Data processing terms

EMAIL HIPPO LTD., A UK CORPORATION (“EMAIL HIPPO”), AND THE COUNTERPARTY AGREEING TO THESE TERMS (“YOU”) HAVE ENTERED INTO AN AGREEMENT FOR THE PROVISION OF PROCESSOR SERVICES (AS AMENDED FROM TIME TO TIME, THE “TERMS OF SERVICE”). 

THESE DATA PROCESSING TERMS:

REFLECT THE PARTIES’ AGREEMENT ON THE TERMS GOVERNING THE PROCESSING AND SECURITY OF PERSONAL DATA BY EMAIL HIPPO ON YOUR BEHALF IN CONNECTION WITH DATA PROTECTION LEGISLATION.
ARE ENTERED INTO BY EMAIL HIPPO AND YOU, EITHER AS AN INDIVIDUAL OR A DULY AUTHORIZED REPRESENTATIVE FOR AN ENTITY (“YOU”/”YOUR”),  AND SUPPLEMENT THE TERMS OF SERVICE. 
WILL BE EFFECTIVE, AND REPLACE ANY PREVIOUSLY APPLICABLE TERMS RELATING TO THEIR SUBJECT MATTER (INCLUDING ANY DATA PROCESSING AMENDMENT OR DATA PROCESSING ADDENDUM RELATING TO THE PROCESSOR SERVICES), FROM THE TERMS EFFECTIVE DATE.

IF YOU ARE ACCEPTING THESE DATA PROCESSING TERMS ON BEHALF OF AN ENTITY, YOU WARRANT THAT: (A) YOU HAVE FULL LEGAL AUTHORITY TO BIND THE ENTITY TO THESE DATA PROCESSING TERMS; (B) YOU HAVE READ AND UNDERSTAND THESE DATA PROCESSING TERMS; AND (C) YOU AGREE, ON BEHALF OF THE ENTITY, TO THESE DATA PROCESSING TERMS.

IF YOU DO NOT HAVE THE LEGAL AUTHORITY TO BIND THE ENTITY PLEASE DO NOT ACCEPT THESE DATA PROCESSING TERMS AND DO NOT USE THE SERVICE.


YOU MUST BE OF LEGAL AGE TO ENTER INTO A BINDING AGREEMENT IN ORDER TO ACCEPT THE TERMS.


PLEASE READ THE TERMS & CONDITIONS OF THIS AGREEMENT AND ANY SUPPLEMENTAL TERMS & CONDITIONS PROVIDED CAREFULLY. IF YOU TICK A BOX OR CLICK A BUTTON CONFIRMING YOU HAVE VIEWED AND ACCEPT THESE TERMS & CONDITIONS, YOU AGREE TO USE EMAIL HIPPO SERVICES UNDER THE TERMS & CONDITIONS OF THIS AGREEMENT.


IF YOU DO NOT AGREE WITH ALL THE TERMS & CONDITIONS OF THIS AGREEMENT, YOU WILL BE UNABLE TO USE THE SERVICES.


YOU SHOULD MAINTAIN A COPY OF THIS AGREEMENT FOR YOUR RECORDS.

1. Definitions

1.1 Specific terms and conditions used in this Agreement will have the following definitions:

“Data Incident” means a breach of Email Hippo’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Your Personal Data on systems managed by or otherwise controlled by Email Hippo. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Your Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) the Data Protection Act 1998 (UK).
“EEA” means the European Economic Area.
“EU” means European Union.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“Information Security Management System Documentation” means the certificate issued for the ISO 27001 Certification and any other security certifications or documentation that Email Hippo may make available in respect of the Processor Services.
“ISO 27001 Certification” means ISO/IEC 27001:2013 certification for the Processor Services.
“Notification Email Address” means the email address (if any) designated by You, via the user interface of the Processor Services or such other means provided by Email Hippoe, to receive certain notifications from Email Hippo relating to these Data Processing Terms.
“Processor Services” means the applicable services agreed under the Terms of Service, available at https://www.emailhippo.com/terms-of-service
“Subprocessors” means third parties authorised under these Data Processing Terms to have logical access to and process Your Personal Data in order to provide parts of the Processor Services and any related technical support.
“Term” means the period from the Terms Effective Date until the end of Email Hippo’s provision of the Processor Services under the Agreement.
“Terms Effective Date” means, as applicable: (a) 25 May 2018, if You clicked to accept, or the parties otherwise agreed to these Data Processing Terms, before or on this date; or (b) the date when You clicked to accept, or the parties otherwise agreed to these Data Processing Terms, if the date is after 25 May 2018.
“Third Party Subprocessors” has the meaning given in Consent to Subprocessor Engagement (Section 11.1).
“Your Personal Data” means personal data that is processed by Email Hippo on your behalf in order for Email Hippo to provide the Processor Services.

1.2 The terms “controller”, “data subject”, “personal data”, “processing”, “processor” and “supervisory authority” as used in these Data Processing Terms have the meanings given in the GDPR.

2. Interpretations

2.1 Either Email Hippo or You may be referred to as a “Party” and collectively as the “Parties”. 

2.2 Any phrase introduced by the terms “including”, “include” or any similar expression will be construed as illustrative and will not limit the sense of the words preceding those terms. Any examples in these Data Processing Terms are illustrative and not the sole examples of a particular concept.

2.3 Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.

3. Application of Terms

3.1 These Data Processing Terms will only apply to the extent that the Data Protection Legislation applies to the processing of Your Personal Data. 

3.2 These Data Processing Terms will only apply to the Processor Services for which the parties agreed to these Data Processing Terms whether they have been specifically agreed or incorporated within Email Hippo’s Terms of Service by reference.

3.3 If there is any conflict or inconsistency between the terms of these Data Processing Terms and the remainder of the Agreement, the terms of these Data Processing Terms will govern. Subject to the amendments in these Data Processing Terms, the Agreement remains in full force and effect.

 4. Duration of Terms

These Data Processing Terms will take effect on the Terms Effective Date and, notwithstanding expiry of the Term, remain in effect until, and automatically expire upon, deletion of all Your Personal Data by Email Hippo as described in Data Deletion (Section 6).

5. Processing of Data

5.1 Processor and Controller Responsibilities and Subject Matter
The parties acknowledge and agree that:

(a) the subject matter and details of the processing of Your Personal Data is as follows:

Subject Matter - Email Hippo’s provision of the Processor Services and any related technical support as requested by You.
Duration of the Processing - Processed data is retained for a maximum of 90 days before automated deletion. Specific processor services operate differently but within this timeframe. If deletion is requested outside our automated process then the duration will expire on the deletion of all Your Personal Data.
Nature and Purpose of the Processing - Email Hippo will process (as applicable to the Processor Services and Your  instructions (Section 5.3) and may include the actions: collecting; recording; organising; structuring; storing; altering; retrieving; using; disclosing; combining; erasing; and destroying) Your Personal Data for the purpose of providing the Processor Services and any related technical support to You in accordance with these Data Processing Terms.
Types of Personal Data - You agree to limit the personal data you provide to Email Hippo to only email addresses. 
Furthermore if you provide Email Hippo with personal data other than email addresses you shall indemnify Email Hippo against any claim, loss, damage, administrative fine or expense (including without limitation legal expenses) suffered or incurred by Email Hippo related to its processing of this personal data.
 
Categories of Data Subjects - data subjects about whom personal data is transferred to Email Hippo in connection with the Processor Services by You or on Your behalf.
(b) Email Hippo is a processor of Your Personal Data under the Data Protection Legislation;

(c) You are a controller or processor, as applicable, of Your Personal Data under the Data
Protection Legislation; and

(d) each party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the processing of Your Personal Data.

5.2 Authorisation by a Third Party Controller
If You are a processor, You warrant to Email Hippo that Your instructions and actions with respect to the relevant Controller’s Personal Data, including its appointment of Email Hippo as another processor, have been authorised by the relevant controller.

5.3 Your Instructions
By entering into these Data Processing Terms, You instruct Email Hippo to process Your Personal Data only in accordance with applicable law: (a) to provide the Processor Services and any related technical support; (b) as further specified by Your use of the Processor Services and any related technical support; (c) as documented in the form of the Terms of Service and these Data Processing Terms; and (d) as further documented in any other written instructions given by You and acknowledged by Email Hippo as constituting instructions for the purposes of these Data Processing Terms.

5.4 Email Hippo’s Compliance with Instructions
Email Hippo will comply with the instructions described in Your Instructions (Section 5.3) (including with regard to data transfers) unless EU or EU Member State law to which Email Hippo is subject requires other processing of Your Personal Data by Email Hippo, in which case Email Hippo will inform You (unless that law prohibits Email Hippo from doing so on important grounds of public interest).

6. Data Deletion

6.1 Deletion During Term
6.1.1 Processor Services With Delete Functionality. During the Term, if the functionality of the Processor Services includes the option for You to delete Your Personal Data and You use the Processor Services to delete certain elements or files containing Your Personal Data You will not be able to recover the data and Email Hippo will delete such Personal Data owned by You from its systems as soon as reasonably practicable and within a maximum period of 90 days, unless EU or EU Member State law requires storage.

6.1.2 Processor Services Without Deletion Functionality. During the Term, if the functionality of the Processor Services does not include the option for You to delete Your Personal Data, then Email Hippo will comply with any reasonable request from You to perform such deletion, insofar as this is possible and  taking into account the nature and functionality of the Processor Services and unless EU or EU Member State law requires storage.
Email Hippo may charge a fee (based on Email Hippo’s reasonable costs) for any data deletion under Section 6.1.3. Email Hippo will provide You with further details of any applicable fee, and the basis of its calculation, in advance of any such data deletion.

6.1.4 Processor Services With Automated Deletion. During the term, Processor Services with automated deletion will automatically delete Your Personal Data on a rolling basis after a maximum period of 90 days from the date of receiving Your Personal Data.

6.2 Deletion on Term Expiry
On expiry of the Term, You instruct Email Hippo to delete all Your Personal Data (including existing copies) from Email Hippo’s systems in accordance with applicable law. Email Hippo will comply with this instruction as soon as reasonably practicable and within a maximum period of 90 days, unless EU or EU Member State law requires storage.

7. Data Security

7.1 Security Measures and Assistance
7.1.1 Security Measures. Email Hippo will implement and maintain technical and organisational measures to protect Your Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.  Security Measures include measures: (a) to encrypt personal data; (b) to help ensure the ongoing confidentiality, integrity, availability and resilience of Email Hippo’s systems and services; (c) to help restore timely access to personal data following an incident; and (d) for regular testing of effectiveness. 
Email Hippo may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Processor Services.
7.1.2 Security Compliance by Email Hippo Personnel. Email Hippo will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Sub-processors to the extent applicable to their scope of performance, including ensuring that all persons authorised to process Your Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7.1.3 Security Assistance. You agree that Email Hippo will (taking into account the nature of the processing of Your Personal Data and the information available to Email Hippo) assist You in ensuring compliance with any of Your obligations in respect of security of personal data and personal data breaches, including (if applicable) Your obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by:
(a) implementing and maintaining the Security Measures in accordance with Email Hippo’s Security Measures (Section 7.1.1);
(b) complying with the terms of Data Incidents (Section 7.2);
(c) and providing the information contained in these Data Processing Terms.

7.2 Data Incidents
7.2.1 Incident Notification. If Email Hippo becomes aware of a Data Incident, Email Hippo will: (a) notify You of the Data Incident promptly and without undue delay; and (b) promptly take reasonable steps to minimise harm and secure Your Personal Data.
7.2.2 Details of Data Incident. Notifications made under Section 7.2.1 (Incident Notification) will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps Email Hippo recommends You take to address the Data Incident.
7.2.3 Delivery of Notification. Email Hippo will deliver its notification of any Data Incident to the Notification Email Address or, at Email Hippo’s discretion (including if You have not provided a Notification Email Address), by other direct communication (for example, by phone call or an in-person meeting). You are solely responsible for providing the Notification Email Address and ensuring that the Notification Email Address is current and valid.
7.2.4 Third Party Notifications. Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any Data Incident.
7.2.5 No Acknowledgement of Fault by Email Hippo. Email Hippo’s notification of or response to a Data Incident under this Section 7.2 (Data Incidents) will not be construed as an acknowledgement by Email Hippo of any fault or liability with respect to the Data Incident.

7.3 Your Security Responsibilities and Assessment
7.3.1 Your Security Responsibilities. You agree that, without prejudice to Email Hippo’s obligations under Sections 7.1 (Email Hippo’s Security Measures and Assistance) and 7.2 (Data Incidents):
(a) You are solely responsible for Your use of the Processor Services, including:
(i) making appropriate use of the Processor Services to ensure a level of security appropriate to the risk in respect of Your Personal Data; and
(ii) securing the account authentication credentials, systems and devices You use to access the Processor Services; and
(b) Email Hippo has no obligation to protect Your Personal Data that You elect to store or transfer outside of Email Hippo’s and its Subprocessors’ systems.
7.3.2 Your Security Assessment. You acknowledge and agree that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purpose of the processing of Your Personal Data, as well as the risks to individuals) the Security Measures implemented and maintained by Email Hippo as set out in Email Hippo’s Security Measures (Section 7.1.1) provide a level of security appropriate to the risk in respect of Your Personal Data.

7.4 Security Certification

To evaluate and help ensure the continued effectiveness of the Security Measures, Email Hippo will maintain the ISO 27001 Certification.

7.5 Audits of Compliance

7.5.1 Customer’s Audit Rights.
(a) Email Hippo will allow You or a third party auditor appointed by You to conduct audits (including inspections) to verify Email Hippo’s compliance with its obligations under these Data Processing Terms in accordance with Additional Business Terms for Audits (Section 7.5.3). Email Hippo will contribute to such audits as described in Security Certification (Section 7.4) and this section (Reviews and Audits of Compliance Section 7.5).

(b) You may also conduct an audit to verify Email Hippo’s compliance with its obligations under these Data Processing Terms by reviewing the certificate issued for the ISO 27001 Certification (which reflects the outcome of an audit conducted by a third party auditor).

7.5.2 Additional Business Terms for Audits.
(a) You will send any request for an audit under Section 7.5.2(a) to Email Hippo as described in Contacting Email Hippo (Section 12.1)

(b) Following receipt by Email Hippo of a request under Section 7.5.3(a), Email Hippo and You will discuss and agree in advance on the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any audit under Section 7.5.2(a).

(c) Email Hippo may charge a fee (based on Email Hippo’s reasonable costs) for any audit under Section 7.5.2(a). Email Hippo will provide You with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. You will be responsible for any fees charged by any third party auditor appointed by You to execute any such audit.

(d) Email Hippo may object to any third party auditor appointed by You to conduct any audit under Section 7.5.2(a) if the auditor is, in Email Hippo’s reasonable opinion, not suitably qualified or independent, a competitor of Email Hippo or otherwise manifestly unsuitable. Any such objection by Email Hippo will require You to appoint another auditor or conduct the audit itself.

(e) Nothing in these Data Processing Terms will require Email Hippo to disclose or allow access to You or Your third party auditor:
(i) any data of any other Email Hippo customers;
(ii) any of Email Hippo’s internal accounting or financial information;
(iii) any trade secrets of Email Hippo;
(iv) any information that, in Email Hippo's reasonable opinion, could compromise: the security of Email Hippo’s systems or premises; or cause Email Hippo to breach its obligations under the Data Protection Legislation or its security and/or privacy obligations to You or any third party; or
(v) any information that You or Your third party auditor seeks to access for any reason other than the good faith fulfilment of Your obligations under the Data Protection Legislation.

8. Impact Assessments and Consultations

You agree that Email Hippo will (taking into account the nature of the processing and the information available to Email Hippo) assist You in ensuring compliance with any obligations of You in respect of data protection impact assessments and prior consultation, including (if applicable) Your obligations pursuant to Articles 35 and 36 of the GDPR, by:
(a) providing the information contained in these Data Processing Terms; and
(b) providing or otherwise making available, in accordance with Email Hippo’s standard practices, other materials concerning the nature of the Processor Services and the processing of Your Personal Data.

9. Data Subject Rights

9.1 Responses to Data Subject Requests 

If Email Hippo receives a request from a data subject in relation to Your Personal Data, Email Hippo will advise the data subject to submit his/her request to You, and You will be responsible for responding to such request.

9.2 Data Subject Request Assistance

You agree that Email Hippo will (taking into account the nature of the processing of Customer Personal Data and, if applicable, Article 11 of the GDPR) assist You in fulfilling Your obligation to respond to requests by data subjects, including (if applicable) Your obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR, by: (a) providing an overview of the functionality of the Processor Services; and (b) complying with the commitments set out in Responses to Data Subject Requests (Section 9.1).

10. Storage, Processing and Data Transfer

10.1 Data Storage and Processing Facilities

You agree that Email Hippo will store and process Your Customer Data within the EU, EEA and UK. 

10.2 Processing Records

You acknowledge that Email Hippo is required under the GDPR to: (a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which Email Hippo is acting and (if applicable) of such processor’s or controller's local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, You will, where requested and as applicable to You, provide such information to Email Hippo via the user interface of the Processor Services or via such other means as may be provided by Email Hippo, and will use such user interface or other means to ensure that all information provided is kept accurate and up-to-date.

10.3 Transfers of Data Out of the EU, EEA and UK
You also agree that in order to provide the Processor Services individual email addresses (from Your Customer Data) may be sent outside the EU, EEA and UK to the mail servers which host the email address being verified. Furthermore You agree that the only purpose for the email address to be sent to email servers is to interrogate the email server and validate the individual email address to understand its existence and credibility. 

11. Subprocessors

You specifically authorise the engagement of Email Hippo’s Subprocessors who provide cloud computing services. Current Subprocessors are:
Microsoft Azure, Microsoft Inc. - UK, Ireland and Netherlands;
Amazon Web Services Inc. - Ireland and Germany; and
CoreIX Limited - UK.

12. Contacting Email Hippo

You may contact Email Hippo in relation to the exercise of Your rights under these Data Processing Terms by: emailing [email protected]; or contacting the Data Protection Officer at the contact numbers or address provided at emailhippo.com; or  such other means as may be provided by Email Hippo from time to time.

13. Liability

If the Agreement is governed by the laws of:
(a) England, then, notwithstanding anything else in the Agreement, the total liability of either party towards the other party under or in connection with these Data Processing Terms will be limited to the maximum monetary or payment-based amount at which that party’s liability is capped under the Agreement (for clarity, any exclusion of indemnification claims from the Agreement’s limitation of liability will not apply to indemnification claims under the Agreement relating to the Data Protection Legislation); or
(b) a jurisdiction that is not England, then the liability of the parties under or in connection with these Data Processing Terms will be subject to the exclusions and limitations of liability in the Agreement.

14. Changes to these Data Processing Terms

14.1 Changes to Data Processing Terms 

Email Hippo may change these Data Processing Terms if the change:
(a) is expressly permitted by these Data Processing Terms
(b) reflects a change in the name or form of a legal entity;
(c) is required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency; or
(d) does not: (i) result in a degradation of the overall security of the Processor Services; (ii) expand the scope of, or remove any restrictions on, Email Hippo’s processing of Your Personal Data, as described in Your Instructions (Section 5.3); and (iii) otherwise have a material adverse impact on Your rights under these Data Processing Terms, as reasonably determined by Email Hippo.

14.2 Notification of Changes 

If Email Hippo intends to change these Data Processing Terms under Section 14.1(c) or 14.1(d), Email Hippo will inform You at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect by either: (a) sending an email to the Notification Email Address; or (b) alerting You via the user interface for the Processor Services. If You object to any such change, You may terminate the Agreement by giving written notice to Email Hippo within 90 days of being informed by Email Hippo of the change.