Data Processing Addendum
This Data Processing Addendum (“DPA”) is incorporated by reference into the Agreement by and between Mediafly, Inc. (“Mediafly”) and Customer (together, the “Parties”, and each a “Party”) (the “Agreement”) to reflect the parties’ agreement with regard to the Processing of Personal Data in accordance with the requirements of EU and UK Data Protection Laws and Regulations. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
By agreeing to the Agreement, Customer enters into this DPA on its own behalf and on behalf of its Affiliates, if and to the extent Mediafly Processes Personal Data for which such Affiliates qualify as Controller.
Data Processing Terms
In the course of providing the Services to Customer pursuant to the Agreement, Mediafly may Process Personal Data on behalf of Customer. Mediafly agrees to comply with the following provisions with respect to any Personal Data submitted by or for Customer to the Services or collected and Processed by or for Customer using the Services.
1. DEFINITIONS
“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Customer Personal Data” means the Personal Data which Mediafly is Processing as Processor on behalf of Customer in order to provide the Services.
“Data Protection Laws and Regulations” means the Data Protection Laws and Regulations relating to the Processing of Personal Data under this Agreement. Data Protection Laws and Regulations include, depending on the circumstances: (i) the EU Data Protection Laws and Regulations; (ii) UK Data Protection Laws and Regulations; (iii) the CCPA; and (iv) other applicable US state privacy laws (collectively, “State Privacy Laws”), in each case as updated, amended or replaced from time to time.
“Data Subject” means the individual to whom Customer Personal Data relates.
“EU Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union (the “EU”), the European Economic Area (the “EEA”) and their Member States, applicable to the Processing of Personal Data under the Agreement, including but not limited to: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“EU GDPR”); (ii) the Privacy and Electronic Communications Directive (2002/58/EC) (“ePrivacy Directive”) and any applicable national implementing laws, regulations and secondary legislation in any Member State, in relation thereto; (iii) the guidelines, recommendations, best practice opinions, directions, decisions, and codes of conduct issued, adopted or approved by the European Commission, the European Data Protection Board, and/or any Supervisory Authority from time to time in relation to the EU GDPR, the ePrivacy Directive, and any other applicable privacy and data protection laws; and (iv) any judgments of any relevant court of law relating to the processing of personal data, data privacy, and data security, in each case as amended, replaced or superseded from time-to-time.
“FADP” means the Federal Act on Data Protection of 19 June 1992 and, as and when it enters into force on 1 January 2023, its revised version of 25 September 2020.
“Member State” means a country that is a member of the EU or of the EEA.
“Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification such as a name, an identification number, location data, an online identifier such as an IP or MAC Address or Mobile ID, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” and grammatical inflections thereof means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of Controller.
“Restricted Transfer” means the disclosure, grant of access or other transfer of Customer Personal Data to any person located in: (i) in the context of the EU GDPR, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an “EEA Restricted Transfer”); (ii) in the context of the UK GDPR, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”); and (iii) in the context of the FADP, a country or territory outside of Switzerland which does not benefit from an adequacy decision from the Swiss Government (a “Swiss Restricted Transfer”), which would be prohibited without a legal basis under Chapter V of the EU and UK GDPR and/or the FADP (as applicable to the Processing concerned).
“Sensitive Information” means Personal Data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information specifying the sex life of the individual. Controller’s transfer of Sensitive Information to Processor is subject to the terms and conditions of the Agreement.
“Standard Contractual Clauses” means, as applicable, the agreement executed by and between Mediafly and Customer and attached hereto as Schedule 1 (Commission Decision 2021/914) of this DPA pursuant to the European Commission’s Decision 2021/914 of 4 June 2021 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
“Sub-processor” means any person appointed by or on behalf of the Processor, or by or on behalf of an existing Sub-processor, to process Customer Personal Data.
“Sub-processor List” means the list of Sub-processors displayed from time to time at www.mediafly.com/legal/subprocessors or any successor page.
“Supervisory Authority” means: (i) in the context of the EEA and the EU GDPR, the authority given that meaning in the EU GDPR; (ii) in the context of the UK and the UK GDPR, the UK Information Commissioner’s Office (the “ICO”); and (iii) in the context of Switzerland and the FADP, the Swiss Federal Data Protection and Information Commissioner (the “FDPIC”).
“UK Data Protection Laws and Regulations” shall mean all applicable data protection and privacy legislation in force from time to time in the UK including without limitation: (i) the UK GDPR; (ii) the Data Protection Act 2018 (and regulations made thereunder) (“DPA 2018”); (iii) the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; and (iv) all other legislation and regulatory requirements in force from time to time which apply to a Party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by Supervisory Authorities or other relevant regulatory authority and which are applicable to a Party, in each case as amended, replaced or superseded from time-to-time.
“UK GDPR” shall have the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
“UK Transfer Addendum” means the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the DPA 2018 on 2 February 2022, as it is revised under Section 18 of the UK Mandatory Clauses included in Part 2 thereof (the “UK Mandatory Clauses”).
2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Customer is the Controller of Customer Personal Data, and Mediafly is a Processor in relation to Customer Personal Data. Mediafly will engage Sub-processors pursuant to the requirements set forth in Section 4 (Onward Transfers; Sub-processing) below.
2.2 Purpose Limitation. Mediafly shall Process Customer Personal Data for the purposes set forth in and to perform its obligations pursuant to the Agreement and only in accordance with the lawful, documented instructions of Customer, except where otherwise required by applicable law. Any Processing required outside of the scope of these instructions (inclusive of the rights and obligations set forth under the Agreement) will require prior written agreement of the Parties. Customer shall ensure that its instructions comply with all Data Protection Laws and Regulations, such that the Processing of Customer Personal Data in accordance with Customer’s instructions will not cause Mediafly to be in breach of any Data Protection Laws and Regulations. Mediafly shall notify the Customer immediately if, in Mediafly’s opinion, an instruction for the processing of Customer Personal Data given by Customer infringes Data Protection Laws and Regulations.
2.3 Training. Mediafly shall ensure that its relevant employees, agents and contractors receive appropriate training regarding their responsibilities and obligations with respect to the Processing, protection and confidentiality of Customer Personal Data.
3. ROLES AND RESPONSIBILITIES
3.1 Data Subject Requests. Mediafly shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject exercising its rights under Data Protection Laws and Regulations (including for access to, correction, amendment or deletion of that person’s Customer Personal Data) (a “Data Subject Request”) by providing the full details of the request. Mediafly shall not respond to any such Data Subject Request without Customer’s prior written consent except to confirm that the request relates to Customer. Mediafly shall provide Customer with commercially reasonable cooperation and assistance in relation to handling of a Data Subject Request, to the extent legally permitted and to the extent Customer does not have access to such Customer Personal Data through its use of the Services. For the avoidance of doubt, Customer is responsible for responding to Data Subject requests for access, correction, restriction, objection, erasure or data portability of that Data Subject’s Personal Data.
3.2 Customer’s Responsibilities.
Customer shall ensure: (a) that there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by Mediafly of Customer Personal Data in accordance with this DPA and the Agreement (including any and all instructions issued by Customer from time to time in respect of such Processing) for the purposes of all Data Protection Laws and Regulations (including Article 6, Article 9(2) and/or Article 10 of the GDPR (where applicable)); and (b) that all Data Subjects have (i) been presented with all required notices and statements (including as required by Articles 12-14 of the GDPR (where applicable)); and (ii) provided all required consents, in each case (i) and (ii) relating to the Processing by Mediafly of Customer Personal Data.
Customer agrees that the Service, as well as the security measures set forth in and Mediafly’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Data Protection Laws and Regulations, and provide a level of security appropriate to the risk in respect of the Customer Personal Data.
Customer shall not provide or otherwise make available to Mediafly any Customer Personal Data that contains any (a) Social Security numbers or other government-issued identification numbers; (b) protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (c) health insurance information; (d) biometric information; (e) passwords to any online accounts; (f) credentials to any financial accounts; (g) tax return data; (h) any payment card information subject to the Payment Card Industry Data Security Standard; (i) Personal Data of children under 13 years of age; or (j) any other information that falls within any special categories of personal data (as defined in the EU or UK Data Protection Laws and Regulations) and/or data relating to criminal convictions and offenses or related security measures (together, “Restricted Data”).
4. ONWARD TRANSFERS; SUB-PROCESSING
4.1 General. When transferring Customer Personal Data to a Mediafly Sub-processor, Mediafly will: (a) only transfer such Customer Personal Data for the purposes of providing the Services under the Agreement; and (b) ascertain that the Sub-processor is obligated to provide at least the same level of protection to the Customer Personal Data as Mediafly is required to provide under this DPA.
4.2 Changes. Customer generally authorizes Mediafly to appoint Sub-processors to process the Customer Personal Data on Mediafly’s behalf. Mediafly agrees to inform Customer, in writing, no less than ten (10) days prior to changing a Sub-processor, of any changes concerning the addition or replacement of such Sub-processors by providing Customer with an updated copy of the Sub-Processor List, thereby giving Customer the opportunity to object to such changes. Mediafly shall impose on such Sub-processors data protection terms that protect the Personal Data to the same standard provided for by this DPA and shall remain liable for any breach of the DPA caused by a Sub-processor.
5. SECURITY
5.1 Security. Mediafly shall implement appropriate technical and organizational measures designed to protect the Customer Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, access or use (each a “Security Incident”) and in accordance with Mediafly’s security standards as set forth in Schedule 2 (Mediafly Information Security) of this DPA.
5.2 Confidentiality of Processing. Mediafly shall ensure that any person that it authorizes to process the Customer Personal Data (including its staff, agents and subcontractors) shall be subject to a duty of confidentiality (whether a contractual or a statutory duty) that shall survive the termination of their employment and/or contractual relationship.
5.3 Customer Obligations. Notwithstanding Mediafly’s obligations under Sections 5.1 (Security) and 5.2 (Confidentiality of Processing) above, Customer is responsible for reviewing the information made available by Mediafly relating to data security and making an independent determination as to whether the technical and organizational measures implemented by Mediafly meet Customer’s requirements and legal obligations under Data Protection Laws and Regulations. Customer acknowledges that Mediafly’s security standards are subject to technical progress and further development and that Mediafly may update or modify Mediafly’s security standards from time to time provided that such updates and modifications do not result in a material degradation of the overall security of the Services provided to Customer under the Agreement. Customer further agrees that, without prejudice to Mediafly’s obligations under Sections 5.1 (Security) and 5.2 (Confidentiality of Processing) above: (a) Customer is responsible for its use of the Services, including making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Personal Data, securing its account authentication credentials, managing its data back-up strategies, protecting the security of the Customer Personal Data when in transit to and from the Services, and taking any appropriate steps to securely encrypt or back up any Customer Personal Data uploaded to the Services; and (b) Mediafly has no obligation to protect Customer Personal Data that Customer elects to store or transfer outside of Mediafly’s and its Sub-processors’ systems (for example, offline or on-premise storage).
5.4 Security Incidents. Upon becoming aware of a Security Incident that is reasonably likely to require a data breach notification by Customer under Data Protection Laws and Regulations, Mediafly shall, without undue delay and pursuant to the terms of the Agreement, notify Customer, and shall provide information as Customer may reasonably require to enable Customer to fulfill any data breach reporting obligations under Data Protection Laws and Regulations, taking into account the nature of the Services, the information available to Mediafly, and any restrictions on disclosing the information, such as confidentiality. Customer agrees that: (a) an unsuccessful Security Incident will not be subject to this Section 5 (Security). An unsuccessful Security Incident is one that results in no unauthorized access to the Customer Personal Data or to any of Mediafly’s equipment or facilities storing the Customer Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents; and (b) Mediafly’s obligation to report or respond to a Security Incident under this Section 5 (Security) is not and will not be construed as an acknowledgment by Mediafly of any fault or liability of Mediafly with respect to the Security Incident.
6. DATA PROTECTION IMPACT ASSESSMENTS AND PRIOR CONSULTATION
Mediafly shall, taking into account the nature of the Processing and the information available to Mediafly, provide Customer with reasonable assistance at Customer’s costs with data protection impact assessments or prior consultations with Supervisory Authorities that Customer is required to carry out under Data Protection Laws and Regulations.
7. ADDITIONAL TERMS RELATING ONLY TO STANDARD CONTRACTUAL CLAUSES
7.1 EEA Restricted Transfers. To the extent that any Processing of Customer Personal Data under this DPA involves an EEA Restricted Transfer, the Parties shall comply with their respective obligations set out in the Standard Contractual Clauses, which are hereby deemed to be (a) populated in accordance with paragraph 1 of Schedule 1 (Commission Decision 2021/914) of this DPA; and (b) entered into by the Parties and incorporated by reference into this DPA.
7.2 UK Restricted Transfers. To the extent that any Processing of Customer Personal Data under this DPA involves a UK Restricted Transfer, the Parties shall comply with their respective obligations set out in the Standard Contractual Clauses, which are hereby deemed to be: (a) varied to address the requirements of the UK GDPR in accordance with the UK Transfer Addendum and populated in accordance with paragraphs 1 and 2 of Schedule 1 (Commission Decision 2021/914) of this DPA; and (b) entered into by the Parties and incorporated by reference into this DPA. In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the Standard Contractual Clauses, shall be read as a reference to those Standard Contractual Clauses as varied pursuant to this Section 7.2 (UK Restricted Transfers).
7.3 Swiss Restricted Transfers. To the extent that any Processing of Customer Personal Data under this DPA involves a Swiss Restricted Transfer, the Parties shall comply with their respective obligations set out in the Standard Contractual Clauses, which are hereby deemed to be: (a) varied to address the requirements of the FADP and populated in accordance with paragraphs 1 and 3 of Schedule 1 (Commission Decision 2021/914) of this DPA; and (b) entered into by the Parties and incorporated by reference into this DPA. In relation to any Swiss Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the Standard Contractual Clauses shall be read as a reference to those Standard Contractual Clauses as varied pursuant to this Section 7.3 (Swiss Restricted Transfers). Nothing in any applicable Standard Contractual Clauses (as deemed amended pursuant to this Section 7.3 (Swiss Restricted Transfers)) should be interpreted or construed in such a way as would limit or exclude the rights of Data Subjects under Clause 18(c) of those Standard Contractual Clauses (as deemed amended pursuant to this Section 7.3 (Swiss Restricted Transfers)) to bring legal proceedings before the courts in Switzerland where Switzerland is that Data Subject’s habitual place of residence.
8. ADDITIONAL TERMS RELATING ONLY TO STATE PRIVACY LAWS
8.1 For purposes of this Section 8, the terms “business,” “commercial purpose,” “sell,” “share” and “service provider” shall have the respective meanings given thereto in the State Privacy Laws, and “personal information” shall mean Customer Personal Data that constitutes personal information governed by the State Privacy Laws.
8.2 It is the parties’ intent that with respect to any personal information, Mediafly is a service provider. Mediafly (a) acknowledges that personal information is disclosed by Customer only for limited and specified purposes described in the Agreement; (b) shall comply with applicable obligations under the State Privacy Laws and shall provide the same level of privacy protection to personal information as is required by the State Privacy Laws; (c) agrees that Customer has the right to take reasonable and appropriate steps to help to ensure that Mediafly’s use of personal information is consistent with Customer’s obligations under the State Privacy Laws; (d) shall notify Customer in writing of any determination made by Mediafly that it can no longer meet its obligations under the State Privacy Laws; and (e) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
8.3 Mediafly shall not (a) sell or share any personal information; (b) retain, use or disclose any personal information for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing the personal information for a commercial purpose other than the provision of the Services, or as otherwise permitted by the State Privacy Laws; (c) retain, use or disclose the personal information outside of the direct business relationship between Mediafly and Customer; or (d) combine personal information received pursuant to the Agreement with personal information (i) received from or on behalf of another person, or (ii) collected from Mediafly’s own interaction with any Consumer to whom such personal information pertains, except as and to the extent necessary as a part of Mediafly’s provision of the Services. Mediafly hereby certifies that it understands its obligations under this Section 8 and will comply with them.
8.4 Giving Customer notice of sub-processor engagements in accordance with Section 4 of this DPA shall satisfy Mediafly’s obligation under the State Privacy Laws to give notice of and an opportunity to object to such engagements.
8.5 Mediafly agrees that Customer may conduct audits, in accordance with Section 9 of this DPA, to help ensure that Mediafly’s use of personal information is consistent with Mediafly’s obligations under the State Privacy Laws.
The parties acknowledge that Mediafly’s retention, use and disclosure of personal information authorized by Customer’s instructions documented in this DPA are integral to Mediafly’s provision of the Services and the business relationship between the parties.
9. COMPLIANCE; SECURITY REPORTS AND AUDITS
9.1 Compliance. Mediafly shall make available to Customer such information as Mediafly (acting reasonably) considers necessary to demonstrate its compliance with this DPA.
9.2 Audits. In the event that Customer (acting reasonably) is able to provide documentary evidence that the information made available by Mediafly pursuant to Section 9.1 (Compliance) is not sufficient in the circumstances to demonstrate Mediafly’s compliance with this DPA, Mediafly shall allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.
9.3 Security Reports. Mediafly shall provide a copy of its most current security attestation report (such as SOC 2, Type II or equivalent reports) upon Customer’s written request.
10. DELETION OR RETURN OF CUSTOMER DATA
Upon termination or expiration of the Agreement, Mediafly shall, in accordance with the terms of the Agreement, return to Customer and/or delete all Customer Personal Data (including copies) in Mediafly’s possession, save to the extent that Mediafly is required by any applicable law to retain some or all of the Customer Personal Data. In such event, Mediafly shall extend the protections of the Agreement and this DPA to such Customer Personal Data and limit any further processing of such Customer Personal Data to only those limited purposes that require the retention for so long as Mediafly maintains the Customer Personal Data.
11. MISCELLANEOUS
11.1 Except as amended by this DPA, the Agreement will remain in full force and effect.
11.2 If there is a conflict between the Agreement and this DPA, the terms of this DPA will prevail in respect of the Processing of Customer Personal Data.
11.3 If there is a conflict between this DPA and the Standard Contractual Clauses entered into pursuant to Section 7 (Additional Terms Relating Only to Standard Contractual Clauses) and Schedule 1 (Commission Decision 2021/914) of this DPA, the Standard Contractual Clauses and/or the UK Transfer Addendum will prevail in respect of the Restricted Transfers to which they apply.
11.4 Any claims brought under this DPA shall be subject to the terms and conditions (including, but not limited to, the exclusions and limitations) set forth in the Agreement unless otherwise prohibited by applicable law.
SCHEDULE 1
Commission Decision 2021/914
1. Standard Contractual Clauses (Module 2, Transfer Controller to Processor)
For data transfers from the European Economic Area that are subject to the Standard Contractual Clauses, the Standard Contractual Clauses will be deemed entered into (and incorporated into this DPA by this reference) as amended or completed (as the context requires) as follows:
- in Clause 7, the optional docking clause will not apply;
- for the purposes of Clause 8.6(a), Schedule 2 (Mediafly Information Security) of this DPA shall apply;
- in Clause 9, Option 2 will apply. For the purposes of Clause 9(a), the data importer has the data exporter’s general authorization to engage Sub-processors.
- in Clause 11, the optional language will not apply;
- the data importer’s liability under Clause 12(b) will be limited to any damage caused by its Processing where data importer has not complied with its obligations under the GDPR, specifically directed to Processors, or where it has acted outside of or contrary to lawful written instructions of the data exporter as documented in this DPA, as specified in Article 82 GDPR;
- in Clause 13(a), Option 1 shall apply;
- for the purpose of Clause 15(a), the data importer shall notify the data exporter (only) and not the Data Subject(s) in case of government access requests. The data exporter shall be solely responsible for promptly notifying the Data Subject as necessary;
- in Clause 17, Option 2 is selected and the Standard Contractual Clauses will be governed by the law of the Member State in which the data exporter is established and in Clause 18(b), disputes will be resolved before the courts in the same jurisdiction;
- in Annex I:
- Part A “List of the Parties” shall be as follows:
- Data exporter: “Customer”, “Customer Address”, and “Client Contact” as set out in the Order. The activities relevant to the data transferred under these Clauses are the Processing of personal data in connection with the data exporter’s use of the data importer’s services under the Agreement. Signature and date are as set forth in the Order; and
- Data importer: Mediafly, Inc. of 150 N Michigan Ave, Ste 2000, Chicago, IL 60601, with contact details: Data Protection Officer with email address: dataprotection@www.mediafly.com. The activities relevant to the data transferred under these Standard Contractual Clauses relate to the data importer’s services to the data exporter in accordance with the Agreement. Signature and date are as set out on Page 6 of this DPA;
- Part B the “Description of the transfer” is as follows:
- Categories of data subjects whose personal data is transferred: employees and other representatives of the following potential entities: data exporter, customers and sales prospects of data exporter, and third-party data providers;
- Categories of personal data transferred: name, email addresses, phone numbers, IP address, User-agent, Tool-specific inputs, and other business contact information.
- Sensitive data: none / not applicable;
- The frequency of the transfer: continuous;
- Nature of the processing: all data described above will be processed to provide analytics and related reports to advise and enhance data exporter’s sales and marketing activities, via data importer’s SaaS offering;
- Purpose of the data transfer and further processing: to enable provision of the data importer’s SaaS offering to improve data exporter’s sales and marketing effectiveness;
- The period for which the personal data will be retained: the duration of performance of services under the Agreement;
- For transfers to Sub-processors: the subject matter, nature and duration of the processing is as above and as set out under paragraph 1(k) of this Schedule 1 (Commission Decision 2021/914) of this DPA. Details regarding Sub-processor retention policies can be provided upon request; and
- Part C the “Competent Supervisory Authority” shall be the supervisory authority in the EU Member State in which the data exporter is established;
- in Annex II, the technical and organizational security measures shall be as set out in Schedule 2 (Mediafly Information Security) of this DPA; and
- in Annex III, the data exporter has authorized the use of the Sub-processors set out in the Sub-processor List by the data importer.
2. UK Transfer Addendum
The Parties agree that the UK Transfer Addendum will apply only to the Processing of Customer Personal Data by Mediafly in the course of providing the Services that is transferred via the Services from the United Kingdom, and the UK Transfer Addendum will be deemed entered into (and incorporated into this DPA by this reference) as amended or completed as follows:
- in Table 1 of the UK Transfer Addendum, the Parties’ details and key contact information is as set out in paragraph 1(i) of this Schedule 1 (Commission Decision 2021/914) of this DPA;
- in Table 2 of the UK Transfer Addendum, information about the version of the Standard Contractual Clauses, modules and selected clauses which this UK Transfer Addendum is appended to is as follows: the Standard Contractual Clauses (Module 2 (Transfer Controller to Processor)) approved by the European Commission in decision 2021/914;
- in Table 3 of the UK Transfer Addendum:
- the list of Parties is located in paragraph 1(i) of this Schedule 1 (Commission Decision 2021/914) of this DPA;
- the transfer is in connection with the data exporter’s use of the data importer’s services under the Agreement and relates to the Revenue360 analytics engine that is used to provide analytics and related reports to advise and enhance the data exporter’s sales and marketing activities;
- the technical and organizational measures to ensure the security of the data to be followed by the data importer are as set out at Schedule 2 (Mediafly Information Security) of this DPA; and
- the data importer’s current list of Sub-processors is as set out in paragraph 1(k) of this Schedule 1 (Commission Decision 2021/914) of this DPA; and
- In Table 4 of the UK Transfer Addendum, both the data importer and the data exporter may end the UK Transfer Addendum in accordance with the terms of the UK Transfer Addendum.
3. FADP
The Parties agree that the FADP will apply only to the Processing of Customer Personal Data by Mediafly in the course of providing the Services that is transferred via the Services from Switzerland, and the Standard Contractual Clauses will be deemed entered into (and incorporated into this DPA by this reference) in accordance with paragraph 1 of this Schedule 1 (Commission Decision 2021/914) of this DPA, and varied such that the following terms will be deemed to have the following substituted meanings:
- “GDPR” means the FADP;
- “European Union”, “Union” and “Member State(s)” each mean Switzerland; and
- “supervisory authority” means the FDPIC.
SCHEDULE 2
MEDIAFLY Information Security
Mediafly’s Commitment to Security & Privacy
Mediafly is committed to achieving and preserving the trust of our customers, by providing a comprehensive security and privacy program that carefully considers data protection matters across our suite of products and services, including data submitted by customers to our online service (including Customer Personal Data) (“Customer Data”).
Covered Services
This documentation describes the security-related and privacy-related audits and certifications received for, and the administrative, technical, and physical controls applicable to, the Mediafly online services (collectively, the “Service”). This documentation does not apply to free trial services made available by Mediafly.
Architecture, Data Segregation, and Data Processing
The Service is operated in a multitenant architecture that is designed to segregate and restrict Customer Data access based on business needs. The Mediafly architecture provides an effective logical data separation for different customers via customer-specific ID and allows the use of customer and user role-based access privileges. Additional data segregation is ensured by providing separate environments for different functions, such as for testing and production.
Mediafly has implemented procedures designed to ensure that Customer Data is processed only as instructed by the customer, throughout the entire chain of processing activities by Mediafly and its sub-processors.
Security Controls
The Service includes a variety of configurable security controls that allow Mediafly customers to tailor the security of the Service for their own use. Mediafly personnel will not set a defined password for a user. Mediafly strongly encourages all customers, where applicable in their configuration of the Service’s security settings, to use the single sign on features made available by Mediafly.
Information Security Management Program (“ISMP”)
Mediafly maintains a comprehensive information security management program that contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of Mediafly’s business; (b) the amount of resources available to Mediafly; (c) the type of information that Mediafly will store and process; and (d) the need for security and protection from unauthorized disclosure of such Customer Data. The ISMP is documented and updated based on changes in legal and regulatory requirements related to privacy and data security practices and industry standards applicable to the Service.
Mediafly’s ISMP is designed to:
- Protect the integrity and availability of, and prevent the unauthorized disclosure by Mediafly or its agents of, Customer Data in Mediafly’s possession or control;
- Protect against any anticipated threats or hazards to the integrity and availability of Customer Data, and prevent unauthorized disclosure of Customer Data by Mediafly or its agents;
- Protect against unauthorized access, use, alteration, or destruction of Customer Data;
- Protect against accidental loss or destruction of, or damage to, Customer Data; and
- Safeguard information as set forth in any local, state or federal regulations by which Mediafly may be regulated.
- Security Standards. Mediafly’s ISMP includes adherence to and regular testing of the key controls, systems and procedures of its ISMP to validate that they are properly implemented and effective in addressing the threats and risks identified. Such testing includes:
- Internal risk assessments;
- SSAE18 SOC2 Type 2 (“Audit Report”).
- Security Audit Report. Mediafly provides its customers, upon their request, with a copy of Mediafly’s then-current Audit Report, including information as to whether the Security Audit revealed any material findings in the Service; and if so, the nature of each finding discovered.
- Assigned Security Responsibility. Mediafly assigns responsibility for the development, implementation, and maintenance of its Information Security Management Program, including:
- Designating a security official with overall responsibility; and
- Defining security roles and responsibilities for individuals with security responsibilities.
- Relationship with Sub-processors. Mediafly conducts reasonable due diligence and security assessments of sub-processors engaged by Mediafly in the storing and/or processing of Customer Data (“Sub-processors”), and enters into agreements with Sub-processors that contain provisions similar or more stringent than those provided for in this security and privacy documentation.
- Background Check. Mediafly performs background checks on any employees who are to perform material aspects of the Service or have access to Customer Data.
- Security Policy, Confidentiality. Mediafly requires all personnel to acknowledge in writing, at the time of hire, that they will comply with the confidential data identification and protection policy and protect all Customer Data at all times.
- Security Awareness and Training. Mediafly has mandatory security awareness and training programs, which includes phishing simulations, for all Mediafly personnel that address their implementation of and compliance with the ISMP.
- Disciplinary Policy and Process. Mediafly maintains a disciplinary policy and process in the event Mediafly personnel violate the ISMP.
- Access Controls. Mediafly has in place policies, procedures, and logical controls that are designed:
- To limit access to its information systems and the facility or facilities in which they are housed to properly authorized persons;
- To prevent personnel and others who should not have access from obtaining access; and
- To remove access in a timely basis in the event of a change in job responsibilities or job status.
Mediafly institutes:
- Controls to ensure that only those Mediafly personnel with an actual need-to-know will have access to any Customer Data;
- Controls to ensure that all Mediafly personnel who are granted access to any Customer Data are based on least-privilege principles;
- Periodic (no less than quarterly) access reviews to ensure that only those Mediafly personnel with access to Customer Data still require it.
- Data Encryption.
- Encryption of Transmitted Data: Mediafly uses Internet-industry-standard secure encryption methods designed to encrypt communications between its server(s) and the customer browser(s), and between its servers and customer’s server(s).
- Encryption of At-Rest Data: Mediafly uses Internet-industry standard secure encryption methods designed to protect stored Customer Data at rest. Such information is stored on server(s) that are not accessible from the Internet.
- Encryption of Backups: All offsite backups are encrypted. Mediafly uses disk storage that is encrypted at rest.
- Disaster Recovery. Mediafly maintains policies and procedures for responding to an emergency or a force majeure event that could damage Customer Data or production systems that contain Customer Data. Such procedures include:
- Data Backups: A policy for performing periodic backups of production file systems and databases to meet the Recovery Point Objective described below;
- Disaster Recovery: A formal disaster recovery plan for the production environment designed to minimize disruption to the Service, which includes requirements for the disaster plan to be tested on a regular basis, currently daily;
- Business Continuity Plan: A formal process to address the framework by which an unplanned event might be managed in order to minimize the loss of vital resources.
- Secure Development Practices. Mediafly adheres to the following development controls:
- Development Policies: Mediafly follows secure application development policies, procedures, and standards that are aligned to industry-standard practices, such as the OWASP Top 10 and SANS Top 20 Critical Security Controls; and
- Training: Mediafly provides employees responsible for secure application design, development, configuration, testing, and deployment appropriate (based on role) training by the security team regarding Mediafly’s secure application development practices.
- Malware Control. Mediafly employs then-current industry-standard measures to test the Service to detect and remediate viruses, Trojan horses, worms, logic bombs, or other harmful code or programs designed to negatively impact the operation or performance of the Service.
- Data Integrity and Management. Mediafly maintains policies that ensure the following:
- Segregation of Data: The Service includes logical controls, including encryption, to segregate each customer’s Customer Data from that of other customers; and
- Back Up/Archival: Mediafly performs full backups of the database(s) containing Customer Data no less than once per day and archival storage on no less than a weekly basis on secure server(s) or on other commercially acceptable secure media.
- Vulnerability Management. Mediafly maintains security measures to monitor the network and production systems, including error logs on servers, disks and security events for any potential problems. Such measures include:
- Infrastructure Scans: Mediafly performs semi-annual vulnerability scans on all infrastructure components of its production and development environment. Vulnerabilities are remediated on a risk basis. Mediafly installs all high and critical security patches for all components in its production and development environment as soon as commercially possible. Low, medium, and informational findings will be re-evaluated and fixed according to an internal risk score assigned to them;
- Application Scans: Mediafly performs semi-annual (as well as after making any major feature change or architectural modification to the Service) application vulnerability scans. Vulnerabilities are remediated on a risk basis. Mediafly installs all high and critical security patches for all components in its production and development environment as soon as commercially possible. Low, medium, and informational findings will be re-evaluated and fixed according to an internal risk score assigned to them; and
- External Application Vulnerability Assessment: Mediafly engages third parties to perform network vulnerability assessments and penetration testing on a semi-annual basis (“Vulnerability Assessment”).
Reports from Mediafly’s then-current Vulnerability Assessment, together with any applicable remediation plans, will be made available to customers on written request.
Vulnerabilities are remediated on a risk basis. Mediafly installs all high and critical security patches for all components in its production and development environment as soon as commercially possible. Low, medium, and informational findings will be re-evaluated and fixed according to an internal risk score assigned to them.
- Change and Configuration Management. Mediafly maintains policies and procedures for managing changes to production systems, applications, and databases. Such policies and procedures include:
- A process for documenting, testing and approving the promotion of changes into production;
- A security patching process that requires patching systems in a timely manner based on a risk analysis; and
- A process for Mediafly to perform security assessments of changes into production.
- Intrusion Detection. Mediafly monitors the Service generally for unauthorized intrusions using traffic and activity-based monitoring systems. Mediafly may analyze data collected by users' web browsers (e.g., device type, screen resolution, time zone, operating system version, browser type and version, system fonts, installed browser plug-ins, enabled MIME types, etc.) for security purposes, including to detect compromised browsers, to help customers detect fraudulent authentications, and to ensure that the Service functions properly.
- Incident Management. Mediafly has in place a security incident response plan that includes procedures to be followed in the event of any unauthorized disclosure of Customer Data by Mediafly or its agents of which Mediafly becomes aware to the extent permitted by law (such unauthorized disclosure defined herein as a “Security Breach”). The procedures in Mediafly’s security incident response plan include:
- Roles and responsibilities: formation of an internal incident response team with a response leader;
- Investigation: assessing the risk the incident poses and determining who may be affected;
- Communication: internal reporting as well as a notification process in the event of a Security Breach;
- Recordkeeping: keeping a record of what was done and by whom to help in subsequent analyses; and
- Audit: conducting and documenting a root cause analysis and remediation plan.
- Mediafly publishes system status information at https://mediafly.statuspage.io. Client administrators can subscribe for changes on this site. Mediafly typically notifies customers of significant system incidents through this site.
- Security Breach Management.
- Notification: In the event of a Security Breach, Mediafly notifies impacted customers of such Security Breach. Mediafly cooperates with an impacted customer’s reasonable request for information regarding such Security Breach, and Mediafly provides regular updates on any such Security Breach and the investigative action and corrective action(s) taken.
- Remediation: In the event of a Security Breach, Mediafly, at its own expense, (i) investigates the actual or suspected Security Breach, (ii) provides any affected customer with a remediation plan, to address the Security Breach and to mitigate the incident and reasonably prevent any further incidents, (iii) remediates the effects of the Security Breach in accordance with such remediation plan, and (iv) reasonably cooperates with any affected customer and any law enforcement or regulatory official investigating such Security Breach.
- Logs. Mediafly provides procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports, and (i) implements commercially reasonable measures to protect such logs from unauthorized modification or erasure, and (ii) retains such logs in compliance with Mediafly’s data retention policy. If there is suspicion of inappropriate access to the Service, Mediafly has the ability to provide customers with log entry records to assist in forensic analysis. This service will be provided to customers on a time and materials basis.