Data Processing Terms and Conditions
Effective Date: March 23rd, 2024

​

This Data Processing Terms and Conditions ("Terms") amend and form an integral part of the Service Agreement according to the Canadian Mail Master Terms of Service (the "Main Agreement"). These Terms come into effect upon their integration into the Main Agreement, which may be outlined in the Main Agreement itself or through a duly executed supplementary amendment. Upon integration, these Terms become a binding aspect of the Main Agreement.

The duration of these Terms shall align with the tenure of the Main Agreement. Any terms not explicitly defined herein shall assume the meanings provided in the Main Agreement.

##WHEREAS
Your organization serves as the Data Controller ("Controller").
Your organization intends to delegate specific Services, entailing the processing of personal data, to Canadian Mail Master, in the capacity of a processor (per the GDPR) and a service provider (per the CCPA).
The Parties aim to establish a data processing agreement that adheres to the prevailing legal standards regarding data processing.
The Parties are committed to defining their respective rights and responsibilities.

##Definitions and Clarifications
"Processor" refers to Canadian Mail Master.

"Organization Personal Data" encompasses all Personal Data processed by a Contracted Processor on behalf of the Controller in line with the Main Agreement.

"Contracted Processor" denotes a Subprocessor.

"Data Protection Laws" include all applicable laws and regulations concerning the processing of personal data under this agreement, including but not limited to the GDPR, CCPA, and other relevant regional data protection laws.

"Data Transfer" entails the movement of Organization Personal Data from the Controller to a Contracted Processor or between any two Contracted Processor sites, restricted by Data Protection Laws or specific data transfer agreements designed to address these restrictions.

"Services" are the services provided by Canadian Mail Master.

"Subprocessor" is any entity engaged by or on behalf of the Processor to process Personal Data on the Controller's behalf in relation to this Terms.

Terms such as "Controller", "Data Subject", "Personal Data", "Personal Data Breach", and "Processing" shall inherit the meanings ascribed in the GDPR, with related terms interpreted similarly.

##Processing of Organization Personal Data
The Processor is obligated to adhere to all relevant Data Protection Laws in processing Organization Personal Data and shall only process such data based on the Controller's documented directives.

The Controller authorizes the Processor to process Organization Personal Data to deliver the Services and any associated support.

##Processor Personnel
The Processor is responsible for ensuring the reliability of any personnel from a Contracted Processor accessing Organization Personal Data, restricting access to those specifically required to process the data for the Main Agreement's purposes, in compliance with applicable laws.

##Security Measures
Considering technological advancements, cost implications, and the nature and objectives of Processing, alongside the potential risk to individuals' rights and freedoms, the Processor must implement suitable technical and organizational measures to safeguard Organization Personal Data against such risks, including measures mentioned in Article 32(1) of the GDPR.

##Subprocessing
The Processor is not permitted to engage (or share any Organization Personal Data with) any Subprocessor without the Controller's explicit consent or mandate.

##Data Subject Rights
The Processor agrees to support the Controller with the necessary technical and organizational measures to fulfill the Controller's duty to respond to Data Subject rights requests under Data Protection Laws.

##Personal Data Incident Response
Upon detecting a Personal Data Breach affecting Organization Personal Data, the Processor shall promptly inform the Controller, providing adequate details to enable the Controller to comply with data breach notification obligations under Data Protection Laws.

##Assistance with Compliance
The Processor will assist the Controller with data protection impact assessments and consultations with supervisory authorities as required by Data Protection Laws, considering the nature of processing and the information available to the Contracted Processors.

##Termination of Data Processing
Following the termination of Services involving the Processing of Organization Personal Data, the Processor will delete or return all such data within a specified timeframe, barring any legal requirements to retain the data.

##Data Transfers
The Processor is authorized to transfer Organization Personal Data to jurisdictions outside the EU, provided such transfers comply with Data Protection Laws, utilizing approved mechanisms like EU standard contractual clauses to ensure adequate protection.

##Confidentiality Obligations
Both parties must treat information received in connection with this agreement as confidential, barring legal requirements or prior public knowledge exceptions.

##Notices
All notices under these Terms must be in writing, primarily via email, to designated addresses agreed upon within the Main Agreement.

##Governing Law
These Terms are governed by the laws of United Kingdom