Customer Terms

Part A – Customer Terms

Your Contract with Us

1. Your Customer Contract

‘We’ and ‘Us’ refers to MessageMedia, USA, Inc. 1615 Platte Street, Floor 2, Denver, CO 80202 (“MessageMedia”).

• We supply Services to you under your Customer Contract. Your Customer Contract comprises, in order of precedence from highest (i) to lowest (v):
• (i) your Application Form;
• (ii) the terms of your Plan;
• (iii) the Product Terms;
• (iv) the following Parts of these Customer Terms:

• • Part D (Additional Security Terms applicable to use of our API);
  • if you are subject to the GDPR, Part E (EC Standard Contractual Clauses); and
  • if you are subject to the UK GDPR, Part F (UK International Data Transfer Addendum);
  • Part G – EU and UK Privacy Terms

• (v) if we provide you with Professional Services, Part B; and
• (vi) if you are a Reseller, Part C.

(b) The parties to your Customer Contract are the Customer (you) and the Supplier (we, us).

2. The Term of Your Customer Contract

(a) Your Customer Contract will continue until the end of the Minimum Term. Unless otherwise specified in your Application Form, upon expiry of the Minimum Term your Customer Contract will automatically renew for subsequent periods of the same length as the Minimum Term unless either party gives the other written notice of termination at least thirty (30) days prior to the then-current Term.

(b) Your Customer Contract will commence upon our acceptance of your Application Form or when we commence providing the Services to you, whichever happens first.

Provision of Our Services

3. The Services

(a) We will provide to you a non-exclusive, non-transferable, non-sub-licensable license for the Services subject to the terms of your Customer Contract.

(b) We may provide the Services using such facilities and such Carrier as we choose from time to time.

(c) We may provide the Services using Our Facilities and/or third party facilities. Together, we call those Facilities our Network.

4. Exclusive or Preferred Supplier

If your Application Form states:

(a) that we are to be your preferred supplier then you must not engage a third party to provide to you more than 10% of your total requirements for the Messaging Services or services substantially similar to the Messaging Services; or

(b) that we are to be your exclusive supplier then you must not engage a third party to provide to you any Messaging Services or services substantially similar to the Messaging Services.

(c) Within 14 days of receipt of a written request, you will provide to us assurances (in a form acceptable to us) attesting to your compliance with clause 4(a) or clause 4(b).

5. Periodic Entitlements

(a) If your Plan or Application Form states that you are required to pay a Monthly Access Fee:

(i) you may receive Message Credits as stated in your Plan or Application Form, which may be redeemed by you against Message Fees incurred during that month. We call these Periodic Entitlements; and

(ii)  the Monthly Access Fee is billed in advance for the applicable month for all Plans, including Plans where Charges are payable in arrears.

(b) Unused Periodic Entitlements are not refundable, do not carry forward and are not redeemable for cash or other credit.

(c) If you exceed your Periodic Entitlements, extra Charges may apply or a Service may be limited in some way. Your Plan or Application Form will give details.

6. Compliance with Policies

(a) You must comply with any applicable Acceptable Use Policy we publish on our website or make available to you.

(b) You must comply with any policy we publish on our website or make available to you directed to ensuring that the use of a Service complies with all Laws.

7. Operational Directions

(a) Acting reasonably, we may give Operational Directions about a Service. Operational Directions will be directed to the safety, security or reliability of Facilities, compliance with Laws or dealing with an emergency. We will only give an Operational Direction as and when reasonably necessary.

(b) You must comply with any applicable Operational Direction.

8. Carrier or carriage service provider

You promise that you are not a Carrier or a carriage service provider.

9. Use of Service by others

(a) Unless your Application Form states that we have appointed you as a Reseller, you must not share, resell or resupply a Service for remuneration or reward.

(b) The acts and omissions of your Staff and End Users with respect to a Service are deemed to be your acts and omissions.

(c) You must ensure that your Staff and End Users do not do (or omit to do) anything that would breach your Customer Contract if done (or not done) by you.

10. Payment for third party services

Using a Service may depend on you having goods or services supplied by third parties. For instance, in order to use an email-to-SMS Service, you must have an internet connection. You are solely responsible for the costs of all third party goods and services you acquire.

11. Using a Service

(a) When using a Service, you must comply with:

(i) your Customer Contract (including any applicable Acceptable Use Policy); and

(ii) any applicable Laws.

(b) You must not use a Service, and you must Ensure that your End Users do not use a Service:

(i) to send Restricted Content;

(ii) for publishing, reproducing or advertising any message, information, symbol or other communication which is offensive or abusive or of an indecent, obscene or menacing character or for the purpose of causing annoyance, inconvenience or needless anxiety to any person, or for any unlawful purpose;

(iii) to defame any person;

(iv) to breach the rights of any person;

(v) to infringe copyright;

(vi) to create, transmit or communicate communications which are defamatory, obscene, pornographic, discriminatory, offensive, in breach of confidence, illegal or which bring us or any of our Providers into disrepute;

(vii) to host or transmit Content which contains viruses or other harmful code or data designed to interrupt, damage, destroy or limit the functionality of any software, hardware or computer or communications equipment;

(viii) to send, allow to be sent, or assist in the sending of spam, to use or distribute email harvesting software, or otherwise breach any Privacy Law;

(ix) in a way that is misleading or deceptive, where that is contrary to Law;

(x) in a way that results, or is likely to result, in damage to property or injury to any person;

(xi) to transmit, store or process Cardholder Data; or

(xii) in any way that damages or interferes with our Services to other customers, our Providers or any Facilities or exposes us to liability.

(c) As between you and us, you are solely responsible for all acts or omissions that occur under your Account including any password provided to you by us, and the Content of any Messages transmitted through the Service. You acknowledge and agree that any Messages sent using your Account are deemed to have been sent and/or authorized by you.

(d) You must take steps to prevent unauthorised access to a Service and ensure that best security practices are followed, for example, by using strong passwords, not disclosing your log in credentials, by securing any web APIs, and by implementing multi-factor authentication. You indemnify us against any claim, cost, loss or liability which may arise in connection with your failure to comply with your obligations under this clause 11(d).

(e) If you use or facilitate authentication via any social network in the sign-up and/or sign-in process in the course of using the Services, you indemnify us against any claim, cost, loss or liability which may arise in connection with such use or facilitation.

(f) If you use Alpha-tags and Sender IDs in the course of using the Services, then you warrant and represent that you have a verifiable use case for such use in accordance with applicable Law and you indemnify us against any claim, cost, loss or liability which may arise in connection with your breach of your warranty and representation under this clause 11(f).

(g) If we incur costs (including but not limited to increased Carrier fees and charges, surcharges or taxes) in connection with your failure to comply with your obligations under this clause 11, you acknowledge and agree that you are responsible for these costs and that we may pass these costs onto you by increasing the amount of the Charges in our sole discretion.

(h) If you integrate or request us to integrate your account with a third party application or platform, you are solely responsible for such integration. We have no control over any third party application or platform and we are not liable for any transaction you enter into with them. You are responsible for ensuring you comply with any terms of service relevant to the third party and we are not liable for any suspension or termination of the service resulting from your use of the Services. You warrant that your use of the Messaging Services will not infringe the terms and conditions of any third party applications or platforms.

(i) Messaging content and techniques are regulated by Carriers and the CTIA. You agree to comply with all regulations promulgated by Carriers in their respective codes of conduct and all best practices and guidance promulgated by the CTIA. We may suspend or terminate your Account for any violations of the Carrier codes of conduct or CTIA best practices and guidance.

(j) If we reasonably incur expenses as a result of or in connection with:

• a police request for information or evidence in relation to you or your use of a Service; or
• a Court or other competent authority’s direction for provision of information or evidence in relation to you or your use of a Service; or
• a demand from an attorney for information or evidence in relation to you or your use of a Service;

then you must reimburse such expenses upon request.   Your obligations under this clause 11 survive termination of your Customer Contract.

Confidentiality, Intellectual Property and Privacy

12. Confidentiality

(a) Each party (Recipient) agrees that, in respect of Confidential Information disclosed to the Recipient by the other party (Disclosing Party), it will not disclose Confidential Information except:

(i) for the purpose for which the Confidential Information was disclosed to the Recipient under the terms of your Customer Contract;

(ii) to those employees, officers and agents of the Recipient who need to know the information for the purposes of your Customer Contract, if that person undertakes to keep confidential the Confidential Information;

(iii) to professional advisers and consultants of the Recipient whose duties in relation to the Recipient require that the Confidential Information be disclosed to them;

(iv) with the prior written approval of the Disclosing Party; or

(v) as otherwise required by law to disclose such information.

(b) The parties acknowledge that monetary damages alone would not be adequate compensation for a breach of the obligations of confidentiality under this Customer Contract, and a Disclosing Party is entitled to seek an injunction from a Court of competent jurisdiction on a breach or threatened breach of this clause.

(c) Despite anything else contained in this Customer Contract and in particular in this clause 12, we retain the unconditional and irrevocable right to disclose your identity and address and those of any of your Staff or End Users in the event of any complaint received from any regulatory or Government body or Carrier, in connection with this Customer Contract. In such circumstances, we will use all reasonable efforts to limit such disclosure and to provide notice of such request to you as soon as reasonably practicable.

(d) If either party becomes aware of any actual or perceived breach of or unauthorized access to the other party’s Confidential Information, the party possessing such knowledge shall promptly notify the other party and provide all reasonably requested assistance in addressing such event.

(e) Nothing in this clause 12 prevents us from naming you as a customer and user of our Services in our marketing materials.

13. Intellectual Property

(a) The parties agree that other than as provided in this clause 13, nothing in your Customer Contract transfers ownership in, or otherwise grants any rights in, any Intellectual Property Rights of a party.

(b) If a party provides any material to the other party that contains any Intellectual Property Rights which were developed by or on behalf of, or licensed to, the first party independently of your Customer Contract (Pre-Existing Material), then the first party grants to the other party a non-transferable, non-exclusive, royalty-free licence to use, during the term of your Customer Contract, the Pre-Existing Material solely for the purpose of using or supplying the Services under your Customer Contract.

14. Privacy

(a) If a party is provided with, or has access to, Personal Information in connection with the Services, it must comply, to the extent applicable, with the Privacy Laws in respect of that Personal Information, whether or not it is an organization bound to comply with such laws. Details of our privacy policy can be found on our website.

(b) You acknowledge and agree that where you authorize or require us to collect or otherwise deal with Personal Information in your name or on your behalf in connection with providing the Services, that we do so as your agent.

(c) You acknowledge and agree that except as may be required by this Agreement, we are not required to take steps to ensure that any Personal Information collected by you has been collected in accordance with the Privacy Laws. Further, you indemnify us for any Claim by a third party that it has suffered Loss as a result of a breach of a Privacy Law.

(d) If the Services or the performance of our respective obligations under this Customer Contract involve any processing of any personal data (as defined in the GDPR) of, or sending Messages to, any individuals in the European Union, then we each agree that we shall comply with the additional terms set out in Parts D and E.

Prices, Billing and Payment Terms

15. Charges & payment: Prices

(a) You agree to pay our Charges in accordance with the terms of your Contract.

(b) Except as provided in clause 15(c), our current prices are published on our website or otherwise notified to you at any time, referred to as our ‘Price List’.  The Price List may be amended from time-to-time without further notice to you.

(c) If the price for a service is not listed in your Application Form, for example the price for international SMS, we may charge you a fee equal to the cost to us of providing that service including without limitation the costs associated with carrier surcharges,  plus a reasonable margin. Our international rates change frequently and we reserve the right to adjust our Charges for international services accordingly without notice..

(d) Our Charges may include the charges and costs which we are charged by third parties (including, without limitation, any charges imposed by Providers or by credit card providers or other payment merchants) in connection with the provision of the Services (Third Party Charges).  If any such Third Party Charges increase, then we may pass the increased Third Party Charges on to you by increasing the amount of the Charges accordingly.

(e) Unless specifically provided otherwise in your Application Form or elsewhere in your Customer Contract, our Charges are in US Dollars.   We will calculate any international currency conversions using an exchange rate from a reputable independent provider which we elect to use for currency conversions. Currency conversions will be calculated at or about the time payment of the relevant Charge is made and, as there can be fluctuations in the exchange rates, the amount which you are actually charged may differ to Charge which was previously published or notified to you. If our costs of providing the Services to you are increased due to fluctuations in relevant foreign currency exchange rates, we may pass on those increased costs to you as set out in clause 15(d).

(c) You warrant that you will use the Messaging Services exclusively for the sending of Standard Rate Messages containing Unrestricted Content to End Users and, where the Service supports it, receiving Messages from End Users. We may impose an extra Charge if you send any Messages that are not Standard Rate Messages, equal to the amount charged to us by the Carrier plus a reasonable margin.

(d) Unless otherwise agreed by you and us, you must pay for every Message dispatched using the Messaging Services irrespective of receipt by the intended recipient, provided that we deliver the Message to the relevant Carrier or Provider.

(e) On written request received within 30 days of the Message being dispatched, we will provide evidence that the Message was delivered to the relevant Carrier or Provider.

(f) Any failure by a Carrier to deliver a Message to the intended recipient is beyond our control and you will not hold us liable in respect of any such failure.

(g) Surcharges are payable in addition to our price for the service. Surcharges are subject to change, are passed onto you at cost if applicable, and vary according to the service and carrier supporting the particular service.

(h) Our Charges for multichannel messaging / messaging on social channels (for example Messenger, Instagram Direct, Google Business Messages or WhatsApp) are charged per Conversation.

16. Calculation of number of SMS

Information point: The SMS system allows a maximum message size of 160 characters (or 70 characters if you include any Unicode characters and send via a Unicode supported service). If a user sends a longer message, the system splits it to two or more separate SMS that may be reassembled on delivery so that they appear to be a single message (or, on some handsets, may be delivered as a series of separate SMS). When a longer message is split in this way, the components are no more than 153 characters long (or 67 characters long if you include any Unicode characters and send via a Unicode supported service), because seven characters are used to facilitate re-joining on delivery. For messages sent to End Users in Canada, the maximum message size is 140 characters. When a message longer than 140 characters is sent to an End User in Canada, the system splits the message into two or more components, each of which are no more than 133 characters long (or 67 characters long if you include any Unicode characters and send via a Unicode supported service). As a result, a longer message will result in more than one SMS being transmitted, and charges apply accordingly, as described in this clause.

Charges for an SMS Service will be based on the number of SMS you send, calculated in accordance with the following rules:

(a) If you include any Unicode characters and send via a Unicode supported service, content that contains no more than 70 characters counts as one SMS. In all other cases, content that contains no more than 160 characters (or no more than 140 characters if you send to End Users in Canada) counts as one SMS.

(b) If you include any Unicode characters and send via a Unicode supported service, content that contains more than 70 characters counts as one SMS for each block of 67 characters or part thereof. In all other cases, content that contains more than 160 characters (or more than 140 characters if you send to End Users in Canada) counts as one SMS for each block of 153 characters or part thereof (or each block of 133 characters or part thereof if sending to End Users in Canada).

(c) A ‘character’ includes each individual letter, digit, punctuation and other symbol in the Content.

(d) Each press of a ‘spacebar’ generates a separate character.

(e) Some special symbols and non-English letters may comprise more than one character and you will be charged accordingly.

(f) Where an SMS is sent to multiple End Users, each one is counted separately.

17. Calculation of the size of an MMS

Charges for an MMS Service will be based on the size and number of MMS you send, calculated in accordance with the following rules:

(a) Content that contains no more than 215kB is charged at the Standard Rate (as defined in your Plan or Application Form).

(b) Content that contains between 216kB and 350kB is charged at the First Tier Premium Rate (as defined in your Plan or Application Form).

(c) Content that contains more than 351kB up to 2000kB is charged at the Second Tier Premium Rate (as defined in your Plan or Application Form).

(d) Where an MMS is sent to multiple End Users, each one is counted separately.

18. When we can bill

(a) Your ‘Billing Period’ is the period between Bills. Unless your Application Form states otherwise, our standard Billing Period is monthly.

(b) We can Bill a part-period eg to align your Billing Period with the first day of each month.

(c) We will issue you with a Bill for each Billing Period. Subject to clause 18(d) and (e), our Bills will be issued within 10 Business Days after the end of a Billing Period.

(d) If your Application Form provides for “Sign-up Date Billing”, then:

(i) you will be issued a Bill on the date that the relevant Service commences and on that same day of each following month while your Customer Contract remains in effect; and

(ii) the Charges in each such Bill will be in respect of the period from the date of the Bill until the same day of the next month.

(e) We reserve the right to issue Bills outside of the usual Billing cycle described above, for example if we see an unusual volume in traffic or if we consider there are other unusual circumstances that warrant an out-of-cycle Bill being issued to you.

(f If you are on a Prepaid Plan, then we will issue you a Bill after your prepayment has been made.

19. Extra Charges for Bills and information

(a) We may charge you an extra Charge if:

(i) you request non-standard information about your Bill or Charges; or

(ii) you ask us to deliver a Bill by a method that is not the standard method for a Plan.

(b) If you request a paper Bill when that is not the standard method for a Plan, the extra Charge is $5 per Bill, or as otherwise notified by us to you.

20. Late billing

Some Charges in a Bill may relate to a previous Billing Period, if such Charges were not included in any previous Bill or remain unpaid.  We do not waive our right to require payment of applicable Charges by not including the Charges in a Bill.

21. When you must pay

(a) Where a Direct Debit or credit card arrangement applies, we may debit payment for Charges:

(i) 14 days after they are billed (if we issue a Bill for the Service); or

(ii) 14 days after the end of the current Billing Period (if we do not issue a Bill for the Service).

(b) If any Bill is overdue for payment, you must pay that Bill and any other Bill immediately.

(c) You must pay a Bill within 14 days after the date of the Bill, unless your Application Form or Plan states otherwise.

22. How you can Pay

(a) If your Plan or Application Form specifies ‘Direct Debit only’ (or similar) then:

(i) Direct Debit payment is a precondition to supply of Service to you.

(ii) We may suspend Service if Direct Debit arrangements are not maintained. We are under no obligation to provide any notice of a suspension of Service under this clause 22(a)(ii).   Our right to suspend Service under this clause 22(a)(ii) is not waived or otherwise affected by any notification we provide to you in relation to your failure to maintain Direct Debit arrangements.

(iii) You must not cause to be reversed any Direct Debit payment to us, unless you have our prior written approval. Otherwise, you must pay our reasonable costs (including legal fees if necessary) of reinstating the transaction.

(b) In any other case:

(i) Direct Debit is our preferred payment method and incurs no card surcharges.

(ii) You may pay by MasterCard or Visa (or any other card we notify you that we accept) or direct deposit.

(iii) Payments made using credit cards may be subject to a credit card surcharge. Unless your Application Form states otherwise, non-Direct Debit payments attract a monthly credit card surcharge of $5 and, in addition to our usual credit card processing fee, Amex or Diners Club will attract an extra 2% surcharge.

(c) If any payment you make is dishonored, we may charge you a reasonable payment dishonor fee and recover from you any fees charged by our bank which result from the dishonored payment.

23. Late payment

If a Bill is not paid on time:

(a) you are in breach of your Contract, and

(b) we may also charge:

(i) a reasonable late fee; and

(ii) any collection fees and expenses that we incur, including any costs that we incur in engaging debt collection agencies to recover dishonoured payments.

24. Billing

(a) Our records of what you owe us are deemed to be right unless you show them to be wrong.

(b) If you dispute a Bill, you must pay it on time and without set off. We shall credit you if it is later determined that you are entitled to a credit.

(c) You may not raise a billing dispute more than 12 months after a Bill is issued, and we will not pay a refund or give a credit in respect of a period prior to that.

25. Taxes

(a) Each party shall be responsible for its own Taxes arising out of its performance under this Agreement. Unless otherwise stated, when you pay Charges on your Service, you’ll also pay us an additional amount that’s equal to the Taxes on the Charges or Services.

(b) If you are exempt from any such Taxes for any reason, we will exempt you from such Taxes on a going-forward basis once you deliver a duly executed and dated valid exemption certificate to our tax department and our tax department has approved such exemption certificate. Such exemptions should be sent directly to collections@messagemedia.com.au.

(c) If you are required by law to make any deduction or withholding on account of any Taxes from payments due under this Agreement, you must increase the payment due so that, after deducting or withholding such Tax, we receive an amount equal to the amount we would have received had no deduction or withholding been made.

26. Representations and Warranties

(a) Mutual Representations and Warranties. Each party represents and warrants to the other that (i) this Agreement constitutes a legal, valid and binding obligation, enforceable against it in accordance with its terms; (ii) the party’s obligations under this Agreement do not violate any law or breach any other agreement to which such party is bound; (iii) it has all necessary right, power and ability to execute this Agreement and to perform its obligations therein; and (iv) no authorization or approval from any third party is required in connection with such party’s execution, delivery or performance of this Agreement.

(b) Your Representations and Warranties. You represent and warrant that you are engaged in a lawful business and are duly licensed to conduct such business under the laws of all jurisdictions in which you conduct business. You further represent and warrant that all statements made by you in this Agreement, or in any other document relating hereto by you or on your behalf, are to the best of your knowledge true, accurate and complete. To the extent applicable to you, you will comply with all Applicable Laws, regulations, rules, ordinances and orders of governmental authorities having jurisdiction over you and your business.

(c) Our Representations and Warranties. We represent and warrant that we will provide the Services in a professional manner consistent with the level of care, skill, practice and judgment exercised by other professionals in performing Services of a similar nature under similar circumstances by personnel with requisite skills, qualifications and licenses needed to carry out such work, and in compliance with all applicable laws, regulations, rules, ordinances and orders of governmental authorities having jurisdiction over us and our business, and in a timely and commercially reasonable manner.

Warranties

27. Indemnities and Limitation of Liability

(a) You shall indemnify and hold us, our affiliates, and our respective officers, directors and employees harmless from and against any and all costs (including reasonable attorneys’ fees), expenses, loss, liabilities, suits, actions, damages or claims or proceedings arising or in any other way connected with (a) any wilful or negligent act or omission by you, your employees, agents or contractors; (b) any Messages sent by you whether or not the claim is brought or made by one of our customers, a recipient, or another party; (c) your non-compliance with any terms of this Agreement; or (d) your use of your Account or the Messaging Services, or any other person using you username and password.

(b) We will indemnify and hold you and your affiliates, and your respective officers, directors and employees harmless from and against any and all costs (including reasonable attorneys’ fees), expenses, loss, liabilities, suits, actions, damages or claims or proceedings arising or in any other way connected with (a) any wilful or negligent act or omission by us, our employees, agents or contractors; or (b) any knowing infringement of any other party’s patent or trademark.

(c) An Indemnified Party shall promptly provide the Indemnifying Party with written notice upon learning of any Claims or complaints that may reasonably result in the indemnification of the Indemnified Party, provided, however, that failure by the Indemnified Party to provide prompt notice to the Indemnifying Party shall not relieve the Indemnifying Party of its obligations under this clause 27, unless the Indemnifying Party’s ability to defend the Claim has been materially disadvantaged or compromised.

(d) Any indemnity in this Agreement is a continuing obligation, independent of other obligations under this Agreement and continues after this Agreement ends.

28. Recipient Information and Disclaimers

(a) You, on your own behalf and on behalf of your recipients, hereby grants to us the non-exclusive right to access and use certain recipient information as is necessary for us to provide the Messaging Services. You represent and warrant that you possess all rights, consents and permissions necessary to use and disclose recipient information in connection with the Messaging Services and this Customer Contract and that you have authority to grant us the rights set forth in this clause.

(b) You acknowledge that we exercise no control over, and will have no liability for, any recipient information. You will be responsible at all times for maintaining the accuracy, timeliness and security of your and your recipient’s information, and we bear no liability for the accuracy, loss or damage in part or whole, of such information or failure to store any such information.

(c) EXCEPT AS OTHERWISE SPECIFICALLY PROVIDED HEREIN AND TO THE MAXIMUM EXTENT PERMITTED BY LAW, WE DO NOT MAKE ANY REPRESENTATIONS, WARRANTIES, CONDITIONS OR GUARANTIES WITH RESPECT TO THIS CUSTOMER CONTRACT OR THE MESSAGING SERVICES, INCLUDING WITH RESPECT TO THE RESULTS THAT MAY BE OBTAINED FROM YOUR USE OF THE MESSAGING SERVICES OR THE RELIABILITY, TIMELINESS, QUALITY, SUITABILITY, AVAILABILITY, ACCURACY OR COMPLETENESS OF THE MESSAGING SERVICES. WE EXPRESSLY DISCLAIM ANY AND ALL WARRANTIES, CONDITIONS, REPRESENTATIONS, AND GUARANTEES WITH RESPECT TO THIS CUSTOMER CONTRACT AND THE MESSAGING SERVICES, WHETHER EXPRESS OR IMPLIED, ARISING BY LAW, CUSTOM, PRIOR ORAL OR WRITTEN STATEMENTS, OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, ANY WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, OR ANY IMPLIED WARRANTIES ARISING OUT OF COURSE OF PERFORMANCE, COURSE OF DEALING OR USAGE OF TRADE. THE SMS MESSAGING SERVICE IS PROVIDED ON AN “AS-IS” BASIS. NO REPRESENTATION OR OTHER AFFIRMATION OF FACT, INCLUDING, WITHOUT LIMITATION, STATEMENTS REGARDING CAPACITY, SUITABILITY FOR USE OR PERFORMANCE OF THE MESSAGING SERVICES, WHETHER OR NOT CONTAINED IN THIS CUSTOMER CONTRACT SHALL BE DEEMED TO BE A WARRANTY BY US.

(d) IN NO EVENT SHALL WE HAVE ANY LIABILITY TO YOU FOR ANY LOST PROFITS OR FOR ANY INDIRECT, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR SPECIAL DAMAGES OF ANY KIND OR NATURE HOWEVER CAUSED AND, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, WHETHER OR NOT WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN ADDITION, IN NO EVENT SHALL OUR AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS CUSTOMER CONTRACT, WHETHER IN CONTRACT, TORT, OR UNDER ANY THEORY OF LIABILITY EXCEED THE FEES ACTUALLY PAID BY YOU TO US IN THE SIX (6) MONTHS PRECEDING THE INCIDENT GIVING RISE TO THE CLAIM.

(E) YOU MAY NOT BRING A CLAIM AGAINST US AS A CLASS MEMBER IN ANY PURPORTED CLASS ACTION OR REPRESENTATIVE PROCEEDING.

Termination and Suspension

29. Termination by us

We may, by written notice to you, terminate your Contract:

(a) immediately if you are in material breach of your Contract (including but not limited to a failure to pay us on time, a breach of the Acceptable Use Policy or a breach of the Privacy Laws) and you fail to remedy such breach within 7 days of being served notice to do so;

(b) immediately if you breach clause 4(a) (preferred supplier) or 4(b) (exclusive supplier) and you fail to remedy such breach within 14 days of being served notice to do so;

(c) immediately if you suffer an Insolvency Event;

(d) immediately if we become entitled to suspend the Service, and the suspension continues for more than a month;

(e) immediately if we reasonably suspect that you, your Staff or your End User has infringed or attempted to infringe our Intellectual Property Rights;

(f) immediately if you cause to be reversed any Direct Debit or credit card payment to us (except with our prior written agreement);

(g) immediately if it is necessary to do so in order to comply with a warrant or other court order, or as otherwise required or authorized by law;

(h) immediately if we reasonably suspect fraud or attempted fraud involving the Service;

(i) immediately if you are, or become, a carrier or carriage service provider under applicable telecommunications laws; or

(j) in any other circumstances stated elsewhere in your Contract.

30. Termination by you

You may terminate your Contract:

(a) immediately, by giving us written notice, if we are in material breach of your Contract and we fail to remedy that breach within 14 days of being served notice to do so;

(b) immediately, by giving us written notice, if we suffer an Insolvency Event;

(c) by giving us 14 days’ written notice, if an Intervening Event occurs and you are unable to use the Service for more than 30 days;

(d) by giving us 14 days’ written notice, if you reasonably suspect that we have infringed or attempted to infringe your Intellectual Property Rights; or

(e) in any other circumstances stated elsewhere in your Contract.

31. Consequences of Termination

If your Contract ends:

(a) during the period of the Minimum Term then you will be required to immediately pay us the Early Termination Fee (other than if you terminate your Customer Contract pursuant to clauses 30(b), (c) or(d). You acknowledge and agree that any liability to pay us an Early Termination Fee does not prejudice any other right we may have to claim damages as a result of the termination;

(b) our obligations to you under your Contract are at an end;

(c) you must immediately cease use of any of our Services supplied under that Contract;

(d) we may Bill you for any Services we have not yet invoiced and all other amounts we are entitled to under your Customer Contract;

(e) all Bills are payable immediately;

(f) you authorize us to recover any outstanding Charges and Early Termination Fees from any overpayment you have made, or Direct Debit them from your credit card or bank account if you normally pay by Direct Debit;

(g) it does not affect the accrued rights or liabilities of either party; and

(h) it does not affect the provisions which expressly or by implication are intended to operate after termination including, without limitation clauses 12, 13 and 14 and the limitations of liability and rights of indemnity.

32. Suspension of Service

(a) We may suspend a Service or all Services at any time, without liability and without any requirement to provide notice to you, if:

(i) there are problems with the Network, or we or our Providers need to suspend the Services to conduct operational and maintenance work on the Network;

(ii) you fail to pay any amount owing to us in respect of the Service under your Customer Contract (which is not the subject of a bona fide dispute) by the due date, and you fail to pay that amount within the period specified in any subsequent notice we send you;

(iii) you breach your Customer Contract or we reasonably believe you are in breach of your Customer Contract, including terms relating to your use of the Service or any Acceptable Use Policy;

(iv) there is an emergency;

(v) there is a threat or risk to the security of the Service or integrity of the Network;

(vi) the Service may cause death, personal injury or damage to property;

(vii) we are required to do so to comply with any Law or direction of any Regulator;

(viii) an Intervening Event occurs;

(ix) your Account remains inactive for a period of 12 months or more;

(x) we exercise discretion to block a Service in relation to a specific overseas territory, for any reason that we consider appropriate; or

(xi) we are otherwise entitled to do so under your Customer Contract.

Upon written request, we will provide a written explanation of the circumstances surrounding the suspension.

(b) Whilst we are under no obligation to provide any notice of a suspension of Service under clause 32(a), our right to suspend Service under clause 32(a) is not waived or otherwise affected by any notification we provide to you in relation to the circumstances or events that rise to our right to suspend Service.

 

33. Charges during a period of suspension

If we suspend Service:

(a) because of your fault or breach of your Contract – you remain liable for all Charges payable under your Contract during the period of suspension;

(b) otherwise – you are entitled to a pro rata reduction in Charges in respect of the period of suspension.

General

34. General power to vary your Contract

Subject to clause 35 and without limiting our rights under clauses 15 (b) – (e):,

(a) we may vary your Contract from time to time on 14 days’ written notice to you; and

(b) any variations that have been deemed to be accepted pursuant to clause 35 will take effect 15 days after the date of any notice.

35. Customer Right to terminate on Receipt of Notice of Variation

If you do not accept the variation set out in a notice from us pursuant to clause 34 you must notify us in writing within 14 days. If you fail to do so, you will be deemed to have accepted the variation. If you notify us that you do not agree to the variation, then we must discuss the proposed variation in good faith. If no agreement on the variation is achieved within 10 Business Days either party may terminate this Customer Contract by providing 30 days’ written notice to the other party.

36. Acknowledgments

You acknowledge that:

(a) there has been no reliance by you on our skill or judgement or written or oral representations in deciding whether our Service is fit for a particular purpose or meets particular criteria;

(b) the internet is not an inherently secure system and you undertake responsibility for the protection of your information and data;

(c) the internet may contain viruses (including other destructive programs), which may, if not eliminated, destroy parts or all of the data contained within your system, and that we have no control over these viruses; and

(d) we do not provide any filtering or checking of data to eliminate these viruses, and you agree to provide your own mechanism for checking your system for viruses, and to indemnify us against any damage caused by viruses obtained through the Service.

37. Assignment

(a) We may assign all or part of our rights and obligations under your Contract without your consent.

(b) You cannot assign all or part of your rights and obligations under your Contract unless we agree in writing.

38. Governing law

This Agreement shall be governed and interpreted according to the laws of the State of California, except for its conflict of laws principles and any dispute arising out of or relating to this Agreement shall be brought and heard in a state or federal court located in the City and County of San Francisco, California. To the extent permitted by law, each party also waives any right to jury trial in connection with any action or litigation related to this Agreement.

39. Entire agreement

Your Contract is the entire agreement between you and us regarding its subject matter, and you acknowledge that:

(a) your Contract does not include any term, condition, warranty, representation or guarantee that is not expressly set out in it; and

(b) you have not relied on any representation that is not expressly set out in your Contract.

40. Delays

(a) Time is not of the essence in the performance of our obligations, including the provision of Services, under your Contract.

(b) We are not liable to you for any delay in the provision of any Service.

(c) You may not cancel or amend an order for a service on the grounds of any delay in providing it.

41. No waiver

A failure, delay, relaxation or indulgence by us in exercising any power or right conferred under your Contract (such as a right that we have due to your breach of your Contract) does not operate as a waiver of the power or right.

Interpretation and Definitions

42. Interpreting your Contract

(a) If an expression is defined in clause 43, that is what it means.

(b) If an expression is defined in clause 43, grammatical derivatives of that expression have a corresponding meaning. (For instance, if ‘to color’ means ‘to paint blue’, then ‘colored’ means ‘painted blue’.)

(c) Expressions like ‘includes’, ‘including’, ‘eg’ and ‘such as’ are not words of limitation. Any examples that follow them are not to be taken as an exhaustive list.

(d) Headings are only for convenience. They are to be ignored when interpreting our Customer Terms.

(e) A schedule to a document is part of that document.

(f) A reference to the singular includes the plural and vice versa.

(g) There is no significance in the use of gender-specific language.

(h) A ‘person’ includes any entity which can sue and be sued.

(i) A ‘person’ includes any legal successor to or representative of that person.

(j) A reference to a law includes any amendment or replacement of that law.

(k) Anything that is unenforceable must be read down, to the point of severance if necessary.

(l) Anything we can do, we may do through an appropriately authorized representative.

(m) Any matter in our discretion is in our absolute and unfettered discretion.

(n) A reference to a document includes the document as modified from time to time and any document replacing it.

(o) The word ‘month’ means calendar month and ‘year’ means 12 months.

(p) The words ‘in writing’ include any communication sent by letter or email or any other form of communication capable of being read by the recipient.

(q) A reference to all or any part of a statute, rule, regulation or ordinance (statute) includes that statute as amended, consolidated, re-enacted or replaced from time to time.

(r) Money amounts are stated in US currency unless otherwise specified.

43. Definitions

The expression:	means:
Acceptable Use Policy	a policy so titled and issued under clause 6
Account	the Customer’s entitlement to Messaging Services subject to your Customer Contract and, where relevant, includes any Service features, associated usernames or passwords
API	an application programming interface
Application or Application Form	your application to us to access Messaging Services, in a form we specify from time to time which may also contain features, entitlements, Charges and special conditions in connection with a Service
Automatic Direct Debit	a periodic payment that is automatically deducted by us from your nominated financial institution account
Bill	an invoice from us, in the form specified in your Application Form, which advises you of the total of each Charge that is due for payment
Billing Period	see clause 18.1(a)
Business Day	a week day on which trading banks are open for the transaction of banking business in Melbourne, Victoria
Cardholder Data	cardholder name, expiration date, and/or service code and such other cardholder data included in the applicable definition of Cardholder Data in the PCI Security Standards from time to time
Carrier	a telecommunications carrier
Charges	fees and/or charges applicable under your Customer Contract including any Surcharges where applicable
Claim	any claim, demand, action, proceeding or legal process (including by way of set off, cross-claim or counterclaim)
Confidential Information	in relation to each party (for the purposes of this definition, the Discloser’s all information relating to or used by the Discloser, including know-how, trade secrets, ideas, marketing strategies and operational information; all information concerning the business affairs (including products, services, customers and suppliers) or property of the Discloser, including any business, property or transaction in which the Discloser may be or may have been concerned or interested; any other information disclosed by or on behalf of the Discloser which, by its nature or by the circumstances of its disclosure, is or could reasonably be expected to be regarded as confidential; the terms and the actual existence of your Contract; and including any such information made available to the Discloser by any third party, but excluding any information that: is publicly known or becomes publicly known other than by breach of this Contract or any other obligation of confidentiality; is disclosed to the other party without restriction by a third party and without any breach of confidentiality by the third party; or is developed independently by the other party without reliance on any of the Discloser’s Confidential Information
Content	the content of a Message you send or receive
Conversation	for the purposes of clause 15(h) in the context of multichannel messaging / messaging on social channels, means a 24-hour session of unlimited two-way messaging with one End User on one social channel, commencing with the first business-initiated message sent in reply to an End User message
Customer	the customer named in the Application Form
Customer Contract	see clause 1
Customer Terms	the terms and conditions set out in Part A of this document
Direct Debit	a payment that is deducted by us from your nominated financial institution account, including an Automatic Direct Debit
Early Termination Fee	is calculated as follows – (45% of the average amount we have invoiced you from the commencement of the Contract until the date of termination) multiplied by (the number of remaining months (or any part thereof) of the Minimum Term
End User	a person who receives a Message you send using your Account, and a person who sends you a Message via your Account
Equipment	a handset, modem, router or other hardware
Facilities	systems, software, computers, equipment and network infrastructure of all kinds used to provide or in connection with the provision of a Service
GDPR	the General Data Protection Regulation (Regulation (EU) 2016/6790)
Insolvency Event	includes an event where a receiver or receiver and manager is appointed over a party’s property or assets, an administrator, liquidator or provisional liquidator is appointed to the party, the party enters into any arrangement with its creditors, the party becomes unable to pay its debts when they are due, the party is wound up or becomes bankrupt, or any other analogous event or circumstance occurs under the laws of any jurisdiction
Integrations	is defined in Part D
Intellectual Property Rights	Includes all right, title and interest wherever subsisting (now or in the future) throughout the world, and whether registered or not, in and to: copyright, neighboring rights, moral rights and the protection of databases, circuit layouts, topographies and designs; methods, inventions, patents, utility models, trade secrets, confidential information, technical and product information; and trade-marks, business and company names and get ups, and includes the right to apply for registration, grant or other issuance of the rights described in paragraphs (a), (b) and (c) above and any other rights generally falling within this term
Intervening Event	an event beyond our reasonable control which interferes with and prevents us from providing the Services to you. Such events include any act or omission of our Providers, any disruption to our or our Providers’ networks, infrastructure and equipment, failure of any electrical power supply, changes to any laws or regulations, industrial action and acts of God including but not limited to lightning strikes, earthquakes, floods or other natural disaster
Law	laws, Acts of Congress, regulations, mandatory standards and industry codes and including the requirements or directions of any regulatory body
Message	an SMS, MMS or OTT Message
Message Credits	a credit equal to your Monthly Access Fee that may be applied to your Messaging Fees for that month, subject to clause 5
Messaging Fee	a Charge per Message sent or received on your Account
Messaging Service	a telecommunications service for sending and/or receiving and/or processing Messages
Minimum Term	the period specified in your Plan or Application Form, or if your Plan or Application Form does not so specify, means 12 months
MMS	a message including text and/or multimedia content carried by the multimedia messaging service developed by the Open Mobile Alliance, whether it originates or terminates on a mobile phone or another kind of computer
MMS Service	a Messaging Service for MMS
Monthly Access Fee	the charge identified as such in a Plan or Application Form
Network	see clause 3.1(c)
Operational Directions	Any direction we give you in relation to the Services or your Account in accordance with clause 7
OTT Message	is an instant message that uses the internet for transmission
Our Facilities	Facilities we own and/or operate
Personal Information	as defined in Privacy Laws from time to time
Periodic Entitlements	see clause 5
Plan	a particular set of features, entitlements, term of contract, Charges and special conditions in connection with a Service. Many of our Services are available under different Plans, each with its own features, entitlements, contract period, Charges and special conditions. The terms of your Plan form part of your Customer Contract
Privacy Laws	the Telephone Consumer Protection Act (TCPA) and applicable Federal Communications Commission (FCC) regulations; the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN SPAM) and applicable FCC and Federal Trade Commission (FTC) regulations; as such may be amended from time to time
Professional Services	advisory services which may include the design and creation of text and/or images used in an SMS and/or MMS and includes, without limitation, concepts, ideas, innovation and development work to further enhance the Messaging Services. Professional Services may also include the management of the delivery or execution of a process or campaign on behalf of the Customer
Provider	a third party that, under a contract with us, provides (a) access to Facilities they manage or maintain or (b) content or (c) a service – that we resupply to you
Regulator	Includes, but is not limited to the Federal Trade Commission and the Federal Communications Commission and any other government or statutory body or authority with jurisdiction relevant to the activities covered under this Agreement.
Reseller	a Customer whose Application Form states that they are appointed as a reseller of the Supplier’s Services
Restricted Content	Content that: is likely to be offensive to reasonable consumers; is likely to be unsuitable for minors; promotes, incites or instructs in matters of crime; describes, incites or promotes unlawful sexual activity; promotes or incites violence or hatred against any person or group, or incites racial hatred; causes unnecessary alarm, distress or panic or is menacing in character; contains a computer worm or virus; breaches any Law; is in contravention of any privacy rules; infringes the confidentiality, copyright or other intellectual property rights or any other proprietary interest of any person; is false, misleading or deceptive, or likely to mislead or deceive; provides financial advice to any person; is out of date, having regard to information generally available, subsequently published, or released, or made available; or is for the purpose of providing any warning or notification about a serious risk to the safety of persons or property (for example, emergency services)
SDK	a software development kit
Services	a service (including any Equipment) which we provide to you as defined in your Contract
SMS	a text message carried by the short message service that was originally developed for use on the GSM mobile telephone network, whether it originates or terminates on a mobile phone or another kind of computer
SMS Service	a Messaging Service for SMS
Staff	any person, whether your employee, contractor or otherwise, who uses your Account
Standard Contractual Clauses	The EU Standard Contractual Clauses between controller to processor and between processor to processor approved by the European Union, as set out in Part E.
Standard Rate Messages	Messages that are billed by telecommunications carriers at standard rates, and in particular are not premium rate Messages, which are billed by such carriers at premium rates
Supplier	the entity described as such in the Application Form and/or your Plan and/or on the website on which these Customer Terms are published
Surcharges	carrier surcharges as notified to you on our website, or otherwise in writing and set out in your invoice
Taxes	Applicable federal, state and local taxes, fees, charges, telecommunications provider (e.g., carrier) surcharges or other similar exactions, including, without limitation, sales and use taxes, communications service taxes, utility user’s taxes or fees, excise taxes, VAT, GST, other license or business and occupations taxes, 911 taxes, franchise fees and universal service fund fees or taxes. Taxes do not include any Taxes that are imposed on or measured by our net income, property tax, or payroll taxes
Unrestricted Content	Content that is not Restricted Content

 

Part B – Professional Services Service Terms

44. About this Part

This Part applies when we supply you with Professional Services.

45. Quote and Specifications

Prior to providing any Professional Services we will agree:

(a) the specifications and requirements for the Professional Services; and

(b) total estimated cost of the Professional Services.

46. Deposit for Services

We may require you to pay a deposit (of up to 35% of total estimated cost) for any Professional Services that you have asked us to provide to you.

47. Approval of Professional Services

Where we undertake Professional Services or any form of professional services, Customer will not unreasonably withhold signoff and approval of the completed project, where we are able to reasonably demonstrate that we have met the agreed specifications or requirements.

48. Customer Warranty

Customer warrants that all Content provided to us in relation to the provision of the Professional Services is duly licensed or authorized and not in breach of any law, third party rights or trademarks. The Customer further accepts without limitation that any fees, royalties or other payments for use of Content are to be paid by the Customer.

49. Payment

Upon completion of the Professional Services you agree to pay the total cost of the Professional Services within 14 days of receipt of an invoice for such services.

Part C – Reseller Terms

50. About this Part

This Part C applies if your Application Form states that you are a Reseller.

51. Reseller Rights

We grant you the non-exclusive and non-transferable right to market and resell the Services to your customers.

52. Reseller Independence

Your business is an independent business. Accordingly:

(a) you are not, and must not (in any circumstances) hold yourself out as our agent, associate or affiliate;

(b) you must not represent that we are in any way the owner or operator of your business;

(c) your acts or omissions do not bind us;

(d) this Customer Contract does not constitute either you or us as a joint venturer, partner, agent, employee or fiduciary of the other.

53. Provision of Services to Others

You:

(a) will enter in to separate legal agreements with your customers to whom you resell the Services which contain terms and conditions substantially similar to but no less restrictive than the Customer Terms;

(b) expressly acknowledge that we will not, at any time, be responsible for or liable for the Content or the destination of any Content conveyed by or to you;

(c) agree that, if you become aware that any End User does not wish to continue to receive Messages, you will take all necessary steps, including notifying us, to ensure that the End User does not continue to receive Messages; and

(d) must comply with any applicable developer terms, including security terms, in relation to your use of developer APIs.

Part D – Additional Security Terms applicable to use of our API

This Part D applies to all Customers and Resellers who use our API for integrations, including integrations with the Customer’s or Reseller’s systems or other applications and/or to build integrations (“Integrations“).

54. Information Security

(a) In relation to your use of our API in Integrations, without limiting any other obligation you have under your Customer Contract and/or Reseller arrangement, you agree as follows:

(i) you will implement and maintain in place appropriate administrative, physical, and technical data security safeguards and controls, in accordance with best industry standards, that are designed to prevent unauthorized access, use, processing, storage, destruction, loss, alteration, disclosure of Personal Information and other sensitive data and confidential information;

(ii) you will comply with all applicable Laws (including the Privacy Act and all other applicable data security and privacy laws and regulations);

(iii) you will keep all credentials that we issue to you strictly confidential and not disclose them to any third party;

(iv) if you become aware of any data breach or other security deficiency or we notify you of any such breach or deficiency, you will:

(A) follow our reasonable instructions to immediately correct any security deficiency, and will immediately disconnect any intrusions or intruders; and

(B) not release any public statements (including, without limitation, any press release, blog post or social media.) without our prior written approval to the proposed statement;

(b) We do not accept responsibility or liability for any loss or damage arising from your failure to maintain the security of your Integration or login, password or other security or identification credentials.

(c) You agree that we may monitor use of the our API in your Integrations to ensure quality, improve our products and services, identify security issues and verify your compliance with this Part D, which may include us accessing and using your Integration and associated applications for any of the foregoing purposes. You agree not to interfere with our monitoring activities under this clause 54(c) and you agree that we may use any technical means to overcome such interference. We may suspend your access to our API without notice if we reasonably believe that you are in violation of any provision of this Part D.

(d) You agree not to use our API in any Integrations that run applications on our servers.

(e) Your networks, operating system and software of your web servers, routers, databases, and computer systems (collectively, “Developer System”) must be properly configured to Internet industry standards so as to securely operate the application(s) associated with use of our API and protect against unauthorised access to, disclosure or use of any information you receive from us. If you do not completely control any aspect of the Developer System, you will use all practicable measures to procure compliance with this Part D by any relevant third party. You must correct any security deficiency as soon as practicable and disconnect immediately any known or suspected intrusions or intruder.

55. API use restrictions

When using our API, you will, and you will ensure that your employees, agents and service providers will:

(i) only use our API (including SDKs) to develop and distribute applications or content for your use with the Services;

(ii) restrict disclosure of the API credentials, or any part thereof, to your agents, employees, or services providers, who must require access to use, maintain, implement, correct or update your application in accordance with this Part D, and who are subject to confidentiality obligations the same as or greater than those contained in clause 12;

(iii) not distribute, sell, lease, rent, lend, transfer, assign or sublicense any rights granted in relation to our API to any third party;

(iv) not use or access our API or a Service in order to monitor the availability, performance, or functionality of our API or any Service or for any similar benchmarking purposes;

(v) not remove or destroy any copyright notices, proprietary markings or confidentiality notices placed upon, contained within or associated with our API;

(vi) not engage in any activity that interferes with, disrupts, harms, damages, or accesses in an unauthorized manner our servers, security, networks, data, applications or our other properties or services or those of any third party;

(vii) not circumvent technological measures intended to prevent direct database access, or manufacture tools or products to that effect;

(viii) not modify, translate, reverse engineer, disassemble, reconstruct, decompile, copy, or create derivative works of our API or any Service, except to the extent that this restriction is expressly prohibited by applicable law;

(ix) not bypass our API restrictions for any reason, including automating administrative functions;

(x) not, except as authorised by us in writing, substantially replicate our API, a Service or our other products or services or those of any of our Related Bodies Corporate;

(xi) not develop applications that excessively burden our system, distribute spyware, adware or other commonly objectionable programs;

(xii) not develop an application that has the purpose of migrating our customers off our Services;

(xiii) not access or use our API to develop or distribute your application in any way in furtherance of criminal, fraudulent, or other unlawful activity, or otherwise violate the our Acceptable Use Policy;

(xiv) not request more than the minimum amount of data from our API needed by your application to provide the intended functionality of such application, or any data outside any permissions granted by a relevant third party merchant;

(xv) not falsify or alter any unique identifier in, or assigned to your application, or otherwise obscure or alter the source of queries coming from such application; and

(xvi) not include code in any of your applications which performs any operations not related to the services provided by the application, whether or not you have the consent of any relevant merchant or end user to do so. For the avoidance of doubt, this prohibited activity includes, without limitation, embedding or incorporating code into any application which utilises the resources of another computer for the purposes of cryptocurrency mining.

PART E – EC STANDARD CONTRACTUAL CLAUSES

This Part E forms part of your Customer Contract.

If you are located in the European Economic Area or are otherwise subject to the GDPR, the standard contractual clauses approved by European Commission Decision C2021/3972 dated 4 June 2021 (the “Standard Contractual Clauses”) will apply to any transfer of personal data under your Customer Contract, either directly or via onward transfer, to any country outside of the European Economic Area that does not have an adequacy decision under article 45 of the GDPR.  For transfers that are subject to the Standard Contractual Clauses, the Standard Contractual Clauses will be deemed entered into, incorporated into your Customer Contract by reference, and completed as set out below.

Three modules of the Standard Contractual Clauses may apply:

• if you provide us with personal data of your employees and representatives for the purposes of administering the Customer Contract and our business relationship – Module One (controller to controller) will apply to that data;
• if you provide us with personal data of message recipients for the purposes of allowing us to send messages and perform services under your Customer Contract, and you are a controller in relation to that data – Module Two (controller to processor) will apply to that data; and
• if you provide us with personal data of message recipients for the purposes of allowing us to send messages and perform services under your Customer Contract, and you are a processor in relation to that data – Module Three (processor to processor) will apply to that data.

Full details of these transfers are set out in the Appendix to the Standard Contractual Clauses.

SECTION I

Clause 1

Purpose and scope

1. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)^[1] for the transfer of personal data to a third country.
2. The Parties:
   1. 1. the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
      2. the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)

   have agreed to these standard contractual clauses (hereinafter: “Clauses”).

3. These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
4. The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

1. These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
2. These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

1. Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
   1. Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
   2. Clause 8 – Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g);
   3. Clause 9 – Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
   4. Clause 12 – Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
   5. Clause 13;
   6. Clause 15.1(c), (d) and (e);
   7. Clause 16(e);
   8. Clause 18 – Clause 18(a) and (b).
2. Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

1. Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
2. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
3. These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 – Not used

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

 

MODULE ONE: Transfer controller to controller

8.1         Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B. It may only process the personal data for another purpose:

1. where it has obtained the data subject’s prior consent;
2. where necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
3. where necessary in order to protect the vital interests of the data subject or of another natural person.

8.2         Transparency

1. In order to enable data subjects to effectively exercise their rights pursuant to Clause 10, the data importer shall inform them, either directly or through the data exporter:
   1. of its identity and contact details;
   2. of the categories of personal data processed;
   3. of the right to obtain a copy of these Clauses;
   4. where it intends to onward transfer the personal data to any third party/ies, of the recipient or categories of recipients (as appropriate with a view to providing meaningful information), the purpose of such onward transfer and the ground therefore pursuant to Clause 8.7.
2. Paragraph (a) shall not apply where the data subject already has the information, including when such information has already been provided by the data exporter, or providing the information proves impossible or would involve a disproportionate effort for the data importer. In the latter case, the data importer shall, to the extent possible, make the information publicly available.
3. On request, the Parties shall make a copy of these Clauses, including the Appendix as completed by them, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the Parties may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.
4. Paragraphs (a) to (c) are without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.3         Accuracy and data minimisation

1. Each Party shall ensure that the personal data is accurate and, where necessary, kept up to date. The data importer shall take every reasonable step to ensure that personal data that is inaccurate, having regard to the purpose(s) of processing, is erased or rectified without delay.
2. If one of the Parties becomes aware that the personal data it has transferred or received is inaccurate, or has become outdated, it shall inform the other Party without undue delay.
3. The data importer shall ensure that the personal data is adequate, relevant and limited to what is necessary in relation to the purpose(s) of processing.

8.4         Storage limitation

The data importer shall retain the personal data for no longer than necessary for the purpose(s) for which it is processed. It shall put in place appropriate technical or organisational measures to ensure compliance with this obligation, including erasure or anonymisation^[1] of the data and all back-ups at the end of the retention period.

8.5         Security of processing

1. The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the personal data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.
2. The Parties have agreed on the technical and organisational measures set out in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
3. The data importer shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4. In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the personal data breach, including measures to mitigate its possible adverse effects.
5. In case of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, the data importer shall without undue delay notify both the data exporter and the competent supervisory authority pursuant to Clause 13. Such notification shall contain i) a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), ii) its likely consequences, iii) the measures taken or proposed to address the breach, and iv) the details of a contact point from whom more information can be obtained. To the extent it is not possible for the data importer to provide all the information at the same time, it may do so in phases without undue further delay.
6. In case of a personal data breach that is likely to result in a high risk to the rights and freedoms of natural persons, the data importer shall also notify without undue delay the data subjects concerned of the personal data breach and its nature, if necessary in cooperation with the data exporter, together with the information referred to in paragraph (e), points ii) to iv), unless the data importer has implemented measures to significantly reduce the risk to the rights or freedoms of natural persons, or notification would involve disproportionate efforts. In the latter case, the data importer shall instead issue a public communication or take a similar measure to inform the public of the personal data breach.
7. The data importer shall document all relevant facts relating to the personal data breach, including its effects and any remedial action taken, and keep a record thereof.

8.6         Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences (hereinafter “sensitive data”), the data importer shall apply specific restrictions and/or additional safeguards adapted to the specific nature of the data and the risks involved. This may include restricting the personnel permitted to access the personal data, additional security measures (such as pseudonymisation) and/or additional restrictions with respect to further disclosure.

8.7         Onward transfers

The data importer shall not disclose the personal data to a third party located outside the European Union^[1] (in the same country as the data importer or in another third country, hereinafter “onward transfer”) unless the third party is or agrees to be bound by these Clauses, under the appropriate Module. Otherwise, an onward transfer by the data importer may only take place if:

1. it is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
2. the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;
3. the third party enters into a binding instrument with the data importer ensuring the same level of data protection as under these Clauses, and the data importer provides a copy of these safeguards to the data exporter;
4. it is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings;
5. it is necessary in order to protect the vital interests of the data subject or of another natural person; or
6. where none of the other conditions apply, the data importer has obtained the explicit consent of the data subject for an onward transfer in a specific situation, after having informed him/her of its purpose(s), the identity of the recipient and the possible risks of such transfer to him/her due to the lack of appropriate data protection safeguards. In this case, the data importer shall inform the data exporter and, at the request of the latter, shall transmit to it a copy of the information provided to the data subject.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.8         Processing under the authority of the data importer

The data importer shall ensure that any person acting under its authority, including a processor, processes the data only on its instructions.

8.9         Documentation and compliance

1. Each Party shall be able to demonstrate compliance with its obligations under these Clauses. In particular, the data importer shall keep appropriate documentation of the processing activities carried out under its responsibility.
2. The data importer shall make such documentation available to the competent supervisory authority on request.

 

MODULE TWO: Transfer controller to processor

8.1         Instructions

1. The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
2. The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

8.2         Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3         Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4         Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5         Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6         Security of processing

1. The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
2. The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3. In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
4. The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7         Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8         Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union^[1] (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

1. the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
2. the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;
3. the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
4. the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9         Documentation and compliance

1. The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
2. The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
3. The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
4. The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
5. The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

MODULE THREE: Transfer processor to processor

8.1         Instructions

1. The data exporter has informed the data importer that it acts as processor under the instructions of its controller(s), which the data exporter shall make available to the data importer prior to processing.
2. The data importer shall process the personal data only on documented instructions from the controller, as communicated to the data importer by the data exporter, and any additional documented instructions from the data exporter. Such additional instructions shall not conflict with the instructions from the controller. The controller or data exporter may give further documented instructions regarding the data processing throughout the duration of the contract.
3. The data importer shall immediately inform the data exporter if it is unable to follow those instructions. Where the data importer is unable to follow the instructions from the controller, the data exporter shall immediately notify the controller.
4. The data exporter warrants that it has imposed the same data protection obligations on the data importer as set out in the contract or other legal act under Union or Member State law between the controller and the data exporter^[1].

8.2         Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B., unless on further instructions from the controller, as communicated to the data importer by the data exporter, or from the data exporter.

8.3         Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the data exporter may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.

8.4         Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to rectify or erase the data.

8.5         Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the controller and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6         Security of processing

1. The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter or the controller. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
2. The data importer shall grant access to the data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3. In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify, without undue delay, the data exporter and, where appropriate and feasible, the controller after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the data breach, including measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
4. The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify its controller so that the latter may in turn notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7         Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards set out in Annex I.B.

8.8         Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the controller, as communicated to the data importer by the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union^[1] (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

1. the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
2. the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679;
3. the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
4. the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9         Documentation and compliance

1. The data importer shall promptly and adequately deal with enquiries from the data exporter or the controller that relate to the processing under these Clauses.
2. The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the controller.
3. The data importer shall make all information necessary to demonstrate compliance with the obligations set out in these Clauses available to the data exporter, which shall provide it to the controller.
4. The data importer shall allow for and contribute to audits by the data exporter of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. The same shall apply where the data exporter requests an audit on instructions of the controller. In deciding on an audit, the data exporter may take into account relevant certifications held by the data importer.
5. Where the audit is carried out on the instructions of the controller, the data exporter shall make the results available to the controller.
6. The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
7. The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

MODULE TWO: Transfer controller to processor

1. The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 10 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
2. Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects.[1] The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
3. The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
4. The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
5. The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

MODULE THREE: Transfer processor to processor

1. The data importer has the controller’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the controller in writing of any intended changes to that list through the addition or replacement of sub-processors at least 10 days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the controller with the information necessary to enable the controller to exercise its right to object. The data importer shall inform the data exporter of the engagement of the sub-processor(s).
2. Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the controller), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects.[1] The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
3. The data importer shall provide, at the data exporter’s or controller’s request, a copy of such a sub-processor agreement and any subsequent amendments. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
4. The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
5. The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10

Data subject rights

 

MODULE ONE: Transfer controller to controller

1. The data importer, where relevant with the assistance of the data exporter, shall deal with any enquiries and requests it receives from a data subject relating to the processing of his/her personal data and the exercise of his/her rights under these Clauses without undue delay and at the latest within one month of the receipt of the enquiry or request.^[1] The data importer shall take appropriate measures to facilitate such enquiries, requests and the exercise of data subject rights. Any information provided to the data subject shall be in an intelligible and easily accessible form, using clear and plain language.
2. In particular, upon request by the data subject the data importer shall, free of charge :
   1. provide confirmation to the data subject as to whether personal data concerning him/her is being processed and, where this is the case, a copy of the data relating to him/her and the information in Annex I; if personal data has been or will be onward transferred, provide information on recipients or categories of recipients (as appropriate with a view to providing meaningful information) to which the personal data has been or will be onward transferred, the purpose of such onward transfers and their ground pursuant to Clause 8.7; and provide information on the right to lodge a complaint with a supervisory authority in accordance with Clause 12(c)(i);
   2. rectify inaccurate or incomplete data concerning the data subject;
   3. erase personal data concerning the data subject if such data is being or has been processed in violation of any of these Clauses ensuring third-party beneficiary rights, or if the data subject withdraws the consent on which the processing is based.
3. Where the data importer processes the personal data for direct marketing purposes, it shall cease processing for such purposes if the data subject objects to it.
4. The data importer shall not make a decision based solely on the automated processing of the personal data transferred (hereinafter “automated decision”), which would produce legal effects concerning the data subject or similarly significantly affect him / her, unless with the explicit consent of the data subject or if authorised to do so under the laws of the country of destination, provided that such laws lays down suitable measures to safeguard the data subject’s rights and legitimate interests. In this case, the data importer shall, where necessary in cooperation with the data exporter:
   1. inform the data subject about the envisaged automated decision, the envisaged consequences and the logic involved; and
   2. implement suitable safeguards, at least by enabling the data subject to contest the decision, express his/her point of view and obtain review by a human being.
5. Where requests from a data subject are excessive, in particular because of their repetitive character, the data importer may either charge a reasonable fee taking into account the administrative costs of granting the request or refuse to act on the request.
6. The data importer may refuse a data subject’s request if such refusal is allowed under the laws of the country of destination and is necessary and proportionate in a democratic society to protect one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679.
7. If the data importer intends to refuse a data subject’s request, it shall inform the data subject of the reasons for the refusal and the possibility of lodging a complaint with the competent supervisory authority and/or seeking judicial redress.

MODULE TWO: Transfer controller to processor

1. The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
2. The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
3. In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

 

MODULE THREE: Transfer processor to processor

1. The data importer shall promptly notify the data exporter and, where appropriate, the controller of any request it has received from a data subject, without responding to that request unless it has been authorised to do so by the controller.
2. The data importer shall assist, where appropriate in cooperation with the data exporter, the controller in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
3. In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the controller, as communicated by the data exporter.

 

Clause 11

Redress

1. The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
2. In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
3. Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
   1. lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
   2. refer the dispute to the competent courts within the meaning of Clause 18.
4. The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
5. The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
6. The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

 

MODULE ONE: Transfer controller to controller

1. Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
2. Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.
3. Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
4. The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
5. The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.

 

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

1. Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
2. The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
3. Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
4. The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
5. Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
6. The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
7. The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

1. [Where the data exporter is established in an EU Member State:] The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
   [Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679:] The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
   [Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
2. The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

1. The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
2. The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
   1. the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
   2. the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards^[1];
   3. any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
3. The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
4. The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
5. The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). [For Module Three: The data exporter shall forward the notification to the controller.]
6. Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation [for Module Three: , if appropriate in consultation with the controller]. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by [for Module Three: the controller or] the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1       Notification

1. The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
   1. receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
   2. becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

   [For Module Three: The data exporter shall forward the notification to the controller.]

2. If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
3. Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). [For Module Three: The data exporter shall forward the information to the controller.]
4. The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
5. Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2       Review of legality and data minimisation

1. The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
2. The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. [For Module Three: The data exporter shall make the assessment available to the controller.]
3. The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

 

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

1. The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
2. In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
3. The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
   1. the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
   2. the data importer is in substantial or persistent breach of these Clauses; or
   3. the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
4. Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data.The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
5. Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Republic of Ireland.

Clause 18

Choice of forum and jurisdiction

1. Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
2. The Parties agree that those shall be the courts of the Republic of Ireland.
3. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
4. The Parties agree to submit themselves to the jurisdiction of such courts.

 

 

APPENDIX

ANNEX I

 

A. LIST OF PARTIES

Data exporter: Customer as shown on the Application Form

Name: Customer’s name as shown on the Application Form

Address: Customer’s address as shown on the Application Form

Contact person’s name, position and contact details: Customer’s contact details as shown on the Application Form

Activities relevant to the data transferred under these Clauses: Using Supplier’s services to send SMS or other messages to data subjects

Signature and date: By entering into the Customer Contract, the data exporter is deemed to have signed this Annex I on the date it entered into the Customer Contract

Role (controller/processor):

Module One and Two: Controller

Module Three: Processor

 

Data importer: Supplier entity name as shown on the Application Form

Name: Supplier entity name as shown on the Application Form

Address: Supplier address as shown on the Application Form

Contact person’s name, position and contact details: Supplier contact name as shown on the Application Form

Activities relevant to the data transferred under these Clauses: Sending SMS or other messages to data subjects on instructions of Customer

Signature and date: By entering into the Customer Contract, the data importer is deemed to have signed this Annex I on the date it entered into the Customer Contract

Role (controller/processor):

Module One: Controller

Modules Two and Three: Processor

 

B. DESCRIPTION OF TRANSFER

MODULE ONE: Transfer controller to controller

Categories of data subjects whose personal data is transferred

The data subjects are employees or representatives of the data exporter.

Categories of personal data transferred

The personal data transferred will generally include name, job title and business contact details (such as email addresses and phone numbers).

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

The collection and transfer of information will occur whenever the data importer interacts with the data exporter, for example, to provide customer support or billing.

Nature of the processing

The data importer collects, uses and stores the personal data in its computer systems, and transmits the personal data over communication networks, as necessary to provide services to the data exporter and communicate with the data exporter in connection with the services.

Purpose(s) of the data transfer and further processing

The purpose of the processing is to enable the data exporter to sign up to the data importer’s services and communicate with the data importer in connection with the services.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Personal data will be retained for as long as the data exporter remains a customer of the data importer and for a period afterwards in accordance with the data importer’s data retention policy.

 

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

Categories of data subjects whose personal data is transferred

The data subjects are individuals to whom the data exporter wishes to send SMS or other messages using the data importer’s services. Those individuals may be customers of the data exporter or of another entity to whom the data exporter is providing services.

Categories of personal data transferred

The personal data transferred will generally include: (a) the data subject’s mobile telephone number or other contact details necessary to allow a message to be sent to the data subject; and (b) any personal data of the data subject contained in the message content. The types of personal data which may be included in message content is at the data exporter’s discretion.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

The collection and transfer of information will occur whenever the data exporter sends a message to a data subject or uploads contact information of a data subject.

Nature of the processing

The data importer collects, uses and stores the personal data in its computer systems, and transmits the personal data over communication networks, as necessary to send messages to the data subject as requested by the data exporter.

Purpose(s) of the data transfer and further processing

The purpose of the processing shall be the provision of the services to the data exporter under the Customer Contract.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Personal data will be retained for as long as the data exporter remains a customer of the data importer and for a period afterwards in accordance with the data importer’s data retention policy.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The data importer uses sub-processors to assist it in providing services to the data exporter under the Customer Contract.  A list of sub-processors used by the data importer is available at https://messagemedia.com/us/legal/sub-processors/

 

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

The competent supervisory authority will be as determined under clause 13, depending on whether the data exporter is established in an EU Member State, is not established in an EU Member State but has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, or is not established in an EU Member State and is not required to appoint a representative pursuant to Article 27(1) of Regulation (EU) 2016/679.

 

ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

 

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

The data importer’s security measures include, but are not limited to:

• Customers interact with and transmit messages over a secure (encrypted) TLS/SSL connection
• Services interact and transmit to carriers over a secure (encrypted) TLS connections and/or VPN tunnels
• Firewalls protect the data importer’s production network and servers.
• Non-public access to production network and servers as access is restricted by a secure VPN connection
• Measures for ensuring physical security of locations at which personal data are processed – Services are hosted in secure Tier 1 data centers protecting physical servers and devices.
• Measures for internal IT and IT security governance and management including strict protocols and controls governing authorization and access to the data importer’s servers and devices.
• Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the suitability and success of applied controls; including annual audits by independent security experts, and penetration testing.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

• IT security governance and management, including strict protocols and controls authorising access.
• Measures for ensuring physical security of locations at which personal data is processed.
• Processes for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures.

 

Part F – UK International Data Transfer Addendum

This Part F forms part of your Customer Contract.

If you are located in the United Kingdom or are otherwise subject to the UK GDPR, the the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018 (UK) (the “UK International Data Transfer Addendum”) will apply to any transfer of personal data under your Customer Contract, either directly or via onward transfer, to any country outside of the United Kingdom that does not have an adequacy decision under article 45 of the UK GDPR. For transfers that are subject to the UK International Data Transfer Addendum, the UK International Data Transfer Addendum will be deemed entered into, incorporated into your Customer Contract by reference and completed as follows:

1. In Table 1:
   1. The start date is the date the relevant transfer of personal data commences.
   2. The Exporter is the Customer as shown on the Application Form and the details and key contact information of that party are as set out in the Application Form.
   3. The Importer is the Supplier as shown on the Application Form and the details and key contact information of that party are as set out in the Application Form.
2. In Table 2, the version of the approved Standard Contractual Clauses is set out in Part E of your Customer Contract.
3. In Table 3:
   1. Annex IA is as set out in Part E of your Customer Contract.
   2. Annex IB is as set out in Part E of your Customer Contract.
   3. Annex II is as set out in Part E of your Customer Contract.
   4. Annex III is not applicable.
4. In Table 4: the Importer may end the UK International Data Transfer Addendum in accordance with its terms.

 

Part G – EU and UK Privacy Terms

56. About this Part

This Part G applies if the Services or the performance of our respective obligations under this Customer Contract involve the processing of any personal data (as defined in the GDPR) of, or sending Messages to, any individuals in the European Union.

57. Privacy and Electronic Communications and Ecommerce

(a) You warrant and undertake at all times to comply (and to ensure that your Staff and End Users also comply) with your obligations under the Privacy and Electronic Communications (EC Directive) Regulations 2003 and the Electronic Commerce (EC Directive) Regulations 2002, in particular, you:

(i) warrant and represent that End Users to whom you send Messages have consented or otherwise opted-in to the receipt of such Messages as required by any applicable Law or regulation.

(ii) agree that you will include clear opt-out/unsubscribe information on your Messages when required to do so by any applicable Law or regulation; and

(iii) will adhere to the Consumer Best Practices Guidelines promulgated by the Mobile Marketing Association, if applicable to your messages

(b) You indemnify us for any Claim which results from your breach of paragraph (a) above.

(c) We warrant and represent that the Services include the maintenance of a functioning and effective unsubscribe process that complies with applicable Privacy Laws.

58. Data Protection

(a) The terms ‘data subject’, ‘personal data’, ‘process’, and ‘supervisory authority’ have the meanings given to them in the GDPR.

(b) With effect from 25 May 2018, if a party is provided with, or has access to personal data in connection with the Services, it must comply with the GDPR and any other applicable law in respect of that personal data.

(c) The subject matter of the processing by us shall be the performance of this Customer Contract. The nature and purpose of the processing shall be the provision of the Services. The duration of the processing shall be the duration of this Customer Contract.

(d) We shall:

(i) only process personal data on your behalf in accordance with, your instructions and for the purposes set out in this Customer Contract;

(ii) implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

(iii) ensure that any of our personnel engaged in the processing are subject to a duty of confidentiality.

(iv) co-operate with you if you are required to deal or comply with any assessment, enquiry, notice or investigation by the Information Commissioner, to assist you in complying with such assessment, enquiry, notice or investigation.

(v) notify you if we receive a request from a data subject for access to personal data, and shall provide you with reasonable co-operation and assistance in relation to any such request.

(vi) inform you without undue delay if at any time any personal data is or is suspected to be, lost, corrupted, used or disclosed to a third party except in accordance with this Customer Contract and provide reasonable assistance to you in relation to your obligation to notify data subjects or a supervisory authority.

(e) You acknowledge that in providing the Services, personal data may be transferred outside the European Economic Area under your Customer Contract and each party undertakes to comply with its obligations under the Model Clauses.

(f) You hereby consent to the sub-processing of personal data by a Provider. We shall only appoint additional sub-processors where we have your prior consent to do so and where we have written terms in place with the sub-processor that reflect these terms.

(g) You warrant that you have provided a fair processing notice to End Users that notifies them of our processing activities and that where our processing of personal data on your behalf requires the consent of End Users, you have and will obtain this and provide us with evidence on request.

(h) On termination of this Client Contract, we shall delete all personal data that you have provided to us, unless we are required by law to retain it (in which case, we will not actively process it after the termination date).

(i) You may, not more than once in any 12-month period and on giving at least 30 days’ written notice, conduct an audit of our processing of personal data under this Client Contract. We shall mutually agree on the scope, timing and duration of the audit. The audit shall exclude any personnel records and any data, systems and facilities which are subject to confidentiality obligations to third parties. You shall not be entitled to take copies of any information.

(j) You indemnify us for any Claim by your Staff, End Users or any other third party that it has suffered Loss as a result of your breach of paragraphs (b), (e) or (g) above.