This Data Processing Addendum ("DPA") is an integral part of the Agreement between mailcup.net ("mailcup.net") and the "Customer" and becomes effective upon execution by both parties on the date referred to as the "Effective Date." Capitalized terms not explicitly defined herein shall hold the meanings ascribed to them in the Agreement.
1.1. Affiliate: An entity directly or indirectly Controlled by, Controlling, or under common Control with another entity.
1.2. Agreement: Refers to mailcup.net's Terms of Use, governing the provision of Services to the Customer, subject to updates by mailcup.net.
1.3. Control: Ownership, voting, or similar interests representing fifty percent (50%) or more of the total interests outstanding in the relevant entity. "Controlled" is interpreted accordingly.
1.4. Customer Data: Personal Data processed by mailcup.net as a Data Processor on behalf of the Customer during the provision of Services, as outlined in this DPA.
1.5. Data Protection Laws: All data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including EU Data Protection Law where applicable.
1.6. Data Controller: An entity determining the purposes and means of Personal Data processing.
1.7. Data Processor: An entity processing Personal Data on behalf of a Data Controller.
1.8. EU Data Protection Law: Directive 95/46/EC before 25 May 2018, and from 25 May 2018 onwards, GDPR, along with Directive 2002/58/EC and applicable national implementations.
1.9. EEA: European Economic Area, United Kingdom, and Switzerland for the purposes of this DPA.
1.10. Group: All Affiliates forming part of an entity's corporate group.
1.11. Personal Data: Any information related to an identified or identifiable natural person.
1.12. Privacy Shield: EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework self-certification program approved by the U.S. Department of Commerce and the European Commission.
1.13. Privacy Shield Principles: Privacy Shield Principles contained in Annex II to the European Commission Decision C(2016)4176 of 12 July 2016.
1.14. Processing: As defined in the GDPR, with "process," "processes," and "processed" interpreted accordingly.
1.15. Security Incident: Any unauthorized or unlawful security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Customer Data.
1.16. Services: Any product or service provided by mailcup.net to the Customer as per the Agreement.
1.17. Sub-processor: Any Data Processor engaged by mailcup.net or its Affiliates to assist in fulfilling obligations related to providing Services, including third parties or members of the mailcup.net Group.
2.1. The parties mutually agree that this Data Processing Addendum (DPA) supersedes any previously entered DPA pertaining to the Services.
2.2. The Agreement remains intact and fully effective, with this DPA introducing changes. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of the conflict.
2.3. Claims arising under or in connection with this DPA shall adhere to the terms and conditions, encompassing exclusions and limitations outlined in the Agreement.
2.4. Claims against mailcup.net or its Affiliates pursuant to this DPA shall be directed solely at the entity party to the Agreement. No party shall limit its liability concerning an individual's data protection rights under this DPA. Customer acknowledges that any regulatory penalties incurred by mailcup.net related to Customer Data due to Customer's non-compliance with obligations under this DPA or applicable Data Protection Laws will offset mailcup.net's liability under the Agreement as if it were a liability to the Customer under the Agreement.
2.5. Only a party to this DPA, its successors, and permitted assignees possess the right to enforce its terms.
2.6. The governance and interpretation of this DPA shall align with the governing law and jurisdiction provisions in the Agreement unless otherwise mandated by applicable Data Protection Laws.
3.1. This Data Processing Addendum (DPA) is applicable exclusively to the processing of Customer Data by mailcup.net, originating from the European Economic Area (EEA) and/or subject to EU Data Protection Law. Such processing occurs as part of mailcup.net's role as a Data Processor, delivering Services in accordance with the Agreement.
3.2. Part A (encompassing Sections 4 to 8 inclusive, along with Annexes A and B) pertains to the processing of Customer Data covered by this DPA from the Effective Date.
3.3. Part B (encompassing Sections 9 to 12 inclusive) is applicable to the processing of Customer Data within the scope of this DPA from and after May 25, 2018. Notably, Part B is supplementary to, and not a substitute for, the terms outlined in Part A.
4.1. Role of the Parties. In the context of data processing, Customer assumes the role of Data Controller for Customer Data, while mailcup.net operates exclusively as a Data Processor, carrying out data processing activities on behalf of Customer.
4.2. Customer Processing of Customer Data. Customer acknowledges and agrees to fulfill its obligations as a Data Controller under Data Protection Laws concerning the processing of Customer Data. Furthermore, Customer commits to providing necessary notices, obtaining consents, and securing rights mandated by Data Protection Laws to enable mailcup.net to process Customer Data and deliver Services in accordance with the Agreement and this DPA.
4.3. mailcup.net Processing of Customer Data. mailcup.net undertakes to process Customer Data solely for the purposes outlined in this DPA and strictly in accordance with the documented lawful instructions issued by Customer. This DPA, in conjunction with the Agreement, represents the comprehensive and definitive instructions provided by Customer to mailcup.net regarding the processing of Customer Data. Any processing beyond these instructions necessitates a prior written agreement between Customer and mailcup.net.
4.4. Details of Data Processing:
(a) Subject matter: The data processing under this DPA pertains to Customer Data.
(b) Duration: The data processing continues until the termination of the Agreement, as per its stipulated terms.
(c) Purpose: The objective of data processing is to provide Services to the Customer and fulfill mailcup.net's obligations under the Agreement, including this DPA, or as mutually agreed upon by the parties.
(d) Nature of the processing: mailcup.net offers email services, automation, marketing platforms, and related services as specified in the Agreement.
(e) Categories of data subjects: Data subjects include individuals accessing and/or using the Services through the Customer's account ("Users") and any individuals falling under the categories of: (i) having email addresses in the Customer's Distribution List; (ii) whose information is stored on or collected via the Services; or (iii) with whom Users engage or communicate via the Services ("Subscribers").
(f) Types of Customer Data:
(i) Customer and Users: This category encompasses identification and contact data (such as name, address, title, contact details, and username), financial information (including credit card details, account information, and payment details), and employment details (employer, job title, geographic location, and area of responsibility).
(ii) Subscribers: For Subscribers, the data includes identification and contact details (name, date of birth, gender, occupation, or other demographic information, address, title, and contact details, including email address), personal interests or preferences (such as purchase history, marketing preferences, and publicly available social media profile information), and IT information (IP addresses, usage data, cookies data, online navigation data, location data, and browser data). Additionally, financial information (credit card details, account information, and payment details) is part of this category.
4.5. Data Use for Business Purposes:
Notwithstanding provisions in the Agreement, including this DPA, Customer acknowledges that mailcup.net retains the right to use and disclose data related to the operation, support, and use of the Services for legitimate business purposes. This includes activities such as billing, account management, technical support, product development, sales, and marketing. If such data is classified as Personal Data under Data Protection Laws, mailcup.net acts as the Data Controller and processes it in compliance with the MailCup Privacy Policy and Data Protection Laws.
4.6. Tracking Technologies:
In the course of service performance, mailcup.net utilizes Tracking Technologies such as cookies, unique identifiers, web beacons, and similar mechanisms. Customer is responsible for maintaining appropriate notice, consent, opt-in, and opt-out mechanisms, as required by Data Protection Laws. This ensures that mailcup.net can lawfully deploy Tracking Technologies on Subscribers' devices, as outlined and described in the MailCup Privacy Policy.
5.1. Authorized Sub-processors: Customer acknowledges and agrees that mailcup.net may involve Sub-processors in processing Customer Data on behalf of the Customer. The current list of Sub-processors engaged by mailcup.net and authorized by the Customer is detailed in Annex A.
5.2. Sub-processor Obligations: mailcup.net commits to (i) entering into a written agreement with each Sub-processor, establishing data protection terms ensuring the protection of Customer Data in compliance with Data Protection Laws, and (ii) retaining responsibility for its adherence to this DPA's obligations. mailcup.net remains liable for any actions or oversights of the Sub-processor that lead to a breach of its obligations under this DPA.
6.1. Security Measures: mailcup.net shall implement and uphold appropriate technical and organizational security measures outlined in Annex B ("Security Measures") to safeguard Customer Data against Security Incidents. These measures aim to maintain the security and confidentiality of Customer Data in alignment with mailcup.net's security standards.
6.2. Updates to Security Measures: The Customer is obligated to review the data security information provided by mailcup.net, assessing whether the Services align with its requirements and legal obligations under Data Protection Laws. Recognizing that Security Measures may evolve with technical progress, mailcup.net reserves the right to update or modify these measures, ensuring they enhance rather than compromise the overall security of the Services purchased by the Customer.
6.3. Customer Responsibilities: Notwithstanding the above, Customer is accountable for securely using the Services. This includes safeguarding account authentication credentials, ensuring the security of Customer Data during transit to and from the Services, and taking necessary steps to encrypt or back up any Customer Data uploaded to the Services.
7.1. Security Audits: mailcup.net undergoes regular audits against SSAE 16 and PCI standards conducted by independent third-party auditors and internal auditors. Upon request, mailcup.net will provide a confidential summary copy of its audit report(s) to Customer, allowing verification of compliance with audit standards and this DPA.
7.2. Customer Information Requests: mailcup.net commits to supplying written responses (confidentially) to reasonable information requests from Customer, including responses to security and audit questionnaires. However, Customer is restricted from exercising this right more than once per year.
8.1. Datacenter locations:
mailcup.net reserves the right to transfer and process Customer Data globally, wherever mailcup.net, its Affiliates, or its Sub-processors conduct data processing operations. mailcup.net is committed to maintaining an adequate level of protection for the processed Customer Data at all times, aligning with the requirements of Data Protection Laws.
8.2. Privacy Shield:
If mailcup.net processes Customer Data protected by EU Data Protection Law in a country lacking European Commission or Swiss Federal Data Protection Authority's designation for an adequate level of protection, mailcup.net, having self-certified compliance with Privacy Shield, is deemed to provide sufficient protection. mailcup.net undertakes to safeguard such Personal Data in accordance with Privacy Shield Principles and promptly informs the Customer of any inability to comply.
8.3. Alternative Transfer Mechanism:
The parties acknowledge that the data export solution outlined in Section 8.2 won't apply if mailcup.net adopts an Alternative Transfer Mechanism for lawful Personal Data transfer outside the EEA under EU Data Protection Laws. In such instances, the Alternative Transfer Mechanism will take precedence, limited to territories where it applies.
9.1. Confidentiality of processing:
mailcup.net ensures that any authorized personnel processing Customer Data, including staff, agents, and subcontractors, are bound by an appropriate obligation of confidentiality, be it contractual or statutory.
9.2. Security Incident Response:
In the event of a Security Incident, mailcup.net promptly notifies Customer, providing timely and requested information pertaining to the incident.
10.1. Notification and Objection:
mailcup.net commits to furnishing an up-to-date Sub-processor list upon written request from Customer. Any addition or removal of Sub-processors will be communicated to Customer at least 10 days prior. Customer may object in writing within five (5) calendar days based on reasonable data protection grounds. In case of objection, the parties engage in good faith discussions for resolution. If unsuccessful, Customer may suspend or terminate the Agreement, excluding fees incurred before suspension or termination.
11.1. Termination or Expiration:
Upon Agreement termination or expiration, mailcup.net, at Customer's discretion, shall either delete or return all Customer Data (including copies) in its possession or control. This obligation excludes Customer Data retention mandated by applicable law or archived on backup systems, which mailcup.net will securely isolate and protect from further processing, except as required by law.