Data Processing Agreement
Effective date: 30-05-2022
Our service processes reports that may contain personal data. Therefore, we must provide a Data Processing Agreement to comply with the General Data Protection Regulation (GDPR). This agreement will document how personal data is processed, filtered, and stored.
This Data Processing Agreement forms an integral part of our general terms and conditions between URIports ("we", "us", "our") and you. If you're using our services for an organization, you agree to our general terms and conditions on behalf of that organization, and in the terms and this Data Processing Agreement, "you" or "your" refers to that organization.
| Term | Definition |
|---|---|
| "Terms" | The term of our Services |
| "Agreement" | means this Data Processing Agreement |
| "Personal Data" | means any Personal Data Processed by us on behalf of you pursuant to or in connection with the Terms |
| "Contracted Processor" | means a Subprocessor |
| "Applicable Data Protection Law" | means GDPR and, to the extent applicable, the data protection or privacy laws of any other country |
| "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" | or similar terms shall have the meanings given under Applicable Data Protection Law. |
| "GDPR" | means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). |
| "Sub-processor" | means any person appointed by or on behalf of us to process Personal Data on behalf of you in connection with the Agreement. |
| "EEA" | means the European Economic Area. |
| "Services" | means the Reporting service URIports provides. |
Processing of Personal Data
The Parties acknowledge and agree that with regard to the Processing of Personal Data, you may be either the Controller or the Processor of the Personal Data. Where you are the Controller, we are the Processor and where you are a Processor, we acknowledge that we will be your sub-processor.
Processing of Personal Data by you
You shall, in your use of the Services, Process Personal Data in accordance with the requirements of Applicable Data Protection Law. Further, your instructions for the Processing of Personal Data shall comply with Applicable Data Protection Law. You shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which you acquired Personal Data.
Processing of Personal Data by us
We shall Process the Personal Data solely as necessary to perform our obligations and strictly in accordance with your instructions and in accordance with Applicable Data Protection Law for the following purposes:
- Processing in accordance with the Terms and this Agreement
- Processing initiated by you in the use of the Services
We shall immediately inform you in writing if, in our opinion, an instruction infringes Applicable Data Protection Law in the European Union ("EU"). We shall not be liable for any losses, fines, costs, penalties, damages, etc., arising from or in connection with any processing in accordance with your instructions following your receipt of any information provided by us in accordance with the foregoing sentence. We shall provide reasonable assistance to you to assist you in complying with Articles 32 to 36 of the GDPR. We shall make available to you all information necessary to demonstrate compliance with this Agreement and, upon prior written notice, allow for and contribute to audits, including inspections, by you or another auditor mandated by you for this purpose.
What Personal Data is processed
The following Personal Data is processed by us:
- The email address that you have used to create your account.
- The email addresses of team members, if team members are invited to your account.
- DMARC failure reports, but only if you have enabled PGP (Pretty Good Privacy) encryption. We encrypt the Personal Data with your key so that no one except the key owner (you) can access the Personal Data. If no public encryption key is uploaded, we strip all Personal Data from DMARC failure reports.
We shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Personal Data, as strictly necessary for the purposes of the Terms, and to comply with Applicable Data Protection Law in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
In assessing the appropriate level of security, we shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
We use advanced firewalls and are constantly monitoring network traffic. All connections to our servers are secured with an SSL connection. In addition, all passwords are stored securely using military-grade cryptographic security.
We have taken the following security measures:
- Logical access control, using strong passwords and physical USB keys;
- IP restrictions for databases and file access;
- organizational measures for access security;
- security of network connections via Transport Layer Security (TLS) technology;
- DANE, SPF, DKIM, DMARC, and HSTS.
We do not use any third-party services or sub-processors. We shall not appoint (or disclose any Personal Data to) any Sub-processor unless required or authorized by you.
Where the Personal Data is processed
We process your Personal Data in countries within the European Union (EU). Our servers are located solely in the Netherlands. The data centers are subject to Dutch legislation and regulations and comply with the strict GDPR regarding logical and physical access security and continuity.
Data Subject Rights
Taking into account the nature of the Processing, we shall assist you by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of your obligations, as reasonably understood by you, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
We shall promptly notify you if we receive a request from a Data Subject under any Data Protection Law in respect of Personal Data, and ensure that we do not respond to that request except on your documented instructions or as required by Applicable Data Protection Law to which we are subject, in which case we shall, to the extent permitted by Applicable Data Protection Law, inform you of that legal requirement before we respond to the request.
Personal Data Breach
We shall notify you without undue delay upon becoming aware of a Personal Data Breach in our Services affecting Personal Data, providing you with sufficient information to allow you to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws. We shall cooperate with you and take reasonable commercial steps as are directed by you to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
Data Protection Impact Assessment and Prior Consultation
We shall provide reasonable assistance to you with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which you reasonably consider to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
Deletion or return of Personal Data
We shall delete Personal Data forming part of the Services immediately after you have terminated the usage of the Services. You understand that Personal Data, once deleted, cannot be recovered.
We shall, in accordance with Applicable Data Protection Law, make available to you on request in a timely manner such information as is necessary to demonstrate compliance by us with our obligations under the Applicable Data Protection Laws. We shall, upon reasonable notice, allow for and contribute to audits of our Processing of Personal Data, to determine compliance by us with our obligations under Applicable Data Protection Laws, during regular business hours and with minimal interruption to our business operations. Such audits shall be conducted by you, your affiliates or an independent third party on your behalf (which will not be a competitor of our business) that is subject to reasonable confidentiality obligations. You shall pay us reasonable costs of allowing or contributing to audits or inspections where you wish to conduct more than one audit or inspection every twelve (12) months. We undertake to reasonably cooperate with you in our dealings with national data protection authorities and with any audit requests received from national data protection authorities.
We may not transfer or authorize the transfer of Personal Data to countries outside the EU and/or the European Economic Area (EEA) without your prior written consent. If Personal Data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the Personal Data is adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU-approved standard contractual clauses for the transfer of Personal Data.
Governing Law and Jurisdiction
These Terms shall be governed by the laws of The Netherlands. These Terms shall not be governed by the conflict of law rules of any jurisdiction or the United Nations Convention on Contracts for the International Sale of Goods, the application of which is expressly excluded. The respective courts of The Netherlands shall have exclusive jurisdiction for any dispute between the parties, and the parties consent to venue and personal jurisdiction there. THE PARTIES HEREBY WAIVE ANY RIGHTS THEY MAY HAVE TO TRIAL BY JURY. Each party shall have the right, at its election, to seek injunctive or other equitable relief in any court of competent jurisdiction to enforce these Terms, which remedy will be cumulative and not exclusive. If any action is pursued to enforce or obtain compliance with these Terms, the prevailing party shall be entitled to reasonable attorneys' fees and costs, in addition to any other relief to which such party may be entitled.