Data Processing Agreement (DPA)
This Data Processing Agreement (the “DPA”) reflects the parties’ agreement with respect to the Processing of Personal Data by Open-Xchange, Inc. d/b/a Everymail (the “Processor”) on behalf of the subscriber to Everymail services (the “Controller”) in connection with Processor’s services (the “Services”) under the Everymail subscription (the “Agreement”) governing Customer’s use of the Services. The DPA supplements the Agreement and remains active during the entire Subscription term. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.
1. DEFINITIONS
a. "Business" means an entity which, alone or jointly with others, determines the purposes and means of Processing Personal Data, which includes, as applicable, a “Business” as defined under Section 1798.140 of the CCPA, and any analogous variation of such term under U.S. Data Protection Laws.
b. "CCPA" means the California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.100 et seq., and its implementing regulations.
c. "Customer Personal Information" means any data processed by Processor on Controller’s behalf, that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, to the extent that such information is protected as “personal information” (or an analogous variation of such term) under applicable U.S. Data Protection Laws.
d. "Instructions" means the written, documented instructions issued by a Business to a Service Provider, and directing the same to perform a specific or general action with regard to Customer Personal Information (including, but not limited to, depersonalizing, blocking, deletion, and making available).
e. "Processing" means any operation or set of operations which is performed on Customer Personal Information, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Customer Personal Information. The terms “Process,” “Processes” and “Processed” will be construed accordingly.
f. "Sell", "Selling", and "Sale" have the meanings set forth in Section 1798.140 of the CCPA.
g. "Service Provider" means an entity processing Customer Personal Information on behalf of Customer, including as defined in Section 1798.140 of the CCPA, and any analogous variation of such term under U.S. Data Protection Laws.
h. "Share", "Shared", and "Sharing" have the meanings set forth in Section 1798.140 of the CCPA.
i. "U.S. Data Protection Laws" means all U.S. laws and regulations applicable to the processing of personal information (or an analogous variation of such term), including but not limited to the CCPA.
2. ROLES OF THE PARTIES
The parties acknowledge and agree that with regard to the Processing of Customer Personal Information performed on behalf of Customer, Processor is a Service Provider and Customer is a Business. Processor receives Customer Personal Information pursuant to the business purpose of providing the Services to Customer in accordance with the Agreement.
3. CUSTOMER’S INSTRUCTIONS
The parties agree that the Agreement (including this DPA), together with Customer’s use of the Services in accordance with the Agreement, constitute Customer’s complete and final Instructions to Processor in relation to the Processing of Customer Personal Information, and additional instructions outside the scope of the Instructions shall require prior written agreement between the parties.
4. PROCESSOR’S OBLIGATIONS
With respect to the Processing of Customer Personal Information by Processor on behalf of Customer, Processor agrees to the following.
a. Processor shall adhere to Customer’s Instructions at all times regarding the Processing of Customer Personal Information.
b. Processor shall assist Customer in meeting its obligations under U.S. Data Protection Laws. Such assistance shall include:
1) Taking into account the nature of processing and the information available to Processor, by appropriate technical and organizational measures, insofar as this is reasonably practicable, to fulfill Customer's obligation to respond to consumer privacy requests pursuant to U.S. Data Protection Laws.
2) Taking into account the nature of processing and the information available to Processor, by assisting Customer in meeting its obligations in relation to the security of processing the Customer Personal Information and in relation to the notification of breach of security of the Processor’s system within 5 (five) business days in order to meet Customer’s obligations under this DPA.
3) Providing necessary information to enable Customer to conduct and document data protection assessments pursuant to U.S. Data Protection Laws.
c. Processor will ensure that each person processing Customer Personal Information is subject to a duty of confidentiality with respect to the data.
d. At Customer's selection of the respective functionality in the Service, Processor will delete or return all Customer Personal Information to Customer as requested during or before the end of the provision of the Service, unless retention of the Customer Personal Information is required by law.
e. Upon Customer’s reasonable request, Processor will make available to the Customer all information in its possession necessary to demonstrate Processor's compliance with U.S. Data Protection Laws.
f. Processor will allow, and cooperate with, reasonable assessments by Customer or Customer's designated assessor; alternatively, Processor may arrange for a qualified and independent assessor to conduct an assessment of Processor's policies and technical and organizational measures in support of Processor’s obligations under U.S. Data Protection Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The Processor shall provide a report of such assessment to Customer upon request.
g. If Processor engages any other person or entity to assist it in Processing Customer Personal Information on behalf of Customer, or if any other person engaged by Processor engages another person or entity to assist in Processing Customer Personal Information for that business purpose, Processor shall publish that engagement and give Customer the opportunity to object within 10 (ten) business days. The engagement shall be pursuant to a written contract binding the other person or entity to observe all the requirements set forth in this DPA.
h. Processor shall not Sell or Share Customer Personal Information.
i. Processor shall not retain, use, or disclose Customer Personal Information for any purpose other than business purposes specified in the Agreement.
j. Processor shall not retain, use, or disclose the Customer Personal Information outside of the direct business relationship between Processor and Customer.
k. Processor shall not combine the Customer Personal Information that Processor receives from, or on behalf of, Customer with personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer.
5. COSTS
Controller shall reimburse Processor for its efforts in responding to requests pertaining to Sections 4.a., 4.b.3), 4.e., and 4.f., at a reasonable hourly rate not to exceed USD 150.00.
6. INDEMNIFICATION
The Controller shall indemnify, defend, and hold harmless the Processor, its affiliates, and their respective officers, directors, employees, agents, and representatives (collectively, the “Processor Indemnified Parties”) from and against any and all claims, demands, actions, suits, proceedings, liabilities, losses, damages, fines, penalties, costs, and expenses, including reasonable attorney’s fees and court costs, arising out of or relating to:
a. Controller’s Instructions: Any Processing of Customer Personal Information by the Processor in accordance with the Controller’s documented instructions, including but not limited to any claims that such instructions violate applicable U.S. Data Protection Laws or other laws.
b. Controller’s Noncompliance: Any failure by the Controller or its affiliates to comply with applicable U.S. Data Protection Laws, regulations, or other laws governing the collection, use, disclosure, or Processing of Customer Personal Information.
c. Data Provided by Controller: Any breach, inaccuracy, or insufficiency in the Customer Personal Information provided by the Controller or its users to the Processor, including claims related to the accuracy, legality, or appropriateness of such data.
d. Third-Party Claims: Any claims brought by a third party, including data subjects, regulatory authorities, or other entities, alleging that the Controller’s actions or omissions violated applicable laws or rights related to Customer Personal Information.
e. Breach by Controller: Any breach of the Agreement, this DPA, or applicable U.S. Data Protection Laws by the Controller, including failure to implement adequate security measures or failure to notify the Processor of changes in legal or regulatory requirements applicable to the Customer Personal Information.
Exclusions: The Controller shall not be liable to the Processor Indemnified Parties to the extent that any liabilities, losses, or expenses result from the Processor’s breach of this DPA, the Agreement, or its own noncompliance with applicable U.S. Data Protection Laws.
To invoke this indemnification, the Processor must:
x. Promptly notify the Controller in writing of any claim for which indemnification is sought.
y. Provide the Controller with reasonable cooperation in the defense and settlement of the claim.
z. Allow the Controller to assume control of the defense of the claim, provided that the Processor retains the right to participate in the defense at its own expense.
The Controller shall not settle any claim without the prior written consent of the Processor if such settlement would impose an obligation or liability on the Processor other than monetary damages.
7. LIABILITY LIMITATION
THE TOTAL AGGREGATE LIABILITY OF THE PROCESSOR, ITS AFFILIATES, AND THEIR RESPECTIVE OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, OR REPRESENTATIVES, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), BREACH OF STATUTORY DUTY, OR OTHERWISE, ARISING OUT OF OR IN CONNECTION WITH THIS DPA, THE AGREEMENT, OR THE PROCESSING OF CUSTOMER PERSONAL INFORMATION, SHALL NOT EXCEED THE FEES PAID OR PAYABLE BY THE CONTROLLER TO THE PROCESSOR UNDER THE AGREEMENT DURING THE 12-MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.
NOTHING IN THIS DPA SHALL LIMIT OR EXCLUDE LIABILITY FOR DAMAGES CAUSED BY THE PROCESSOR’S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, DAMAGES RESULTING FROM THE PROCESSOR’S PROCESSING OF CUSTOMER PERSONAL INFORMATION OUTSIDE THE CONTROLLER’S DOCUMENTED INSTRUCTIONS OR IN BREACH OF ITS OBLIGATIONS UNDER THIS DPA, DAMAGES ARISING FROM A SECURITY BREACH ATTRIBUTABLE TO THE PROCESSOR’S FAILURE TO IMPLEMENT REASONABLE AND APPROPRIATE TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES AS REQUIRED UNDER APPLICABLE U.S. DATA PROTECTION LAWS AND ANY LIABILITY THAT CANNOT BE LIMITED OR EXCLUDED UNDER APPLICABLE LAWS.
8. NATURE AND PURPOSE OF PROCESSING
The Processor processes Customer Personal Information only for the purpose of operating, maintaining, developing and providing the Service, to optimize the Service and to provide support services for Controller and its users.
9. CATEGORIES OF PERSONAL INFORMATION PROCESSED
The Processor collects data provided or received by Controller and its users in using and subscribing to the Service, which is an email and collaboration service. The information processed includes email address, usernames, Service password, contact information, email content and attachments, calendar schedules and responses, and contacts.
The Processor further automatically collects certain information when the Controller or its users visit, use, or navigate the Services. This information does not necessarily reveal the specific identity of the Controller or its users (such as a name or contact information) but may include device and usage information, such as IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when the Services are used, and other technical information. This information is primarily needed to maintain the security and operation of the Services and for the Processor’s internal analytics and reporting purposes.
Similar to many other businesses, the Processor collects information through cookies and similar technologies. Further details can be found in the Cookie Policy.
The information collected by the Processor includes:
a. Log and Usage Data: Log and usage data refers to service-related, diagnostic, usage, and performance information automatically collected by the Processor’s servers when the Controller or its users access or use the Services. This data is recorded in log files and may include information such as IP address, device information, browser type, browser settings, and activity within the Services (e.g., date/time stamps, pages and files viewed, searches performed, and actions taken such as using specific features). This data may also include device event information, such as system activity, error reports (commonly known as “crash dumps”), and hardware settings.
b. Device Data: The Processor collects data about the devices used by the Controller or its users, such as computers, phones, tablets, or other devices used to access the Services. Depending on the device, this data may include IP address (or proxy server), device and application identification numbers, location, browser type, hardware model, internet service provider or mobile carrier, operating system, and system configuration information.
c. Location Data: The Processor collects location data related to the devices of the Controller or its users, which can be precise or imprecise. The amount of location information collected depends on the type and settings of the device used to access the Services. For instance, the Processor may use GPS or other technologies to determine the current location (e.g., based on IP address). The Controller or its users can opt out of allowing the Processor to collect location information by refusing access to this data or by disabling location settings on their devices. However, disabling location data may impact the ability to use certain features of the Services.
d. Reference to Privacy Policy: Further information may be processed while using the Service, if set forth in the then-current Privacy Policy.