Addendum on data processing

1. General

1.1 This addendum on data processing or data processing agreement within the meaning of article 28.3 GDPR (hereinafter: ‘Addendum’ or ‘DPA’) will be attached to the Agreement entered into between the Parties in order to form an integral part thereof. In the event of any conflict between the Agreement and this Addendum, the provisions of the Addendum will always prevail. The provisions of the Agreement not affected by this Addendum will continue to apply unchanged and in full. 

1.2 The provisions of this Addendum will only apply if and insofar as EasyPost, in the context of the Agreement (regarding the EasyPost Classic or EasyPost Connect Services as specified in the Agreement), Processes Personal Data of Data Subjects on behalf of the Client, whereby EasyPost qualifies as ‘processor’ and the Client as ‘controller’ within the meaning of article 4 of the GDPR. This Addendum does not apply to the Processing of Personal Data for which Parties (separately) determine the purposes and/or means of the Processing (as a Controller).

1.3 This Addendum is entered into for a term equal to the term of the Agreement entered into between the Parties or for as long as the Services are executed.    

1.4 EasyPost has appointed a Data Protection Officer who can be contacted at: privacy@easypost.eu

2. Definitions

2.1 For the purposes of this Addendum, the following words or phrases, when capitalised, will have the following meaning:

‘Addendum’: current addendum on data processing (as a data processing agreement within the meaning of article 28.3 GDPR) which forms an integral part of the Agreement;

‘GDPR’: the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); 

‘Services’: the services provided by EasyPost to the Client under the Agreement (regarding EasyPost Classic or EasyPost Connect) as (further) described in the Agreement;

‘Data protection legislation’: the GDPR, together with other legislation arising from the GDPR and/or any other legislation of any other country relating to data protection or privacy.

2.2 ‘Personal Data’, ‘Processing’, ‘Process’ or ‘Processed’, ‘Controller’, ‘Processor’ and ‘Data Subject(s)’ will have the meaning defined in article 4 GDPR and as further described in article 3 below. ‘Data breach’ has the meaning of a ‘personal data breach’ within the meaning of article 4.(12) GDPR. 

2.3 Other capitalised words or expressions will have the meaning defined in the Agreement (including as set forth in article 1 Title I of EasyPost’s General Terms and Conditions).

3. Details of the Processing

3.1 Subject - nature: for the performance of the Agreement and in the context of the Services, EasyPost processes certain Personal Data of Data Subjects on behalf of the Client. This takes place in the context of the Services. The Personal Data are Processed through EasyPost's systems, tools and software (including, with respect to EasyPost Connect Services through the EasyPost Connect platform or the related specific Services and/or Channels as described under the Agreement).

3.2 Personal Data: the Personal Data Processed by EasyPost are the Personal Data of Data Subjects that are transferred by the Client to EasyPost in the context of the Services or are uploaded, Processed or used on EasyPost Connect to enable or facilitate the performance of the relevant Services. 

In the context of the EasyPost Classic Services, these are primarily identification data (names, addresses, town/city) and optionally the telephone number and email address of the Data Subjects, as included in the Postal Items and/or receipts, as well as mail ID barcodes that can be linked to Postal Items and/or receipts.

For Digital Post Dispatch, Processing of Personal Data through EasyPost Connect and the Services in this regard, Personal Data other than identification data of certain Data Subjects may also be Processed which, however, are not consulted by EasyPost and/or its employees or agents, but may be included in the Digital Documents or Digital Communications or Processed in the context of the Digital Post Dispatch. This may include other identification data or information such as the date of birth, information on personal characteristics (such as place of birth, gender, marital status, nationality, profession), financial information (such as bank account number(s), credit card number(s)), information on education and training (e.g. with respect to studies / diplomas), information on profession and employment (e.g. current job / position, evaluations), information on property/properties, real estate, homes, information about memberships, images (photos, videos), information on leisure and interests, lifestyle habits, diary planning and activities, physical data, but also special categories of Personal Data such as health data, sensitive data, National Register number, judicial data and/or criminal data.

These Personal Data are Processed via EasyPost Connect by EasyPost on behalf of the Client and only if this is necessary for the performance of the Services.

3.3 Data Subjects: In the context of Post Processing or EasyPost Classic, the Data Subjects are the contacts, addressees, senders and correspondents of the Client. Basically these are all persons with whom the Client comes into contact during or as a result of its business operations, organisation or activities, who receive Postal Items from the Client and whose Personal Data are Processed by EasyPost. These may also be persons to whom the contents of the Postal Items of the Client relate (and not only the relevant addressees of the Postal Items), without prejudice to what is stipulated in this regard in article 3.2 above.

In the context of the EasyPost Connect Services these may also be Data Subjects (natural persons) to whom the content of the Digital Documents or Digital Communication relates and in which Personal Data of these Data Subjects are contained (and which are not consulted by EasyPost and/or its employees or agents).

3.4 Purposes: The purposes of the Processing of Personal Data by EasyPost are to (i) execute the Agreement and to (be able to) provide the relevant Services to the Client as described above under article 3.1 and in the Agreement; (ii) to optimise EasyPost's Services, (iii) to comply with applicable laws as well as (iv) any other category of purposes for the Processing of Personal Data as further specified or described in the Agreement.

With respect to the EasyPost Classic services, EasyPost Processes the outgoing Postal Items (enveloped) with the name and address details for the performance of the Agreement and, in particular, for (i) the collection of the outgoing Postal Items; (ii) optically reading the name and address details of the Postal Items and creating a digital post ID barcode that is affixed to the Postal Items: the Postal Item goes through the EasyPost hardware while an optical file of it is registered and subsequently Processed by EasyPost’s OCR software to extract the address and link it to the post ID barcode, after which the data (address + post ID barcode) is transmitted to the Provider of Universal Postal Services or other engaged Providers of Postal Services through a secured protocol (web service); (iii) sorting and preparing outgoing Postal Items (both Registered Postal Items and regular Postal Items); (iv) arranging the post drop with the Provider of Universal Postal Services or other engaged Providers of Postal Services; and (v) the storage of receipts for Registered Postal Items on the EasyPost portal.

With regard to EasyPost Connect, EasyPost Processes Personal Data in the context of the Services and/or Channels offered on or connected with EasyPost Connect. This may include, as indicated above, Personal Data other than identification data such as names and addresses included in Digital Documents or Digital Communications, but not consulted by EasyPost and/or its employees or agents. More information about these processing activities can be found in the Agreement, Manuals or practice statements regarding the specific EasyPost Connect Services and/or Channels made available to the Client.

3.5 Duration - retention period(s): The Personal Data will, as a rule, only be Processed by EasyPost during the term of the Agreement and/or this Addendum or for as long as the Services are provided by EasyPost and will not be kept longer than necessary for the purposes referred to in article 3.4, unless (special) legal provisions are applicable to the storage, retention or Processing thereof, specific retention periods apply in the Agreement, or if longer storage is necessary for the execution of the Agreement. 

As part of the EasyPost Classic Services, the following specific retention terms apply, among others:

  • for post ID files containing address details of Data Subjects: these are deleted by EasyPost immediately after the creation and validation of the post ID barcode, unless longer storage would be necessary for the performance of the Services, and retained for a maximum of one (1) year after creation and validation.
  • optical files during the sorting of outgoing Postal Items: these are stored, after Processing and sorting, on a secure local server of EasyPost for a period of three (3) months and retained for a maximum of two (2) years after creation.
  • bpost receipts on the Client’s portal: these are retained for ten (10) years from the date of dispatch.

In the context of the EasyPost Connect Services, the following specific retention periods apply, among others:

  • electronic registered postal items will remain available through EasyPost Connect for a period of fourteen (14) days. After dispatch, these remain available for two (2) days.
  • proof reports relating to electronic registered postal items are retained for a maximum of seven (7) years.
  • log files relating to electronic registered postal items are retained for a maximum of two (2) years.

4. Instructions from the Client

4.1 EasyPost Processes the Personal Data solely in accordance with the (documented or written) instructions from the Client, except in the case of deviating legal obligations, in which case the Client will inform EasyPost thereof prior to the Processing, unless such notification is prohibited by law. The Client hereby authorises and instructs EasyPost to Process Personal Data in accordance with this Addendum and the Agreement. This Addendum and the Agreement together contain the entire instructions from the Client to EasyPost regarding the Processing of Personal Data. All additional or alternative instructions must be given separately in writing and agreed upon by the Parties.

4.2 The Client represents and warrants that it is and will remain authorised to give the aforementioned instructions on behalf of any affiliated company, which is or may be the Controller for the Processing of Personal Data of Data Subjects (whether or not jointly with the Client). 
 

5. Obligations

5.1 EasyPost will comply with the Data protection legislation and will take all appropriate technical and organisational measures to this end. 

5.2 The Client will comply with the Data protection legislation. It will take all appropriate technical and organisational measures so that the Processing of Personal Data of Data Subjects complies with the applicable Data protection legislation. The Client will specifically take the required measures with respect to components, services or systems that the Client provides, manages or controls, including workstations from which the Services of EasyPost are connected (e.g., through EasyPost Connect), data transmission systems used, and with respect to its personnel or agents (including employees, subcontractors and independent contractors).

5.3 The Client is responsible for the lawfulness of the (collection and/or Processing of the) Personal Data Processed by EasyPost in the context of the Agreement and/or the Services. The Client will take all necessary measures to update the Personal Data and to delete and/or correct incomplete or incorrect Personal Data. 

5.4 The Client represents and warrants that:

  • it has complied with applicable Data protection legislation when collecting and Processing Personal Data of Data Subjects transferred to EasyPost or Processed by the latter in the context of the Services;
  • it has adequately informed the Data Subjects about their rights and obligations (in accordance with articles 13-14 GDPR), in particular about the Processing by EasyPost (or a category of service providers such as EasyPost) for and on behalf of the Client in the context of the Services;
  • the Processing of Personal Data in the context of the Agreement is lawful and based on a valid legal ground in accordance with the Data protection legislation. If the Processing or storage by EasyPost or transfer to EasyPost of certain Personal Data requires the consent of the Data Subject, the Client represents and warrants that it has validly obtained such consent and will be able to provide evidence thereof, upon EasyPost’s request;
  • its personnel and agents (including employees, subcontractors and independent contractors) understand and will strictly comply with the obligations under the Agreement and the Data protection legislation.

5.5 If compliance with Data protection legislation requires any action or measure by EasyPost, in addition to its obligations under this Addendum, EasyPost will take such action or measure after prior consultation with and agreement of the Client. The latter will in any case give prior notice to EasyPost of the required actions or measures to be taken, and render full cooperation and assistance to EasyPost in this regard. EasyPost shall be entitled to invoice the Client on a time and material basis at the then-current prices or agreed upon prices for any time spent on any such additional services, assistance or modifications to the Services.

5.6 However, EasyPost will not be responsible for compliance with any laws applicable to the Client or its business or the Client’s industry that are not generally or specifically applicable to EasyPost. 

6. Transfer of Personal Data outside the European Economic Area (EEA)

6.1 No Personal Data is transferred to countries outside the EEA in the context of the Services.

6.2 Any transfer of Personal Data to ((group) companies, third parties, service providers or servers in) countries outside the EEA will in any case take place in accordance with the Data protection legislation. Parties agree that Personal Data can only be transferred to and/or kept with the recipient outside the EEA in a country that does not fall under any adequacy decision of the European Commission with prior written approval of the Controller and only if necessary to comply with the obligations of this DPA. Such transfer shall in any case be governed by articles 45-48 GDPR or article 49 GDPR if any of the derogations apply.

6.3 EasyPost will Process the Personal Data it Processes on behalf of the Client in any country in which EasyPost, its affiliates and/or sub-processors authorised in accordance with article 9 have facilities. The Client explicitly authorises EasyPost to perform any transfer of Personal Data to, and any Processing in, such country in connection with the Agreement without prejudice to the other provisions of this article.

6.4 EasyPost does not control and is not responsible for the location from which the Client or its end users (may) Process Personal Data. In any case, the Client will fully indemnify and hold harmless EasyPost for any damage suffered by third parties in this regard.

7. Transfer or disclosure of Personal Data

7.1 EasyPost will not transfer or transmit Personal Data to third parties, except:

  • on the instruction(s) of the Client;
  • if required for Processing of Personal Data by a sub-processor pursuant to article 9 below;    
  • if required by law.

7.2 In the event of transfer of Personal Data to a third party on the instruction(s) of the Client, only the latter is responsible for concluding written agreements with this third party regarding the protection and Processing of Personal Data. In any event, the Client will fully indemnify and hold harmless EasyPost for any damage arising from such transfer by EasyPost to a third party, unless said damage is solely due to a proven failure of EasyPost.

7.3 EasyPost warrants that its personnel, acting under its authority, who are authorised to process Personal Data in the context of the Agreement and/or Services and have access thereto, will observe the confidentiality of the Personal Data.

8. Security measures

8.1 EasyPost will take all appropriate technical and organisational measures required under article 32 GDPR regarding security of Processing. These security measures guarantee a level of protection appropriate to the risks associated with the Processing and the nature of the Personal Data to be protected, taking into account the currently established technologies and the cost of their implementation.

8.2 EasyPost holds an ISO 27001 certification on information security. 
 

9. Sub-processors

9.1 The Client acknowledges and agrees that EasyPost may engage sub-processors for the Processing of Personal Data related to the Services under the Agreement and transfer Personal Data to these sub-processors. Upon the Client’s request, EasyPost shall provide a current list of EasyPost’s sub-processors in the context of the Services provided to the Client.

9.2 EasyPost will inform the Client about every intended change of sub-processor(s). If the Client does not agree to the Processing of Personal Data by one or more sub-processors, the Client will notify EasyPost in writing within fifteen (15) calendar days of receiving said notification. If necessary, EasyPost will make reasonable efforts to recommend changes to the Client with regard to the affected Services in order to avoid Processing of Personal Data by the sub-processor(s) in question.

9.3 EasyPost will enter into written agreements with any engaged sub-processor that will contain data protection obligations no less protective than EasyPost’s obligations under this Addendum and in particular in respect of the obligation to take appropriate security measures so that the Processing complies with the Data protection legislation. 

9.4 In any event, EasyPost will at all times remain the point of contact for the Client in this regard. Where such sub-processor fails to comply with its data protection obligations, EasyPost shall be liable for such sub-processor’s compliance with its obligations under this Addendum.

10. Rights of the Data Subjects

10.1 Taking into account the nature of the Processing of Personal Data and to the extent possible, EasyPost will assist and cooperate with the Client in fulfilling (or ensuring the fulfilment of) its obligations under the Data protection legislation, in particular so that the Client can fulfil its obligation(s) to respond (in good time) to requests from Data Subjects exercising their rights. The Client will give the Data Subjects the opportunity to exercise their rights. The Client will provide all necessary information about the Processing of Personal Data to the Data Subjects in accordance with articles 13-14 GDPR.

10.2 Should a Data Subject contact EasyPost directly in order to obtain access / a copy, rectification or erasure of, or a restriction on, the Processing of their Personal Data, EasyPost will refer the Data Subject in question to the Client. EasyPost itself will not respond further to the request. EasyPost may however provide the basic contact information of the Client to the Data Subject for support purposes. The Client will inform Data Subjects that they can only exercise their rights towards the Client. The Client will respond to any such request from a Data Subject and comply with its obligations in this regard under the Data protection legislation.

11. Notifications, inspections and audits

11.1 Unless prohibited by law, EasyPost will notify the Client without unreasonable delay if EasyPost or any of its sub-processors receives any inquiry, writ of summons or request for inspection or audit from any competent governmental or supervisory authority in connection with the Processing of Personal Data. In addition, EasyPost will inform the Client if EasyPost intends to provide Personal Data to a competent government agency or regulatory authority outside the scope of the Services. Lastly, EasyPost will promptly notify the Client if, in its opinion, any instruction or order from the Client violates the Data protection legislation.

11.2 On request of the Client, EasyPost will provide all required information and assistance to the Client, so that it can comply with its obligations under article 28 GDPR.

11.3 The Client is entitled to reasonably verify EasyPost’s compliance with the Data protection legislation, provided however that EasyPost shall have no obligation to provide confidential and/or proprietary information. To this extent, upon written request, once every twelve (12) months - unless (i) the audit is requested by a competent supervisory authority in accordance with the Data protection legislation or (ii) following a Data Breach - and subject to a thirty (30) calendar days’ prior written notice, the Client may have an audit or verification conducted at EasyPost by an expert. 

11.4 Prior to any such audit or inspection, Parties shall mutually agree upon the scope, timing and duration of the audit, including conditions of confidentiality.

11.5 EasyPost will provide such reasonable assistance and cooperation as may be necessary for any such inspections or audits. EasyPost shall be entitled to invoice the Client on a time and material basis at the then-current applicable prices, the prices set forth in the Price List or the prices agreed upon between Parties for any time spent on any such audit inquiries. 

11.6 The Parties agree that the performance of such inspections or audits will not unduly delay, disrupt or limit EasyPost’s business operations and/or the performance of the Services. In the event of such delay, disruption or limitation, EasyPost will notify the Client and the Parties will attempt to find a solution as soon as possible and by mutual agreement.

11.7 The Client shall promptly notify EasyPost in writing with information regarding any non-compliance discovered during an inspection or audit. The Client will provide a draft (audit) report to EasyPost free of charge. This report, as well as any other information to which the Client or the appointed expert may have access in the context of an inspection or audit, is and will remain and will always be considered strictly confidential. 

11.8 The costs arising from an inspection or audit by the Client shall be borne in full by the Client. The Client may not seek any reimbursement from EasyPost for these costs.

12. Data Breaches

12.1 EasyPost will inform the Client without unreasonable delay as soon as it becomes aware of a Data Breach, regardless of the cause.

12.2 The Client will immediately notify EasyPost of any security incident or security issue, including a Data Breach that is in any way related to the Services.

12.3 The Party responsible for the Data Breach will further investigate the Data Breach and keep the other Party informed of new developments and of the measures that are being and will be taken to limit the consequences of the Data Breach and to prevent its recurrence. 

12.4 Both Parties will cooperate in such investigation and assist one another in fulfilling (or having fulfilled) their obligations under the Data protection legislation, in particular the obligation to report a Data Breach to the Data Protection Authority pursuant to article 33 GDPR.

12.5 A notification or report pursuant to the present article 12 and/or the Data protection legislation will always take place without (adverse) acknowledgement of any fault or liability in respect of the Data Breach.

13. Data Protection Impact Assessments (DPIAs)

Should the Client be obliged to perform a DPIA (‘Data Protection Impact Assessment’), EasyPost will provide the necessary cooperation and assistance to the Client in order for the Client to comply with its obligations in this regard. EasyPost shall be entitled to invoice the Client on a time and material basis at the then-current applicable prices, the prices set forth in the Price List or the prices agreed upon between Parties for any time spent on any assistance.

14. Return and/or erasure of Personal Data

14.1 Upon termination of the Agreement and/or this Addendum, EasyPost shall erase or anonymise all Personal Data on its systems, tools, software or Services (without prejudice to any back-up archives) at the latest sixty (60) calendar days after said termination, unless the Client instructs otherwise or (further) storage or retention of the Personal Data is required by law, is necessary in the context of any legal proceedings or imposed by (judicial or supervisory) authorities. The aforementioned article applies without prejudice to article 3.5 above.

14.2 If requested in writing by the Client no later than thirty (30) days prior to termination of the Agreement and/or current Addendum, EasyPost will provide the Client where (technically) possible with a readable copy of the Personal Data on its systems at the Client’s (full) expense.

14.3 The current article applies notwithstanding the conditions in the Agreement concerning deactivation of accounts and export(s) or Customer Data of the Client.

15. Intellectual property rights

All intellectual property rights, including copyrights, database rights, trademark rights, trade names, domain names and software rights, in or related to the Services (including EasyPost Classic and EasyPost Connect) or data processing activities (specifically excluding the Personal Data), as well as in or relating to copies or adaptations thereof, will at all times remain the exclusive property of EasyPost and/or its licensor(s). No provision of this Agreement may be construed as a full or partial transfer of such rights, whether in ownership of or in (sub)license, to the Client.

16. Liability

16.1 The liability of EasyPost is, notwithstanding article 82 GDPR, limited pursuant to article 10 of Title I, article 8 of Title II and article 8 of Title III of EasyPost’s General Terms and Conditions.

16.2 The Client is liable and will indemnify EasyPost in full in respect of principal, interest and (legal) costs for all damages (including penalties (such as administrative fines) imposed by supervisory authorities (such as the Data Protection Authority) and damages suffered by Data Subjects or EasyPost) resulting from the Client’s failure to comply with its obligations under this Addendum, EasyPost’s internal policies, procedures and/or best practices relating to the Processing of Personal Data and/or the Data protection legislation.