Postie Data Processing Addendum
This Data Processing Addendum (“Addendum”) forms part of and is incorporated into the Master Services Agreement (“Agreement”) available at www.postie.com/MSA. The following obligations set forth in this Addendum shall only apply to the extent required by Data Protection Laws (as defined below). Capitalized terms used but not defined herein shall have the meanings set forth in the Agreement. This Addendum is effective as of the Effective Date set forth in the Agreement.
1. DEFINITIONS.
1.1 “Customer Personal Data” means Personal Data regarding Customer’s customers or prospective customers provided by Customer to Postie as part of the Services.
1.2 “Data Protection Laws” means any data privacy, security, processing or governance Law applicable to Customer Personal Data, including, without limitation, in each case to the extent applicable: (a) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, Cal. Civ. Code §§ 1798.100 et seq., including any amendments and any implementing regulations thereto, when effective (“CCPA”); (b) the Virginia Consumer Data Protection Act, when effective; (c) the Colorado Privacy Act and its implementing regulations, when effective; (d) the Utah Consumer Privacy Act, when effective; (e) Connecticut Public Act No. 22-15, An Act Concerning Personal Data Privacy and Online Monitoring, when effective; and (f) any other applicable law or regulation related to the protection of Customer Personal Data in the United States that is already in force or that will come into force during the term of this Addendum.
1.3 “Data Subject” means any identified or identifiable natural person that is the subject of Customer Personal Data.
1.4 “Personal Data” means information that constitutes “personal data”, “personal information”, “personally identifiable information”, or similar term defined in and governed by Data Protection Laws.
1.5 “Processing” (including its cognate, “Process”) means any operation or set of operations which is performed on Customer Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.6 “Sensitive Data” means: (a) social security numbers, passport numbers, driver’s license numbers, and similar identifiers (or any portion thereof), credit or debit card numbers (other than the truncated (last four digits) of a credit or debit card), employment, financial, genetic, biometric or health information (including all protected health information, as defined in 45 CFR 160.103), racial, ethnic, political or religious affiliations, citizenship or immigration status, trade union memberships, information about sexual life or sexual orientation, precise geolocation data; account passwords or access credentials; criminal history; the content of mail, emails, texts, direct messages, or other personal messages where Customer is not the intended recipient of the communication, or Personal Data of a child under sixteen (16) years of age; (b) any other information that falls within the definition of “sensitive data,” “sensitive personal information,” “special categories of data,” or similar term under Data Protection Laws; or (c) any information that would trigger data breach notifications under Data Protection Laws.
1.7 “Services” means the services, subscriptions, licenses, data, technology, and other offerings provided by or on behalf of Postie under the Agreement or any Order, including without limitation the Platform, Campaigns, Postie Technology, and Postie Data.
1.8 “Subprocessor” means any third party engaged by Postie to Process Customer Personal Data on behalf of Customer.
2. PROCESSING OF CUSTOMER PERSONAL DATA.
2.1 AUTHORIZATION TO PROCESS DATA; INSTRUCTIONS. Postie shall only Process Customer Personal Data for the purposes specified in the Agreement, this Addendum, Customer’s documented instructions, or as otherwise required or permitted by Data Protection Laws. Customer hereby instructs Postie to Process Customer Personal Data: (a) to provide the Services; (b) to perform its obligations and exercise its rights under the Agreement, this Addendum, and Data Protection Laws; and (c) as necessary to prevent or address technical problems with the Services.
2.2 CUSTOMER OBLIGATIONS. Customer shall be responsible for: (a) ensuring its instructions under the Agreement and this Addendum comply with Data Protection Laws; (b) giving adequate notice, making all appropriate disclosures to Data Subjects regarding Customer’s use and disclosure and Postie’s Processing of Customer Personal Data, and providing Data Subjects with all opt-out rights required under Data Protection Laws including, where applicable, opt-outs relating to “sharing” (as defined under the CCPA) and from targeted advertising; and (c) obtaining all necessary rights, and, where applicable, all appropriate and valid consents to disclose such Customer Personal Data to Postie to permit the Processing of such Customer Personal Data by Postie as described in this Addendum and the Agreement. Customer shall notify Postie of any changes in, or revocation of, the permission to use Customer Personal Data that would impact Postie’s ability to comply with the Agreement, this Addendum, or Data Protection Laws.
2.3 DETAILS OF PROCESSING. The parties acknowledge and agree that the nature and purpose of the Processing of Customer Personal Data, the types of Customer Personal Data Processed, the categories of Data Subjects, the duration of Processing Customer Personal Data, and other details regarding the Processing of Customer Personal Data are as set forth in Schedule 1.
2.4 RESTRICTIONS ON SENSITIVE DATA. Customer expressly acknowledges and agrees that, except as expressly permitted by an Order, it will not submit any Sensitive Data to the Services or use the Services to Process any Sensitive Data. Postie may suspend all or a portion of Customer’s access to the Services upon written notice and without any liability to Postie if Postie has a good faith belief that Customer has breached the restrictions in this Section. Customer acknowledges and agrees that Postie shall have no liability for any Sensitive Data unless and until Customer executes an Order expressly providing for the Services package intended for the storage, processing, and distribution of such Sensitive Data and pays all fees associated therewith. Customer will defend, indemnify and hold harmless Postie, its affiliates and licensors, and each of their respective officers, directors, shareholders, employees, contractors, agents, and representatives from and against all Losses incurred in connection with any Claims brought against any of them by a third party, including a government authority, insofar as the Claim arises out of or relates to Postie’s Processing of Sensitive Data that is provided by Customer in violation of this Section. The foregoing indemnification obligation shall not be subject to any exclusions or limitations of liability set forth in the Agreement.
2.5 PROCESSING SUBJECT TO THE CCPA. Customer acknowledges that the Services may include cross-context behavioral advertising, as such term is defined under the CCPA. With respect to any personal information (as such term is defined under the CCPA) contained in Customer Personal Data (as used in this Section, “Personal Information”), any Personal Information disclosed by Customer to Postie is provided to Postie only for the limited and specified purposes set forth in the Agreement and further specified in Schedule 1. Postie will comply with applicable obligations under the CCPA and provide the same level of privacy protection to Personal Information as is required by the CCPA. Customer has the right to take reasonable and appropriate steps to help ensure that Postie uses the Personal Information transferred in a manner consistent with Customer’s obligations under the CCPA by exercising Customer’s audit rights in Section 10 (Relevant Records and Audits). Postie will notify Customer if it makes a determination that Postie can no longer meet its obligations under the CCPA. If Postie notifies Customer of unauthorized use of Personal Information, including under the foregoing sentence, Customer will have the right to take reasonable and appropriate steps to stop and remediate such unauthorized use by limiting the Personal Information shared with Postie, terminating the portion of the Agreement relevant to such unauthorized use, or such other steps mutually agreed between the parties in writing.
3. CONFIDENTIALITY. Postie shall limit access to Customer Personal Data to those employees or other personnel who have a business need to have access to such Customer Personal Data. Further, Postie shall ensure that such employees or other personnel are subject to a duty of confidentiality with respect to such Customer Personal Data.
4. SECURITY.
4.1 Security Measures. Taking into account the context of the Processing, Postie will implement and maintain reasonable and appropriate administrative, technical, and physical security measures that are designed to protect the confidentiality, integrity, and availability of Customer Personal Data (“Security Measures”). Such Security Measures shall include those measures as set forth in Schedule 2, which is attached hereto and incorporated herein by reference. Customer acknowledges that the Security Measures may be updated from time to time to reflect process improvements or changing practices, provided that the modifications will not materially decrease Postie’s security obligations hereunder.
4.2 Personal Data Breach. Upon becoming aware of a confirmed breach of Postie’s security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data in Postie’s possession, custody, or control in violation of this Addendum (a “Personal Data Breach”), Postie will: (a) notify Customer of the Personal Data Breach without undue delay after becoming aware of the Personal Data Breach; and (b) take reasonable steps to identify the cause of such Personal Data Breach, minimize harm, and prevent a recurrence. Postie will take reasonable steps to provide Customer with information available to Postie that Customer may reasonably require to comply with its obligations under Data Protection Laws. Postie’s notification of or response to a Personal Data Breach under this Section will not be construed as an acknowledgement by Postie of any fault or liability with respect to the Personal Data Breach.
5. SUBPROCESSING.
5.1 Authorization. Customer generally authorizes Postie to engage Subprocessors as Postie considers reasonably appropriate for the Processing of Customer Personal Data. The current list of Subprocessors Postie may use to provide the Services is available at app.postie.com/vendor_list (“Subprocessor List”), which Customer hereby approves and authorizes. Postie may engage additional Subprocessors as Postie considers reasonably appropriate for the Processing of Customer Personal Data, provided that Postie shall notify Customer of the addition or replacement of Subprocessors at least 10 days prior to such addition or replacement by emailing Customer at an email address provided by Customer. Customer may, on reasonable grounds, object to a new Subprocessor by notifying Postie in writing within 10 days of Postie updating the Subprocessor List, giving reasons for Customer’s objection. Upon receiving such an objection, where practicable and at Postie’s sole discretion Postie will use commercially reasonable efforts to: (a) work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; or (b) take corrective steps requested by Customer in its objection and proceed to use the new Subprocessor. If Postie informs Customer that such change or corrective steps cannot be made, Customer may, as its sole and exclusive remedy available under this Section, terminate the relevant portion of the Agreement involving the Services which require the use of the proposed Subprocessor by providing written notice to Postie.
5.2 Obligations Related to Subprocessors. With respect to each Subprocessor, Postie shall enter into a written contract with such Subprocessor containing protection obligations for Customer Personal Data not less protective than those in this Addendum. Customer acknowledges and agrees that the identity of each Postie Subprocessor is confidential and proprietary to Postie and shall be deemed Postie’s Confidential Information under the Agreement.
6. DATA SUBJECT RIGHTS. Postie shall provide reasonable and timely assistance designed to enable Customer to respond to any request from a Data Subject to exercise any of its rights under Data Protection Laws. In the event that any such communication is made directly to Postie by a Data Subject, Postie shall promptly inform Customer providing full details of the same; shall not respond to the communication unless specifically required by Law or authorized by Customer; and shall otherwise immediately provide the information or services necessary for Customer to respond to access, deletion, or change requests in relation to Customer Personal Data.
7. DELETION OF CUSTOMER PERSONAL DATA. The Platform will include functionality for Customer to delete its Customer Personal Data from the Platform. Customer may access and use such functionality during the Term of the Agreement and for 30 days following termination of the Agreement. Postie will delete or return, at Customer’s option, Customer Personal Data: (a) automatically, when delete features within the Platform are utilized by Customer; and (b) in any event, within 182 days following termination of this Agreement, in accordance with Postie’s standard procedures.
8. RELEVANT RECORDS AND AUDITS.
8.1 Review of Information and Records. Upon Customer’s reasonable written request, Postie will make available to Customer all information in Postie’s possession reasonably necessary to demonstrate Postie’s compliance with Data Protection Laws. Such information shall be in the form of a SOC2 report or the substantive equivalent (collectively, the “Reports”). Such Reports will be made available to Customer not more than once per calendar year (unless otherwise required by Data Protection Laws) and subject to the confidentiality obligations of the Agreement or a mutually agreed non-disclosure agreement. If the Reports are insufficient to demonstrate Postie’s compliance with Data Protection Laws, Customer may submit reasonable written requests for additional information.
8.2 Audits. To the extent that the Reports and the additional information provided by Postie pursuant to Section 8.1 are not sufficient for Customer to confirm Postie’s compliance with Data Protection Laws and this Addendum then, at Customer’s sole cost and expense and to the extent Customer is unable to access the additional information on its own, Postie will allow for, cooperate with, and contribute to reasonable assessments and audits, including inspections, by Customer or an auditor mandated by Customer (“Mandated Auditor”), provided that: (a) Customer provides Postie with reasonable advance written notice including the anticipated date of the audit (which may not be sooner than 10 business days after Customer’s written notice), the proposed scope of the audit, and the identity of any Mandated Auditor, which shall not be a competitor of Postie; (b) Postie approves the Mandated Auditor in writing, which such approval shall not to be unreasonably withheld; (c) the audit is conducted during normal business hours and in a manner that does not have any adverse impact on Postie’s normal business operations; (d) Customer or any Mandated Auditor complies with Postie’s standard safety, confidentiality, and security policies or procedures in conducting any such audits; (e) any records, data, or information accessed by Customer or any Mandated Auditor in the performance of any such audit and any results of such audit will be deemed to be the Confidential Information of Postie and subject to the confidentiality provisions of the Agreement or a mutually-agreed non-disclosure agreement; and (f) Customer may initiate such audit not more than once per calendar year unless otherwise required by Data Protection Laws.
8.3 Results of Audits. Customer will promptly notify Postie of any non-compliance discovered during the course of an audit and provide Postie any reports generated in connection with any audit under this Section. Customer may use the audit reports solely for the purposes of meeting Customer’s audit requirements under Data Protection Laws to confirm that Postie’s Processing of Customer Personal Data complies with this Addendum,
9. GENERAL TERMS. This Addendum will remain in force until the date on which the Agreement terminates or so long as Postie has access to Customer Personal Data. Any liabilities of Postie arising in respect of this Addendum are subject to the limitations of liability under the Agreement. Customer and Postie expressly recognize and agree that this Addendum includes provisions addressed in other portions of the Agreement. This Addendum and the other portions of the Agreement shall be read together and construed, to the extent possible, to be in concert with each other. In the event of any conflict or inconsistency between the terms of this Addendum and the terms of the Agreement in relation to the Processing of Customer Personal Data, this Addendum shall control. Except as expressly indicated in this Addendum, all provisions of the Agreement shall remain in full effect.
Last Updated: March 15, 2023
Previous version is available here https://postie.com/dpa-archive-03152023/
SCHEDULE 1
Details of Processing
1. Nature and purpose of the Processing of Customer Personal Data:
The nature and purpose of the Processing are those activities reasonably required to facilitate or support the provision of the Services as described in the Agreement and this Addendum.
With respect to the CCPA, the purposes for which Postie Processes Personal Information (as defined in Section 2.5) include:
• Helping to ensure security and integrity, to the extent the use of Personal Information is reasonably necessary and proportionate for these purposes;
• Debugging to identify and repair errors that impair existing intended functionality;
• Performing the Services as described in the Agreement and carrying out the instructions set forth in Section 2.1, including providing customer service, processing or fulfilling orders and transactions, verifying customer information, providing analytic services, providing storage, and providing similar services on behalf of Customer;
• Providing cross-context behavioral advertising;
• Undertaking internal research for technological development and demonstration; and
• Undertaking activities to verify or maintain the quality or safety of the Services, and to improve, upgrade, or enhance the Services.
2. The types of Customer Personal Data Processed:
The categories of Customer Personal Data Processed are those categories permitted by the Agreement and this Addendum, and may include name, email address, postal address, IP address, online activity information, and other Personal Data provided or otherwise made available to Postie by Customer in order for Postie to provide the Services.
3. Duration of the Processing of Customer Personal Data:
The duration of the Processing is as described in the Agreement and this Addendum.
SCHEDULE 2
Security Measures
With respect to Customer Personal Data transferred to or received by Postie under the Agreement, Postie has implemented, and will maintain, a written information security program (“Information Security Program”) that includes appropriate administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of Customer Personal Data. In particular, the Information Security Program will include the following safeguards where appropriate or necessary to ensure the protection of Customer Personal Data:
1. Access Controls – Policies, procedures, and physical and technical controls (a) to limit physical access to its information systems in which they are housed to properly authorized persons; (b) to ensure that all members of its workforce who require access to Customer Personal Data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access; (c) to authenticate and permit access only to authorized individuals and to prevent members of its workforce from providing Customer Personal Data or information relating thereto to unauthorized individuals; and (d) to reasonably encrypt Customer Personal Data where appropriate.
2. Security Awareness and Training – A security awareness and training program for all relevant members of Postie’s workforce (including management), which includes training on how to implement and comply with its Information Security Program.
3. Security Incident Procedures – Policies and procedures to detect, respond to, and otherwise address security incidents, including procedures to monitor systems and to detect attempted attacks on or intrusions into Customer Personal Data or information systems relating thereto, and procedures to identify and respond to suspected or known security incidents, mitigate harmful effects of security incidents, and document security incidents and their outcomes.
4. Contingency Planning – Policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Customer Personal Data or systems that contain Customer Personal Data, including a data backup plan and a disaster recovery plan.
5. Device and Media Controls – Policies and procedures on hardware and electronic media that contain Customer Personal Data, including policies and procedures to address the final disposition of Customer Personal Data, or the hardware or electronic media on which it is stored, and procedures for removal of Customer Personal Data from electronic media before the media are made available for re-use.
6. Audit Controls – Hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.
7. Data Integrity – Policies and procedures to ensure the confidentiality, integrity, and availability of Customer Personal Data and protect it from disclosure, improper alteration, or destruction.
8. Storage and Transmission Security – Technical security measures to guard against unauthorized access to Customer Personal Data that is being transmitted over an electronic communications network, including a mechanism to encrypt Customer Personal Data in electronic form while in transit and in storage on networks or systems to which unauthorized individuals may have access.
9. Assigned Security Responsibility – Postie will designate a security official responsible for the development, implementation, and maintenance of its Information Security Program. Postie will inform the Customer as to the person responsible for security upon request.
10. Storage Media – Policies and procedures to ensure that prior to any storage media containing Customer Personal Data being assigned, allocated, or reallocated to another user, Postie will delete such Customer Personal Data, such that the media contains no residual data or, if necessary, physically destroy such storage media.
11. Testing – Postie will regularly test the key controls, systems, and procedures of its Information Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.
12. Adjust the Program – Postie will monitor, evaluate, and adjust, as appropriate, the Information Security Program in light of any relevant changes in technology or security standards, the sensitivity of the Customer Personal Data, internal or external threats to Postie or the Customer Personal Data, and Postie’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems. In light of the foregoing, the Information Security Program is subject to change; provided, however, that any such update will not materially diminish the applicable information security protections applicable to Customer Personal Data.
13. SOC 2 Report. Postie will provide to Customer upon request its annual Service Organization Controls (SOC) 2 Type II report as defined by the American Institute of Certified Public Accountants. Such report should include an opinion by the independent auditor on the adequacy and integrity of Postie’s general controls for security. Postie is responsible for mitigating all material risks identified in such report in a timely manner without unreasonable delay and to continue such mitigation until all such risks have been remediated.