- In the execution of the Agreement, Send AI may process personal data on behalf of the Client through the services it provides. In this case, the terms as set out in this article shall be considered a data processing agreement within the meaning of Article 28(3) of the GDPR, with the Client being the data controller and Send AI being the data processor.
- Send AI processes personal data on behalf of the Client in accordance with the terms and for the purposes as set out in this article. The processing is carried out solely within the scope of the Agreement and for any purposes that may be agreed upon later.
- Send AI does not make independent decisions regarding the processing of personal data for other purposes, including but not limited to the provision of personal data to third parties and the retention periods of the data. Control over the personal data processed under this article and/or other agreements between the Parties rests with the Client. Send AI may anonymize personal data and use it to improve the services.
The categories of personal data that may be processed include: contact and address information, financial data, employee records and/or numbers, customer or identification number(s), date of birth, nationality, race, gender, social security number, medical/health data, (copy of) ID documents, IP address, and other location data, content of emails, chat messages, contact forms, and other (personal) data stored or processed through Send AI's services. - Send AI and the Client adhere to applicable laws and regulations regarding the protection of personal data, including the GDPR. The Client guarantees that the submission or uploading of (personal) data to Send AI is lawful and that the processing of such data in accordance with the Agreement does not violate applicable privacy laws and regulations.
- Upon request, Send AI will promptly provide the Client with further information about the measures it has taken to fulfill its obligations under this Data Processing Agreement. Additionally, Send AI will assist the Client as necessary in complying with its (legal) obligations under the GDPR. Send AI will inform the Client if, in its opinion, an instruction from the Client constitutes a breach of applicable laws and regulations regarding the protection of personal data.
- If there is a (legal) obligation or requirement for Send AI to assist the Client under the GDPR, Send AI will assist the Client in informing the supervisory authority and/or the data subjects concerned.
- Send AI may process personal data in any country within the European Economic Area (EEA). Transfer of personal data to countries outside the EEA is also allowed, provided that the legal requirements for such transfer are met.
- The Client hereby grants Send AI a general authorization to engage third parties (sub-processors). The Client authorizes Send AI to engage the third parties listed in Attachment 1. Upon the Client's request, Send AI will inform the Client about the engaged sub-processors. With sound and justified reasons, the Client has the right to object to new or changed sub-processors. In such cases, the Parties will engage in discussions to find a workable solution. The terms and conditions of the sub-processors also apply to this Agreement.
- Send AI strives to take sufficient and appropriate organizational and technical measures against any unlawful processing related to the processing of personal data. Upon request, Send AI will provide the Client with insight into its security policy, to the extent relevant to the services. Send AI does not guarantee that security is effective under all circumstances. The Client will only provide personal data to Send AI if it has ensured that the required security measures have been taken.
- In the event of a breach in the security of personal data that could cause damage or have adverse consequences for the protection of personal data, Send AI will promptly notify the Client upon discovery of the security breach, after which the Client will decide whether or not to notify the supervisory authority and/or the data subjects. The notification will include, at a minimum, the fact that a security incident has occurred, as well as all other information known to Send AI in this regard.
- If Send AI receives a data subject's request for access, Send AI will forward this request to the Client. The Client will then process this request. Send AI may notify the data subject if necessary, and if required, Send AI will support the Client in enabling the data subject to exercise their legal rights.
The Client has the right to conduct an audit, through an independent third party bound by confidentiality, to verify Send AI's compliance with this article. The Client is allowed to conduct an audit if they have a concrete suspicion of misuse of personal data by Send AI. The audit will not take place earlier than two weeks after the Client's notification to Send AI and without access to confidential information. Send AI will cooperate in the audit and will provide the Client with all reasonably relevant information as soon as possible, including but not limited to supporting data such as system logs and employee records. - The findings of the conducted audit will be discussed and evaluated by the Parties and, if applicable, implemented by Send AI. The costs of the audit will be borne by the party conducting it.
- Send AI may charge reasonable costs to the Client for assisting with the exercise of data subject rights, prior consultation, and demonstrating compliance with the GDPR.
- Once the agreement is terminated for any reason, Send AI, at the Client's choice, will either return all personal data in its possession in original or copy form to the Client and/or delete and/or destroy these original personal data and any copies thereof within a maximum period of 30 days. The terms of this article remain in effect until all data and other details of the Client have been deleted.
Attachment 1 – Sub-processors
- Amazon Web Services
- Google Cloud Platform
- MongoDB Atlas
- Mailgun
Last updated: August 10, 2024