This Data Processing Agreement applies to you if you signed up for MessageBird's Services (including through any of its Affiliates) on or after 28 February 2022 and before 1 January 2024. Effective as of 15 April 2022, this Data Processing Agreement also applies to customers who signed up for MessageBird's Services before 28 February 2022. Our archived Data Processing Agreement is available here.

Data Processing Agreement

This data processing agreement including the appendices (the "DPA") is part of the Agreement between Customer and the contracting entity listed in Section 15 (Contracting Entity) of the General Terms and Conditions, unless otherwise stated on your Order Form. In this DPA, the terms "you", "your" or "Customer" refer to you (subject to Section 1.2 below), and the terms "we", "us", "our" or "MessageBird" refer to us.

1. Scope, Customer Affiliates and Term

1.1 Scope. This DPA governs the processing of Customer Personal Data by MessageBird as a processor.

1.2 Customer Affiliates. Customer enters into this DPA on behalf of itself and, to the extent required under Data Protection Legislation, in the name and on behalf of its Affiliates (as defined in the Terms), if and to the extent you provide such Affiliates with access to the Services and we process Customer Personal Data for which such Affiliates qualify as the data controller ("Customer Affiliates"). For the purposes of this DPA only, and except where indicated otherwise, the terms "Customer" and "you" shall include Customer and its Customer Affiliates.

1.3 Term. This DPA shall remain in effect so long as MessageBird processes Customer Personal Data subject to this DPA, notwithstanding the expiration or termination of the Agreement.

2. Definitions

Capitalized terms used but not defined in this DPA have the meaning given to them in the Agreement. The following defined terms are used in this DPA:

2.1 “CCPA” means the California Consumer Privacy Act of 2018 and any regulations promulgated thereunder, in each case as amended from time to time.

2.2 “Customer Data” means any data and other information or content submitted by you or for you (or by a user of your Customer Application) under the Agreement and processed or stored by the Services.

2.3 “Customer Personal Data” means Personal Data contained in Customer Data. Account data is not Customer Personal Data. Account data is any data provided by or for you to MessageBird in connection with the entering into and administration of the Agreement and of your account, including but not limited to contact information, Customer billing details and correspondence about the entering into and administration of the Agreement.

2.4 “Data Protection Legislation” means all laws and regulations of any jurisdiction applicable to the confidentiality, privacy, security, or processing of Personal Data under the Agreement, including, where applicable, the GDPR, the CCPA and all other laws and regulations relating to privacy, direct marketing or data protection.

2.5 “EEA” means, for the purposes of this DPA, the European Economic Area and Switzerland.

2.6 “EU Controller-to-Processor Standard Contractual Clauses” means the “Controller to Processor” (Module 2) module of the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR and European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

2.7 “EU Processor-to-Subprocessor Standard Contractual Clauses” means the “Processor to Processor” (Module 3) module of the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR and European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

2.8 “GDPR” means either (i) the Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation); or (ii) solely with respect to the United Kingdom, the Data Protection Act 2018.

2.9 “LGPD” means the Lei Geral de Proteção de Dados of 2018 and any regulations promulgated thereunder, in each case, as amended from time to time.

2.10 “Personal Data” means any information relating to a directly or indirectly identified or identifiable natural person.

2.11 “PDPA” means the Personal Data Protection Act of 2012 and any regulations promulgated thereunder, in each case, as amended from time to time.

2.12 “Privacy Statement” means the then-current Privacy Statement for the Services available at https://messagebird.com/en/legal/privacy.

2.13 “Personal Data Breach” means any accidental, unauthorized or unlawful destruction, loss, alteration or disclosure of, or access to, Customer Personal Data.

2.14 “Services” means all products and services provided by us or our Affiliates that are (a) ordered by you under any Order Form; or (b) used by you.

2.15 “Standard Contractual Clauses” means either (i) the EU Controller-to-Processor Standard Contractual Clauses; or (ii) the EU Processor-to-Subprocessor Standard Contractual Clauses, either individually or collectively, as applicable.

2.16 “Subprocessor” means the entity which processes Customer Personal Data on behalf of an entity acting as a data processor or a Subprocessor.

2.17 “UK Controller-to-Processor Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data to processors established in third countries in the form set out by European Commission Decision 2010/87/EU, as may be amended, modified or superseded by the European Commission.

Terms such as "processing", "data controller", "data processor", "data subject" etc. have the meanings assigned to them in the GDPR. The definition of "data controller" includes "business", "controller" and "organisation"; "data processor" includes "service provider", "processor" and "data intermediary"; "data subject" includes "consumer" and "individual"; and "personal data" includes "personal information", in each case as defined in the CCPA, LGPD or PDPA.

3. Processing of Customer Personal Data

3.1 Purposes. We will process Customer Personal Data only to the extent necessary (i) to provide the Services, including transmitting communications, ensuring the security of the Services, providing technical and delivery reports, providing support, and developing and implementing improvements and updates, in accordance with your documented instructions to us as a data processor as specified in Section 3.2 of this DPA, and (ii) for our legitimate business purposes as specified in Section 3.4 of this DPA, as a data controller. We do not sell any Personal Data, including Customer Personal Data, and do not share Personal Data with third parties for compensation or for those third parties' own business interests.

3.2 Instructions. The Agreement and this DPA constitute your complete instructions to us as a data processor at the time of signature of this DPA. We will comply with other reasonably documented instructions provided that those instructions are consistent with the terms of the Agreement.

3.3 Details of Processing. Annex I, Part B (Description of Transfer) of this DPA further specifies the nature and purpose of the processing, the processing activities, the duration of the processing, the types of Personal Data and the categories of data subjects processed by us as a data processor or Subprocessor.

3.4 Legitimate Business Purposes. You acknowledge that we process Customer Personal Data as an independent data controller to the extent necessary for the following legitimate business purposes: billing, account management, financial and internal reporting, combatting and preventing security threats, cyber attacks and cybercrime that may affect us or our services, business modeling (e.g. forecasting, capacity and revenue planning, product strategy), fraud, spam and abuse prevention and detection, product improvement, and compliance with our legal obligations.

4. Customer Obligations

4.1 Lawfulness. Where you act as a data controller of Customer Personal Data, you guarantee that all processing activities are lawful, have a specific purpose, and that any required notices and consents or other appropriate legal basis are in place to enable lawful transfer of the Customer Personal Data. If you are a data processor (in which case we will act as a Subprocessor), you will ensure that the relevant data controller guarantees that the conditions listed in this Section 4.1 are met.

4.2 Compliance. You are solely responsible for (a) ensuring that you comply with the Data Protection Legislation applicable to your use of the Services and to your own processing of Customer Personal Data, (b) making an independent assessment of whether the technical and organizational measures of the Services meet your requirements, and (c) implementing and maintaining privacy and security measures for components that you provide or control (including but not limited to passwords, devices used with the Services and Customer Applications).

5. Security

5.1 Security Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we shall implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data from Personal Data Breaches and to preserve the security, integrity, availability, resiliency and confidentiality of the Customer Data and of the systems we use to process Customer Data. The security measures applied by us are described in Appendix II.

5.2 Updates to Security Measures. You are responsible for reviewing the information made available by us relating to Customer Personal Data security and making an independent determination as to whether such information meets your requirements and legal obligations under Data Protection Legislation. You acknowledge that the security measures are subject to technical progress and development, and that we may update or modify our security measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Customer Personal Data.

5.3 Access Controls. We apply the principles of "need to know" and least privilege.

5.4 Confidentiality of Processing. We will ensure that any person or party authorized by us to process Customer Personal Data (including our staff, agents and Subprocessors) is informed of the confidential nature of such Customer Personal Data and is under an appropriate obligation of confidentiality (whether a contractual or statutory duty) that survives termination of their engagement.

5.5 Personal Data Breach Response and Notification. Upon becoming aware of a Personal Data Breach, we will without undue delay (i) notify you, (ii) investigate the Personal Data Breach, (iii) provide timely information relating to the Personal Data Breach as it becomes known or as it is reasonably requested by you, and (iv) take commercially reasonable steps to mitigate the effects and prevent recurrence of the Personal Data Breach.

6. Assistance

6.1 Data Protection Assistance. We shall provide you with reasonably requested assistance to allow you to comply with your obligations under the Data Protection Legislation, including the notification of a Personal Data Breach, assessing the appropriate level of security of processing, and assisting you with the performance of a relevant data protection impact assessment.

6.2 Assistance with Data Subject Requests. We will provide you with reasonable assistance to allow you to comply with your obligations to data subjects who exercise their rights under the Data Protection Legislation by making available technical and organizational measures via your account. For the avoidance of doubt, you as the data controller are responsible for processing any request or complaint from data subjects with respect to the Customer Personal Data of a data subject.

7. Disclosure and Disclosure Requests

7.1 Restrictions on Disclosure and Access. We will not provide access to or disclose Customer Personal Data except (i) as directed by you, (ii) as set out in the Agreement and this DPA, or (iii) as required by law.

7.2 Disclosure Requests. We will notify you as soon as reasonably possible if we receive a request from a governmental or regulatory body to disclose Customer Personal Data, unless such notice is prohibited by law. We will handle disclosure requests in accordance with the disclosure request policy available at https://messagebird.com/en/legal/disclosure-requests.

8. Subprocessors

8.1 Current Subprocessors. You agree to the engagement of the Subprocessors listed at https://www.messagebird.com/en/legal/privacy#processorList under the header "End User Personal Data", which page contains a procedure for you to subscribe to notifications of changes to our use of Subprocessors. If you subscribe to such notifications, and taking into account Section 8.3 of this DPA, we will share details of any change in Subprocessors as soon as reasonably possible.

8.2 Use of Subprocessors. By means of this DPA, you provide a general written authorization to us to engage Subprocessors for the processing of Customer Personal Data, subject to Section 8.3 of this DPA and the following requirements:

a. We limit Subprocessor access to Customer Personal Data to what is strictly necessary to provide the services set out in the subprocessing agreement;

b. We will enter into data protection obligations with the Subprocessor that are substantially consistent with the obligations under this DPA; and

c. We remain liable to you under this DPA for the performance of the Subprocessor's data protection obligations.

8.3 Notice of Subprocessor Changes and Right to Object. Before replacing or engaging new Subprocessors ("Subprocessor Change"), we will give you the option to object to the Subprocessor Change.

You may object to a Subprocessor Change provided that (i) the objection is submitted in writing within ten (10) business days of our notice of the Subprocessor Change, and (ii) the objection is based on, and clearly explains, reasonable grounds relating to the protection of Customer Personal Data. If you object to a proposed Subprocessor Change, we will work with you in good faith to make a commercially reasonable change in the provision of the Services that avoids the use of the Subprocessor concerned. If such a change cannot be made within thirty (30) business days of our receipt of your objection, or if the change is commercially unreasonable for us, either party may terminate the affected functions of the Services that cannot be provided without the use of the Subprocessor concerned. This termination right is your sole and exclusive remedy if you object to a Subprocessor Change.

9. Cross-Border Transfers of Customer Personal Data

9.1 Transfer of Customer Personal Data. We may transfer Customer Personal Data on the condition that all appropriate safeguards required by Data Protection Legislation are in place. This may include a prior data transfer impact assessment, the adoption, monitoring and evaluation of supplementary technical, organizational and legal measures, enforceable data subject rights, and the availability of effective legal remedies for data subjects.

9.2 Standard Contractual Clauses with Subprocessors. Unless an adequacy decision or alternative transfer mechanism applies, we have entered into and shall maintain Standard Contractual Clauses with Subprocessors (including our Affiliates) located outside the EEA, subject to the terms set out in Section 9.1 of this DPA.

9.3 Transfer Mechanisms for Transfers of Customer Personal Data. To the extent your use of the Services requires a cross-border data transfer mechanism to lawfully export Customer Personal Data from a jurisdiction (e.g. the EEA, California, Singapore, Switzerland or the United Kingdom) to us located outside of that jurisdiction, this Section will apply. If, in the performance of the Services, Customer Personal Data that is subject to the GDPR or any other law relating to the protection or privacy of individuals that applies to this DPA is transferred to MessageBird located in countries which do not ensure an adequate level of data protection within the meaning of the Data Protection Legislation, the transfer mechanisms listed below shall apply to such transfers and can be directly enforced by the parties to the extent such transfers are subject to the Data Protection Legislation:

9.3.1 The parties agree that the Standard Contractual Clauses will apply to Customer Personal Data that is transferred via the Services from the EEA or Switzerland, either directly or via onward transfer, to a MessageBird entity located in a country outside the EEA or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for personal data.

9.3.1.1 Where you act as a data controller and MessageBird is a data processor, the EU Controller-to-Processor Standard Contractual Clauses apply to transfers of Customer Personal Data from the EEA to the data processor. Where you act as a data processor and MessageBird is a Subprocessor, the EU Processor-to-Subprocessor Standard Contractual Clauses apply to transfers of Customer Personal Data from the EEA to the Subprocessor.

9.3.1.2 MessageBird is deemed the data importer and you the data exporter under the Standard Contractual Clauses. Each party's signature of this DPA is treated as signature of the applicable Standard Contractual Clauses, which are deemed incorporated into this DPA. The details required under Annex 1 and Annex 2 of the Standard Contractual Clauses are set out in Appendix I and Appendix II of this DPA. In the event of a conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses prevail solely with respect to transfers of Customer Personal Data from the EEA.

9.3.1.3 Where the Standard Contractual Clauses require the parties to choose between optional clauses and to provide information, the parties have done so as described below:

  • Optional Clause 7 "Docking clause" is not adopted.

  • For Clause 9 "Use of sub-processors", the parties select the following option: "Option 2 General written authorisation: The data importer has the controller's general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the controller in writing of any intended changes to that list through the addition or replacement of sub-processors at least ten business days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object. The data importer shall inform the data exporter of the engagement of the sub-processor(s)."

  • For Clause 11(a) "Redress", the parties do not adopt the option.

  • For Clause 17 "Governing law", the parties select the following option: "Option 1. These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The parties agree that this shall be the law of the Netherlands."

  • For Clause 18(b) "Choice of forum and jurisdiction": "The parties agree that those shall be the courts of the Netherlands."


9.3.2 The parties agree that the UK Controller-to-Processor Standard Contractual Clauses will apply to Customer Personal Data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to a MessageBird entity located in a country outside the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or governmental body as providing an adequate level of protection for personal data.

9.3.2.1 MessageBird is deemed the data importer and you the data exporter under the UK Controller-to-Processor Standard Contractual Clauses. Each party's signature of this DPA is treated as signature of the UK Controller-to-Processor Standard Contractual Clauses, which are deemed incorporated into this DPA. The details required under Appendices 1 and 2 of the UK Controller-to-Processor Standard Contractual Clauses are set out in Appendix I and Appendix II of this DPA. In the event of a conflict or inconsistency between this DPA and the UK Controller-to-Processor Standard Contractual Clauses, the UK Controller-to-Processor Standard Contractual Clauses prevail solely with respect to transfers of Customer Personal Data from the United Kingdom.

10. Audit

10.1 Audit Report. Our communication platform shall be regularly audited against the ISO 27001:2013 standard (or equivalent). The audit may, in our sole discretion, be an internal audit or an audit performed by a third party. Upon written request, we will provide you with a summary of the audit report(s) ("Audit Report"), so that you can verify our compliance with the audit standards and this DPA. Such Audit Reports, as well as any conclusions or findings specified therein, are our Confidential Information.

10.2 Customer Information Requests. We will make available to you all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA. We will provide written responses to reasonable requests for information made by you, including responses to information security and audit questionnaires that are reasonable in scope and necessary to confirm compliance with this DPA, provided that you (i) have first made a reasonable effort to obtain the requested information from the Documentation, Audit Reports and other information provided or made public by us, and (ii) will not exercise this right more than once per year, unless a Personal Data Breach or a significant change in our processing activities in relation to the Services requires that an additional questionnaire be completed. All responses provided are our Confidential Information.

10.3 Customer Audit. If an Audit Report provided by us to you gives you substantiated reasons to believe that we are in breach of our obligations under this DPA in relation to the Customer Personal Data provided by you, we will allow an independent and qualified third-party auditor appointed by you and approved by us to audit the relevant Personal Data processing activities, provided that the following requirements are met:

a. You must give us at least sixty (60) days' prior notice before exercising your right to audit;

b. The auditor commits to us to customary confidentiality obligations;

c. You and the auditor take measures to minimize disruption of our business operations;

d. The audit is conducted during normal business hours;

e. We are not obliged to provide access to Customer Data of other customers or to systems that are not involved in providing the Services; and

f. You bear all costs of the audit.

11. Deletion and Return of Customer Personal Data

Upon termination or expiration of the Agreement, we will (at your election) delete or return to you all Customer Personal Data (including copies) in our possession or under our control, except that this requirement does not apply to the extent we are required by law to retain some or all of the Customer Personal Data. If you instruct us to delete Customer Personal Data, Customer Personal Data archived on our backup systems will be protected from further processing and deleted after the required retention period has expired.

12. Communication and Rights of Customer Affiliates

Entering into this DPA in the name and on behalf of a Customer Affiliate, as set out in Section 1.2, constitutes a separate DPA between us and that Customer Affiliate, subject to the following provisions:

12.1 Communication. The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with us under this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Customer Affiliates.

12.2 Rights of Customer Affiliates. Where a Customer Affiliate becomes a party to the DPA with us, it shall, to the extent required under Data Protection Legislation, be entitled to exercise the rights and seek remedies under this DPA, subject to the following:

(i) Unless Data Protection Legislation requires the Customer Affiliate itself to exercise a right or seek a remedy under this DPA directly against MessageBird, the parties agree that (i) solely the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Customer Affiliate, and (ii) the Customer that is the contracting party to the Agreement shall exercise such rights under this DPA not separately for each Customer Affiliate, but for itself and all of its Customer Affiliates together.

(ii) The parties agree that the Customer that is the contracting party to the Agreement shall, when carrying out an on-site audit of the procedures relevant to the protection of Customer Personal Data on its own behalf pursuant to Section 10.3 of this DPA, take all reasonable measures to limit the impact on us by, to the extent reasonably possible, combining several audit requests carried out on its behalf and on behalf of all of its Customer Affiliates into a single audit.

For the avoidance of doubt, a Customer Affiliate does not become a party to the Agreement.

13. California Consumer Privacy Act

We undertake the following additional obligations to you with respect to the processing of Customer Personal Data under the CCPA.

13.1 Our Obligations. We shall comply with the CCPA and treat all Customer Personal Data subject to the CCPA ("CCPA Personal Data") in accordance with the provisions of the CCPA. With respect to CCPA Personal Data, we are a service provider under the CCPA. We will not (a) sell CCPA Personal Data; (b) retain, use or disclose any CCPA Personal Data for any purpose other than for the specific purpose of providing the Services, including retaining, using or disclosing CCPA Personal Data for a commercial purpose other than providing the Services; or (c) retain, use or disclose CCPA Personal Data outside of our direct business relationship with you. The Processing of CCPA Personal Data authorized by your instructions in the Terms and this DPA is integral to our provision of the Services. You acknowledge and agree that our access to Customer Data does not constitute part of the consideration exchanged under the Agreement. To the extent that any usage data is considered CCPA Personal Data, we are the business with respect to such data and will Process that data in accordance with our Privacy Statement. The terms "business", "commercial purpose", "service provider" and "sell" as used in this Section 13.1 have the meanings given to them in the CCPA. Both parties certify that they understand and will comply with the obligations and restrictions set forth in this DPA and the Agreement as required under the CCPA.

13.2 Customer Obligations. You represent and warrant that you have provided notice to the End-User that the Personal Data is being used or shared in accordance with the terms and conditions envisaged in Section 1798.140(t)(2)(C)(i) of the CCPA. You are responsible for compliance with the requirements of the CCPA applicable to you as a data controller.

14. Governing Law and Dispute Resolution

Section 13 of the Terms shall apply to any Disputes arising out of or related to this DPA, unless required otherwise by Data Protection Legislation.

ANNEX I - DETAILS OF PROCESSING
Where applicable, this Annex I will serve as Annex I to the EU Standard Contractual Clauses.

Annex I, Part A. List of Parties

Data exporter: Customer
Data exporter contact details: The address listed in Customer's account, or Customer's account owner email address, or the email address(es) at which Customer elects to receive notices under the Agreement.
Data exporter role: The data exporter's role is outlined in Section 4 of the DPA.
Signature and date: If and when applicable, the data exporter is deemed to have signed the Standard Contractual Clauses incorporated herein as of the Effective Date of the DPA.
Data importer: MessageBird B.V.
Data importer contact details: Trompenburgstraat 2-C, 1079TX, Amsterdam, The Netherlands, Data Protection Officer - privacy@messagebird.com
Data importer role: The data importer acts as data processor.
Signature and date: If and when applicable, the data importer is deemed to have signed the Standard Contractual Clauses incorporated herein as of the Effective Date of the DPA.

Annex I, Part B. Description of Transfer

1. Categories of data subjects whose personal data is transferred:

Users. Customer's contact persons (natural persons) or employees, contractors or temporary workers (current, prospective, former) using the Services through the Customer's account ("Users");

End-Users. Any individual (i) whose contact details are included in the Customer's contacts list(s); (ii) whose information is stored on or collected via the Services; or (iii) to whom Customer sends communications or with whom Customer otherwise engages or communicates via the Services (collectively, "End-Users").

You as the Customer solely determine the categories of data subjects included in the communications sent over our communication platform.

2. Categories of personal data transferred: Customer Personal Data contained in communication content, traffic data, End-User data and customer usage data.

Communication content, which may include Personal Data or other personalized characteristics, depending on the communication content as determined by you as the Customer.

Traffic data, which may include Customer Personal Data about the routing, duration or timing of a communication such as a voice call, SMS or email, whether it relates to an individual or a company.

End-User data, such as phone number, email address, first name, last name, profile name, country, channel identifier.

Customer usage data, which may contain data that can be linked to you as an individual, included in statistical data and information related to your account and service activities, service-related insights and analytic reports regarding communications sent and customer support.

3. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

(a) Communication content. Sensitive data may, from time to time, be processed via the Services where you or your End-Users choose to include sensitive data within the communications that are transmitted using the Services. You are responsible for ensuring that suitable safeguards are in place prior to transmitting or processing, or prior to permitting your End-Users to transmit or process, any sensitive data via the Services, in accordance with Section 3.2 of the Agreement.

(b) Traffic data, End-User data and customer usage data. No sensitive data is contained in traffic data, End-User data, or customer usage data.

4. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Customer Personal Data is transferred on a continuous basis for the duration of the Agreement.

5. Nature of the processing: We will process Customer Personal Data to the extent necessary to provide the Services under the Agreement. We do not sell any Personal Data, including Customer Personal Data, and do not share Personal Data with third parties for compensation or for those third parties' own business interests.

6. Purpose(s) of the data transfer and further processing: We will process Customer Personal Data as a data processor in accordance with the instructions of Customer as set forth in this DPA, unless processing is necessary for compliance with a legal obligation to which we are subject, in which case we will qualify as a data controller.

Communication content, traffic data, End-User data, and customer usage data. Personal Data contained in communication content, traffic data, End-User data, and customer usage data will be subject to the following basic processing activities:

(a) Communication content. The provision of programmable communication products and services, offered in the form of application programming interfaces (APIs) or via the Dashboard, to Customer, including transmittal to or from Customer's software application from or to our communication platform and other communications networks.

(b) Traffic data. Traffic data is processed for the purpose of transmitting communication on an electronic communications network or for the billing in respect of that communication. This may include Customer Personal Data about the routing, duration or timing of a communication such as a voice call, SMS or email, whether it relates to an individual or a company.

(c) End-User data. Personal Data of End-Users is required in order to perform the Services and will only be processed for the purposes of communication transmission, customer support, and ensuring compliance with legal obligations of MessageBird.

(d) Customer usage data. Personal Data contained in customer usage data will be subject to the processing activities of providing the Services under the Agreement, with the aim of providing Customer with Services related insights and analytic reports regarding the communication sent, customer support, and continuous improvement of the Services.

7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

(a) Communication content and traffic data. For customer content and traffic data contained in the SMS and Voice Services a retention period of six months applies;

For the Services of 24sessions customer content and traffic data are retained for a minimum of 30 days up to the duration as agreed upon with you;

For all other services, customer content and traffic data are retained for the duration of the Services, except if you delete customer content or traffic data via the technical and organizational measures provided to you via the Services.

(b) End-User data. End-User data will be processed for the duration determined by the Customer; when End-User data is included in your contact profiles, the default retention period is the duration of the Services, subject to Section 6(c) of this Annex I, Part B.

(c) Customer usage data. Upon termination of the Agreement, we may retain, use, and disclose Customer Usage Data for the purposes set forth in Section 6(d) of this Annex I, Part B, subject to the confidentiality obligations set forth in the Agreement. We will anonymize or delete customer usage data when we no longer require it for the purposes set forth in Section 6(d) of this Annex I, Part B.

8. For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing: For transfers to Subprocessors, the subject matter and nature of the processing is outlined at https://www.messagebird.com/legal/privacy#processorList and the duration is the duration of the Agreement.

Annex I, Part C. Competent supervisory authority

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) will be the competent supervisory authority.

ANNEX II TO THE STANDARD CONTRACTUAL CLAUSES

Where applicable, this Appendix II will serve as Annex II to the Standard Contractual Clauses. The following provides more information regarding our technical and organizational security measures set forth below.

Technical and organizational security measures:
Measures of pseudonymization and protection of Personal Data in storage and transit: All Personal Data is encrypted in transit and at rest, and, to the extent relevant from a security standpoint, treated as if it were classified as sensitive data. Information is always transmitted over TLS with up-to-date encryption methodologies by default.

Measures for ensuring ongoing confidentiality, integrity, and availability and resilience of processing systems and services: we enter into agreements that contain confidentiality provisions with our employees, contractors, vendors, and Subprocessors. Our business continuity policy is to prepare our business and services in the event of extended outages caused by factors beyond our control and to restore services to the widest extent possible in a minimum time frame. We understand the services we provide are mission critical to our customers and therefore have very little tolerance for service disruptions. Our timeframes for recovery are designed to ensure we can meet our obligations to all of our customers.

Processes for regular testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of processing: The goal of information security and our Information Security Management System (ISMS) is to protect the confidentiality, integrity and availability of information to the organization, employees, partners, customers and the (authorized) information systems, and to minimize the risk of damage occurring by preventing security incidents and managing security threats and vulnerabilities. Our Legal team, Data Protection Officer, and Security and Compliance Team make sure that applicable regulations and standards are factored into our security frameworks.

Measures for user identification and authorization: We follow the principles of "need to know" and "least privilege". We promote the use of role based access control. Provisioning and deprovisioning is overseen by the security team, with Single Sign-On and 2FA by default. Owners have been defined for each information asset who are responsible for ensuring that access to their systems is appropriate and reviewed on a regular basis. Whenever dealing with sensitive information or taking critical action, we use the four-eyes principle.

Measures for ensuring event logging: Audit logs are centrally stored and monitored on a regular basis for security events and are kept secure to avoid the risk of tampering. The Incident Management Policy enforces the incident response plan and its procedures. These guidelines are followed if any type of security or technical incident occurs. Security incidents are reviewed regularly by the Security Steering Committee, which consists of senior stakeholders from across the business.

Measures for ensuring systems configuration, including default configuration: We follow a consistent change management process for all the changes to the production environment of the Communication Platform as a Service. To elaborate further, all requests for changes (RFC) need to be approved by a designated party and executed according to the formal change control process. The control process ensures that changes proposed are reviewed, authorized, tested, implemented, and released in a controlled manner; and that the status of each proposed change is monitored. Configuration baselines are followed to securely configure the systems by following best-practices. Also, within the Engineering department, a tech radar is used to define which technologies (languages, platform tools, databases and data management tools) can be adopted or need to be avoided during development.

Measures for physical security: We actively promote a "Work from Anywhere" policy, so our employees are free to work from any place they want. However, we still have our office premises. We have no secure areas/data center on our premises as we are a completely cloud-based company. Our office floors are protected by physical access controls, CCTV, and manned security.

Measures for internal IT and IT security governance and management: We maintain a risk-based assessment security program, which includes administrative, organizational, technical, and physical safeguards designed to protect the Services and the confidentiality, integrity, and availability of Customer Data. Our information security program is set up in a systematic and well organized way. In addition, legal and regulatory requirements apply to ensure the confidentiality, integrity, and availability of information to the organization, employees, partners and customers. All these are translated into our information security policies, procedures and guidelines. We have a Security Steering Committee which is responsible for the tactical level of information security. This entails the coordination of information security activities and the translation of strategic activities to operational activities for our security, and our continuous maintenance of regulatory compliance. All employees are responsible for safeguarding company assets. All our employees are screened for expertise, experience, and integrity. Employees are informed about security and data protection at the on-boarding stage, as well as by way of regular team-specific training and other company-wide all-hands presentations about the importance of data protection and security compliance.

MessageBird is ISO/IEC 27001:2013 certified, the globally recognised information security standard for Information Security Management Systems (ISMS).

All our hosting providers are ISO/IEC 27001:2013 compliant.

We are also registered with the Dutch Authority for Consumers and Markets. This means we are always accountable and fully transparent with our clients.

We are an Associate Member of the Groupe Speciale Mobile Association (GSMA). The GSMA represents the interests of mobile operators across the globe.

We are always up to date with all applicable laws and regulations, including the General Data Protection Regulation.

Measures for certifications/assurance of processes and products: We undergo rigorous surveillance as well as certification audits as part of our ISO/IEC 27001:2013 compliance, and regularly execute application vulnerability and penetration testing. MessageBird takes a unified approach to patch and vulnerability management to ensure that our standard SLA timelines are maintained whether vulnerabilities exist in our underlying infrastructure, operating platforms, or source code.

Measures for application security: We ensure security of our applications during the design and development phase based on the MessageBird Secure Code Guidelines.

Appropriate corrections are implemented prior to release.

Code changes are reviewed by skilled individuals (who are familiar with code review and secure development) other than the originating developers.

Applications will undergo rigorous application security testing to identify any new threats and vulnerabilities at least annually (in accordance with industry standards and best practice).

All code changes for applications that are pushed to production environments are reviewed using manual and/or automated processes.

Penetration tests are conducted annually and case-by-case on new products/features. Automated source code analysis tools are being used to detect security defects in code prior to deployment, based on the language.

Measures for vulnerability disclosure: We appreciate security researchers who have found vulnerabilities on our platform contacting us and sending their findings to security@messagebird.com. We have a dedicated security team who follow up and send invitations to our bug bounty program to investigate and remediate where necessary.

Measures for ensuring accountability: We implement information security and data protection policies in accordance with applicable laws and publish an overview of our ISMS relevant information (link). We have appointed a dedicated VP, Compliance and Information Security and a Data Protection Officer, and maintain documentation of our processing activities, including recording and reporting security incidents involving Personal Data where applicable.