Terms Of Service

Customer Terms

Part A – Your Contract with Us

About this document

(a) These Customer Terms apply to all Services provided by us to you by agreement between us or, failing agreement, under section 479 of the Telecommunications Act.

(b) These Customer Terms apply:

(i) immediately, for all Customers with a Commencement Date after 19 April 2023; and

(ii) on and from 19 May 2023 for all Customers with a Commencement Date on or before 19 April 2023.

Expiring Terms of Service can be found here: https://bulletin.net/expiring-terms-of-service/

Your Customer Contract

(a) We supply Services to you under your Customer Contract. Your Customer Contract comprises, in order of precedence from highest (i) to lowest (iv):

(i) your Application Form;

(ii) the terms of your Plan;

(iii) the following Parts of these Customer Terms:

this Part A (Your Contract with Us);
Part C (Additional Security Terms applicable to use of our API);
Part D (EU and UK Privacy Terms);
if you are subject to the GDPR, Part E (EC Standard Contractual Clauses); and
if you are subject to the UK GDPR, Part F (UK International Data Transfer Addendum); and

(iv) if you are a Reseller, Part B.

(b) The parties to your Customer Contract are the Customer (you) and the Supplier (we, us).

The Term of Your Customer Contract

(a) Your Customer Contract will continue until the end of the Minimum Term and thereafter on a month-to-month basis until it is terminated in accordance with your Customer Contract.

(b) If your Plan or Application Form does not specify a Minimum Term, states that there is no Minimum Term or is described as month-to-month, casual or no contract or similar, either party may terminate it on 30 days’ notice at any time without penalty.

(c) Your Customer Contract will commence upon our acceptance of your Application Form or when we commence providing the Services to you, whichever happens first (the “Commencement Date”).

Provision of Our Services

The Services

(a) We will provide to you a non-exclusive, non-transferable, licence for the Services subject to the terms of your Customer Contract.

(b) We may provide the Services using such facilities and such Carriers as we choose from time to time. We currently rely on Carrier networks to provide our Services but are not otherwise affiliated or related to such Carriers.

(c) We may provide the Services using Our Facilities and/or third party Provider Facilities. Together, we call those Facilities our Network.

Exclusive or Preferred Supplier

If your Application Form states:

(a) that we are to be your preferred supplier then you must not engage a third party to provide to you more than 10% of your total requirements for the Messaging Services or services substantially similar to the Messaging Services; or

(b) that we are to be your exclusive supplier then you must not engage a third party to provide to you any Messaging Services or services substantially similar to the Messaging Services.

Within 14 days of receipt of a written request, you will provide to us written confirmation from your senior management in a form acceptable to us, attesting to your compliance with clause 5(a) or clause 5(b).

Periodic Entitlements

(a) If your Plan or Application Form states that you are required to pay a Monthly Access Fee you will receive Message Credits equal to the value stated in your Plan or Application Form, which may be redeemed by the Customer against Message Fees incurred during that month. We call these Periodic Entitlements.

(b) Unused Periodic Entitlements do not carry forward and are not redeemable for cash or other credit.

(c) If you exceed your Periodic Entitlements, extra Charges may apply or a Service may be limited in some way. Your Plan or Application Form will give details.

Not used

Compliance with Policies

(a) You must comply with any applicable Acceptable Use Policy or any Anti-Spam Policy we publish on our website or make available to you.

(b) You must comply with any policy we publish on our website or make available to you.

Operational Directions

(a) Acting reasonably, we may give Operational Directions about a Service. Operational Directions will be directed to the safety, security or reliability of Facilities, compliance with Laws or dealing with an emergency. We will only give an Operational Direction as and when reasonably necessary.

(b) You must comply with any applicable Operational Direction.

Carrier or Telecommunications Service provider

You promise that you are not a Carrier or a provider of Telecommunications Services.

Provider Requirements – General

(a) Telecommunications Services, including many of our Services, are commonly provided by means of Provider Facilities, provided by third party Providers.

(b) A Provider may only permit us to provide a Service to you subject to certain requirements (Provider Requirements).

(d) Where a Provider Requirement states that a Provider has a certain right or power:

(i) the Provider itself may exercise that right or power; or

(ii) we may exercise the right or power on behalf of the Provider.

Use of Service by others

(a) Unless your Application Form states that we have appointed you as a Reseller, you must not share, resell or resupply a Service for remuneration or reward.

(b) The acts and omissions of your Staff and End Users with respect to a Service are deemed to be your acts and omissions.

(c) You must ensure that your Staff and End Users do not do (or omit to do) anything that would breach your Customer Contract if done (or not done) by you.

Payment for third party services

Using a Service may depend on you having goods or services supplied by third parties. For instance, in order to use an email-to-SMS Service, you must have an internet connection. You are solely responsible for the costs of all third party goods and services you acquire.

Using a Service

(a) When using a Service, you must comply with:

(i) your Customer Contract (including any applicable Acceptable Use Policy or other policy we provide to you in accordance with clause 9); and

(ii) any applicable Laws.

(b) You must not use a Service, and you must ensure that your End Users do not use a Service:

(i) to send Restricted Content;

(ii) for publishing, reproducing or advertising any message, information, symbol or other communication which is offensive or abusive or of an indecent, obscene or menacing character or for the purpose of causing annoyance, inconvenience or needless anxiety to any person, or for any unlawful purpose;

(iii) to defame any person;

(iv) to breach the rights of any person;

(v) to infringe copyright;

(vi) to create, transmit or communicate communications which are defamatory, obscene, pornographic, discriminatory, offensive, in breach of confidence, illegal or which bring us or any of our Providers into disrepute;

(vii) to host or transmit Content which contains viruses or other harmful code or data designed to interrupt, damage, destroy or limit the functionality of any software, hardware or computer or communications equipment;

(viii) to send, allow to be sent, or assist in the sending of Spam, to use or distribute email harvesting software, or otherwise breach the Spam Laws;

(ix) in a way that is misleading or deceptive;

(x) in a way that results, or is likely to result, in damage to property or injury to any person;

(xi) to transmit, store or process Cardholder Data; or

(xii) in any way that damages or interferes with our Services to other customers, our Providers or any Facilities or exposes us to liability.

(c) You are solely responsible for all acts or omissions that occur under your Account, and the Content of any Messages transmitted through the Service. You acknowledge and agree that any Messages sent using your Account are deemed to have been sent and/or authorised by you.

(d) If you integrate or request us to integrate your account with a third party application or platform, you are solely responsible for such integration. We have no control over any third party application or platform and we are not liable for any transaction you enter into with them. You are responsible for ensuring you comply with any terms of service relevant to the third party and we are not liable for any suspension or termination of the service resulting from your use of the Services. You warrant that your use of the Messaging Services will not infringe the terms and conditions of any third party applications or platforms.

(e) From time to time third parties may recommend our services to new customers. If a third party has referred you to our services we may pay that third party a commission. Any commission paid will not affect the Charges you pay to us. In order to calculate the commission we pay, we may also provide the third party with information about the number of messages you send in a certain period (we will not give them any other information about your Account, message content or other data) and you consent to us doing so.

(f) You must take steps to prevent unauthorised access to a Service and ensure that best security practices are followed, for example, by using strong passwords, not disclosing your log in credentials, by securing any web APIs, and by implementing multi-factor authentication. You indemnify us against any claim, cost, loss or liability which may arise in connection with your failure to comply with your obligations under this clause 15(f).

(g) If you use or facilitate authentication via any social network in the sign-up and/or sign-in process in the course of using the Services, you indemnify us against any claim, cost, loss or liability which may arise in connection with such use or facilitation.

(h) If we incur costs (including but not limited to increased Carrier fees and charges, surcharges or taxes) in connection with your failure to comply with your obligations under this clause 15, you acknowledge and agree that you are responsible for these costs and that we may pass these costs onto you by increasing the amount of the Charges in our sole discretion.

Telephone numbers – General

You must not knowingly and deliberately relocate, reassign or transfer the number for any Service except in accordance with our published procedures, or otherwise as the Law permits.

Telephone numbers – Messaging Services

Any Shared Number or Dedicated Number used in association with your Account has not been issued to you. You acknowledge that we retain ownership of any Dedicated Number used in association with your Account and you have no right to retain a particular number when your Customer Contract ends.
We retain all rights, obligations and liabilities relevant to such numbers.
If your Application Form states that we will provide you with a Dedicated Number/s (inbound or outbound) we will provide you with use of those Dedicated Numbers in accordance with clauses 15 and 16.

Voluntary number porting

If, despite clause 16, we agree to transfer a Shared Number or a Dedicated Number to you or a mobile service number from you for use in connection with an Account, then, as far as the law allows, you release us and our third party supplier/s from all liability to you, and you indemnify us and them against all costs, expenses, liability, loss or damage incurred or suffered by us or them in conjunction with any claims, actions or proceedings against us or them (including third party claims or claims by you) arising out of the following:

(a) our inability to transfer-in or transfer-out the number; or

(b) the fact that the number is not, or ceases to be, available for use in connection with an Account.

Support

We will provide the type and amount of support set out in your SLA. If we are required to undertake on-site support for any reason whatsoever, we will charge you as set out in our SLA. The Customer will also be responsible for any travel expense or other expenses incurred by us in providing on-site support.

Maintenance and faults

(a) From time to time, the Network requires maintenance that may interfere with your Service. We will provide you with notice of any scheduled maintenance where reasonably possible.

(b) You may report faults in relation to a Service or the Network by contacting our help line during its operating hours.

(c) Before reporting a fault, you must take all reasonable steps to ensure that the fault is not caused by Equipment, which is not part of the Network.

(d) You must not report a fault directly to one of our Providers unless we ask you to do so.

(e) If you report a fault that turns out to be a ‘false alarm’, or not to relate to the Network, we may make a reasonable charge for our effort and expenses in responding to your report.

(f) We will use reasonable efforts to repair faults in Our Facilities within a reasonable period.

(g) We will use reasonable efforts to have our Providers repair faults in Provider Facilities within a reasonable period.

(h) You are responsible for maintaining and repairing your own Equipment.

(i) If you cause a fault or damage to the Network, we may charge you the reasonable cost of repairing it.

Your cooperation

(a) You must give us all reasonable cooperation that we require in order to provide a Service to you, and fixing any problems that arise, and resolving any disputes that may arise or complaints that you may have.

(b) We may charge you $100 for each complaint received by us from a Carrier regarding any unsolicited messages despatched by you if we have been charged that sum by a Carrier and are unable to resolve the complaint with the Carrier. The maximum charge to you for any one unsolicited message despatched by you will be NZ$20,000 (subject to any variation to the maximum imposed by any Carrier).

(d) You acknowledge that, where a Service is a telecommunications service within the meaning of the Telecommunications Act, we or a Provider may be required to:

(i) intercept or enable interception communications over the Service pursuant to the Telecommunications (Interception Capability and Security) Act 2013;

(ii) monitor usage of the Service and communications over it; and

(iii) retain and store data, including metadata, as required under Data Retention Laws.

Confidentiality, Intellectual Property and Privacy

Confidentiality

(a) Each party (Recipient) undertakes that, in respect of Confidential Information disclosed to the Recipient by the other party (Disclosing Party), it will not disclose Confidential Information except:

(i) for the purpose for which the Confidential Information was disclosed to the Recipient under the terms of your Customer Contract;

(ii) to those employees, officers and agents of the Recipient who need to know the information for the purposes of your Customer Contract, if that person undertakes to keep confidential the Confidential Information;

(iii) to professional advisers and consultants of the Recipient whose duties in relation to the Recipient require that the Confidential Information be disclosed to them;

(iv) with the prior written approval of the Disclosing Party; or

(v) as otherwise required by law to disclose such information.

(b) The parties acknowledge that monetary damages alone would not be adequate compensation for a breach of the obligations of confidentiality under your Customer Contract, and a Disclosing Party is entitled to seek an injunction from a Court of competent jurisdiction on a breach or threatened breach of this clause.

(c) Despite anything else contained in your Customer Contract and in particular in this clause 21, we retain the unconditional and irrevocable right to disclose your identity and address and those of any of your Staff or End Users in the event of any complaint, query or request received from any regulatory or Government body or Carrier, in connection with your Customer Contract.

(d) Nothing in this clause 21 prevents us from naming you as a customer and user of our Services in our marketing materials.

Intellectual Property

(a) The parties agree that other than as provided in this clause 22, nothing in your Customer Contract transfers ownership in, or otherwise grants any rights in, any Intellectual Property Rights of a party.

(b) If a party provides any material to the other party that contains any Intellectual Property Rights which were developed by or on behalf of, or licensed to, the first party independently of your Customer Contract (Pre-Existing Material), then the first party grants to the other party a non-transferable, non-exclusive, royalty-free licence to use, during the term of your Customer Contract, the Pre-Existing Material solely for the purpose of using or supplying the Services under your Customer Contract or otherwise as required by Law.

Privacy and Spam Laws

(a) If a party is provided with, or has access to, Personal Information in connection with the Services, it must comply with the Privacy Act and any other applicable law in respect of that Personal Information, whether or not it is an organisation bound to comply with the provisions of the Privacy Act. Details of our Privacy Policy can be found on our website.

(b) You acknowledge and agree that where you authorise or require us to collect or otherwise deal with Personal Information in your name, or on your behalf, in connection with providing the Services, that we do so as your agent.

(i) End Users to whom you send Messages have consented or otherwise opted-in to the receipt of such Messages and the collection of Personal Information as required by the Spam Laws or any other applicable Law or regulation; and

(ii) you have provided notice to End Users (including by notifying End Users that their personal information will be handled by us in accordance with our Privacy Policy and by providing End Users with a link to our Privacy Policy) that we may collect, handle, disclose or otherwise will have access to their Personal Information for the purposes of us providing the Services to you and that where our collection, handling or disclosure of, and/or access to Personal Information on your behalf requires the consent of End Users, you have and/or will obtain any such consent before, or at the time such Personal Information is made available to us for collection, handling, disclosure or access (and provide us with evidence of such consent on request).

(d) You acknowledge and agree that except as may be required by your Customer Contract, we are not required to take steps to ensure that any Personal Information collected by you has been collected in accordance with the Privacy Act. Further, you indemnify us for any Claim by a third party that it has suffered Loss as a result of a breach of the Privacy Act.

(e) If the Services or the performance of our respective obligations under your Customer Contract involve any processing of any personal data (as defined in the GDPR) of, or sending Messages to, any individuals in the European Union, then we each agree that we shall comply with the additional terms set out in Parts D and E.

(f) We warrant and represent that the Services include the maintenance of a functioning and effective unsubscribe process that complies with the Spam Laws.

Credit

Credit (1): Guarantees and security

We may, at any time, make supply of Service conditional on you providing and/or maintaining security and/or third party guarantees to our reasonable satisfaction.

Credit (2): Credit checks

(a) At our discretion, we may obtain a credit report about you to help us decide whether to accept your application for service and to help us collect overdue amounts. In the course of a credit check, we may disclose Personal Information about you to a credit reporting agency or other credit information provider. We may receive a credit report and other information about you, including Personal Information. A credit reporting agency may include the fact that we obtained a credit report about you in its credit information file on you.

(b) We may disclose to a credit reporting agency: information in your application, details of your account, that you have applied for credit with us, that we are a current credit provider to you, payments that are more than 60 days overdue and are subject to collection processes, any cheque / direct debit of yours for $100 or more which has been dishonoured / refused more than once, any serious credit infringement you have committed or that payments are no longer overdue.

(i) a debt collection service we engage; and

(ii) anyone who takes, or is considering taking, an assignment of any debt you owe us.

(d) Your consents

(i) If you are an individual, you agree that we can conduct a credit check and verify your personal details, in accordance with this clause.

(ii) If you are self-employed, you agree that we can:

(A) obtain and use any report or information from a credit reporting agency, which contains information about your commercial activities or commercial credit worthiness;

(B) exchange with your other credit providers, any credit report or other report about your credit worthiness or history, or Personal Information contained in those reports – in accordance with this clause.

(e) You acknowledge that credit and other information about you may be used:

(i) to assess your application,

(ii) to assist you to avoid defaulting on your credit obligations,

(iii) to notify other credit providers of a default by you,

(iv) to assess your creditworthiness.

Prices, Billing and Payment Terms

Charges & payment: Prices

(a) You agree to pay our Charges in accordance with the terms of your Customer Contract.

(b) Except as provided in clause 26(c), our current prices are published on our website or otherwise notified to you at any time, referred to as our ‘Price List’. The Price List may be amended from time-to-time without further notice to you.

(c) If the price for a service is not listed in our Price List, for example the price for international SMS, we may charge you a fee equal to the cost to us of providing that service, including without limitation the costs associated with Carrier surcharges, plus a reasonable margin. Our international rates change frequently and we reserve the right to adjust our Charges for international services accordingly without notice.

(d) Our Charges may include the charges and costs which we are charged by third parties (including, without limitation, any charges imposed by Providers or by credit card providers or other payment merchants) in connection with the provision of the Services (Third Party Charges). If any such Third Party Charges increase, then we may pass the increased Third Party Charges on to you by increasing the amount of the Charges accordingly.

(e) Unless specifically provided otherwise in your Application Form or elsewhere in your Customer Contract, our Charges are in New Zealand Dollars. We will calculate any international currency conversions using an exchange rate from a reputable independent provider which we elect to use for currency conversions. Currency conversions will be calculated at or about the date we issue you with a Bill. If our costs of providing the Services to you are increased due to fluctuations in relevant foreign currency exchange rates, we may pass on those increased costs to you as set out in clause 26(d).

(f) You warrant that you will use the Messaging Services exclusively for the sending of Standard Rate Messages containing Unrestricted Content to End Users and, where the Service supports it, receiving Messages from End Users. We may impose an extra Charge if you send any Messages that are not Standard Rate Messages, equal to the amount charged to us by the Carrier plus a reasonable margin (this will not apply to Premium Short Code users).

(g) You must pay for every Message despatched using the Messaging Services irrespective of receipt by the intended recipient.

(h) On written request received within 30 days of the Message being despatched, we will provide evidence that the Message was delivered to the relevant Carrier or Provider.

(i) Any failure by a Carrier to deliver a Message to the intended recipient is beyond our control and you will not hold us liable in respect of any such failure.

(j) Where the Services are such that the Carrier will charge you or your customers, you agree to make payment to the Carrier directly or to ensure that your customers will make payment to the Carrier directly.

(k) Where the Carrier is to charge your customers directly you will, upon request, provide evidence to us that you have obtained appropriate authorisation from your customer.

(l) Where a Message Originator incurs Charges, the Carrier will invoice such Charges directly to the Message Originator and recover all such sums directly from the Message Originator in accordance with the Service Rules. Where your Application Form provides for revenue received by us from a Carrier to be shared with you:

we will pay you the agreed revenue share if any only if we receive payment from the Carrier;

(m) if we are required to repay any revenue share to the Carrier for any reason (or the Carrier sets off any such amount from any future revenue share due to us) we may, at our discretion, require you to refund any revenue share paid to you (or set off that amount from any future amounts due to you).

(n) Our Charges for multichannel messaging / messaging on social channels (for example Messenger, Instagram Direct, Google Business Messages or WhatsApp) are charged per Conversation.

Calculation of number of SMS

Information point: The SMS system allows a maximum message size of 160 characters. If a user sends a longer message, the system splits it to two or more separate SMS’s that may be reassembled on delivery so that they appear to be a single message (or, on some handsets, may be delivered as a series of separate SMS). When a longer message is split in this way, the components are no more than 153 characters long, because seven characters are used to facilitate re-joining on delivery. As a result, a longer message will result in more than one SMS being transmitted, and charges apply accordingly, as described in this clause. Charges for an SMS Service will be based on the number of SMS you send, calculated in accordance with the following rules:

(a) If you include any Unicode characters and send via a Unicode supported service, content that contains no more than 70 characters counts as one SMS. In all other cases, content that contains no more than 160 characters counts as one SMS.

(b) If you include any Unicode characters and send via a Unicode supported service, content that contains more than 70 characters counts as one SMS for each block of 67 characters or part thereof. In all other cases, content that contains more than 160 characters counts as one SMS for each block of 153 characters or part thereof.

(d) Each press of a ‘spacebar’ generates a separate character.

(e) Some special symbols and non-English letters may comprise more than one character and you will be charged accordingly.

(f) Where an SMS is sent to multiple End Users, each one is counted separately.

Billing

(a) Your ‘Billing Period’ is the period between Bills. Unless your Application Form states otherwise, our standard Billing Period is monthly.

(b) We can bill a part-period eg to align your Billing Period with the first day of each month.

Extra Charges for Bills and information

(a) We may charge you an extra Charge if:

(i) you request non-standard information about your Bill or Charges or you ask us to deliver a Bill by a method that is not the standard method for a Plan; or

(ii) we provide billing and payment services for you (for example, accessing your purchasing platform and entering our invoices into your systems).

(b) If you request a paper Bill when that is not the standard method for a Plan or request additional services such as those listed in (a)(ii) above, the extra Charge is $5 per Bill, or as otherwise agreed between the parties.

Late billing

Some Charges in a Bill may relate to a previous Billing Period, if such Charges were not included in any previous Bill or remain unpaid. We do not waive our right to require payment of applicable Charges by not including the Charges in a Bill.

When you must pay

(a) If any Bill is overdue for payment, you must pay that Bill and any other Bill immediately.

(b) You must pay a Bill no later than the 20th day of the calendar month following the Bill date.

How you can Pay

You may pay by EFT or any other payment method we notify you that we accept.

Late payment

If a Bill is not paid on time:

(a) you are in breach of your Contract, and

(b) we may also charge:

(i) interest at the 90-Day Bank Accepted Bill Rate published by the Reserve Bank of New Zealand plus 2% from the Bill date until it is paid in full; and

(ii) a reasonable late fee; and

(iii) any collection fees and expenses that we incur, including costs that we incur in engaging debt collection agencies.

(c) you agree that we may appoint an agent to collect on our behalf any Bills which is not paid on time and we will be entitled to charge you any costs that we incur in engaging debt collection agencies to recover unpaid amounts in a Bill.

Billing disputes

(a) Our records of what you owe us are deemed to be right unless you show them to be wrong.

(b) If you dispute a Bill, you must pay it on time and without set off. We shall credit you if it is later determined that you are entitled to a credit.

(c) You may not raise a billing dispute more than 60 days after payment for a particular Billing Period is due, and we will not pay a refund or give a credit in respect of a period prior to that.

In this clause, an expression within

(a) a pair of asterisks means the same as in the GST Act.

Amounts payable under your Contract are taken to be GST inclusive unless they are expressed to be ‘GST exclusive’, ‘+ GST’ or similar. Where any amount is GST inclusive, it is the gross amount, inclusive of any GST payable in respect of any *taxable supply* for which that amount is paid. Otherwise:

(i) The *consideration* payable by a party represents the *value* of any *taxable supply* for which payment is to be made.

(ii) If a party makes a *taxable supply* for *consideration*, which represents its *value*, then the other party must pay immediately the amount of any GST payable in respect of the *taxable supply*.

(b) If these terms require a party to pay, reimburse or contribute to an amount paid or payable by the first party in respect of an *acquisition* of a *taxable supply* from a third party, the amount the other party must pay, reimburse or contribute will be the value of the *acquisition* by the first party less any *input tax credit* to which the first party is entitled plus, if the first party’s recovery from the other party is a *taxable supply*, any GST payable under this clause.

Warranties and Indemnities

Service Level Agreements

If a Service or a Plan includes a Service Level Agreement (SLA):

(a) we are only liable for the remedy or rebate specified by the SLA (if any); and

(b) subject to the express terms of the SLA, our liability for breach of the SLA is limited to such remedy or rebate; and

Exclusion of Implied Terms and Warranties

You agree and acknowledge that:

(a) any representation, warranty, condition, guarantee or undertaking that would be implied in your Customer Contract by legislation, common law, equity, trade, custom or usage or otherwise is excluded from your Customer Contract to the fullest extent permitted by law;

(b) we do not warrant or represent the performance, accuracy, reliability or continued availability of the Services or Facilities or that the Services or Facilities will operate free from faults, errors or interruptions.

Your liability to us – General

(a) Subject to clause 41, you must indemnify us for any loss or damage we suffer arising from or in connection with:

(i) your breach of your Customer Contract;

(ii) all Content sent or received on your Account;

(iii) any wilful or negligent act or omission by you, your employees, agents or contractors;

(iv) a Claim against us by your Staff, any End User or any third party arising out of or in relation to your use of the Services and/or Equipment;

(v) your use of the Service in a way that breaches any Law or infringes the rights of any third party;

(vi) acts or omissions of End Users; and

(vii) your integration of the Service with a third party application or platform,

except to the extent that we are negligent or caused or contributed to the loss or damage.

(b) Your obligations under this clause survive termination of your Customer Contract.

Your liability to us –requests for information or evidence

(a) This clause applies where we reasonably incur expense as a result of or in connection with:

(i) a police request for information or evidence in relation to you or your use of a Service;

(ii) a Court or other competent authority’s direction for provision of information or evidence in relation to you or your use of a Service; or

(iii) a demand from a legal practitioner for information or evidence in relation to you or your use of a Service.

(b) If we incur any expenses under paragraph (a), you must reimburse us on request.

Our liability to you

(a) Subject to clause 41, we must indemnify you for any loss or damage you suffer arising from or in connection with:

(i) our breach of your Customer Contract;

(ii) any wilful or negligent act or omission by us, our employees, agents or contractors;

(iii) a Claim against you by any End User in relation to a Service we supply to you arising out of our negligence in supplying the Services to you; and

(iv) our supply of the Services in a way that breaches any Law or infringes the rights of any third party,

except to the extent that you are negligent or caused or contributed to the loss or damage.

(b) Our obligations under this clause survive termination of your Customer Contract.

Limitation on Liability

(a) To the maximum extent permitted by law, the parties agree:

(i) that the maximum cumulative liability of a party under or in connection with your Customer Contract (including pursuant to an indemnity) will be the total amount payable to us by you under your Customer Contract in the 12 months preceding the incident or event giving rise to the liability;

(ii) that neither party will be liable to the other party for any loss of profit or indirect loss or consequential loss suffered by the other party arising out of your Customer Contract, whether arising as a result of any act, omission or negligence of a party or otherwise;

(iii) without limiting clause 41(a)(i) or (ii) above or any other liability limitation or exclusion applicable under your Customer Contract, we and our Related Companies disclaim all liability whatsoever that may arise from your use of any third-party products and our licensors will have no liability of any kind whatsoever under your Customer Contract; and

(iv) that a party may only bring a claim against the other in its individual capacity, and not as plaintiff or class member in any purported class action or representative proceeding.

(b) Nothing in this document limits or excludes the liability of a party for claims relating to:

(i) personal injury or death directly arising from that party’s negligent acts or omissions;

(ii) infringement of intellectual property rights; or

(iii) fees and Charges payable.

Termination and Suspension

Termination by us

We may, by written notice to you, terminate your Customer Contract:

(a) at any time (except during the period of the Minimum Term), on 30 days’ written notice to you;

(b) immediately if you are in material breach of your Customer Contract (including but not limited to a failure to pay us on time, a breach of the Acceptable Use Policy) and you fail to remedy such breach within 14 days of being served notice to do so;

(c) immediately if you breach clause 5(a) (preferred supplier) or 5(b) (exclusive supplier) and you fail to remedy such breach within 14 days of being served notice to do so;

(d) where permitted by law, immediately if you suffer an Insolvency Event;

(e) immediately if we become entitled to suspend the Service, and the suspension continues for more than a month;

(f) immediately if we reasonably suspect that you, your Staff or your End User has infringed or attempted to infringe our Intellectual Property Rights;

(g) immediately if you cause to be reversed any Direct Debit or credit card payment to us (except with our prior written agreement);

(h) immediately if it is necessary to do so in order to comply with a warrant or other court order, or as otherwise required or authorised by law;

(i) immediately if we reasonably suspect fraud or attempted fraud involving the Service;

(j) immediately if you are, or become, a carrier or a provider of Telecommunications Service under the Telecommunications Act;

(k) immediately if you breach clause 21 (Confidentiality); or

(l) in any other circumstances stated elsewhere in your Customer Contract.

Termination by you

You may terminate your Customer Contract:

(a) at any time (except during the period of the Minimum Term) on 30 days’ written notice to us;

(b) immediately, by giving us written notice if we are in material breach of your Customer Contract and we fail to remedy that breach within 14 days of being served notice to do so;

(d) by giving us 14 days’ written notice, if an Intervening Event occurs and you are unable to use the Service for more than 30 days;

(e) by giving us 14 days’ written notice, if you reasonably suspect that we have infringed or attempted to infringe your Intellectual Property Rights; or

(f) in any other circumstances stated elsewhere in your Customer Contract.

Consequences of Termination

If your Customer Contract ends:

(a) during the period of the Minimum Term then you will be required to immediately pay us the Early Termination Fee (other than if you terminate your Customer Contract pursuant to clauses 43(b), 43(c), 43(d), 43(e) or 43(f)). You acknowledge and agree that any liability to pay us an Early Termination Fee does not prejudice any other right we may have to claim damages as a result of the termination.

(b) our obligations to you under your Customer Contract are at an end;

(d) we may bill you for any Services we have not yet invoiced and all other amounts we are entitled to under your Customer Contract;

(e) all Bills are payable immediately;

(f) you authorise us to recover any outstanding Charges and Early Termination Fees from any overpayment you have made, or Direct Debit them from your credit card or bank account if you normally pay by Direct Debit;

(g) it does not affect the accrued rights or liabilities of either party; and

(h) it does not affect the provisions which expressly or by implication are intended to operate after termination including, without limitation clauses 21, 22 and 23 and the limitations of liability and rights of indemnity.

Suspension of Service

(a) We may suspend a Service or all Services at any time, without liability and without any requirement to provide notice to you, if:

(i) there are problems with the Network, or we or our Providers need to suspend the Services to conduct operational and maintenance work on the Network;

(ii) you fail to pay any amount owing to us in respect of the Service under your Customer Contract (which is not the subject of a bona fide dispute) by the due date, and you fail to pay that amount within the period specified in any subsequent notice we send you;

(iii) you breach your Customer Contract, including terms relating to your use of the Service or any Acceptable Use Policy including but not limited to a breach of the Spam Laws;

(iv) there is an emergency;

(v) there is a threat or risk to the security of the Service or integrity of the Network;

(vi) the Service may cause death, personal injury or damage to property;

(vii) we are required to do so to comply with any Law or direction of any Regulator;

(viii) an Intervening Event occurs;

(ix) your Account remains inactive for a period of 12 months or more;

(x) we exercise discretion to block a Service in relation to a specific overseas territory, for any reason that we consider appropriate; or

(xi) we are otherwise entitled to do so under your Customer Contract.

(b) Whilst we are under no obligation to provide any notice of a suspension of Service under clause 45(a), our right to suspend Service under clause 45(a) is not waived or otherwise affected by any notification we provide to you in relation to the circumstances or events that rise to our right to suspend Service.

Charges during a period of suspension

If we suspend Service:

(a) because of your fault or breach of your Customer Contract – you remain liable for all Charges payable under your Customer Contract during the period of suspension;

(b) otherwise – you are entitled to a pro rata reduction in Charges in respect of the period of suspension.

General

General power to vary your Customer Contract

Subject to clause 48, and without limiting our rights under clauses 26(b)-(e),

(a) we may vary your Customer Contract from time to time and if such variation is material, we will provide you with 14 days’ written notice of that variation; and

(b) any variations that have been deemed to be accepted pursuant to clause 48 will take effect 15 days after the date of any notice.

Customer Right to terminate on Receipt of Notice of Variation

If you do not accept the variation set out in a notice from us pursuant to clause 47 you must notify us in writing within 14 days. If you fail to do so, you will be deemed to have accepted the variation. If you notify us that you do not agree to the variation, then we must discuss the proposed variation in good faith. If no agreement on the variation is achieved within 10 Business Days either party may terminate your Customer Contract by providing 30 days’ written notice to the other party and no Early Termination Fee will be payable.

Acknowledgments

You acknowledge that:

(a) there has been no reliance by you on our skill or judgement or written or oral representations in deciding whether our Service is fit for a particular purpose or meets particular criteria;

(b) the internet is not an inherently secure system and you undertake responsibility for the protection of your information and data;

(c) the internet may contain viruses (including other destructive programs), which may, if not eliminated, destroy parts or all of the data contained within your system, and that we have no control over these viruses; and

(d) we do not provide any filtering or checking of data to eliminate these viruses, and you agree to provide your own mechanism for checking your system for viruses, and to indemnify us against any damage caused by viruses obtained through the Service.

Assignment

(a) We may assign or novate all or part of our rights and obligations under your Customer Contract without your consent.

(b) You cannot assign or novate all or part of your rights and obligations under your Customer Contract unless we agree in writing.

Governing law

Your Customer Contract is governed by and must be construed in accordance with the laws of New Zealand. You and we submit to the exclusive jurisdiction of the courts of New Zealand.

Entire agreement

Your Customer Contract is the entire agreement between you and us regarding its subject matter, and you acknowledge that:

(a) subject to clause 53 and without otherwise limiting any statutory rights you may have (including under the Consumer Guarantees Act 1993) your Customer Contract does not include any term, condition, warranty, representation or guarantee that is not expressly set out in it; and

(b) you have not relied on any representation that is not expressly set out in your Customer Contract.

Contracting out

Where you are in trade and to the extent that it is fair and reasonable for us to do so, you agree that:

(a) under your Customer Contract we are contracting out of sections 9, 12A, 13 and 14(1) of the Fair Trading Act 1986; and

(b) the goods and services supplied by us to you under your Customer Contract are supplied and acquired in trade and we are contracting out of the Consumer Guarantees Act 1993.

Delays

(a) Time is not of the essence in the performance of our obligations, including the provision of Service, under your Customer Contract.

(b) We are not liable to you for any delay in the provision of any Service.

No waiver

A failure, delay, relaxation or indulgence by us in exercising any power or right conferred under your Customer Contract (such as a right that we have due to your breach of your Customer Contract) does not operate as a waiver of the power or right.

Commercial Electronic Messaging

(a) Subject to this clause, we may send you Commercial Electronic Messages regarding telecommunications goods and services, and ancillary goods and services, and you consent to us doing so.

(b) Your consent under clause 56(a):

(i) applies while your Customer Contract is in force and for a year afterwards; and

(ii) is in addition to any other consent that you may give, or which may be inferred, for the purposes of section 9 of the Unsolicited Electronic Messages Act; but

(iii) terminates if you give us reasonable written notice that it is withdrawn.

(c) Any Commercial Electronic Message we send you does not have to comply with section 11 of the Unsolicited Electronic Messages Act.

(d) This clause 56 survives the termination of your Customer Contract.

Interpretation and Dictionary

Interpreting your Customer Contract

(a) If an expression is defined in the Dictionary in clause 58, that is what it means.

(b) If an expression is defined in the Dictionary, grammatical derivatives of that expression have a corresponding meaning. (For instance, if ‘to colour’ means ‘to paint blue’, then ‘coloured’ means ‘painted blue’.)

(c) Expressions like ‘includes’, ‘including’, ‘eg’ and ‘such as’ are not words of limitation. Any examples that follow them are not to be taken as an exhaustive list.

(d) Headings are only for convenience. They are to be ignored when interpreting our Customer Terms.

(e) A schedule to a document is part of that document.

(f) A reference to the singular includes the plural and vice versa.

(g) There is no significance in the use of gender-specific language.

(h) A ‘person’ includes any entity which can sue and be sued.

(i) A ‘person’ includes any legal successor to or representative of that person.

(j) A reference to a law includes any amendment or replacement of that law.

(k) Anything that is unenforceable must be read down, to the point of severance if necessary.

(l) Anything we can do, we may do through an appropriately authorised representative.

(m) Any matter in our discretion is in our absolute and unfettered discretion.

(n) A reference to a document includes the document as modified from time to time and any document replacing it.

(o) The word ‘month’ means calendar month and ‘year’ means 12 months.

(p) The words ‘in writing’ include any communication sent by letter or email or any other form of communication capable of being read by the recipient.

(q) A reference to all or any part of a statute, rule, regulation or ordinance (statute) includes that statute as amended, consolidated, re-enacted or replaced from time to time.

(r) Money amounts are stated in New Zealand currency unless otherwise specified.

Dictionary

The expression:	*means*:
Acceptable Use Policy	a policy so titled and issued under clause 9
Account	the Customer’s entitlement to Messaging Services subject to your Customer Contract and, where relevant, includes any Service features, associated usernames or passwords
Anti-Spam Policy	a policy so titled and issued under clause 8
API	an application programming interface
Application or Application Form	your application to us to access Messaging Services, in a form we specify from time to time (include via online sign-up or e-form) and which may also contain features, entitlements, Charges and special conditions in connection with a Service.
Automatic Direct Debit	a periodic payment that is automatically deducted by us from your nominated financial institution account
Bill	an invoice from us, in the form specified in your Application Form, which advises you of the total of each Charge that is due for payment
Billing Period	see clause 28(a)
Content	the content of a Message you send or receive
Conversation	for the purposes of clause 26(j) in the context of multichannel messaging / messaging on social channels, means a 24-hour session of unlimited two-way messaging with one End User on one social channel, commencing with the first business-initiated message sent in reply to an End User message
Customer	the customer named in the Application Form
Customer Contract	see clause 2
Customer Terms	the terms and conditions set out in Part A of this document
Data Retention Laws	any Laws which require data, including metadata, to be retained or dealt with in a particular way
Dedicated Number	a digital mobile service number provided by us to you under your Customer Contract for exclusive use by you as part of your Messaging Service.
Direct Debit	a payment that is deducted by us from your nominated financial institution account, including an Automatic Direct Debit
Early Termination Fee	is calculated as a genuine pre-estimate of our loss of net profits and wasted costs as a result of any early termination within the Minimum Term under clause 43(a), following our reasonable steps to mitigate our loss, which is calculated in accordance with the following formula: 45% of the average monthly amount we have invoiced you from your Commencement Date until the date of termination multiplied by the number of remaining months (or any part thereof) of the Minimum Term
End User	a person who receives a Message you send using your Account, and a person who sends you a Message via your Account
Equipment	a handset, modem, router or other hardware
Extract	deduct an amount by Direct Debit
Facilities	systems, software, computers, equipment and network infrastructure of all kinds used to provide or in connection with the provision of a Service
GDPR	the General Data Protection Regulation (Regulation (EU) 2016/6790)
GST	Goods and Services Tax
GST Act	Goods and Services Tax Act 1985
Insolvency Event	includes an event where a receiver or receiver and manager is appointed over a party’s property or assets, an administrator, liquidator or provisional liquidator is appointed to the party, the party enters into any arrangement with its creditors, the party becomes unable to pay its debts when they are due, the party is wound up or becomes bankrupt, or any other analogous event or circumstance occurs under the laws of any jurisdiction
Integrations	is defined in Part C
Intellectual Property Rights	Includes all right, title and interest wherever subsisting (now or in the future) throughout the world, and whether registered or not, in and to: a. copyright, neighbouring rights, moral rights and the protection of databases, circuit layouts, topographies and designs; b. methods, inventions, patents, utility models, trade secrets, confidential information, technical and product information; and c. trade-marks, business and company names and get ups, and includes the right to apply for registration, grant or other issuance of the rights described in paragraphs (a), (b) and (c) above and any other rights generally falling within this term
Intervening Event	an event beyond our reasonable control which interferes with and prevents us from providing the Services to you. Such events include any act or omission of our Providers, any disruption to our or our Providers’ networks, infrastructure and equipment, failure of any electrical power supply, changes to any laws or regulations, industrial action and acts of God including but not limited to lightning strikes, earthquakes, floods or other natural disaster
Law	laws, Acts of Parliament, regulations, mandatory standards and industry codes and including the requirements or directions of any Regulator
Message	an SMS, MMS or OTT Message
Message Credits	a credit equal to your Monthly Access Fee that may be applied to your Messaging Fees for that month, subject to clause 6
Messaging Fee	a Charge per Message sent or received on your Account
Message Originator	the unique telephone number that initiates a Message to a Short Code
Messaging Service	a Telecommunications Service for sending and/or receiving and/or processing Messages
Minimum Term	the period specified in your Plan or Application Form, or if your Plan or Application Form does not so specify, means 12 months
MMS	a message including text and/or multimedia content carried by the multimedia messaging service developed by the Open Mobile Alliance, whether it originates or terminates on a mobile phone or another kind of computer
MMS Service	a Messaging Service for MMS
Monthly Access Fee	the charge identified as such in a Plan or Application Form
Network	see clause 4(c)
Operational Directions	any direction we give you in relation to the Services or your Account in accordance with clause 9
OTT Message	is an instant message that uses the internet for transmission
Our Facilities	Facilities we own and/or operate
Personal Information	as defined in the Privacy Act from time to time
Plan	a particular set of features, entitlements, term of contract, Charges and special conditions in connection with a Service. Many of our Services are available under different Plans, each with its own features, entitlements, contract period, Charges and special conditions. The terms of your Plan form part of your Customer Contract.
Prepaid Entitlement	an entitlement to send a message based on an amount prepaid by the Customer
Prepaid Plan	a Plan where you must pay in full for a Service before you use it
Price List	see clause 26(b)
Privacy Act	Privacy Act 1993, as amended from time to time
Privacy Policy	our privacy policy found on our website
Provider	a third party that, under a contract with us, provides (a) access to Facilities they manage or maintain or (b) content or (c) a service – that we resupply to you
Provider Facilities	Facilities that are managed or maintained by a Provider
Provider Requirements	see clause 11
Regulator	includes the Commerce Commission and any other relevant government or statutory body or authority and the Telecommunications Commissioner
Reseller	a Customer whose Application Form states that they are appointed as a reseller of our Services
Related Company	as defined in the Companies Act 1993
Restricted Content	Content that: a. is likely to be, having regard to the contemporary attitudes of New Zealand society, offensive to reasonable adults; b. is likely to be, having regard to Law and the contemporary attitudes of New Zealand society, unsuitable for minors; c. promotes, incites or instructs in matters of crime; d. describes, incites or promotes unlawful sexual activity; e. promotes or incites violence or hatred against any person or group, or incites racial hatred; f. causes unnecessary alarm, distress or panic or is menacing in character; g. contains a computer worm or virus; h. breaches any Law; i. is in contravention of any privacy rules; j. infringes the confidentiality, copyright or other intellectual property rights or any other proprietary interest of any person; k. is false, misleading or deceptive, or likely to mislead or deceive; l. is fraudulent or promotes fraudulent activity; m. provides financial advice to any person; n. is out of date, having regard to information generally available, subsequently published, or released, or made available; or o. is for the purpose of providing any warning or notification about a serious risk to the safety of persons or property (for example, emergency services)
SDK	a software development kit
Services	a service (including any Equipment) which we provide to you, including but not limited to (a) a telecommunications service of any kind; or (b) ancillary goods or services
Service Level Agreement	a written service quality assurance titled as such, as updated by us from time to time
Service Rules	the service rules provided to you on or about the date of your Application or as published by us on our website from time to time and as updated from time to time by a Carrier
Shared Number	a digital mobile service number that we associate with multiple Accounts
Short Code	a specific short code number which a Carrier has approved for exclusive use by the Customer
SLA	a Service Level Agreement
SMS	a text message carried by the short message service that was originally developed for use on the GSM mobile telephone network, whether it originates or terminates on a mobile phone or another kind of computer
SMS Service	a Messaging Service for SMS
Spam	an unsolicited commercial electronic message within the meaning of the Unsolicited Electronic Messages Act
Spam Laws	the Spam Act 2003 (Australia), the Unsolicited Electronic Messages Act 2007 (New Zealand), the CAN-SPAM Act (USA) and any other similar legislation, guidelines and codes of practice in relation to Spam including but not limited to the e-Marketing Code of Conduct
Staff	any person, whether your employee, contractor or otherwise, who uses your Account
Standard Contractual Clauses	the EU Standard Contractual Clauses between controller to processor and between processor to processor approved by the European Union, as set out in Part E
Standard Rate Messages	Messages that are billed by Carriers at standard rates, and in particular are not premium rate Messages, which are billed by Carriers at premium rates
Supplier	the entity described as such in the Application Form and/or your Plan and/or on the website on which these Customer Terms are published.
Taxes	mean all applicable federal, state and local taxes, fees, charges, telecommunications provider (e.g., carrier) surcharges or other similar exactions, including, without limitation, sales and use taxes, communications service taxes, utility user’s taxes or fees, excise taxes, VAT, GST, other license or business and occupations taxes, franchise fees and universal service fund fees or taxes. Taxes do not include any Taxes that are imposed on or measured by our net income, property tax, or payroll taxes.
Telecommunications Act	Telecommunications Act 2001
Telecommunications Service	as defined in the Telecommunications Act
Unicode	the international encoding standard for use with different languages and scripts, by which each letter, digit, or symbol is assigned a unique numeric value that applies across different platforms and programs, including (but not limited to) emojis
Unrestricted Content	Content that is not Restricted Content
Unsolicited Electronic Messages Act	the Unsolicited Electronic Messages Act 2007 (New Zealand)
We / our / us	Bulletin.net (NZ) Limited
You / your	means you, the legal entity entering into this Agreement

Part B – Reseller Terms

About this Part

This Part B applies if your Application Form states that you are a Reseller.

Reseller Rights

We grant you the non-exclusive right to market and resell the Services to your customers.

Reseller Independence

Your business is an independent business. Accordingly:

(a) you are not, and must not (in any circumstances) hold yourself out as our agent, associate or affiliate;

(b) you must not represent that we are in any way the owner or operator of the business;

(d) your Customer Contract does not constitute either you or us as a joint venturer, partner, agent, employee or fiduciary of the other.

Provision of Services to Others

You:

(a) will enter in to separate legal agreements with your customers to whom you resell the Services which contain terms and conditions substantially similar to these Customer Terms (but you must not appoint any sub-seller or partner);

(b) expressly acknowledge that we will not, at any time, be responsible for or liable for the Content or the destination of any Content conveyed by or to you;

(c) agree that, if you become aware that any End User does not wish to continue to receive Messages, you will take all necessary steps, including notifying us, to ensure that the End User does not continue to receive Messages;

(d) must ensure that your customers do not do anything that, if done by you, would breach your Customer Contract;

(e) must comply with any applicable developer terms, including security terms, in relation to your use of developer APIs; and

(f) indemnify us against any claim against us by your customer or a Regulator arising out of or in connection with your business or the Services you resell.

90 Day Notice of Termination

If you are a Reseller, then the reference to “30 days” in clause 44(a) is deleted and replaced with “90 days”. For the avoidance of doubt this means that you may terminate your Customer Contract at any time (except during the period of the Minimum Term) on 90 days’ written notice to us.

Part C – Additional Security Terms applicable to use of our API

This Part C applies to all Customers and Resellers who use our API for integrations, including integrations with the Customer’s or Reseller’s systems or other applications and/or to build integrations (“Integrations“).

Information Security

(a) In relation to your use of our API in Integrations, without limiting any other obligation you have under your Customer Contract and/or Reseller arrangement, you agree as follows:

(i) you will implement and maintain in place appropriate administrative, physical, and technical data security safeguards and controls, in accordance with best industry standards, that are designed to prevent unauthorized access, use, processing, storage, destruction, loss, alteration, disclosure of Personal Information and other sensitive data and confidential information;

(ii) you will comply with all applicable Laws (including the Privacy Act and all other applicable data security and privacy laws and regulations);

(iii) you will keep all credentials that we issue to you strictly confidential and not disclose them to any third party;

(iv) if you become aware of any data breach or other security deficiency or we notify you of any such breach or deficiency, you will:

(A) follow our reasonable instructions to immediately correct any security deficiency, and will immediately disconnect any intrusions or intruders; and

(B) not release any public statements (including, without limitation, any press release, blog post or social media.) without our prior written approval to the proposed statement;

(b) We do not accept responsibility or liability for any loss or damage arising from your failure to maintain the security of your Integration or login, password or other security or identification credentials.

(c) You agree that we may monitor use of our API in your Integrations to ensure quality, improve our products and services, identify security issues and verify your compliance with this Part C, which may include us accessing and using your Integration and associated applications for any of the foregoing purposes. You agree not to interfere with our monitoring activities under this clause 65(c) and you agree that we may use any technical means to overcome such interference. We may suspend your access to our API without notice if we reasonably believe that you are in violation of any provision of this Part C.

(d) You agree not to use our API in any Integrations that run applications on our servers.

(e) Your networks, operating system and software of your web servers, routers, databases, and computer systems (collectively, “Developer System”) must be properly configured to Internet industry standards so as to securely operate the application(s) associated with use of our API and protect against unauthorised access to, disclosure or use of any information you receive from us. If you do not completely control any aspect of the Developer System, you will use all practicable measures to procure compliance with this Part C by any relevant third party. You must correct any security deficiency as soon as practicable and disconnect immediately any known or suspected intrusions or intruder.

API use restrictions

When using our API, you will, and you will ensure that your employees, agents and service providers will:

(i) only use our API (including SDKs) to develop and distribute applications or content for your use with the Services;

(ii) restrict disclosure of the API credentials, or any part thereof, to your agents, employees, or services providers, who must require access to use, maintain, implement, correct or update your application in accordance with this Part C, and who are subject to confidentiality obligations the same as or greater than those contained in clause 21;

(iii) not distribute, sell, lease, rent, lend, transfer, assign or sublicense any rights granted in relation to our API to any third party;

(iv) not use or access our API or a Service in order to monitor the availability, performance, or functionality of our API or any Service or for any similar benchmarking purposes;

(v) not remove or destroy any copyright notices, proprietary markings or confidentiality notices placed upon, contained within or associated with our API;

(vi) not engage in any activity that interferes with, disrupts, harms, damages, or accesses in an unauthorized manner our servers, security, networks, data, applications or our other properties or services or those of any third party;

(vii) not circumvent technological measures intended to prevent direct database access, or manufacture tools or products to that effect;

(viii) not modify, translate, reverse engineer, disassemble, reconstruct, decompile, copy, or create derivative works of our API or any Service, except to the extent that this restriction is expressly prohibited by applicable law;

(ix) not bypass our API restrictions for any reason, including automating administrative functions;

(x) not, except as authorised by us in writing, substantially replicate our API, a Service or our other products or services or those of any of our Related Company;

(xi) not develop applications that excessively burden our system, distribute spyware, adware or other commonly objectionable programs;

(xii) not develop an application that has the purpose of migrating our customers off our Services;

(xiii) not access or use our API to develop or distribute your application in any way in furtherance of criminal, fraudulent, or other unlawful activity, or otherwise violate the our Acceptable Use Policy;

(xiv) not request more than the minimum amount of data from our API needed by your application to provide the intended functionality of such application, or any data outside any permissions granted by a relevant third party merchant;

(xv) not falsify or alter any unique identifier in, or assigned to your application, or otherwise obscure or alter the source of queries coming from such application; and

(xvi) not include code in any of your applications which performs any operations not related to the services provided by the application, whether or not you have the consent of any relevant merchant or end user to do so. For the avoidance of doubt, this prohibited activity includes, without limitation, embedding or incorporating code into any application which utilises the resources of another computer for the purposes of cryptocurrency mining.

Part D – EU and UK Privacy Terms

About this Part

This Part D applies if the Services or the performance of our respective obligations under your Customer Contract involve the processing of any personal data (as defined in the GDPR) of, or sending Messages to, any individuals in the European Union. References in this Part to GDPR will to the extent necessary be deemed to be references to the equivalent laws of the United Kingdom (including the UK GDPR and the Data Protection Act 2018).

Privacy and Electronic Communications and E-Commerce

(a) You warrant and undertake at all times to comply (and to ensure that your Staff and End Users also comply) with your obligations under the Privacy and Electronic Communications Regulations (EC Directive) 2003 and the Electronic Commerce (EC Directive) Regulations 2002, in particular, you:

(i) warrant and represent that End Users to whom you send Messages have consented or otherwise opted-in to the receipt of such Messages as required by any applicable Law or regulation;

(ii) agree that you will include clear opt-out/unsubscribe information on your Messages when required to do so by any applicable Law or regulation; and

(iii) will adhere to the Consumer Best Practices Guidelines promulgated by the Mobile Marketing Association, if applicable to your messages.

(b) You indemnify us for any Claim which results from your breach of paragraph (a) above.

Data Protection

(a) The terms ‘data subject’, ‘personal data’, ‘process’, and ‘supervisory authority’ have the meanings given to them in the GDPR.

(b) If a party is provided with, or has access to personal data in connection with the Services, it must comply with the GDPR and any other applicable law in respect of that personal data.

(c) The subject matter of the processing by us shall be the performance of your Customer Contract. The nature and purpose of the processing shall be the provision of the Services. The duration of the processing shall be the duration of your Customer Contract.

(d) We shall:

(i) only process personal data on your behalf in accordance with, your instructions and for the purposes set out in your Customer Contract;

(ii) implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing;

(iii) ensure that any of our personnel engaged in the processing are subject to a duty of confidentiality.

(iv) co-operate with you if you are required to deal or comply with any assessment, enquiry, notice or investigation by the Information Commissioner, to assist you in complying with such assessment, enquiry, notice or investigation;

(v) notify you if we receive a request from a data subject for access to personal data, and shall provide you with reasonable co-operation and assistance in relation to any such request;

(vi) inform you without undue delay if at any time any personal data is or is suspected to be, lost, corrupted, used or disclosed to a third party except in accordance with your Customer Contract and provide reasonable assistance to you in relation to your obligation to notify data subjects or a supervisory authority.

(e) You acknowledge that in providing the Services, personal data may be transferred outside the European Economic Area under your Customer Contract and each party undertakes to comply with its obligations under the Standard Contractual Clauses.

(f) You hereby consent to the sub-processing of personal data by a Provider. We shall only appoint additional sub-processors where we have your prior consent to do so and where we have written terms in place with the sub-processor that reflect these terms.

(g) You warrant that you have provided a fair processing notice to End Users that notifies them of our processing activities and that where our processing of personal data on your behalf requires the consent of End Users, you have and will obtain this and provide us with evidence on request.

(h) On termination of your Customer Contract, we shall delete all personal data that you have provided to us, unless we are required by law to retain it (in which case, we will not actively process it after the termination date).

(i) You may, not more than once in any 12-month period and on giving at least 30 days’ written notice, conduct an audit of our processing of personal data under your Customer Contract. We shall mutually agree on the scope, timing and duration of the audit. The audit shall exclude any personnel records and any data, systems and facilities which are subject to confidentiality obligations to third parties. You shall not be entitled to take copies of any information.

(j) You indemnify us for any Claim by your Staff, End Users or any other third party that it has suffered Loss as a result of your breach of paragraphs (b), (e) or (g) above.

PART E – EC STANDARD CONTRACTUAL CLAUSES

This Part E forms part of your Customer Contract.

If you are located in the European Economic Area or are otherwise subject to the GDPR, the standard contractual clauses approved by European Commission Decision C2021/3972 dated 4 June 2021 (the “Standard Contractual Clauses”) will apply to any transfer of personal data under your Customer Contract, either directly or via onward transfer, to any country outside of the European Economic Area that does not have an adequacy decision under article 45 of the GDPR.  For transfers that are subject to the Standard Contractual Clauses, the Standard Contractual Clauses will be deemed entered into, incorporated into your Customer Contract by reference, and completed as set out below.

Three modules of the Standard Contractual Clauses may apply:

if you provide us with personal data of your employees and representatives for the purposes of administering the Customer Contract and our business relationship – Module One (controller to controller) will apply to that data;
if you provide us with personal data of message recipients for the purposes of allowing us to send messages and perform services under your Customer Contract, and you are a controller in relation to that data – Module Two (controller to processor) will apply to that data; and
if you provide us with personal data of message recipients for the purposes of allowing us to send messages and perform services under your Customer Contract, and you are a processor in relation to that data – Module Three (processor to processor) will apply to that data.

Full details of these transfers are set out in the Appendix to the Standard Contractual Clauses.

SECTION I

Clause 1

Purpose and scope

The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)¹ for the transfer of personal data to a third country.
The Parties:
- the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
- the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)
Have agreed to these standard contractual clauses (hereinafter: “Clauses”).
These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
- Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
- Clause 8 – Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g);
- Clause 9 – Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
- Clause 12 – Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
- Clause 13;
- Clause 15.1(c), (d) and (e);
- Clause 16(e);
- Clause 18 – Clause 18(a) and (b).
Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 – Not used

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

MODULE ONE: Transfer controller to controller

8.1 Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B. It may only process the personal data for another purpose:

where it has obtained the data subject’s prior consent;
where necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
where necessary in order to protect the vital interests of the data subject or of another natural person.

8.2 Transparency

In order to enable data subjects to effectively exercise their rights pursuant to Clause 10, the data importer shall inform them, either directly or through the data exporter:
- of its identity and contact details;
- of the categories of personal data processed;
- of the right to obtain a copy of these Clauses;
- where it intends to onward transfer the personal data to any third party/ies, of the recipient or categories of recipients (as appropriate with a view to providing meaningful information), the purpose of such onward transfer and the ground therefore pursuant to Clause 8.7.
Paragraph (a) shall not apply where the data subject already has the information, including when such information has already been provided by the data exporter, or providing the information proves impossible or would involve a disproportionate effort for the data importer. In the latter case, the data importer shall, to the extent possible, make the information publicly available.
On request, the Parties shall make a copy of these Clauses, including the Appendix as completed by them, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the Parties may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.
Paragraphs (a) to (c) are without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.3 Accuracy and data minimisation

Each Party shall ensure that the personal data is accurate and, where necessary, kept up to date. The data importer shall take every reasonable step to ensure that personal data that is inaccurate, having regard to the purpose(s) of processing, is erased or rectified without delay.
If one of the Parties becomes aware that the personal data it has transferred or received is inaccurate, or has become outdated, it shall inform the other Party without undue delay.
The data importer shall ensure that the personal data is adequate, relevant and limited to what is necessary in relation to the purpose(s) of processing.

8.4 Storage limitation

The data importer shall retain the personal data for no longer than necessary for the purpose(s) for which it is processed. It shall put in place appropriate technical or organisational measures to ensure compliance with this obligation, including erasure or anonymisation² of the data and all back-ups at the end of the retention period.

8.5 Security of processing

The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the personal data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.
The Parties have agreed on the technical and organisational measures set out in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
The data importer shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the personal data breach, including measures to mitigate its possible adverse effects.
In case of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, the data importer shall without undue delay notify both the data exporter and the competent supervisory authority pursuant to Clause 13. Such notification shall contain i) a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), ii) its likely consequences, iii) the measures taken or proposed to address the breach, and iv) the details of a contact point from whom more information can be obtained. To the extent it is not possible for the data importer to provide all the information at the same time, it may do so in phases without undue further delay.
In case of a personal data breach that is likely to result in a high risk to the rights and freedoms of natural persons, the data importer shall also notify without undue delay the data subjects concerned of the personal data breach and its nature, if necessary in cooperation with the data exporter, together with the information referred to in paragraph (e), points ii) to iv), unless the data importer has implemented measures to significantly reduce the risk to the rights or freedoms of natural persons, or notification would involve disproportionate efforts. In the latter case, the data importer shall instead issue a public communication or take a similar measure to inform the public of the personal data breach.
The data importer shall document all relevant facts relating to the personal data breach, including its effects and any remedial action taken, and keep a record thereof.

8.6 Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences (hereinafter “sensitive data”), the data importer shall apply specific restrictions and/or additional safeguards adapted to the specific nature of the data and the risks involved. This may include restricting the personnel permitted to access the personal data, additional security measures (such as pseudonymisation) and/or additional restrictions with respect to further disclosure.

8.7 Onward transfers

The data importer shall not disclose the personal data to a third party located outside the European Union³ (in the same country as the data importer or in another third country, hereinafter “onward transfer”) unless the third party is or agrees to be bound by these Clauses, under the appropriate Module. Otherwise, an onward transfer by the data importer may only take place if:

it is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;
the third party enters into a binding instrument with the data importer ensuring the same level of data protection as under these Clauses, and the data importer provides a copy of these safeguards to the data exporter;
it is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings;it is necessary in order to protect the vital interests of the data subject or of another natural person; or
where none of the other conditions apply, the data importer has obtained the explicit consent of the data subject for an onward transfer in a specific situation, after having informed him/her of its purpose(s), the identity of the recipient and the possible risks of such transfer to him/her due to the lack of appropriate data protection safeguards. In this case, the data importer shall inform the data exporter and, at the request of the latter, shall transmit to it a copy of the information provided to the data subject.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.8 Processing under the authority of the data importer

The data importer shall ensure that any person acting under its authority, including a processor, processes the data only on its instructions.

8.9 Documentation and compliance

Each Party shall be able to demonstrate compliance with its obligations under these Clauses. In particular, the data importer shall keep appropriate documentation of the processing activities carried out under its responsibility.
The data importer shall make such documentation available to the competent supervisory authority on request.

MODULE TWO: Transfer controller to processor

8.1 Instructions

The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

8.2 Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3 Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4 Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5 Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6 Security of processing

The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7 Sensitive data

8.8 Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union⁴ (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;
the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9 Documentation and compliance

The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

MODULE THREE: Transfer processor to processor

8.1 Instructions

The data exporter has informed the data importer that it acts as processor under the instructions of its controller(s), which the data exporter shall make available to the data importer prior to processing.
The data importer shall process the personal data only on documented instructions from the controller, as communicated to the data importer by the data exporter, and any additional documented instructions from the data exporter. Such additional instructions shall not conflict with the instructions from the controller. The controller or data exporter may give further documented instructions regarding the data processing throughout the duration of the contract.
The data importer shall immediately inform the data exporter if it is unable to follow those instructions. Where the data importer is unable to follow the instructions from the controller, the data exporter shall immediately notify the controller.
The data exporter warrants that it has imposed the same data protection obligations on the data importer as set out in the contract or other legal act under Union or Member State law between the controller and the data exporter⁵.

8.2 Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B., unless on further instructions from the controller, as communicated to the data importer by the data exporter, or from the data exporter.

8.3 Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the data exporter may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.

8.4 Accuracy

8.5 Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the controller and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6 Security of processing

The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter or the controller. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
The data importer shall grant access to the data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify, without undue delay, the data exporter and, where appropriate and feasible, the controller after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the data breach, including measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify its controller so that the latter may in turn notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7 Sensitive data

8.8 Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the controller, as communicated to the data importer by the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union⁶ (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679;
the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9 Documentation and compliance

The data importer shall promptly and adequately deal with enquiries from the data exporter or the controller that relate to the processing under these Clauses.
The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the controller.
The data importer shall make all information necessary to demonstrate compliance with the obligations set out in these Clauses available to the data exporter, which shall provide it to the controller.
The data importer shall allow for and contribute to audits by the data exporter of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. The same shall apply where the data exporter requests an audit on instructions of the controller. In deciding on an audit, the data exporter may take into account relevant certifications held by the data importer.
Where the audit is carried out on the instructions of the controller, the data exporter shall make the results available to the controller.
The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

MODULE TWO: Transfer controller to processor

The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 10 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects.⁷ The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

MODULE THREE: Transfer processor to processor

The data importer has the controller’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the controller in writing of any intended changes to that list through the addition or replacement of sub-processors at least 10 days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the controller with the information necessary to enable the controller to exercise its right to object. The data importer shall inform the data exporter of the engagement of the sub-processor(s).
Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the controller), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects.⁸ The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
The data importer shall provide, at the data exporter’s or controller’s request, a copy of such a sub-processor agreement and any subsequent amendments. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10

Data subject rights

MODULE ONE: Transfer controller to controller

The data importer, where relevant with the assistance of the data exporter, shall deal with any enquiries and requests it receives from a data subject relating to the processing of his/her personal data and the exercise of his/her rights under these Clauses without undue delay and at the latest within one month of the receipt of the enquiry or request.⁹ The data importer shall take appropriate measures to facilitate such enquiries, requests and the exercise of data subject rights. Any information provided to the data subject shall be in an intelligible and easily accessible form, using clear and plain language.
In particular, upon request by the data subject the data importer shall, free of charge :
- provide confirmation to the data subject as to whether personal data concerning him/her is being processed and, where this is the case, a copy of the data relating to him/her and the information in Annex I; if personal data has been or will be onward transferred, provide information on recipients or categories of recipients (as appropriate with a view to providing meaningful information) to which the personal data has been or will be onward transferred, the purpose of such onward transfers and their ground pursuant to Clause 8.7; and provide information on the right to lodge a complaint with a supervisory authority in accordance with Clause 12(c)(i);
- rectify inaccurate or incomplete data concerning the data subject;
- erase personal data concerning the data subject if such data is being or has been processed in violation of any of these Clauses ensuring third-party beneficiary rights, or if the data subject withdraws the consent on which the processing is based.
Where the data importer processes the personal data for direct marketing purposes, it shall cease processing for such purposes if the data subject objects to it.
The data importer shall not make a decision based solely on the automated processing of the personal data transferred (hereinafter “automated decision”), which would produce legal effects concerning the data subject or similarly significantly affect him / her, unless with the explicit consent of the data subject or if authorised to do so under the laws of the country of destination, provided that such laws lays down suitable measures to safeguard the data subject’s rights and legitimate interests. In this case, the data importer shall, where necessary in cooperation with the data exporter:
- inform the data subject about the envisaged automated decision, the envisaged consequences and the logic involved; and
- implement suitable safeguards, at least by enabling the data subject to contest the decision, express his/her point of view and obtain review by a human being.
Where requests from a data subject are excessive, in particular because of their repetitive character, the data importer may either charge a reasonable fee taking into account the administrative costs of granting the request or refuse to act on the request.
The data importer may refuse a data subject’s request if such refusal is allowed under the laws of the country of destination and is necessary and proportionate in a democratic society to protect one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679.
If the data importer intends to refuse a data subject’s request, it shall inform the data subject of the reasons for the refusal and the possibility of lodging a complaint with the competent supervisory authority and/or seeking judicial redress.

MODULE TWO: Transfer controller to processor

The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

MODULE THREE: Transfer processor to processor

The data importer shall promptly notify the data exporter and, where appropriate, the controller of any request it has received from a data subject, without responding to that request unless it has been authorised to do so by the controller.
The data importer shall assist, where appropriate in cooperation with the data exporter, the controller in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the controller, as communicated by the data exporter.

Clause 11

Redress

The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
- lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
- refer the dispute to the competent courts within the meaning of Clause 18.
The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

MODULE ONE: Transfer controller to controller

Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.
Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

[Where the data exporter is established in an EU Member State:] The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679:] The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
- the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
- the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards¹⁰;
- any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). [For Module Three: The data exporter shall forward the notification to the controller.]
Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation [for Module Three: , if appropriate in consultation with the controller]. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by [for Module Three: the controller or] the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1 Notification

The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
- receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
- becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
- [For Module Three: The data exporter shall forward the notification to the controller.]
If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). [For Module Three: The data exporter shall forward the information to the controller.]
The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2 Review of legality and data minimisation

The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. [For Module Three: The data exporter shall make the assessment available to the controller.]
The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
- the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
- the data importer is in substantial or persistent breach of these Clauses; or
- the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
- In these cases, it shall inform the competent supervisory authority [for Module Three: and the controller] of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data.The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Republic of Ireland.

Clause 18

Choice of forum and jurisdiction

Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
The Parties agree that those shall be the courts of the Republic of Ireland.
A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
The Parties agree to submit themselves to the jurisdiction of such courts.

APPENDIX

ANNEX I

A. LIST OF PARTIES

Data exporter: Customer as shown on the Application Form

Name: Customer’s name as shown on the Application Form

Address: Customer’s address as shown on the Application Form

Contact person’s name, position and contact details: Customer’s contact details as shown on the Application Form

Activities relevant to the data transferred under these Clauses: Using Supplier’s services to send SMS or other messages to data subjects

Signature and date: By entering into the Customer Contract, the data exporter is deemed to have signed this Annex I on the date it entered into the Customer Contract

Role (controller/processor):

Module One and Two: Controller

Module Three: Processor

Data importer: Supplier entity name as shown on the Application Form

Name: Supplier entity name as shown on the Application Form

Address: Supplier address as shown on the Application Form

Contact person’s name, position and contact details: Supplier contact name as shown on the Application Form

Activities relevant to the data transferred under these Clauses: Sending SMS or other messages to data subjects on instructions of Customer

Signature and date: By entering into the Customer Contract, the data importer is deemed to have signed this Annex I on the date it entered into the Customer Contract

Role (controller/processor):

Module One: Controller

Modules Two and Three: Processor

B. DESCRIPTION OF TRANSFER

MODULE ONE: Transfer controller to controller

Categories of data subjects whose personal data is transferred

The data subjects are employees or representatives of the data exporter.

Categories of personal data transferred

The personal data transferred will generally include name, job title and business contact details (such as email addresses and phone numbers).

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

The collection and transfer of information will occur whenever the data importer interacts with the data exporter, for example, to provide customer support or billing.

Nature of the processing

The data importer collects, uses and stores the personal data in its computer systems, and transmits the personal data over communication networks, as necessary to provide services to the data exporter and communicate with the data exporter in connection with the services.

Purpose(s) of the data transfer and further processing

The purpose of the processing is to enable the data exporter to sign up to the data importer’s services and communicate with the data importer in connection with the services.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Personal data will be retained for as long as the data exporter remains a customer of the data importer and for a period afterwards in accordance with the data importer’s data retention policy.

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

Categories of data subjects whose personal data is transferred

The data subjects are individuals to whom the data exporter wishes to send SMS or other messages using the data importer’s services. Those individuals may be customers of the data exporter or of another entity to whom the data exporter is providing services.

Categories of personal data transferred

The personal data transferred will generally include: (a) the data subject’s mobile telephone number or other contact details necessary to allow a message to be sent to the data subject; and (b) any personal data of the data subject contained in the message content. The types of personal data which may be included in message content is at the data exporter’s discretion.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

The collection and transfer of information will occur whenever the data exporter sends a message to a data subject or uploads contact information of a data subject.

Nature of the processing

The data importer collects, uses and stores the personal data in its computer systems, and transmits the personal data over communication networks, as necessary to send messages to the data subject as requested by the data exporter.

Purpose(s) of the data transfer and further processing

The purpose of the processing shall be the provision of the services to the data exporter under the Customer Contract.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Personal data will be retained for as long as the data exporter remains a customer of the data importer and for a period afterwards in accordance with the data importer’s data retention policy.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The data importer uses sub-processors to assist it in providing services to the data exporter under the Customer Contract.  A list of sub-processors used by the data importer is available at https://bulletin.net/sub-processors.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

The competent supervisory authority will be as determined under clause 13, depending on whether the data exporter is established in an EU Member State, is not established in an EU Member State but has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, or is not established in an EU Member State and is not required to appoint a representative pursuant to Article 27(1) of Regulation (EU) 2016/679.

ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

The data importer’s security measures include, but are not limited to:

Customers interact with and transmit messages over a secure (encrypted) TLS/SSL connection
Services interact and transmit to carriers over a secure (encrypted) TLS connections and/or VPN tunnels
Firewalls protect the data importer’s production network and servers.
Non-public access to production network and servers as access is restricted by a secure VPN connection
Measures for ensuring physical security of locations at which personal data are processed – Services are hosted in secure Tier 1 data centers protecting physical servers and devices.
Measures for internal IT and IT security governance and management including strict protocols and controls governing authorization and access to the data importer’s servers and devices.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the suitability and success of applied controls; including annual audits by independent security experts, and penetration testing.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

IT security governance and management, including strict protocols and controls authorising access.
Measures for ensuring physical security of locations at which personal data is processed.
Processes for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures.

Part F – UK International Data Transfer Addendum

This Part F forms part of your Customer Contract.

If you are located in the United Kingdom or are otherwise subject to the UK GDPR, the the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018 (UK) (the “UK International Data Transfer Addendum”) will apply to any transfer of personal data under your Customer Contract, either directly or via onward transfer, to any country outside of the United Kingdom that does not have an adequacy decision under article 45 of the UK GDPR. For transfers that are subject to the UK International Data Transfer Addendum, the UK International Data Transfer Addendum will be deemed entered into, incorporated into your Customer Contract by reference and completed as follows:

In Table 1:
1. The start date is the date the relevant transfer of personal data commences.
2. The Exporter is the Customer as shown on the Application Form and the details and key contact information of that party are as set out in the Application Form.
3. The Importer is the Supplier as shown on the Application Form and the details and key contact information of that party are as set out in the Application Form.
In Table 2, the version of the approved Standard Contractual Clauses is set out in Part E of your Customer Contract.
In Table 3:
1. Annex IA is as set out in Part E of your Customer Contract.
2. Annex IB is as set out in Part E of your Customer Contract.
3. Annex II is as set out in Part E of your Customer Contract.
4. Annex III is not applicable.
In Table 4: the Importer may end the UK International Data Transfer Addendum in accordance with its terms.

Terms Of Service

Part A – Your Contract with Us

Provision of Our Services

Confidentiality, Intellectual Property and Privacy

Credit

Prices, Billing and Payment Terms

Billing

Warranties and Indemnities

Termination and Suspension

General

Interpretation and Dictionary

Part B – Reseller Terms

Part C – Additional Security Terms applicable to use of our API

Part D – EU and UK Privacy Terms

PART E – EC STANDARD CONTRACTUAL CLAUSES

Part F – UK International Data Transfer Addendum

Talk with an expert

Get Started

Need Help?