Data Processing Agreement

GEMINDS LLC’s DATA PROCESSING AGREEMENT FOR “GLOCKAPPS”

This Data Processing Agreement (the “Agreement”) reflects the parties’ agreement with respect to the processing of Personal Data by Geminds LLC (the “Processor”) on behalf of the Customer in connection with the GlockApps Subscription Services under the GlockApps Customer Terms of Use between GlockApps and the Customer.

1. Definitions
2. Customer Responsibilities
3. Processor Obligations
4. Data Subject Requests
5. Data Transfers
6. Details of Processing
7. Security Measures
8. General Provisions
9. Consequences of Termination
10. Confidentiality
11. Other

1. Definitions

Terms defined in this Agreement shall have the following meaning:

“GDPR” means the General Data Protection Regulation, a regulation with the intent to strengthen and unify data protection for individuals within the European Union (EU), which replaces the Data Protection Directive (95/46/EC) from 1995. Unless otherwise specified, all references to the GDPR shall be understood to be references to the applicable local equivalent which implements said reference into the local law.

“Personal Data” means any information relating to an identified or identifiable individual where such information is contained within the Customer’s Data and is protected similarly as the personal data, personal information or personally identifiable information under the applicable Data Protection Laws.

“Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation the European Data Protection Laws, the CCPA and the data protection and privacy laws of Australia and Singapore; in each case as amended, repealed, consolidated or replaced from time to time.

“Data Subject” means the individual to whom the Personal Data relates.

“Europe” means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.

“European Data” means Personal Data that is subject to the protection of the European Data Protection Laws.

“European Data Protection Laws” means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; and (iv) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance; in each case, as may be amended, superseded or replaced.

“Instructions” means the written, documented instructions issued by the Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, change, blocking, deletion, making available). The Instructions are available at https://glockapps.com/privacy-policies/

“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.

2. Customer Responsibilities

In particular but without prejudice to the generality of the foregoing, the Customer acknowledges and agrees that it shall be solely responsible for:

(i) the accuracy, quality, and legality of the Customer Data and the means by which the Customer acquired the Personal Data;

(ii) complying with all necessary transparency and lawfulness requirements under the applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations;

(iii) ensuring it has the right to transfer, or provide access to, the Personal Data to Geminds LLC for Processing in accordance with the terms of the Agreement (including this DPA);

(iv) complying with all laws (including the Data Protection Laws) applicable to any emails or other content created, tested, collected or managed through the Subscription Services, including those relating to obtaining consents (where required) to test emails, track bounce emails, and collect DMARC data.

The Customer shall inform Geminds LLC without undue delay if it is not able to comply with its responsibilities under this section or the applicable Data Protection Laws.

3. Processor Obligations

a. Compliance with the Instructions.

Geminds LLC shall only process Personal Data for the purposes described in this Agreement or as otherwise agreed within the scope of the Customer’s lawful Instructions, except where and to the extent otherwise required by the applicable law. Geminds LLC is not responsible for compliance with any Data Protection Laws applicable to the Customer or the Customer’s industry that are not generally applicable to Geminds LLC.

b. Conflict of Laws.

If Geminds LLC becomes aware that it cannot Process Personal Data in accordance with the Customer’s Instructions due to a legal requirement under any applicable law, Geminds LLC will (i) promptly notify the Customer of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as the Customer issues new Instructions with which Geminds LLC is able to comply. If this provision is invoked, Geminds LLC will not be liable to the Customer under the Agreement for any failure to perform the applicable Subscription Services until such time as the Customer issues new lawful Instructions with regard to the Processing.

c. Security.

Geminds LLC shall implement and maintain appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches. Notwithstanding any provision to the contrary, Geminds LLC may modify or update the Security Measures at its discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.

d. Confidentiality.

Geminds LLC shall ensure that any personnel whom Geminds LLC authorizes to process Personal Data on its behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data.

e. Personal Data Breaches.

Geminds LLC will notify the Customer without undue delay after it becomes aware of any Personal Data Breach and shall provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by the Customer. At the Customer’s request, Geminds LLC will promptly provide the former with such reasonable assistance as necessary to enable the Customer to notify the relevant data protection authorities and/or affected Data Subjects about such Personal Data Breaches , if the Customer is required to do so under the Data Protection Laws.

f. Deletion of Personal Data.

Geminds LLC will delete all Personal Data (including copies thereof) processed pursuant to this Agreement in accordance with the procedures and timeframes set out in the Agreement. This requirement shall not apply to the extent Geminds LLC is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which data Geminds LLC shall securely isolate and protect from any further processing and delete in accordance with its deletion practices.

4. Data Subject Requests

The Subscription Service provides the Customer with a number of controls that the Customer may use to retrieve Personal Data, which the Customer may use to assist it in connection with its obligations under the Data Protection Laws, including its obligations relating to responding to requests from the Data Subjects to exercise their rights under the applicable Data Protection Laws (“Data Subject Requests”).

To the extent that the Customer is unable to independently address a Data Subject Request through the Subscription Service, then upon the Customer’s written request Geminds LLC shall provide reasonable assistance to the Customer to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Personal Data under the Agreement.

5. Data Transfers

Customer acknowledges and agrees that Geminds LLC may access and process Personal Data on a global basis as necessary to provide the Subscription Service in accordance with the Agreement, and in particular that Personal Data will be transferred to and processed by Geminds LLC in the United States and to other jurisdictions where Geminds LLC has operations. Geminds LLC shall ensure such transfers are made in compliance with the requirements of Data Protection Laws.

6. Details of Processing

a. Nature and Purpose of Processing

Geminds LLC will process Personal Data as necessary to provide the Subscription Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by the Customer in its use of the Subscription Services.

b. Duration of Processing

Geminds LLC will process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.

c. Categories of Data Subjects

The Customer may submit Personal Data in the course of using the Subscription Service, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:

Customer’s Contacts and other end users including Customer’s employees, contractors, collaborators, customers, prospects, suppliers and subcontractors. Data Subjects may also include individuals attempting to communicate with or transfer Personal Data to Customer’s end users.

d. Categories of Personal Data

The following categories of Customer’s Personal Data will be collected, processed and used by the Processor under the Agreement:

IP address
browser type
operating system
“cookie” information
page URL
login date and time
first name
last name
email address
username
email messages and headers submitted for testing
spam test reports
bounce email analytics
bounce email reports

e. Special Categories of Data (if appropriate)

The parties do not anticipate the transfer of special categories of data.

f. Processing operations

Personal Data will be processed in accordance with the Agreement and may be subject to the following processing activities:

(i) Storage and other processing necessary to provide, maintain and improve the Subscription Services provided to the Customer; and/or

(ii) Disclosure in accordance with the Agreement and/or as compelled by applicable laws.

7. Security Measures

Geminds LLC currently observes the Security Measures described in this section. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement.

a. Access Control

(i) Preventing Unauthorized Service Access

Outsourced processing: Geminds LLC hosts its service with outsourced cloud infrastructure providers. Additionally, Geminds LLC maintains contractual relationships with vendors in order to provide the service in accordance with the Agreement. Geminds LLC relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.

Authentication: Geminds LLC implemented a password policy for its customer accounts. Customers who interact with the service via the user interface must authenticate before accessing non-public customer data.

Authorization: The authorization model is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.

Data Storage: Customer Data such as personal Customers’ accounts, spam test reports, message headers, and DMARC reports are stored on a secure AWS server in the US East (N. Virginia) region. Geminds LLC stores the reports of spam tests for 12 months after the date of the test triggering. Geminds LLC stores the message headers for 30 days after the date of the test triggering. Geminds LLC stores the Sender Score history in the IP Reputation Monitor for 30 days. Geminds LLC stores DMARC reports for 90 days and XML files of DMARC reports received from ISP – for 30 days.

Application Programming Interface (API) access: Public product APIs may be accessed using an API key.

(ii) Limitations of Privilege & Authorization Requirements

Service access: A subset of Geminds LLC’s employees have access to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security.

Background checks: All Geminds LLC employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.

b. Transmission Control

In-transit: Geminds LLC makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces. Geminds LLC’s HTTPS implementation uses industry standard algorithms and certificates. Any payment transactions are carried out by the third party over encrypted connections using SSL technology.

At-rest: Geminds LLC stores user accounts following policies that follow industry standard practices for security. Geminds LLC has implemented technologies to ensure that stored data is encrypted at rest.

c. Input Control

Detection: Geminds LLC designed its infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregated log data and alert appropriate employees of malicious, unintended, or anomalous activities. Geminds LLC’s personnel are responsive to known incidents.

Response and tracking: Geminds LLC maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Geminds LLC will take appropriate steps to minimize service and the Customer’s damage or unauthorized disclosure. Notifications to the Customer will be made in accordance with the terms of the Agreement.

d. Availability Control

Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.

Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.

Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.

8. General Provisions

a. Amendments. Geminds LLC reserves the right to make any updates and changes to the Agreement.

b. Severability. If any individual provisions of the Agreement are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of the Agreement shall not be affected.

c. Governing Law. The Agreement shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by the Data Protection Laws.

9. Consequences of Termination

The parties agree that on the termination of the provision of the services, the Processor shall destroy all the Personal Data.

10. Confidentiality

Any information of whatever kind (whether technical, commercial, financial, operational or otherwise) and in whatever form (whether oral, written, recorded or otherwise), including Personal Data, (hereafter referred to as “Confidential Information”) which may be disclosed in any form or matter by one Party to the other Party, with respect to, or as a result of the Agreement, shall be deemed to be of a confidential nature.

11. Other

Agreed by the parties through their duly authorized representatives on the date.

If you need a signed copy of the Agreement, contact us at glockappssupport@glocksoft.com.