CodeTwo Terms and Privacy
Data Processing Agreement
Published: December 19, 2024. See previous versions (https://www.codetwo.com/regulations/dpa/#previous-versions)
This Data Processing Agreement ("DPA") is entered into as of the Effective Date by and between CodeTwo sp. z o.o. sp. k., a limited partnership established under the laws of the Republic of Poland (member state of the European Union), with its registered office in Jelenia Gora at ul. Wolnosci 16 ("CodeTwo" or simply "we"), with EU VAT ID number PL6112622141, entered in the register of entrepreneurs of the Polish National Court Register kept by the District Court for Wrocław-Fabryczna in Wrocław, Poland, IX Commercial Division under KRS number 0000438398, and the entity or person set forth on the last page hereto ("Customer" or simply "you"). CodeTwo and Customer are sometimes referred to individually as a "Party" or collectively as the "Parties".
This DPA forms an integral part of and is concluded subject to the Terms and Conditions of Sales and Services (https://www.codetwo.com/regulations/sales-and-services).
Whereas:
- the Customer is interested in using CodeTwo Email Signatures 365 (formerly CodeTwo Email Signatures for Office 365) – a software used to centrally manage email signatures, hosted on Microsoft Azure in a region of the Customer's choice (the software and associated services are jointly referred to as "Services");
- Customer's use of the Services requires that Customer Data (as defined below) is processed by CodeTwo;
- the Parties wish to set forth their mutual obligations regarding the processing of Customer Data (as defined below) by CodeTwo;
The Parties have agreed as follows:
1. Definitions
- All capitalized terms used in this DPA, unless defined elsewhere in the DPA, shall have the following meaning:
- "Applicable Data Protection Laws" means the GDPR and – where the processing is subject to the CCPA or the US State Privacy Laws (as defined in Appendix 4 to this DPA) – the CCPA and the US State Privacy Laws;
- "Outlook (Client-side) Mode" means a configuration of the Services in which email signature is added to Customer Outgoing Emails without the need to relay Customer Outgoing Emails through the Services;
- "Combo Mode" means a configuration of the Services in which both Outlook (Client-side) Mode and Cloud (Server-side) Mode are used to manage email signatures in Customer Outgoing Emails;
- "Customer Data" means Customer Users' Data, Customer Email Data and Customer Emails;
- "Customer Email Data" means all personal data contained in Customer Incoming Emails and Customer Outgoing Emails; whether CodeTwo processes and/or otherwise gets access to Customer Email Data depends on how the Customer configures the Services – see Appendix 1 to this DPA for details;
- "Customer Emails" means Customer Incoming Emails and Customer Outgoing Emails;
- "Customer Incoming Emails" means emails that are sent to mailboxes in Customer's Microsoft 365 tenant; whether CodeTwo processes and/or otherwise gets access to Customer Incoming Emails depends on how the Customer configures the Services – see Appendix 1 to this DPA for details;
- "Customer Outgoing Emails" means emails that are sent from mailboxes in Customer's Microsoft 365 tenant; whether CodeTwo processes and/or otherwise gets access to Customer Outgoing Emails depends on how the Customer configures the Services – see Appendix 1 to this DPA for details;
- "Customer Users' Data" means personal data, including in particular some Entra ID (Azure Active Directory) user attributes and group memberships of people who have accounts in Customer's Microsoft 365 tenant that the Customer provides to CodeTwo in connection with the Customer's use of the Services; the detailed scope and categories of Customer Users' Data processed by CodeTwo based on this DPA depends on how the Customer configures the Services and has been described in detail in Appendix 1 to this DPA;
- "Effective Date" means the date the Customer expresses their consent to be bound by the provisions of the DPA either by checking the appropriate box on CodeTwo's websites that confirms reading and accepting the terms of the DPA or by signing a copy of this DPA received by email;
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
- "Cloud (Server-side) Mode" means a configuration of the Services in which Customer Outgoing Emails are relayed through the Services in order to add email signatures.
2. General
2.1. You, as the data controller, acknowledge and understand that in the circumstances and to the extent described in Appendix 1 to this DPA:
- making use of the Services requires that Customer Users' Data are processed within the Services;
- making use of the Services in Cloud (Server-side) Mode or Combo Mode requires that Customer Outgoing Emails are relayed through the Services;
- making use of some of the additional features of the Services may require that the Services are granted wider access privileges by the Customer, including access to Customer Incoming Emails, Customer Outgoing Emails or Customer Email Data.
2.2. You, as the data controller, confirm that:
- this DPA, along with your use and configuration of the Services and their individual features, constitutes your complete and final instructions to us for the processing of Customer Data. We will immediately inform you if, in our opinion, your instructions may infringe Applicable Data Protection Laws;
- Customer Data was and will be obtained in accordance with Applicable Data Protection Laws, that all consents (where required) from people whose personal data is processed using the Services were collected, and that all information duties were fulfilled.
2.3. We, as the data processor, undertake:
- to process Customer Data only to make it possible for you to make use of the Services and their individual features, solely on the basis and under the conditions specified in this DPA and Applicable Data Protection Laws;
- not to record, register, store, back up, or physically access the content of Customer Emails, except in the circumstances and to the extent described in Appendix 1 to this DPA when this is required to provide the Services to you.
2.4. The details of the processing operations, the scope of personal data subject to the processing based on this DPA, as well as the categories of data subjects affected by the processing, are described in detail in Appendix 1 to this DPA.
2.5. In order to make use of some of the additional features of CodeTwo Email Signatures 365 (e.g. Autoresponder, Sent Items Update or One-click surveys) you must grant the Services additional access privileges to selected resources in your Microsoft 365 tenant. The scope of the required privileges is shown to you when configuring such features in the CodeTwo Email Signatures 365 admin panel. These privileges vary between features and may include, but are not limited to, a permission to read all user profiles in your Microsoft 365 tenant without a signed-in user, as well as a permission to read mail in all mailboxes without a signed-in user or as the signed-in user. These permissions are necessary to apply the rules and perform the actions that you configure while setting up these additional features. All additional features are turned off by default. All access privileges that you grant to the Services are of a technical and functional character.
2.6. Notwithstanding point 2.5 above, CodeTwo Email Signatures 365 has no access to the keys required to decrypt encrypted Customer Emails and, therefore, the use of the additional features in regard to encrypted Customer Emails may be limited or not possible at all.
3. Subprocessing
3.1. By entering into this DPA you give us a general consent to engage the subprocessors indicated in Appendix 2. We will inform you of any intended changes to the list of subprocessors in Appendix 2 by sending an email notification. We will send this notification to the contact person indicated by your organization as authorized to receive communication regarding our Services at least 14 days before the engagement of the concerned subprocessor(s), thereby giving you sufficient time to object to such changes. You acknowledge that refusing to accept a change to the list of subprocessors may result in our inability to continue providing the Services to you.
3.2. We will observe the rules for the engagement of subprocessors, as described in Applicable Data Protection Laws, including those described in Articles 28(2) and 28(4) of the GDPR.
3.3. We will enter into a written agreement with each subprocessor prior to their engagement. Such agreement will impose on them, in substance, the same data protection obligations as the ones imposed on us in accordance with this DPA. We will ensure that subprocessors comply with their respective obligations under Applicable Data Protection Laws, in particular by verifying that they have implemented the appropriate technical and organizational measures necessary to ensure that the subprocessing meets the requirements of this DPA and Applicable Data Protection Laws.
3.4. At your request we will provide you with a copy of such subprocessing agreement(s) and any subsequent amendments thereof. To the extent necessary to protect business secrets or other confidential information, including personal data, we may redact the text of the agreement(s) prior to sharing a copy with you.
3.5. We remain liable to you for the performance of the subprocessors' obligations in accordance with the subprocessing agreements.
3.6. Notwithstanding points 3.1 – 3.5 above, in exceptional and unforeseeable circumstances where the security of data and systems is at risk, and where adherence to the procedure outlined in point 3.1 would significantly impede the necessary safeguarding of such security, we reserve the right to engage a subprocessor without following the aforementioned procedure. In such cases, we will ensure that the engagement of the subprocessor is strictly necessary for the protection of the data and systems, we will adhere to the obligations set forth in point 3.3, and we will provide you with a relevant notice of engagement at the earliest possible opportunity.
4. Copies of data and confidentiality of information
4.1. We create backup copies of:
- the Services' settings and configuration details;
- Customer Users' Data.
4.2. These backup copies are necessary to ensure the smooth functioning of the Services. All backup copies are automatically created by Microsoft Azure and stored on Microsoft Azure in the region that you chose when associating your Microsoft 365 tenant with the Services. We will not use these backup copies outside of the Microsoft Azure environment or for any purposes other than those specified above.
4.3. We will not create backup copies of any types of data other than those specified in point 4.1 above. In particular, we will not create backup copies of Customer Emails or Customer Email Data.
4.4. We acknowledge and agree that Customer Emails or Customer Users' Data may in some cases contain information that should reasonably be understood to be proprietary or confidential information of the Customer. We will undertake all reasonable organizational, technical, and administrative steps to prevent Customer Emails and Customer Users' Data from being disclosed to any unauthorized person. We will not disclose Customer Emails or Customer Users' Data to any third parties.
4.5. We will not disclose Customer Emails or Customer Users' Data to law enforcement unless required by law. If law enforcement contacts us with a request to disclose Customer Emails or Customer Users' Data, we will attempt to deny such request or redirect the law enforcement agency directly to you, unless this is impossible or legally inadmissible, in which case we will use commercially reasonable efforts to consult you before disclosing such data. If compelled to disclose Customer Emails or Customer Users' Data to law enforcement, we will promptly notify you and provide a copy of the demand unless we are legally prohibited from doing so. In each case, we will also inform you about making Customer Emails and Customer Users' Data available to the authorities, where legally permissible.
5. Assistance in fulfillment of the rights of data subjects and performance of other obligations
5.1. Taking into account the nature of the processing performed on the basis of this DPA, insofar as this is possible, we will assist you by appropriate technical and organizational measures in fulfilling your duty to respond to the requests of data subjects concerning the exercise of their rights described in Chapter III of the GDPR. If you require our assistance, you can request it using this form (https://www.codetwo.com/form/data-protection).
5.2. We will let you know without undue delay whether we are able to assist you and will inform you of the expected deadline for fulfilling your request. In any event, the deadline may not be longer than 2 (two) weeks from the moment we receive all the information from you that is necessary to fulfill your request.
5.3. If we receive a direct request from one of your data subjects to exercise one or more of their rights under the GDPR, we will redirect the data subject to make the request directly to you. We will not respond to any such requests on your behalf.
5.4. Taking into account the available information and the nature of the processing performed on the basis of this DPA, we will provide you with the information necessary for you to perform the obligations arising out of Articles 32 – 36 of the GDPR, including Data Protection Impact Assessments ("DPIA"). If you require our assistance in relation to a DPIA, you can contact our Data Protection Officer and Data Security Team at any time using this form (https://www.codetwo.com/form/data-protection).
6. Security
6.1. Considering the risk of violation of the rights and freedoms of individuals and the state of technical knowledge, implementation costs, and the scope, nature, context and purposes of the processing of personal data, we declare that, in accordance with Article 32 of the GDPR, we have implemented appropriate technical and organizational measures to secure the processing of Customer Data. These measures are described in Appendix 3 to this DPA. You can also use the information contained in Appendix 3 to perform a DPIA.
6.2. We undertake to protect Customer Data from unauthorized access, unauthorized removal, damage or destruction, and we will take all necessary steps to keep personal data confidential and to protect it in accordance with the provisions of Applicable Data Protection Laws.
6.3. We declare that all our employees who are authorized to process personal data are bound to confidentiality and undergo regular training regarding the data protection provisions relevant to their work.
6.4. We regularly monitor all internal processes and the technical and organizational measures to ensure that processing is in accordance with the requirements of Applicable Data Protection Laws and the protection of the rights of the data subjects.
6.5. We are entitled to implement alternative, suitable measures to those described in this section 6 and in Appendix 3 to this DPA, especially due to technical advances and developments. Such measures must not fall below the security level of those described above. We will provide you with an up-to-date version of Appendix 3 at any time you request it during the term of this DPA.
7. Data breaches
7.1. We will notify you without undue delay after becoming aware of a personal data breach. Such notice will, at a minimum:
- describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
- communicate the name and contact details where more information can be obtained;
- describe the likely consequences of the personal data breach; and
- describe the measures taken or proposed to be taken by you to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
7.2. Where, and insofar as, it is not possible to provide all the information described in point 7.1 above at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
8. Period of processing and return of data
8.1. We will start processing Customer Users' Data at the moment you conclude this DPA and your Microsoft 365 tenant is associated with the Services.
8.2. This DPA will remain in force for the duration of your license for the Services and/or your use of the additional features of the Services referred to in point 2.5 of this DPA. The DPA shall remain in force while you use the Services with a trial license as well as after the trial period if you purchase a license for the Services. Furthermore, the DPA shall remain in force regardless of whether the Services were purchased directly from CodeTwo or through a reseller.
8.3. If your license is terminated or expires, this DPA will be automatically terminated. We will permanently delete Customer Users' Data from the Services within 180 days after the termination or expiry of your license, unless the law requires that this data be processed for a longer period.
8.4. After the termination or expiration of your license, we will not perform any operations on Customer Users' Data, except for storing it within the Services, unless we are required to do otherwise by law.
8.5. We are entitled to terminate this DPA without notice if your instructions infringe Applicable Data Protection Laws, provided that you were notified of this fact and did not change your instructions despite our notification of infringement. In case this DPA is terminated, we will not be able to provide the Services to you and your license will be terminated without a right to any refund.
9. Auditing rights of the customer
9.1. If you need any additional information regarding how we process and protect Customer Data and fulfill the obligations arising out of Applicable Data Protection Laws, you can contact our Data Protection Officer and Data Security Team at any time using this form (https://www.codetwo.com/form/data-protection/).
9.2. CodeTwo has implemented an Information Security Management System certified against the international standards ISO/IEC 27001 and ISO/IEC 27018. To confirm our compliance with ISO/IEC 27001 and ISO/IEC 27018, we undergo an audit once a year, and every third year we undergo a re-certification process. Audits are conducted by external and independent certifying entities. We will resolve any audit findings immediately in a way that is satisfactory to the certifying entities in order to stay compliant with ISO/IEC 27001 and ISO/IEC 27018.
9.3. On your demand, we will provide you with proof that CodeTwo holds the ISO/IEC 27001 and ISO/IEC 27018 certificates. If you need any additional information, we will share with you the results of the most recent ISO/IEC 27001 or ISO/IEC 27018 audits carried out at CodeTwo to help you verify how we fulfill our obligations regarding information security arising from this DPA. The report will be restricted by the distribution and confidentiality limitations imposed by the certifying entity. You might be asked to sign an additional Non-Disclosure Agreement before we share the report with you.
9.4. Notwithstanding the foregoing, we will make available to you all other information reasonably necessary to demonstrate compliance with the obligations set out in Applicable Data Protection Laws.
10. Control and audits
10.1. You should inform us without undue delay of any control or audit performed by competent supervisory authorities if it relates to Customer Data.
10.2. We will inform you immediately of any inspections and measures conducted by the supervisory authorities if they relate to the Services or Customer Data.
11. Jurisdiction specific data protection clauses
11.1. If you are subject to any data protection laws of the jurisdictions listed in Appendix 4, then the terms of Appendix 4 supplement the clauses of sections 1 – 10 of this DPA.
12. Liability
12.1. We will be liable towards data subjects for damage caused by processing only to the extent that it is established by a final and binding court judgment, resulting from legal proceedings initiated by the data subject, that we have failed to comply with the obligations of the GDPR specifically directed to processors or that we have acted outside or contrary to the lawful instructions of the controller, and only to the extent that our own fault in causing the damage has been determined.
12.2. Regardless of other agreements concluded between you and CodeTwo, and subject to mandatory provisions of law, our aggregate limit of liability to you on any basis in connection with this DPA and the processing of Customer Data shall in any case not exceed the total fees paid by you to us for the Services during the one-year period immediately preceding the event giving rise to the claim. We are not liable for lost profits, lost data, or any other consequential, incidental, or indirect damages related to the performance of this DPA or otherwise connected with the Services, regardless of whether the likelihood of such damage was foreseen by either you or us.
13. Miscellaneous
13.1. We may amend this DPA from time to time, in particular to reflect changes in Applicable Data Protection Laws or to accommodate changes in our products or software. All new versions will be published here (https://www.codetwo.com/regulations/dpa) and will be effective immediately on publication. If you do not wish to be bound by the new version of the DPA, you can cancel your subscription within 14 days of publication by contacting us using this form (https://www.codetwo.com/form/data-protection).
13.2. This DPA should be read and construed together with CodeTwo's Terms and Conditions of Sales and Services (https://www.codetwo.com/regulations/sales-and-services). In case the provisions of CodeTwo's Terms and Conditions of Sales and Services are contrary to the provisions of this DPA, this DPA shall prevail.
13.3. This DPA will be governed by the laws of the Republic of Poland, excluding any conflict of law rules. Any and all disputes relating to this DPA will be settled between you and CodeTwo through good faith negotiations. In case these negotiations are not successful, any subsequent dispute shall be litigated before the competent courts of the Republic of Poland.
13.4. Should any provision of this DPA be found invalid or unenforceable by a court of competent jurisdiction, the rest of this DPA will remain in full effect.
13.5. This DPA can be signed in one or more counterparts and each counterpart will be considered an original DPA. All of the counterparts will be considered one document and become a binding agreement when one or more counterparts have been signed by each of the Parties and delivered to the other.
Appendix 1 – Details of processing, scope and categories of personal data
This document describes the details of processing, as well as the scope and categories of personal data subject to the processing based on this DPA and depending on the features of the Services that the Customer makes use of. All capitalized terms, unless defined below, have the meaning ascribed to them in the DPA. The Autoresponder, Sent Items Update and One-click surveys features are turned off by default.
1. Where the Customer does not make use of Autoresponder and Sent Items Update and One-click surveys:
- Customer Users' Data encompasses: names, email addresses, company contact details and job titles of people who have accounts in the Customer's Microsoft 365 tenant, as well as any other attributes of those people defined in the Entra ID (Azure Active Directory) of the Customer's Microsoft 365 tenant;
- Customer Email Data is not processed by CodeTwo based on this DPA;
- access to Customer Emails and/or granting the additional privileges referred to in point 2.5 of this DPA are not required;
- the categories of data subjects concerned by the processing include people who have accounts in the Customer's Microsoft 365 tenant.
2. Where the Customer makes use of either Autoresponder or Sent Items Update:
- Customer Users' Data encompasses: names, email addresses, company contact details and job titles of people who have accounts in the Customer's Microsoft 365 tenant, as well as any other attributes of those people defined in the Entra ID (Azure Active Directory) of the Customer's Microsoft 365 tenant;
- Customer Email Data is processed by CodeTwo based on this DPA;
- access to Customer Emails and/or granting the additional privileges referred to in point 2.5 of this DPA are required;
- the categories of data subjects concerned by the processing include people who have accounts in the Customer's Microsoft 365 tenant as well as people whose personal data is included in any email in any mailbox created within the Customer's Microsoft 365 tenant.
3. Where the Customer makes use of One-click surveys:
- Customer Users' Data encompasses: names, email addresses, company contact details and job titles of people who have accounts in the Customer's Microsoft 365 tenant, any other attributes of those people defined in the Entra ID (Azure Active Directory) of the Customer's Microsoft 365 tenant, as well as evaluations (reviews) of people who have accounts in the Customer's Microsoft 365 tenant made by recipients of emails sent from the Customer's domain, along with the email addresses and IP addresses of the people leaving such evaluations (reviews);
- Customer Email Data is not processed by CodeTwo based on this DPA;
- access to Customer Emails and/or granting the additional privileges referred to in point 2.5 of this DPA are required;
- the categories of data subjects concerned by the processing include people who have accounts in the Customer's Microsoft 365 tenant as well as people who leave evaluations (reviews) of people who have accounts in the Customer's Microsoft 365 tenant.
Our Services are not designed with the intention to process sensitive categories of personal data, such as: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation. No such data will be processed based on this DPA unless it is included in Customer Email Data in non-encrypted form.
Appendix 2 – List of subprocessors
CodeTwo currently uses only one subprocessor to provide the Services.
Subprocessor: Microsoft Ireland Operations Limited
Subprocessor's role: Provider of the Microsoft Azure service (datacenter).
Location of data processing: In the region of your choice. You can find a list of currently available regions here (https://www.codetwo.com/email-signatures/how-it-works). If a datacenter within the EEA is chosen, Customer Data will not be transferred outside of the EEA. The choice of the region is managed exclusively by the Customer.
Appendix 3 – Summary of security measures implemented by CodeTwo
This document describes security measures that we have implemented to ensure that Customer Data and – where applicable – Customer Email Data and Customer Emails are processed in accordance with Applicable Data Protection Laws and the DPA. This document is regularly updated to reflect changes made in our security and data privacy compliance program.
1. General organizational measures
- Data Protection Officer and Compliance Program. We have appointed a Data Protection Officer who is responsible for coordinating, monitoring and improving our security and data privacy compliance program ("Compliance Program"). The Compliance Program defines clear roles and responsibilities for our personnel.
- Security Management System and external audits. We have implemented an Information Security Management System certified against international standards ISO/IEC 27001 and ISO/IEC 27018. To confirm our compliance with ISO/IEC 27001 and ISO/IEC 27018, we undergo an external audit once a year, and every third year we undergo a re-certification process. All audits are conducted by external and independent certifying entities.
- Confidentiality. All of our personnel are subject to confidentiality obligations and may only access personal data (personal information) subject to a prior, written authorization issued by CodeTwo.
2. Training and awareness
- Personnel training. We conduct regular training sessions for our personnel on data protection rules and personnel roles within our Compliance Program. We also inform our personnel about possible consequences of non-compliance. These training sessions are conducted using anonymized data.
3. Physical and environmental security
- Physical access to datacenters. Customer Data is processed within Microsoft Azure datacenters. Access to these datacenters is restricted only to identified Microsoft staff members. Our personnel may not physically access these datacenters.
- Physical access to our facilities. Only identified and authorized members of our personnel may access our facilities. Unauthorized personnel may not access these facilities.
- Monitoring of facilities. Our facilities are constantly monitored by us and an external security service to prevent unauthorized access. Visitors may only access a designated space of our facilities where no data is processed.
- Protection from disruptions. We use a variety of industry accepted solutions to protect against loss of data due to power supply failure, fire, natural disaster or line interference.
- Component disposal. We use industry accepted solutions to delete Customer Data when it is no longer needed.
4. Access control
- Access authorization. We maintain a record of personnel authorized to access our facilities and information systems. We have implemented a system of controls to ensure that no one can leave our organization without having their authentication credentials deactivated and all access rights revoked. Additionally, we conduct regular (at least once every 6 months) audits to make sure that authentication credentials that have not been used are deactivated. Deactivated or expired identifiers are not granted to other or new members of our personnel. We maintain industry standard procedures to deactivate passwords that have been compromised or inadvertently disclosed.
- Limitation of privileges. Only a small, selected group of personnel may grant, alter or cancel access privileges to our facilities and information systems. The scope of access rights granted to our personnel is limited strictly to assets necessary to perform their functions.
- Authentication of users. We use industry accepted solutions, such as multifactor authentication, to identify and authenticate users who access our IT systems. Passwords are renewed regularly and must comply with minimum requirements imposed by our security policies. We use various best practices designed to maintain the confidentiality and integrity of passwords when they are assigned, distributed and stored.
- Monitoring. We monitor our information systems against all attempts of unauthorized access and use of expired or invalid credentials.
5. Asset and operations management
- Endpoint protection. All computing endpoints are encrypted and protected against malware.
- Backup copies. We make regular copies of Services' settings and configuration details and Customer Users' Data, as described in the DPA. We do not create backup copies of Customer Emails.
- Access to backups. All backups are automatically created by Microsoft Azure and stored on Azure in a region that you chose when associating your Microsoft 365 tenant with the Services. We have processes in place which ensure that access to backup copies is restricted to the necessary minimum, that backups may not be used outside of Microsoft Azure's environment, and that no data can be restored without the authorization of senior personnel members.
- Integrity and confidentiality. Our personnel must lock or terminate all sessions when leaving our facilities or leaving computers unattended. Only a small, selected group of our personnel who require remote access due to the nature of their duties may carry mobile devices and use them outside of our premises. All mobile devices are password protected and have encrypted storage.
- Printing and portable data carriers. We have procedures in place which ensure that no data can be printed or copied to portable data carriers without our prior authorization. Members of our personnel are prohibited from using unauthorized portable data carriers within our premises.
- Network controls. Only authorized devices may use our networks. We have controls in place which ensure that unauthorized devices cannot connect to our network.
6. Incident management
- Malicious software. We have anti-malware controls in place to help prevent malicious software from gaining unauthorized access to Customer Data and our information systems, including malicious software originating from public networks.
- Incident record. We maintain a record of security incidents which includes the date and time of the incident, the consequences of the breach and the measures implemented to avoid similar situations in the future.
- Service monitoring. We review and monitor logs for irregularities and suspicious activity.
7. Application controls
- Documentation. We maintain documentation which describes the architecture and features of CodeTwo Email Signatures 365.
- Guidelines and policies. We maintain guidelines and policies for developers which ensure that personal data processing principles such as privacy by design and privacy by default principles are observed while developing our applications.
- Code review and patch management. We regularly review application code for errors and issue patches or fixes.
Appendix 4 – US Data Protection Laws Addendum
1. The following terms and conditions apply additionally when we process Customer Data containing California consumers' personal information or otherwise subject to the California Consumer Privacy Act ("CCPA") (hereinafter jointly referred to as "CCPA Covered Data"):
- where we process CCPA Covered Data we are a "service provider" who processes CCPA Covered Data on your behalf and you are a "business", as defined in the CCPA;
- unless explicitly stated otherwise, in sections 1 – 10 of this DPA the term "data controller" shall be read to include "business", the term "data processor" shall be read to include "service provider", the term "data subject" shall be read to include "consumer" and the terms "Customer Data", "Customer Email Data" and "Customer Emails" shall be read to include "personal information", each as defined under the CCPA;
- as a service provider, we will process CCPA Covered Data only for the business purposes set forth in the Terms and Conditions of Sales and Services (https://www.codetwo.com/regulations/sales-and-services), and in this DPA;
- as a service provider, we undertake not to: (i) sell or share CCPA Covered Data; (ii) retain, use or disclose CCPA Covered Data for any purpose other than making your use of CodeTwo Email Signatures 365 possible or as otherwise may be permitted for service providers under the CCPA; (iii) retain, use or disclose CCPA Covered Data outside of the direct business relationship between us; (iv) combine CCPA Covered Data that we receive from you, or on your behalf, with personal information that we receive from, or on behalf of, another person or persons, or collect from our own interactions with consumers, unless such combination is required to perform any business purpose as permitted by the CCPA, including any regulations thereto, or by regulations adopted by the California Privacy Protection Agency;
- we will: (i) comply with obligations applicable to us as a service provider under the CCPA; (ii) provide CCPA Covered Data with the same level of privacy protection as is required by the CCPA, provided, however, that you are responsible for ensuring that you have complied, and will continue to comply, with the requirements of the CCPA in your use of the Services and your own processing of CCPA Covered Data; (iii) notify you without undue delay if we make a determination that we can no longer meet our obligations as a service provider under the CCPA; (iv) provide you with reasonable additional and timely assistance to assist you in complying with your obligations with respect to consumer requests under the CCPA in line with the procedure described in points 5.1 – 5.3 of this DPA; (v) observe the conditions for the engagement of subprocessors including by ensuring that we enter into a written agreement that complies with the CCPA, regarding, without limitation, the contractual requirements for service providers and contractors, with each such subprocessor that we engage to process CCPA Covered Data;
- you have the right to take reasonable and appropriate steps: (i) to help ensure that we use CCPA Covered Data in a manner consistent with your obligations under the CCPA; (ii) to stop and remediate unauthorized use of CCPA Covered Data; to exercise these rights, contact us using this form (https://www.codetwo.com/form/data-protection);
- you have the right to monitor our compliance with this DPA and the CCPA by using any of the means and methods described in section 9 of this DPA;
- we certify that we understand and will comply with our obligations as a service provider under the CCPA;
- we acknowledge and confirm that we do not receive Customer Data, Customer Email Data or Customer Emails as consideration for any Services provided to you.
2. The following terms and conditions apply additionally when we process Customer Data containing personal data subject to the US State Privacy Laws (as defined below) (all hereinafter jointly referred to as "US State Privacy Laws Covered Data"):
- for the purposes of this Addendum, the term "US State Privacy Laws" means: (i) the Virginia Consumer Data Protection Act; (ii) the Colorado Privacy Act; (iii) the Connecticut Data Privacy Act; (iv) the Utah Consumer Privacy Act; (v) the Oregon Consumer Privacy Act; (vi) the Texas Data Privacy and Security Act; (vii) the Montana Consumer Data Protection Act; (viii) any other applicable US state law relating to the protection of personal data, under which you are a controller of personal data and we are a processor of personal data, provided that the terms and conditions of this Addendum meet the requirements set forth in such other state law;
- unless explicitly stated otherwise, in sections 1 – 10 of this DPA the term "data controller" shall be read to include "controller", the term "data processor" shall be read to include "processor", the term "data subject" shall be read to include "consumer" and the terms "Customer Data", "Customer Email Data" and "Customer Emails" shall be read to include "personal data", each as defined under the US State Privacy Laws;
- we will: (i) adhere to your instructions regarding the processing of US State Privacy Laws Covered Data; (ii) provide you with the information necessary to enable you to conduct and document data protection assessments as may be required pursuant to the US State Privacy Laws, in line with the procedure described in point 5.4 of this DPA; (iii) make available to you, upon your reasonable request, all information in our possession necessary to demonstrate our compliance with our obligations as a processor under the US State Privacy Laws, in line with the procedure described in section 9 of this DPA; (iv) ensure that each person processing US State Privacy Laws Covered Data is subject to a duty of confidentiality with respect to such data; (v) delete all US State Privacy Laws Covered Data in line with points 8.3 – 8.4 of this DPA, unless retention of US State Privacy Laws Covered Data is required by law; (vi) arrange for a qualified and independent assessor to conduct an assessment of our policies and of the technical and organizational measures implemented in support of our obligations under this Addendum, cooperate with the assessor in their assessment, and provide a report of such assessment to you upon request in line with points 9.3 – 9.4 of this DPA; (vii) observe the conditions for the engagement of subprocessors including, without limitation, by ensuring that we enter into a written agreement that complies with the US State Privacy Laws with each such subprocessor that we engage to process US State Privacy Laws Covered Data, and that we give you the opportunity to object to the involvement of a new subprocessor in line with section 3 of this DPA;
- taking into account the nature of processing and the information available to us, by appropriate technical and organizational measures, insofar as this is reasonably practicable, we will: (i) help you fulfill your obligation to respond to consumer rights requests made pursuant to the US State Privacy Laws in line with the procedure described in points 5.1 – 5.3 of this DPA; (ii) assist you in meeting your obligations in relation to the security of processing the personal data and in relation to the notification of a breach of security regarding the Services, including in particular by providing relevant notices in line with section 7 of this DPA.
Previous versions
- August 21, 2023 (https://www.codetwo.com/regulations/dpa/archive-2023-08-21)
- February 16, 2022 (https://www.codetwo.com/regulations/dpa/archive-2022-02-16)
- November 18, 2021 (https://www.codetwo.com/regulations/dpa/archive-2021-11-18)
- January 12, 2021 (https://www.codetwo.com/regulations/dpa/archive-2021-01-12)
- March 21, 2019 (https://www.codetwo.com/regulations/dpa/archive-2019-03-21)