CodeTwo Terms and Privacy
Personal Data Processing Agreement
Published: August 21, 2023. See previous versions (https://www.codetwo.com/regulations/dpa/#previous-versions)
This Data Processing Agreement ("DPA") is entered into as of the Effective Date by and between CodeTwo sp. z o.o. sp. k., a limited partnership established under the laws of the Republic of Poland (member state of the European Union), with its registered office in Jelenia Gora at ul. Wolnosci 16 ("CodeTwo" or simply "we"), with EU VAT ID number PL6112622141, entered in the register of entrepreneurs of the Polish National Court Register kept by the District Court for Wrocław-Fabryczna in Wrocław, Poland, IX Commercial Division under KRS number 0000438398, and the entity or person set forth on the last page hereto ("Customer" or simply "you"). CodeTwo and Customer are sometimes referred to individually as a "Party" or collectively as the "Parties".
This DPA forms an integral part of and is concluded subject to the Terms and Conditions of Sales and Services (https://www.codetwo.com/regulations/sales-and-services/).
Whereas:
- the Customer is interested in using CodeTwo Email Signatures 365 (formerly CodeTwo Email Signatures for Office 365) – a software used to centrally manage email signatures, hosted on Microsoft Azure in a region of the Customer's choice (the software and associated services are jointly referred to as "Services");
- Customer's use of the Services requires that Customer Data (as defined below) is processed by CodeTwo;
- the Parties wish to set forth their mutual obligations regarding the processing of Customer Data (as defined below) by CodeTwo;
The parties have agreed as follows:
1. Definitions
- All capitalized terms used in this DPA, unless defined elsewhere in the DPA, shall have the following meaning:
- "Applicable Data Protection Laws" means the GDPR and – where the processing is subject to the CCPA or the US State Privacy Laws (as defined in Appendix 3 to this DPA) – the CCPA and the US State Privacy Laws;
- "Outlook (Client-side) Mode" means a configuration of the Services in which email signature is added to Customer Outgoing Emails without the need to relay Customer Outgoing Emails through the Services;
- "Combo Mode" means a configuration of the Services in which both Outlook (Client-side) Mode and Cloud (Server-side) Mode are used to manage email signatures in Customer Outgoing Emails;
- "Customer Data" means Customer Users' Data, Customer Email Data and Customer Emails;
- "Customer Email Data" means all personal data contained in Customer Incoming Emails and Customer Outgoing Emails; whether CodeTwo processes and/or otherwise gets access to Customer Email Data depends on how the Customer configures the Services – see Appendix 1 to this DPA for details;
- "Customer Emails" means Customer Incoming Emails and Customer Outgoing Emails;
- "Customer Incoming Emails" means emails that are sent to mailboxes in Customer's Microsoft 365 tenant; whether CodeTwo processes and/or otherwise gets access to Customer Incoming Emails depends on how the Customer configures the Services – see Appendix 1 to this DPA for details;
- "Customer Outgoing Emails" means emails that are sent from mailboxes in Customer's Microsoft 365 tenant; whether CodeTwo processes and/or otherwise gets access to Customer Outgoing Emails depends on how the Customer configures the Services – see Appendix 1 to this DPA for details;
- "Customer Users' Data" means personal data, including in particular some Azure Active Directory user attributes and group memberships of people who have accounts in Customer's Microsoft 365 tenant, that the Customer provides to CodeTwo in connection with the Customer's use of the Services; the detailed scope and categories of Customer Users' Data processed by CodeTwo based on this DPA depend on how the Customer configures the Services and are described in detail in Appendix 1 to this DPA;
- "Effective Date" means the date the Customer expresses their consent to be bound by the provisions of the DPA either by checking the appropriate box on CodeTwo's websites that confirms reading and accepting the terms of the DPA or by signing a copy of this DPA received by email;
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
- "Cloud (Server-side) Mode" means a configuration of the Services in which Customer Outgoing Emails are relayed through the Services in order to add email signatures.
2. General
- You, as the data controller, acknowledge and understand that in circumstances and to the extent described in Appendix 1 to this DPA:
- making use of the Services requires that Customer Users' Data are processed within the Services;
- making use of the Services in Cloud (Server-side) Mode or Combo Mode requires that Customer Outgoing Emails are relayed through the Services;
- making use of some of the additional features of the Services may require that the Services are granted wider access privileges by the Customer, including access to Customer Incoming Emails, Customer Outgoing Emails or Customer Email Data.
- You, as the data controller, confirm that:
- this DPA along with your use and configuration of the Services and its individual features are your complete and final instructions to us for the processing of Customer Data. We will immediately inform you if in our opinion your instructions may infringe Applicable Data Protection Laws;
- Customer Data was and will be obtained in accordance with Applicable Data Protection Laws and that all required consents (if required) from people whose personal data is processed using the Services were collected and all information duties fulfilled.
- We, as a data processor, undertake:
- to only process Customer Data to make it possible for you to make use of the Services and its individual features, solely on the basis and under the conditions specified in this DPA and Applicable Data Protection Laws;
- not to record, register, store, back up, or physically access the content of Customer Emails, except in circumstances and to the extent described in Appendix 1 to this DPA when it is required to provide the Services to you.
- The scope of personal data subject to the processing based on this DPA, as well as the categories of data subjects affected by the processing, are described in detail in Appendix 1 to this DPA.
- In order to make use of some of the additional features of CodeTwo Email Signatures 365 (e.g. Autoresponder, Sent Items Update or One-click surveys) you must grant the Services some additional access privileges to selected resources in your Microsoft 365 tenant. The scope of the required privileges will be visible to you when configuring such features in CodeTwo Email Signatures 365 admin panel. These privileges vary between each of those features and may include, but are not limited to, a permission to read all user profiles in your Microsoft 365 tenant without a signed-in user as well as a permission to read mail in all mailboxes without a signed-in user or as the signed-in user. These permissions are necessary to apply rules and perform actions that you configure while setting up these additional features. All additional features are turned off by default. All access privileges that you grant to the Services are of technical and functional character.
- Notwithstanding point 2.5. above, CodeTwo Email Signatures 365 has no access to keys required to decrypt encrypted Customer Emails and, therefore, the use of the additional features in regard to encrypted Customer Emails may be limited or not possible at all.
3. Subprocessing
- We use Microsoft Azure to provide our Services to you. This means that Customer Data will be processed in Microsoft Azure datacenters in a region of your choice. You can find a list of currently available regions here (https://www.codetwo.com/email-signatures/how-it-works).
- Microsoft Azure datacenters are managed by Microsoft Corporation and its affiliates. Microsoft Corporation uses subcontractors to provide its Microsoft Azure services. You can find the list of subcontractors here (https://www.codetwo.com/regulations/dpa/ms-subcontractors).
- You can find detailed terms and conditions of services provided by Microsoft Corporation and its affiliates here (https://www.codetwo.com/regulations/dpa/ms-terms-and-conditions). These documents describe Microsoft's obligations regarding the security of data and measures that were implemented in Microsoft datacenters to protect the confidentiality of Customer Data. You can also find information about Microsoft's Azure security here (https://www.codetwo.com/regulations/dpa/ms-azure-security).
- We confirm that we have entered into an agreement based on EU Standard Contractual Clauses with Microsoft Corporation. The aim of this agreement is to ensure that a level of protection of personal data similar to that ensured by us is maintained when Customer Data is transferred to Microsoft Azure datacenters, including those located outside of the European Economic Area (EEA).
- You acknowledge and agree that we may use Microsoft Corporation, its affiliates and subcontractors, as described above, as subprocessors to provide the Services to you. These entities may be engaged only within the limits and for the purpose of providing the Services to you. The standard of personal data protection applicable to these subprocessors is at least equal to the protection standard provided by us.
4. Copies of data and confidentiality of information
- We will not create copies or duplicates of any data without your knowledge, except for backup copies concerning the following types of data:
- the Services' settings and configuration details;
- Customer Users' Data.
- These backup copies are necessary to ensure smooth functioning of the Services. All backup copies are automatically created by Microsoft Azure and stored on Microsoft Azure in a region that you chose when associating your Microsoft 365 tenant with the Services. We will not use these backup copies outside of Microsoft Azure environment or for any other purposes than those specified above.
- We will not create backup copies of any other types of data than those specified in point 4.1. above. In particular, we will not create backup copies of Customer Emails or Customer Email Data.
- We acknowledge and agree that Customer Emails in some cases may contain information that should reasonably be understood to be proprietary or confidential information of the Customer. We will undertake all reasonable organizational, technical, and administrative steps to prevent Customer Emails from being disclosed to any unauthorized person. We will not disclose Customer Emails to any third parties and will always refuse all requests to disclose Customer Emails to law enforcement.
- We acknowledge and agree that Customer Users' Data in some cases may contain information that should reasonably be understood to be proprietary or confidential information of the Customer. We will undertake all reasonable organizational, technical and administrative steps to prevent Customer Users' Data from being disclosed to any unauthorized person. We will not disclose Customer Users' Data to law enforcement unless required by law. If law enforcement contacts us with a request for Customer Users' Data, we will attempt to redirect the law enforcement agency directly to you. If compelled to disclose Customer Users' Data to law enforcement, we will promptly notify you and provide a copy of the demand unless we are legally prohibited from doing so.
5. Assistance in fulfillment of the rights of data subjects and performance of other obligations
- Taking into account the nature of the processing performed on the basis of this DPA, insofar as this is possible, we will assist you by appropriate technical and organizational measures with fulfilling your duty to respond to the requests of data subjects concerning the exercise of their rights described in Chapter III of the GDPR. If you require our assistance, you can request it using this form (https://www.codetwo.com/form/data-protection/).
- We will confirm the receipt of your request within 3 (three) business days from its receipt. Within the next 3 (three) business days we will let you know if we are able to assist you and we will inform you of the expected deadline to fulfill your request. In any event, the deadline may not be longer than 2 (two) weeks.
- If we receive a request from your data subject to exercise one or more of its rights under the GDPR, we will redirect the data subject to make its request directly to you.
- Taking into account available information and the nature of processing performed on the basis of this DPA, we will provide you with information necessary for you to perform obligations arising out of Articles 32 – 36 of the GDPR, including Data Protection Impact Assessments ("DPIA"). If you require our assistance in relation to DPIA, you can contact our Data Protection Officer and Data Security Team at any time using this form (https://www.codetwo.com/form/data-protection/).
6. Security
- Considering the risk of violation of the rights and freedoms of individuals and the state of technical knowledge, implementation costs, scope, nature, context and purposes of processing personal data, we declare that in accordance with Article 32 of the GDPR, we have implemented appropriate technical and organizational measures to secure the processing of Customer Data. These measures are described in Appendix 2 to this DPA. You can also use information contained in Appendix 2 to perform DPIA.
- We undertake to protect Customer Data from unauthorized access, unauthorized removal, damage or destruction and we will take all necessary steps to keep personal data confidential and to protect it in accordance with the provisions of the Applicable Data Protection Laws.
- We declare that all our employees who are authorized to process personal data are bound to confidentiality and undergo regular training regarding the data protection provisions relevant to their work.
- We regularly monitor all internal processes and the technical and organizational measures to ensure that processing is in accordance with the requirements of Applicable Data Protection Laws and the protection of the rights of the data subjects.
- We are entitled to implement alternative, suitable measures to those described in this section 6 above and in Appendix 2 to this DPA, especially due to technical advances and developments. Such measures must not fall below the security level of those described above. We will provide you with an up-to-date version of Appendix 2 anytime you request us to do so during the term of this DPA.
7. Data breaches
- We will notify you without undue delay after becoming aware of a personal data breach. Such notice will, at a minimum:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal records concerned;
- communicate the name and contact where more information can be obtained;
- describe the likely consequences of the personal data breach; and
- describe the measures taken or proposed to be taken by you to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
- Where, and insofar as, it is not possible to provide all information described in point 7.1. above at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
8. Period of processing and return of data
- You acknowledge and understand that we will start the processing of Customer Users' Data after your Microsoft 365 tenant is associated with the Services.
- We will process personal data that you entrust to us for the duration of your license for the Services and/or use of the additional features of the Services referred to in point 2.5. of this DPA. The DPA shall remain in force when using the Services with a trial license as well as after the trial period, i.e. after purchasing the license for the Services. Furthermore, the DPA shall remain in force regardless of whether the Services were purchased directly from CodeTwo or through a reseller.
- If your license is terminated or expires, we will erase Customer Users' Data from the Services within 180 days after you cancel your subscription with us, unless the law requires that this data is processed for a longer period.
- After termination or expiration of your license, we will not perform any operations on Customer Users' Data, except for storing it within the Services, unless we are required to do otherwise by law.
9. Auditing rights of the customer
- If you need any additional information regarding how we process and protect Customer Data and fulfill obligations arising out of the Applicable Data Protection Laws you can contact our Data Protection Officer and Data Security Team at any time using this form (https://www.codetwo.com/form/data-protection/).
- You can also verify the security measures implemented by Microsoft Corporation and its affiliates by referring to their Microsoft Products and Services Data Protection Addendum.
- CodeTwo has implemented an Information Security Management System certified against the international standards ISO/IEC 27001 and ISO/IEC 27018. To confirm compliance with ISO/IEC 27001 and ISO/IEC 27018, we undergo an audit once a year, and every third year we undergo the re-certification process. Audits are conducted by external and independent certifying entities. We will resolve any audit findings immediately in a way that is satisfactory for the certifying agencies in order to stay compliant with ISO/IEC 27001 and ISO/IEC 27018.
- On your demand, we will provide you with proof that CodeTwo holds the ISO/IEC 27001 or ISO/IEC 27018 certificates. If you need any additional information, we will share with you the results from the recent ISO/IEC 27001 or ISO/IEC 27018 audits carried out in CodeTwo to help you verify how we fulfill our obligations regarding the information security arising from this DPA. The report will be restricted by the distribution and confidentiality limitations imposed by the certifying entity. You might be asked to sign an additional Non-Disclosure Agreement before we share the report with you.
10. Control and audits
- You should inform us without undue delay of any control or audit performed by competent supervisory authorities if it relates to Customer Data.
- We will inform you immediately of any inspections and measures conducted by the supervisory authorities if they relate to the Services or Customer Data.
11. Jurisdiction specific data protection clauses
- If you are subject to any data protection laws of jurisdictions listed in Appendix 3, then the terms of Appendix 3 supplement the clauses of sections 1 – 10 of this DPA.
12. Miscellaneous
- This DPA can only be modified by a written document signed by both you and us.
- This DPA should be read and construed together with CodeTwo's Terms and Conditions of Sales and Services (https://www.codetwo.com/regulations/sales-and-services). In case the provisions of CodeTwo's Terms and Conditions of Sales and Services are contrary to the provisions of this DPA, this DPA should prevail.
- This DPA will be governed by the laws of the Republic of Poland, excluding any conflict of law rules. Any and all disputes relating to this DPA will be settled between you and CodeTwo through good faith negotiations. In case these negotiations are not successful, any subsequent dispute should be litigated in front of the competent courts of the Republic of Poland.
- Should any provision of this DPA be found invalid or unenforceable by a court of competent jurisdiction, the rest of this DPA will remain in full effect.
- This DPA can be signed in one or more counterparts and each counterpart will be considered an original DPA. All of the counterparts will be considered one document and become a binding agreement when one or more counterparts have been signed by each of the Parties and delivered to the other.
- The term of this DPA corresponds with the term of your license for CodeTwo Email Signatures 365.
Appendix 1 – Scope and categories of personal data
This document describes the scope and categories of personal data subject to the processing based on this DPA and depending on the features of the Services that the Customer makes use of. All capitalized terms, unless defined below, have the meaning ascribed to them in the DPA. The Autoresponder, Sent Items Update and One-click surveys features are turned off by default.
1. Where the Customer does not make use of Autoresponder and Sent Items Update and One-click surveys:
- Customer Users' Data encompasses: names, email addresses, company contact details and job titles of people who have accounts in Customer's Microsoft 365 tenant, as well as any other attributes of those people defined in Customer Microsoft 365 tenant's Azure Active Directory;
- Customer Email Data is not processed by CodeTwo based on this DPA;
- access to Customer Emails and/or granting additional privileges referred to in point 2.5. of this DPA are not required;
- the categories of data subjects concerned by the processing include people who have accounts in your Microsoft 365 tenant.
2. Where the Customer makes use of either Autoresponder or Sent Items Update:
- Customer Users' Data encompasses: names, email addresses, company contact details and job titles of people who have accounts in Customer's Microsoft 365 tenant, as well as any other attributes of those people defined in Customer Microsoft 365 tenant's Azure Active Directory;
- Customer Email Data is processed by CodeTwo based on this DPA;
- access to Customer Emails and/or granting additional privileges referred to in point 2.5. of this DPA are required;
- the categories of data subjects concerned by the processing include people who have accounts in your Microsoft 365 tenant as well as people whose personal data is included in all emails in all mailboxes created within your Microsoft 365 tenant.
3. Where Customer makes use of One-click surveys:
- Customer Users' Data encompasses: names, email addresses, company contact details and job titles of people who have accounts in Customer's Microsoft 365 tenant, any other attributes of those people defined in Customer Microsoft 365 tenant's Azure Active Directory, as well as evaluations (reviews) of people who have accounts in Customer's Microsoft 365 tenant made by recipients of emails sent from Customer's domain along with email addresses of people leaving such evaluations (reviews);
- Customer Email Data is not processed by CodeTwo based on this DPA;
- access to Customer Emails and/or granting additional privileges referred to in point 2.5. of this DPA are required;
- the categories of data subjects concerned by the processing include people who have accounts in Customer's Microsoft 365 tenant as well as people who leave evaluations (reviews) of people who have accounts in Customer's Microsoft 365 tenant.
Appendix 2 – Summary of security measures implemented by CodeTwo
This document describes security measures that we have implemented to ensure that Customer Data and – where applicable – Customer Email Data and Customer Emails are processed in accordance with the Applicable Data Protection Laws and the DPA. This document is regularly updated to reflect changes made in our security and data privacy compliance program.
1. General organizational measures
- Data Protection Officer and Compliance Program. We have appointed a Data Protection Officer who is responsible for coordinating, monitoring and improving our security and data privacy compliance program ("Compliance Program"). The Compliance Program defines clear roles and responsibilities for our personnel.
- Security Management System and external audits. We have implemented an Information Security Management System certified against international standards ISO/IEC 27001 and ISO/IEC 27018. To confirm our compliance with ISO/IEC 27001 and ISO/IEC 27018, we undergo an external audit once a year, and every third year we undergo a re-certification process. All audits are conducted by external and independent certifying entities.
- Confidentiality. All of our personnel are subject to confidentiality obligations and may only access personal data (personal information) subject to a prior, written authorization issued by CodeTwo.
2. Training and awareness
- Personnel training. We conduct regular training sessions for our personnel on data protection rules and personnel roles within our Compliance Program. We also inform our personnel about possible consequences of non-compliance. These training sessions are conducted using anonymized data.
3. Physical and environmental security
- Physical access to datacenters. Customer Data is processed within Microsoft Azure datacenters. Access to these datacenters is restricted to identified Microsoft staff members. Our personnel may not physically access these datacenters.
- Physical access to our facilities. Only identified and authorized members of our personnel may access our facilities. Unauthorized personnel may not access these facilities.
- Monitoring of facilities. Our facilities are constantly monitored by us and an external security service to prevent unauthorized access. Visitors may only access a designated space of our facilities where no data is processed.
- Protection from disruptions. We use a variety of industry accepted solutions to protect against loss of data due to power supply failure, fire, natural disaster or line interference.
- Component disposal. We use industry accepted solutions to delete Customer Data when it is no longer needed.
4. Access control
- Access authorization. We maintain a record of personnel authorized to access our facilities and information systems. We have implemented a system of controls to make sure that no one can stop working for our organization without having their authentication credentials deactivated and all access rights revoked. Additionally, we conduct regular (at least once every 6 months) audits to make sure that authentication credentials that have not been used are deactivated. Deactivated or expired identifiers are not granted to other or new members of our personnel. We maintain industry standard procedures to deactivate passwords that have been compromised or inadvertently disclosed.
- Limitation of privileges. Only a small, selected group of personnel may grant, alter or cancel access privileges to our facilities and information systems. The scope of access rights granted to our personnel is limited strictly to assets necessary to perform their functions.
- Authentication of users. We use industry accepted solutions, such as multifactor authentication, to identify and authenticate users who access our IT systems. Passwords are renewed regularly and must comply with minimum requirements imposed by our security policies. We use various best practices designed to maintain the confidentiality and integrity of passwords when they are assigned, distributed and stored.
- Monitoring. We monitor our information systems for attempts at unauthorized access and for the use of expired or invalid credentials.
5. Asset and operations management
- Endpoint protection. All computing endpoints are encrypted and protected against malware.
- Backup copies. We make regular copies of Services' settings and configuration details and Customer Users' Data, as described in the DPA. We do not create backup copies of Customer Emails.
- Access to backups. All backups are automatically created by Microsoft Azure and stored on Azure in a region that you chose when associating your Microsoft 365 tenant with the Services. We have processes in place which ensure that access to backup copies is restricted to the necessary minimum, that backups may not be used outside of Microsoft Azure's environment, and that no data can be restored without the authorization of senior personnel members.
- Integrity and confidentiality. Our personnel have to disable all sessions when leaving our facilities or leaving computers unattended. Only a small, selected group of our personnel who require remote access due to the character of their duties may carry mobile devices and use them outside of our premises. All mobile devices are password protected and have encrypted storage.
- Printing and portable data carriers. We have procedures in place which guarantee that no data can be printed or copied to portable data carriers without our prior authorization. Members of our personnel are prohibited from using unauthorized portable data carriers within our premises.
- Network controls. Only authorized devices may use our networks. We have controls in place which ensure that unauthorized devices may not be used within our network.
6. Incident management
- Malicious software. We have anti-malware controls in place to help avoid malicious software gaining unauthorized access to Customer Data and our information systems, including malicious software originating from public networks.
- Incident record. We maintain a record of security incidents which includes the date and time of the incident, the consequences of the breach and the measures implemented to avoid similar situations in the future.
- Service monitoring. We verify and monitor logs for irregularities and suspicious activity.
7. Application controls
- Documentation. We maintain documentation which describes the architecture and features of CodeTwo Email Signatures 365.
- Guidelines and policies. We maintain guidelines and policies for developers which ensure that personal data processing principles such as privacy by design and privacy by default principles are observed while developing our applications.
- Code review and patch management. We regularly review application code for errors and issue patches or fixes.
Appendix 3 – US Data Protection Laws Addendum
1. The following terms and conditions apply additionally when we process Customer Data containing California consumers' personal information or otherwise subject to the California Consumer Privacy Act ("CCPA") (hereinafter jointly referred to as "CCPA Covered Data"):
- where we process CCPA Covered Data we are a "service provider" who processes CCPA Covered Data on your behalf and you are a "business", as defined in the CCPA;
- unless explicitly stated otherwise, in sections 1 – 10 of this DPA the term "data controller" shall be read to include "business", the term "data processor" shall be read to include "service provider", the term "data subject" shall be read to include "consumer" and the terms "Customer Data", "Customer Email Data" and "Customer Emails" shall be read to include "personal information", each as defined under the CCPA;
- as a service provider, we will process CCPA Covered Data only for the business purposes set forth in the Terms and Conditions of Sales and Services (https://www.codetwo.com/regulations/sales-and-services/), and in this DPA;
- as a service provider, we undertake not to: (i) sell or share CCPA Covered Data; (ii) retain, use or disclose CCPA Covered Data for any purpose other than making your use of CodeTwo Email Signatures 365 possible or as otherwise may be permitted for service providers under the CCPA; (iii) retain, use or disclose CCPA Covered Data outside of the direct business relationship between us; (iv) combine CCPA Covered Data that we receive from you, or on your behalf, with personal information that we receive from, or on behalf of, another person or persons, or collect from our own interactions with consumers, unless such combination is required to perform any business purpose as permitted by the CCPA, including any regulations thereto, or by regulations adopted by the California Privacy Protection Agency;
- we will: (i) comply with obligations applicable to us as a service provider under the CCPA; (ii) provide CCPA Covered Data with the same level of privacy protection as is required by the CCPA, provided, however, that you are responsible for ensuring that you have complied, and will continue to comply, with the requirements of the CCPA in your use of the Services and your own processing of CCPA Covered Data; (iii) notify you without undue delay if we make a determination that we can no longer meet our obligations as a service provider under the CCPA; (iv) provide you with reasonable additional and timely assistance to assist you in complying with your obligations with respect to consumer requests under the CCPA in line with the procedure described in points 5.1. – 5.3. of this DPA; (v) observe the conditions for the engagement of sub-processors including by ensuring that we enter into a written agreement that complies with the CCPA, regarding, without limitation, the contractual requirements for service providers and contractors, with each such sub-processor that we engage to process CCPA Covered Data;
- you have the right to take reasonable and appropriate steps: (i) to help ensure that we use CCPA Covered Data in a manner consistent with your obligations under the CCPA; (ii) to stop and remediate unauthorized use of CCPA Covered Data; to exercise these rights, contact us using this form (https://www.codetwo.com/form/data-protection/);
- you have the right to monitor our compliance with this DPA and the CCPA by using any of the means and methods described in section 9 of this DPA;
- we certify that we understand and will comply with our obligations as a service provider under the CCPA;
- we acknowledge and confirm that we do not receive Customer Data, Customer Email Data or Customer Emails as consideration for any Services provided to you.
2. The following terms and conditions apply additionally when we process Customer Data containing personal data subject to the US State Privacy Laws (as defined below) (all hereinafter jointly referred to as "US State Privacy Laws Covered Data"):
- for the purposes of this Addendum, the term "US State Privacy Laws" means: (i) the Virginia Consumer Data Protection Act; (ii) the Colorado Privacy Act; (iii) the Connecticut Data Privacy Act; (iv) the Utah Consumer Privacy Act; (v) any other applicable US state law relating to the protection of personal data, based on which you are a controller of personal data and we are a processor of personal data, provided that the terms and conditions of this Addendum meet the requirements set forth in such other state laws;
- unless explicitly stated otherwise, in sections 1 – 10 of this DPA the term "data controller" shall be read to include "controller", the term "data processor" shall be read to include "processor", the term "data subject" shall be read to include "consumer" and the terms "Customer Data", "Customer Email Data" and "Customer Emails" shall be read to include "personal data", each as defined under the US State Privacy Laws;
- we will: (i) adhere to your instructions regarding the processing of US State Privacy Laws Covered Data; (ii) provide you with necessary information to enable you to conduct and document data protection assessments as may be required pursuant to the US State Privacy Laws in line with the procedure described in point 5.4. of this DPA; (iii) make available to you, upon your reasonable request, all information in our possession necessary to demonstrate our compliance with our obligations as a processor under the US State Privacy Laws in line with the procedure described in section 9 of this DPA; (iv) undertake that each person processing US State Privacy Laws Covered Data is subject to a duty of confidentiality with respect to such data; (v) delete all US State Privacy Laws Covered Data in line with points 8.3 – 8.4. of this DPA, unless retention of US State Privacy Laws Covered Data is required by law; (vi) arrange for a qualified and independent assessor to conduct an assessment of our policies and technical and organizational measures implemented in support of our obligations under this Addendum, as well as provide a report of such assessment to you upon request in line with points 9.3 – 9.4. of this DPA; (vii) observe the conditions for the engagement of sub-processors including, without limitation, by ensuring that we enter into a written agreement that complies with the US State Privacy Laws with each such sub-processor that we engage to process US State Privacy Laws Covered Data and that we give you the opportunity to object against the involvement of a new sub-processor;
- taking into account the nature of processing and the information available to us, by appropriate technical and organizational measures, insofar as this is reasonably practicable, we will: (i) help you fulfill your obligation to respond to consumer rights requests made pursuant to the US State Privacy Laws in line with the procedure described in points 5.1 – 5.3 of this DPA; (ii) assist you in meeting your obligations in relation to the security of processing the personal data and in relation to the notification of a breach of security regarding the Services, including in particular by providing relevant notices in line with section 7 of this DPA.
Previous versions
- February 16, 2022 (https://www.codetwo.com/regulations/dpa/archive-2022-02-16)
- November 18, 2021 (https://www.codetwo.com/regulations/dpa/archive-2021-11-18)
- January 12, 2021 (https://www.codetwo.com/regulations/dpa/archive-2021-01-12)
- March 21, 2019 (https://www.codetwo.com/regulations/dpa/archive-2019-03-21)