Data Protection Agreement

Date of release: 5 July 2022.

This Data Protection Agreement (“DPA”) becomes effective the date both parties execute a copy of this DPA.

Customer shall make available to SMS APP and Customer authorises SMS APP to process information including personal data for the provision of the Services under the Agreement. The parties have agreed to enter into this DPA to confirm the data protection provisions relating to their relationship and so as to meet the requirements of applicable Data Protection Legislation.

1. Definitions

1.1 For the purposes of this DPA:

  • “Agreement” means the agreement between SMS APP and the Customer under which SMS APP provides specified services (“Services”).
  • “Data Protection Legislation” means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data by the Customer as Data Controller, including without limitation all binding (inter)national laws and other binding data protection or data security directives, laws, regulations and rulings valid at the given time including any guidance and codes of practices issued by the applicable supervisory authority;
  • “Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;
  • “(Data) Processing” means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • “Special Categories of Personal Data” means information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, data concerning a natural person’s sex life or sexual orientation or any other special category of data as is indicated within the deviations in Appendix 2 Deviations based on applicable National legislation or in the Agreement;
  • “Technical and Organisational Measures” or TOMs means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access. This includes the agreed applicable security requirements and security instructions and their updates applicable at each time and described in Appendix 1 Technical and organisational measures to this DPA or in the Product Terms or Application Form;
  • The terms “data controller” and “data processor” shall have the meanings given to them under the GDPR.

1.2 Capitalized terms used and not defined in this DPA have the meanings given to such terms in the Agreement.

2. Role of the Parties

The Parties understand that for the provision of the Services a distinction is made between two types of processing of personal data:

  1. the provision of the services (i.e. the database of call data records and the logs created and managed by SMS APP on behalf and under the supervision of Customer) for which SMS APP will act as a data processor and agrees to comply with the respective obligations set out in this DPA, and
  2. the transmission of messages (i.e. A2P SMS) by SMS APP and other Service Providers for which SMS APP will act as a data controller and agrees to comply with the respective obligations set out in clause 14.

3. Subject matter, nature and purpose of SMS APP’s processing of personal data

3.1

The subject matter, nature and purpose of the processing of personal data under this DPA is SMS APP’s performance of the Services pursuant to the Agreement and as further instructed by the Customer in its use of the Services (“Instructions”), unless required to do so otherwise by Data Protection Legislation and/or Relevant Laws. In such case (and if, to the extent permitted by Data Protection Legislation and/or Relevant Laws.

3.2

Instructions of the Customer shall be in written form (including, but not limited to, email) or can be given through settings and use of SMS APP’s portal(s) and/or software. In exceptional cases, Instructions may be given orally by the Customer. Such oral Instructions will be confirmed by the authorized person of Customer in writing or per email (in text form).

4. Duration

4.1

SMS APP shall only collect or process personal data for the duration of the Agreement to the extent, and in such a manner, as is necessary for provision of the Services and in accordance with the Agreement and Data Protection Legislation applicable to SMS APP in its role as data processor.

4.2

The processing of personal data will be carried out by SMS APP after the Agreement as necessary to fulfil the obligations in this DPA or when necessary due to mandatory law, unless otherwise agreed upon in writing.

5. Type of personal data processed

The following Categories of personal data may be processed to deliver the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to the following categories of personal data:

  • Contact information (company, email, phone, physical address)
  • First and last name
  • Title
  • Position
  • Employer
  • Connection data

Other data as is defined within the Agreement as agreed upon between parties.

6. Type of data subjects

The Customer may submit personal data to the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to personal data relating to the following categories of data subjects:

  • Customers, business partners and vendors of the Customer (who are natural persons)
  • Employees of contact persons of the Customer’s customers, business partners and vendors
  • Employees, agents, advisors, freelancers of the Customer (who are natural persons)
  • Customer’s Service user including any user of the Services, which Customer permits using the Services

7. Sub-processors

7.1

The Customer agrees that SMS APP may engage SMS APP Affiliate or third parties to process personal data in order to assist SMS APP to deliver the Services on behalf of the Customer (“Sub-processors”). SMS APP has or will enter into written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA to the extent applicable to the nature of the Services provided by such Sub-processor.

7.2

When required by law, SMS APP shall conclude additional agreements (for example, but not limited to, Business Associates Agreements as is required by The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and/or The Health Information Technology for Economic and Clinical Health act (“HITECH”)).

7.3

The current Sub-processors for the Services can be obtained by contacting privacyofficer@SMS APP.com.au (“Sub-processor List”) and the Customer agrees and approves that SMS APP has engaged such Sub-processors to process personal data as set out in the list. The Customer may also subscribe to notifications of new Sub-processors for each applicable Service, to which Customer shall subscribe by contacting privacyofficer@SMS APP.com.au, and if the Customer subscribes, SMS APP shall provide notification of a new Sub-processor(s) before authorising any new Sub-processor(s) to process personal data in connection with the provision of the applicable Service.

7.4

SMS APP shall notify the Customer, in accordance with the mechanism set out in clause 7.3, thirty (30) days in advance of any intended changes concerning the addition or replacement of any Sub-processor, during which period the Customer may raise objections to the Sub-processor’s appointment. Any objections must be raised promptly (and in any event no later than fourteen (14) days following SMS APP’s notification of the intended changes). Should SMS APP choose to retain the objected-to Sub-processor, SMS APP will notify the Customer at least fourteen (14) days before authorising the Sub-processor to process personal data, and the Customer may then immediately discontinue using the relevant portion of the Services and may terminate the relevant portion of the Services. SMS APP will refund the Customer any prepaid fees covering the remainder of the term of such relevant portion of the Service following the effective date of termination, and there will be no penalty on either party.

7.5

SMS APP may replace a Sub-processor without advance notice where the reason for the change is outside of SMS APP’s reasonable control and prompt replacement is required for security or other urgent reasons, such as but not limited to (suspected) non-compliance of a Sub-processor with Data Protection Legislation or the DPA between SMS APP and the Sub-processor. In this case, SMS APP will inform the Data Controller of the replacement Sub-processor as soon as possible following its appointment. Clause 7.4 applies accordingly.

7.6

For the avoidance of doubt, where any Sub-processor fails to fulfil its obligations under any sub-processing agreement or under applicable law SMS APP will remain fully liable to the Customer for the fulfilment of its obligations under this DPA.

8. International Transfer

8.1

Whenever SMS APP (or its Sub-processors) processes personal data in countries other than the country in which SMS APP is established, SMS APP will ensure an adequate level of protection for personal data by means of organisational, technical and contractual measures as required by Data Protection Legislation and this DPA.

8.2

Where (i) Personal Data of an EEA or Swiss-based Data Controller is processed in a country outside the EEA, Switzerland and any country, organization or territory acknowledged by the European Union as a safe country with an adequate level of data protection under art. 45 GDPR, and no other lawful transfer mechanism such as Binding Corporate Rules (art. 47 GDPR) or a Code of Conduct (art. 40 GDPR) is available, or where (ii) Personal Data of another Data Controller is processed internationally and such international processing requires an adequacy means under the laws of the country of the Data Controller and the required adequacy means can be met by entering into Standard Contractual Clauses, the transfer is made pursuant to European Commission approved Standard Contractual Clauses for the transfer of Personal Data. Customer provides a power of attorney for SMS APP to enter into any such European Commission approved standard contractual clauses with a Sub-processor approved as set out in clause 7 in the name and on behalf of the Customer.

8.3

In case European Commission approved standard contractual clauses are concluded between SMS APP and the Customer, the following applies until a competent Member State supervisory authority, or an EU or competent Member State court, approves a different lawful transfer mechanism that would be applicable to the data transfers covered by the Standard Contractual Clauses (if such mechanism applies only to some of the data transfers, the following clauses will remain applicable for the transfers that cannot be covered by this new lawful transfer mechanism):

  1. Rights granted to data subjects under this DPA and the European Standard Contractual Clauses may be enforced by the data subject against SMS APP irrespective of any restriction in Clauses 3 or 6 of the Standard Contractual Clauses. These rights are personal and may not be assigned to others. The data subject may only bring a claim under this DPA and the European Standard Contractual Clauses on an individual basis, and not part of a class, collective, group or representative action.
  2. In addition to Clause 5(b) of the Standard Contractual Clauses, SMS APP agrees that it, at the time of concluding this Agreement, has no reason to believe that the legislation applicable to it or its Sub-processors, including in any country to which personal data is transferred either by itself or through a Sub-processor, prevents it from fulfilling the instructions received from the Customer and its obligations under the Standard Contractual Clauses, and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Standard Contractual Clauses, it will notify the change to Customer as soon as it is aware, in which case Customer is entitled to suspend the transfer of data and/or terminate the contract.
  3. For the purposes of this section, lawful efforts do not include actions that would result in a civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction:
    • In case SMS APP receives an order from any third party for compelled disclosure of any personal data that has been transferred under the Standard Contractual Clauses, SMS APP will, where possible, redirect the third party to request data directly from Customer.
    • In case SMS APP receives an order from any third party for compelled disclosure of any personal data that has been transferred under the Standard Contractual Clauses, SMS APP will use all lawful efforts to challenge the order for disclosure on the basis of any legal deficiencies under the laws of the requesting party or any relevant conflicts with the law of the European Union or applicable Member State law.

9. Technical and organisational measures

SMS APP has implemented and maintains appropriate technical and organizational measures (to act in accordance with Data Protection Legislation, for example but not limited to Article 28(3)(c) and Article 32, in particular in relation to Article 5(1) and (2) GDPR). Such measures include, but are not limited to, physical and IT measures and organizational measures to protect the personal data processed against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. Such measures are described in Appendix 1 Technical and Organisational Measures.

10. Quality assurances and other duties of SMS APP

10.1

SMS APP shall comply with the following requirements (often referred to by referencing articles 28 to 33 GDPR) being:

  • No processing of personal data except on instructions from the controller, unless required to do so by an authority;
  • Implementation of a data processing register;
  • Implementation of technical and organizational measures to ensure a level of data security appropriate to the level of risk presented by processing personal data;
  • Cooperation with the data protection supervisory authority in the performance of its tasks;
  • Notification of a personal data breach to the supervisory authority and the data subject;
  • Carrying out a data protection impact assessment when necessary according to law and consulting the supervisory authority prior to data processing where the data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk,

and ensures in particular compliance with the following requirements:

  • Appoint a data protection officer, who performs his/her duties in compliance with Data Protection Legislation. The data protection officer can be contacted at DPO@sinch.com.
  • Confidentiality in accordance with Data Protection Legislation. SMS APP entrusts only such employees with the data processing outlined in this contract who have been bound to confidentiality and have previously been familiarized with the data protection provisions relevant to their work. SMS APP and any person acting under its authority who has access to personal data shall not process that data unless on instructions from the Customer, which includes the powers granted in this Amendment, unless required to do so by Data Protection Legislation.
  • At the Customer’s cost and expense and taking into account the nature of the processing and the information available to SMS APP, provide such information and assistance as the Customer may reasonably require, and within the timescales reasonably specified by the Customer, to assist the Customer to comply with its obligations under applicable Data Protection Legislation, which may include assisting the Customer to:
    • notify the Customer of any request SMS APP receives from a data subject relating to personal data processed, and notify the data subject to contact the Customer if it wants to exercise its rights;
    • comply with its security obligations;
    • discharge its obligations to respond to requests relating to the exercise of data subject rights, including the right of access, right to rectification, right to erasure (“right to be forgotten”) and right to restriction of processing (to the extent that personal data is not accessible to the Customer through the Services);
    • carry out a data protection impact assessment, audit data protection impact assessment compliance, and consult with the supervisory authority following a data protection impact assessment.
  • For the purposes of this section, lawful efforts do not include actions that would result in a civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction:
  • Unless prohibited by applicable law or a legally binding request of law enforcement, SMS APP shall promptly notify the Customer of any request by any government official, data protection supervisory authority or law enforcement authority in respect of any personal data and, if prohibited from notifying Customer, SMS APP will use all lawful efforts to obtain the right to waive the prohibition in order to communicate as much information to Customer as soon as possible;
  • SMS APP shall periodically monitor its internal processes and the TOMs to ensure that processing within SMS APP’s area of responsibility is in accordance with the requirements of Data Protection Legislation and the protection of the rights of the data subject.

11. Audits and inspections

11.1

In the event that the Customer, a Regulator or a data protection authority requires additional information or an audit related to the Services, then SMS APP agrees to provide access to its data processing facilities, data files and documentation needed for processing personal data. SMS APP agrees to provide reasonable cooperation during such operations, including providing all relevant information and access to all equipment, software, data, files, information systems, etc., used for the performance of the Services, including the processing of personal data. For the avoidance of doubt, any audit conducted pursuant to this clause 11.1:

  1. is subject to clause 11.2 below;
  2. must occur at SMS APP’s physical premises; and
  3. cannot involve the removal of any equipment, software, data, files, information systems, etc. from SMS APP’s physical premises.

11.2

The audit right as described within clause 11.1 will become applicable for the Customer in case SMS APP has not provided sufficient evidence of its compliance with the technical and organizational measures. Sufficient evidence includes providing either:

  1. a certification as to compliance with ISO 27001 or other standards implemented by SMS APP (scope as defined in the certificate); or
  2. an audit or attestation report of an independent third party.

An audit as described within clause 11.1 shall be carried out at the Customer’s cost and expense. An audit can be done by the Customer or any third party reasonably acceptable to SMS APP (which shall not include any third party auditors who are either a competitor of SMS APP or not suitably qualified or independent) to ascertain compliance with this DPA, subject to being given reasonable notice (30 days), compliance with SMS APP’s Technical and Organisational Measures and the auditor entering into a non-disclosure agreement directly with SMS APP.

12. Notification of a data breach

12.1

In the event that SMS APP becomes aware of any breach of security that results in the accidental, unauthorised or unlawful destruction of, or unauthorised disclosure of or access to, personal data, SMS APP shall, among other things:

  1. Notify the Customer in writing immediately, but not later than 72 hours after becoming aware of the personal data breach;
  2. Assist the Customer with regard to the Customer’s obligation to provide information to the data subject, and provide the Customer with relevant information in this regard;
  3. Support the Customer in consultations with the data protection authority.

12.2

To the extent legally possible, SMS APP may claim compensation for support services under this clause 12 which are not attributable to personal data breaches caused by SMS APP.

13. Deletion of personal data

13.1

SMS APP is obliged to erase personal data as stipulated in the Agreement and in accordance with the Data Protection Legislation and/or Relevant Laws.

13.2

Customer has the right to request execution of the rights and obligations described in clause 13.1 for the entire duration of the DPA.

13.3

Statutory retention obligations or contractual obligations towards Service Providers of SMS APP (for example but not limited to operators) remain unaffected by the above provisions. Documentation serving as evidence for an orderly data processing in accordance with the provisions of the DPA shall be retained by SMS APP after termination of the DPA according to Data Protection Legislation and/or Relevant Laws.

14. SMS APP’s Obligations as Data Controller

In situations where SMS APP will act as a data controller, it undertakes to comply with its obligations under applicable Data Protection Legislation in respect of any personal data processed under the SA. It shall process such personal data in connection with the transmission of messages, and to fulfil its associated obligations under the Agreement or as may be required by law, court order or any government or regulatory authority and in accordance with its privacy policy which is available at https://SMS APP.com/au/legal/privacy-policy/ as amended from time to time, if necessary.

15. Customer’s Obligations

The Customer shall comply at all times with Data Protection Legislation in relation to the processing of personal data in connection with the Agreement and the Services. The Customer shall inform SMS APP in writing in case additional legislation, other than the legislation of the country where the Customer is established, is applicable to the Processing of Personal Data.

16. Limitation of Liability

16.1

Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA whether in contract, tort or under any other theory of liability, is subject to the Limitation of Liability section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and this DPA.

16.2

Clause 16.1 shall not apply if the damage has been caused by the incorrect implementation of the commissioned service by the Customer or by an instruction given by the Customer. In such case, Customer will be liable for such damage.

17. Miscellaneous

17.1

The DPA forms an integral part of the Agreement between Customer and SMS APP. In case of conflict between the mandatory provisions in the European Standard Contractual Clauses and this DPA, the European Standard Contractual Clauses shall prevail. In case of other conflicts between other documents (including in case of conflict between the Agreement and this DPA), the DPA will prevail.

17.2

Should any provision of this DPA be or become invalid or contain a gap, the remaining provisions shall remain unaffected. Customer and SMS APP undertake to replace the invalid provision with legally valid provisions which come closest to the intent of the invalid provision or, as the case may be, fill the gap.

APPENDIX 1 to the Data Protection Agreement – Technical and Organisational Measures

SMS APP shall implement the measures described in this appendix, provided that the measures directly or indirectly contribute or can contribute to the protection of personal data under the Agreement concluded between the Parties for the processing of data.

The Technical and Organizational measures that are implemented by SMS APP are based on industry standards. The Technical and Organizational Measures are subject to technical progress and development. In this respect SMS APP is permitted to implement alternative adequate measures. The level of security must align with standard industry practice. All major changes likely to detrimentally impact the Customer are to be agreed with the Customer in writing.

The Technical and Organizational Measures included within this Appendix are measures that are applicable to the Service(s) provided by SMS APP. If necessary for the Service, SMS APP may include further Technical and Organizational Measures in the Product Terms or Application Form.

1. Risk management and Procedures for validation, review and evaluation

  1. SMS APP shall identify and evaluate security risks related to confidentiality, integrity and availability and based on such evaluation implement appropriate technical and organizational measures to ensure a level of security which is appropriate to the risk.
  2. SMS APP shall have documented processes and routines for handling risks within its operations and when processing personal data on behalf of the Customer.
  3. SMS APP shall periodically assess the risks related to information systems and processing, storing and transmitting information.
  4. SMS APP shall identify and evaluate security risks related to confidentiality, integrity and availability and based on such evaluation implement appropriate technical and organizational measures to ensure a level of security which is appropriate to the risk of the specific personal data types and purposes being processed by SMS APP, including inter alia as appropriate:
    1. The encryption of personal data;
    2. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    3. The ability to restore the availability and access to the Customer’s Data in the event of a physical or technical incident;
    4. A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
  5. SMS APP shall periodically assess the risks related to information systems and processing personal data (e.g. when storing and transmitting personal data).
  6. SMS APP shall as appropriate monitor, review and audit Sub-processors’ compliance with the Technical and Organizational Measures.

2. Organizational Measures

The internal organization of the processor shall meet the specific requirements of data protection.

  1. Policies and Policy Management
    1. SMS APP shall have a defined and documented information security management system (ISMS) including an information security policy and procedures in place, which shall be approved by SMS APP’s management. They shall be published within SMS APP’s organization and communicated to relevant SMS APP Personnel.
    2. SMS APP shall periodically review SMS APP’s policies and procedures concerning data protection and information security and update them if required to ensure their compliance with the Technical and Organizational Measures and the data protection agreement.
  2. Organization of Data Protection and Information security
    1. SMS APP shall appoint at least one data protection officer who has appropriate competence and who functions as the main contact person for data protection. If required by law, SMS APP shall appoint a data protection officer on a company level.
    2. SMS APP shall have defined and documented security roles and responsibilities within its organization.
  3. Organizational Requirements
    1. SMS APP shall ensure that SMS APP personnel handle information in accordance with the level of confidentiality required under the DPA and that it has the written commitment of the employees to maintain confidentiality.
    2. SMS APP shall ensure that relevant SMS APP personnel are aware of the approved use (including use restrictions as the case may be) of information, facilities, and systems under the DPA.
    3. SMS APP shall ensure that any SMS APP personnel performing assignments under the DPA are trustworthy, meet established security criteria and have been, and during the term of the assignment will continue to be, subject to appropriate screening and background verification (if allowed by applicable law).
    4. SMS APP shall ensure that SMS APP personnel with security responsibilities are adequately trained to carry out security related duties.
    5. SMS APP shall provide or ensure periodical awareness training to relevant SMS APP personnel. Such SMS APP training shall include, without limitation:
      1. How to handle customer information securely (i.e. the protection of the confidentiality, integrity and availability of information);
      2. Why information security is needed to protect customers’ information and systems;
      3. The common types of security threats (such as identity theft, malware, hacking, information leakage and insider threat);
      4. The importance of complying with information security policies and applying associated standards/procedures;
      5. Personal responsibility for information security (such as protecting customer’s privacy-related information and reporting actual and suspected data breaches).

3. Confidentiality

  1. Access Control (Physical and environmental security)
    1. SMS APP shall protect information processing facilities against external and environmental threats and hazards, including power/cabling failures and other disruptions caused by failures in supporting utilities. This includes physical perimeter and access protection.
    2. SMS APP shall protect goods from theft, manipulation, and destruction.
    3. SMS APP shall specify authorized individuals allowed within its processing facilities and have an access control process.
  2. Access control (Logical)
    1. SMS APP shall have a defined and documented access control policy for facilities, sites, network, system, application, and information/data access (including physical, logical and remote access controls), an authorization process for user access and privileges, procedures for revoking access rights and an acceptable use of access privileges for SMS APP personnel in place.
    2. SMS APP shall have a formal and documented user registration and de-registration process implemented to enable assignment of access rights.
    3. SMS APP shall have a joiner-mover-leaver process for its employees.
    4. SMS APP shall assign all access privileges based on the principle of need-to-know and principle of least privilege.
    5. SMS APP shall use strong authentication (multi-factor) for remote access users and users connecting from untrusted networks.
    6. SMS APP shall ensure that SMS APP Personnel have a personal and unique identifier (user ID) and use an appropriate authentication technique which confirms and ensures the identity of users.
  3. Cryptography
    1. SMS APP shall use cryptography on information classified as confidential and secret (such as personal data).
    2. SMS APP shall protect cryptographic keys and store these in accordance with applicable legislation.
  4. Guidelines concerning the admission to the Customer’s premises and/or SMS APP premises
    Admission to the premises and property (such as office buildings, technical sites) is subject to the following:
    1. SMS APP shall follow local regulations (such as regulations for “restricted areas”) for the Customer’s premises when performing the assignments under the Agreement.
    2. SMS APP Personnel shall carry an access card or, in the case of visitors, a visitor’s badge and be accompanied by an employee of SMS APP while on the premises.
    3. After employment or completion of the assignment, or when SMS APP personnel are transferred to other tasks, personnel shall without delay inform authorized personnel of the change and return any keys, key cards, certificates, visitor’s badges and similar items.
    4. Access cards shall be personally signed for.
    5. Loss of access card shall be reported without delay to the authorized personnel.
    6. SMS APP Personnel shall not allow unauthorized persons access to the premises.

4. Operations security

  1. SMS APP shall test and review systems before changes are implemented.
  2. SMS APP shall implement malware protection to ensure that software used for SMS APP is protected from malware.
  3. The company network is protected from the public network by firewalls.
  4. SMS APP shall make backup copies of critical information.
  5. SMS APP shall log and monitor activities relating to the Services, faults and information security events, and regularly review these. Furthermore, SMS APP shall protect and store log information (for at least 6 months or such period/s set by Data Protection Legislation) and, on request, deliver monitoring data to the Customer. Anomalies / incidents / indicators of compromise shall be reported according to the data breach management requirements as set out below.
  6. SMS APP shall manage vulnerabilities of all relevant technologies such as operating systems, databases, applications proactively and in a timely manner.
  7. SMS APP shall establish security baselines (hardening) for all relevant technologies such as operating systems, databases, applications.
  8. SMS APP shall ensure development is segregated from test and production environment.

5. Integrity

  1. SMS APP shall implement network security controls such as service level, firewalling and segregation to protect information systems.
  2. SMS APP operates a phishing and SPAM detection system with the aim to protect its customers and SMS APP (and the personal data of which these Parties are the Controller) against unwanted content and the spreading of SPAM/phishing and to comply with operator requirements and applicable legislation.
  3. Personal data being processed on behalf of the controller shall be processed solely in accordance with the Agreement and the instructions of the controller to the processor.
  4. SMS APP will work according to written instructions or agreements and documents belonging to that agreement.

6. Data breach management

  1. SMS APP shall have established procedures for data breach management.
  2. SMS APP shall inform the Customer about any data breach (including but not limited to incidents in relation to the processing of personal data) as soon as possible but no later than within 72 hours after the data breach has been identified.
  3. All reporting of security related incidents shall be treated as confidential information and be encrypted, using industry standard encryption methods.
  4. The data breach report shall contain at least the following information:
    1. The nature of the data breach,
    2. The nature of the personal data affected,
    3. The categories and number of data subjects concerned,
    4. The number of personal data records concerned,
    5. Measures taken to address the data breach,
    6. The possible consequences and adverse effect of the data breach, and
    7. Any other information the Customer is required to report to the relevant regulator or data subject.
  5. To the extent legally possible, SMS APP may claim compensation for support services under this clause which are not attributable to failures on the part of SMS APP.

7. Business continuity management

  1. SMS APP shall identify business continuity risks and take necessary actions to control and mitigate such risks.
  2. SMS APP shall have documented processes and routines for handling business continuity.
  3. SMS APP shall ensure that information security is embedded into the business continuity plans.
  4. SMS APP shall periodically assess the efficiency of its business continuity management, and compliance with availability requirements (if any).

8. System/software development and maintenance (when software development or system development is provided to the Customer by SMS APP)

  1. SMS APP shall implement rules for development lifecycle of software and systems including change and review procedures.
  2. Security patch management is implemented to provide regular and periodic deployment of relevant security updates.

Appendix 2 to the data protection Agreement – Deviations based on applicable National legislation

1. Canada

The definition “Special Categories of Personal Data” in Clause 1 of this DPA shall be amended as follows:

“Special Categories of Personal Data” shall mean information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life or any other personal data that may be considered as sensitive data based on applicable legislation.”

In addition to what is agreed upon in this DPA, the following is applicable concerning the transfer of Data:

“Controller acknowledges that Processor may transfer, store, and process Personal Data to territories outside of Canada, where it will be subject to the laws of the foreign jurisdictions in which it is held. Processor shall not, and shall make sure that any Affiliate or any third party with whom it contracts to Process Personal Data on its behalf in connection with the relevant Service(s) shall not:

  • transfer Personal Data to a territory outside of Canada except on terms substantially similar to terms herein, which are agreed to prior to such transfer; or
  • operate in relation to that Personal Data in any way which will put Controller in breach of its obligations under applicable privacy laws.”

In addition to what is agreed upon in this DPA:

“Controller acknowledges that it possesses all necessary consents and legal authority from data subjects that would allow Processor to process the data.”

In addition to what is agreed upon in Section 7 of this DPA:

“Parties will also cooperate with respect to any data breach notifications to Canadian regulatory authorities, individuals and other organizations that are required by law or otherwise advisable in the Controller’s sole discretion.”

Without limiting the terms and conditions of the DPA for Canada and the Agreement as far as it is applicable on Canada, the following apply:

“Processor will comply with all Canadian federal and provincial privacy and anti-spam legislation applicable to Controller and Processor in the course of processing any Data in connection with the Services, including all applicable notice, consent, content and unsubscribe requirements in connection with the sending of electronic messages and the installation of computer programs on another person’s device.

Processor will provide that access to the Data is limited only to those employees and authorized agents of Processor who need to have access to the Data solely for the purposes of Processor rendering the Services.”

2. USA

The following definitions in clause 1 of this DPA shall be amended as follows:

“Personal data (in the USA the term Personally Identifiable Information is used): any individual element of information concerning the personal or material circumstances of an identified or identifiable individual;

Sensitive data (also known as “Special Categories of Personal Data”): information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life, social security number, driver’s license number or state or federally issued identification card number, account number or credit or debit card number, or an account number in combination with any required security code, access code, or password that would permit access to an individual’s financial account, or any other information the unauthorized disclosure of which may require Controller to notify affected individuals.”

Appendix 3 to the data protection Agreement – Standard Contractual Clauses
