Suped

Data processing agreement

Last updated 1 July, 2025

This Data Processing Agreement ("DPA") forms part of the Agreement between the parties, and consists of the terms and conditions set forth below that define the agreement between Suped Pty Ltd ("Suped") and Customer with respect to processing Customer Personal Data (as defined below).

1. DEFINITIONS

a. "Agreement" means, as applicable, the master services agreement, or similar commercial agreement by and between Suped and Customer with respect to the use of the Service.

b. "Applicable Privacy Laws" means all applicable laws concerning privacy, data protection and the cross border transfer of data, including, where applicable: (i) the General Data Protection Regulation (EU) 2016/679 ("GDPR"); (ii) in respect of the United Kingdom any applicable national legislation that replaces or converts into domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union ("UK GDPR"); and (iii) the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. as modified by the California Privacy Rights Act (together, the "CCPA"), in each case as such laws are amended, superseded, or replaced. The term "Applicable Privacy Laws" excludes any laws of the Russian Federation or the People's Republic of China.

c. "Business Purpose" has the meaning assigned to it under the CCPA.

d. "CCPA Consumer" means a "consumer" as such term is defined in the CCPA.

e. "Controller" has the meaning assigned to it under the GDPR and other Applicable Privacy Laws using such terminology, and also means "business" as defined in the CCPA or other Applicable Privacy Laws using such terminology.

f. "Customer Data" means any data, information or other material provided, uploaded, submitted, or made available by Customer to the Service in the course of using the Service.

g. "IDTA" means the then-current International Data Transfer Addendum to the EU Commission Standard Contractual Clauses that was issued by the UK Information Commissioner's Office.

h. "Personal Data" means the Personal Data included within Customer Data.

i. "Data Subject" means an identifiable natural person, that is, one who can be identified, directly or indirectly, including without limitation a CCPA Consumer.

j. "European Economic Area" or "EEA" means the Member States of the European Union together with Iceland, Norway and Liechtenstein.

k. "Personal Data" means (a) any information relating to an identified or identifiable natural person, where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, or (b) information that is defined as "Personal Information" or "Personal Data" by Applicable Privacy Laws.

l. "processor" and "subprocessor" have the meaning set forth in the GDPR and other Applicable Privacy Laws using such terminology, and also mean "service provider" to the relevant party as defined in the CCPA or other Applicable Privacy Laws using such terminology.

m. "processing" or "process" shall have the meaning as set forth in the Applicable Privacy Law.

n. "Security Incident" means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Personal Data on systems managed or otherwise controlled by Suped.

o. "selling" or "sell" have the meaning assigned to them in the CCPA.

p. "Sensitive Data" means data revealing a Data Subject's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation, or other data that is subject to heightened restrictions relating to the transmission or processing of data for the jurisdictions in which Suped and Customer operate.

q. "Service" means the Suped DMARC Monitoring Service received by Customer under the Agreement as set forth in the corresponding ordering document agreed to in writing by Suped.

r. "Standard Contractual Clauses" or "SCCs" means (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 ("EU SCCs") and (ii) where the UK GDPR applies, the EU SCCs as amended by the IDTA ("UK SCCs") incorporated into this Addendum as described in Exhibit A.

2. ROLES OF THE PARTIES

a. The parties acknowledge and agree that depending on the nature of the Customer Data, Customer may act as either a Controller or a Processor.

b. Where Customer is a Controller: Suped will act as a Processor on behalf of Customer.

c. Where Customer is a Processor: Suped will act as a Sub-processor on behalf of Customer. Customer warrants that its instructions and actions with respect to the Personal Data, including its appointment of Suped as a Sub-processor, have been authorized by the relevant Controller.

d. The specific role of the Customer for the purposes of the Agreement and this DPA shall be determined in the main Agreement or applicable Order Form.

3. SCOPE AND APPLICATION

a. To the extent Suped processes Personal Data on behalf of Customer in connection with the Agreement, the parties agree to comply with the provisions set forth in this DPA. In this context, Customer acts as a "processor" for its own clients ("Controllers"), and Suped acts as a "sub-processor" respectively with respect to the Personal Data. Customer shall act as the "data exporter" and Suped shall act as the "data importer" for the purposes of the Standard Contractual Clauses. Suped shall be prohibited from selling, retaining, using, or disclosing Personal Data for any purpose other than to perform the Service in accordance with the Agreement and DPA and shall further refrain from collecting, selling or using any Personal Data except as necessary to perform its Business Purpose. For the purposes of the CCPA, the parties acknowledge and agree that Suped will act as a "Service Provider" in its performance of its obligations pursuant to the Agreement.

4. DATA PROCESSING

a. Instructions for Data Processing. Suped will process Personal Data only in accordance with Customer's lawful instructions and in compliance with the Agreement, unless otherwise required by applicable law to which Suped is subject. Customer hereby instructs Suped to process Personal Data to provide, maintain, and improve the Service in accordance with the Agreement and this DPA. Processing outside of the scope of the Agreement will require the prior written agreement of the parties on the additional instructions for processing. Upon notice, Suped will take reasonable and appropriate steps to stop and remediate unauthorized processing of Personal Data.

b. Compliance with Laws. Each party will comply with all applicable laws, rules, and regulations (including Applicable Privacy Laws) in its performance of this DPA. Customer shall be responsible for the accuracy, quality, integrity, and legality of the Personal Data.

c. Consents. Customer represents and warrants that it has first obtained all necessary consents under Applicable Privacy Law with respect to the processing or transfer of Personal Data.

d. Processing. The categories and type of data, as well as the description of the Processing procedures are specified in Annex I to the Standard Contractual Clauses, attached to Exhibit A hereto. Customer shall not provide (or cause to be provided) any Sensitive Data to Suped for processing under the Agreement, and Suped will have no liability whatsoever for Sensitive Data.

5. TRANSFER

a. Suped will not transfer Personal Data originating from the EEA, the United Kingdom and/or Switzerland, except in accordance with the Standard Contractual Clauses as incorporated by reference to this Agreement. Notwithstanding anything herein to the contrary, the Standard Contractual Clauses and the IDTA shall only apply to transfers of personal data expressly governed by the GDPR or UK GDPR, respectively.

6. SECURITY

a. Security Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, Suped shall implement and maintain appropriate technical and organizational security measures designed to protect the security, integrity and confidentiality of the Personal Data, as set forth in Annex II hereto.

b. Suped Personnel. Suped shall restrict access by Suped personnel to Personal Data to only those personnel who need to access the Personal Data in order to provide the Service and who have committed themselves to an obligation of confidentiality.

c. Records; Audit Standards. Upon Customer's request, Suped will make available to Customer, up to once per year, a copy of a third-party audit or assessment report or provide responses to a reasonable security questionnaire to verify Suped's compliance with this DPA.

d. Security Incident Notification. If Suped becomes aware of any Security Incident, then Suped shall, without undue delay but in any event in no more than 72 hours, notify Customer of such incident, and provide to Customer timely information and cooperation as Customer may require to address its reporting obligations under the Applicable Privacy Law.

7. SUBPROCESSORS

a. Authorized Subprocessors. Customer agrees that Suped may use subprocessors to fulfil its obligations under the Agreement. The current list of subprocessors for the Service who process Personal Data is available to Customer upon written request. Before authorizing any new subprocessor, Suped will provide notification to Customer. Customer may object to the change by notifying Suped within 10 days after the notice and describing the rationale for the objection.

b. Subprocessor Obligations. Where Suped authorizes a subprocessor, Suped will enter into a written agreement with each such subprocessor containing data protection obligations no less protective than those in this DPA. Suped shall be liable for the acts and omissions of its subprocessors to the same extent it would be liable if performing the services of each subprocessor directly under the terms of this DPA.

8. COOPERATION

a. Suped shall notify Customer of any requests received directly by Suped from Data Subjects and shall provide to Customer such reasonable assistance as is required for Customer to comply with such Data Subject requests.

b. To the extent required, Suped will assist Customer to comply with its obligations under Articles 35 & 36 of the GDPR, such as carrying out data protection impact assessments.

c. Following Customer's request upon termination of the Agreement, Suped shall destroy all Personal Data in its possession in accordance with the retention period specified in Annex I.

9. GENERAL

a. Liability. Each party's liability arising out of or in relation to this Addendum is subject to the limitations of liability set forth in the Agreement.

b. Conflict. In the event of a conflict between the Agreement and this DPA, the terms of this DPA will take precedence.

c. Modification. This DPA may not be modified except by a subsequent written instrument signed by both parties.

Exhibit A

Applicable Standard Contractual Clauses and Supplemental Terms

1. The Parties agree that the SCCs are hereby incorporated by reference into this Addendum. The applicable module of the SCCs shall be determined by Customer's role as set forth in Section 2 of this DPA and the main Agreement.

2. Where Customer is a Controller (Module 2 Applies). If the Agreement requires the transfer of personal data where Customer is the Data Exporter acting as a Controller, such transfers will be made pursuant to Module Two (Transfer controller to processor) of the EU SCCs.

3. Where Customer is a Processor (Module 3 Applies). If the Agreement requires the transfer of personal data where Customer is the Data Exporter acting as a Processor, such transfers will be made pursuant to Module Three (Transfer processor to processor) of the EU SCCs.

4. Application to the UK. For transfers of personal data from the United Kingdom, the applicable EU SCC Module as determined above shall be amended by the IDTA.

  • The governing law for the purpose of the IDTA shall be the laws of England and Wales and the courts of England and Wales shall have jurisdiction.

5. Cross-Border Transfers Mechanisms – EU and Switzerland. If the Agreement requires the transfer of personal data of Data Subjects who reside in or are based out of the EU or Switzerland to countries that are not recognized by the European Commission as providing an adequate level of protection of Personal Data, then such transfers will be made pursuant to the transfer mechanisms outlined in Module Three (Transfer processor to processor) of the EU SCCs. Where the EU SCCs identify optional provisions, the following shall apply:

  • In Clause 7 (Docking Clause) (Module 3) – the Optional provision shall apply;
  • In Clause 9(a) (Use of subprocessors) (Module 3) – Option 2 shall apply with the specified time period being 10 days;
  • In Clause 11(a) (Redress) (Module 3) – the Optional provision shall NOT apply;
  • In Clause 17 (Governing Law) (Module 3) – Option 1 shall apply and the laws of Ireland shall govern; and
  • In Clause 18 (Choice of forum and jurisdiction) (Module 3) – the courts of Ireland shall have jurisdiction.

6. Cross-Border Transfers Mechanisms – UK. If the Agreement requires the transfer of personal data of Data Subjects who reside in the UK to countries that are not recognized by the UK ICO as providing an adequate level of protection of personal data, then such transfers will be made pursuant to the EU SCCs as amended by the IDTA.

  • With respect to Table 2 of the IDTA: (i) the optional provisions of Clause 7 (Docking Clause) (Module 3) shall apply; (ii) Option 2 in Clause 9(a) (Use of subprocessors) (Module 3) shall apply with the specified time period being 10 business days; and (iii) Clause 11(a) (Redress) (Module 3) shall NOT apply.
  • With respect to Table 3 of the IDTA, the governing law shall be the laws of England and Wales and the courts of England and Wales shall have jurisdiction.

7. The execution of the Agreement is deemed to constitute each party's execution of the SCCs as Data Exporter or Data Importer (as applicable).

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

Name: As set forth in the Order Form or the Agreement between Customer and Suped.

Address: As set forth in the Order Form or the Agreement between Customer and Suped.

Contact person's name, position and contact details: As set forth in the Order Form or the Agreement between Customer and Suped.

Activities relevant to the data transferred under these Clauses: Data exporter is a customer of data importer, and is exporting data related to data exporter's use of data importer's products and services under the Agreement.

Role (controller/processor): As determined in Section 2 of this DPA and as specified in the Agreement.

Data importer(s):

Name: Suped Pty Ltd

Address: 88 Christie St, St Leonards NSW 2065, Australia

Contact person's name, position and contact details: Matthew Whittaker, Chief Technology Officer, security@suped.com.

Activities relevant to the data transferred under these Clauses: As set forth in the Agreement and the applicable Order Form.

Role (controller/processor): Processor or Sub-processor, as determined by the Data Exporter's role.

B. DESCRIPTION OF TRANSFER

1. Categories of data subjects whose personal data is transferred. Employees of our client's customers, and senders and recipients of emails from our client's customers' domains.

2. Categories of personal data transferred. Email addresses, names, IP addresses in DMARC reports, and email header information.

3. Sensitive data transferred (if applicable). None.

4. The frequency of the transfer. Continuous – As needed to access the Services described in the Agreement.

5. Nature of the processing. To ingest and analyze DMARC aggregate and forensic reports to provide the client with visibility into their customers' email sending sources, identify threats, and help them achieve DMARC enforcement. By default, the message body of DMARC forensic reports is stripped and only the headers are stored.

6. Purpose(s) of the data transfer and further processing. As needed to perform the Agreement and service under an Order Form between the parties.

7. The period for which the personal data will be retained. Personal data will be retained for the duration of the Agreement. Upon termination of the Agreement, all personal data will be deleted within 90 days, unless otherwise required by applicable law.

8. For transfers to (sub-) processors. Suped uses cloud infrastructure providers as subprocessors to provide its service. The current list of subprocessors is available to the data exporter upon written request.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES

Policies and Procedures. Suped maintains a formal information security program designed to ensure the security and integrity of the services, protect against security threats, and prevent unauthorized access to customer data. The program includes a formal risk management program and an incident response plan.

Access Controls. Suped enforces access control to customer data based on the principle of least privilege. Access is secured by role-based access control (RBAC), and all access to production environments requires authentication with unique user identifiers, strong passwords, and multi-factor authentication (MFA).

Encryption. Customer Data is encrypted in transit using industry-standard protocols (TLS 1.2 or higher). All Customer Data is encrypted at rest using strong cryptographic standards (AES-256).

Network Security & Penetration Testing. Suped's infrastructure is protected by firewalls and other network security controls. Suped conducts regular automated vulnerability scanning and engages independent third parties to perform network and application penetration tests at least annually.

Physical and Environmental Security. Suped uses major cloud infrastructure providers. Physical and environmental security controls protecting customer data are managed by these providers, whose compliance certifications are reviewed regularly.

Training and Personnel. All Suped personnel undergo mandatory security and privacy training upon hiring and annually thereafter. Personnel with access to customer data are subject to confidentiality obligations.

Business Continuity and Disaster Recovery. Suped maintains a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) to ensure the availability of its services.
