This Data Processing Addendum (“DPA”) forms part of each agreement with PostPilot, Inc., a Delaware corporation with a principal office at 110 Commercial Road, Suite C, Spartanburg SC 29303 (“PostPilot”) that incorporates this DPA by reference (“Agreement”). References to “Customer” in this DPA refer to the counterparty to the applicable Agreement. This DPA applies only to PostPilot’s Services and does not apply to any service the Customer purchases from any third party other than PostPilot. 

Unless otherwise expressly defined herein, the capitalized terms used in this DPA have the meanings assigned to them in the Agreement.

"Adequate Jurisdiction" means the UK, EEA, or a country, territory, specified sector or international organization which ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data, as set out in:

  a) with respect to personal data relating to data subjects in the EEA, a decision of the European Commission;

  b) with respect to personal data relating to data subjects in the UK, the UK Data Protection Act 2018 or regulations made by the UK Secretary of State under the UK Data Protection Act 2018.

"Approved Addendum" the template Addendum B.1.0 issued by the UK Information Commissioner and laid before the UK Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the Approved Addendum.

“Attribution Purposes” shall have the meaning set out in Section 5 of this DPA.

“Business” or “Controller” shall mean an entity that determines the purposes and means of Processing of Personal Data.

"Covered Data" means the Customer Personal Data, Customer Interaction Data and PostPilot Personal Data.

"Customer Personal Data" means the Personal Data, including the compilation of records, each consisting of an email address of a customer, which is shared by Customer with PostPilot in connection with the provision of the Services (which may include Personal Data that Customer has obtained from third-party data providers).

“Customer Interaction Data” means Log Data collected by PostPilot or PostPilot’s third party data providers through pixels or other tracking technologies placed on Customer’s website.

“Data Protection Laws” means any applicable laws, rules and regulations or governmental requirements in the United States, EU and/or UK, relating to the use, collection, retention, storage, security, disclosure, transfer, sale or other Processing or Personal Data, as they may be amended or updated from time to time.

"Data Subject" means a natural person whose Personal Data is Processed.

"EEA" means the European Economic Area including the European Union ("EU").

"GDPR" means Regulation (EU) 2016/679 (the "EU GDPR") or, where applicable, the "UK GDPR" as defined in Section 3 of the UK Data Protection Act 2018.

"Log Data” means data collected on Customer’s websites by third parties using cookies, pixels, web beacons and/or other technology for advertising purposes and a description of the data to be collected, including, at a minimum, IP Address, the advertising IDs, and other unique identifiers that are linked or reasonable linkable to a particular computer or device (such as DII), date and time stamps, header and referrer URL data, and information about the visitor’s activities on the site.

“Personal Data” means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise “personal data,” “personal information,” “personally identifiable information,” or similarly defined data or information under applicable Data Protection Laws.

“PostPilot Personal Data” means Third-Party Licensed Personal Data and any other Personal Data generated, sourced, combined, created, supplemented, or maintained by PostPilot as may be shared with Customer in connection with the Services.

“Process” or “Processing” means any operation or set of operations performed, whether by manual or automated means, on information or on sets of information, such as the collection, use, storage, disclosure by transmission, dissemination or otherwise making available, alignment or combination, analysis, restriction, deletion, or modification of information.

"Security Incident" means a confirmed or reasonably suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Covered Data.

"Sell”, “Sale" and "Sold" have the meaning set out in the California Consumer Privacy Act.

“Service Provider” or “Processor” shall mean an entity that Processes Personal Data on behalf of a Business or Controller.

“Services” means the services to be provided by PostPilot to Customer under the Agreement.

"Share" has the meaning set out in the California Consumer Privacy Act.

"Standard Contractual Clauses" or "SCCs" means the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914, as set out in detail in Schedule 1 and Schedule 2 to this DPA.

"Sub-processor" means an entity appointed by Processor to Process Covered Data on its behalf.

"Supervisory Authority" has the meaning given in the GDPR.

“Third-Party Licensed Personal Data” means Personal Data contained in the Third-Party Licensed Data.

"UK" means the United Kingdom of Great Britain and Northern Ireland.

The Parties agree as follows:

1. Details of Processing and transfer

1.1. The details of the Processing of Covered Data under the Agreement and this DPA (such as subject matter, nature and purpose of the Processing, categories of Personal Data and Data Subjects) and the roles of the Parties, are described in the Agreement and in Schedule 1 and Schedule 2 to this DPA (each, as applicable).

2. Compliance with Laws and third-party licenses.

2.1. Each Party will comply with its obligations under Data Protection Laws with respect to its Processing of Covered Data. Without limiting the foregoing, where a Party (the "Discloser") shares or otherwise makes Covered Data with the other Party (the "Recipient"): (i) Discloser will have the right to take reasonable and appropriate steps to ensure that Recipient uses Covered Data in a manner consistent with Recipient's obligations under Data Protection Laws; and (ii) Recipient will notify Discloser promptly if Recipient determines that it can no longer meet its obligations under Data Protection Laws.

2.2. Customer shall provide all applicable notices to Data Subjects, and obtain any consents from Data Subjects, in each case as required under Data Protection Laws with respect to the Processing of Covered Data by Customer and PostPilot in connection with the provision of the Services.

2.3. To the extent that Customer Personal Data contains Personal Data obtained by the Customer from a third-party data provider, pursuant to an agreement between Customer and such third-party data provider:

     2.3.1. Customer is solely responsible for ensuring compliance with its obligations under such third-party agreements to which it is a party and with Data Protection Laws applicable to such activity in relation to Customer’s use of the Services.

    2.3.2. Customer represents and warrants that it has all necessary rights and consents needed to share such Customer Personal Data with PostPilot.

3. Data Sharing Obligations

3.1. This Section 3 applies to the extent that Discloser and Recipient each act as a Controller in respect of the Covered Data.

3.2. The Parties acknowledge and agree that Covered Data is made available to, Sold to, or Shared with Recipient, and Recipient shall Process and/or use Covered Data, solely for the purposes set out in Schedule 1.

3.3. Recipient shall notify Discloser promptly if it receives any enquiry or complaint from a Supervisory Authority, Data Subject or other person relating to Recipient's Processing of Covered Data received from Discloser, and shall: (i) not respond to the enquiry or complaint without Discloser's consent (which shall not be unreasonably withheld or delayed) unless required to do so under applicable law; (ii) make such reasonable changes to any response as requested by Discloser.

3.4. PostPilot Personal Data

    3.4.1. Customer shall use and retain any PostPilot Personal Data, if made available by PostPilot as part of the Services, solely for internal analytics and attribution purposes (“Attribution Purposes”), and for no other purpose, commercial or otherwise, including for marketing purposes. Customer shall have no right to share, disclose or sell PostPilot Personal Data to any third party without prior written approval from PostPilot.

    3.4.2. Customer warrants and agrees that it shall erase or otherwise destroy any PostPilot Personal Data within thirty (30) days from the completion of the Services for which such data was provided, unless retention of such PostPilot Personal Data is required under applicable law or otherwise permitted by PostPilot and (where applicable) the third-party data provider in writing.

3.5. Covered Data

    3.5.1. Customer shall: (a) ensure that any Customer Personal Data and Customer Interaction Data Sold to, Shared with, or otherwise licensed to, PostPilot does not contain any Personal Data relating to a Data Subject that has exercised their rights to opt out of or object to such Sale or Sharing under Data Protection Laws; (b) notify PostPilot promptly of any request by a Data Subject to whom any Customer Personal Data or Customer Interaction Data relates to opt out of or object to the Sale or Sharing of their Personal Data or to exercise any rights to delete such Personal Data.

4. Data Processing Obligations

4.1. This Section 4 applies to the extent that PostPilot Processes Customer Personal Data as a Processor.

4.2. PostPilot will Process Customer Personal Data for the purpose of providing the Services set forth in the Agreement and in accordance with Customer’s instructions set forth in the Agreement or in writing. Without limiting the foregoing, PostPilot is prohibited from: (i) selling Customer Personal Data or otherwise making Customer Personal Data available to any third party for monetary or other valuable consideration; (ii) sharing Customer Personal Data with any third party for cross-context behavioral advertising; (iii) retaining, using, or disclosing Customer Personal Data for any purpose other than for the business purposes specified in this Agreement or as otherwise permitted by Data Protection Laws; (iv) retaining, using, or disclosing Customer Personal Data outside of the direct business relationship between the Parties; (v) to the extent prohibited by Data Protection Laws, combining Customer Personal Data with other information that PostPilot receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject. Notwithstanding the foregoing, PostPilot is permitted to anonymize Customer Personal Data through a reliable state of the art anonymization procedure and use such anonymized data for its own business and commercial purposes, including for research, development of new products and services, and security and fraud prevention purposes.

4.3. PostPilot will limit access to Customer Personal Data to personnel and independent contractors who have a business need to have access to such Customer Personal Data and will ensure that such personnel and independent contractors are subject to obligations at least as protective of the Customer Personal Data as the terms of this DPA and the Agreement.

4.4. Notwithstanding the foregoing, PostPilot may share Customer Personal Data: (i) with a Sub-processor for a business purpose; (ii) with a third party as necessary to comply with applicable laws; or (iii) as otherwise permitted by the Data Protection Laws.

4.5. Customer grants PostPilot general authorization to engage Sub-processors, as well as Processor's current Sub-processors listed in Schedule 4. The Parties agree that:

    4.5.1. PostPilot will provide Customer with at least fifteen (15) days' notice of any proposed changes to the Sub-processors it uses to Process Customer Personal Data. Controller may object to Processor's use of a new Sub-processor (including when exercising its right to object under clause 9(a) of the SCCs if applicable) by providing PostPilot with written notice of the objection within ten (10) days after PostPilot has provided notice to Customer of such proposed change (an "Objection"). If Customer does not object to the engagement within the Objection period, consent regarding the engagement will be assumed. In the event Customer objects to PostPilot's use of a new Sub-processor, Customer and PostPilot will work together in good faith to find a mutually acceptable resolution to address such Objection. If the Parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, either Party may, as its sole and exclusive remedy, terminate the portion of the Agreement relating to the Services affected by such change by providing written notice to the other Party. During any such Objection period, PostPilot may suspend the affected portion of the Services.

    4.5.2. PostPilot will be liable to Customer for the acts or omissions of any Sub-processor or other third party to whom PostPilot has disclosed or permitted to access Customer Personal Data as if they were acts or omissions of PostPilot. PostPilot will not permit any Sub-processor to Process Customer Personal Data, unless PostPilot and the Sub-processor have entered into an agreement that imposes obligations on the Sub-processor that are no less restrictive and at least equally protective of Customer Personal Data as those imposed on PostPilot under this DPA.

     4.5.3. PostPilot is responsible for ensuring the compliance of Sub-processor with applicable Data Protection Laws in connection with the Processing of Customer Personal Data.

4.6. PostPilot agrees to reasonably cooperate with Customer, at Customer’s expense, to assist Customer with ensuring its compliance with Data Protection Laws, including to respond to Data Subject requests for access, knowledge, deletion, or rectification in relation to Customer Personal Data (each, a “Data Subject Request”). If and to the extent Customer instructs PostPilot to delete Customer Personal Data in response to a Data Subject Request received by Customer, PostPilot agrees to delete or de-identify such information within thirty (30) days of receipt of the request. For the avoidance of doubt, PostPilot shall have no obligation to delete information that has been de-identified, anonymized or aggregated such that the information is no longer Personal Data under Data Protection Laws.

4.7. Upon termination or expiration of the Agreement or earlier as requested by Customer, PostPilot shall delete or return to Customer (at Customer’s election) all Customer Personal Data in its possession, custody and control, except for Customer Personal Data as must be retained under applicable law (which PostPilot shall delete once it is no longer required under applicable law to retain).

4.8. Customer may audit PostPilot's compliance with this Section 4. The Parties agree that all such audits will be conducted:

    4.8.1. no more than once a year;

    4.8.2. upon reasonable written notice to PostPilot;

    4.8.3. only during PostPilot's normal business hours;

    4.8.4. at Customer's cost.

4.9. With respect to any audits conducted in accordance with Section 4.8, Customer may engage a third-party auditor to conduct the audit on its behalf. PostPilot shall notify Customer if it objects to the appointment of the third-party auditor in accordance with this Section 4.9.

4.10. Customer shall promptly notify PostPilot of any non-compliance discovered during an audit.

4.11. PostPilot may, in response to an audit request by Customer, provide to Customer: (i) data protection compliance certifications issued by a commonly accepted certification issuer which has been audited by a data security expert, or by a publicly certified auditing company; or (ii) such other documentation reasonably evidencing the implementation of the technical and organizational data security measures in accordance with industry standards. Customer agrees that the provision of such certifications and documentation shall satisfy any of Customer's rights to conduct audits under this DPA or Data Protection Laws.

5. Other Data Obligations.

5.1. Customer shall not, without PostPilot’s prior written approval (which PostPilot may withhold or condition at its discretion), submit or cause to be submitted to PostPilot any data that includes: (i) a social security number, passport number, driver’s license number, or similar identifier, credit card or debit card number, employment, financial or health information; (ii) Personal Data relating to an individual under eighteen (18) years of age; (iii) Personal Data relating to any individual that has withdrawn consent or exercised a right to opt-out under Data Protection Laws; (iv) any special category data referred to in Article 9 of the GDPR or data relating to criminal offences referred to in Article 10 of the GDPR; or (v) any other information which may be subject to additional protections under applicable laws or regulations including, but not limited to, the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA).

5.2. Other than where expressly permitted in Schedule 1, Customer shall not submit or cause to be submitted to PostPilot any Personal Data to the extent the GDPR applies to the Customer's Processing of such Personal Data (such Personal Data being "GDPR Personal Data"). PostPilot may amend the permissions to upload GDPR Personal Data in Schedule 1 from time to time by written notice to the Customer, provided that any amendments that withdraw any permissions to upload GDPR Personal Data shall take effect not less than thirty (30) days from the date of such notice.  

6. Standard Contractual Clauses

6.1. The SCCs shall, as further set out in Schedule 3, apply to the transfer of Covered Data from Discloser to Recipient, and form part of this DPA, to the extent that the Recipient is not in an Adequate Jurisdiction and:

    6.1.1. the GDPR applies to the Discloser's Processing of Covered Data when it makes that transfer;

    6.1.2. the Data Protection Laws that apply to the Discloser when making that transfer (the "Exporter Data Protection Laws") prohibit the transfer of Covered Data to the Recipient under this DPA in the absence of a transfer mechanism implementing adequate safeguards in respect of the Processing of that Covered Data, and any one or more of the following applies:

  a) the relevant authority with jurisdiction over the Discloser’s transfer of Covered Data under this DPA has not formally adopted standard data protection clauses or another transfer mechanism under the Exporter Data Protection Laws; or

  b) such authority has issued guidance that entering into standard contractual clauses approved by the European Commission would satisfy any requirement under the Exporter Data Protection Laws to implement adequate safeguards in respect of that transfer; or

  c) entering into standard contractual clauses approved by the European Commission would reasonably satisfy any requirement under the Exporter Data Protection Laws to implement adequate safeguards in respect of that transfer; or

     6.1.3. the transfer is an "onward transfer" (as defined in the applicable module of the SCCs).

6.2. The Parties agree that execution Agreement shall have the same effect as signing the SCCs.

6.3. In the event of any conflict between the SCCs and this DPA or the Agreement, the SCCs shall prevail.

7. Data Security.

7.1. Each Party shall implement appropriate technical and organizational measures designed to safeguard Covered Data against unauthorized or unlawful Processing, and against accidental loss, destruction or damage. Details of these technical and organizational measures are included at Schedule 2 to this DPA. Each Party shall document those measures in writing and periodically review them to ensure they remain current and complete, at least annually.

7.2. Each Party shall notify the other without undue delay in the event it becomes aware of a Security Incident.

7.3. To the extent a Security Incident affects Customer Personal Data Processed by PostPilot as a Processor: (i) PostPilot shall provide Customer with reasonable assistance in the investigation of the Security Incident; and (ii) Customer shall have sole responsibility for the content, timing and method of distribution of any notice of the Security Incident required under Data Protection Laws to regulators or Data Subjects.

7.4. To the extent a Security Incident affects PostPilot Personal Data Processed by Customer, Customer shall not (unless required to do so under applicable law) notify any regulator or Data Subject of the Security Incident without PostPilot's prior approval as to the submission, timing and content of such notification.

8. Termination and Survival. This DPA and all provisions herein shall survive so long as, and to the extent that, either Party processes or retains Covered Data.

9. Conflicts. In case of contradictions between this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.

10. Applicable Law and Jurisdiction. The applicable law and jurisdiction as set forth in the Agreement apply to this DPA, save that, in respect of any transfers to which Section 6 applies, the applicable law and jurisdiction shall be the law and jurisdiction applicable to the SCCs as set out in Schedule 3.

Schedule 1: Details of Processing

1. Party Details

Party: Customer
Contact person: As provided when signing up for the Services under the Agreement.
Activities relevant to the transfer: The receipt of Services under the Agreement, as further set out in this Schedule 1.

Party: PostPilot
Contact person: privacy@postpilot.com
Activities relevant to the transfer: The provision of Services under the Agreement, as further set out in this Schedule 1.

2. Customer authorized users

2.1 Customer Personal Data shared by Customer with PostPilot:

Role:
- Customer (Data Exporter): Controller/Business
- PostPilot (Data Importer): Processor/Service Provider

GDPR Personal Data Permitted: Yes

Categories of data subjects: Customer's employees, agents and other individuals that the Customer authorizes to access the Services.

Categories of personal data: Name, email address, mailing address, role at Customer, access permissions, support requests, and online network and usage information including but not limited to IP address, device type and device ID, mouse clicks, and pages visited.

Special categories of personal data (if applicable): None

Frequency of the transfer: Continuous

Purpose(s) of the data transfer and further processing: The provision of the Services to Customer and its authorized users, including the provision of technical support.

Duration: Until termination of the applicable Services or until earlier deletion is requested by Customer.

3. Direct mailings (Campaign Automation,CSV Importing, Turning “On” Shopify or Similar Integrations)

3.1 Customer Personal Data shared by Customer with PostPilot:

Role:
- Customer (Data Exporter): Controller/Business
- PostPilot (Data Importer): Processor/Service Provider

GDPR Personal Data Permitted: Yes

Categories of data subjects: Customer's existing customers and prospective target customers identified by Customer ("Mailing Targets").

Categories of personal data: Name, mail address, email, customer tags, and general transaction information, including, but not limited to, amount spent, orders placed and details of such orders, such as currency, email, phone, shipping address, products ordered, price, date, browser IP, browser details, and landing site.

Special categories of personal data (if applicable): None

Frequency of the transfer: Continuous

Purpose(s) of the data transfer and further processing: The distribution of mail marketing to Mailing Targets.

Duration: Until termination of the applicable Services or until earlier deletion is requested by Customer.

4. MailMatch

4.1 Customer Personal Data shared by Customer with PostPilot:

Role:
- Customer (Data Exporter): Controller/Business
- PostPilot (Data Importer): Controler/Business

GDPR Personal Data Permitted: No

Categories of data subjects: Customer's existing customers and prospective target customers identified by Customer ("Mailing Targets").

Categories of personal data: Name, mail address

Special categories of personal data (if applicable): None

Frequency of the transfer: Continuous

Purpose(s) of the data transfer and further processing: The identification of mail addresses associated with Mailing Targets.

Duration: Until termination of the applicable Services or until earlier deletion is requested by Customer.

4.2 PostPilot Personal Data shared by PostPilot with Customer.

Role:
- PostPilot (Data Exporter): Controller/Business
- Customer (Data Importer): Controler/Business

GDPR Personal Data Permitted: No

Categories of data subjects: Customer's existing customers and prospective target customers identified by Customer ("Mailing Targets").

Categories of personal data: Name, mail address

Special categories of personal data (if applicable): None

Frequency of the transfer: Continuous

Purpose(s) of the data transfer and further processing: The identification of mail addresses associated with Mailing Targets.

Duration: Until termination of the applicable Services or until earlier deletion is requested by Customer.

5. Prospecting and Dropswaps

5.1 Customer Personal Data shared by Customer with PostPilot:

Role:
- Customer (Data Exporter): Controller/Business
- PostPilot (Data Importer): Controler/Business

GDPR Personal Data Permitted: No

Categories of data subjects: Customer's existing customers and prospective target customers identified by Customer ("Mailing Targets").

Categories of personal data: Name, mail address, email, customer tags, and general transaction information, including, but not limited to, amount spent, orders placed and details of such orders, such as currency, email, phone, shipping address, products ordered, price, date, browser IP, browser details, and landing site.

Special categories of personal data (if applicable): None

Frequency of the transfer: Continuous

Purpose(s) of the data transfer and further processing: The creation of lookalike audiences based on Mailing Targets' characteristics (individuals falling within such lookalike audiences being "Lookalike Mailing Targets"). The distribution of mail marketing to Mailing Targets and Lookalike Mailing Targets. The distribution of co-branded mail marketing to Mailing Targets.

Duration: Until termination of the applicable Services or until earlier deletion is requested by Customer.

5.2. PostPilot Personal Data shared with or made available to Customer by PostPilot with Customer.

Role:
- PostPilot (Data Exporter): Controller/Business
- Customer (Data Importer): Controler/Business

GDPR Personal Data Permitted: No

Categories of data subjects: Prospective target customers identified by Customer ("Mailing Targets") and lookalike audiences based on Mailing Targets' characteristics (individuals falling within such lookalike audiences being "Lookalike Mailing Targets").

Categories of personal data: Name, mail address, demographic information, approximate location.

Special categories of personal data (if applicable): None

Frequency of the transfer: Continuous

Purpose(s) of the data transfer and further processing: The distribution of mail marketing to Mailing Targets and Lookalike Mailing Targets or attribution purposes.

Duration: Until termination of the applicable Services or until earlier deletion is requested by Customer.

6. SiteMatch

6.1. Customer Interaction Data collected by PostPilot from Customer's website.

Role:
- Customer (Data Exporter): Controller/Business
- PostPilot (Data Importer): Controler/Business

GDPR Personal Data Permitted: No

Categories of data subjects: Visitors to Customer's website

Categories of personal data: IP Address, the advertising IDs, and other unique identifiers that are linked or reasonable linkable to a particular computer or device (such as DII), date and time stamps, header and referrer URL data, and information about the visitor’s activities on the site (including products browsed, clicked on, placed in cart and purchased, duration on the website).

Special categories of personal data (if applicable): None

Frequency of the transfer: Continuous

Purpose(s) of the data transfer and further processing: The identification of individuals and retrieval of their mail address based on Customer Interaction Data. The distribution of mail marketing to such individuals. The development of enhanced individual profiles across clients.

Duration: Until termination of the applicable Services or until earlier deletion is requested by Customer.

7. PostPilot AI

7.1. Customer Personal Data and Customer Interaction Data shared by Customer with PostPilot.

Role:
- Customer (Data Exporter): Controller/Business
- PostPilot (Data Importer): Controler/Business

GDPR Personal Data Permitted: No

Categories of data subjects: Name, mail address, information about any purchases made from PostPilot AI End User, and demographic information, approximate location, IP Address, the advertising IDs, and other unique identifiers that are linked or reasonable linkable to a particular computer or device (such as DII), date and time stamps, header and referrer URL data, and information about the visitor’s activities on the site (including products browsed, clicked on, placed in cart and purchased).

Categories of personal data: IP Address, the advertising IDs, and other unique identifiers that are linked or reasonable linkable to a particular computer or device (such as DII), date and time stamps, header and referrer URL data, and information about the visitor’s activities on the site (including products browsed, clicked on, placed in cart and purchased, duration on the website).

Special categories of personal data (if applicable): None

Frequency of the transfer: Continuous

Purpose(s) of the data transfer and further processing: Combining Personal Data relating to PostPilot AI End User from Customer and other customers of the Services in order to:

• Identify the PostPilot AI End User purchases and browsing habits to determine products and services of interest to the PostPilot AI End User in order to identify audiences for distribution of mail marketing from Customer and other customers of the Services;

• Identify the mail address of the PostPilot AI End User for distribution of mail marketing from Customer and other customers of the Services;

• Enhance individual profiles to provide the PostPilot Services; and

• Create lookalike audiences based on PostPilot AI End User’s characteristics for distribution of mail marketing from Customer and other customers of the Services.

Duration: PostPilot may retain the Customer Data in accordance with the PostPilot Privacy Notice.

Schedule 2: Technical and Organizational Measures

The Recipient has implemented the following technical and organizational measures (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, as well as the risks for the rights and freedoms of natural persons:

1. Governance and Policies

(a) The Recipient assigns personnel who have responsibility for the determination, review and implementation of security polices and measures.

(b) The Recipient:

(i) has documented the security measures they have implemented in a security policy and/or other relevant guidelines and documents;

(ii) reviews their security measures and policies to ensure they continue to be appropriate for the Personal Data being transferred.

(c) The Recipient establishes and follows secure configurations for systems and software and ensures that security measures are considered during project initiation and the development of new IT systems.

2. Breach response

The Recipient has a breach response plan that has been developed to address data breach events, which is tested and updated.

3. Intrusion, anti-virus, and anti-malware defenses

The Recipient’s IT systems used to process Personal Data have appropriate data security software installed on them, including as follows:

(a) IT systems have antivirus, anti-spyware and anti-malware software installed, which is updated, and scans are carried out for threats and malicious programs.

(b) The Recipient performs penetration tests on its IT systems.

(c) The Recipient performs vulnerability scans.

(d) The Recipient collects, maintains, and reviews event logs.

(e) The Recipient deploys data loss prevention tools.

4. Access controls

The Recipient limits access to Personal Data by implementing appropriate access controls, including:

(a) limiting administrative access privileges and use of administrative accounts;

(b) changing default passwords before deploying operating systems, assets, or applications;

(c) requiring authentication and authorization to gain access to IT systems (i.e., require users to enter a user ID and password before they are permitted access to IT systems);

(d) only permitting user access to Personal Data which the user needs to access for his/her job role or the purpose for which they are given access to the Recipient’s IT systems (i.e., the Recipient implements measures to ensure least privilege access to IT systems);

(e) having in place appropriate procedures for controlling the allocation and revocation of Personal Data access rights. For example, having in place appropriate procedures for revoking employee access to IT systems when they leave their job or change role;

(f) enforcing password policies that require users to use strong passwords;

(g) use of multi-factor authentication;

(h) automatic timeout and locking of user terminals if left idle;

(i) access to IT system is blocked after multiple failed attempts to enter correct authentication and/or authorization details;

(j) monitoring and logging access to IT systems; and

(k) monitoring and logging amendments to data or files on IT systems.

5. Availability and Back-up personal data

(a) The Recipient has a documented disaster recovery plan that ensures that key systems and data can be restored in a timely manner in the event of a physical or technical incident, which is tested and updated.

(b) The Recipient back-ups information on IT systems, keeps back-ups in separate locations and tests the validity of the back-ups.

6. Segmentation of personal data

The Recipient separates and limits access between network components and, where appropriate, implements measures to provide for separate processing (storage, amendment, deletion, transmission) of Personal Data collected and used for different purposes.

7. Disposal of IT equipment

The Recipient:

(a) has in place processes to securely remove all Personal Data before disposing of IT systems; and

(b) uses appropriate technology to purge equipment of data and/or destroy hard disks.

8. Encryption

(a) The Recipient uses encryption technology to protect Personal Data at rest and in transit.

(b) Encryption keys are stored separately from the encrypted information and are subject to appropriate security measures.

9. Transmission or transport of personal data

Appropriate controls are implemented by the Recipient to secure Personal Data during transmission or transit, including:

(a) encryption in transit;

(b) logging personal data when transmitted electronically.

10. Asset and Software management

(a) The Recipient maintains an inventory of IT assets and the data stored on them, together with a list of owners of the relevant IT assets.

(b) The Recipient:

(i) documents and implements rules for acceptable use of IT assets;

(ii) deploys automated patch management tools and software update tools for operating systems and software;

(iii) proactively monitors software vulnerabilities and implements any out of cycle patches; and

(iv) permits the use of the latest versions of fully supported web browsers and email clients.

(c) The Recipient stores all API keys securely, including as follows:

(i) the Recipient stores API keys directly in its environment variables;

(ii) the Recipient does not store API keys on client side;

(iii) the Recipient does not publish API key credentials in online code repositories (whether private or not)

11. Physical security

The Recipient implements physical security measures to safeguard Personal Data.  

12. Staff training and awareness

(a) The Recipient’s agreements with staff and contractors and employee handbooks set out its personnel's responsibilities in relation to information security.

(b) The Recipient carries out:

(i) staff training on data security and privacy issues relevant to their job role and ensures that new starters receive appropriate training before they start their role (as part of the on boarding procedures); and

(ii) appropriate screening and background checks on individuals that have access to sensitive Personal Data.

(c) The Recipient ensures that information security responsibilities that are applicable immediately before termination or change of employment and those which apply after termination / change of employment are communicated and implemented.

(d) Staff are subject to disciplinary measures for breaches of the Recipient's policies and procedures relating to data privacy and security.

13. Selection of service providers and commission of services

(a) The Recipient assesses service providers’ ability to meet their security requirements before engaging them.  

(b) The Recipient has written contracts in place with service providers which require them to implement appropriate security measures to protect the Personal Data they have access to and limit the use of Personal Data in accordance with the Parties instructions.

14. Assistance with Data Subject Rights Requests

The Recipient has implemented appropriate policies and measures to identify and address data subject rights requests, including:

(a) the data processed on behalf of the Discloser is stored separately from data processed by the Recipient;

(b) the Recipient maintains records to enable it to identify quickly Personal Data processed on behalf of the Discloser; and

(c) back-ups of Personal Data processed by the Recipient on behalf of the Discloser are overwritten on a regular basis to ensure deletion and rectification requests are fully actioned.

Schedule 3: Standard Contractual Clauses

1. Standard Contractual Clauses

With respect to any transfers referred to in Section 6, the SCCs shall be completed as follows:

1.1. Module One (Controller to Controller) of the SCCs shall apply to any transfers of Customer Personal Data from Customer (as data exporter) to PostPilot (as data importer) and any transfers of PostPilot Personal Data from PostPilot (as data exporter) to Customer (as data importer) to the extent that each of Customer and PostPilot acts as a Controller, as set out in Schedule 1.

1.2. Module Two (Controller to Processor) of the SCCs shall apply to any transfers of Customer Personal Data from Customer (as data exporter) to PostPilot (as data importer) to the extent that PostPilot acts as a Processor, as set out in Schedule 1.

1.3. Clause 7 of the Standard Contractual Clauses (Docking Clause) does not apply.

1.4. Option 2 of Clause 9 (Subprocessors) shall apply and the period for notifying any changes to the Sub-processors engaged shall be thirty (30) days. The approved list of Sub-processors as at the date of this DPA is set out in Schedule 4.

1.5. The option in Clause 11(a) of the Standard Contractual Clauses (Independent dispute resolution body) does not apply.

1.6. Option 1 of Clause 17 of the Standard Contractual Clauses (Governing Law) shall apply, and the laws of Ireland shall apply to the Standard Contractual Clauses.

1.7. Clause 18 of the Standard Contractual Clauses (Choice of forum and jurisdiction) shall refer to the courts of Ireland.

1.8. Annex I.A (List of Parties) shall be deemed to incorporate the information in Schedule 1. The nature and subject matter of the Processing are the collection, storage, retrieval, and disclosure by transfer of Covered Data for the purposes set out in Schedule 1.

1.9. Annex I.B (Description of Transfer) shall be deemed to incorporate the information in Schedule 1.

1.10. Annex I.C (Competent Supervisory Authority) shall be deemed to refer to the Irish Data Protection Commissioner.

1.11. Annex II (Technical and Organizational Measures) shall be deemed to incorporate the information in Schedule 2.

2. Transfers of Covered Data subject to the UK GDPR.

2.1. The Approved Addendum shall apply to any transfers of applicable Covered Data from Discloser to Recipient to the extent that:

2.1.1. the UK data protection laws apply to the Customer when making that transfer; and

2.1.2. there is an "onward transfer" as defined in the Approved Addendum.

2.2. The Parties agree that the Approved Addendum forms part of this DPA and execution of the Agreement shall have the same effect as signing the Approved Addendum.

2.3. The Approved Addendum shall be completed as follows:

2.3.1. the "Addendum EU SCCs" shall refer to the relevant Standard Contractual Clauses as they are incorporated into, and applied to transfers of personal data between the Parties as set out in this DPA;

2.3.2. the "Appendix Information" shall refer to the information set out in Schedule 1 and Schedule 2 to this DPA; and

2.3.3. for the purposes of Table 4 of the Approved Addendum, neither the Customer nor PostPilot may end the Approved Addendum as set out in Section 19 of the Approved Addendum.

3. Transfers of Covered Data subject to other laws

3.1. With respect to any transfers of Covered Data referred to in Section 6.1.2 (each a "Global Transfer"), the SCCs shall not be interpreted in a way that conflicts with rights and obligations provided for in the Exporter Data Protection Laws.

3.2. For the purposes of any Global Transfers, the SCCs shall be deemed to be amended to the extent necessary so that they operate:

3.2.1. for transfers made by the applicable data exporter to the data importer, to the extent the Exporter Data Protection Laws apply to that data exporter's Processing when making that transfer; and

3.2.2. to provide appropriate safeguards for the transfers in accordance with the Exporter Data Protection Laws.

3.3. The amendments referred to in clause paragraph 3.2 include (without limitation) the following:

3.3.1. references to the "GDPR" and to specific Articles of the GDPR are replaced with the equivalent provisions under the Exporter Data Protection Laws;

3.3.2. reference to the "Union", "EU" and "EU Member State," are all replaced with reference to the jurisdiction in which the Exporter Data Protection Laws were issued (the "Exporter Jurisdiction");

3.3.3. the "competent supervisory authority" shall be the applicable supervisory in the Exporter Jurisdiction; and

3.3.4. Clauses 17 and 18 of the SCCs shall refer to the laws and courts of the Exporter Jurisdiction respectively.

3.4. Where, at any time during the Recipient's Processing of Covered Data under this DPA, a transfer mechanism other than the SCCs is approved under the Exporter Data Protection Laws with respect to transfers of Covered Data by Customer to the Recipient, the Parties shall promptly enter into a supplementary agreement that:

3.4.1. incorporates any standard data protection clauses or another transfer mechanism formally adopted by the relevant authority in the Exporter Jurisdiction;

3.4.2. incorporates the details of Processing set out in Schedule 1;

3.4.3. shall, with respect to the transfer of Personal Data subject to the Exporter Data Protection Laws, take precedence over this DPA in the event of any conflict.

Schedule 4: Approved list of Sub-processors

Name of Sub-processor - Jurisdiction - Description of Processing

Amazon Web Services, Inc. - United States of America - File, application, and database hosting
Salesforce, Inc.- United States of America - File, application, and database hosting
Aurigma, Inc.- United States of America - Print file rendering software
Google LLC- United States of America - File, application, and database hosting. Collaboration and email  software.
Snowflake Inc.- United States of America - Database hosting
Citipost Limited- United Kingdom - Direct mail production
Metabase, Inc.- United States of America - Business intelligence
Lorton Data, Inc.- United States of America - Direct mail address validation and sorting software
United States Postal Service- United States of America - Direct mail processing, delivery, and tracking
Pitney Bowes Presort Services, LLC- United States of America - Direct mail processing and tracking
Microsoft Corporation- United States of America - File, application, and database hosting
United Business Mail, Inc. - United States of America- Direct mail process and tracking
MongoDB, Inc.- United States of America- Database hosting
FlatFile Inc.- United States of America- CSV data importer
Print Partner Network- United States of America- Direct mail production and delivery