This
Data Processing Addendum (DPA) shall
be effective from 25 May 2018 and shall be combined with BriteVerify’s Terms and Conditions to provide the necessary controls
for BriteVerify Users who must comply with terms set forth in the General Data
Protection Regulation. This DPA will
serve as the primary set of data processing controls unless an independent DPA
is required by the User and agreed to by BriteVerify.
- YOU, YOUR
COMPANY and any AFILLIATES approved by you
(“Controller”) will submit
email addresses for the purposes of receiving email verification services.
- ORIGIN ADS,
LLC dba BRITEVERIFY (“BriteVerify”) is
responsible for delivering email verification services under the terms outlined
in this DPA
- This Data Processing Addendum (the “Addendum”), along with the BriteVerify’s Terms and Conditions, reflect the Parties’ agreement with regard to the processing of Personal Data.
- The Parties acknowledge that BriteVerify will process
Controller’s prospective customers’, current customers’ and/or former
customers’
email addresses, (“Personal
Data”)
on behalf of Controller. BriteVerify shall act as a
Data Processor, as defined in the General Data Protection Regulation 2016/679 (“GDPR”) together with any amending or enacting legislation (together being “Applicable Privacy Law”), in relation to the Personal
Data.
- Controller enters into this Addendum
on behalf of itself and, to the extent required
under Applicable Privacy Law, in the name and on behalf of
each of its Group
Companies.
- To
the extent that BriteVerify processes the Personal Data under the instructions
of Controller, BriteVerify will act as a Data Processor as defined by the GDPR.
As such BriteVerify shall:
- only process the Personal
Data on behalf of Controller in accordance with the documented instructions
provided by Controller (either as data controller or lead data processor of the
Personal Data), including with regard to transfers of the Personal Data to a
third country or international organisation. BriteVerify shall not process the
Personal Data for any other purposes. BriteVerify shall not use the Personal
Data for its own purposes under any circumstances, other than as required by
law;
- process the Personal Data in
accordance with Applicable Privacy Law;
- apply
appropriate security measures in accordance with Applicable Privacy Law to the
Personal Data, and in general, implement the appropriate safety, technical and
organisational measures to safeguard the Personal Data from unauthorised or
unlawful amendment, access, processing or accidental or unlawful loss,
destruction or damage;
- keep the Personal Data
confidential and not disclose it to any third party, without the prior written
approval of Controller, except where:
- the
disclosure is necessary for the performance of the processing services set out
in the BriteVerify Agreements or this Addendum and subject to paragraph 3 below;
or
- where
the Personal Data need to be disclosed to a competent public authority to
comply with the BriteVerify’s legal obligations;
-
- process the Personal Data in
accordance with Applicable Privacy Law;
- apply
appropriate security measures in accordance with Applicable Privacy Law to the
Personal Data, and in general, implement the appropriate safety, technical and
organisational measures to safeguard the Personal Data from unauthorised or
unlawful amendment, access, processing or accidental or unlawful loss,
destruction or damage;
- keep the Personal Data
confidential and not disclose it to any third party, without the prior written
approval of Controller, except where:
- ensure
that each of its employees, workers, consultants and agents who will have
access to the Personal Data are made aware of the BriteVerify’s obligations under this Addendum
with regard to the security and protection of the Personal Data. BriteVerify
shall ensure that all employees, workers, consultants and agents who will have
access to the Personal Data have committed themselves to an appropriate
confidentiality obligation with respect to the processing of Personal Data;
- in
the event of exercise by the data subjects of any of their rights under
Applicable Privacy Law relating to Personal Data processed under this Addendum,
inform Controller as soon as possible, and further assist Controller, insofar
as possible, at Controller’s reasonable expense, to comply with such rights of any data subject.
BriteVerify shall not respond directly not to any such request, unless
specifically authorised by Controller in writing;
- taking into account the
nature of the processing and the information available to BriteVerify, assist Controller
in ensuring its compliance with its obligations (including, but not limited to
the following): (i) in respect of security of processing; (ii) notification of
a Data Security Breach to the supervisory authority; (iii) communication of a
Data Security Breach to a data subject; (iv) data protection impact
assessments; and (v) prior consultation with the supervisory authority.
- make
available to Controller all information necessary to demonstrate compliance with
the obligations laid down in Article 28 and allow for and, where possible,
contribute to audits, including inspections, conducted by Controller or another
auditor mandated by Controller;
- BriteVerify shall not
transfer the Personal Data, nor make the Personal Data accessible to a third
country or international organisation without the written consent of Controller
and such consent shall not be unreasonably withheld. For the purposes of the BriteVerify
Agreement, Controller grants specific consent to the transfer of Personal Data
by BriteVerify to Amazon Web Services (AWS) in North Virginia in the USA and in
Ireland provided that: BriteVerify has entered into written terms with AWS that
are no less protective than under this Addendum; and that such transfer
complies with the Applicable Privacy Law; and
- without
prejudice to Controller’s obligations under any BriteVerify Agreement, at any time during the Agreement
or upon termination of the Agreement, Controller may delete all Personal Data processed
pursuant to BriteVerify’s
Agreement. Alternatively, Controller may
request that all Personal Data that has not already been deleted, be either
deleted or returned, by sending written authorization to files@briteverify.com.
In any event, the BriteVerify shall not retain the Personal Data any longer
than required for the performance of any Supplier Agreements.
-
- The
Parties acknowledge and agree that the description of processing as set out in
this paragraph is accurate:
- Subject matter of the processing
The processing of email addresses by the BriteVerify in the provision of the
services under BriteVerify’s Terms
and Conditions.
- Duration of the processing
BriteVerify
shall possess email addresses for as long as necessary to carry out its
obligations under the terms of the Agreement with Controller.
- Nature and purpose of the processing
BriteVerify
will process email addresses as necessary to provide the services pursuant to
the Agreement, paragraph 1(a) (Instructions) above and as further instructed by
Controller.
- Type of Personal Data being processed
The
email addresses which may be processed under the BriteVerify Agreement will be
submitted by Controller under the terms if this Agreement.
- Subject matter of the processing
The processing of email addresses by the BriteVerify in the provision of the
services under BriteVerify’s Terms
and Conditions.
- Categories of data subjects being processed
BriteVerify will process email addresses to the extent to which it is determined and
controlled by Controller, which may include, but is not limited to the
following categories of data subjects: Controller’s prospective customers’, current customers’ and former customers’ email addresses.
- BriteVerify
the Applicable Privacy Law.
-
-
- Notwithstanding the above, the BriteVerify may appoint one or more sub-processors (including a
data centre provider) for the purpose of processing of the Personal Data in
order to provide the services under the BriteVerify Agreements, provided the
following requirements are met before any such appointment is made:
- Controller
does not object to BriteVerify’s
use of Amazon Web Services as a sub-processor;
- the sub-processor commits to
act according to the instructions of Controller (which will be given through
the BriteVerify); and
- BriteVerify enters into a written
data processing agreement with the sub-processor ensuring that the
sub-processor shall abide by data protection requirements no less stringent
than under this Addendum. Such agreement shall be made available to Controller
upon request.
- BriteVerify shall be fully liable for any breach
by its sub-processor(s) of any data protection obligations set out in this
Addendum.
-
-
-
- BriteVerify
shall promptly, and in any event without undue delay, notify Controller if it:
- receives
an inquiry, subpoena or a request for inspection or audit from a competent
public authority relating to the processing of the Personal Data;
- intends
to disclose the Personal Data to a competent public authority; or
- detects
any unauthorised acquisition, access, use, loss, alteration, theft, destruction
or disclosure of the Personal Data or identifies any vulnerability which might
lead to the same (a "Data Security
Breach").
- Such
notice shall be sent by e-mail to the address used by the Controller to create its BriteVerify account and
shall include at least all information which is necessary for Controller to
notify the supervisory authority and/or the data subjects as required by
Applicable Privacy Law.
-
-
-
-
- Controller
shall ensure that its instructions to BriteVerify comply with Applicable
Privacy Laws. BriteVerify shall immediately notify Controller if, in its
opinion, an instruction infringes the Applicable Privacy Law.
- In the event of a Data
Security Breach, the BriteVerify shall promptly take adequate remedial measures
at its own expense and provide Controller with all relevant information
reasonably requested by Controller regarding the Data Security Breach.
BriteVerify shall fully cooperate with Controller and if requested by Controller,
the supervisory authority (if appropriate), to develop and execute a response
plan as agreed between the parties to address the Data Security Breach.
- BriteVerify’s Data
Protection Officer’s contact details are Matthew C. McFee / matt@briteverify.com.
- Controller shall be entitled
to disclose the existence of this Addendum, the fact it complies with
Applicable Privacy Law, and the nature of the Controller’s relationship with BriteVerify in
order to satisfy any of its legal obligations.