedia shall manage vulnerabilities of all relevant technologies such as operating systems, databases, applications proactively and in a timely manner.
- (vii) MessageMedia shall establish security baselines (hardening) for all relevant technologies such as operating systems, databases, applications.
- (viii) MessageMedia shall ensure that development is segregated from the test and production environments.
5. Integrity
- i) MessageMedia shall implement network security controls such as service level, firewalling and segregation to protect information systems.
- ii) MessageMedia operates a phishing and SPAM detection system with the aim of protecting its customers and MessageMedia (and the personal data of which these Parties are the Controller) against unwanted content and the spreading of SPAM/phishing, and of complying with operator requirements and applicable legislation.
- iii) Personal data processed on behalf of the Controller shall be processed solely in accordance with the Agreement and the instructions of the Controller to the Processor.
- iv) MessageMedia will work according to written instructions or agreements and documents belonging to that agreement.
6. Data breach management
- i) MessageMedia shall have established procedures for data breach management.
- ii) MessageMedia shall inform the Customer about any data breach (including but not limited to incidents in relation to the processing of personal data) as soon as possible but no later than within 72 hours after the data breach has been identified.
- iii) All reporting of security related incidents shall be treated as confidential information and be encrypted, using industry standard encryption methods.
- iv) The data breach report shall contain at least the following information:
- a) The nature of the data breach,
- b) The nature of the personal data affected,
- c) The categories and number of data subjects concerned,
- d) The number of personal data records concerned,
- e) Measures taken to address the data breach,
- f) The possible consequences and adverse effect of the data breach, and
- g) Any other information the Customer is required to report to the relevant regulator or data subject.
- v) To the extent legally possible, MessageMedia may claim compensation for support services under this clause which are not attributable to failures on the part of MessageMedia.
7. Business continuity management
- i) MessageMedia shall identify business continuity risks and take necessary actions to control and mitigate such risks.
- ii) MessageMedia shall have documented processes and routines for handling business continuity.
- iii) MessageMedia shall ensure that information security is embedded into the business continuity plans.
- iv) MessageMedia shall periodically assess the efficiency of its business continuity management, and compliance with availability requirements (if any).
8. System/software development and maintenance (when software development or system development is provided to the Customer by MessageMedia)
- i) MessageMedia shall implement rules for the development lifecycle of software and systems, including change and review procedures.
- ii) MessageMedia shall implement security patch management to provide regular and periodic deployment of relevant security updates.
Appendix 2 to the Data Protection Agreement – Deviations based on applicable national legislation
1. Canada
The definition “Special Categories of Personal Data” in Clause 1 of this DPA shall be amended as follows:
“Special Categories of Personal Data” shall mean information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life, or any other personal data that may be considered sensitive data based on applicable legislation.”
In addition to what is agreed upon in this DPA, the following is applicable concerning the transfer of Data:
“Controller acknowledges that Processor may transfer, store, and process Personal Data to territories outside of Canada, where it will be subject to the laws of the foreign jurisdictions in which it is held. Processor shall not, and shall make sure that any Affiliate or any third party with whom it contracts to Process Personal Data on its behalf in connection with the relevant Service(s) shall not:
- transfer Personal Data to a territory outside of Canada except on terms substantially similar to terms herein, which are agreed to prior to such transfer; or
- operate in relation to that Personal Data in any way which will put Controller in breach of its obligations under applicable privacy laws.”
In addition to what is agreed upon in this DPA:
“Controller acknowledges that it possesses all necessary consents and legal authority from data subjects that would allow Processor to process the data.”
In addition to what is agreed upon in Section 7 of this DPA:
“Parties will also cooperate with respect to any data breach notifications to Canadian regulatory authorities, individuals and other organizations that are required by law or otherwise advisable in the Controller’s sole discretion.”
Without limiting the terms and conditions of the DPA for Canada and the Agreement, as far as applicable to Canada, the following apply:
“Processor will comply with all Canadian federal and provincial privacy and anti-spam legislation applicable to Controller and Processor in the course of processing any Data in connection with the Services, including all applicable notice, consent, content and unsubscribe requirements in connection with the sending of electronic messages and the installation of computer programs on another person’s device.
Processor will provide that access to the Data is limited only to those employees and authorized agents of Processor who need to have access to the Data solely for the purposes of Processor rendering the Services.”
2. USA
The following definitions in clause 1 of this DPA shall be amended as follows:
“Personal data (in the USA the term Personally Identifiable Information is used): any individual element of information concerning the personal or material circumstances of an identified or identifiable individual;
Sensitive data (also known as “Special Categories of Personal Data”): information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life, social security number, driver’s license number or state- or federally-issued identification card number, account number or credit or debit card number, or an account number in combination with any required security code, access code, or password that would permit access to an individual’s financial account, or any other information the unauthorized disclosure of which may require Controller to notify affected individuals.”
Appendix 3 to the Data Protection Agreement – Standard Contractual Clauses
Updated 1 July 2022