Terms, Conditions, Policies & Plans
Terms, Conditions, Policies & Plans Word Doc Version for Download is here. This Doc is posted at RELAYTO.com here. V.23.24 Last updated April 12, 2024 (pv) We reserve the right to modify, amend, or update these terms and conditions at any time without prior notice. Any changes will be effective immediately upon posting the revised terms on our website at RELAYTO.com. It is your responsibility to review these terms periodically for any updates. By continuing to use our services after any such changes, you agree to be bound by the modified terms and conditions. Master Subscription Packet (included Agreements): ● 01 Business Agreement For Paid Accounts • 001 Add Company Name (if applicable) • 002 Add Agreement Period details (default: the Period is defined in your Invoice) • 003 Sign here (if applicable) (covers all Agreements in the entire Packet) ● 02 Privacy Policy ● 03 Service Level Agreement ● 04 Acceptable Use Policy ● 05 Data Processing Addendum ● 06 SCC and Appendix with Annexes I-III ● 07 FAQs - Security Measures Granted by RELAYTO • RELAYTO’s Architecture Diagram • Business Continuity Plan • Disaster Recovery Plan ● 08 Cookies Policy ● 09 DMCA Policy 1
Agreement BUSINESS AGREEMENT FOR PAID ACCOUNTS This Business Agreement for Paid Accounts (“Agreement”) is made TODAY’S DATE (the “Effective Date”) between RELAYTO Limited, (“RELAYTO”), a corporation Registered in Delaware, USA, and [RELAYTO USER COMPANY ACCOUNT]. This Agreement governs access to and use of RELAYTO software and services (together, "RELAYTO''), as well as those Beta Services that are made available to you (together, with RELAYTO, the "Services"). By signing your contract for the Services or using the Services, you agree to this Agreement as a Customer. To the extent RELAYTO is, on behalf of Customer, processing Customer Data that is subject to national laws implementing EU Data Protection Directive (95/46/EC) ("EU Data Protection Laws"), then, by clicking "I agree," you are also agreeing to the EU Standard Contractual Clauses with RELAYTO, Inc. for the transfer of personal data to processors set forth in the Data Processing Addendum ("DPA"). Our Privacy Policy and DPA explain how we collect and use your information along with certain duties and obligations with respect to the protection, security, processing of personal data provided or made available to us by you, while our Acceptable Use Policy outlines your responsibilities when using our Services. By using our Services, you're agreeing to be bound by these Terms and to review our Privacy, DPA, and Acceptable Use Policy. If you're using our Services for an organization, you're agreeing to these Terms on behalf of that organization. If you are agreeing to this Agreement and DPA (if applicable) for use of the Services by an organization, you are agreeing on behalf of that organization. You must have the authority to bind that organization to these terms, otherwise, you must not sign up for the Services. 1. Services a. Provision of Services. Customer and users of Customer's Services account ("End Users") may access and use the Services in accordance with this Agreement. b. Facilities and Data Processing. RELAYTO will use, at a minimum, industry standard technical and organizational security measures to transfer, store, and process Customer Data. These measures are designed to protect the integrity of Customer Data and guard against the unauthorized or unlawful access to, use, and processing of Customer Data. Customer agrees that RELAYTO may transfer, store, and process Customer Data in the United States and locations other than the Customer’s country only after a new Transfer Impact Assessment is completed. 2 of 54
To the extent that Customer Data is subject to EU Data Protection Laws and is processed by RELAYTO as a data processor acting on Customer's behalf (as a data controller), RELAYTO will use and process such Customer Data as Customer instructs in order to provide the Services and fulfill RELAYTO's obligations under the Agreement. "Customer Data" means Stored Data and Account Data. "Stored Data" means the files and structured data submitted to the Services by Customer or End Users. "Account Data" means the account and contact information submitted to the Services by Customer or End Users. c. [removed] d. Software. Some Services allow Customers to download RELAYTO software which may update automatically. Customers may use the software only to access the Services. If any component of the software is offered under an open source license, RELAYTO will make the license available to Customer and the provisions of that license may expressly override some of the terms of this Agreement. e. Beta Services. RELAYTO may provide features or products that we are still testing and evaluating. These products and features are identified as alpha, beta, preview, early access, or evaluation (or words or phrases with similar meanings) (collectively, "Beta Services''). Notwithstanding anything to the contrary in this Agreement or in the DPA, the following terms apply to all Beta Services: (a) you may use or decline to use any Beta Services; (b) Beta Services may not be supported and may be changed at any time without notice to you; (c) Beta Services may not be as reliable or available as RELAYTO Business; (d) Beta Services have not been subjected to the same security measures and auditing to which RELAYTO Business has been subjected; and (e) RELAYTO will have no liability arising out of or in connection with beta services—use at your own risk. 2. Customer Obligations a. Compliance. Customer is responsible for use of the Services by its End Users. Customer and its End Users must use the Services in compliance with the Acceptable Use Policy. Customer will obtain from End Users any consents necessary to allow Administrators to engage in the activities described in this Agreement and to allow RELAYTO to provide the Services. Customer will comply with laws and regulations applicable to Customer's use of the Services, if any. b. Customer Administration of the Services. Customer may specify End Users as "Administrators" through the administrative console. Administrators may have the ability to access, disclose, restrict or remove Customer Data in or from Services accounts. Administrators may also have the ability to monitor, restrict, or terminate access to Services accounts. RELAYTO's responsibilities do not extend to the internal management or administration of the Services. Customer is responsible for: 3 of 54
(i) maintaining the confidentiality of passwords and Administrator accounts; (ii) managing access to Administrator accounts; and (iii) ensuring that Administrators' use of the Services complies with this Agreement. Customer acknowledges that if Customer purchases the Services through a reseller and delegates any of such reseller's personnel as Administrators of Customer's Services account, such reseller may be able to control account information, including Customer Data, and access Customer's Services account as further described above. c. Unauthorized Use & Access. Customer will prevent unauthorized use of the Services by its End Users and terminate any unauthorized use of or access to the Services. The Services are not intended for End Users under the age of 13. Customer will ensure that it does not allow any person under 13 to use the Services. Customer will promptly notify RELAYTO of any unauthorized use of or access to the Services. d. Restricted Uses. Customer will not (i) sell, resell, or lease the Services; (ii) use the Services for activities where use or failure of the Services could lead to physical damage, death, or personal injury; or (iii) reverse engineer the Services, nor attempt nor assist anyone else to do so, unless this restriction is prohibited by law. 3. Third-Party Services i. "Third Party Request" means a request from a third party for records relating to an End User's use of the Services including information in or from an End User or Customer's Services account. Third Party Requests may include valid search warrants, court orders, or subpoenas, or any other request for which there is written consent from End Users permitting a disclosure. ii. Customer is responsible for responding to Third Party Requests via its own access to information. Customer will seek to obtain information required to respond to Third Party Requests and will contact RELAYTO only if it cannot obtain such information despite diligent efforts. iii.RELAYTO will make commercially reasonable efforts, to the extent allowed by law and by the terms of the Third Party Request, to: (A) promptly notify Customer of RELAYTO's receipt of a Third Party Request; (B) comply with Customer's commercially reasonable requests regarding its efforts to oppose a Third Party Request; and (C) provide Customer with information or tools required for Customer to respond to the Third Party Request (if Customer is otherwise unable to obtain the information). If Customer fails to promptly respond to any Third Party Request, then RELAYTO may, but will not be obligated to do so. 4 of 54
4. Suspension a. Of End User Accounts by RELAYTO. If an End User (i) violates this Agreement or (ii) uses the Services in a manner that RELAYTO reasonably believes will cause it liability, then RELAYTO may request that Customer suspend or terminate the applicable End User account. If Customer fails to promptly suspend or terminate the End User account, then RELAYTO may do so. b. Security Emergencies. Notwithstanding anything in this Agreement, if there is a Security Emergency then RELAYTO may automatically suspend use of the Services. RELAYTO will make commercially reasonable efforts to narrowly tailor the suspension as needed to prevent or terminate the Security Emergency. "Security Emergency" means: (i) use of the Services that do or could disrupt the Services, other customers' use of the Services, or the infrastructure used to provide the Services and (ii) unauthorized third-party access to the Services. 5. Intellectual Property Rights a. Reservation of Rights. Except as expressly set forth herein, this Agreement does not grant (i) RELAYTO any Intellectual Property Rights in Customer Data or (ii) Customer any Intellectual Property Rights in the Services or RELAYTO trademarks and brand features. "Intellectual Property Rights" means current and future worldwide rights under patent, copyright, trade secret, trademark, moral rights, and other similar rights. b. Limited Permission. Customer grants RELAYTO only the limited rights that are reasonably necessary for RELAYTO to offer the Services (e.g., hosting Stored Data). This permission also extends to our affiliates and trusted third parties RELAYTO works with to offer the Services (e.g., payment provider used to process payment of fees) c. Suggestions. RELAYTO may, at its discretion and for any purpose, use, modify, and incorporate into its products and services, license and sublicense, any feedback, comments, or suggestions Customer or End Users send RELAYTO or post in RELAYTO's forums without any obligation to Customer. d. Customer List. RELAYTO may include Customer's name in a list of RELAYTO customers on the RELAYTO website or in promotional materials. 6. Fees & Payment a. Fees. Customer will pay, and authorizes RELAYTO or Customer's reseller to charge using Customer's selected payment method, for all applicable fees. Fees are non-refundable except as required by law. Customer is responsible for providing complete and accurate billing and contact information to RELAYTO or Customer's reseller. RELAYTO may suspend or terminate the Services if fees are past due. b. This Agreement is effective for the Period set forth in the accompanying invoice. 5 of 54
6c. Automatic Renewal c. Automatic Renewal. Each Term shall automatically renew for subsequent periods of the same length as the initial Term unless either party gives the other written notice of termination at least thirty (30) calendar days prior to expiration of the then-current Term. By continuing to use our services after the expiration of the initial term, you agree to the renewal and associated charges. d. Taxes. Customer is responsible for all taxes. RELAYTO or Customer's reseller will charge tax when required to do so. If Customer is required by law to withhold any taxes, Customer must provide RELAYTO or Customer's reseller with an official tax receipt or other appropriate documentation. e. Purchase Orders. If Customer requires the use of a purchase order or purchase order number, Customer (i) must provide the purchase order number at the time of purchase and (ii) agrees that any terms and conditions on a Customer purchase order will not apply to this Agreement and are null and void. If Customer is purchasing through a reseller, any terms and conditions from Customer's reseller or in a purchase order between Customer and its reseller that conflict with the RELAYTO Business Agreement are null and void. f. Price Adjustments: RELAYTO may be subject to periodic adjustments. We reserve the right to increase prices by up to 10% annually, with prior notice to our users. These adjustments may reflect various factors such as inflation, increased operational costs, improvements in service quality, and investments in research and development to enhance user experience. Notification of price adjustments will be provided via email or through the platform at least thirty (30) calendar days before the changes take effect. g. Opt-Out of Automatic Renewal: You have the option to opt-out of automatic renewal by providing written notice to [email protected] at least thirty (30) calendar days before the end of the current subscription term. Failure to opt-out will result in automatic renewal and the associated charges. 7. Term & Termination a. Term. The “Term” means the term of such initial orders and any subsequent orders, including renewals and extensions. b. Termination for Breach. Either RELAYTO or Customer may terminate this Agreement if (i) the other party is in material breach of the Agreement and fails to cure that breach within 30 calendar days after receipt of written notice or (ii) the other party ceases its business operations or becomes subject to insolvency proceedings and the proceedings are not dismissed within 90 calendar days. 6 of 54
c. Effects of Termination. If this Agreement terminates: (i) the rights granted by RELAYTO to Customer will cease immediately (except as set forth in this section); (ii) RELAYTO may provide Customer access to its account at then-current fees so that Customer may export its Stored Data; and (iii) after a commercially reasonable period of time no less than 30 calendar days, RELAYTO may delete any Stored Data relating to Customer's account. The following sections will survive expiration or termination of this Agreement: 3(a) (Third Party Requests), 5 (Intellectual Property Rights), 6 (Fees & Payment), 7(c) (Effects of Termination), 8 (Indemnification), 9 (Disclaimers), 10 (Limitation of Liability), 11 (Disputes), and 12 (Miscellaneous). 8. Indemnification a. By Customer. Customer will indemnify, defend, and hold harmless RELAYTO from and against all liabilities, damages, and costs (including settlement costs and reasonable attorneys' fees) arising out of any claim by a third party against RELAYTO and its affiliates regarding: (i) Customer Data; (ii) Customer's use of the Services in violation of this Agreement; or (iii) End Users' use of the Services in violation of this Agreement. b. By RELAYTO. RELAYTO will indemnify, defend, and hold harmless Customer from and against all liabilities, damages, and costs (including settlement costs and reasonable attorneys' fees) arising out of any claim by a third party against Customer to the extent based on an allegation that RELAYTO's technology used to provide the Services to the Customer infringes or misappropriates any copyright, trade secret, patent, or trademark right of the third party. In no event will Relayto have any obligations or liability under this section arising from: (i) use of any Services in a modified form or in combination with materials not furnished by RELAYTO and (ii) any content, information, or data provided by Customer, End Users, or other third parties. c. Possible Infringement. If RELAYTO believes the Services infringe or may be alleged to infringe a third party's Intellectual Property Rights, then RELAYTO may: (i) obtain the right for Customer, at RELAYTO's expense, to continue using the Services; (ii) provide a non-infringing functionally equivalent replacement; or (iii) modify the Services so that they no longer infringe. If RELAYTO does not believe the options described in this section are commercially reasonable then RELAYTO may suspend or terminate Customer's use of the affected Services (with a pro-rata refund of prepaid fees for the Services). d. General. The party seeking indemnification will promptly notify the other party of the claim and cooperate with the other party in defending the claim. The indemnifying party will have full control and authority over the defense, except that: (i) any settlement requiring the party seeking indemnification to admit liability requires prior written consent, not to be unreasonably withheld or delayed and (ii) the other party may join in the defense with its own counsel at its own expense. The indemnities above are relayto and customer's only remedy under this agreement for violation by the other party of a third party's intellectual property rights. 7 of 54
e. [removed] 9. Disclaimers Subject to the agreed Service Level Agreements, the services are provided "As is." to the fullest extent permitted by law, except as expressly stated in this agreement, neither customer nor RELAYTO and its affiliates, suppliers, and distributors make any warranty of any kind, whether express, implied, statutory or otherwise, including warranties of merchantability, fitness for a particular use, or non-infringement. However, in case the services are not available for more than 24 hours, Customer has the right to terminate the agreement with immediate effect. 10. Limitation of Liability a. Limitation on Indirect Liability. To the fullest extent permitted by law, except for RELAYTO or customer's indemnification obligations, neither customer nor RELAYTO and its affiliates, suppliers, and distributors will be liable under this agreement for (I) indirect, special, incidental, consequential, exemplary, or punitive damages, or (ii) loss of use, data, business, revenues, or profits (in each case whether direct or indirect), even if the party knew or should have known that such damages were possible and even if a remedy fails of its essential purpose. b. Limitation on Amount of Liability. To the fullest extent permitted by law, RELAYTO's liability under this agreement will not exceed $100,000 in case of breach of applicable data privacy law, in particular the EU General Data Protection Regulation. To the fullest extent permitted by law, any other RELAYTO's liability under this agreement will not exceed the amount paid by customer for the services hereunder during the twelve months prior to the event giving rise to liability. 11. Disputes a. Informal Resolution. RELAYTO wants to address your concerns without resorting to a formal legal case. Before filing a claim, each party agrees to try to resolve the dispute by contacting the other party through the notice procedures in section 12(e). If a dispute is not resolved within 30 calendar days of notice, Customer or RELAYTO may bring a formal proceeding. b. Agreement to Arbitrate. Customer and RELAYTO agree to resolve any claims relating to this Agreement or the Services through final and binding arbitration, except as set forth below. The American Arbitration Association (AAA) will administer the arbitration under its Commercial Arbitration Rules. The arbitration will be held in a location which both parties agree to in writing. c. Exception to Agreement to Arbitrate. Either party may bring a lawsuit in the federal or state courts solely for injunctive relief to stop unauthorized use or abuse of the Services or infringement of Intellectual Property Rights without first engaging in the informal dispute notice process described above. Both Customer and RELAYTO consent to venue and personal jurisdiction there. 8 of 54
12. Miscellaneous a. Entire Agreement. This Agreement, including Customer's invoice and (purchase) order form with RELAYTO (if applicable), constitutes the entire agreement between Customer and RELAYTO with respect to the subject matter of this Agreement and supersedes and replaces any prior or contemporaneous understandings and agreements, whether written or oral, with respect to the subject matter of this Agreement. If there is a conflict between the documents that make up this Agreement, the documents will control in the following order: the RELAYTO invoice, the RELAYTO order form, the Agreement. b. Governing Law. The agreement will be governed by Oregon law except for its conflicts of laws principles. c. Severability. Unenforceable provisions will be modified to reflect the parties' intention and only to the extent necessary to make them enforceable, and the remaining provisions of the Agreement will remain in full effect. d. Notice. Notices to RELAYTO may be sent to [email protected]. e. Waiver. A waiver of any default is not a waiver of any subsequent default. f. Assignment. Customer may not assign or transfer this Agreement or any rights or obligations under this Agreement without the written consent of RELAYTO. RELAYTO may not assign this Agreement without providing notice to Customer, except RELAYTO may assign this Agreement or any rights or obligations under this Agreement to an affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets without providing notice. Any other attempt to transfer or assign is void. g. No Agency. RELAYTO and Customer are not legal partners or agents, but are independent contractors. h. Force Majeure. Except for payment obligations, neither RELAYTO nor Customer will be liable for inadequate performance to the extent caused by a condition that was beyond the party's reasonable control (for example, natural disaster, act of war or terrorism, riot, labor condition, governmental action, and RELAYTO Internet disturbance). i. No Third-Party Beneficiaries. There are no third-party beneficiaries to this Agreement. Without limiting this section, a Customer's End Users are not third-party beneficiaries to Customer's rights under this Agreement. 9 of 54
j. Export Restrictions. The export and re-export of Customer Data via the Services may be controlled by the United States Export Administration Regulations or other applicable export restrictions or embargo. The Services may not be used in Cuba, Iran, North Korea, Sudan, or Syria or any country that is subject to an embargo by the United States and Customer must not use the Services in violation of any export restriction or embargo by the United States or any other applicable jurisdiction. In addition, Customer must ensure that the Services are not provided to persons on the United States Table of Denial Orders, the Entity List, or the List of Specially Designated Nationals IN WITNESS WHEREOF, the parties have executed this Agreement as of [TODAY’S DATE]. By: RELAYTO Limited Name: Alex Shevelenko Title: Co-founder, CEO By: [RELAYTO USER COMPANY NAME] Name: Title: Privacy Policy PRIVACY POLICY This policy explains what information we collect when you use RELAYTO’s sites, services, products, and content (“Services”). It also has information about how we store, use, transfer, and delete that information. Our aim is not just to comply with privacy law. It’s to earn your trust. 1. Information We Collect & How We Use It RELAYTO doesn’t make money from ads. So we don’t collect data in order to advertise to you. The tracking we do at RELAYTO is to make our product work as well as possible. In order to give you the best possible experience using RELAYTO, we collect information from your interactions with our products. Some of this information, you actively tell us (such as your email address, which we use to track your account or communicate with you). Other information, we collect based on actions you take while using RELAYTO, such as what pages you access and your interactions with our product features. This information includes records of those interactions, your Internet Protocol address, information about your device (such as device or browser type), and referral information. 10 of 54
We use this information to: ● provide, test, improve, promote and personalize RELAYTO Services ● fight spam and other forms of abuse ● generate aggregate, non-identifying information about how people use RELAYTO Services When you create your RELAYTO account, and authenticate with a third-party service (like Twitter, Facebook or Google) we may collect, store, and periodically update information associated with that third-party account, such as your lists of friends or followers. We will never publish through your third-party account without your permission. 2. Information Disclosure We may share information as discussed below, but we won't sell it to advertisers or other third-parties. Others working for RELAYTO. RELAYTO uses certain trusted third parties to help us provide, improve, protect, and promote our Services. These third parties will access your information only to perform tasks on our behalf and in compliance with this Privacy Policy. Other users. Our Services display information like your name to other users in places like your user profile and your documents. Certain features let you make additional information available to other users. Other applications. You can also give third parties access to your information and account. Just remember that their use of your information will be governed by their privacy policies and terms. RELAYTO Business and RELAYTO Enterprise Admins. If you are a RELAYTO Business or RELAYTO Enterprise user, your administrator may have the ability to access and control your RELAYTO Business or RELAYTO Enterprise account. Please refer to your employer's internal policies if you have questions about this. If you are not a RELAYTO Business user but interact with a RELAYTO Business or RELAYTO Enterprise user (by, for example, joining a shared hub or accessing content shared by that user), members of that organization may be able to view the name and email address that were associated with your account at the time of that interaction. Law & Order. We may disclose your information to third parties if we determine that such disclosure is reasonably necessary to (a) comply with the law; (b) protect any person from death or serious bodily injury; (c) prevent fraud or abuse of RELAYTO or our users; or (d) protect RELAYTO's property rights. Stewardship of your data is critical to us and a responsibility that we embrace. We believe that our users' data should receive the same legal protections regardless of whether it's stored on our services or on their home computer's hard drive. We'll abide by the following Government Request Principles when receiving, scrutinizing and responding to government requests for our users' data: 11 of 54
● Be transparent, ● Fight blanket requests, ● Protect all users, and ● Provide trusted services. 3. Data Security RELAYTO shall comply with security technical and organizational measures as identified in annex II to the Standard Contractual Clauses. 4. Third-Party Embeds Some of the content that you see displayed on RELAYTO is not hosted by RELAYTO. These “embeds” are hosted by a third-party and embedded in RELAYTO. For example: YouTube or Vimeo videos, Imgur or Giphy gifs, SoundCloud audio files, Twitter tweets, GitHub code, or Scribd documents that appear within RELAYTO document experiences. These files send data to the hosted site just as if you were visiting that site directly (for example, when you load a RELAYTO document experience with a YouTube video embedded in it, YouTube receives data about your activity). RELAYTO does not control what data third parties collect in cases like this, or what they will do with it. So, third-party embeds on RELAYTO are not covered by this privacy policy. They are covered by the privacy policy of the third-party service. Some embeds may ask you for personal information, such as your email address, through a form. We do our best to keep bad actors off of RELAYTO. However, if you choose to submit your information to a third party this way, we don’t know what they may do with it. As explained above, their actions are not covered by this Privacy Policy. So, please be careful when you see embedded forms on RELAYTO asking for your email address or any other personal information. Make sure you understand who you are submitting your information to and what they say they plan to do with it. We suggest that you do not submit personal information to any third-party through an embedded form. If you embed a form that allows submission of personal information by users, you must provide near the embedded form a prominent link to an applicable Privacy Policy that clearly states how you intend to use any information collected. Failure to do so may lead RELAYTO to disable the document experiences or take other action to limit or disable your account. 5. Data Storage To provide you with the Services, we may store, process and transmit information in the United States and locations around the world - including those outside your country. Information may also be stored locally on the devices you use to access the Services. 6. Tracking & Cookies We use browser cookies and similar technologies to recognize you when you return to our Services. 12 of 54
We use them in various ways, for example to log you in, remember your preferences (such as default language), evaluate email effectiveness, and personalize content and other information. RELAYTO doesn’t track you across the Internet. We track only your interactions across the RELAYTO experiences (which encompasses Relayto.com and custom domains hosted by RELAYTO). Some third-party services that we use to provide the RELAYTO Service may place their own cookies in your browser. This Privacy Policy covers use of cookies by RELAYTO only and not the use of cookies by third parties. RELAYTO complies with the “Do Not Track” (“DNT”) standard recommended by the World Wide Web Consortium. For logged-out users browsing with DNT enabled, RELAYTO’s analytics will not receive data about you, but we will do some first-party tracking in order to customize content and provide data to third-party service providers that enable RELAYTO Services to work. When you use RELAYTO while logged-in to your account, we cannot comply with DNT. See our Cookies Policy below. 7. Modifying or Deleting Your Personal Information If you have a RELAYTO account, you can access, modify or export your personal information, or delete your account. Controls for those actions are located in the RELAYTO user settings page. To protect information from accidental or malicious destruction, we may maintain residual copies for a brief time period. But, if you delete your account, your information and content will be unrecoverable after that time (there might be some latency in deleting this information from our servers and back-up storage). 8. Changes If we are involved in a reorganization, merger, acquisition or sale of our assets, your information may be transferred as part of that deal. We will notify you (for example, via a message to the email address associated with your account) of any such deal and outline your choices in that event. We may revise this Privacy Policy from time to time, and will post the most current version on our website. If a revision meaningfully reduces your rights, we will notify you. 13 of 54
SLA SERVICE LEVEL AGREEMENT RELAYTO will use commercially reasonable efforts to maximize the availability of its services, and provides performance guarantees as detailed below. 1.1. Availability RELAYTO guarantees 99.9% availability of RELAYTO systems utilized to provide services during any calendar month. If RELAYTO fails to meet its availability guarantee, RELAYTO will credit customer's account with an amount according to the table below: Availability during a contracted month Compensation (% of monthly fee)
1.5. Limitation on Remedies Downtime is measured from the time customer reports the event until the time the service is restored and does not include time related to a scheduled or announced maintenance outage; causes beyond RELAYTO’s control; problems with customer or third party content or technology, designs or instructions; unsupported system configurations and platforms or other customer errors; or customer-caused security incident or customer security testing. RELAYTO will apply the highest applicable compensation based on the cumulative availability of the service during each contracted month, as shown in the table above. The total compensation with respect to any contracted month cannot exceed 30 percent of one twelfth (1/12th) of the annual charge for the service. 1.6. Frequency of Backups RELAYTO shall perform regular backups (i.e., rolling hourly & daily) of customer data to prevent data loss and facilitate data recovery in the event of system failures or unforeseen incidents. AUP ACCEPTABLE USE POLICY RELAYTO is used to bring into life some of the most important ideas of our time, and we're proud of the trust placed in us. In exchange, we trust you to use our services responsibly. You agree not to misuse the RELAYTO services ("Services") or help anyone else to do so. For example, you must not even try to do any of the following in connection with the Services: ● probe, scan, or test the vulnerability of any system or network; ● breach or otherwise circumvent any security or authentication measures; ● access, tamper with, or use non-public areas or parts of the Services, or shared areas of the Services you haven't been invited to; ● interfere with or disrupt any user, host, or network, for example by sending a virus, overloading, flooding, spamming, or mail-bombing any part of the Services; ● access, search, or create accounts for the Services by any means other than our publicly supported interfaces (for example, "scraping" or creating accounts in bulk); ● send unsolicited communications, promotions or advertisements, or spam; ● send altered, deceptive or false source-identifying information, including "spoofing" or "phishing"; ● promote or advertise products or services other than your own without appropriate authorization; 15 of 54
● abuse referrals or promotions; ● sell the Services unless specifically authorized to do so; ● publish or share materials that are unlawfully pornographic or indecent, or that contain extreme acts of violence; ● advocate bigotry or hatred against any person or group of people based on their race, religion, ethnicity, sex, gender identity, sexual preference, disability, or impairment; ● violate the law in any way, including storing, publishing or sharing material that's fraudulent, defamatory, or misleading; or ● violate the privacy or infringe the rights of others. DPA DATA PROCESSING ADDENDUM This Data Processing Addendum (“DPA”) is effective and is incorporated by reference into and made a part of the Agreement (all documents as part of the finally executed Master Subscription Packet) entered into between (“RELAYTO LIMITED”) and (“Customer”). This DPA sets forth certain duties and obligations of the parties with respect to the protection, security, processing, and privacy of personal data provided or made available to RELAYTO LIMITED by Customer as part of the Services provided by RELAYTO LIMITED for Customer under the Agreement. This DPA shall supplement (and not supersede) the Agreement, and shall take precedence solely to the extent of any conflict between this DPA and the Agreement. All capitalized terms used and not expressly defined in this Addendum shall have the meanings given to them in the Agreement. In the course of providing the Services to Customer pursuant to the Agreement, RELAYTO LIMITED may Process certain Personal Data provided or made available to RELAYTO LIMITED by Customer on behalf of Customer and the parties agree to comply with the following provisions with respect to any such Personal Data, each acting reasonably and in good faith. 1. Definitions 1.1 “Controller” and “Processor” each have the meaning given to it in the GDPR. 1.2 “Customer Data” is defined in the Agreement as “Customer Data” or “Your Data.” 1.3 “Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement. 16 of 54
1.4 “Data Subject” means the identified or identifiable person to whom Personal Data relates. 1.5 “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). 1.6 “Personal Data” means personal data (as defined in the GDPR) that is uploaded or submitted to the Services by Customer. 1.7 “Processing” has the meaning given in the GDPR. 1.8 “Security Documentation” means RELAYTO LIMITED’s security documentation applicable to the Services, as updated from time to time. 1.9 “Standard Contractual Clauses” or “SCC” means the agreement executed by and between Customer and Service Provider and attached hereto pursuant to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Module Two). 1.10 “Sub-processor” means any Processor engaged by RELAYTO LIMITED. 1.11 “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR. 2. Processing of personal data 2.1 Roles. Customer is the Controller and RELAYTO LIMITED is the Processor with regard to the Processing of Personal Data under the Agreement. 2.2 Customer’s Processing of Personal Data. Customer shall (a) collect and Process Personal Data. (b) use the Services, and (c) give RELAYTO LIMITED instructions regarding the Processing of Personal Data for Customer, in all cases, in accordance with all applicable laws, rules, and regulations, including the Data Protection Laws and Regulations. The customer is solely liable and responsible for the accuracy, quality, and legality of Personal Data. 17 of 54
2.3 Service Provider’s Processing of Personal Data. Effective as of 25 May 2018, RELAYTO LIMITED shall Process Personal Data in accordance with the GDPR requirements directly applicable to RELAYTO LIMITED’s provision of its Services. Personal Data shall be considered Customer’s Confidential Information under the Agreement. RELAYTO LIMITED shall only Process Personal Data on behalf of and in accordance with Customer’s instructions set forth in this DPA and the Agreement for the following purposes: (a) Processing in accordance with the Agreement and applicable Order Form(s); (b) Processing initiated by Users in their use of the Services; and (c) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement. The subject-matter and purpose of Processing of Personal Data by RELAYTO LIMITED is solely so RELAYTO LIMITED can provide the Services to Customer pursuant to the Agreement. 2.4 Personnel. RELAYTO LIMITED shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written industry standard confidentiality agreements. RELAYTO LIMITED shall ensure that RELAYTO LIMITED’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement. RELAYTO has implemented a formal training program as part of the onboarding process, which includes a dedicated section on cybersecurity & information security to ensure all RELAYTO developers are informed and aligned with our security policies and practices. 2.5 Data Protection Officer. RELAYTO LIMITED has appointed a data protection officer. The appointed person may be reached at [email protected] 3. Rights of data subjects RELAYTO LIMITED shall, to the extent legally permitted, promptly notify Customer if RELAYTO LIMITED receives a request from a Data Subject to exercise the Data Subject’s under the GDPR (“Data Subject Request”). Taking into account the nature of the Processing, RELAYTO LIMITED shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, RELAYTO LIMITED shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent RELAYTO LIMITED is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from RELAYTO LIMITED’s provision of such assistance. 18 of 54
4. Sub-processors 4.1 Appointment of Sub-processors. Customer acknowledges and agrees that RELAYTO LIMITED may engage third-party Sub-processors in connection with the provision of the Services. RELAYTO LIMITED has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this Agreement with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by such Sub-processor. 4.2 List of Current Sub-processors and Notification of New Sub-processors. RELAYTO LIMITED’s current list of Sub-processors for the Services is attached as Annex III to the SCC applicable to the DPA. Such Sub-processor lists shall include the identities of those Sub-processors and their country of location (“Sub- processor Lists”). RELAYTO LIMITED shall provide Customer notification of potential new Sub-processor(s) before authorizing any new Sub-processor(s) to Process Personal Data. 4.3 Objection Right for New Sub-processors. Customer may object to RELAYTO LIMITED’s use of a new Sub-processor by notifying RELAYTO LIMITED promptly in writing within thirty (30) calendar days after receipt of RELAYTO LIMITED’s notice. In the event Customer objects to a new Sub- processor, as permitted in the preceding sentence, RELAYTO LIMITED will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If RELAYTO LIMITED is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) calendar days, Customer may terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by RELAYTO LIMITED without the use of the objected-to new Sub-processor by providing written notice to RELAYTO LIMITED. RELAYTO LIMITED will refund Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer. 4.4 Liability. RELAYTO LIMITED shall be liable for the acts and omissions of its Sub-processors to the same extent RELAYTO LIMITED would be liable if performing the services of each Sub- processor directly under the terms of this DPA, except as otherwise set forth in the Agreement. 5. Security 5.1 Controls for the Protection of Customer Data. RELAYTO LIMITED shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed by the Processing. RELAYTO LIMITED’s measures will include those set forth in the Security Documentation attached as Annex II to the SCC applicable to the DPA. RELAYTO LIMITED regularly monitors compliance with these measures. RELAYTO LIMITED will not materially decrease the overall security of the Services during a subscription term. 19 of 54
5.2 Third-Party Certifications and Audits. RELAYTO LIMITED has obtained the third-party certifications and audits set forth in the Security Documentation. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, RELAYTO LIMITED shall make available to Customer that is not a competitor of RELAYTO LIMITED (or Customer’s independent, third-party auditor that is not a competitor of RELAYTO LIMITED) a copy of RELAYTO LIMITED’s then most recent third-party audits or certifications, as applicable. 6. Customer data incident management and notification RELAYTO LIMITED maintains security incident management policies and procedures specified in the Security Documentation and shall, notify Customer without undue delay, but in no event in less than 48 hours, after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by RELAYTO LIMITED or its Sub-processors of which RELAYTO LIMITED (a “Customer Data Incident”). RELAYTO LIMITED shall make reasonable efforts to identify the cause of such Customer Data Incident and take those steps as RELAYTO LIMITED deems necessary and reasonable in order to remediate the cause of such a Customer Data Incident to the extent the remediation is within RELAYTO LIMITED’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s Users. 7. Return and deletion of customer data RELAYTO LIMITED shall return Customer Data to Customer or, to the extent allowed by applicable law, delete Customer Data in accordance with the procedures and timeframes specified in the Security Documentation, or as requested by Customer. 8. GDPR and Onward Transfer 8.1 Assistance. As required by the GDPR, RELAYTO LIMITED shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under the GDPR. 8.2 Standard Contractual Clauses. The Standard Contractual Clauses apply to any transfers of Personal Data under this DPA from the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to RELAYTO LIMITED’s facilities in countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws and Regulations, to the extent such transfers are subject to such Data Protection Laws and Regulations. ” (a) Instructions. For the purposes of Section 2 of the DPA, the following acts are deemed an instruction by the Customer to process Personal Data: (a) Customer’s entering into the Agreement and applicable Order Form(s) are deemed instructions to Process Personal Data as is necessary to perform services under the Agreement; 20 of 54
(b) Users actions that initiate Processing while using the SCC Services; and (c) Customer’s other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement. (b) Notification of New Sub-processors and Objection Right for new Sub-processors. Customer acknowledges and expressly agrees that Service Provider may engage new Sub- processors as described in the DPA. (c) Copies of Sub-processor Agreements. The parties agree that RELAYTO LIMITED may redact the copies of the Sub-processor agreements that must be provided by RELAYTO LIMITED to Customer. RELAYTO LIMITED will provide copies of the Sub-processor agreements, only upon request by Customer. (d) Audits and Certifications. The parties agree that the audits shall be carried out in accordance with the following specifications. Customer request an on-site audit of the procedures relevant to the protection of Personal Data, and Customer and RELAYTO LIMITED shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. Customer shall promptly notify RELAYTO LIMITED with information regarding any non-compliance discovered during the course of an audit. 8.3 Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in Standard Contractual Clauses shall be provided by Service Provider to Customer only upon Customer’s request. 8.4 Conflict. In the event of any conflict or inconsistency between the body of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail. Support may be reached at [email protected] 21 of 54
SCC STANDARD CONTRACTUAL CLAUSES (SCC) SECTION I Clause 1 Purpose and scope (a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data 1 Protection Regulation) for the transfer of personal data to a third country. (b) The Parties: (i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and (ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”) have agreed to these standard contractual clauses (hereinafter: “Clauses”). (c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B. (d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses. Clause 2 Effect and invariability of the Clauses (a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects. 22 of 54
(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679. Clause 3 Third-party beneficiaries (a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions: (i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7; (ii) Clause 8.1(b), 8.9(a), (c), (d) and (e); (iii) Clause 9(a), (c), (d) and (e); (iv) Clause 12(a), (d) and (f); (v) Clause 13; (vi) Clause 15.1(c), (d) and (e); (vii) Clause 16(e); (viii) Clause 18(a) and (b). (b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679. Clause 4 Interpretation (a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation. (b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679. (c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679. Clause 5 Hierarchy In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail. Clause 6 Description of the transfer(s) The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B. 23 of 54
Clause 7 Docking clause (a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A. (b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A. (c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party. SECTION II – Obligations Of The Parties Clause 8 Data protection safeguards The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organizational measures, to satisfy its obligations under these Clauses. 8.1 Instructions (a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract. (b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions. 8.2 Purpose limitation The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter. 8.3 Transparency On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. 24 of 54
On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679. 8.4 Accuracy If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data. 8.5 Duration of processing and erasure or return of data Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a). 8.6 Security of processing (a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organizational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organizational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security. 25 of 54
(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. (c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay. (d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer. 8.7 Sensitive data Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offenses (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B. 8.8 Onward transfers The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party 2 located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if: 26 of 54
(i) the onward transfer is to a country benefiting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer; (ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question; (iii) the onward transfer is necessary for the establishment, exercise or defense of legal claims in the context of specific administrative, regulatory or judicial proceedings; or (iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person. Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation. 8.9 Documentation and compliance (a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses. (b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter. (c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer. 2 The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union's internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses. (d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice. 27 of 54
(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request. Clause 9 Use of sub-processors (a) The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 10 calendar days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object. The list of sub-processors already communicated by the data exporter can be found in Annex III. The Parties shall keep Annex III up to date. Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects.3 The Parties agree that, by complying with this Clause, the data importer fulfills its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses. The data importer shall provide, at the data exporter’s request, a copy of such a sub- processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy. The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfill its obligations under that contract. The data importer shall agree a third-party beneficiary clause with the sub-processor whereby - in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent - the data exporter shall have the right to terminate the sub- processor contract and to instruct the sub-processor to erase or return the personal data. 28 of 54
Clause 10 Data subject rights (a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorized to do so by the data exporter. (b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organizational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required. (c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter. Clause 11 Redress (a) The data importer agrees that data subjects may also lodge a complaint with an 4 independent dispute resolution body at no cost to the data subject. It shall inform the data subjects, in the manner set out in paragraph (a), of such a redress mechanism and that they are not required to use it, or follow a particular sequence in seeking redress. (b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them. (c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to: (i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13; (ii) refer the dispute to the competent courts within the meaning of Clause 18. (d) The Parties accept that the data subject may be represented by a not-for-profit body, organization or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679. 29 of 54
(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law. 4 The data importer may offer independent dispute resolution through an arbitration body only if it is established in a country that has ratified the New York Convention on Enforcement of Arbitration Awards. (f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws. Clause 12 Liability (a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses. (b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses. (c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non- material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable. (d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage. (e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties. 30 of 54
(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage. (g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability. Clause 13 Supervision (a) The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority. (b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken. SECTION III – Local Laws And Obligations In Case Of Access By Public Authorities Clause 14 Local laws and practices affecting compliance with the Clauses (a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses. (b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements: 31 of 54
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred; (ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorizing access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable 5 limitations and safeguards ; (iii) any relevant contractual, technical or organizational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination. 5 As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies. (c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses. (d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request. 32 of 54
(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). (f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfill its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organizational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply. Clause 15 Obligations of the data importer in case of access by public authorities 15.1 Notification (a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it: (i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or (ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer. (b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. 33 of 54
The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter. (c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc). (d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request. (e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses. 15.2 Review of legality and data minimisation (a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e). (b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. (c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request. 34 of 54
SECTION IV – Final Provisions Clause 16 Non-compliance with the Clauses and termination (a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason. (b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f). (c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where: (i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension; (ii) the data importer is in substantial or persistent breach of these Clauses; or (iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses. In these cases, it shall inform the competent supervisory authority of such non- compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. (d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law. (e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; 35 of 54
or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679. Clause 17 Governing law These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of France. Clause 18 Choice of forum and jurisdiction (a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State. (f) The Parties agree that those shall be the courts of France. (g) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence. (h) The Parties agree to submit themselves to the jurisdiction of such courts. Appendix APPENDIX A EXPLANATORY NOTE: It must be possible to clearly distinguish the information applicable to each transfer or category of transfers and, in this regard, to determine the respective role(s) of the Parties as data exporter(s) and/or data importer(s). This does not necessarily require completing and signing separate appendices for each transfer/category of transfers and/or contractual relationship, where this transparency can be achieved through one appendix. However, where necessary to ensure sufficient clarity, separate appendices should be used. 36 of 54
ANNEX I 1. List Of Parties Data exporter(s): (if applicable) Name: Address: Contact person’s name, position and contact details: Role (controller/processor): Controller Data importer(s): Name: RELAYTO LIMITED Registered Address: One Commerce Center, 1201 Orange St. #600, New Castle County, Delaware, 19899, United States Contact person’s name, position and contact details: Alex Shevelenko [email protected] Role (controller/processor): Processor 2. Description Of Transfer Categories of data subjects whose personal data is transferred: Employees and collaborators of the Controller Categories of personal data transferred: e-mail and name and/or surname No sensitive data transferred. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: 12 months 3. Competent Supervisory Authority ANNEX II Technical And Organizational Measures Including Technical And Organizational Measures To Ensure The Security Of The Data EXPLANATORY NOTE: The technical and organizational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers. 37 of 54
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. ANNEX III List Of Sub-Processors Security Measures SECURITY MEASURES GRANTED BY RELAYTO About RELAYTO takes security and safety seriously, protecting the confidentiality, integrity, and availability of customer data. We recognize security as a crucial aspect of our system. At RELAYTO, the latest technologies and security best practices are used to provide a secure service. This FAQ highlights various elements and answers certain security-related questions about RELAYTO. Is 2-factor authentication used by your administrative personnel for maintenance and control of your routers and firewalls? Yes 38 of 54
Are all devices that store or process a third-party company's sensitive information protected from the Internet by a firewall? Yes. Who administers the firewalls and routers? Our CTO is responsible for network & virtual network security. Describe how Customer user authentication and authorization processes for credential adds, changes, and deletes would be managed. All are self-serviced by customer end-users or customer’s admin within the relayto.com platform. Do you support SAML version 2.0X for Single Sign-on authentication with your customers? Yes Is there a documented policy in place for hardening the operating system for web and other servers? Yes Are periodic security scans performed to determine if system vulnerabilities exist (i.e. ISS)? Yes, quarterly. Would Customer data be segregated, so that one customer cannot access another customer’s data? Yes, each customer operates within its own assigned domain. No data is shared between domains. Is there any case in which Customer data might be stored on or copied to a customer PC or Laptop? Yes. When RELAYTO creative support services are used, customer content can be edited/designed on personal machines. This is allowed only for non-sensitive content. Personal machines are required to have a firewall, anti-virus and the latest OS per policy. Are audit trails maintained within your company records of Customer activity? Yes. Web analytics for the customer’s content is stored, including IP addresses with device information. This is stored for the duration of the agreement. Will copies of audit logs be made available to Customer on request? Yes 39 of 54
Are Intrusion Detection or Prevention tools used at your network, on servers, and/or workstations? Yes, our company utilizes Cloudflare's suite of products which includes advanced Intrusion Detection and Prevention tools. These tools are integrated across our network, servers, and workstations to ensure robust security against unauthorized access and potential cyber threats. Does your company have a computer incident or emergency response team with a formal process to respond to cyberattacks? Yes, our company has a dedicated Computer Incident or Emergency Response process in place to respond to cyberattacks. In the event of a cyber incident, the RELAYTO Infrastructure/Security Team is responsible for implementing our response plan, which includes the following key components: Immediate Identification and Assessment, Containment and Mitigation, Notification Protocol, Investigation and Analysis, Recovery and Restoration, Post-Incident Review and Improvement How many of your personnel have either onsite or remote access to Customer data? Depends on the support package. On average up to 10 people. Are background checks performed on all of your personnel who have access to Customer data? Yes Are all such personnel required to sign written confidentiality agreements that prohibit disclosure and use of Customers’ data and other confidential information? Yes Does RELAYTO utilize Open Source software in its operation? Yes. The RELAYTO platform utilizes some of the open-source frameworks and libraries, e.g. Angular, Symfony. File the request for the full list separately over email. 40 of 54
What is RELAYTO’s architecture? How do you mitigate security vulnerabilities? Systems are managed such that security vulnerabilities can be mitigated via centrally managed patch repositories and configuration compliance mechanisms. Routine vulnerability scans and internal/external penetration tests are performed to expose any lapses in preventative application access controls. Security patches are prioritized and applied within 24 hours when possible. We allow our enterprise customers to engage third parties to conduct pen tests on their dedicated RELAYTO environment. How does your patching test and deployment work? Patches (e.g. hotfixes) go through a very similar process as the rest of our product releases. The fixes are reviewed by another developer and functionally tested by QA. Depending upon the fix, we will then test the fix on our stage environment. If that all passes, then we deploy to production. 41 of 54
Can RELAYTO be affected by DDOS attacks? RELAYTO has partnered with Cloudflare, the leader in Web Performance and Security on the Web in order to protect ourselves from DDOS attacks. We benefit from the Cloudflare network and experience of mitigating DDOS attacks. Technical excerpt from Cloudflare website: Cloudflare’s advanced DDoS protection, provisioned as a service at the network edge, matches the sophistication and scale of such threats, and can be used to mitigate DDoS attacks of all forms and sizes including those that target the UDP and ICMP protocols, as well as SYN/ACK, DNS amplification and Layer 7 attacks. Cloudflare is one of the largest DDoS protection networks in the world. It offers flat-rate DDoS protection based on Anycast technology and has successfully mitigated attacks bigger than 400Gbps. Can I use RELAYTO on premise? RELAYTO does not offer an on premise solution at this moment. If you are interested exploring enterprise hosting options, please contact [email protected] Do RELAYTO employees access customer data? RELAYTO does not access customer data or customer environments as part of day-to-day operations. When customers request support, authorized RELAYTO employees are able to view customer data and will only do so when specifically requested or when required such as making recommendations to improve document experience, give design suggestions, and so forth. All RELAYTO employees are trained and understand that customer data privacy and confidentiality is paramount, and under no circumstances is customer data ever disclosed to a third-party. Only a limited subset of RELAYTO employees have the ability to view customer environments where that stored data is accessible. Access is routinely evaluated to ensure those rights are retained only when necessary by job function. All system access is logged such that any unauthorized access can be tracked and individual user actions audited. Where is my data stored? Your data is stored at the Amazon Web Services (AWS) data centers in Dublin, Ireland. All published document content, media, and other assets are served from AWS S3 with AWS Cloudfront in front as a CDN. 42 of 54
Do you have a business continuity plan? RELAYTO has a business continuity plan to address how to resume or continue providing services to users—as well as how to function as a company—if business-critical processes and activities are disrupted. We conduct a cyclic process consisting of the following phases: ● Business impact and risk assessments. We conduct a business impact assessment (BIA) at least annually to identify processes critical to RELAYTO, assess the potential impact of disruptions, set prioritized timeframes for recovery, and identify our critical dependencies and suppliers. We also conduct a company-wide risk assessment at least annually. The risk assessment helps us systematically identify, analyze, and evaluate the risk of disruptive incidents to RELAYTO. Together, the risk assessment and BIA inform continuity priorities, and mitigation and recovery strategies for business continuity plans (BCPs). ● Business continuity plans. Teams identified by the BIA as critical to RELAYTO’s continuity use this information to develop BCPs for their critical processes. These plans help the teams know who is responsible for resuming processes if there’s an emergency, who in another RELAYTO office or location can take over their processes during a disruption, and which methods for communications should be used during a continuity event. These plans also help prepare us for a disruptive incident by centralizing our recovery plans and other important information, such as when and how the plan should be used, contact and meeting information, important apps, and recovery strategies. RELAYTO’s continuity plans are tied into our company-wide crisis management plan, which establishes RELAYTO’s crisis management and incident response teams. ● Plan testing/exercising. RELAYTO tests selected elements of its business continuity plans at least annually. These tests are consistent with the scope and objectives, are based on appropriate scenarios, and are well-designed with clearly defined aims. The tests may range in scope from tabletop exercises to full-scale simulations of real-life incidents. Based on the results of the testing, as well as experience from actual incidents, teams update and improve their plans to address issues and strengthen their response capabilities. ● Review and approval of the business continuity plan. At least annually, our executive staff reviews the business continuity plan and communicates changes to the rest of the team. Do you have a disaster recovery plan? To address information security requirements during a major crisis or disaster impacting RELAYTO operations, we maintain a disaster recovery plan. The RELAYTO Infrastructure/Security Team, which is composed of three specialized members from our development team, reviews this plan annually and tests selected elements at least annually. 43 of 54
Relevant findings are documented and tracked until resolution. Our Disaster Recovery Plan (DRP) addresses both durability and availability disasters, which are defined as follows. A durability disaster consists of one or more of the following: ● A complete or permanent loss of a primary data center that stores metadata, or of multiple data centers that store file content ● Lost ability to communicate or serve data from a data center that stores metadata, or from multiple data centers that store file content An availability disaster consists of one or more of the following: ● An outage greater than 10 calendar days ● Lost ability to communicate or serve data from a storage service/data center that stores metadata, or from multiple storage services/data centers that store file content We define a Recovery Time Objective (RTO), which is the duration of time and a service level in which business process or service must be restored after a disaster, and a Recovery Point Objective (RPO), which is the maximum tolerable period in which data might be lost from a service disruption. We also measure the Recovery Time Actual (RTA) during Disaster Recovery testing, performed at least annually. RELAYTO incident response, business continuity, and disaster recovery plans are subject to being tested at planned intervals and upon significant organizational or environmental changes. In the event of a disaster, the estimated time for resumption of the Customer’s services for RTO is 12 hours and RPO is 30 minutes with a guaranteed maximum time for resumption of 12 hours. Disaster recovery backups are encrypted using the AES-256 protocol. Can we restrict individual user access to specific documents? Yes. Private documents require the user to be authenticated & authorized before accessing a document. Author/publisher have access control settings to give access only to certain user accounts. Are the Personally Identifiable Information and other data encrypted at rest? Yes, Encryption-at-rest is automated using AWS's transparent disk encryption, which uses industry-standard AES-256 encryption to secure all volume (disk) data. All keys are fully managed by AWS. 44 of 54
Is the connection to RELAYTO encrypted? Everyone with a RELAYTO account has encryption on all RELAYTO connections. RELAYTO defaults and redirects all traffic to the secure HTTPS protocol. The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_ECDSA with P-256), and a strong cipher (AES_128_GCM). SSL is an acronym for “Secure Socket Layer”, a security protocol that provides communications privacy over the Internet. The protocol allows RELAYTO to securely communicate in a way that is designed to prevent eavesdropping, tampering, or communications forgery. It is the same technology used by banks and e-commerce companies such as Amazon.com to keep your information safe and secure during transactions. In RELAYTO's case, SSL keeps your communications absolutely secure (RELAYTO's normal password protection keeps your information private, but SSL keeps it private and secure). Yes, our company maintains a strict standard for encrypted communications, including email communications, with both our customers and third-party entities. We adhere to industry best practices to ensure that all sensitive information transmitted electronically is securely encrypted. Our standard protocol includes: TLS (Transport Layer Security): For email communications, we use TLS to encrypt the connection with email recipients. This ensures that the content of the emails is secure and protected from interception during transit. Is RELAYTO protected against injections attacks, cross site scripting, etc.? RELAYTO combines innovation in incorporating web widgets/embeds and other elements into the documents AND ensuring this richer document experience - attains enterprise-grade security. RELAYTO’s Infrastructure/Security Team reviews security implications and ways to mitigate them. We undergo rigorous security audits before introducing a new innovative feature. Here is how RELAYTO protects your documents while delivering an interactive web experience. RELAYTO has partnered with Cloudflare, the leader in Web Performance and Security on the Web in order to benefit from Cloud Web Application Firewall(WAF). Cloudflare’s WAF protects RELAYTO from the OWASP top 10 vulnerabilities by default. These OWASP rules are supplemented by 148 built-in WAF rules. - Injection - Broken authentication and session management - Cross-site scripting (XSS) - Insecure direct object references - Security misconfiguration - Sensitive data exposure - Missing function-level access control - Cross-Site Request Forgery (CSRF) - Using components with known vulnerabilities - Unvalidated redirects and forwards 45 of 54
Brief overview: Cloudflare sees roughly 2.9 million requests every second, and our WAF is continually identifying and blocking new potential threats. When a Cloudflare customer requests a new custom WAF rule, Cloudflare analyzes whether it applies to all 4,000,000 domains on the network. If it does, we automatically apply that rule to everybody on our network. The more web properties on the network, the stronger the WAF gets, and the safer the Cloudflare community becomes. On top of Cloudflare's WAF protection RELAYTO sanitizes all the input to have an additional layer against the injection attacks. On Web widget/ embed security, RELAYTO works with Embedly and together we keep the whitelist of web-services that can be used in RELAYTO. All the Web widgets/embeds are securely iframed to avoid interference with your content. RELAYTO also allows to additionally enhance the iframe security settings by modifying the iframe permissions. How is your physical infrastructure protected? RELAYTO utilizes Amazon Web Service (AWS) data centers. Amazon data centers have been accredited under several certificates (including ISO 27001). AWS stands for a high level of physical security to safeguard their data centers. Among other things they employ two-factor authentication for all their authorized staff members, military grade perimeter controls and security staff at all ingress points. As for environmental protection AWS has sophisticated fire detection and suppression equipment, fully redundant power infrastructure with integrated UPS units and high end climate control system to guarantee an optimal working environment for the hardware. AWS data centers are situated in nondescript locations and are closely monitored 24/7 by professional security staff, video surveillance, and intrusion detection systems. Limited Physical Access: Physical access to AWS data centers is strictly controlled with two-factor authentication and a minimum privilege principle. Regular Audits: AWS conducts regular audits to ensure the continued effectiveness of physical security measures. Compliance Standards: AWS data centers comply with various industry standards such as ISO 27001, SOC 1, SOC 2, and SOC 3, ensuring a high level of physical security and data protection. 46 of 54
Strict Personnel Vetting: AWS implements a rigorous personnel screening process to ensure only trustworthy individuals have access. Role-Based Access Control: Access to physical locations is limited based on roles, ensuring only necessary personnel can access sensitive areas. Visitor Control: All visitors are logged and escorted at all times within AWS facilities. Continuous Monitoring: Ongoing surveillance and security audits are conducted to maintain the integrity of access controls. To mitigate risk of heat, fire, water Climate Control Systems: AWS employs advanced climate control systems to maintain optimal temperatures and humidity levels. Fire Detection and Suppression: AWS data centers are equipped with state-of-the-art fire detection and suppression systems. Water Damage Prevention: Facilities are designed to prevent water damage, with sensors and barriers in place to detect and mitigate any potential water hazards. Risk of hurricane, tornado, earthquake Strategic Location Selection: AWS data centers are strategically located in areas with a reduced risk of natural disasters. Structural Integrity: The buildings are designed to withstand various natural disaster scenarios, including hurricanes, tornadoes, and earthquakes. Disaster Recovery Protocols: AWS has comprehensive disaster recovery plans, including data backup and redundant systems, to ensure quick recovery and minimal service interruption in the event of a natural disaster. Our physical infrastructure for data storage and maintenance is hosted entirely on AWS, which involves a network of highly secure data centers across various locations. Due to the stringent security and privacy controls that AWS implements, direct physical access to these data centers by customers, including inspections or audits, is not typically permitted. This policy is in place to protect the integrity and security of the infrastructure, which hosts data for numerous customers globally. If the data you will be managing, storing, maintaining, or using on behalf of the Customer includes personally identifiable details, what provisions do you have in place to: ● Ensure compliance with European data privacy provisions (GDPR), as needed. ● Ensure compliance with data privacy provisions in other countries or regions. ● Ensure compliance with United States data breach laws (as needed, in those states where notification is required). ● Ensure that measures, as appropriate, are in place for the ongoing protection of personally identifiable data and that a program is in place to notify the company in the event of any variance from these measures. 47 of 54
Yes, we have comprehensive provisions in place to ensure compliance with various data privacy laws and regulations, including the GDPR in Europe, data privacy provisions in other countries or regions, and United States data breach laws. Additionally, we maintain ongoing protection of personally identifiable data and have a robust notification program for any variances from our security measures. We have DPAs in place with all our data processors, ensuring GDPR compliance. We collect only the data necessary for the intended purpose and ensure it's processed in alignment with GDPR principles. We have procedures to promptly respond to data subject requests, such as access, rectification, and erasure requests. Conducted for high-risk data processing activities to identify and mitigate risks. We adhere to the data protection laws of each country or region where we operate or process data, including but not limited to CCPA in California, PIPEDA in Canada, and others. We regularly consult with legal experts to stay updated on evolving data privacy regulations globally. We comply with data breach laws of all U.S. states where our customers are located, including breach notification requirements. We have a well-defined incident response plan for timely notification and remediation in case of data breaches. See our Data Processing Agreement, above. Does RELAYTO utilize any Artificial Intelligence utilities such as ChatGPT or any similar utility? We have AI content chat, which allows you to ask questions about user content on RELAYTO. The content data is stored on our side. The response goes through the OpenAi model to generate human-readable output. We & OpenAi do not use your content to train our models. Cookie Policy RELAYTO/ Cookie Policy Cookies Policy (see more on Cookies in our Privacy Policy) RELAYTO uses cookies on its website (relayto.com) and applications (collectively, the "RELAYTO Services"). You can find out more about cookies and how to control them in the information below. 48 of 54
By using the RELAYTO Services, you accept the use of cookies in accordance with this Cookie Notice. In particular, you accept the use of the targeting cookies for the purposes described below. If you do not accept the use of these cookies, then please disable them following the instructions in this Cookie Notice, specifically as described in “Cookie Choices and How to Opt Out” section. If you have any questions, please consult our Privacy Notice or contact us at [email protected] What is a Cookie? Why Do We Use Cookies? Cookies are small pieces of data that are downloaded to your device when you visit a website. RELAYTO uses cookies for a variety of purposes. They were originally designed to reliably record functional activity such as what items a user put in their shopping cart. Today, cookies are used because they allow a website to recognize a user’s device. When you use or access our RELAYTO Services, we and the service providers who are working on our behalf collect information by occasionally saving cookies to your device. More information about cookies can be found at https://www.aboutcookies.org/ and at http://www.aboutads.info/ consumers What Cookies Do We Use? Cookies served through RELAYTO Services are either created by RELAYTO (“First-Party Cookies”) or are created by an independent technology provider (“Third-Party Cookies”). RELAYTO uses a variety of First-Party Cookies to power and improve RELAYTO Services. We use some First-Party Cookies to enable the core features you use in the RELAYTO Services (“Strictly-Necessary Cookies”). These Strictly-Necessary Cookies are served by RELAYTO and will not be used for targeting or advertising purposes. You cannot opt-out of these cookies. Here is an overview of how cookies are utilized: Enhancing User Experience: Cookies are used to remember user preferences and settings, enabling a more personalized and efficient experience on the Relayto platform. Session Management: They help in managing user sessions, ensuring users remain logged in as they navigate through different parts of the platform. Analytics and Performance Tracking: Cookies play a vital role in collecting data for analytics. This includes tracking user interactions, feature usage, and identifying popular areas of the platform. This data is crucial for understanding user behavior and improving the platform. The chart below describes the First-Party Cookies and Third-Party Cookies served through the RELAYTO Services, including the vendor who serves them, their purpose, and how you can manage them. 49 of 54
List of cookies used in RELAYTO Cookie Who Serves Cookie Information and Management Type the Cookie? Functional Functional cookies are used to remember user preferences, settings, and other information that helps RELAYTO improve user experience. Opting-out of these cookies might impair your access to the RELAYTO Service. RELAYTO RELAYTO uses cookies to remember preferences and settings, authenticate users, manage sessions, maintain security, and determine if cookies are enabled. Users cannot opt out of RELAYTO functional cookies or they will be unable to access or use the RELAYTO Services. Cloudflare Cloudflare helps us conduct application performance monitoring. More Information about Cloudflare cookies can be found here. Intercom Intercom helps us to provide customer support. More information about Intercom cookies can be found here. Analytics Analytics cookies, sometimes referred to as “performance cookies”, collect information about how people interact with RELAYTO Services. RELAYTO uses this information to measure site performance and improve the RELAYTO Services. RELAYTO RELAYTO uses cookies to track usage, activity, and performance. New Relic New Relic helps us conduct application performance monitoring. More information about New Relic cookies can be found here 50 of 54
HubSpot HubSpot helps us track usage and performance. More information about HubSpot cookies can be found here Google Google Analytics helps us track usage and performance of Analytics RELAYTO Service. More information about Google cookies, including how they are used and how you can opt out, can be found here You can directly opt out of Google Ad personalization at the following link. Segment Segment helps us track usage and performance of RELAYTO Service. More information about Segment cookies can be found here Mixpanel Mixpanel helps us track usage and performance of RELAYTO Service. More information about Mixpanel cookies can be found here Targeting Targeting cookies, sometimes called “advertising cookies”, are used to provide users and website visitors with more relevant content based on their browsing history and interests. NONE RELAYTO does not use targeting cookies in the RELAYTO web application. Cookie Choices and How to Opt Out Most web browsers accept cookies by default. You can usually set your preferences to remove cookies, reject cookies, or prompt you before accepting a cookie. Disabling a cookie or category of cookie does not delete the cookie from your device, you will need to do this yourself from within your browser. Browser specific information may be found at the following links: 51 of 54
● Mozilla Firefox Cookie opt-out ● Safari Cookie desktop browser opt-out ; iOS ● Chrome Cookie desktop browser opt-out ; Android ; iOS ● Internet Explorer Cookie opt-out ● Microsoft Edge Cookie opt-out Some mobile devices allow you to manage what cookies are served. See the following for instructions for several common operating systems: ● iOS (interest based advertising) – In the device Settings, select Privacy and then toggle on Limit Ad Tracking ● Android (interest based advertising) – Open Google Settings, click on Ads, and then toggle on Opt out of Ads Personalization Do Not Track (DNT) RELAYTO complies with the “Do Not Track” (“DNT”) standard recommended by the World Wide Web Consortium. For logged-out users browsing with DNT enabled, RELAYTO’s analytics will not receive data about you, but we will do some first-party tracking in order to customize content and provide data to third-party service providers that enable RELAYTO Services to work. When you use RELAYTO while logged-in to your account, we cannot comply with DNT. DMCA Policy RELAYTO (“RELAYTO/”) respects the intellectual property rights of others and expects its users to do the same. In accordance with the Digital Millennium Copyright Act of 1998, the text of which may be found on the U.S. Copyright Office website at http://www.copyright.gov/legislation/dmca.pdf, RELAYTO will respond expeditiously to claims of copyright infringement committed using the RELAYTO service and/or the RELAYTO website (the “Site”) if such claims are reported to RELAYTO’s Designated Copyright Agent identified in the sample notice below. If you are a copyright owner, authorized to act on behalf of one, or authorized to act under any exclusive right under copyright, please report alleged copyright infringements taking place on or through the Site by completing the following DMCA Notice of Alleged Infringement and delivering it to RELAYTO’s Designated Copyright Agent. Upon receipt of Notice as described below, RELAYTO will take whatever action, in its sole discretion, it deems appropriate, including removal of the challenged content from the Site.4 52 of 54
DMCA Notice of Alleged Infringement (“Notice”) 1. Identify the copyrighted work that you claim has been infringed, or - if multiple copyrighted works are covered by this Notice - you may provide a representative list of the copyrighted works that you claim have been infringed. 2. Identify the material or link you claim is infringing (or the subject of infringing activity) and to which access is to be disabled, including at a minimum, if applicable, the URL of the link shown on the Site or the exact location where such material may be found. 3. Provide your company affiliation (if applicable), mailing address, telephone number, and, if available, email address. 4. Include both of the following statements in the body of the Notice: ● “I hereby state that I have a good faith belief that the disputed use of the copyrighted material is not authorized by the copyright owner, its agent, or the law (e.g., as a fair use).” ● “I hereby state that the information in this Notice is accurate and, under penalty of perjury, that I am the owner, or authorized to act on behalf of, the owner, of the copyright or of an exclusive right under the copyright that is allegedly infringed.” 5. Provide your full legal name and your electronic or physical signature. Deliver this Notice, with all items completed, to RELAYTO’s Designated Copyright Agent: [email protected] 53 of 54
GLOSSARY ● SAML 1 ● ISS/Security Scans 1 ● Third Party Certs & Audits 1, 2 ● Cloudflare 1 ● Open Source 1 ● DDOS 1 ● AWS 1, 2 ● CDN 1 ● Cloudfront 1 ● Business Continuity Plan 1 ● Disaster Recovery Plan 1 ● TLS/SSL 1 ● Encryption Protocol 1 ● Key Exchange/Cipher 1 ● Cloud Web Application Firewall (WAF) 1 ● OWASP 1 ● SOC/ISO 1 ● CCPA, PIPEDA 1 ● R/ Infrastructure Security Team 1, 2 One Commerce Center 1201 Orange St. #600 NEW CASTLE COUNTY DELAWARE 19899 UNITED STATES 54 of 54