1. YOU, YOUR COMPANY and any AFFILIATES approved by you (“Controller”) will submit email addresses for the purposes of receiving email verification services.
  2. ORIGIN ADS, LLC dba BRITEVERIFY (“BriteVerify”) is responsible for delivering email verification services under the terms outlined in this DPA.
  1. This Data Processing Addendum (the “Addendum”), along with BriteVerify’s Terms and Conditions, reflects the Parties’ agreement with regard to the processing of Personal Data.
  2. The Parties acknowledge that BriteVerify will process Controller’s prospective customers’, current customers’ and/or former customers’ email addresses (“Personal Data”) on behalf of Controller. BriteVerify shall act as a Data Processor, as defined in the General Data Protection Regulation 2016/679 (“GDPR”) together with any amending or enacting legislation (together being “Applicable Privacy Law”), in relation to the Personal Data.
  3. Controller enters into this Addendum on behalf of itself and, to the extent required under Applicable Privacy Law, in the name and on behalf of each of its Group Companies. 
  1. To the extent that BriteVerify processes the Personal Data under the instructions of Controller, BriteVerify will act as a Data Processor as defined by the GDPR. As such BriteVerify shall:
    1. only process the Personal Data on behalf of Controller in accordance with the documented instructions provided by Controller (either as data controller or lead data processor of the Personal Data), including with regard to transfers of the Personal Data to a third country or international organisation. BriteVerify shall not process the Personal Data for any other purposes. BriteVerify shall not use the Personal Data for its own purposes under any circumstances, other than as required by law;
    2. process the Personal Data in accordance with Applicable Privacy Law;
    3. apply appropriate security measures in accordance with Applicable Privacy Law to the Personal Data, and in general, implement the appropriate safety, technical and organisational measures to safeguard the Personal Data from unauthorised or unlawful amendment, access, processing or accidental or unlawful loss, destruction or damage;
    4. keep the Personal Data confidential and not disclose it to any third party, without the prior written approval of Controller, except where:
      1. the disclosure is necessary for the performance of the processing services set out in the BriteVerify Agreements or this Addendum and subject to paragraph 3 below; or
      2. where the Personal Data need to be disclosed to a competent public authority to comply with BriteVerify’s legal obligations;
    4. ensure that each of its employees, workers, consultants and agents who will have access to the Personal Data are made aware of BriteVerify’s obligations under this Addendum with regard to the security and protection of the Personal Data. BriteVerify shall ensure that all employees, workers, consultants and agents who will have access to the Personal Data have committed themselves to an appropriate confidentiality obligation with respect to the processing of Personal Data;
    5. in the event of exercise by the data subjects of any of their rights under Applicable Privacy Law relating to Personal Data processed under this Addendum, inform Controller as soon as possible, and further assist Controller, insofar as possible, at Controller’s reasonable expense, to comply with such rights of any data subject. BriteVerify shall not respond directly to any such request, unless specifically authorised by Controller in writing;
    6. taking into account the nature of the processing and the information available to BriteVerify, assist Controller in ensuring its compliance with its obligations (including, but not limited to the following): (i) in respect of security of processing; (ii) notification of a Data Security Breach to the supervisory authority; (iii) communication of a Data Security Breach to a data subject; (iv) data protection impact assessments; and (v) prior consultation with the supervisory authority.
    7. make available to Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and allow for and, where possible, contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller;
    8. BriteVerify shall not transfer the Personal Data, nor make the Personal Data accessible to a third country or international organisation without the written consent of Controller and such consent shall not be unreasonably withheld. For the purposes of the BriteVerify Agreement, Controller grants specific consent to the transfer of Personal Data by BriteVerify to Amazon Web Services (AWS) in North Virginia in the USA and in Ireland provided that: BriteVerify has entered into written terms with AWS that are no less protective than under this Addendum; and that such transfer complies with the Applicable Privacy Law; and
    9. without prejudice to Controller’s obligations under any BriteVerify Agreement, at any time during the Agreement or upon termination of the Agreement, Controller may delete all Personal Data processed pursuant to BriteVerify’s Agreement. Alternatively, Controller may request that all Personal Data that has not already been deleted be either deleted or returned, by sending written authorization to files@briteverify.com. In any event, BriteVerify shall not retain the Personal Data any longer than required for the performance of any Supplier Agreements.
  1. The Parties acknowledge and agree that the description of processing as set out in this paragraph is accurate:
    1. Subject matter of the processing

      The processing of email addresses by BriteVerify in the provision of the services under BriteVerify’s Terms and Conditions.
    2. Duration of the processing

      BriteVerify shall possess email addresses for as long as necessary to carry out its obligations under the terms of the Agreement with Controller.
    3. Nature and purpose of the processing

      BriteVerify will process email addresses as necessary to provide the services pursuant to the Agreement, paragraph 1(a) (Instructions) above and as further instructed by Controller.
    4. Type of Personal Data being processed

      The email addresses which may be processed under the BriteVerify Agreement will be submitted by Controller under the terms of this Agreement.
    6. Categories of data subjects being processed

      BriteVerify will process email addresses to the extent to which it is determined and controlled by Controller, which may include, but is not limited to the following categories of data subjects: Controller’s prospective customers’, current customers’ and former customers’ email addresses.
    7. BriteVerify

      the Applicable Privacy Law.
  1. Notwithstanding the above, BriteVerify may appoint one or more sub-processors (including a data centre provider) for the purpose of processing the Personal Data in order to provide the services under the BriteVerify Agreements, provided the following requirements are met before any such appointment is made:
    1. Controller does not object to BriteVerify’s use of Amazon Web Services as a sub-processor;
    2. the sub-processor commits to act according to the instructions of Controller (which will be given through BriteVerify); and
    3. BriteVerify enters into a written data processing agreement with the sub-processor ensuring that the sub-processor shall abide by data protection requirements no less stringent than under this Addendum. Such agreement shall be made available to Controller upon request.
  2. BriteVerify shall be fully liable for any breach by its sub-processor(s) of any data protection obligations set out in this Addendum.
  1. BriteVerify shall promptly, and in any event without undue delay, notify Controller if it:
    1. receives an inquiry, subpoena or a request for inspection or audit from a competent public authority relating to the processing of the Personal Data;
    2. intends to disclose the Personal Data to a competent public authority; or
    3. detects any unauthorised acquisition, access, use, loss, alteration, theft, destruction or disclosure of the Personal Data or identifies any vulnerability which might lead to the same (a "Data Security Breach").
  2. Such notice shall be sent by e-mail to the address used by the Controller to create its BriteVerify account and shall include at least all information which is necessary for Controller to notify the supervisory authority and/or the data subjects as required by Applicable Privacy Law.
  1. Controller shall ensure that its instructions to BriteVerify comply with Applicable Privacy Law. BriteVerify shall immediately notify Controller if, in its opinion, an instruction infringes the Applicable Privacy Law.
  2. In the event of a Data Security Breach, BriteVerify shall promptly take adequate remedial measures at its own expense and provide Controller with all relevant information reasonably requested by Controller regarding the Data Security Breach. BriteVerify shall fully cooperate with Controller and, if requested by Controller, the supervisory authority (if appropriate), to develop and execute a response plan as agreed between the parties to address the Data Security Breach.
  3. BriteVerify’s Data Protection Officer’s contact details are Matthew C. McFee / matt@briteverify.com.
  4. Controller shall be entitled to disclose the existence of this Addendum, the fact it complies with Applicable Privacy Law, and the nature of the Controller’s relationship with BriteVerify in order to satisfy any of its legal obligations.