Terms of Service
Last updated: January 2024
These terms of service set out important information regarding your rights and obligations in connection with using our service. Please read these terms of service carefully before you start using the service, as they define Dexatel’s relationship with you as you interact with our services.
Introduction
These terms of service (“Terms of Service”) govern the access and use of the cloud-based communications solution (“Service”) provided by Dexatel OÜ, a company established under the laws of Estonia, with registry code 12829749 and address Pärnu mnt 139e/2, Tallinn 11317, Estonia (“Dexatel”), which is accessible through website www.dexatel.com (“Website”).
The term “Client” or “you” refers to a person who has (i) completed the registration process on the Website and, as a part of the process, has accepted these Terms of Service on the Website, or (ii) in any other binding manner has accepted these Terms of Service. If you are registering the Client’s Account (as defined in Section 2.2) on behalf of a legal entity, you are agreeing to these Terms of Service for that legal entity and representing and warranting to Dexatel that you have the authority to bind that legal entity to these Terms of Service. If you do not have such authority, you must not accept these Terms of Service and must not use the Service.
By accepting these Terms of Service or starting to use the Service, you confirm that you have read and understood these Terms of Service and you agree to be bound by these Terms of Service, the Data Processing Agreement (which is added as an annex to these Terms of Service), and any policies referenced herein, which all form a part of the Terms of Service. Acceptance of these Terms of Service shall form a legally binding agreement (“Agreement”) between the Client and Dexatel for using the Service.
Dexatel and the Client are hereinafter also referred to as the “Parties” and separately as a “Party”.
Should you have any questions or comments about the Website or the Terms of Service, please contact Dexatel at [email protected].
USE OF THE SERVICE
Dexatel grants the Client and its designated end-users (e.g. the Client’s employees) (“End User”) access through the Website to the Service, including any corresponding SDKs, APIs, documentation, or software made available in connection with the Service, as may be further described on the Website or agreed in a format reproducible in writing.
In order to be able to use the Service, the Client will need to pass account verification conducted by Dexatel, unless the Client’s account is created by Dexatel. If the Client passes the account verification, Dexatel will inform the Client via e-mail and make the Service available to the Client. Depending on the Service’s features and/or the Client’s onboarding process, the Client or Dexatel shall create a Client profile to be able to use the Service (“Client’s Account”) containing the Client’s identification information and other required information, through which the Client can manage, create and close sub-accounts for its End Users. The Client may assign different rights to each sub-account within the Service.
The Client and its End Users can use the Service by logging in to the Client’s Account or respective sub-accounts. The Client is fully responsible for managing and administering the usage of the sub-accounts related to the Client’s Account and fully responsible for the actions of its End Users and any other person who accesses the Service using the Client’s Account or sub-accounts.
The Client and the End Users are liable for maintaining the confidentiality of their username, password, and any other credentials necessary for accessing the Service. The Client shall immediately notify Dexatel if it suspects that the security of the Client’s Account or any sub-accounts has been compromised. Dexatel is not liable in case the Client’s or the End User’s data falls victim to any breach due to the activity or inactivity on behalf of the Client.
The Client shall ensure that it has the equipment, devices, and means (including a stable internet connection) to access the Service at the Client’s cost. Dexatel is not obliged to provide the Client with any hardware or software required to use the Service. The Client is entitled to issue inquiries to Dexatel to familiarise itself with the technical and other requirements necessary for the successful use of the Service.
With respect to the information (including all text, images, documents, personal data, and other content) that the Client or the End User acquires, possesses, enters, records, stores, modifies, discloses, makes available, transmits, uses, deletes or otherwise processes via the Service, the Client represents and warrants to Dexatel that the Client or, respectively, the relevant End User, has the right to acquire, possess and process the same. The Client shall be solely liable for the properties of the said information and the acquisition, possession, and processing of such information under, through, in relation to, or by means of the Client’s Account.
During the validity of these Terms of Service between the Client and Dexatel, the Client may request Dexatel to perform or develop additional services and features, which are not specified in these Terms of Service. Such services or features, compensation, and other specifics shall be mutually agreed upon by the Parties in a separate agreement in a form reproducible in writing or as an annex to these Terms of Service.
TRIAL ACCOUNT
If the Client registers for a free trial, it will need to pass account verification conducted by Dexatel. If the Client passes the account verification, Dexatel will inform the Client via e-mail and make the Service available to the Client on a trial basis free of charge for the purposes of the Client’s internal evaluation of the suitability of the Service (“Trial”). By gaining access to the Service, the Client agrees to be bound by these Terms of Service. Additional Trial terms of service may be provided during the Trial registration process. Any such additional terms are incorporated into these Terms of Service by reference and are legally binding.
The Trial term will be until the end of the free trial period for which the Client registered to use the Service. Each Party may terminate the Trial at any time without notice to the other Party. In case Dexatel terminates the Client’s use of the Trial and features made available in connection therewith, Dexatel will not bear any liability or further obligation of any kind whatsoever to the Client or any other party.
INTENDED AND PROHIBITED USE OF THE SERVICE
The Service is intended for using omnichannel text messaging solutions by making use of the Service’s features as described on the Website. Using the Service for any other purposes is not allowed.
The Client shall use the Service in compliance with applicable laws, including any applicable data protection legislation and the terms of these Terms of Service. The Client is solely responsible for all content and data posted and activity that occurs under the Client’s Account, including the End Users’ sub-accounts (collectively the “Account Content”).
To be eligible to use the Service, the Client shall meet the following criteria, and represent and warrant that the Client:
does not register the Client’s Account by “bots” or other automated methods;
is at least 18 years of age;
provides correct information (including full legal name, valid e-mail address, if applicable ID card or passport, and any other information requested) in order to complete the registration or payment process;
has the legal capacity and authorization to agree to these Terms of Service;
is not suspended from using the Service, or otherwise not prohibited from having a Client’s Account;
has only one Client’s Account at any given time;
is entitled to submit Account Content, which is not confidential and not in violation of any legislation, contractual restriction, or other third-party rights (including, but not limited to any intellectual property rights).
Without excluding or limiting any of the Client’s statutory obligations, the Client shall not, and will not allow any End User to:
use the Service or its content for any unlawful, obscene, or immoral purpose, including for stalking or harassing someone;
solicit others to perform or participate in any unlawful acts;
submit false or misleading information;
collect or track personal information of others without legal basis;
use harvested phone numbers/contact lists;
use third-party, purchased, or rented phone number/contact lists unless the Client or End User is able to provide proof that all of the individuals on the list have affirmatively opted-in to receiving messages of the type the Client or End User will be sending to them;
collect phone numbers/contacts from the web by scanning or other similar such means;
upload, post, host, or transmit unsolicited or unauthorized (including without the required opt-in and a clear opt-out mechanism) e-mails, SMSs (short message service), spam messages, or any other content, including Account Content (e.g. unsolicited and unauthorized advertising, promotion, junk mail, chain letters, pyramid, and other similar schemes or any other form of solicitation) which: (i) fails to comply with applicable privacy and electronic communications legislation and Dexatel’s Anti-Spam Policy available here: https://dexatel.com/anti-spam-policy/; or (ii) is unlawful, immoral, hateful, harmful, threatening, false, abusive, offensive, libelous, defamatory, slanderous, pornographic, indecent, obscene, insulting, disparaging, intimidating, discriminating, fraudulent, misleading, deceptive, violent or otherwise inappropriate for a broad general audience;
harass, abuse, insult, harm, defame, slander, disparage, intimidate, or discriminate based on gender, sexual orientation, religion, ethnicity, race, age, national origin, or disability;
infringe upon or violate Dexatel’s intellectual property rights or the intellectual property rights of others;
reproduce, duplicate, copy, sell, resell, exploit, modify, translate, create derivative works from, disassemble or decompile, reverse engineer or otherwise attempt to derive any portion of the Website or Service (including the source code, scripts);
remove, alter, hide or obscure any copyright notice, trademark, or other proprietary rights notice embedded in, appearing on or otherwise pertaining to the Service;
create or attempt to create any product, service, or website that is substantially similar to the Service or the Website or falsely imply that it is associated with the Service, Website, or any other service provided by Dexatel;
modify, adapt, hack or gain other unauthorised access to the Service;
upload or transmit any worms, viruses, trojans, logic bombs, or any malicious code or material (including content that will or may be used in any way that will affect the functionality or operation of the Service, the Website, other websites, or the internet);
use any device, software, or routine to interfere or attempt to interfere with the proper functioning, infrastructure, or security features, including imposing an unreasonable or disproportionately heavy load on the Service, the Website, other websites, or the internet;
use technology or other means to interfere with access to unauthorised content, including to phish, pharm, pretext, or use spiders, crawlers, or scrapers;
process personal data, including sending messages, without a valid legal basis or violating the policy of the company Viber, WhatsApp, or other such providers.
Dexatel has the right to screen the Account Content to prevent prohibited behavior according to the Agreement. Any content that conflicts with the provisions of the Agreement, including this Section, may be removed, disabled, and/or destroyed by Dexatel at its sole discretion without any warning or notice. Dexatel is not liable for any occurrences experienced by the Client due to the removal of content under this Section.
FEES AND PAYMENTS
Dexatel provides the Service for free for the Trial period. After the Trial period, the Client agrees to pay Dexatel fees for the Service requested by the Client, as described at https://dexatel.com/pricing/, on the Website, API, or agreed upon in a format reproducible in writing. For the avoidance of doubt, SMS messages are charged on a “bill by submitted” and “fee per SMS” basis. Except for SMSs with a submission status “NOT ACCEPTED”, any SMS message regardless of submission status is due for a charge.
Should the Client wish to receive additional features and services as add-ons specified on the Website or agreed in a form reproducible in writing, the Client shall pay an additional fee for such add-ons as long as the add-ons are active.
All fees for the use of the Services are invoiced in the currency chosen by the Client in the registration process or the Client’s Account and are exclusive of VAT or any other taxes. VAT and other taxes shall be added to the fees in case required under applicable legislation. The Client is obliged to pay for all the VAT and other taxes to be added to the fees based on the invoices issued by Dexatel.
The Client shall indemnify and hold harmless Dexatel of all taxes (including interest and penalties) relating to all receivable amounts from the Client that were required to have been withheld or deducted by the Client under applicable laws. The amount payable shall be increased as may be necessary so that, after making all required deductions or withholdings, Dexatel receives and retains an amount equal to the amount that it would have received had no such deduction or withholding been required.
All fees are exclusive of any applicable communications service or telecommunication provider (e.g. carrier) fees or surcharges. The Client shall pay all such communications surcharges associated with the Client’s use of the Services. Communications surcharges will be shown as a separate line item on an invoice. The Client will pay all costs, fines, or penalties that are imposed on Dexatel by a government or regulatory body or a telecommunications provider as a result of the Client’s or End Users’ use of the Services.
The Client can select to pay the fees in advance by credit card (e.g. by adding funds to the Client’s Account) or receive invoices. Each invoice is issued by the third business day of each month to the e-mail set forth in the Client’s Account. Each invoice is due within seven (7) calendar days of issuing the invoice unless otherwise specified on the invoice or in a format reproducible in writing.
Dexatel reserves the right to change its prices at any time upon reasonable advance notice provided that any such changes shall be posted on the Website, in the Client’s Account, or sent to the Client via e-mail.
The Client must notify Dexatel in a form reproducible in writing within fifteen (15) calendar days from the date Dexatel billed the Client for any fees that the Client wishes to dispute. Where the Client is disputing any fees, it must act reasonably and in good faith and cooperate diligently with Dexatel to resolve the dispute. Dexatel will not charge the Client with a late penalty payment or suspend the provision of the Services for unpaid fees that are in dispute unless the Client fails to cooperate diligently with Dexatel or Dexatel determines the dispute is not reasonable or brought in good faith.
In case of delay in the performance of a monetary obligation arising from the Terms of Service, Dexatel shall have the right to demand from the Client a late penalty payment of zero point one percent (0.1%) from the unpaid amount for each calendar day of delay, starting from the moment of delay until full payment of the debt.
All payment obligations are not subject to cancellation and fees, taxes, and communication surcharges are non-refundable unless stipulated in the Terms of Service or a format reproducible in writing.
The Client’s Account balance expires in six (6) months as of the day the services agreed between Dexatel and the Client have not been used during six (6) months by the Client. For the sake of clarity, after the aforementioned period, the funds on the Client’s Account are non-refundable.
Dexatel reserves the right to suspend or terminate the Service for the Client according to Section 15. In such case, Dexatel does not provide any refunds.
SUPPORT AND MAINTENANCE
The Client acknowledges that Dexatel is not obliged to provide any support in connection with the Service, including End User support, training, or consulting. Unless agreed separately and if the Client requests such support, it will be provided as additional services in accordance with Section 2.7. Dexatel has the right, in good faith and at its sole discretion, to provide the Client with limited free support.
The Client shall notify Dexatel of technical faults related to the Service and Dexatel shall eliminate, within a reasonable time, faults deriving from the Service.
Dexatel has the right to carry out planned and extraordinary maintenance works necessary for the provision of the Service. Dexatel shall inform the Client of planned maintenance works as far in advance as reasonably possible. Dexatel has the right to perform extraordinary maintenance work relating to ensuring the reliability and security of the Service without prior notice. During any maintenance work, the usability of the Service may be limited. If feasible, Dexatel shall notify the Client of the extent of any usage restrictions. Suspension of the Service for the reasons set out in this Section does not relieve the Client from the obligation to pay any applicable fees.
INTELLECTUAL PROPERTY
The Client acknowledges that all trademarks and intellectual property rights in and to any materials, data, or information, including all software (in source code or object code) and documentation related thereto, which have been provided by Dexatel to the Client in connection with the performance of the Service are owned and shall continue to be owned by Dexatel and/or its licensors. Notwithstanding the foregoing, subject to these Terms of Service, Dexatel grants the Client a worldwide, non-exclusive, non-transferable, non-sublicensable, and revocable license to access and use the Service and the features requested by the Client. The Service may only be used internally by the Client (and if applicable, by its designated End Users) for its intended purposes as described in these Terms of Service, and during the term these Terms of Service remain in force between the Parties.
Neither the Client nor its End Users have the right to rent, lease, lend, sell, redistribute, sub-license, copy, reverse engineer, decompile, disassemble, translate, modify, distribute copies of, make available, adapt, or create derivative works based on the Service’s software or its related intellectual property unless otherwise permitted in writing by Dexatel.
The Client is obliged to ensure that the End Users comply with the restrictions and conditions set forth in these Terms of Service. The Client acknowledges that Dexatel has the right to apply separate end-user license agreements to the End Users at any time and such terms must be accepted by the End Users. The Client is obliged to assist Dexatel to the best of its ability in collecting the relevant acceptances. In the event of failure or disagreement with the aforementioned acceptance, Dexatel has the right to prohibit or restrict the End User’s access to the Service.
In case the Client orders from Dexatel any additional works which relate to localization (e.g. translation), personalization (e.g. with the Client’s logos and branding), or customization of the Service, the Client grants Dexatel free of charge worldwide, non-exclusive, transferable and sub-licensable (only to Dexatel’s contractors for the performance of the works) license to use any materials and input of the Client as necessary for performing the works and providing the Service for the duration the Terms of Service remain in force. The Client acknowledges that the intellectual property rights of any ordered works remain with Dexatel and Dexatel has every right to, among others, use, license, sell and distribute such works for its own benefit.
For all Account Content, including contents and data, that is inserted or made available via the Service, the Client grants Dexatel free of charge a transferable, sub-licensable, non-exclusive, irrevocable, worldwide right of use and exploitation and for the maximum term permitted under applicable legislation and which is unlimited in terms of content, to use the Account Content for any purpose, including but not limited to the purposes of:
providing the Service;
conducting research, developing new products and features;
conducting predictive analytics and insights;
improving and further developing the Service; and
in anonymized or anonymized and aggregated form, transferring and/or making available the Account Content to third parties, including for commercial use ("Right of Use and Exploitation").
The Right of Use and Exploitation covers, for the purposes provided in Section 7.5, the right to amend, edit and translate, as well as to store and reproduce the Account Content. By entering or making available Account Content via the Service, the Client guarantees that the Account Content is in accordance with these Terms of Service, does not violate the rights of third parties, and that the Client is entitled to grant these Rights of Use and Exploitation.
Dexatel continuously wishes to improve the Service, thus it welcomes suggestions or other communications. From the moment of creation of any suggestions and communications, the author and/or owner of the copyrights of such suggestions or communications assigns unconditionally and irrevocably all rights to any intellectual property objects to Dexatel. If the rights cannot belong to Dexatel under the legislation and the legislation prescribes them to the author (e.g. the author’s moral rights), the author and/or the licensee of such rights grants Dexatel a worldwide, exclusive, transferable, sublicensable license to use, exploit and exercise the intellectual property objects according to the needs and wishes of Dexatel. The license is valid for the maximum term permitted under applicable legislation. The author, the owner of the copyrights or licensee (according to relevance) acknowledges that the assignment and licensing of such rights to Dexatel is free of charge.
REFERENCES
The Client grants Dexatel free of charge a worldwide, non-exclusive, transferable, and sub-licensable (only to Dexatel’s contractors for the purposes stipulated herein) license to use the Client’s logo and the Client’s (and its End Users’) testimonials on the Website and in other marketing materials (including client e-mails, advertisements, brochures, etc.) for Dexatel’s marketing purposes. The license shall be valid until the expiry of the respective rights under applicable legislation. The Client ensures that it has every right to grant such license herein.
THIRD-PARTY CONTENT AND LINKS
Certain content and features available via the Service and the Website may include information sourced from third parties. Any such content, data, information, or publications made available through the Service and the Website are furnished by Dexatel on an “as is” and “as available” basis for the Client’s convenience and information and must be used for informational purposes only. Dexatel has no control over the content or information of third-party resources. Dexatel disclaims any warranty or representation, either express or implied, that such information is accurate or complete.
Third-party links on the Service and the Website may direct the Client to third-party websites that are not affiliated with Dexatel. Dexatel is not responsible for examining or evaluating the content or accuracy and Dexatel does not warrant and will not have any liability for any third-party materials or websites, or any other materials, products, or services of third parties. Dexatel is not liable for any harm or damages related to the purchase or use of goods, services, resources, content, or any other transactions made in connection with any third-party websites.
CONFIDENTIALITY
The Parties are obliged throughout the validity of the Agreement and after termination of the Agreement to maintain each other’s confidential information. “Confidential Information” shall mean all information and data, including, without limitation, all trade secrets, such as: business-related financial (including product/service information and pricing, forecasts, details of specific project), commercial (including information about the other Party’s analytics, suppliers, service providers, potential and existing customers, business partners and contractors, and related personal data) and technical information (including information on intellectual property objects, copyrights, IT-systems, source code and software and related information), related to a Party, which the Party has directly or indirectly, orally or in writing or in another form, before or after concluding the Agreement, disclosed to or received from the other Party in connection with performance of the Agreement and which is not publicly available and which the counterparty can reasonably be presumed to be interested in maintaining the confidentiality of. Among other things, Dexatel’s confidential information shall include the process of provision of Service (including any manuals, support materials, etc.).
The Parties undertake to ensure that:
they shall use Confidential Information solely in connection with performance of their obligations arising from the Agreement. Use of Confidential Information for any other purposes may take place only with the prior written consent of the other Party;
they shall keep Confidential Information confidential and not disclose it to third parties or to the public in any manner without the prior written consent of the other Party;
they shall adopt all reasonable precautionary measures to prevent the release of Confidential Information to a third party, or its public disclosure, as a consequence of their actions or inactions.
A Party may disclose Confidential Information to state and local government institutions if the duty to disclose such information derives from applicable legislation. Among other things, Dexatel has the right to disclose and forward the Account Content and the End User’s data to investigative and supervision authorities.
If a Party is obliged by applicable legislation to disclose Confidential Information, it shall, where possible, undertake, within a reasonable time prior to disclosure of such information, to notify the other Party in writing of the relevant obligation of public disclosure and of the extent of the information subject to disclosure, and shall undertake to disclose the relevant information always in the minimum required amount, and if possible, in a generalized form, bearing the marking “Confidential”.
For the purpose of the Agreement, “third party” does not include, nor does the prohibition on disclosure of Confidential Information apply to (a) employees of a Party and other persons related to performance of the Agreement, on condition that Confidential Information is disclosed to them only in an extent necessary for them to perform the Agreement and on condition that the Party ensures that the said persons maintain Confidential Information; and (b) Parties’ auditors, legal advisors and banks bound by the duty of confidentiality.
The Parties undertake to notify each other promptly if Confidential Information is communicated or may be communicated to a person lacking the right thereto. The provisions of this clause shall not in any manner limit the liability for breach of the Agreement.
DATA PROTECTION
Both Parties shall comply with any applicable data protection legislation or regulation in the processing, collection, use and disclosure of personal data. Each Party shall have the necessary legal basis (if necessary, consents) in order to provide the other Party any personal data necessary to perform its obligations hereunder.
During the term of the Terms of Service and thereafter in perpetuity, Dexatel will not process or otherwise undertake any act with respect to any personal data in any manner, including any actual or attempted processing thereof, except for the sole purpose of performing the Service and in compliance with: (i) the express terms and conditions of the Terms of Service and the Data Processing Agreement; and (ii) applicable legislation.
The Parties anticipate that for the provision of the Service, Dexatel shall act as a data processor and the Client shall act as a data controller as further specified in the Data Processing Agreement, which is incorporated as an annex to the Terms of Service.
DISCLAIMERS
The Client acknowledges that all services, features, tools and developments made available under this Agreement, including the Service, are made available on an “as is” and “as available” basis. Except as expressly set forth herein, and to the extent permitted by applicable legislation, Dexatel disclaims all warranties, express or implied, of merchantability, fitness for a particular purpose, durability, availability, timeliness, accuracy, reliability or completeness, or non-infringement.
Dexatel additionally disclaims all warranties related to telecommunications providers. The Client acknowledges that the internet and telecommunications providers’ networks are inherently insecure and that Dexatel will have no liability for any changes to, interception of, or loss of data while in transit via the internet or a telecommunications provider’s network.
Among other things, Dexatel makes no representations or warranties:
that the Service and the Website have been designed to meet the Client’s individual requirements, business or professional needs (unless otherwise agreed in a form reproducible in writing);
that the Service and the Website, or any part thereof, will be uninterrupted, error-free, secure, free of viruses or other harmful components or accessible from all devices and browsers;
that defects in the Service and the Website will be corrected;
that the results regarding the use of the Service and the Website are accurate or reliable;
that it will continue to support any particular feature or maintain backwards compatibility with any third-party software or device;
concerning any third-party websites and resources.
LIABILITY, LIMITATIONS, AND INDEMNIFICATION
Dexatel is not liable for any indirect, non-material, incidental, special, punitive, or consequential damages, or any loss of profits, revenue, opportunities, data, or data use, or legal expenses or any other fees incurred by the Client. Dexatel is only liable for a breach of the Terms of Service, if the breach is intentional or caused due to gross negligence or any other action that cannot be excluded or limited by an applicable legislation (e.g. in case of death or personal injury). In this case, the Client has the right to request the performance of the Terms of Service (unless requiring the performance is excluded by legislation). To the extent permitted by applicable legislation, Dexatel’s liability is limited to only direct material damages in the maximum amount of the fees due for the twelve (12) months’ period preceding the event giving rise to the claim.
In no case is Dexatel liable for damages caused by events not caused/occurred on the Service and not offered by Dexatel or third persons not acting on behalf of Dexatel, e.g. loss of data caused by hacking, DDoS attacks, damages caused under police and other authority searches or any other similar events, which may have a negative effect on the Client’s Account and/or the data. This includes situations where authorities lawfully confiscate servers or other equipment that may include the said data.
Dexatel is not liable for any default caused by a third party’s actions or inactions, including telecommunications providers or mobile network operators. Dexatel will use all commercially reasonable efforts to transmit messages to the applicable telecommunications provider or mobile network operator as quickly as possible; however, the final delivery of all messages to designated recipients is the responsibility of such provider or operator. Dexatel does not accept liability if final delivery does not succeed due to an action, omission or any other failure of the relevant telecommunications provider or mobile network operator.
Dexatel is not liable for any Account Content, including incomplete, inaccurate or inappropriate content, provided by Client or its End Users. Dexatel has no control over how the Client, or its End Users use the service, including the Account Content, as it does not moderate or screen Account Content or its source, except for screening to prevent prohibited behaviour as set out in Section 4 above.
Dexatel is not liable for any activities for which the Client uses the Service or any other circumstances deriving from the Client, e.g. the Client’s instructions, inserted information and managed End Users’ sub-accounts. Dexatel is not liable for any decisions made by the Client or its End Users based on the information inserted or displayed on the Service, including any forecasts or statistics. The Client is aware that any decisions made by it and its End Users in reliance on the Service or the said persons’ interpretations of the information are attributable to them and the Client has full responsibility in this regard. Dexatel is not liable for the Client’s use of any information obtained from the Service.
Dexatel is not liable for any delay or failure caused by (a) acts of god/natural disasters (including hurricanes and earthquakes); (b) disease, epidemic, or pandemic; (c) terrorist attack, civil war, civil commotion or riots, armed conflict, sanctions or embargoes; (d) nuclear, chemical, or biological contamination; (e) collapse of buildings, fire, explosion, or accident; (f) labor or trade strikes; (g) interruption, loss, or malfunction of a utility, transportation, or telecommunications service; (h) any order by a government or public authority, including a quarantine, travel restriction, or other prohibition; or (i) any other circumstance not within Dexatel’s reasonable control, whether or not foreseeable. In the event of a force majeure event, Dexatel shall be relieved from full performance of the contractual obligation until the event passes or no longer prevents performance.
The Client is liable for all damages caused to Dexatel by the Client, its employees, management board members, End Users, or contracting parties. The Client is, among others, liable for damaging the Service and the Service’s infrastructure and the property of third parties. The Client must inform Dexatel as soon as possible if damages occur and compensate the damages.
In the event of a breach of the obligations set out in this Agreement, Dexatel has the right to claim a contractual penalty from the Client in the maximum amount of doubled twelve (12) months’ fee paid preceding each breach within thirty (30) calendar days of receiving a respective request from Dexatel. If the damage exceeds the sum of contractual penalty, Dexatel has the right to demand compensation for damage in the sum exceeding the contractual penalty.
In the event of the Client processing personal data, including sending messages, without a valid legal basis or violating the policy of the company Viber, WhatsApp or other such providers, the Client shall pay Dexatel a contractual penalty in the amount of EUR 5,000.
The Client shall indemnify, defend, and hold harmless Dexatel, its employees, management, and agents and its related companies, at the Client’s expense, from and against all third-party actions, claims and proceedings brought against Dexatel including liability, loss, damages, cost and expense, including reasonable legal fees, resulting from or in connection with, including, but not limited to (i) the Client’s breach of any terms and conditions under the Agreement; (ii) the Account Content the Client submits to the Service; (iii) the exercise of the Rights of Use and Exploitation; (iv) any activity in which the Client engages on or through Dexatel. This remedy of Dexatel will be in addition to and not exclusive of other remedies provided by legislation.
CHANGES TO THE AGREEMENT
Dexatel has the unilateral right to amend the Agreement by notifying the Client of the changes by e-mail at least thirty (30) calendar days before the amendments enter into force. If the Client does not agree with the amendments to the Agreement, the Client may terminate the Agreement in line with Section 15.
Dexatel reserves the right to amend the Agreement with the following types of changes without providing the Client with a prior notice:
if the amendment to the Agreement is only advantageous for the Client;
if the amendment to the Agreement relates solely to new services, functionalities or service components, and does not result in any change to the existing contractual relationship with the Client;
if the amendment is necessary to harmonise the Agreement with the applicable statutory requirements, in particular in the event of a change in the applicable legal situation or if Dexatel is obliged to comply with a binding court judgement or decision by an authority, and if the change does not have any material detrimental effects on the Client.
If Dexatel uses the abovementioned right, Dexatel will concurrently revise the effective date of the Terms of Service above.
Different terms to this Agreement that are mutually agreed upon by the Parties shall be agreed in a separate agreement in a form reproducible in writing or as an annex to these Terms of Service.
TERM, SUSPENSION AND TERMINATION
This Agreement shall enter into force on the date (i) the Client accepted this Agreement on the Website and completed the registration process; (ii) the last approval was provided by a Party to a separate agreement agreed upon according to Section 14.4; or (iii) the Agreement was accepted by the Parties in any other binding manner. The Agreement is effective until terminated by either Party.
Dexatel may suspend or interrupt the operation of the Client’s Account and its End Users’ sub-accounts, at any time either entirely or partly, including, but not limited to:
if it is necessary for repairs or maintenance work according to Section 6.2 or other similar actions;
if the Client fails to pay the fees according to Section 5 after having been notified of the failure;
if the Client’s actions or omissions relating to the use of the Service interfere or prevent the normal operation of the Service or otherwise cause, or are likely to cause, harm, damage or other detrimental effects to the Service, Dexatel or other users of the Service;
if there are reasons to suspect that the Client’s credentials have been wrongfully disclosed to an unauthorized third party and the Service is being used under such credentials;
if the Client’s use of the Service is in breach of the Terms of Service and the Client has not remedied the breach without delay after having been notified thereof by Dexatel.
Suspension of the Client’s access to the Service does not relieve the Client from the obligation to pay fees. Dexatel is not liable for any occurrences experienced by the Client due to suspension of the access under this Section.
Either Party may terminate these Terms of Service at any time without cause by notifying the other Party thirty (30) calendar days in advance. Such notification to the Client must be sent to the address set forth in the Client’s Account and to Dexatel to the e-mail address [email protected].
Dexatel has the right to terminate the Terms of Service effective immediately by notifying the Client, if the Client has materially breached the Terms of Service. The Client has materially breached the Terms of Service in case of the following (but not limited to): (i) the Client conducts any prohibited act described in Section 4, (ii) the Client has not paid the fees according to the Section 5 despite the reminder of payment and the granting of an additional term of at least seven (7) calendar days, (iii) in the opinion of Dexatel, the actions or omissions of the Client or its End Users endanger the security, integrity, operation or usability of the Service or the Website. If Dexatel terminates the Client’s Account for breach of the Terms of Service, the Client may not re-register.
Either Party has the right to terminate the Terms of Service effective immediately by notifying the other Party if bankruptcy, insolvency, administration, or other similar proceedings are initiated regarding the other Party or it informs the Party or any third party of its permanent or temporary insolvency.
Termination of the Terms of Service causes automatic termination of the Data Processing Agreement, the Client’s Account and any sub-accounts granted to the End Users and the forfeiture and relinquishment of all Account Content contained on the application. The Account Content cannot be recovered once the Client’s Account and its sub-accounts are deleted. In case the Client has caused the extraordinary termination, Dexatel shall not be liable for any damages (including lost profit) occurred due to the actions described in the previous sentence.
Upon termination of the Terms of Service, all rights and obligations will immediately terminate, the licences granted to the Client under the Terms of Service shall cease, and the Client shall delete all documentation related to the Service. Dexatel shall return or delete all materials related to the provision of the Service to the Client pursuant to the Data Processing Agreement, unless stipulated otherwise in a form reproducible in writing. The prior obligation does not apply to anonymised personal data, usage statistics, technical parameters and analyses based on the Account Content, the Client’s other inputs and Confidential Information.
The obligations and liabilities of the Parties incurred prior to the suspension or termination shall survive the termination of the Terms of Service for all purposes (e.g. obligation to pay all fees incurred and owed).
GENERAL
No failure or delay by either Party in exercising any right or enforcing any provision under the Agreement will constitute a waiver of that right or provision, or any other provision.
In the event that any provision of these Terms of Service is determined to be unlawful, void or unenforceable, such provision shall nonetheless be enforceable to the fullest extent permitted by applicable legislation, and the unenforceable portion shall be deemed to be severed from these Terms of Service; such determination shall not affect the validity and enforceability of any other remaining provisions.
The titles of the sections in these Terms of Service are for reference purposes only and do not affect the interpretation of the underlying terms.
In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) Data Processing Agreement, (2) the terms set forth in the body of the Terms of Service, (3) the Anti-Spam Policy, (4) any other terms incorporated by reference herein or any other exhibits or attachments hereto.
These Terms of Service, Data Processing Agreement and any policies or operating rules posted by Dexatel on the Website or in respect to the Services constitute the entire agreement and understanding between the Client and Dexatel and govern the Client’s use of the Services, superseding any prior agreements, communications and proposals, whether oral or written, between Dexatel and the Client (including, but not limited to, any prior versions of the Terms of Service).
In case of conflict, the English language version of the Terms of Service prevails.
The Client shall have no right to transfer, including via a transfer of company, or assign the rights and obligations arising from the Agreement either partly or fully to a third party without a prior written consent of Dexatel.
Dexatel shall have the right to assign the Terms of Service and all of the rights and obligations contained therein to another company owned by Dexatel or Dexatel’s parent company or to a third party to which the Services-related business functions are transferred.
GOVERNING LAW AND DISPUTES
These Terms of Service shall be governed by and construed in accordance with the laws of the Republic of Estonia. Any dispute, controversy or claim arising out of or in connection with these Terms of Service, or the breach, termination or invalidity thereof shall be resolved through amicable negotiations, upon failure of which all disputes shall be settled in the Harju County Court in the Republic of Estonia.
NOTICES
All notices and other communication shall be deemed properly given if delivered in person; when receipt is electronically confirmed, if transmitted by e-mail; and upon receipt, if sent by certified or registered mail, return receipt requested. Notices to the Client must be sent to the e-mail or other address as set forth in the Client’s Account. Notices to Dexatel must be sent to the e-mail [email protected] or address Pärnu mnt 139e/2, Tallinn 11317, Estonia; Attn: Legal.
A Party must inform the other Party immediately of any changes in its contact person, address and e-mail by notifying the other Party in the manner set out herein.
Annex 1
Data Processing Agreement
Introduction
This data processing agreement (“DPA”) is an annex to and an integral part of the Terms of Service, which governs the personal data processing conducted by Dexatel OÜ as a processor (“Processor”) on behalf of the Client acting as a controller (“Controller”) within the scope of providing the Service under the Terms of Service together with its annexes and any policies referred to in the Terms of Service (if applicable) (altogether “Agreement”).
The Parties acknowledge that this DPA and personal data processing activities conducted under the Agreement are governed by the Regulation (EU) 2016/679 of the European Parliament and the Council (“GDPR”), and other relevant legislative acts, or supervisory authorities’ guidelines, governing the processing of personal data in the Republic of Estonia (all together with GDPR “Legislation”).
Every term, unless specifically defined herein, is used in the meaning given to it in the GDPR or the Agreement.
For matters not stipulated in this DPA, the Agreement applies. In the event of a conflict or ambiguity between the Agreement and this DPA, this DPA will prevail.
Processing of Personal Data
The Processor shall process personal data only in accordance with documented instructions of the Controller, including the instructions provided by the Controller in the Agreement, DPA, and annexes thereto unless required to do so by the Legislation to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the Legislation prohibits this on important grounds of public interest.
The Processor shall process personal data in accordance with the Agreement, DPA, and annexes thereto only for the specific purposes of the processing and the duration as specified in Annex 1 (Annex 1 – description of the processing).
Rights and Obligations of the Controller
Rights and obligations of the controller:
ensure that all instructions for the processing of the personal data under the Agreement or this DPA or as otherwise agreed or stipulated shall comply with the GDPR and the Legislation, and such instructions will not in any way cause the Processor to be in breach of the Legislation;
comply with the Legislation, including ensuring the accuracy, quality, and lawfulness of the personal data processed by the Processor and informing the data subjects of the processing operations carried out by the Processor;
notify the Processor prior to concluding the Agreement if the Controller requires the Processor to adopt specific procedures, regulations, security measures, or similar.
Rights and Obligations of the Processor
The Parties hereby agree that the Processor shall:
process the personal data on behalf of the Controller based on documented (e.g., received via e-mail or any other documented form) instructions given, received, and updated from time to time, from the Controller and in accordance with the Legislation;
notify the Controller without undue delay if, in the Processor’s opinion, instructions given by the Controller under Section 2.1 of this DPA infringe the GDPR or the Legislation;
ensure that all of its employees, subcontractors, members of the management board, or other persons to whom the Processor has provided access to the personal data are subject to confidentiality obligation or an appropriate statutory confidentiality obligation and are aware of their duties and obligations in relation to personal data processing;
engage sub-processors only in accordance with Section 6 of the DPA;
not transfer personal data outside the European Union or European Economic Area (“EU/EEA”), except in case such transfer is in accordance with Section 7 of the DPA;
take measures required pursuant to Article 32 of the GDPR and the Legislation, including implementing the appropriate technical and organisational measures, as specified in Annex 3 (Annex 3 – technical and organisational measures) to ensure a level of security appropriate to the risk related to the processing of the personal data and avoid alteration, loss or non-authorized processing thereof or access thereto. The Processor has the right to change and update from time to time and as seen necessary by the Processor any and all technical and organisational measures applied at the moment of concluding this DPA;
not communicate with data subjects nor perform the data subject’s request directly and independently. The Processor shall forward any requests received from the relevant data subjects for exercising any of their rights to the Controller as soon as reasonably possible after the receipt of such a request;
provide assistance to the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR;
support the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, to the extent that it is reasonable, appropriate, and not unduly burdensome while taking into consideration the nature of personal data processing and the information available to the Processor;
make available to the Controller all information necessary to prove the fulfillment of the obligations arising from the DPA and the Legislation, and contribute to audits performed in accordance with the “Auditing rights” section of this DPA;
notify the Controller in writing without undue delay, but no later than within 48 hours after becoming aware of a personal data breach concerning personal data processed by the Processor on the basis of the DPA. Such notification shall contain at least the description of the nature of the breach, categories, and the approximate number of data subjects and data records concerned (as required under Article 33 (3) of the GDPR). For clarity, a personal data breach as such shall not automatically mean the Processor’s infringement of this DPA, the Agreement, and the Legislation, provided that the necessary procedures as defined in this DPA, the Agreement, and the Legislation have been duly applied by the Processor;
delete or return personal data to the Controller according to Section 8 of the DPA.
The Processor is entitled to invoice the Controller for additional costs and remuneration, in addition to the fees provided under the Agreement, for fulfilling its obligations under Sections 4.1.8, 4.1.9, and 4.1.10 of the DPA in case the Processor assesses the costs for fulfilling its obligations to be excessive and unreasonable (e.g. due to the repetitive nature of the requests, the volume of data to be processed, the necessity to compile systematically structured data sets according to the instructions of the Controller which requires additional work). The Processor shall notify the Controller of such costs in advance and prior to issuing such invoices. The invoices shall be issued and paid by the Controller, adhering to the invoicing regulations agreed in the Agreement.
The Processor acknowledges that according to Article 28 (10) of the GDPR the Processor shall be considered a separate controller if it goes beyond the instructions of the DPA and the Agreement and thus itself determines the purposes and means of processing.
Auditing rights
Upon the Controller’s reasonable request, the Processor shall provide the Controller with all information necessary (which may be redacted to remove confidential commercial information not relevant to the requirements of this DPA) to demonstrate compliance with the obligations laid down in the DPA, within thirty (30) calendar days of receipt of such request.
Where, in the reasonable opinion of the Controller, such information is not sufficient to meet the obligations of Article 28 of the GDPR, the Controller may, upon sixty (60) calendar days prior written notice to the Processor and upon reasonable grounds, conduct an audit by an independent third-party auditor mandated by the Controller. Any costs for conducting the audit shall be borne by each Party themselves.
Any audit shall be solely limited to confirming the Processor’s compliance with its data protection obligations under this DPA, and shall exclude all information, data and content which relates to: (i) any other clients, agents, or partners of the Processor; (ii) any of the Processor’s internal accounting or financial information; (iii) any trade secrets; (iv) any data that is being accessed for any reason other than the good faith fulfilment of the Controller’s rights under this DPA.
The notification provided according to Section 5.2 shall contain a proposal for an auditing plan. If parts of the requested scope of the audit are covered by an audit report carried out by a qualified third-party auditor within the last twelve (12) months, the Processor is entitled to provide to the Controller such report instead of the proposed audit.
Any audit shall be performed during the Processor’s regular business hours and the performance of the audit must not interrupt the Processor’s business. Furthermore, in order to minimise operational disturbances the Processor can combine the audit with audits conducted on behalf of other clients or resellers.
Any audit must be carried out in a manner that does not disrupt, delay or interfere with the Processor’s performance of its business and in accordance with the Processor’s internal policies. The Controller shall ensure that all participants of the audit are subject to written confidentiality obligation at least to the same extent as provided in the Agreement. Unless prohibited by the Legislation, the Controller must provide a copy of the audit report to the Processor, and the Processor will be entitled to use the report in other client relationships, e.g. as stated in Section 5.4 above.
Use of sub-processors
The Processor is permitted to engage sub-processors for the provision of the Service under the Controller’s authorization (general written authorization pursuant to Article 28 (2) of the GDPR) provided hereby. The Controller acknowledges and agrees that the Processor has engaged the sub-processors identified in Annex 2 (Annex 2 – sub-processors).
Should the Processor wish to engage a new sub-processor or replace a current sub-processor with a new sub-processor, then the Processor is obliged to inform the Controller. Upon having reasonable grounds, the Controller may object, in a format reproducible in writing, to any such additions, changes, or replacement within thirty (30) days of the Processor informing the Controller. If the Controller does not object during such time period, the addition, change, or replacement shall be deemed accepted.
In case the Controller has exercised, pursuant to Section 6.2 above, its opportunity to object to the addition or replacement of the sub-processor and the Processor does not, under reasonable grounds, agree with such objections, both Parties have the right to terminate the Agreement, together with the DPA by notifying the other Party thirty (30) calendar days in advance. Until the termination of the Agreement, the Processor has the right to use the sub-processors to which the Controller has issued its objections, for the performance of the Agreement and the DPA. The termination of the Agreement and the DPA does not exclude the application of any legal remedies by both Parties under applicable legislation and under the Agreement.
In the event the Processor engages or replaces a current sub-processor, the Processor shall engage such sub-processor under a written agreement containing equivalent obligations as those set out in this DPA and remain fully liable to the Controller for the performance of each sub-processor’s obligations.
Data Transfers Outside the EU/EEA
The Controller allows the Processor to transfer the personal data outside of the EU/EEA, including engaging any sub-processors, if the Processor transfers personal data to countries in relation to which the European Commission has issued an adequacy decision or if the Processor uses other appropriate safeguards set out in Chapter V of the GDPR (e.g. standard contractual clauses adopted by the European Commission).
The Controller is entitled to request information from the Controller regarding the countries to which personal data is transferred and of the existence or absence of an adequacy decision by the European Commission, or reference to the appropriate safeguards.
In the event that any of the measures referred to in Section 7.1 above are no longer sufficient to satisfy the requirements of the Legislation applicable to the processing of personal data under the DPA to legalise the transfer of personal data outside the EU/EEA, the Processor shall use any reasonable efforts either to implement an alternative transfer mechanism which satisfies the requirements of the Legislation applicable to the processing of personal data under this DPA in order to legalise the transfer of personal data outside the EU/EEA or to cease such transfer.
Deletion or return of personal data
After the receipt of the Controller’s written request, the Processor shall delete or return all of the personal data processed for the provision of the Service according to the Agreement (and any existing copies thereof), unless storage of any personal data is required by the Legislation.
In the event that the Controller does not render a written request to either delete or return the personal data, the Processor shall delete permanently all of the relevant personal data within six (6) months of the end of the provision of the Service to the Controller unless otherwise agreed upon in writing. The foregoing cannot be considered an obligation of the Processor to retain the said personal data for a period of six (6) months and the Processor has the right to delete the said data earlier. The Controller takes note that after the period stipulated herein, the said personal data is permanently deleted. The prior obligation does not apply to anonymized personal data, usage statistics, technical parameters, and analyses.
The Controller acknowledges that the deletion of personal data after the termination of the Agreement and this DPA does not exclude the Processor’s right to retain the said data in its backup systems. The Processor shall ensure that applicable safeguards are in place, the personal data is put beyond use in the backup systems and the personal data is subsequently deleted as soon as possible, i.e. on the Processor’s next deletion/destruction cycle.
The Controller acknowledges that the Processor has the right to retain all of the instructions and other material which relates to the processing of personal data.
General
This DPA becomes effective upon entering into the Agreement by the Parties and is valid until the termination of the Agreement.
The termination of the DPA takes place according to the Agreement. Termination of the DPA causes automatic termination of the Agreement and vice versa. Termination of this DPA does not exempt the Parties from fulfilling their obligations as specified in the Legislation.
The confidentiality obligation set out in Section 4.1.3 applies indefinitely even after the termination of the DPA.
This DPA is governed by the laws of the Republic of Estonia. The Parties agree that any disputes arising from this DPA will be resolved as stipulated in the Agreement.
The Processor is entitled to unilaterally amend this DPA by giving the Controller a prior notification of fourteen (14) calendar days in case it is necessary to comply with the Legislation or any changes thereto. If the Controller declines to accept such amendments, the Processor is entitled to immediately extraordinarily terminate the Agreement and this DPA in order to comply with the Legislation. If necessary to comply with the Legislation, in the period between the issuing of the termination notice and until the end of the termination of the Agreement, the amendments giving rise to the termination shall be applied fully.
The Processor has the unilateral right to amend the DPA by notifying the Controller of the changes by e-mail at least thirty (30) calendar days before the amendments enter into force. If the Controller does not agree with the amendments to the DPA, the Controller may terminate the DPA in line with the Agreement.
DPA Annex 1
Details of Data Processing
Subject-matter of processing
The Processor will process the personal data as necessary to provide the Service according to the Agreement.
Nature of the processing
The Processor may conduct the following processing activities: receiving data, including collection, accessing, retrieval, recording and data entry; using data, including analysing and profiling by the provision of the Service; returning data to the Controller; erasing data, including destruction and deletion.
Categories of data subjects
The Processor may process personal data of the following categories of data subjects: the Controller’s employees, the Controller’s clients, and clients’ end users (including, but not limited to SMS recipients).
Types of personal data
The Processor may process the following types of personal data: name, username, email address, and phone number. The Processor does not process sensitive personal data.
Duration of processing
The Processor will process the personal data as long as it is necessary for the provision of the Service.
DPA Annex 2
Sub-processors
The Processor uses certain sub-processors to assist it in providing its clients the Service as described in the Terms of Service.
A sub-processor is a third-party processor engaged by the Processor who has access or potentially will have access to the data inserted into the Service by the Controller (including personal data).
For the purpose of supporting the provision of the Service, the Processor uses the following sub-processors: mobile operators (e.g., Vodafone, Telefonica, Telia), messengers (WhatsApp, Viber, Google RSC), and Amazon Web Services.
DPA Annex 3
Technical & Organisational Measures
The Processor has implemented at least the following technical and organisational measures:
Confidentiality (Article 32(1)(b) of the GDPR)
Physical access control
- Defined security perimeters with security measures;
- Technical monitoring equipment (alarm system, video surveillance, motion detectors);
- Access control system and its regular maintenance (doorkeeper service, door lock system, electronic access cards, transponder system);
- Obligatory registration of visitors at the reception, visitors accompanied by employees;
- Automatic logging of electronic access control system;
- Information Security Policy established, documented, and reviewed.
Electronic access control
- Unique user identification for each user;
- Strong password (system-controlled complex rules for passwords, e.g., at least 10 digits, at least one upper and lower case, and at least one number), automated password changes every three months;
- Temporary passwords given to users in a secure manner;
- Provision of access rights according to the principles of “need-to-know” and “least privilege” (lowest possible rights) based on task-related user profiles and function roles;
- Restricted and controlled allocation and use of privileged access rights;
- Established procedures for assigning, changing, and revoking access rights and user IDs, without undue delay for all user types to all systems and services;
- Established procedures for reporting and revoking compromised access credentials (passwords);
- Anti-Virus software;
- Firewalls;
- Intrusion detection systems;
- Use of VPN for remote access;
- Automatic desktop lock;
- Two-factor authentication in data center operation and for critical systems;
- Security patch management;
- SSH encrypted access;
- Certified SSL encryption;
- Encryption of data carriers;
- Secure storage of data carriers;
- Proper destruction of data carriers;
- Use of file shredders and certified waste disposal service providers;
- Information Security Policy established, documented, and reviewed.
Separation control
- Physical separation of systems/databases/data carriers;
- Client systems logically separated such that the data are collected or produced for a single client only, without inadvertently accessing another client’s data;
- Physical separation of development, testing and production environments;
- No usage of un-anonymized data in the development environment;
- VLAN segmentation;
- Determination of database rights;
- Information Security Policy established, documented, and reviewed;
- Data Protection Policy established, documented, and reviewed.
Pseudonymization
- In case of pseudonymization: separation of the allocation data and storage in a separate system (encrypted);
- Internal instruction to anonymise/pseudonymise personal data as far as possible in the event of disclosure or even after the statutory retention period has expired;
- Information Security Policy established, documented, and reviewed;
- Data Protection Policy established, documented, and reviewed.
Integrity (Article 32(1)(b) of the GDPR)
Data input control
- Controls in place to prevent unauthorised access to the application, program, or source code, and assure it is restricted to authorised personnel only;
- Technical logging of the entry, modification, and deletion of data;
- Traceability of data entry, modification, and deletion through individual user names;
- Information Security Policy established, documented, and reviewed.
Data transfer control
- Standardised state-of-the-art transfer protocols via encrypted connections (TLS, SSL, SFTP, HTTPS);
- Transport layer security to ensure communication and transfer security over the network connection;
- Use of VPN;
- Information Security Policy established, documented, and reviewed;
- Data Protection Policy established, documented, and reviewed.
Availability and resilience (Article 32(1)(b) of the GDPR)
Availability control
- Monitoring and planning conducted for the capacity needs across all infrastructure components;
- Monitoring and tuning system performance conducted across all infrastructure components;
- Detection systems (fire detection system, server room monitoring temperature and humidity, video surveillance server room, alarm message in case of unauthorised access to server room);
- Backup concept established;
- Backups are encrypted;
- Access to backups is restricted to authorised personnel only;
- Existence of a disaster recovery plan, which contains all the procedures and support information required for business resumption;
- Information Security Policy established, documented, and reviewed.
Rapid recovery
- Backup monitoring and reporting;
- Restorability;
- Backup concept according to criticality and customer specifications;
- Recovery concept;
- Ability to automatically replicate data to help guard against unexpected hardware failures;
- Regular testing of data recovery results;
- Existence of an emergency plan;
- Information Security Policy established, documented, and reviewed.
Procedures for regular testing, assessment and evaluation (Article 32(1)(d), Article 25 of the GDPR)
Data protection management
- Central documentation of all data protection regulations with access for employees;
- At a minimum, annual review for continuous improvement;
- Data protection checkpoints consistently implemented in tool-supported risk assessment;
- Regular data protection, confidentiality/data secrecy trainings;
- Data protection impact assessment carried out as required;
- Processes regarding information obligations according to Articles 13 and 14 of the GDPR established;
- Formalised process for requests for information from data subjects in place;
- Data protection risks established as part of corporate risk management.
Incident response management
- Monitoring of service continuity;
- Use of firewall, spam filter, and virus scanner and regular updating;
- Documented security incident/data breach response plan;
- At a minimum, annual testing of the security incident/data breach plan;
- Alerting system in place for monitoring privacy breaches, notification of the client if a privacy event may have impacted their data;
- Information Security Policy established, documented, and reviewed;
- Data Protection Policy established, documented, and reviewed.
Data protection by design and by default
- No more personal data is collected than is necessary for the respective purpose;
- At a minimum, annual reviews for continuous improvement;
- Privacy-friendly default settings in standard and individual software;
- Data Protection Policy established, documented, and reviewed.
Order control
- Careful selection of the contractor under due diligence aspects (especially with regard to data protection and data security);
- Conclusion of the data processing agreement with unambiguous wording;
- Written processing instructions to the contractor;
- Obligation of the contractor’s employees to maintain data secrecy;
- Regulation on the use of further subcontractors;
- Ensuring the destruction of data after termination of the contract;
- Monitoring of the performance of the data processing agreement on a regular basis.
DPA Annex 4
Standard contractual clauses
Section I
Local Laws and Obligations in Case of Access by Public Authorities
Clause 1
Purpose and scope
a. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
- the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
- the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”) have agreed to these standard contractual clauses (hereinafter: “Clauses”).
c. These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
d. The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Clause 2
Effect and Invariability of the Clauses
a. These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or adding other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
b. These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
Clause 3
Third-party beneficiaries
- Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
- Clause 8 - Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);
- Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
- Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
- Clause 13;
- Clause 15.1(c), (d), and (e);
- Clause 16(e);
- Clause 18 - Modules One, Two, and Three: Clause 18(a) and (b); Module Four: Clause 18.
b. Paragraph (a) is without prejudice to the rights of data subjects under Regulation (EU) 2016/679.
Clause 4
Interpretation
a. Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
b. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
c. These Clauses shall not be interpreted in a way that conflicts with the rights and obligations provided for in Regulation (EU) 2016/679.
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed upon or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the Transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7
Docking clause
The optional docking clause will not apply.
Section II
Obligations of the Parties
Clause 8
Data Protection Safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.1 Instructions
(a) The data exporter shall process the personal data only on documented instructions from the data importer acting as its controller.
(b) The data exporter shall immediately inform the data importer if it is unable to follow those instructions, including if such instructions infringe Regulation (EU) 2016/679 or other Union or Member State data protection law.
(c) The data importer shall refrain from any action that would prevent the data exporter from fulfilling its obligations under Regulation (EU) 2016/679, including in the context of sub-processing or as regards cooperation with competent supervisory authorities.
(d) After the end of the provision of the processing services, the data exporter shall, at the choice of the data importer, delete all personal data processed on behalf of the data importer and certify to the data importer that it has done so, or return to the data importer all personal data processed on its behalf and delete existing copies.
8.2 Security of processing
(a) The Parties shall implement appropriate technical and organisational measures to ensure the security of the data, including during transmission, and protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature of the personal data, the nature, scope, context, and purpose(s) of processing, and the risks involved in the processing for the data subjects, and in particular consider having recourse to encryption or pseudonymization, including during transmission, where the purpose of processing can be fulfilled in that manner.
(b) The data exporter shall assist the data importer in ensuring the appropriate security of the data in accordance with paragraph (a). In case of a personal data breach concerning the personal data processed by the data exporter under these Clauses, the data exporter shall notify the data importer without undue delay after becoming aware of it and assist the data importer in addressing the breach.
(c) The data exporter shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
8.3 Documentation and compliance
(a) The Parties shall be able to demonstrate compliance with these Clauses.
(b) The data exporter shall make available to the data importer all information necessary to demonstrate compliance with its obligations under these Clauses and allow for and contribute to audits.
Clause 9
Use of sub-processors
This clause is intentionally left blank.
Clause 10
Data subject rights
The Parties shall assist each other in responding to inquiries and requests made by data subjects under the local law applicable to the data importer or, for data processing by the data exporter in the EU, under Regulation (EU) 2016/679.
Clause 11
Redress
The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
Clause 12
Liability
(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
(b) Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.
(c) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
(d) The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
(e) The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.
Clause 13
Supervision
This clause is intentionally left blank.
Section III
Local Laws and Obligations in Case of Access by Public Authorities
Clause 14
Local laws and practices affecting compliance with the Clauses
This clause is intentionally left blank.
Clause 15
Obligations of the data importer in case of access by public authorities
This clause is intentionally left blank.
Section IV
Final Provisions
Clause 16
Non-compliance with the Clauses and termination
(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
- the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
- the data importer is in substantial or persistent breach of these Clauses; or
- the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
(d) Personal data collected by the data exporter in the EU that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall immediately be deleted in its entirety, including any copy thereof. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply, or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Clause 17
Governing law
These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of the Republic of Estonia.
Clause 18
Choice of forum and jurisdiction
Any dispute arising from these Clauses shall be resolved by the courts of the Republic of Estonia.
Standard Contractual Clauses Appendix
Annex I
A. List of Parties
Data exporter:
Name and contact details: Dexatel OÜ, contact details designated in the Terms of Service
Signature and date: by entering into the Agreement, the data exporter is deemed to have signed these EU standard contractual clauses incorporated herein, including their Annexes, as of the effective date of the Terms of Service.
Role: processor
Data importer:
Name and contact details: Client, contact details set forth in the Client’s Account
Signature and date: by entering into the Agreement, the data exporter is deemed to have signed these EU standard contractual clauses incorporated herein, including their Annexes, as of the effective date of the Terms of Service.
Role: controller
B. Description of Transfer
Categories of data subjects whose personal data is transferred: the Controller’s employees, the Controller’s clients, and clients’ end users (including, but not limited to SMS recipients);
Categories of personal data transferred: name, username, email address, phone number;
Sensitive data transferred: no sensitive personal data is transferred;
The frequency of the transfer: continuous basis for the duration of the Agreement;
Nature and purposes of the processing: to provide the Service according to the Agreement;
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: as long as it is necessary for the provision of the Service;
For transfers to (sub-) processors, also specify the subject matter, nature, and duration of the processing: the data exporter uses sub-processors, which are set forth in DPA Annex 2, to provide the Service according to the Agreement as long as it is necessary for the provision of the Service.