Post a comment
Seen by everyone, do not publish license keys and sensitive personal info!
Effective date: March 18, 2024
This document is an integral part of the Terms of Use.
This Data Processing Agreement applies from March 18, 2024. The previous version of this Data Processing Agreement, available at https://www.ablebits.com/docs/outlook-shared-templates-dpa-archive-2024-01-31/, applies until then.
This Data Processing Agreement ("DPA") is entered into by "Subscriber" and Office Data Apps sp. z o.o. ("Company"), each a "Party" and together "the Parties". DPA is supplemental to, and incorporated into, the Terms of Use ("Terms") (https://www.ablebits.com/docs/outlook-shared-templates-terms-of-use/) between Subscriber and Company.
"Services" mean collectively the Shared Email Templates web application located on https://email-templates.app/, Shared Email Templates add-in for Microsoft Outlook available from Microsoft AppSource (https://www.ablebits.com/go.php?to=shared-email-templates-signup&label=dpa), and Shared Email Templates backend infrastructure located on Amazon Web Services.
"Personal Data", "Personal Data Breach", "processing", "process", "processor", "controller", "data subject", and "Data Subject Request" shall have the same meaning as in the Applicable Data Protection Law and may be lowercase or capitalized herein.
"Applicable Data Protection Law" means, in addition to the regulations applicable to certain jurisdictions referred to in our Privacy Policy, the following data protection law(s), as applicable, including any subsequent amendments, modifications, and revisions thereto:
"Subscriber" means the first party named above. However, in the event Company is required to process Personal Data on the request of an Affiliate of Subscriber, such Affiliate shall also be deemed as "Subscriber". Any reference to Subscriber within this DPA, unless otherwise specified, shall include Subscriber and its Affiliates.
"User Content" means all content that Subscriber uploads, creates, sends, distributes, and/or posts on Services, including, but not limited to, email templates, images, graphics, files, text, document or data files, Personal Data, email messages, HTML code, personalization settings, and other information and/or content that is or may be provided to Company or entered and/or uploaded through Services.
"Sub-processor" means any third-party data processor engaged by Company, who receives Personal Data from Company for processing on behalf of Subscriber and in accordance with Subscriber's instructions (as communicated by Company) and the terms of the written subcontract.
"Supervisor" means any data protection supervisory authority as defined in the GDPR with competence over Subscriber and Company's processing of Personal Data.
—
IN WITNESS WHEREOF, the Parties hereto have executed this DPA by their duly authorized officers or representatives as of the last date of execution below ("Effective Date").
Subscriber has agreed to Terms pursuant to which Subscriber is granted a license to access and use Services during the subscription term. In providing Services, Company will engage on behalf of Subscriber in the processing of Personal Data submitted to and stored within Services by Subscriber.
The terms of this DPA shall only apply to:
The Parties are entering into this DPA to ensure that the processing of Subscriber's Personal Data by Company within Services is done in a manner compliant with Applicable Data Protection Law.
To the extent that any terms of Terms conflict with the substantive terms of this DPA (as they relate to the protection of Personal Data), the terms of this DPA shall take precedence.
As between the Parties, all User Content processed under the terms of DPA and Terms shall remain the property of Subscriber. Under no circumstances will Company act, or be deemed to act, as a "controller" of User Content under any Applicable Data Protection Law.
The Parties agree that the subject matter and duration of processing performed by Company under this DPA, including the nature and purpose of processing, the type of Personal Data, and categories of data subjects, shall be as described in Annex 1 of DPA.
When providing Services to Subscriber under Terms, Company shall comply with the obligations imposed upon it under Article 28-32 of the GDPR and agrees and declares as follows:
Company shall immediately inform Subscriber if, in its opinion, Subscriber's processing instructions infringe any law or regulation. In such event, Company is entitled to refuse processing of Personal Data that it believes to be in violation of any law or regulation.
Subscriber hereby confirms its general written authorization for Company's use of the Sub-processors (Annex 3 to this DPA) in accordance with Article 28 of the GDPR to assist Company in providing Services and processing Personal Data, provided that such Sub-processors:
Company shall remain liable to Subscriber for the subcontracted processing services of any of its Sub-processors under this DPA. Company shall update Sub-processor Policy on its website of any Sub-processor to be appointed at least thirty (30) days prior to such change. Subscriber may sign up to receive email notifications of any such changes to Company's website.
If Subscriber objects to the processing of its Personal Data by any newly appointed Sub-processor as described in the previous paragraph, it shall inform Company within thirty (30) days following the update of Company Sub-processor Policy. In such event, Company will either:
Services provide links to integrations with non-Company services (e.g., Microsoft identity platform) including, without limitation, certain non-Company services which may be integrated directly into Subscriber's account or instance in Services. If Subscriber elects to enable, access, or use such non-Company services, its access and use of such non-Company services is governed solely by the terms and conditions and privacy policies of such non-Company services, and Company does not endorse and is not responsible or liable for, and makes no representations as to any aspect of such non-Company services, including, without limitation, their content, the manner in which they handle User Content (including Personal Data), or any interaction between Subscriber and the provider of such non-Company services. The providers of non-Company services shall not be deemed Sub-processors for any purpose under this DPA.
Upon Subscriber's request, and subject to the confidentiality obligations, Company shall make available to Subscriber (or Subscriber's independent, third-party auditor) information regarding Company's compliance with the obligations set forth in this DPA in the form of the third-party certifications and/or audits set forth in Annex 2.
Subscriber may contact Company to request an audit of Company's procedures relevant to the protection of Personal Data, but only to the extent required under Applicable Data Protection Laws, and Subscriber shall not disrupt Company's business operations during the performance of such audit.
This section applies only to the extent Company is unable to demonstrate compliance with the EU SCCs (as defined hereinafter) through appropriate documentation and information on the processing activities carried out on behalf of Subscriber, considering Company's certifications and audits. By providing a notice to privacy@ablebits.com, Subscriber may ask to exercise the right to perform an audit during normal business hours at Company's premises or physical facilities for the purposes of demonstrating compliance with the EU SCCs (as defined hereinafter) and processing activities and shall be limited to data relevant to Subscriber. Company will make commercially reasonable efforts to comply with such request.
The Parties will mutually agree in advance and in good faith upon the terms of such audit, provided that:
Subscriber acknowledges that Company and its Sub-processors may process Personal Data in countries that are outside of the EEA, United Kingdom, and Switzerland ("European Countries"). This will apply even where Subscriber has agreed with Company to host Personal Data in European Countries in accordance with Regional data hosting rules (Annex 5) if such non-European Countries processing is necessary to provide support-related or other services requested by Subscriber. If Personal Data is transferred to a country or territory outside of European Countries, then such transfer will only take place if:
Standard Contractual Clauses. Where Company processes Personal Data in non-EEA countries, Company shall comply with the EU Commission's Standard Contractual Clauses (annexed to EU Commission Decision 2021/914/EU of 4 June 2021 (http://data.europa.eu/eli/dec_impl/2021/914/oj) (the "EU SCCs")) which shall be entered into and incorporated into this DPA by this reference and completed as follows: Module 2 (Controller to Processor) will apply where Subscriber is a controller of User Content and Company is a processor of User Content; Module 3 (Processor to Processor) will apply where Subscriber is a processor of User Content and Company is a processor of User Content. For each Module, where applicable:
Nothing in the interpretations in this section is intended to conflict with either Party's rights or responsibilities under the EU SCCs and, in the event of any such conflict, the EU SCCs shall prevail.
To the extent any export from or processing of Personal Data outside the United Kingdom is subject to Applicable Data Protection Law in the United Kingdom (including UK GDPR and Data Protection Act 2018 (https://www.legislation.gov.uk/ukpga/2018/12/introduction) ("UK Data Protection Laws"), for so long as it is lawfully permitted to rely on standard contractual clauses for the transfer of Personal Data to processors set out in the European Commission's Decision 2010/87/EU (https://eur-lex.europa.eu/eli/dec/2010/87/oj) ("Prior SCCs"), the Prior SCCs shall apply between Subscriber and Company on the following basis:
When receiving Services under Terms, Subscriber agrees to abide by its obligations under Applicable Data Protection Law.
Upon termination of Subscriber's access to and use of Services, Company will within twelve (12) months following such termination, at the choice of Subscriber:
Following such period, Company shall delete all User Content stored or processed by Company on behalf of Subscriber in accordance with Company's deletion policies and procedures. Subscriber expressly consents to such deletion.
This DPA will remain in force as long as Company processes Personal Data on behalf of Subscriber under Terms.
This DPA shall be subject to the limitations of liability agreed between the Parties set forth in Terms and any reference to the liability of a Party means that Party and its Affiliates in the aggregate. For the avoidance of doubt, Subscriber acknowledges and agrees that Company's total liability for all claims from Subscriber or its Affiliates arising out of or related to Terms and DPA shall apply in aggregate for all claims under both Terms and DPA. For the avoidance of doubt, this section shall not be construed as limiting the liability of either Party with respect to claims brought by data subjects.
This DPA may not be modified except in writing and signed by both Parties. DPA may be executed in counterparts. Each Party's rights and obligations concerning assignment and delegation under this DPA shall be as described in Terms.
Subject to the foregoing restrictions, this DPA will be fully binding upon, inure to the benefit of, and be enforceable by the Parties.
This DPA, along with Terms, constitute the entire understanding between the Parties with respect to the subject matter herein and shall supersede any other arrangements, negotiations, or discussions between the Parties relating to that subject matter.
This DPA is governed by the laws of the Republic of Poland and is subject to the exclusive jurisdiction of the courts of the Republic of Poland. Notices under this DPA shall be sent in accordance with the notice provisions of Terms.
On behalf of Subscriber: | On behalf of Company: |
---|---|
Legal name: | Legal name: Office Data Apps sp. z o.o. |
Name: | Name: Yuliya Tarasava |
Position: | Position: CEO |
Address: | Address: Warszawska str., 109, office 5, Lomianki, 05-092, Poland |
Email: | Email: privacy@ablebits.com |
Date: | Date: November 18, 2022 |
Company will process Personal Data in the course of providing Services under Terms, which may include operation of a cloud-based backend infrastructure. Additional information about Services is available at https://www.ablebits.com/docs/#shared-email-templates-outlook. Company will process Personal Data as a Processor in accordance with Subscriber's instructions.
Personal Data contained in User Content will be subject to the hosting and processing activities of providing Services.
The processing of Personal Data shall endure for the duration of the subscription term in Terms and DPA on a continuous basis.
Subscriber may, at its sole discretion, submit Personal Data to Services, which may include, but is not limited to, the following categories of data subjects: employees (including contractors and temporary employees), relatives of employees, customers, consumers, prospective customers, service providers, suppliers, business partners, vendors, end-users, users of Services, advisors (all of whom are natural persons) of Subscriber, and any natural persons authorized by Subscriber to use Services.
Subscriber may, at its sole discretion, transfer Personal Data to Services which may include, but is not limited to, the following categories of Personal Data: first and last name, username, email address, position, employer, contact information (company name, email address, phone number, physical address), date of birth, gender, number of users for a company account, team names, team descriptions, team members, email addresses of team members, users access permissions, and customer support service information.
Company does not intentionally collect or process any Special categories of Personal Data, as it is not needed for the purposes of providing Services to Subscriber. However, Special categories of Personal Data may, from time to time, be included in processing via Services where Subscriber chooses to include Special categories of Personal Data within Services.
Subscriber is responsible for ensuring that suitable safeguards are in place prior to transmitting or processing any Special categories of Personal Data via Services.
Company will process and retain Personal Data in accordance with the Return and destruction of Personal Data section of this DPA.
Data Exporter: Subscriber | Data Importer: Office Data Apps sp. z o.o. |
Data Exporter Role: Subscriber is Controller | Data Importer Role: Office Data Apps sp. z o.o. is Processor |
Contact Details: Provided in DPA signature block | Contact Details: Provided in DPA signature block |
This Annex describes an information security program that Company designed and maintains to safeguard its systems, data, and Subscribers' Personal Data.
Company reserves the right to update or modify the security program, its practices, and measures from time to time. However, any updates or modifications will not materially reduce the overall security of Services.
The following measures are maintained to authenticate and authorize internal employees:
The following measures are maintained to prevent unauthorized physical access to Company facilities:
The following measures are maintained to secure Company systems including on-premise infrastructure and mobile devices:
The following measures are maintained to secure Company cloud infrastructure:
The following measures are maintained to prevent unauthorized access to, alteration of, and disclosure of Personal Data:
Special security measures are maintained to authenticate and authorize Subscribers to Services, including:
The following measures are maintained to ensure the separate processing of Personal Data collected for different purposes:
Company maintains a security incident response plan for addressing and resolving events that compromise Services or Personal Data:
Company maintains a business continuity plan (BCP) to ensure continuous operations in the face of major disruptions, including the following measures:
The following measures are maintained to secure Service development process and its source code:
Company is committed to the highest standards of security and data protection for Services and Subscribers' Personal Data. Company continuously adapts its security measures to meet evolving threats and regulatory changes, ensuring a resilient and trustworthy framework.
Subscriber, as Controller, hereby confirms its general written authorization for Company’s use of Sub-processors to assist Company in providing Services and processing User Content.
A list of Sub-processors is published at:
https://www.ablebits.com/docs/outlook-shared-templates-sub-processors/
The parties' authorized signatories have executed this DPA including Annexes as set forth below.
On behalf of Subscriber: | On behalf of Company: |
---|---|
Legal name: | Legal name: Office Data Apps sp. z o.o. |
Name: | Name: Yuliya Tarasava |
Position: | Position: CEO |
Address: | Address: Warszawska str., 109, office 5, Lomianki, 05-092, Poland |
Email: | Email: privacy@ablebits.com |
Date: | Date: November 18, 2022 |
Our Sub-processors, when processing User Content on behalf of Subscriber, shall implement and maintain the following technical and organizational security measures for the processing of such User Content as described below.
Our Sub-processors will take reasonable measures to ensure that User Content is secured to protect against accidental destruction or loss. Our Sub-processors shall ensure that, when hosted by Sub-processor, backups are completed on a regular basis, are secured and encrypted, to ensure that User Content is protected.
Our Sub-processors will take reasonable measures to ensure that User Content is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to access User Content only have access to User Content to which they have privilege of access and that User Content cannot be read, copied, modified, or removed without authorization in the course of processing. Sub-processors will implement and maintain an access policy under which access to their system environment, data processing systems, User Content, and other data is restricted to authorized personnel only.
Our Sub-processors will take reasonable measures, such as security personnel and secured buildings, to prevent unauthorized persons from gaining physical access to User Content.
Our Sub-processors will take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of User Content by means of data transmission facilities is envisaged so User Content cannot be read, copied, modified, or removed without authorization during electronic transmission.
Our Sub-processors will logically segregate User Content from the data of other parties on their systems to ensure that User Content may be processed separately.
In order to meet the needs of Services' Subscribers around the globe, Company has developed regional data hosting rules.
Services allow Subscribers to host their User Content in selected regions: the United States (US) or the European Countries (EU).
The following regions are currently available:
Region in Services | AWS region code | Location |
---|---|---|
US Region 1 | us-east-1 | US East (Northern Virginia) |
EU Region 1 | eu-central-1 | Europe (Frankfurt, Germany) |
The list of available regions will expand depending on Subscribers' requests.
Subscriber acknowledges that Company and its Sub-Processors may process User Content in countries outside the selected region if such processing is necessary to provide support-related or other services requested by Subscriber pursuant to the DPA.
Subscription billing data may be transferred by payment service provider outside of the selected region.
If Subscriber has an existing account prior to the date Subscriber purchases applicable subscription plans and selects the region, Company may be required to transfer existing User Content to the selected location. To complete this step, Company will make a copy of Subscriber's User Content to ensure that all relevant User Content has been successfully transferred to the selected location in its entirety. Upon completion and confirmation of the migration process, the copy of Subscriber's User Content will be removed from the original location.
Any data transmitted through links to external resources available within Services (for example, Ablebits.com, Microsoft.com, etc.) may leave the selected region after Subscriber clicks on these links.
Post a comment
Seen by everyone, do not publish license keys and sensitive personal info!