Postie Data Processing Addendum – Replaced 3/15/2023
This Data Processing Addendum (“Addendum”) forms part of and is incorporated into the Master Services Agreement (“Agreement”) available at www.postie.com/MSA. Capitalized terms used but not defined herein shall have the meanings set forth in the Agreement. This Addendum is effective as of the Effective Date set forth in the Agreement.
1. DEFINITIONS.
1.1 “Data Protection Laws” means any privacy or security Law governing data privacy, data processing data protection, or data security, including, without limitation, the CCPA, that are applicable to Customer Personal Data.
1.2 “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., including any amendments and any implementing regulations thereto.
1.3 “Customer Personal Data” means Personal Data regarding Customer’s customers or prospective customers provided by Customer to Postie as part of the Services.
1.4 “Data Subject” means any identified or identifiable natural person that is the subject of Customer Personal Data.
1.5 “Personal Data” means (a) information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household; or (b) “personal data”, “personal information”, “personally identifiable information”, or similar term defined in and governed by Data Protection Laws.
1.6 “Personal Data Breach” means the unauthorized access or acquisition of Customer Personal Data in violation of this Addendum.
1.7 “Processing” (including its cognate, “Process”) means any operation or set of operations which is performed on Customer Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.8 “Remediation Efforts” means activities designed to mitigate or remedy a Personal Data Breach as required by Data Protection Law.
1.9 “Sensitive Data” means social security numbers, passport numbers, driver’s license numbers, and similar identifiers (or any portion thereof), credit or debit card numbers (other than the truncated (last four digits) of a credit or debit card), employment, financial, genetic, biometric or health information (including all protected health information, as defined in 45 CFR 160.103), racial, ethnic, political or religious affiliations, trade union memberships, or information about sexual life or sexual orientation, account passwords, criminal history, mother’s maiden name, and any other information that falls within the definition of “special categories of data” under Data Protection Laws.
1.10 “Subprocessor” means any third party engaged by Postie to Process Customer Personal Data on behalf of Customer.
2. AUTHORIZATION TO PROCESS DATA. The parties acknowledge and agree that Postie will act as a “Service Provider” as such term is defined in the CCPA, in its provision of the Services and performance of obligations pursuant to the Agreement. Postie shall only Process Customer Personal Data for the purposes specified in the Agreement, this Addendum, Customer’s documented instructions, or its agreement with a Data Subject. Customer shall be responsible for: (1) giving adequate notice and making all appropriate disclosures to Data Subjects regarding Customer’s use and disclosure and Postie’s Processing of Customer Personal Data; and (2) obtaining all necessary rights, and, where applicable, all appropriate and valid consents to disclose such Customer Personal Data to Postie to permit the Processing of such Customer Personal Data by Postie for the purposes of performing Postie’s obligations under the Agreement or as may be required by Data Protection Laws. Customer shall notify Postie of any changes in, or revocation of, the permission to use Customer Personal Data that would impact Postie’s ability to comply with the Agreement or Data Protection Laws. Customer expressly acknowledges and agrees that it will not submit any Sensitive Data to the Services or use the Services to Process any Sensitive Data. Postie may suspend all or a portion of Customer’s access to the Services upon written notice and without any liability to Customer if Postie has a good faith belief that Customer has breached the restrictions in this Section. Customer acknowledges and agrees that Postie shall have no liability for any Sensitive Data unless and until Customer executes an Order expressly providing for the Services package intended for the storage, processing, and distribution of such Sensitive Data and pays all fees associated therewith.
3. PROCESSING SUBJECT TO THE CCPA. Postie shall not: (1) sell (as defined in the CCPA) any Customer Personal Data; (2) retain, use, or disclose any Customer Personal Data for any purpose other than for the specific purpose of providing the Services and as otherwise permitted by the CCPA, including not retaining, using, or disclosing Customer Personal Data for a commercial purpose (as defined in the CCPA) other than provision of the Services; or (3) retain, use, or disclose the Customer Personal Data outside of the direct business relationship between Postie and Customer. Postie hereby certifies that it understands its obligations under this Section and will comply with them. Notwithstanding anything in the Agreement, the parties acknowledge and agree that Postie’s access to Customer Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.
4. CONFIDENTIALITY. Postie shall limit access to Customer Personal Data to those employees or other personnel who have a business need to have access to such Customer Personal Data. Further, Postie shall ensure that such employees or other personnel have agreed in writing to protect the confidentiality and security of such Customer Personal Data in accordance with this Addendum.
5. SECURITY. Postie shall implement and maintain reasonable and appropriate administrative, technical, and physical security measures that are designed to protect the confidentiality, integrity, and availability of Customer Personal Data. Such security measures shall include those measures as set forth on Schedule 1, which is attached hereto and incorporated herein by reference.
6. SUBPROCESSING. With respect to each Subprocessor, Postie shall: (1) require such Subprocessor to agree to take reasonable and appropriate steps, consistent with the terms of this Addendum, to protect Customer Personal Data and to prohibit them from using Customer Personal Data for any purpose other than to assist Postie in fulfilling its obligations under the Agreement and this Addendum; and (2) remain fully liable to Customer for the performance of such Subprocessor’s obligations.
7. DATA SUBJECT RIGHTS. Postie shall provide all reasonable and timely assistance to enable Customer to respond to any request from a Data Subject to exercise any of its rights under Data Protection Laws. In the event that any such communication is made directly to Postie, Postie shall promptly inform Customer providing full details of the same; shall not respond to the communication unless specifically required by Law or authorized by Customer; and shall otherwise immediately provide the information or services necessary for Customer to respond to access, deletion, or change requests in relation to Customer Personal Data.
8. PERSONAL DATA BREACH.
8.1 Notice. If Postie discovers or becomes aware of a Personal Data Breach, then Postie shall promptly (and in any event within the timeframe required by Data Protection Laws) notify Customer and shall provide timely information and cooperation to enable Customer to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Data Protection Laws. Such notification shall, to the extent known at the time of the notification: (a) describe the nature of the Personal Data Breach, the categories and numbers of individuals concerned, and the categories and numbers of Customer Personal Data records concerned; (b) communicate the name and contact details of Postie’s data protection officer or other relevant contact from whom more information may be obtained by Customer; (c) describe the likely consequences of the Personal Data Breach; and (d) describe the measures taken or proposed to be taken to address the Personal Data Breach.
8.2 Remediation. To the extent that a Personal Data Breach is determined to be a result of Postie’s breach of this Addendum, Postie will cooperate in good faith with Customer regarding any Remediation Efforts. Postie will undertake Remediation Efforts at Postie’s sole expense and will reimburse Customer for direct reasonable costs and expenses arising from the Remediation Efforts. The parties agree that such reasonable costs and expenses are direct damages and are subject to the cap on direct damages set forth in the Agreement. To the extent permitted by Data Protection Laws, the timing, content, and manner of any notices shall be determined by Customer in its sole discretion provided Postie shall have a right to review and approve any statements referencing Postie. Postie shall not be responsible for failure of any notice to comply with applicable Law or other damages that result from Remediation Efforts to the extent such actions were requested or directed by Customer.
9. GOVERNMENT DISCLOSURE. Postie shall promptly notify the Customer of any request for the disclosure of any Customer Personal Data by a governmental or regulatory body or law enforcement authority unless otherwise prohibited by applicable Law or a legally binding order of such body or agency.
10. DELETION OF CUSTOMER PERSONAL DATA. The Platform will include functionality for Customer to delete its Customer Personal Data from the Platform. Customer may access and use such functionality during the Term of the Agreement and for 30 days following termination of the Agreement. Postie will delete Customer Data: (a) automatically, when delete features within the Platform are utilized by Customer; and (b) in any event, within 182 days following termination of this Agreement, in accordance with Postie’s standard procedures.
11. RELEVANT RECORDS. Upon Customer’s request, Postie shall promptly make available to Customer all information reasonably necessary to demonstrate compliance with this Addendum. At Customer’s written request and within 30 days of such request, Postie will provide Customer with a certification signed by an officer of Postie verifying that Postie is using Customer Personal Data in compliance with the Agreement and this Addendum.
12. GENERAL TERMS. This Addendum will remain in force until the date on which the Agreement terminates or so long as Postie has access to Customer Personal Data. Customer and Postie expressly recognize and agree that this Addendum includes provisions addressed in other portions of the Agreement. Customer and Postie hereby agree that the terms and conditions set out herein shall be added as an Addendum to the Agreement. This Addendum and the other portions of the Agreement shall be read together and construed, to the extent possible, to be in concert with each other.
SCHEDULE 1
Security Measures
With respect to Customer Personal Data transferred to or received by Postie under the Agreement, Postie has implemented, and will maintain, a written information security program (“Information Security Program”) that includes appropriate administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of Customer Personal Data. In particular, the Information Security Program will include the following safeguards where appropriate or necessary to ensure the protection of Customer Personal Data:
1. Access Controls – Policies, procedures, and physical and technical controls (a) to limit physical access to its information systems in which they are housed to properly authorized persons; (b) to ensure that all members of its workforce who require access to Customer Personal Data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access; (c) to authenticate and permit access only to authorized individuals and to prevent members of its workforce from providing Customer Personal Data or information relating thereto to unauthorized individuals; and (d) to reasonably encrypt Customer Personal Data where appropriate.
2. Security Awareness and Training – A security awareness and training program for all relevant members of Postie’s workforce (including management), which includes training on how to implement and comply with its Information Security Program.
3. Security Incident Procedures – Policies and procedures to detect, respond to, and otherwise address security incidents, including procedures to monitor systems and to detect attempted attacks on or intrusions into Customer Personal Data or information systems relating thereto, and procedures to identify and respond to suspected or known security incidents, mitigate harmful effects of security incidents, and document security incidents and their outcomes.
4. Contingency Planning – Policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Customer Personal Data or systems that contain Customer Personal Data, including a data backup plan and a disaster recovery plan.
5. Device and Media Controls – Policies and procedures on hardware and electronic media that contain Customer Personal Data, including policies and procedures to address the final disposition of Customer Personal Data, or the hardware or electronic media on which it is stored, and procedures for removal of Customer Personal Data from electronic media before the media are made available for re-use.
6. Audit Controls – Hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.
7. Data Integrity – Policies and procedures to ensure the confidentiality, integrity, and availability of Customer Personal Data and protect it from disclosure, improper alteration, or destruction.
8. Storage and Transmission Security – Technical security measures to guard against unauthorized access to Customer Personal Data that is being transmitted over an electronic communications network, including a mechanism to encrypt Customer Personal Data in electronic form while in transit and in storage on networks or systems to which unauthorized individuals may have access.
9. Assigned Security Responsibility – Postie will designate a security official responsible for the development, implementation, and maintenance of its Information Security Program. Postie will inform the Customer as to the person responsible for security upon request.
10. Storage Media – Policies and procedures to ensure that prior to any storage media containing Customer Personal Data being assigned, allocated, or reallocated to another user, Postie will delete such Customer Personal Data, such that the media contains no residual data or, if necessary, physically destroy such storage media.
11. Testing – Postie will regularly test the key controls, systems, and procedures of its Information Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.
12. Adjust the Program – Postie will monitor, evaluate, and adjust, as appropriate, the Information Security Program in light of any relevant changes in technology or security standards, the sensitivity of the Customer Personal Data, internal or external threats to Postie or the Customer Personal Data, and Postie’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems. In light of the foregoing, the Information Security Program is subject to change; provided, however, that any such update will not materially diminish the applicable information security protections applicable to Customer Personal Data.
13. SOC 2 Report. Postie will provide to Customer upon request its annual Service Organization Controls (SOC) 2 Type II report as defined by the American Institute of Certified Public Accountants. Such report should include an opinion by the independent auditor on the adequacy and integrity of Postie’s general controls for security. Postie is responsible for mitigating all material risks identified in such report in a timely manner without unreasonable delay and to continue such mitigation until all such risks have been remediated.