Version 6 – Date of release: 7 July 2023
This Data Processing Agreement (this « DPA« ) forms part of Sinch master services agreement (the « Principal Agreement« ) between Sinch and the Customer and is subject to the Principal Agreement. Definitions. For the purposes of this DPA, capitalized terms shall have the following meanings. Capitalized terms not otherwise defined shall have the meaning given to them in the Principal Agreement.
(a) « Customer’sPersonal Data » means any personal data that is processed by Sinch on behalf of the Customer to perform the Services under the Principal Agreement.
(b) « Applicable Data Protection Laws » means the GDPR, as transposed into domestic legislation of each Member State (and the United Kingdom) and as amended, replaced or superseded from time to time, and laws implementing, replacing or supplementing the GDPR and all laws applicable to the collection, storage, processing, and use of Customer’s Personal Data, including the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq (“CCPA”).
(c) « GDPR » means the General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and the free movement of such data.
(d) « Sinch Infrastructure » means (i) Sinch’s physical facilities; (ii) hosted cloud infrastructure; (iii) Sinch’s corporate network and the non-public internal network, software, and hardware necessary to provide the Services and which is controlled by Sinch; in each case to the extent used to provide the Services.
(e) « Restricted Transfer » means a transfer of the Customer’s Personal Data from Sinch to a sub-processor where such transfer would be prohibited by Applicable Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Applicable Data Protection Laws) in the absence of appropriate safeguards required for such transfers under Applicable Data Protection Laws.
(f) « Services » means the services provided to the Customer by Sinch pursuant to the Principal Agreement.
(g) « Standard Contractual Clauses » means the latest version of the standard contractual clauses for the transfer of personal data to processors established in third countries under the GDPR (the current version as at the date of this DPA is as annexed to European Commission Decision 2021/914 (EU) of June 4, 2021).
(h) « UK Addendum » means the United Kingdom Addendum (International Data Transfer Addendum to the EU Commission Standard Contractual Clauses) set out at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf
(i) The terms « consent« , « controller« , « data subject« , « Member State« , « personal data« , « personal data breach« , « processor« , « sub processor », « processing« , « supervisory authority » and « third party » shall have the meanings ascribed to them in article 4 of the GDPR or the CCPA, in cases where CCPA is applicable.
2. Compliance with Applicable Data Protection Laws
(a) Sinch and the Customer shall each comply with the provisions and obligations imposed on them by the Applicable Data Protection Laws and shall procure that their employees and sub-processors observe the provisions of the Applicable Data Protection Laws
3. Details and Scope of the Processing
(a) The Processing of the Customer’s Personal Data within the scope of the Agreement shall be carried out in accordance with the following stipulations and as required under Article 28(3) of the GDPR. The parties may amend this information from time to time, as the parties may reasonably consider necessary to meet those requirements.
(i) Subject matter and duration of the processing of personal data: The subject matter and duration of the processing of the personal data are set out in the Principal Agreement.
(ii) The nature and purpose of the processing of personal data: Under the Principal Agreement, Sinch provides certain services such as messaging, email, voice calls and other communication services, as further detailed in the Principal Agreement, to the Customer which involves the processing of personal data. Subject to section 3(a)(iv), such processing activities include (a) providing the Services; (b) the detection, prevention and resolution of security and technical issues; and (c) responding to Customer’s support requests.
(iii) The types of personal data to be processed: The personal data submitted to Sinch’s network, the extent of which is determined and controlled by the Controller in its sole discretion, may include name, email, telephone numbers, IP address and other personal data included in the contact lists and message or call content.
(iv) Independent Data Controller Exclusion: Notwithstanding any other provision herein, when processing personal data in the course of providing communication services as part of the Services, including the transmission and exchange of SMS via telecommunications networks and other messages and communications, including emails, voice, and other media via other communication platforms, regardless of whether Customer acts as a controller or processor, Sinch acts as an independent data controller, and not as joint controller, so as to provide its communications services and carry out its necessary functions and business as a communication services provider, including necessary measures to prevent spam and fraud and control, security, and maintenance of its network, management of its business and compliance functions, and consistent with its obligations under applicable laws.
(v) The categories of data subjects to whom the personal data relates: Senders and recipients of email and sms messages, voice calls or other communication.
(b) Sinch shall only process the Customer’s Personal Data (i) for the purposes of fulfilling its obligations under the Principal Agreement and (ii) in accordance with the documented instructions described in this DPA or as otherwise instructed by the Customer from time to time. Such Customer’s instructions shall be documented in the applicable order, services description, support ticket, other written communication or as directed by Customer using the Services (such as through an API or control panel).
(c) Where Sinch reasonably believes that a Customer instruction is contrary to the provisions of the Principal Agreement or this DPA, or that it infringes the GDPR or other applicable data protection provisions, it shall inform the Customer without delay. In both cases, Sinch shall be authorized to defer the performance of the relevant instruction until it has been amended by Customer or is mutually agreed by both Customer and Sinch.
(d) Customer is solely responsible for its utilization and management of personal data submitted or transmitted by the Services, including: (i) verifying recipient’s information such as phone number or address and that they are correctly entered into the Services (ii) reasonably notifying any recipient of the insecure nature of email or messaging as a means of transmitting personal data (as applicable), (iii) reasonably limiting the amount or type of information disclosed through the Services (iv) encrypting any personal data transmitted through the Services where appropriate or required by applicable law (such as through the use of encrypted attachments, PGP toolsets, or S/MIME). When the Customer decides not to configure mandatory encryption, the Customer acknowledges that the Services may include the transmission of unencrypted email in plain text over the public internet and open networks. Information uploaded to the Services, including message content, is stored in an encrypted format when processed by the Sinch Infrastructure.
(e) Deviations.
(i) For Customers and contracts in Brazil, the obligations set forth in Section 13(b)- 13(c) will not be applicable, and the following definitions shall replace the ones used:
“Special Categories of Personal Data” shall mean Sensitive personal data: this means such data concerning racial or ethnic origin, religious beliefs, political opinions, membership to a trade union or religious, philosophical or political organizations, data concerning health or a natural person’s sex life, genetic or biometric data, when related to a natural person.”
“Data Processing” shall mean any operation carried out with personal data, such as those that refer to the collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, information evaluation or control, modification, communication, transfer, diffusion or extraction.
(ii) For Customers and contracts in Colombia, in addition to what is agreed upon in this DPA, the following is applicable concerning the processing and transfer of personal data:
“Controller acknowledges that Processor may transfer, store, and process Personal Data to territories outside of Colombia, where it will be subject to the laws of the foreign jurisdictions in which it is held. Controller acknowledges that it possesses all necessary consents and legal authority from data subjects and registrations of databases that would allow Processor to process the data within databases and in countries that meet at least the same data protection standards (adequate level of protection) as the ones provided under Colombian laws (such as, but not limited to, Decree N° 90 of 2018, the Unique Circular from the Superintendence of Industry and Commerce and the External Circular Nº 005 of 2017 from the Superintendence of Industry and Commerce).”
(iii) For Customers and contracts in Argentina, in addition to what is agreed upon in this DPA, the Parties agree to conclude the following Argentinian Standard Contractual Clauses for international transfer in case the Controller of the personal data is from Argentina and/or applicable Data Protection Legislation and/or the Argentinian Data Protection Authority require these clauses to be concluded:
Contrato modelo de transferencia internacional de datos personales con motivo de prestación de servicios
Entre, por una parte, ______________________________________, con domicilio en la calle________, localidad_____________, provincia de __________, Argentina, (en adelante, “el exportador de datos”) y, por la otra, ____________________________ (nombre), __________ (dirección y país), (“en adelante, el importador de datos”), en conjunto “las partes”, convienen el presente contrato de transferencia internacional de datos personales para la prestación de servicios, sometiéndola a los términos y condiciones que se detallan a continuación.
Contrato modelo de transferencia internacional de datos personales con motivo de prestación de servicios
(iv) For Customers and contracts in Mexico, the obligations set forth in Section 13(b)- 13(c) will not be applicable.
4. Controller and Processor
(a) For the purposes of this DPA, the Customer is the controller of the Customer’s Personal Data and Sinch is the processor of such data, except when the Customer acts as a processor of the Customer’s Personal Data, in which case Sinch is a sub-processor.
(b) Sinch shall at all times have in place an officer who is responsible for assisting the Customer (i) in responding to inquiries concerning the Data Processing received from Data Subjects; and, (ii) in completing all legal information and disclosure requirements which apply and are associated with the Data Processing. Such assistance may be requested at privacy@mailgun.com for Sinch Email and dpo@sinch.com for other Sinch services.
(c) The Customer warrants that:
(i) The processing of the Customer’s Personal Data is based on legal grounds for processing, as may be required by Applicable Data Protection Laws and that it has made and shall maintain throughout the term of the Principal Agreement all necessary rights, permissions, registrations and consents in accordance with and as required by Applicable Data Protection Laws with respect to Sinch’s processing of the Customer’s Personal Data under this DPA and the Principal Agreement;
(ii) it is entitled to and has all necessary rights, permissions and consents to transfer the Customer’s Personal Data to Sinch and otherwise permit Sinch to process the Customer’s Personal Data on its behalf, so that Sinch may lawfully use, process and transfer the Customer’s Personal Data in order to carry out the Services and perform Sinch’s other rights and obligations under this DPA and the Principal Agreement;
(iii) it will inform its Data Subjects about its use of Processors in Processing their personal data, to the extent required under Applicable Data Protection Laws; and,
(iv) it will respond in a reasonable time and to the extent reasonably practicable to enquiries by Data Subjects regarding the Processing of their personal data, and to give appropriate instructions to Sinch in a timely manner.
5. Confidentiality
(a) Sinch shall ensure that each of its, and sub-processors’, personnel that is authorized to process the Customer’s Personal Data is subject to confidentiality undertakings or professional or statutory obligations of confidentiality and are trained with the relevant security and Data Protection requirements.
6. Technical and Organizational Measures
(a) Sinch shall, in relation to the Customer’s Personal Data, (a) take and document reasonable and appropriate measures, as described in Annex 2, in relation to the security of the Sinch Infrastructure and the platforms used to provide the Services as described in the Principal Agreement, and (b) on reasonable request at the Customer’s cost, assist the Customer in ensuring compliance with the Customer’s obligations pursuant to Article 32 of the GDPR.
(b) Sinch’s internal operating procedures shall comply with the specific requirements of an effective Data Protection management.
7. Data Subject Requests
(a) Sinch provides specific tools in order to assist customers in replying to requests received from data subjects. These include our APIs and interfaces to search event data, suppressions, and retrieve message content. When Sinch receives a complaint, inquiry or request (including requests made by data subjects to exercise their rights pursuant to Applicable Data Protection Laws) related to the Customer’s Personal Data directly from data subjects Sinch will notify the Customer. Taking into account the nature of the processing, Sinch shall assist the Customer, by appropriate technical and organizational measures, insofar as this is reasonably possible, for the fulfillment of the Customer’s obligation to respond to requests for exercising such data subjects’ rights.
8. Personal Data Breaches
(a) Sinch shall notify the Customer without undue delay once Sinch becomes aware of a personal data breach affecting the Customer’s Personal Data. Sinch shall, taking into account the nature of the processing and the information available to Sinch, use commercially reasonable efforts to provide the Customer with sufficient information to allow the Customer at the Customer’s cost, to meet any obligations to report or inform regulatory authorities, data subjects and other entities of such personal data breach to the extent required under Applicable Data Protection Laws.
9. Data Protection Impact Assessments
(a) Sinch shall, taking into account the nature of the processing and the information available, provide reasonable assistance to the Customer at the Customer’s cost, with any data protection impact assessments and prior consultations with supervisory authorities or other competent regulatory authorities as required for the Customer to fulfill its obligations under Applicable Data Protection Laws.
10. Audits
(a) Sinch shall make available to the Customer on reasonable request, information that is reasonably necessary to demonstrate compliance with this DPA.
(b) Customer, or a mandated third party auditor, may upon written reasonable request conduct an inspection in relation to the Processing of the Customer’s Personal Data by Sinch and to the extent necessary according to Data Protections Laws and without interrupting Sinch’s business operations and ensuring confidentiality.
(c) The audit right as described in Paragraph 10(b) above will become applicable for the Customer, in case Sinch has not provided sufficient evidence of its compliance with the provisions of this DPA. Sufficient evidence includes providing either: (i) a certification as to compliance with ISO 27001or other standards implemented by Sinch (scope as defined in the certificate); or (ii) an audit or attestation report of an independent third party. An audit as described within this Paragraph 10 shall be carried out at the Customer’s cost and expense.
11. Return or Destruction of the Customer’s Personal Data
(a) The Customer may, by written notice to Sinch no later than at the time of termination of the Principal Agreement, request the return and/or certificate of deletion of all copies of the Customer’s Personal Data in the control or possession of Sinch and sub-processors. Sinch shall provide a copy of the Customer’s Data in a form that can be read and processed further.
(b) Within ninety (90) days following termination of the account, Sinch shall delete all personal data processed pursuant to this DPA, unless Customer requests the return of personal data as described in Paragraph 11(a) above. This provision shall not affect potential statutory duties of the Parties to preserve records for retention periods set by law, statute or contract.
(c) Any additional cost arising in connection with the return of personal data after the termination or expiration of the Agreement shall be borne by the Customer.
12. Data Transfers
(a) The Standard Contractual Clauses and, if required, the UK Addendum, having Sinch act as data importer with the Customer acting as data exporter are incorporated as part of this DPA. If Sinch’s arrangement with a sub-processor involves a Restricted Transfer, Sinch shall ensure that the onward transfer provisions of the Standard Contractual Clauses and/or UK Addendum are incorporated into the Principal Agreement, or otherwise entered into between Sinch and the sub-processor. The Customer agrees to exercise its audit right in the Standard Contractual Clauses by instructing Sinch to conduct the audit set out in Paragraph 10.
(b) Customer acknowledges and agrees that, in connection with the performance of the Services under the Agreement, Sinch may transfer personal data within its company group. These transfers are necessary to provide the Services globally.
(c) For transfers of personal data from the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of Data Protection within the meaning of Data Protection Laws of the foregoing territories, to the extent such transfers are subject to Data Protection Laws and Regulations and in order to implement appropriate safeguards, the following safeguards are taken: (i) Standard Contractual Clauses as per European Commission’s Decision 2021/914/EU of June 4, 2021, (2) UK Addendum, and (3) additional safeguards with respect to security measures including data encryption, data aggregation, separation of access controls and data minimization principles.
13. Sub-processing
(a) The Customer hereby gives a general authorization to Sinch to appoint sub-processors in accordance with this Paragraph 13 and Annex 1. Sinch will ensure that sub-processors are bound by written agreements that require them to provide at least the level of data protection required of Sinch by this DPA. The Customer also gives Sinch a specific authorization to continue to use those sub-processors already engaged at the date of this DPA, as referenced in section (b).
(b) The current sub-processors for the Services are set out at https://sinch.com/fr/legal/data-protection-agreement-sub-processors/ (“Sub-processor List”). Provided that the Customer subscribes to notifications of new sub-processors through the subscription mechanism found at https://sinch.com/fr/legal/data-protection-agreement-sub-processors/, Sinch shall notify the Customer, through such mechanism, thirty (30) days’ in advance of any intended changes concerning the addition or replacement of any Sub-processor. If, within ten (10) business days of receipt of that notice, the Customer notifies Sinch in writing of any objections on reasonable grounds to the proposed appointment, Sinch shall not appoint that proposed sub-processor until reasonable steps have been taken to address the objections raised by the Customer and the Customer has been provided with a reasonable written explanation of the steps taken. If Sinch and the Customer are not able to resolve the appointment of a sub-processor within a reasonable period, either party shall have the right to terminate the Principal Agreement for cause.
14. Governing law and jurisdiction
(a) The parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity.
(b) This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.
(c) Notwithstanding the forementioned under this Paragraph (a) and (b), all obligations arising out of or in connection with the Standard Contractual Clauses incorporated into this DPA shall be governed by the laws of the EU Member State specified in Annex 1, as required for the validity of those Standard Contractual Clauses pursuant to European Commission’s Decision 2021/914/EU of June 4, 2021.
15. Order of precedence
(a) With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.
16. Severance
(a) Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
17. Termination
(a) With the termination of the Principal Agreement, this DPA and the Standard Contractual Clauses will terminate upon the fulfillment of Sinch’s obligation to delete the personal data under processing in accordance with Paragraph 11.
(b) Any amendment or variation to this DPA shall not be binding on the Parties unless set out in writing and signed by authorised representatives of each of the Parties.
* * *
IN WITNESS WHEREOF, this DPA and the Annexes are entered into and becomes a binding part of the Principal Agreement with effect from the date first set out above.
SinchThe Customer
Signature: Signature:
Name: Name:
Title: Title:
Date Signed:
ANNEX 1
With regard to the Standard Contractual Clauses the Parties agree that:
(a) Module 2 (Controller-to-Processor) will apply where Sinch acts as Customer’s data processor; Module 3 (Processor-to-Processor) will apply where Sinch acts as Customer sub-processor. For each Module, where applicable:
(b) Clause 7 (Docking clause) is incorporated;
(c) For the purposes of Clause 9.a) (Use of sub-processors), Option 2: General written authorization shall apply. The data importer has the data exporter’s general authorization for the engagement of sub-processors from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least thirty (30) days in advance;
(d) The optional wording in Clause 11 (Redress) on independent resolution bodies is not incorporated;
(e) For the purpose of Clause 13 (Supervision), IMY, the Swedish Data Protection Authority (Integritetsskyddsmyndigheten) shall act as competent supervisory authority;
(f) Option 1 of Clause 17 (Governing law) shall apply and the laws of Sweden shall govern the Standard Contractual Clauses;
(g) For the purposes of Clause 18 (Choice of forum and jurisdiction), the courts of Sweden will resolve any dispute arising out of the Standard Contractual Clauses;
(h) Annex IA (List of Parties) and Annex IB (Description of Transfer) shall be completed using the information and details specified in the Principal Agreement and listed in Paragraph 3 of the DPA;
(i) Annex IB (Description of Transfer) shall be further completed by specifying that no sensitive data shall be transferred. The frequency of the transfer shall be continuous. For transfers to sub- processors, the subject matter, nature and duration of the processing shall be the same as that of the data importer;
(j) For the purpose of Annex IC, the competent supervisory authority in accordance with Clause 13 is IMY, the Swedish Data Protection Authority (Integritetsskyddsmyndigheten);
(k) For the purpose of Annex II, the Technical and organisational measures are described in Annex 2 of the DPA;
(l) For the purpose of Annex III, the List of Sub processors is included in Annex 3 of the DPA.
(m) where the Restricted Transfer is subject to the Regulation as it forms part of the law of England and Wales, Scotland and Northern Ireland (UK GDPR), the Standard Contractual Clauses shall incorporate the UK Addendum completed as follows:
(i) For the purposes of Table 1, the start date is the date of the DPA’s signature and the Parties’ details shall be completed using the information and details specified in the Principal Agreement;
(ii) For the purposes of Table 2, the version of the Approved EU SCCs which the UK Addendum is appended to is the Standard Contractual Clauses as completed in accordance with this Annex 1, with the date being the effective date of this Addendum;
(iii) For the purposes of Table 3, the Appendix Information is as described in paragraphs (h) – (l) of this Annex 1; and,
(iv) For the purposes of Table 4, the Sinch entity acting as the Importer may end the UK Addendum when the Approved Addendum changes.
ANNEX 2
INFORMATION SECURITY – TECHNICAL AND ORGANIZATIONAL MEASURES
The Technical and Organizational Measures included within this Annex are measures that are applicable on the Service(s) provided by Sinch. If necessary, for the Service, Sinch may include further Technical and Organizational measures in the Service Order or Service
1) Inventory of information and other associated assets
An inventory of information and other associated assets, including owners, is developed and maintained. An asset owner has been appointed for every asset within the inventory according to the asset tagging policy.
2) Authentication information
The allocation and management of authentication information is controlled by a management process, which includes advising personnel on the appropriate handling of authentication information.
In particular, Sinch:
3) Access rights
Access rights to information and other associated assets is provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control.
In particular in Sinch:
4) ICT readiness for business continuity
ICT readiness is planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.
In particular, in Sinch:
5) Information security awareness, education and training
Personnel of the organization and relevant interested parties receive appropriate information security awareness, education and training and regular updates of the organization’s information security policy, topic-specific policies and procedures, as relevant for their job function.
In particuar, in Sinch:
6) Capacity management
The use of resources is monitored and adjusted in line with current and expected capacity requirements.
7) Protection against malware
Protection against malware is implemented and supported by appropriate user awareness. All endpoint devices should have EDR Endpoint detection. 8) Management of technical vulnerabilities
Information about technical vulnerabilities of information systems in use is obtained, Sinch’s exposure to such vulnerabilities is evaluated and appropriate measures are taken.
In particular, in Sinch:
9) Configuration Management
Configurations, including security configurations, of hardware, software, services and networks is established, documented, implemented, monitored and reviewed against the following standards: NIST 800-53 and CIS Controls.
10) Information Backup
Backup copies of information, software and systems are maintained and regularly tested in accordance with the agreed topic-specific policy on backup.
The backup routine at least specifies:
11) Monitoring activities
Networks, systems and applications are monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. Networks, systems and application are monitored for anomalous and malicious behaviour in order to detect potential security incidents.
12) Network Security
Networks and network devices are secured, managed and controlled to protect information in systems and applications.
For instance, Sinch:
13) System life cycle management
Rules for the secure development of software and systems are established and applied.
For instance, in Sinch:
14) Security testing in development and acceptance
Security testing processes are defined and implemented in the development life cycle.
15) Measures for ensuring physical security of locations at which personal data are processed
Physical and environmental security measures have been implemented within Sinch.
For instance, in Sinch:
Sinch has also applied an Information Security Management System (ISMS), according to ISO/IEC 27001:2022.
16) Measures for ensuring limited data retention
Measures to ensure limited personal data retention have been implemented.
For instance, Sinch:
17) Measures for ensuring accountability
Appropriate technical and organisational measures have been implemented to meet the requirements of accountability.
For instance, Sinch:
18) Measures for allowing data portability and ensuring erasure
Measures to allow the exercise of data subject rights are implemented within Sinch.
For instance, Sinch:
19) Measures for ensuring data minimisation
Measures to minimize the amount of data processed are implemented.
For instance, for each processing activity Sinch: