- 138 West St, Sandton, Johannesburg, 2031.
- 8375 International dr., Orlando, Fl, 32819
Version 6 – Date of release: 7 July 2023
This Data Processing Agreement (“DPA”) is part of the Dripcel master services agreement (“Principal Agreement”) between Dripcel and the Customer and is subject to the Principal Agreement. For the purposes of this DPA, capitalized terms are defined as follows. Terms not otherwise defined shall have the meaning given in the Principal Agreement.
(a) “Customer’s Personal Data” refers to any personal data processed by Dripcel on behalf of the Customer to perform Services under the Principal Agreement.
(b) “Applicable Data Protection Laws” include the GDPR as implemented in domestic legislation of each Member State (and the United Kingdom) and any amendments, replacements, or supersessions, as well as laws implementing, replacing, or supplementing the GDPR, including the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq (“CCPA”).
(c) “GDPR” refers to the General Data Protection Regulation (EU) 2016/679, concerning the protection of natural persons regarding the processing of personal data and the free movement of such data.
(d) “Dripcel Infrastructure” includes (i) Dripcel’s physical facilities, (ii) hosted cloud infrastructure, (iii) Dripcel’s corporate network, and the non-public internal network, software, and hardware necessary to provide the Services controlled by Dripcel, to the extent used to provide the Services.
(e) “Restricted Transfer” means transferring the Customer’s Personal Data from Dripcel to a sub-processor, which would be prohibited by Applicable Data Protection Laws (or the terms of data transfer agreements established to address the data transfer restrictions of Applicable Data Protection Laws) without appropriate safeguards as required under Applicable Data Protection Laws.
(f) “Services” refer to the services provided to the Customer by Dripcel as per the Principal Agreement.
(g) “Standard Contractual Clauses” means the latest version of the standard contractual clauses for the transfer of personal data to processors in third countries under the GDPR, as annexed to European Commission Decision 2021/914 (EU) of June 4, 2021.
(h) “UK Addendum” refers to the United Kingdom Addendum (International Data Transfer Addendum to the EU Commission Standard Contractual Clauses) available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
(i) The terms “consent”, “controller”, “data subject”, “Member State”, “personal data”, “personal data breach”, “processor”, “sub-processor”, “processing”, “supervisory authority,” and “third party” shall have the meanings assigned to them in Article 4 of the GDPR or the CCPA, where applicable.
(a) Dripcel and the Customer shall comply with the provisions and obligations imposed on them by the Applicable Data Protection Laws and shall ensure their employees and sub-processors do the same.
(a) The Processing of the Customer’s Personal Data under the Agreement shall comply with the following stipulations and Article 28(3) of the GDPR. This information may be amended by the parties as necessary to meet these requirements.
(i) Subject matter and duration of the processing of personal data are outlined in the Principal Agreement.
(ii) Nature and purpose of the processing of personal data: As detailed in the Principal Agreement, Dripcel provides services such as messaging, email, voice calls, and other communication services to the Customer, involving the processing of personal data. Subject to section 3(a)(iv), these activities include (a) providing the Services; (b) detecting, preventing, and resolving security and technical issues; and (c) responding to Customer’s support requests.
(iii) Types of personal data to be processed: The personal data submitted to Dripcel’s network, as determined and controlled solely by the Controller, may include names, emails, telephone numbers, IP addresses, and other personal data in contact lists and message or call content.
(iv) Independent Data Controller Exclusion: Notwithstanding any other provision herein, when processing personal data for communication services, including SMS, email, voice, and other media transmissions, Dripcel acts as an independent data controller, not as a joint controller. This is to provide communication services, prevent spam and fraud, ensure security, maintain its network, manage its business, and comply with applicable laws.
(v) Categories of data subjects: Senders and recipients of emails, SMS messages, voice calls, or other communications.
(b) Dripcel shall process the Customer’s Personal Data (i) to fulfill its obligations under the Principal Agreement and (ii) according to documented instructions described in this DPA or as otherwise instructed by the Customer. Such instructions shall be documented in applicable orders, service descriptions, support tickets, written communications, or as directed by the Customer using the Services (e.g., via an API or control panel).
(c) If Dripcel reasonably believes a Customer instruction contradicts the Principal Agreement or this DPA, or infringes the GDPR or other data protection provisions, it shall inform the Customer without delay. Dripcel may defer the instruction’s performance until amended by the Customer or mutually agreed upon by both parties.
(d) The Customer is solely responsible for managing personal data submitted or transmitted by the Services, including (i) verifying recipient information such as phone numbers or addresses for accuracy, (ii) reasonably notifying recipients of the insecure nature of email or messaging for transmitting personal data (if applicable), (iii) reasonably limiting the amount or type of information disclosed through the Services, and (iv) encrypting personal data transmitted through the Services when appropriate or required by law (e.g., using encrypted attachments, PGP toolsets, or S/MIME). If the Customer opts not to configure mandatory encryption, they acknowledge that the Services may include transmitting unencrypted emails in plain text over public internet and open networks. Information uploaded to the Services, including message content, is stored in an encrypted format when processed by the Dripcel Infrastructure.
(a) For the purposes of this DPA, the Customer is the controller of the Customer’s Personal Data, and Dripcel is the processor of such data, except when the Customer acts as a processor of the Customer’s Personal Data, in which case Dripcel is a sub-processor.
(b) Dripcel shall at all times have an officer responsible for assisting the Customer (i) in responding to inquiries concerning the Data Processing received from Data Subjects, and (ii) in completing all legal information and disclosure requirements associated with the Data Processing. Such assistance may be requested at [email protected].
(c) The Customer warrants that:
(i) The processing of the Customer’s Personal Data is based on legal grounds as required by Applicable Data Protection Laws, and that it has made and shall maintain throughout the term of the Principal Agreement all necessary rights, permissions, registrations, and consents as required by Applicable Data Protection Laws with respect to Dripcel’s processing of the Customer’s Personal Data under this DPA and the Principal Agreement.
(ii) It is entitled to and has all necessary rights, permissions, and consents to transfer the Customer’s Personal Data to Dripcel and otherwise permit Dripcel to process the Customer’s Personal Data on its behalf, so that Dripcel may lawfully use, process, and transfer the Customer’s Personal Data to carry out the Services and perform Dripcel’s other rights and obligations under this DPA and the Principal Agreement.
(iii) It will inform its Data Subjects about its use of Processors in Processing their personal data, to the extent required under Applicable Data Protection Laws.
(a) Dripcel shall ensure its personnel and sub-processors are subject to confidentiality agreements and trained on security and data protection requirements.
(a) Dripcel shall, in relation to the Customer’s Personal Data, (a) take and document reasonable and appropriate measures, as described in Annex 2, in relation to the security of the Dripcel Infrastructure and the platforms used to provide the Services as described in the Principal Agreement, and (b) on reasonable request at the Customer’s cost, assist the Customer in ensuring compliance with the Customer’s obligations pursuant to Article 32 of the GDPR.
(b) Dripcel’s internal operating procedures shall comply with the specific requirements of effective data protection management.
(a) Dripcel offers specific tools to help customers respond to data subject requests. These tools include APIs and interfaces for searching event data, managing suppressions, and retrieving message content. When Dripcel receives a complaint, inquiry, or request related to the Customer’s Personal Data directly from data subjects, including requests to exercise their rights under Applicable Data Protection Laws, Dripcel will notify the Customer. Considering the nature of the processing, Dripcel will assist the Customer with appropriate technical and organizational measures to the extent reasonably possible, enabling the Customer to fulfill their obligation to respond to such data subject requests.
(a) Dripcel shall notify the Customer without undue delay once it becomes aware of a personal data breach affecting the Customer’s Personal Data. Considering the nature of the processing and the information available, Dripcel will use commercially reasonable efforts to provide the Customer with sufficient information. This will enable the Customer, at their own expense, to meet any obligations to report or inform regulatory authorities, data subjects, and other entities of such a personal data breach as required under Applicable Data Protection Laws.
(a) Dripcel shall, considering the nature of the processing and the information available, provide reasonable assistance to the Customer at the Customer’s expense, with any data protection impact assessments and prior consultations with supervisory authorities or other competent regulatory bodies as required for the Customer to fulfill its obligations under Applicable Data Protection Laws.
(a) Dripcel shall, upon reasonable request, provide the Customer with information necessary to demonstrate compliance with this DPA.
(b) The Customer, or a mandated third-party auditor, may conduct an inspection related to the Processing of the Customer’s Personal Data by Dripcel, upon written reasonable request, to the extent necessary according to Data Protection Laws, without disrupting Dripcel’s business operations and ensuring confidentiality.
(c) The audit right described in Paragraph 10(b) will apply if Dripcel has not provided sufficient evidence of compliance with this DPA. Sufficient evidence includes: (i) a certification of compliance with ISO 27001 or other standards implemented by Dripcel (as defined in the certificate); or (ii) an audit or attestation report by an independent third party. Audits described in this Paragraph 10 shall be conducted at the Customer’s cost and expense.
(a) The Customer may, by written notice to Dripcel no later than the time of termination of the Principal Agreement, request the return and/or certification of deletion of all copies of the Customer’s Personal Data held by Dripcel and its sub-processors. Dripcel shall provide a copy of the Customer’s Data in a readable and processable format.
(b) Within ninety (90) days following account termination, Dripcel shall delete all personal data processed under this DPA, unless the Customer requests the return of personal data as described in Paragraph 11(a). This provision does not affect statutory duties of the Parties to preserve records for retention periods set by law, statute, or contract.
(c) Any additional costs arising from the return of personal data after the termination or expiration of the Agreement shall be borne by the Customer.
(a) The Standard Contractual Clauses and, if required, the UK Addendum, with Dripcel acting as the data importer and the Customer as the data exporter, are incorporated into this DPA. If Dripcel’s arrangement with a sub-processor involves a Restricted Transfer, Dripcel shall ensure that the onward transfer provisions of the Standard Contractual Clauses and/or UK Addendum are incorporated into the Principal Agreement, or otherwise agreed upon between Dripcel and the sub-processor. The Customer agrees to exercise its audit right under the Standard Contractual Clauses by instructing Dripcel to conduct the audit set out in Paragraph 10.
(b) The Customer acknowledges and agrees that, in connection with the performance of the Services under the Agreement, Dripcel may transfer personal data within its company group. These transfers are needed to provide the Services globally.
(c) For transfers of personal data from the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom to countries that do not ensure an adequate level of data protection as defined by Data Protection Laws, the following safeguards are implemented: (i) Standard Contractual Clauses as per European Commission’s Decision 2021/914/EU of June 4, 2021, (ii) UK Addendum, and (iii) additional safeguards regarding security measures, including data encryption, data aggregation, separation of access controls, and data minimization principles.
(a) The Customer hereby grants Dripcel general authorization to appoint sub-processors in accordance with this Paragraph 13 and Annex 1. Dripcel will ensure that sub-processors are bound by written agreements that require them to provide a level of data protection at least equivalent to that required of Dripcel under this DPA. The Customer also specifically authorizes Dripcel to continue using the sub-processors already engaged as of the date of this DPA, as referenced in section (b).
(b) The current sub-processors for the Services are listed at Sub-processor List. If the Customer subscribes to notifications of new sub-processors through the subscription mechanism at subscription link, Dripcel shall notify the Customer through this mechanism at least thirty (30) days in advance of any intended changes regarding the addition or replacement of any sub-processor. If the Customer has reasonable objections to the proposed appointment, they must notify Dripcel in writing within ten (10) business days of receiving the notice. Dripcel will not appoint the proposed sub-processor until reasonable steps have been taken to address the Customer’s objections, and the Customer has received a reasonable written explanation of the steps taken. If Dripcel and the Customer cannot resolve the issue within a reasonable period, either party may terminate the Principal Agreement for cause.
(c) Dripcel shall be responsible for the acts and omissions of any sub-processors to the same extent that it is responsible to the Customer for its own acts and omissions under this DPA.
(a) The parties to this DPA agree to submit to the jurisdiction specified in the Principal Agreement for any disputes or claims arising under this DPA, including disputes about its existence, validity, termination, or consequences of its nullity.
(b) This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory specified for this purpose in the Principal Agreement.
(c) Notwithstanding Paragraphs (a) and (b) above, all obligations arising out of or in connection with the Standard Contractual Clauses incorporated into this DPA shall be governed by the laws of the EU Member State specified in Annex 1, as required for the validity of those Standard Contractual Clauses according to European Commission’s Decision 2021/914/EU of June 4, 2021.
(a) In the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Principal Agreement, and agreements entered into or purported to be entered into after the date of this DPA (except where explicitly agreed otherwise in writing and signed on behalf of the parties), the provisions of this DPA shall prevail with regard to the subject matter of this DPA.
(a) If any provision of this DPA is found to be invalid or unenforceable, the remainder of this DPA shall remain in full force and effect. The invalid or unenforceable provision shall either (i) be amended as necessary to ensure its validity and enforceability, while preserving the parties’ original intentions as closely as possible, or (ii) if amendment is not possible, be construed as if the invalid or unenforceable part had never been included.
(a) Upon termination of the Principal Agreement, this DPA and the Standard Contractual Clauses will terminate once Dripcel fulfills its obligation to delete the personal data under processing in accordance with Paragraph 11.
(b) Any amendment or variation to this DPA shall only be binding on the Parties if it is set out in writing and signed by authorized representatives of each Party.
STANDARD CONTRACTUAL CLAUSES
Regarding the Standard Contractual Clauses, the Parties agree as follows:
(a) Module 2 (Controller-to-Processor) shall apply where Dripcel acts as the Customer’s data processor, and Module 3 (Processor-to-Processor) shall apply where Dripcel acts as the Customer’s sub-processor. For each applicable Module:
(b) Clause 7 (Docking clause) is included;
(c) In accordance with Clause 9.a) (Use of sub-processors), Option 2: General written authorization will apply. The data exporter grants the data importer general authorization to engage sub-processors from an agreed list. The data importer must inform the data exporter in writing of any intended changes to that list, including the addition or replacement of sub-processors, at least thirty (30) days in advance;
(d) The optional wording in Clause 11 (Redress) concerning independent resolution bodies is excluded;
(e) For Clause 13 (Supervision), the competent supervisory authority shall be IMY, the Swedish Data Protection Authority;
(f) Option 1 of Clause 17 (Governing law) shall apply, designating the laws of Sweden as governing the Standard Contractual Clauses;
(g) For Clause 18 (Choice of forum and jurisdiction), the courts of Sweden shall resolve any disputes arising from the Standard Contractual Clauses;
(h) Annex IA (List of Parties) and Annex IB (Description of Transfer) shall be completed using the information and details specified in the Principal Agreement and referenced in Paragraph 3 of the DPA;
(i) Annex IB (Description of Transfer) shall be additionally completed by stating that no sensitive data will be transferred. The transfer will occur continuously. For transfers to sub-processors, the subject matter, nature, and duration of the processing will align with that of the data importer;
(j) In Annex IC, the competent supervisory authority under Clause 13 is IMY, the Swedish Data Protection Authority;
(k) Annex II describes the Technical and Organizational Measures, as outlined in Annex 2 of the DPA;
(l) Annex III includes the List of Sub-processors, as detailed in Annex 3 of the DPA.
The Technical and Organizational Measures outlined in this Annex apply to the Service(s) provided by Dripcel. If required for the Service, Dripcel may specify additional Technical and Organizational measures within the Service Order or Service.
An inventory of information and associated assets, including their respective owners, is developed and maintained. Each asset in the inventory has an appointed asset owner in accordance with the asset tagging policy.
The allocation and management of authentication information are controlled through a management process, which includes advising personnel on proper handling practices.
Specifically, Dripcel:
Access rights to information and associated assets are provisioned, reviewed, modified, and removed in accordance with the organization’s specific policies and access control rules.
Specifically, at Dripcel:
ICT readiness is planned, implemented, maintained, and tested based on business continuity objectives and ICT continuity requirements.
Specifically, at Dripcel:
Personnel and relevant interested parties receive appropriate training on information security awareness, education, and regular updates on the organization’s information security policy, topic-specific policies, and procedures relevant to their job functions.
Specifically, at Dripcel:
Resource usage is monitored and adjusted according to current and anticipated capacity requirements.
Measures to protect against malware are implemented and supported by appropriate user awareness. All endpoint devices should include EDR (Endpoint Detection and Response).
Information regarding technical vulnerabilities of the information systems in use is obtained, Dripcel’s exposure to such vulnerabilities is evaluated, and appropriate measures are taken.
Specifically, at Dripcel:
Configurations, including security configurations for hardware, software, services, and networks, are established, documented, implemented, monitored, and reviewed against standards such as NIST 800-53 and CIS Controls.
Backup copies of information, software, and systems are maintained and regularly tested according to the agreed topic-specific policy on backups.
The backup routine specifies:
Networks, systems, and applications are monitored for anomalous, unusual, and malicious behavior, and appropriate actions are taken to evaluate potential information security incidents.
Networks and network devices are secured, managed, and controlled to protect information in systems and applications.
For example, Dripcel:
Guidelines for the secure development of software and systems are defined and implemented.
For example, at Dripcel:
Security testing processes are defined and implemented throughout the development life cycle.
For example:
Dripcel has implemented robust physical and environmental security measures.
For example, at Dripcel:
Dripcel has implemented measures to ensure limited retention of personal data.
For example, Dripcel:
Dripcel has implemented appropriate technical and organizational measures to meet accountability requirements.
For example, Dripcel:
Dripcel has measures to allow the exercise of data subject rights.
For example, Dripcel:
Dripcel has implemented measures to minimize data processing.
For example, for each processing activity, Dripcel: