InforUMobile Cookie Policy
20th February 2019
InforUMobile List of Sub-Processors
28th February 2019

Schedule 1: InforUMobile Data Processing Addendum

Note: This current consolidated Data Protection Addendum was published on 20-02-2019

This Data Processing Addendum forms part of the Agreement between InforUMobile (“Processor”) and the company or entity who opened an account on the InforUMobile website (“Customer”)(collectively, the “Parties”).

  1. 1              Definitions
    1. In this Data Protection Addendum capitalised terms have the same meanings as in the Agreement. In addition, the following definitions have the meanings given below with respect to this Data Protection Addendum (“DPA”):
      1. 1.1 Applicable Law means applicable laws of the European Union (EU), the European Economic Area (EEA) or any of the EU or EEA’s member states, the United Kingdom and the Republic of Ireland as amended from time to time, subject to clauses 1.1.9(e) and 2.1;
      1. 1.2 Appropriate Safeguards means the mechanism(s) permitting international transfers of Personal Data specified in Chapter V of the GDPR and applicable DP Law, including Adequacy (as defined in DP Law) and Standard Contractual Clauses;
      1. 1.3 Authorised User means you and those of your employees, agents, contractors or associates you have authorised to access and use the Services, or for whom you have created sub-accounts. For greater certainty, a user who has logged into the Services using a valid sub-account assigned to your account shall be deemed an Authorised User unless you have notified us of suspected or confirmed unauthorised use or compromised credentials;
      1. 1.4 Contact means your prospects, customers and any other potential, intended or actual recipients of Contact Communication;
      1. 1.5 Contact Communication means the content of a message of any medium you send to or make available to a Contact using the Service(s);
      1. 1.6 Contact Data means any Personal Data we process on your behalf in the course of offering the Services and includes derived or observed data captured using the Services, e.g. whether a Contact clicked a link, Contact communications preferences (e.g. unsubscribes), metrics;
      1. 1.7 Controller, Data Subject, International Organisation, Personal Data, Personal Data Breach, Processor and processing shall have the respective meanings given to them in applicable DP Law (and related expressions, including process, processed, processing, and processes shall be construed accordingly);
      1. 1.8 Data Privacy Notice means the content and manner of communicating information to Data Subjects by Controllers required under DP Law as specified in Arts. 12 to 14, GDPR and as extended or amended or further addressed in applicable DP Law;
      1. 1.9 Data Protection Law or DP Law means, as applicable and binding on the Customer, the Processor and/or the Services, all legislation and regulatory requirements in force from time to time relating to the use of Personal Data and the privacy of electronic communications, including without limitation the General Data Protection Regulation ((EU) 2016/679) (“GDPR”), Directive 2002/58/EC (the “e-Privacy Directive”) (for so long as and to the extent that EU law has legal effect in the UK); laws implementing such laws, including the UK Data Protection Act 2018 (“UK DPA 2018”), the UK Privacy and Electronic Communications Regulations (EC Directive) 2003 (“UK PECR”), the Irish Data Protection Action 2018 (“Irish DPA 2018”), S.I. No. 336/2011 – European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (“Irish PECR”) (as amended from time to time or any successor or implementing legislation), all case law, guidance, codes of practice and codes of conduct issued by a Supervisory Authority whether or not legally binding;
      1. 1.10 Data Protection Losses means all liabilities, including all costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (material or non-material) and as permitted by Applicable Law administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority; Data Subject compensation ordered by a Supervisory Authority; and reasonable investigation-related costs;
      1. 1.11 Data Subject Request (“DSR”) means a request made by a Data Subject to exercise any rights under DP Laws with respect to Personal Data that we process on your behalf as described in Chapter III of the GDPR (as modified or extended in applicable DP Law);
      1. 1.12 International Data Transfer means the transfer of Protected Data from within the European Economic Area (“EEA”) out of the EEA (including to the UK once the UK ceases to be part of the European Union) or from the UK to a country outside the UK or EU, which would be prohibited by DP Law in the absence of Appropriate Safeguards. For greater certainty, this applies to Protected Data transferred from our servers in Ireland to the UK once the UK ceases to be part of the European Union;
      1. 1.13 List of Sub-Processors means InforUMobile’s List of Sub-Processors https://inforumobile.co.uk/ufaqs/inforumobile-list-of-sub-processors/, as amended;
      1. 1.14 Processing Instructions has the meaning given to that term in clause 6;
      1. 1.15 Protected Data means Personal Data that you have provided to us, that we have received on your behalf, or that you process in connection with the Services or the performance of our obligations under the Agreement or the DPA;
      1. 1.15 Service(s) means any products or services we provide to you in connection with and as described in the Agreement subject to clause 2.1 (Scope);
      1. 1.16 Standard Contractual Clauses means the standard data protection clauses for the transfer of Personal Data from the EEA to Data Processors in third countries in the Annex to European Commission (EC) Decision 2010/87/EU (or subsequent clauses approved under GDPR by the EC or relevant Supervisory Authority);
      1. 1.16 Sub-Processor means any agent, subcontractor or third party (excluding its employees) engaged by us to processing Protected Data on your behalf;
      1. 1.17 Supervisory Authority means the relevant DP Law enforcement authority, notably the UK Information Commissioner’s Office (“ICO”) and the Irish Data Protection Commission (“DPC”);
      1. 1.18 We, us, our means or refers to InforUMobile;
      1. 1.19 You, your, yours means or refers to the natural person or legal entity named as Customer in the Agreement and this DPA.
  2. Relationship with the Agreement
    1. Scope. This DPA only applies to the extent that the processing relates to or is in connection with Protected Data to which DP Law applies. For greater certainty, this applies to processing of the Personal Data of people in the UK and the Republic of Ireland.
    2. Conflict. This DPA forms part of the Agreement. In the event of conflict between the Agreement and the DPA, the DPA shall prevail to the extent of the conflict. Otherwise the Agreement remains unchanged and in effect until terminated according to its own terms, subject to clause 2.6 (Survival).
    3. Prior DPAs. This DPA supersedes any prior DPA between the Parties related to the Services.
    4. No third-party rights. No one other than the Parties or their successors or permitted assignees shall have any rights under this DPA, except where provided under Standard Contractual Clauses.
    5. Governing Law. This DPA shall be governed by and interpreted in accordance with the governing law and jurisdiction applicable to the Agreement.
    6. Survival. This DPA (as updated from time to time) shall survive termination (for any reason) or expiry of the Agreement and continue until no Protected Data remains in the possession or control of the Processor or any Sub-Processor, except that clause 14 (Indemnity) shall continue indefinitely.
    7. Entire agreement. This DPA together with the Agreement encompasses the entire agreement between you and InforUMobile with respect to the subject matter hereof and supersedes all prior representations, agreements and understandings, written or oral. No purchase order or other form submitted by you will modify, supersede, add to or in any way vary the terms of this Agreement, except as provided for under the DPA.
  3. Compliance with Data Protection Law and Relationship of the Parties
    1. Compliance with DP Law. The Parties acknowledge and agree to comply with the DP Law as applicable to the Personal Data they process in relation to the Agreement and in connection with the Services. Nothing in this DPA relieves either party of any responsibilities or liabilities under DP Law.
    1. Processor and Controller. The Parties agree that, for the Protected Data, you (the Customer) are the Controller and InforUMobile is the Processor.
    1. Exception – InforUMobile as Controller. The Parties acknowledge and agree that InforUMobile is a Controller for Personal Data that it processes for the purposes of its own business and in the administration of the Agreement. We undertake to treat such Personal Data as confidential and process it in accordance with InforUMobile’s Data Privacy Notice as updated from time to time.
    1. Registrations and notification requirements. The Parties undertake to fulfil any registration or notification requirements with the relevant Supervisory Authorities.
  4. Your Data Processing Obligations
    1. You shall at all times comply with all applicable DP Laws in connection with the processing of Protected Data and the use of the Services and ensure all Processing Instructions in respect of Protected Data (including the terms of this Agreement) comply at all times with DP Law.
    1. For greater certainty, you warrant, represent and undertake, that at all times:
      1. Lawful Processing. All Protected Data (if processed in accordance with our Agreement) complies in all respects with DP Law, specifically but not limited to:
        1. Mandatory Customer Data Privacy Notice. You have and will clearly post, maintain, and abide by a publicly accessible Data Privacy Notice that describes your use of Protected Data processed using the Services and shall include a link to InforUMobile’s Data Privacy Notice https://inforumobile.co.uk/ufaqs/inforumobile-privacy-policy/;
  • Mandatory Cookie Notice and Consents. You will provide and obtain all Data Privacy Notices and obtain all necessary consents required by applicable DP Law to enable us to use cookies and similar tracking technologies (like web beacons or pixels) lawfully on and collect data from the devices of Contacts and Authorised Users of the Service in accordance with and as described in our Cookie Statement https://inforumobile.co.uk/ufaqs/inforumobile-cookie-policy/;
  • Lawful Collection and Processing. You confirm that: Protected Data was collected lawfully and, where it was collected indirectly, you have undertaken the necessary due diligence to confirm you are permitted to process it; that you have documented a valid lawful basis for processing the Protected Data according to your Processing Instructions; and that you maintain evidence to demonstrate such lawful basis exists. This includes, where consent is required or selected, obtaining and documenting all necessary consents to the different processing activities you undertake using the Services or in the Processing Instructions and ensuring that these will remain valid at all times.  Accuracy. Protected Data is and will remain accurate and up to date.Storage (Data-Retention). Protected Data will only be stored for as long as necessary to satisfy the processing purposes;Security. You shall establish and maintain adequate security measures to: safeguard Protected Data in your possession or control from unauthorised access and copying and maintain complete and accurate backups of all Protected Data provided to us (or anyone acting on our behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption;ensure Contact Communications or other use of the Services does not contain or transmit spyware, viruses, worms, trojan horses, adware or other malware, or expose our Service, the Contacts or the devices of other Data Subjects to such programs or cybersecurity threats directly or indirectly;Agents and employees. You shall ensure that you or any agents, employees, contractors or other Authorised Users comply with all DP Laws in connection with the Protected Data and the Services and the foregoing obligations;You have undertaken due diligence over our processing operations and commitments and you are satisfied (and all times that you continue to use the Services remain satisfied) that:Our processing operations are suitable for your purposes with respect to processing the Protected Data; The technical and organisational measures set out in InforUMobile’s Technical and Organisational Security Measures https://inforumobile.co.uk/ufaqs/security-measures/ (as updated from time to time) ensure a level of security appropriate to the risk with respect to the Protected Data if we comply with them; and We have sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of DP Laws.
  • Our Data Processing Obligations
    • We shall process Protected Data in compliance with our obligations under DP Laws and this DPA.
    • We undertake to process Protected Data only in accordance with Processing Instructions and not to use Protected Data or Contact Communications except as required to provide the Services unless:
      • Alternative Processing Instructions are agreed between the Parties;
      • We are required or permitted to do so by Applicable Law, in which case we shall notify you in advance of any such requirement (except where Applicable Law prohibits it on important grounds of public interest); or
      • We believe a Processing Instruction infringes DP Law, in which case we shall promptly inform you. We reserve the right to cease to provide any or all of the relevant Services until the Parties have agreed appropriate amended Processing Instructions which are not infringing;
      • The processing is required for our own purposes as a Controller as described in our Data Privacy Notice https://inforumobile.co.uk/ufaqs/inforumobile-privacy-policy/, in which case we undertake to take measures to miminise the use of and/or restrict access to the Protected Data as appropriate to ensure any such processing is necessary and proportionate.
  • Processing Instructions
    • Authority. You warrant that where you decide jointly with another Controller how and why to process Protected Data using the Services (i.e. Joint Controller), that you have full authority and authorisation of all relevant Controllers to give us Processing Instructions.
    • Only Authorised Users. It is your responsibility to ensure only Authorised Users provide Processing Instructions. You acknowledge and accept that we are under no obligation to restore or remedy any Protected Data deleted or improperly processed pursuant to Processing Instructions given by an Authorised User and we assume no responsibility for such processing.
    • Providing Processing Instructions. Processing Instructions shall be considered to be provided where an Authorised User provides such instructions:
      • in writing, which may include but is not limited to email, chat message or SMS sent by an Authorised User, or
      • by configuring, selecting or using features, template elements, tools or other aspects of the Services or using any computer command to process (including to delete) any Protected Data;
      • except to the extent any method in clause 6.2.2 is not fulfilled due to technical, operational or other reasons, in which case Processing Instructions will be deemed not provided;
    • Limitation of Processor Liability. To the maximum extent permitted by law, we shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing we do according to your Processing Instructions, including where they infringe DP Law;
    • No Legal Advice; Reliance. No part of this Agreement is intended or shall be construed as legal advice.
  • Details of Processing and Security
    • Details of Processing. Processing of Protected Data shall be as described in Annex A.
    • Security. Taking into account the state of the art, the costs of implementation and the Details of Processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons presented by the processing, we shall implement appropriate technical and organisational security measures, including those mentioned in Articles 32(1)(a) to 32(1)(d) (inclusive) of the GDPR.
    • Appropriate security. We have determined that the measures set out InforUMobile’s Technical and Organisational Security Measures document (“Security Measures”) https://inforumobile.co.uk/ufaqs/security-measures/ ensure a level of security appropriate to the risks of processing the Protected Data.
  • Sub-processing and personnel
    • Prior authorisation. We shall only permit agents, subcontractors or other third parties to process Protected Data with your prior written authorisation (such authorisation not to be unreasonably withheld, conditioned or delayed), except with respect to our Sub-Processors’ own employees in the course of their employment where those employees are subject to an enforceable obligation of confidence with regard to the Protected Data.
    • Authorised Sub-Processors. You authorise us to appoint each of the Sub-Processors identified in Annex C (List of Sub-Processors) as updated from time to time. We shall provide reasonable notice of such updates and you will have the opportunity to object to such appointments.
    • We shall
      • appoint each Sub-Processor under a written contract containing materially the same obligations as this DPA prior to processing Protected Data. Such contract shall be enforceable by us and we will ensure each such Sub-Processor complies with all such obligations;
      • remain fully liable for all the acts and omissions of each Sub-Processor as if they were our own to the extent they relate to the data protection obligations under DP Law and this DPA;
      • ensure that all natural persons authorised by us (or by any Sub-Processor) to process Protected Data are subject to a binding written contractual obligation of confidentiality (except where disclosure is required in accordance with Applicable Law, in which case we shall, where practicable and not prohibited by Applicable Law, notify you of any such requirement before such disclosure).
  • Assistance and Data Subject Rights
    • We shall at your cost on a time and materials basis:
      • Security obligations and breach response. Assist you in ensuring compliance with your obligations pursuant to Articles 32 to 36 of the GDPR (Security of Personal Data and Data Protection Impact Assessments) and any similar obligations under DP Law taking into account the nature of the processing and the information available to us; and
      • Data Subject Rights (DSRs). Taking into account the nature of the processing, assist you (by appropriate technical and organisational measures), insofar as this is possible, in fulfilling your obligations to respond to requests for exercising the Data Subjects’ Rights under Chapter III of the GDPR (and any similar obligations under applicable Data Protection Laws) in respect of any Protected Data.
  • International Data Transfers
    • Appropriate Safeguards. We shall not process and/or transfer, or otherwise directly or indirectly disclose, Protected Data in or to countries outside the United Kingdom or the EEA or to any International Organisation unless Appropriate Safeguards are in place. We undertake to minimise the amount of Protected Data subject to International Data Transfers and will implement the Appropriate Safeguards described in Annex A (Details of Processing) and in the List of Sub-Processors.
    • Transfers after Brexit. Note that our server is located the Republic of Ireland. It is your responsibility to ensure that if you transfer Protected Data stored on our servers to the UK after the UK has left the European Union, such processing may constitute an International Data Transfer. We do not have control over these decisions and we do not provide legal advice. You assume full responsibility for determining whether International Data Transfer rules apply and ensuring you implement Appropriate Safeguards. We disclaim any liability for any and all DP Losses that may result.
    • Limitation. You acknowledge that due to the nature of cloud services, Authorised Users or others acting on your behalf may initiate International Data Transfers of Protected Data to other geographical locations when using the Service. You acknowledge that we do not control such processing and you shall ensure that Appropriate Safeguards are in place for such transfers.
  • Audits and processing
    • We shall, in accordance with DP Law, make available to you such information that is in our possession or control as is necessary to demonstrate our compliance with our obligations under this DPA and Article 28 of the GDPR (and its equivalent under DP Law), and allow for and contribute to a maximum of one audit (including inspections) by you (or another auditor agreed by us) for this purpose per 12 month period at your sole cost and subject to a binding undertaking of confidentiality.
  • Breach
    • We shall notify you in writing without undue delay on becoming aware of any Personal Data Breach that may involve Protected Data.
  • Deletion/return
    • Upon termination of the Services, at your cost and your option, we shall either enable you to return all of the Protected Data to you  (through our self-serve download or export or related functions) or securely dispose of it (and thereafter promptly delete all existing copies) except to the extent that any Applicable Law requires or permits us to store or continue to process such Protected Data. This clause shall survive termination or expiry of the Agreement or this DPA.
  • Indemnity
    • You shall indemnify us and keep us indemnified against all losses, claims, damages, liabilities, fines, sanctions, interest, penalties, costs, charges, expenses, compensation paid to Data Subjects, demands and legal and other professional costs (calculated on a full indemnity basis and in each case whether or not arising from any investigation by, or imposed by, a Supervisory Authority), including all Data Protection Losses arising out of or in connection with any breach by you of your obligations.
  • Data protection contact
    • Our Privacy Lead Yael Almog, Product Manager may be contacted at service@inforumobile.co.uk.

Annex A: Details of Processing

Processing of the Protected Data by us under this DPA and the Agreement shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in this Annex A based on the expected use of the Services by Customers. You may use some of the functionality we provide to make it easier for you to ensure your use of the Services complies with DP Law and that you respect your Contact’s choices. See our Support Centre https://inforumobile.co.uk/support-center/ for details.

We provide a self-serve, cloud-based platform and Services that you may customise according to your needs. You (and your Authorised Users) are the Controller and therefore decide which Services to use, how to configure them, what Personal Data to process and why. The Details of Processing will vary according to your Processing Instructions but are generally described below based on possible use of the Service.

Brief description of processingCustomers can use the self-serve platform to send marketing messages by SMS, create landing or registration pages, create surveys, manage Contact communication preferences, track and tag campaigns for internal metrics, generate other reports to gauge the effectiveness of their campaigns, and embed code permitting them to track where inbound traffic originates and generate analytics (e.g. Google Analytics).
What processing is being done?The processing activities will be performed by you in your capacity as Controller.  Any processing InforUMobile performs as a Controller e.g. for billing purposes is described in our Data Privacy Notice https://inforumobile.co.uk/ufaqs/inforumobile-privacy-policy/.
Duration of processing  You determine the duration and frequency of Contact Communications using the Service’s various settings and features. Contact Data and Communications you input or generate will remain in your account until you delete or destroy it or upon termination as provided in clause 13 of the DPA.
How is the processing being done?  Contact Data and Contact Communications Data are processed using various self-serve options initiated by you or your Authorised Users.
Why is the processing being done?Customer may use the Service to generate leads, manage Contact relationships, conduct market research, or generate sales. The aim of Contact Communications will generally be to direct Contacts to Customers’ own websites / digital properties or make purchases.
What types of data are being processed on behalf of Customer?  Contact Data and Communications Data: derived data from usage (IP address to track unsubscribes; aggregated metrics for reporting, cookie and analytics data embedded by Customer (only available to Customer), metadata confirming a Contact Communication was sent or open, contents of Contact Communications (but see Security Measures https://inforumobile.co.uk/ufaqs/security-measures/, Contact preferences, suppression lists, etc.
Sensitive dataThe Services are not designed to be used to process sensitive data, including Special Category data whose processing is restricted under Art. 9, GDPR and related DP Law, such as health, ethnicity, political opinion; Criminal Records data, which is restricted under Art. 10,  GDPR; Financial data; Location data. If you or an Authorised User uses the Services to process such data you Acknowledge and mitigate the potential risk of harm to the individuals concerned; you will fulfil any additional requirements (e.g. obtain explicit consent to process health data)]. Assume full liability for such use and indemnify us against any resulting Data Protection Losses.
Are cookies and other tracking tools used?In connection with the Services, we use cookies and other tracking technologies that are necessary to ensure our Contact Communications function properly and to manage preferences. For more detail see our Cookie Notice https://inforumobile.co.uk/ufaqs/inforumobile-cookie-policy/ .   Note: You shall provide Contacts with an appropriate Data Privacy Notice related to the processing of cookie data and a means (e.g. a cookie dashboard, links to settings, etc.) to enable them to opt into cookies (where prior consent is required under DP Law) and/or manage their preferences. You may choose to embed cookies and other trackers, for example for Google Analytics or other code in your various channels, even outside the Services, to track how Contacts have come to your landing page. We do not see or use this data. You are solely responsible for ensuring your use of such options complies with DP Law and your obligations under clause 4.2.1(b) of this DPA.
Who is the data about?  Contacts, Authorised Users, Customer who are natural persons. Note: The Services are designed for use with adults, not for children under 16 years of age or vulnerable people. If your Contacts include or may include children or vulnerable people, you are solely responsible for ensuring you meet the additional requirements under DP Law. See e.g. ICO guidance.
What risks does the data processing pose to data subjects (if any)?  Any type of Personal Data Breach, including use of Protected Data beyond the original purpose or a compatible purpose, e.g.: Marketing under the guise of market research (for the survey functionality) (“sugging”) without fulfilling marketing rulesAccess by unauthorised individuals to Protected DataRetaining Protected Data longer than necessary Processing children’s Personal Data or communicating with children or vulnerable people without appropriate protections.
What mitigating measures are being taken to address those risks?Customer is responsible for ensuring use of the Services complies with DP Law.InforUMobile has implemented various controls and security measures (see Security Measures https://inforumobile.co.uk/ufaqs/security-measures/)The Services include functionality that Customer may use to address these risks, as well as pop-up reminders, training videos, materials and manuals, and technical Support.