CodeTwo Terms and Privacy
Personal Data Processing Agreement
Published: 2021-01-12. See previous versions (https://www.codetwo.com/regulations/dpa/#previous-versions)
This Data Processing Agreement (“DPA”) is entered into as of the Effective Date by and between CodeTwo sp. z o.o. sp. k., a limited partnership established under the laws of the Republic of Poland (member state of the European Union), with its registered office in Jelenia Gora at Wolnosci Street 16 (“CodeTwo” or simply “we”), with EU VAT ID number PL6112622141, entered in the register of entrepreneurs kept by the District Court for Wrocław-Fabryczna in Wrocław, Poland, IX Commercial Division under KRS number 438398, and the entity or person set forth on the last page hereto (“Customer” or simply “you”). CodeTwo and Customer are sometimes referred to individually as “Party” or collectively as “Parties”.
The “Effective Date” shall be understood by the Parties as the date the Customer expresses their consent to be bound by the provisions of the DPA either by checking the appropriate box on CodeTwo’s website that confirms reading and accepting the terms of the DPA or by signing a copy of this DPA received by email.
This DPA is made with reference to the following facts:
- the Customer is interested in using CodeTwo Email Signatures for Office 365 – a centrally managed, server-side email signature management software consisting of a web-based user panel and associated services, such as CodeTwo Email Azure Service, hosted on Microsoft Azure at a geolocation of your choice (the software and associated services are jointly referred to as “Services”);
- the use of the Services requires that some of personal data controlled by the Customer is processed by CodeTwo;
- under art. 28 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) before the Customer starts using the Services, a Data Processing Agreement must be concluded between the Customer and CodeTwo.
- You, as the data controller, acknowledge and understand that:
- making use of the Services requires that some Azure Active Directory user attributes and group memberships of people who have accounts in your Office 365 tenant (“Customer Data”) are associated with the Services;
- making use of the Services requires that emails sent from your Office 365 tenant (“Customer Emails”) are relayed through the Services.
- You, as the data controller, confirm that:
- this DPA along with your use and configuration of the Services are your complete and final instructions to us for the processing of Customer Data. We will immediately inform you, if in our opinion your instructions may infringe the GDPR or other data protection laws;
- Customer Data was and will be obtained in accordance with applicable laws, including the GDPR and that all required consents (if necessary) from people whose personal data is processed using the Services were collected and all information duties fulfilled.
- We, as a data processor, undertake:
- to only process Customer Data and relay Customer Emails through the Services to make it possible for you to make use of the Services, solely on the basis and under the conditions specified in this DPA and applicable provisions of law;
- not to record, register, store, back up, or physically access the content of Customer Emails.
2. Scope of personal data and categories of data subjects
- Customer Data encompasses the following categories of personal data: names, email addresses, company contact details and job titles of people who have accounts in your Office 365 tenant. These people are those who will be concerned by this DPA.
- We use Microsoft Azure to provide our Services to you. This means that Customer Data will be processed in Microsoft Azure datacenters in a geolocation of your choice. You can find a list of currently available geolocations here (https://www.codetwo.com/email-signatures/how-it-works).
- Microsoft Azure datacenters are managed by Microsoft Corporation and its affiliates. Microsoft Corporation uses subcontractors to provide its Microsoft Azure services. You can find the list of subcontractors here (https://www.codetwo.com/regulations/dpa/ms-subcontractors).
- You can find detailed terms and conditions of services provided by Microsoft Corporation and its affiliates here (https://www.codetwo.com/regulations/dpa/ms-terms-and-conditions). These documents describe Microsoft’s obligations regarding the security of data and measures that were implemented in Microsoft datacenters to protect the confidentiality of Customer Data. You can also find information about Microsoft’s Azure security here (https://www.codetwo.com/regulations/dpa/ms-azure-security).
- We confirm that we have entered into an agreement based on EU Standard Contractual Clauses with Microsoft Corporation. The aim of this agreement is to ensure that a level of protection of personal data similar to this ensured by us is maintained when Customer Data is transferred to Microsoft Azure datacenters, including those located outside of the European Economic Area (EEA).
- You acknowledge and agree that we may use Microsoft Corporation, its affiliates and subcontractors, as described above, as subprocessors to provide the Services to you. These entities may be engaged only within the limits and for the purpose of providing the Services to you. The standard of personal data protection applicable to these subprocessors is at least equal to the protection standard provided by us.
4. Copies of data and confidentiality of information
- We will not create copies or duplicates of any data without your knowledge, except for backup copies concerning the following types of data:
- the Services’ settings and configuration details;
- Customer Data (i.e. some Azure Active Directory user attributes and group memberships of people who have accounts in your Office 365 tenant, as described in 1.1 a).
- These backup copies are necessary to ensure smooth functioning of the Services. All backup copies are automatically created by Microsoft Azure and stored on Microsoft Azure in a geolocation that you chose when associating your Office 365 tenant with the Services. We will not use these backup copies outside of Microsoft Azure environment or for any other purposes than those specified above.
- We will not create backup copies of any other types of data than those specified in point 4.1 above. We will not create backup copies of Customer Emails.
- We acknowledge and agree that Customer Emails in some cases may contain information that should reasonably be understood to be a proprietary or confidential information of the Customer. We will undertake all reasonable organizational, technical and administrative steps to prevent Customer Emails from being disclosed to any unauthorized person. Because we do not record, register, store, back up, or physically access the content of Customer Emails, we will not disclose it to any third parties and will always refuse all requests to disclose Customer Emails to law enforcement.
- We acknowledge and agree that Customer Data in some cases may contain information that should reasonably be understood to be a proprietary or confidential information of the Customer. We will undertake all reasonable organizational, technical and administrative steps to prevent Customer Data from being disclosed to any unauthorized person. We will not disclose Customer Data to law enforcement unless required by law. If law enforcement contacts us with a request for Customer Data, we will attempt to redirect the law enforcement agency directly to you. If compelled to disclose Customer Data to law enforcement, we will promptly notify you and provide a copy of the demand unless we are legally prohibited from doing so.
5. Assistance in fulfillment of the rights of data subjects and performance of other data controller’s obligations
- We will help you fulfill your duty to respond to the requests of data subjects, particularly in relation to the right to be forgotten, the right to data portability, the right to restriction of data processing or the right to object to data processing provided that you inform us immediately of any requests from data subjects that require our assistance. In any event, you should inform us of any requests that you received no later than 3 (three) business days from its receipt. You can do it using this form (https://www.codetwo.com/form/security-officer/).
- We have the right to refuse your request if it is forwarded to us later than 3 (three) business days from its receipt by you and if the request is too difficult or impossible to fulfill. A request may be difficult or impossible to fulfill especially when it is too complex, evidently unjustified, excessive or impossible to fulfill because of technical limitations.
- We will confirm the receipt of your request within 3 (three) business days from its receipt. Within the next 3 (three) business days we will let you know if we are able to assist you and we will inform you of the expected deadline to fulfill your request. In any event, the deadline may not be shorter than 2 (two) weeks.
- If we receive a request from your data subject to exercise one or more of its rights under the GDPR, we will redirect the data subject to make its request directly to you.
- Taking into account available information and the nature of processing, as described in section 1 of this DPA, we will provide you with information necessary for you to perform obligations arising out of article 32 – 36 of the GDPR, including Data Protection Impact Assessments (“DPIA”). If you require our assistance in relation to DPIA, you can contact us any time using this form (https://www.codetwo.com/form/security-officer/).
- Considering the risk of violation of the rights and freedoms of individuals and the state of technical knowledge, implementation costs, scope, nature, context and purposes of processing personal data, we declare that in accordance with art. 32 of the GDPR, we have implemented appropriate technical and organizational measures to secure the processing of Customer Data. These measures are described in Appendix 1 to this DPA. You can also use information contained in Appendix 1 to perform DPIA.
- We undertake to protect Customer Data from unauthorized access, unauthorized removal, damage or destruction and we will take all necessary steps to keep personal data confidential and to protect it in accordance with the provisions of the GDPR.
- We declare that all our employees who are authorized to process personal data, are bound to confidentiality and undergo regular trainings regarding data protection provisions relevant to their work.
- We regularly monitor all internal processes and the technical and organizational measures to ensure that processing is in accordance with the requirements of applicable data protection law and the protection of the rights of the data subject.
- We are entitled to implement alternative, suitable measures than those described in this section above and in Appendix 1 to this DPA, especially due to technical advances and developments. Such measures must not fall below the security level of those described above. We will provide you with an up-to-date version of Appendix 1 anytime you request us to do so during the term of this DPA.
7. Data breaches
- We will notify you without undue delay after becoming aware of a personal data breach. Such notice will, at a minimum:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal records concerned;
- communicate the name and contact where more information can be obtained;
- describe the likely consequences of the personal data breach; and
- describe the measures taken or proposed to be taken by you to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
8. Period of processing and return of data
- You acknowledge and understand that we will start the processing of Customer Data after your Office 365 tenant is associated with the Services.
- We will process personal data that you entrust to us for the duration of your license for the Services. The DPA shall remain in force when using the Services with a trial license as well as after the trial period, i.e. after purchasing the license for the Services. Furthermore, the DPA shall remain in force regardless of whether the Services were purchased directly from CodeTwo or through a reseller.
- If your license is terminated or expires, we will erase Customer Data from the Services within 180 days after you cancel your subscription with us, unless the law requires that this data is processed for a longer period.
- After termination or expiration of your license, we will not perform any operations on Customer Data, except for storing it within the Services, unless we are required to do otherwise by law.
9. Auditing rights of the customer
- If you need any additional information regarding how we process and protect Customer Data and fulfill obligations arising out of the GDPR you can contact us at any time using this form (https://www.codetwo.com/form/security-officer/).
- You can also verify security measures implemented by Microsoft Corporation and its affiliates by referencing to their Online Services Terms.
- CodeTwo has implemented the Information Security Management System certified against international standards ISO/IEC 27001 and ISO/IEC 27018. To confirm the compliance with ISO/IEC 27001 and ISO/IEC 27018, we conduct the audit once a year, and every third year we undergo the re-certification process. Audits are conducted by the external and independent certifying entities. We will resolve any audit findings immediately in a way that is satisfactory for the certifying agencies in order to stay compliant with ISO/IEC 27001 and ISO/IEC 27018.
- On your demand, we will provide you with proof that CodeTwo holds the ISO/IEC 27001 or ISO/IEC 27018 certificates. If you need any additional information, we will share with you the results from the recent ISO/IEC 27001 or ISO/IEC 27018 audits carried out in CodeTwo to help you verify how we fulfill our obligations regarding the information security arising from these Terms. The report will be restricted by the distribution and confidentiality limitations imposed by the certifying entity. You might be asked to sign an additional Non-Disclosure Agreement before we share the report with you.
10. Control and audits
- You should inform us without undue delay of any control or audit performed by competent supervisory authorities if it relates to Customer Data.
- We will inform you immediately of any inspections and measures conducted by the supervisory authorities if they relate to the Services or Customer Data.
11. Jurisdiction specific data protection clauses
- If you are subject to any data protection laws of jurisdictions listed in Appendix 2, then the terms of Appendix 2 supplement the clauses of sections 1 – 10 of this DPA.
- This DPA can only be modified by a written document signed by both you and us.
- This DPA should be read and construed together with CodeTwo’s Terms and Conditions of Sales and Services (https://www.codetwo.com/regulations/sales-and-services). In case the provisions of CodeTwo’s Terms and Conditions of Sales and Services are contrary to the provisions of this DPA, this DPA should prevail.
- This DPA will be governed by the GDPR and the laws of the Republic of Poland, excluding any conflict of law rules. Any and all disputes relating to this DPA will be settled between you and CodeTwo through good faith negotiations. In case these negotiations are not successful, any subsequent dispute should be litigated in front of the competent courts of the Republic of Poland.
- Should any provision of this DPA be found invalid or unenforceable by a court of competent jurisdiction, the rest of this DPA will remain in full effect.
- This DPA can be signed in one or more counterparts and each counterpart will be considered an original DPA. All of the counterparts will be considered one document and become a binding agreement when one or more counterparts have been signed by each of the Parties and delivered to the other.
- The term of this DPA corresponds with the term of your license for CodeTwo Email Signatures for Office 365.
Appendix 1 – Summary of security measures implemented by CodeTwo
This document describes security measures that we have implemented to ensure that Customer Data is processed in accordance with the law and the DPA. This document is regularly updated to reflect changes made in our security and data privacy compliance program.
1. General organizational measures
- Data Security Officer and Compliance Program. We have appointed at least one Data Security Officer who is responsible for coordinating, monitoring and improving our security and data privacy compliance program (“Compliance Program”). Compliance Program defines clear roles and responsibilities of our personnel. Data Security Officer is responsible for coordinating, monitoring and improving the Compliance Program.
- Security Management System and External Audits. CodeTwo has implemented the Information Security Management System certified against international standards ISO/IEC 27001 and ISO/IEC 27018. To confirm the compliance with ISO/IEC 27001 and ISO/IEC 27018, we conduct the audit once a year, and every third year we undergo the re-certification process. Audits are conducted by the external and independent certifying entities.
- Confidentiality. Our entire personnel are subject to confidentiality obligations and may only access personal data subject to a prior, written authorization issued by CodeTwo.
2. Training and awareness
- Personnel Training. We conduct regular training sessions for our personnel on data protection rules and personnel roles within our Compliance Program. We also inform our personnel about possible consequences of non-compliance. These training sessions are conducted using anonymized data.
3. Physical and environmental security
- Physical Access to Datacenters. Customer Data is processed within Microsoft Azure datacenters. Access to these datacenters is restricted only to identified Microsoft staff members. Our personnel may not physically access these centers.
- Physical Access to our facilities. Only identified and authorized members of our personnel may access our facilities. Unauthorized personnel may not access these facilities.
- Monitoring of Facilities. Our facilities are constantly monitored by us and external security service to prevent unauthorized access. Visitors may only access a designated space of our facilities where no data is processed.
- Protection from Disruptions. We use a variety of industry accepted solutions to protect against loss of data due to power supply failure, fire, natural disaster or line interference.
- Component Disposal. We use industry accepted solutions to delete Customer Data when it is no longer needed.
4. Access control
- Access Authorization. We maintain a record of personnel authorized to access our facilities and information systems. We have implemented a system of controls to make sure that no one can stop working for our organization without having their authentication credentials deactivated and all access rights revoked. Additionally, we conduct regular (at least once every 6 months) audits to make sure that authentication credentials that have not been used are deactivated. De-activated or expired identifiers are not granted to other or new members of our personnel. We maintain industry standard procedures to deactivate passwords that have been corrupted or inadvertently disclosed.
- Limitation of privileges. Only a small, selected group of personnel may grant, alter or cancel access privileges to our facilities and information systems. The scope of access rights granted to our personnel is limited strictly to assets necessary to perform their functions.
- Authentication of users. We use industry accepted solutions, such as multifactor authentication, to identify and authenticate users who access our IT systems. Passwords are renewed regularly and must comply with minimum requirements imposed by our security policies. We use various best practices designed to maintain the confidentiality and integrity of passwords when they are assigned, distributed and stored.
- Monitoring. We monitor our information systems against all attempts of unauthorized access and use of expired or invalid credentials.
5. Asset and operations management
- Endpoint protection. All computing endpoints are encrypted and protected against malware.
- Backup copies. We make regular copies of Services’ settings and configuration details and Customer Data (Azure Active Directory user attributes and group memberships of people who have accounts in your Office 365 tenant, as described in point 1.1 (a) of the DPA). We do not create backup copies of Customer Emails.
- Access to backups. All backups are automatically created by Microsoft Azure and stored on Azure at a geolocation that you chose when associating your Office 365 tenant with the Services. We have processes in place which ensure that access to backup copies is restricted to the necessary minimum, that backups may not be used outside of Microsoft Azure’s environment, and that no data can be restored without the authorization of senior personnel members.
- Integrity and Confidentiality. Our personnel have to disable all sessions when leaving our facilities or leaving computers unattended. Only a small, selected group of our personnel who require remote access due to the character of their duties may carry mobile devices and use them outside of our premises. All mobile devices are password protected and have encrypted storage.
- Printing and portable data carriers. We have procedures in place which guarantee that no data can be printed or copied to portable data carriers without our prior authorization. Members of our personnel are prohibited from using unauthorized portable data carriers within our premises.
- Network controls. Only authorized devices may use our networks. We have controls in place which ensure that unauthorized devices may not be used within our network.
6. Incident management
- Malicious Software. We have anti-malware controls in place to help avoid malicious software gaining unauthorized access to Customer data and our information systems, including malicious software originating from public networks.
- Incident record. We maintain a record of security incidents which include the date and time of the incident, the consequences of the breach and measures implemented to avoid similar situations in the future.
- Service Monitoring. We verify and monitor logs against irregularities and suspicious activity.
7. Application controls
- Documentation. We maintain documentation which describes the architecture and features of CodeTwo Email Signatures for Office 365.
- Guidelines and policies. We maintain guidelines and policies for developers which ensure that personal data processing principles such as privacy by design and privacy by default principles are observed while developing our applications.
- Code review and patch management. We regularly review application codes for errors and issue patches or fixes.
Appendix 2 – Jurisdiction specific data protection clauses
- This section sets forth specific terms and conditions concerning compliance with the California Consumer Privacy Act (“CCPA”). It only applies if you are a “business” under relevant provisions of the CCPA and you purchase a license for CodeTwo Email Signatures for Office 365. This section does not apply in all other cases.
- Where we process Customer Data and Customer Emails containing California consumers’ personal information we are a “service provider” who processes Customer Data and Customer Emails on your behalf and you are a “business” as defined in the CCPA.
- Unless explicitly stated otherwise, in sections 1 – 10 of this DPA the term “data controller” should be read to include “business”, the term “data processor” should be read to include “service provider”, the term “data subject” should be read to include “consumer” and “Customer Data” and “Customer Emails” should be read to include “personal information”, each as defined under the CCPA.
- As a service provider, we undertake not to retain, use, disclose or otherwise process Customer Data and Customer Emails for any purpose other than making your use of CodeTwo Email Signatures for Office 365 possible or as otherwise may be permitted for “service providers” under the CCPA.
- Our obligations regarding data subject requests contained in section 5 of this DPA apply to consumer’s rights under the CCPA.