Last Updated: 24 February 2026
This Data Processing Addendum ("DPA") forms part of and is incorporated into the Terms and Conditions (the "Agreement") between Maileroo Group Pty Ltd (ACN 691 482 836) ("CampaignLark", "Processor", "we", "us", or "our") and the customer ("Customer", "Controller", or "you") for the provision of email services (the "Services").
This DPA applies where and only to the extent that CampaignLark processes Personal Data on behalf of the Customer in the course of providing the Services and such processing is subject to Data Protection Laws.
1.1 Definitions
In this DPA, the following terms shall have the meanings set out below:
- "Affiliate" means any entity that directly or indirectly Controls, is Controlled by, or is under common Control with an entity.
- "Australian Privacy Law" means the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
- "Control" means an ownership, voting, or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question.
- "Controller" means the entity which determines the purposes and means of the Processing of Personal Data.
- "Data Protection Laws" means all applicable laws and regulations relating to the Processing of Personal Data, including but not limited to: the General Data Protection Regulation (EU) 2016/679 ("GDPR"); the UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR"); the Swiss Federal Act on Data Protection ("Swiss DPA"); the Australian Privacy Act 1988 (Cth) and Australian Privacy Principles; the California Consumer Privacy Act and California Privacy Rights Act ("CCPA/CPRA"); Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA"); and any other applicable privacy or data protection legislation.
- "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
- "EEA" means the European Economic Area.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by CampaignLark on behalf of Customer in the course of providing the Services, including but not limited to: email addresses of senders and recipients; names and contact information; email content, subject lines, and metadata; IP addresses and device information; and email engagement data (opens, clicks, bounces).
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
- "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, transmission, dissemination, erasure, or destruction.
- "Processor" means the entity which processes Personal Data on behalf of the Controller.
- "Restricted Transfer" means a transfer of Personal Data from a jurisdiction with comprehensive data protection laws (such as the EEA, UK, or Switzerland) to a jurisdiction not recognized as providing adequate protection.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries approved by the European Commission (Decision 2021/914), as may be updated from time to time.
- "Sub-processor" means any Processor engaged by CampaignLark to process Personal Data on behalf of Customer in connection with the Services.
- "Supervisory Authority" means any local, national, or supranational agency, authority, department, official, parliament, or public or statutory body exercising authority or functions regarding data protection.
1.2 Interpretation
Terms not otherwise defined in this DPA shall have the meanings given to them in the Agreement or, if not defined in the Agreement, the meanings given in applicable Data Protection Laws. In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail to the extent of such conflict or inconsistency with respect to the processing of Personal Data.
2.1 Scope of Processing
This DPA applies to the Processing of Personal Data by CampaignLark on behalf of Customer in connection with the provision of the Services. The subject matter, duration, nature, and purpose of the Processing, as well as the types of Personal Data and categories of Data Subjects, are further described in Annex 1 (Details of Processing) to this DPA.
2.2 Roles of the Parties
The parties acknowledge and agree that:
- Customer is the Controller of the Personal Data and determines the purposes and means of Processing
- CampaignLark is the Processor and processes Personal Data only on behalf of and in accordance with Customer's documented instructions
- Customer is solely responsible for ensuring that its instructions comply with Data Protection Laws and that it has a lawful basis for processing Personal Data
- This DPA does not reduce any obligations Customer may have under Data Protection Laws
2.3 Customer Instructions
Customer instructs CampaignLark to process Personal Data to provide the Services in accordance with the Agreement and this DPA, to comply with other documented instructions provided by Customer consistent with the terms of the Agreement, and as necessary to comply with applicable law to which CampaignLark is subject.
The parties agree that this DPA and the Agreement constitute Customer's complete and final instructions to CampaignLark regarding the Processing of Personal Data. Additional instructions outside the scope of this DPA require prior written agreement between the parties. CampaignLark shall immediately inform Customer if, in CampaignLark's opinion, an instruction infringes Data Protection Laws.
3.1 Compliance with Instructions
CampaignLark shall process Personal Data only in accordance with Customer's documented instructions unless required to do otherwise by applicable law, immediately inform Customer if CampaignLark becomes aware that Customer's instructions infringe Data Protection Laws, and not process Personal Data for any purpose other than as instructed by Customer.
3.2 Confidentiality
CampaignLark shall ensure that all personnel authorized to process Personal Data are subject to appropriate confidentiality obligations (whether contractual or statutory), receive adequate training on data protection, privacy, and security, and process Personal Data only as necessary to provide the Services or as instructed by Customer. These confidentiality obligations shall survive the termination of employment or engagement and the termination of this DPA.
3.3 Security Measures
Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risks to the rights and freedoms of Data Subjects, CampaignLark shall implement and maintain appropriate technical and organizational measures to protect Personal Data against Personal Data Breaches, including:
Technical Security Measures:
- Encryption of Personal Data in transit using TLS 1.2 or higher
- Encryption of Personal Data at rest using AES-256 or equivalent
- Secure authentication mechanisms, including multi-factor authentication for administrative access
- Role-based access controls and the principle of least privilege
- Regular security testing, including vulnerability assessments and penetration testing
- Network security controls, including firewalls and intrusion detection/prevention systems
- Secure data backup and disaster recovery procedures
- Comprehensive logging and monitoring of system access and activities
- Secure development practices and code review procedures
Organizational Security Measures:
- Documented information security policies and procedures
- Employee background checks for personnel with access to Personal Data
- Regular security awareness training for all personnel
- Incident response and breach notification procedures
- Access controls limiting personnel access to Personal Data on a need-to-know basis
- Secure disposal of equipment and media containing Personal Data
- Regular review and update of security measures
- Third-party security assessments and certifications (where available)
A detailed description of the technical and organizational security measures is set out in Annex 2 (Security Measures) to this DPA. CampaignLark may update or modify these measures from time to time, provided that such updates do not result in a material degradation of the overall security of the Services.
3.4 Sub-processors
Customer provides general written authorization for CampaignLark to engage Sub-processors to process Personal Data, subject to the following conditions:
- Current Sub-processors: CampaignLark maintains in Annex 3 to this DPA a current list of Sub-processors, including their names, locations, and the services they provide.
- Notification of Changes: CampaignLark shall notify Customer via email at least thirty (30) days before engaging a new Sub-processor or replacing an existing Sub-processor.
- Right to Object: Customer may object to CampaignLark's appointment or replacement of a Sub-processor on reasonable data protection grounds by notifying CampaignLark in writing within fifteen (15) days of receiving notification. Such objection must include detailed reasons relating to data protection concerns.
- Resolution: If Customer objects, the parties shall work together in good faith to find a commercially reasonable solution. If the parties cannot reach a resolution within thirty (30) days, Customer may terminate the affected Services without penalty by providing written notice to CampaignLark.
CampaignLark shall impose data protection obligations on Sub-processors that are materially equivalent to those in this DPA, conduct appropriate due diligence before engagement, monitor Sub-processor compliance, and remain fully liable to Customer for the performance of any Sub-processor's obligations.
3.5 Data Subject Rights
CampaignLark shall provide reasonable assistance to Customer to enable Customer to respond to requests from Data Subjects exercising their rights under Data Protection Laws, including:
- Right of access to Personal Data
- Right to rectification of inaccurate Personal Data
- Right to erasure ("right to be forgotten")
- Right to restriction of Processing
- Right to data portability
- Right to object to Processing
- Rights related to automated decision-making and profiling
CampaignLark shall promptly notify Customer (within two (2) business days) if CampaignLark receives a request directly from a Data Subject, and shall not respond to such requests directly without Customer's prior written authorization. Customer acknowledges that assistance beyond the functionality of the Services may be subject to additional fees.
3.6 Personal Data Breach Notification
CampaignLark shall notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer's Personal Data. CampaignLark shall provide Customer with sufficient information to enable Customer to meet any obligations to report or inform Data Subjects and Supervisory Authorities, including:
- A description of the nature of the Personal Data Breach
- The categories and approximate number of Data Subjects affected
- The categories and approximate number of Personal Data records affected
- The likely consequences of the Personal Data Breach
- The measures taken or proposed to be taken to address the Personal Data Breach
- Measures to mitigate potential adverse effects
- Contact details for obtaining more information
Notification shall be made to the email address associated with Customer's account. Customer acknowledges that CampaignLark's notification of a Personal Data Breach does not constitute an acknowledgment by CampaignLark of fault or liability with respect to the breach.
3.7 Data Protection Impact Assessments and Prior Consultation
CampaignLark shall provide reasonable assistance to Customer with data protection impact assessments (DPIAs) required under Data Protection Laws, prior consultations with Supervisory Authorities where required, and assessment of the privacy and security implications of the Services. Customer acknowledges that assistance beyond providing standard documentation and information may be subject to additional fees.
3.8 Deletion or Return of Personal Data
Upon termination or expiration of the Agreement, or upon Customer's earlier written request, CampaignLark shall, at Customer's election, delete all Personal Data (including copies) in CampaignLark's possession or control, or return a complete copy of all Personal Data to Customer in a commonly used, machine-readable format. Following such deletion or return, CampaignLark shall certify in writing to Customer that it has complied with this Section 3.8.
Unless otherwise instructed by Customer or required by law, CampaignLark applies the following standard retention periods:
- Email content and attachments: Up to 14 days from transmission
- Email metadata and delivery logs: Up to 14 days from transmission
- Email analytics and engagement data: Up to 2 years or as configured in Customer's account settings
- Billing and transaction records: Minimum 7 years (as required by tax and accounting regulations)
- Backup data: Up to 30 days in encrypted backup systems
3.9 Audit Rights and Compliance
CampaignLark shall make available to Customer, upon written request and subject to confidentiality obligations, information reasonably necessary to demonstrate compliance with this DPA and Data Protection Laws, including current copies of relevant security certifications (such as SOC 2 Type II, ISO 27001, or similar), summary audit reports from independent third-party auditors, and attestations of compliance with this DPA upon reasonable request.
Customer may, upon reasonable written request, conduct audits or inspections of CampaignLark's data processing activities subject to: at least sixty (60) days' prior written notice; audits conducted no more than once per year (unless required by a Supervisory Authority, required in response to a Personal Data Breach, or required by applicable law); audits conducted during normal business hours without unreasonably interfering with CampaignLark's operations; use of an independent third-party auditor reasonably acceptable to CampaignLark; and Customer bearing all costs associated with the audit.
4.1 Compliance with Data Protection Laws
Customer represents, warrants, and covenants that it has and will maintain a lawful basis under Data Protection Laws for Processing Personal Data, has provided and will provide all notices and obtained all consents and authorizations required under Data Protection Laws, and that its instructions to CampaignLark comply with Data Protection Laws. Customer has implemented and will maintain appropriate security measures for Personal Data in its possession or control.
4.2 Instructions to CampaignLark
Customer shall provide clear, lawful, and documented instructions regarding the Processing of Personal Data, ensure that Customer personnel and end-users who access the Services are authorized to do so and comply with this DPA, and promptly notify CampaignLark of any changes to instructions or any concerns regarding CampaignLark's Processing activities.
4.3 Prohibited Data
Customer acknowledges that the Services are not designed or intended for the Processing of Special Categories of Personal Data (as defined in GDPR Article 9), including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a natural person's sex life or sexual orientation. The Services are also not intended for Personal Data relating to criminal convictions, Personal Data of children under 16 without verified parental consent, government-issued identification numbers (except as necessary for account verification), or financial account information (except as necessary for payment processing).
If Customer transmits any prohibited data through the Services, Customer shall immediately notify CampaignLark in writing and shall indemnify and hold harmless CampaignLark from and against any claims, damages, costs, or liabilities arising from such transmission. CampaignLark may suspend the Services or terminate the Agreement in accordance with its terms.
4.4 Data Subject Rights Requests
Customer is responsible for responding to requests from Data Subjects exercising their rights under Data Protection Laws. CampaignLark provides tools and features within the Services to assist Customer in responding to such requests. CampaignLark's assistance beyond the standard functionality of the Services may be subject to additional fees.
5.1 Data Location and Transfers
CampaignLark's primary data processing facilities are located in the EU. Personal Data may be transferred to, stored, and processed in Germany, the Netherlands, and Finland, and in other countries where CampaignLark or its Sub-processors maintain facilities or data centers. Customer acknowledges and agrees that CampaignLark may make such transfers as necessary to provide the Services.
5.2 Transfers from the EEA, UK, and Switzerland
For transfers of Personal Data from the EEA, UK, or Switzerland to countries that have not been deemed to provide adequate protection, the parties agree to rely on the following transfer mechanisms:
- Standard Contractual Clauses (EU): The parties agree to be bound by the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914 as set out in Annex 4 to this DPA. Module Two (Controller to Processor) shall apply. In Clause 9(a), Option 2 (General written authorisation) applies with a notice period of thirty (30) days. In Clause 17, the law of Ireland shall apply. In Clause 18(b), disputes shall be resolved before the courts of Ireland.
- UK International Data Transfer Addendum: For transfers from the UK, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0, in force 21 March 2022) issued by the UK Information Commissioner's Office shall apply. Neither party may end the UK Addendum when the Approved Addendum changes.
- Swiss Data Protection Act: For transfers from Switzerland, references to the "GDPR" shall be interpreted as references to the Swiss FADP, references to "EU Member State" shall be interpreted as references to Switzerland, and the Swiss FDPIC shall have jurisdiction for data protection supervision.
5.3 Additional Safeguards
In addition to the Standard Contractual Clauses and related addenda, CampaignLark implements the following supplementary measures: encryption of Personal Data in transit and at rest; robust access controls and authentication mechanisms; contractual obligations on Sub-processors regarding data protection and security; regular security assessments and audits; incident response and breach notification procedures; and employee training on data protection and privacy.
5.4 Alternative Transfer Mechanisms
If the Standard Contractual Clauses or other transfer mechanisms referenced in this Section 5 are invalidated, replaced, or amended, the parties agree to cooperate in good faith to implement such alternative mechanisms as are necessary to ensure lawful transfers and minimize disruption to the Services during any transition.
5.5 Australian Cross-Border Disclosures
For transfers of Personal Data from Australia to overseas recipients, CampaignLark agrees to comply with Australian Privacy Principle 8 (Cross-border disclosure of personal information), take reasonable steps to ensure that overseas recipients do not breach the Australian Privacy Principles, and enter into contractual arrangements with Sub-processors requiring compliance with the Australian Privacy Principles or substantially similar standards.
6.1 Liability Allocation
Each party's liability arising out of or related to this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement. Nothing in this DPA shall exclude or limit either party's liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation, gross negligence or willful misconduct, breach of confidentiality obligations, violations of Data Protection Laws to the extent such limitations are prohibited by applicable law, or any other liability that cannot be excluded or limited under applicable law.
6.2 CampaignLark's Indemnification
CampaignLark shall indemnify, defend, and hold harmless Customer and its officers, directors, employees, and agents from and against any claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from: CampaignLark's Processing of Personal Data in material violation of this DPA; CampaignLark's failure to implement and maintain security measures as required by Section 3.3; a Personal Data Breach caused by CampaignLark's negligence, willful misconduct, or failure to comply with this DPA; or CampaignLark's breach of its obligations under Data Protection Laws or this DPA. This indemnification is subject to Customer promptly notifying CampaignLark of the claim, giving CampaignLark sole control of the defense, and providing reasonable cooperation at CampaignLark's expense.
6.3 Customer's Indemnification
Customer shall indemnify, defend, and hold harmless CampaignLark and its officers, directors, employees, and agents from and against any claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from: Customer's Processing of Personal Data in violation of Data Protection Laws; Customer's instructions that violate Data Protection Laws or this DPA; Customer's transmission of prohibited data as specified in Section 4.3; Customer's failure to obtain necessary consents or provide required notices to Data Subjects; or Customer's breach of its representations, warranties, or obligations under this DPA. This indemnification is subject to CampaignLark promptly notifying Customer of the claim, giving Customer sole control of the defense, and providing reasonable cooperation at Customer's expense.
6.4 Mitigation
Each party shall take reasonable steps to mitigate damages arising from any breach of this DPA.
7.1 Term
This DPA shall commence on the effective date of the Agreement and shall remain in effect until the earlier of: termination or expiration of the Agreement; or deletion or return of all Personal Data by CampaignLark in accordance with Section 3.8.
7.2 Effect of Termination
Upon termination of this DPA, CampaignLark shall cease all Processing of Personal Data (except as necessary to comply with Section 3.8, as required by applicable law, or to the extent Personal Data has been anonymized or aggregated such that it no longer constitutes Personal Data) and shall delete or return Personal Data in accordance with Section 3.8. Sections 3.2, 3.8, 6, and 8 shall survive termination.
7.3 Termination for Breach
Either party may terminate this DPA (and, if applicable, the Agreement) if the other party materially breaches this DPA and fails to remedy such breach within thirty (30) days of receiving written notice, or if the other party's Processing of Personal Data poses an immediate and serious threat to Data Subjects' rights and freedoms (in which case immediate termination may be effected upon written notice).
8.1 Amendments and Updates
CampaignLark may amend this DPA from time to time to reflect changes in Data Protection Laws, guidance from Supervisory Authorities, industry best practices, changes to the Services or Sub-processors, or to address security or compliance requirements. Material changes will be communicated to Customer by email, through a notice in Customer's account dashboard, or by posting an updated version on our website, with at least thirty (30) days' notice before material changes take effect. Customer's continued use of the Services after such changes constitutes acceptance of the amended DPA.
8.2 Severability
If any provision of this DPA is held to be invalid, illegal, or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid provision shall be replaced with a valid provision that most closely approximates the intent and economic effect of the invalid provision.
8.3 Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws specified in the Agreement, without regard to conflicts of law principles. This choice of law shall not affect the protection granted to Data Subjects under Data Protection Laws that cannot be derogated from by contract, nor shall it override the governing law and jurisdiction provisions in the Standard Contractual Clauses (where applicable).
8.4 Order of Precedence
In the event of any conflict or inconsistency between documents, the following order of precedence shall apply (from highest to lowest): Standard Contractual Clauses and related addenda (where applicable); this Data Processing Addendum and its Annexes; the Agreement (Terms and Conditions); and other policies referenced in the Agreement.
8.5 Third-Party Beneficiaries
For the Standard Contractual Clauses only, Data Subjects are third-party beneficiaries to the extent provided in the Standard Contractual Clauses. Except as expressly provided in the Standard Contractual Clauses, there are no third-party beneficiaries to this DPA.
8.6 Entire Agreement
This DPA, together with the Agreement and the Annexes to this DPA, constitutes the entire agreement between the parties regarding the Processing of Personal Data and supersedes all prior agreements, understandings, negotiations, and discussions relating to such subject matter.
8.7 Waiver
No waiver of any provision of this DPA shall be effective unless in writing and signed by the party against whom the waiver is sought to be enforced. No failure or delay by either party in exercising any right, power, or remedy shall operate as a waiver thereof.
8.8 Assignment
Neither party may assign or transfer this DPA without the prior written consent of the other party, except that CampaignLark may assign this DPA to an Affiliate (provided that CampaignLark remains liable for performance) or in connection with a merger, acquisition, or sale of all or substantially all of its assets. Any attempted assignment in violation of this provision is void.
8.9 Notices
All notices under this DPA shall be in writing and shall be deemed given when delivered personally, when sent by confirmed email, five (5) business days after being sent by registered or certified mail, or two (2) business days after being sent by recognized international courier. Notices to CampaignLark shall be sent to: legal@maileroo.com.
8.10 Language
This DPA is executed in English. If this DPA is translated into any other language, the English version shall prevail in the event of any conflict.
For questions, concerns, or requests regarding this DPA, data protection matters, or to exercise rights under this DPA, please contact:
Maileroo Group Pty Ltd
ACN 691 482 836
Level 10, 440 Collins Street
Melbourne VIC 3000
Australia
Email: legal@maileroo.com
Data Protection Officer: legal@maileroo.com
By accepting the Terms and Conditions, creating an account, or using the Services, Customer acknowledges that it has read, understood, and agrees to be bound by this Data Processing Addendum.
If Customer requires a separately signed copy of this DPA for compliance purposes, please contact us at legal@maileroo.com and we will provide an electronically executable version.
Annex 1: Details of Processing
This Annex includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR and the Standard Contractual Clauses.
A. List of Parties
Data Exporter (Controller):
- Name: Customer (as identified in the Agreement)
- Address: As provided in Customer's account information
- Contact person: Account administrator
- Activities: Use of CampaignLark's email delivery and marketing services
- Role: Controller
Data Importer (Processor):
- Name: Maileroo Group Pty Ltd
- Address: Level 10, 440 Collins Street, Melbourne VIC 3000, Australia
- Contact person: Data Protection Officer — legal@maileroo.com
- Activities: Provision of email API, SMTP relay, email marketing platform, email validation, tracking, analytics, and related services
- Role: Processor
B. Description of Transfer
Categories of Data Subjects:
- Customer's employees, contractors, and authorized users of the Services
- Recipients of emails sent through the Services
- Individuals whose email addresses are stored in Customer's contact lists or databases
- Website visitors who interact with emails sent through the Services (e.g., open, click tracking)
- Subscribers to Customer's email marketing campaigns
Categories of Personal Data:
- Contact information: email addresses, names (from email headers or content)
- Communication data: email subject lines, message bodies, attachments, email headers, timestamps, message IDs
- Technical data: IP addresses of senders and recipients, device identifiers, browser type and version, operating system
- Usage data: email engagement metrics (opens, clicks, bounces, unsubscribes, spam complaints)
- Location data: geographic location derived from IP addresses
- Account data: usernames, account settings, preferences
- Metadata: date and time information, email routing information
Nature and Purpose of Processing:
- To send, deliver, and track emails on behalf of Customer
- To validate email addresses and improve deliverability
- To provide analytics and reporting on email campaign performance
- To provide customer support and troubleshooting
- To detect, prevent, and address fraud, spam, and abuse
- To comply with legal obligations and enforce our policies
Retention Periods:
- Email content and attachments: Up to 14 days from transmission
- Email metadata and delivery logs: Up to 14 days from transmission
- Email analytics and engagement data: Up to 2 years or as configured by Customer
- Billing and transaction records: Minimum 7 years (as required by law)
- Backup data: Up to 30 days in encrypted backup systems
C. Competent Supervisory Authority
- For data transfers from the EEA: The supervisory authority of the EU Member State where the data exporter is established
- For data transfers from the UK: The UK Information Commissioner's Office
- For data transfers from Switzerland: The Swiss Federal Data Protection and Information Commissioner
Annex 2: Security Measures
CampaignLark has implemented and maintains the following technical and organizational measures to protect Personal Data, in accordance with Article 32 GDPR and applicable Data Protection Laws:
1. Physical Security
- Tier III or higher certified data centers with 24/7 security monitoring
- Physical access controls including biometric authentication and security badges
- Video surveillance and recording systems; visitor logs and escort requirements
- Environmental controls (fire suppression, temperature and humidity monitoring, flood detection)
- Redundant power supplies (UPS and backup generators) and network connectivity
- Secure equipment disposal and destruction procedures
2. Network and System Security
- Next-generation firewalls with stateful inspection and intrusion detection/prevention systems (IDS/IPS)
- Network segmentation and isolation (DMZ, internal zones)
- DDoS protection and mitigation services
- Virtual Private Networks (VPNs) for remote administrative access
- Hardened server configurations; regular security patches (critical patches within 48 hours)
- Antivirus and anti-malware software; SIEM systems with automated monitoring and alerting
3. Access Controls
- Multi-factor authentication (MFA) required for all administrative access
- Role-based access control (RBAC) with principle of least privilege
- Strong password policies; SSO capabilities for enterprise customers
- Secure API authentication using API keys and OAuth 2.0
- Regular access reviews and immediate revocation upon termination of employment or contract
- Comprehensive logging of all access to Personal Data with real-time monitoring and alerting
4. Data Encryption
- TLS 1.2 or higher for all data transmissions; HTTPS enforced for all web interfaces
- STARTTLS for SMTP connections, with cipher suites providing Perfect Forward Secrecy (PFS) enabled
- AES-256 encryption for all databases containing Personal Data; full disk encryption on all servers
- Encrypted backups with secure key management, key rotation, and HSMs where applicable
5. Application Security
- Security-focused SDLC with code reviews, SAST/DAST, and dependency scanning
- Protection against OWASP Top 10 vulnerabilities
- Input validation, output encoding, SQL injection prevention, XSS and CSRF protection
- Secure session management, rate limiting, and throttling to prevent abuse
6. Incident Response and Business Continuity
- Documented incident response plan with a dedicated incident response team and 24/7 monitoring
- Forensic investigation capabilities, post-incident analysis, and breach notification procedures
- Regular encrypted backups (daily incremental, weekly full) with geographically distributed storage
- Recovery Time Objective (RTO): 4 hours for critical systems; Recovery Point Objective (RPO): 24 hours maximum data loss
- Regular testing of backup restoration (quarterly)
7. Organizational Security
- Background checks for all employees with access to Personal Data
- Confidentiality and non-disclosure agreements for all personnel
- Regular security awareness training (at least annually) and specialized data protection training
- Clear separation of duties; offboarding procedures including immediate access revocation
- Comprehensive information security policy, data protection policy, acceptable use policy, and change management procedures
- Data classification and handling standards; secure disposal and destruction procedures
8. Compliance and Audit
- Regular internal security audits and third-party penetration testing (at least annually)
- Ongoing pursuit of relevant security certifications (SOC 2 Type II, ISO 27001)
- Regular assessment against NIST Cybersecurity Framework
- Participation in responsible disclosure programs
9. Data Minimization and Retention
- Collection of only necessary Personal Data for service provision
- Pseudonymization and anonymization where appropriate
- Defined retention periods with automated deletion processes upon expiration
- Secure deletion methods ensuring data cannot be recovered; certificates of destruction for physical media
Annex 3: List of Sub-processors
CampaignLark engages the following Sub-processors to process Personal Data on behalf of Customer in connection with the Services:
| Name | Entity Location | Purpose of Processing |
|---|---|---|
| Stripe, Inc. | United States | Subscription billing, payment processing, tax compliance, and customer invoicing |
| Crisp IM SAS | France | Customer support chat and messaging platform |
| Zendesk, Inc. | United States | Customer support ticketing system and helpdesk software |
| StatCounter | Ireland | Analytics and reporting services |
| Twilio, Inc. | United States | SMS and phone verification services |
| Proton AG | Switzerland | Email and collaboration services |
| Microsoft Corporation | United States | Email and collaboration services |
| GitHub, Inc. | United States | Source code repository and collaboration services |
| OpenRouter, Inc. | United States | LLM API services |
| Cloud DNS Ltd | Bulgaria | DNS hosting and management services |
| Cloudflare, Inc. | United States | Content delivery network (CDN), DNS, DDoS, WAF services |
| Hetzner Online GmbH | Germany | Server hosting, data storage, and infrastructure services for the platform |
| The Constant Company, LLC | United States | Cloud infrastructure services including computing, storage, and networking |
| Contabo GmbH | Germany | Server hosting, data storage, and infrastructure services for the platform |
| BIT BV | Netherlands | Server hosting, data storage, and infrastructure services for the platform |
| netcup GmbH | Germany | Server hosting, data storage, and infrastructure services for the platform |
| Akamai Technologies International AG | Switzerland | Server hosting, data storage, and infrastructure services for the platform |
| Google LLC | United States | Analytics, collaboration, security (reCAPTCHA), and cloud infrastructure services |
| Mega Privacy LLC | Hungary | Encrypted cloud storage services |
| proxycheck.io | United Kingdom | Fraud detection and prevention services |
Additional Sub-processors may be added subject to the notification requirements in Section 3.4 of this DPA. Customer will be notified via email at least thirty (30) days in advance of any additions or replacements to this list.
Each Sub-processor is bound by written agreements requiring them to: process Personal Data only in accordance with documented instructions; maintain confidentiality of Personal Data; implement appropriate technical and organizational security measures; assist with Data Subject rights requests; notify CampaignLark of Personal Data Breaches; delete or return Personal Data upon termination; and submit to audits and inspections.
This Annex incorporates the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679, as approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
Module Two: Controller to Processor
- Clause 7 – Docking Clause: The optional docking clause applies. An entity that is not a party to these Clauses may, with the agreement of the parties, accede to them at any time by completing the Appendix and signing Annex I.A.
- Clause 9 – Use of Sub-processors: Option 2 (General written authorisation) applies. The data importer has the data exporter's general authorisation for the engagement of Sub-processors. The notice period is thirty (30) days.
- Clause 11 – Redress: The optional language in Clause 11(a) permitting Data Subjects to lodge complaints with an independent dispute resolution body is NOT selected.
- Clause 13 – Supervision: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 shall act as competent supervisory authority.
- Clause 17 – Governing Law: These Clauses shall be governed by the law of Ireland.
- Clause 18 – Choice of Forum and Jurisdiction: Any dispute arising from these Clauses shall be resolved by the courts of Ireland.
The Appendix to the Standard Contractual Clauses is completed as follows: Annex I (List of Parties and Description of Transfer) as set out in Annex 1 to this DPA; Annex II (Technical and Organisational Measures) as set out in Annex 2 to this DPA; Annex III (List of Sub-processors) as set out in Annex 3 to this DPA.
UK International Data Transfer Addendum
For transfers from the UK, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0, in force 21 March 2022) issued by the UK Information Commissioner's Office applies, with the following specifications:
- Table 1 (The Parties): As specified in the Agreement and Annex 1 to this DPA
- Table 2 (Selected SCCs, Modules and Selected Clauses): The Approved EU SCCs, Module Two (Controller to Processor), with the specifications noted above
- Table 3 (Appendix Information): As set out in Annexes 1, 2, and 3 to this DPA
- Table 4 (Ending this Addendum when the Approved Addendum Changes): Neither party may end this Addendum on this basis
Swiss Data Protection Law Modifications
For transfers from Switzerland, the parties agree to the following modifications to the Standard Contractual Clauses:
- References to "Regulation (EU) 2016/679" or "GDPR" shall be interpreted as references to the Swiss Federal Act on Data Protection (FADP)
- References to "EU", "Union", and "Member State" shall be interpreted as references to Switzerland
- References to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner (FDPIC) and the competent courts in Switzerland
- The FDPIC shall have jurisdiction for data protection supervision
- To the extent required by Swiss law, the law of Switzerland shall govern data protection matters
Accessing the Full Text
The full text of the Standard Contractual Clauses and related addenda can be accessed at the EUR-Lex Official Journal (EU Standard Contractual Clauses) and the ICO Website (UK International Data Transfer Addendum). Copies of these documents are also available upon request by contacting legal@maileroo.com.
This Data Processing Addendum was last updated on 24 February 2026. For questions or to request a signed copy, please contact legal@maileroo.com.
