Postcards.ai Global Data Processing Addendum
Last Modified: May 18, 2026
This Data Processing Addendum ("DPA") forms part of each agreement with PostPilot, Inc., a Delaware corporation with a principal office at 169 Madison Ave, Suite 11452, New York, NY 10016, US, doing business as Postcards.ai ("Postcards.ai"), including the Postcards.ai Customer Terms of Service, that incorporates this DPA by reference (the "Agreement"). References to "Customer" in this DPA refer to the counterparty to the applicable Agreement. This DPA applies only to Postcards.ai's Services and does not apply to any service Customer purchases from any third party other than Postcards.ai.
Unless otherwise expressly defined in this DPA, capitalized terms used in this DPA have the meanings assigned to them in the Agreement.
Definitions
"Adequate Jurisdiction" means the UK, EEA, or a country, territory, specified sector, or international organization that ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data, as recognized under applicable Data Protection Laws.
"Approved Addendum" means the template Addendum B.1.0 issued by the UK Information Commissioner and laid before the UK Parliament in accordance with Section 119A of the Data Protection Act 2018 on February 2, 2022, as revised under Section 18 of the Approved Addendum.
"Attribution Purposes" has the meaning set out in Section 3.4.
"Business" or "Controller" means an entity that determines the purposes and means of Processing Personal Data.
"Covered Data" means Customer Personal Data, Customer Interaction Data, and Postcards.ai Personal Data.
"Customer Interaction Data" means Log Data collected by Postcards.ai or Postcards.ai's third-party data providers through pixels, cookies, web beacons, tags, or other tracking technologies placed on Customer's website or digital properties.
"Customer Personal Data" means Personal Data shared by Customer with Postcards.ai in connection with the Services. Customer Personal Data may include records consisting of names, mailing addresses, email addresses, phone numbers, customer tags, transaction information, order information, audience criteria, campaign information, account-user information, integration data, and Personal Data Customer has obtained from third-party data providers.
"Data Protection Laws" means applicable laws, rules, regulations, or governmental requirements in the United States, EU, UK, or any other applicable jurisdiction relating to the use, collection, retention, storage, security, disclosure, transfer, sale, sharing, or other Processing of Personal Data, as amended or updated from time to time.
"Data Subject" means a natural person whose Personal Data is Processed.
"EEA" means the European Economic Area, including the European Union.
"GDPR" means Regulation (EU) 2016/679 (the "EU GDPR") or, where applicable, the "UK GDPR" as defined in Section 3 of the UK Data Protection Act 2018.
"Log Data" means data collected on Customer's websites by third parties using cookies, pixels, web beacons, tags, or other technology for advertising, attribution, retargeting, analytics, or related purposes. Log Data may include IP address, advertising IDs, device identifiers, other unique identifiers linked or reasonably linkable to a particular computer or device, date and time stamps, header and referrer URL data, and information about visitor activities on the site.
"Personal Data" means any data or information that is linked or reasonably linkable to an identified or identifiable natural person or that is otherwise "personal data," "personal information," "personally identifiable information," or similarly defined data or information under applicable Data Protection Laws.
"Postcards.ai Personal Data" means Third-Party Licensed Personal Data and any other Personal Data generated, sourced, combined, created, supplemented, or maintained by Postcards.ai that may be shared with Customer in connection with the Services.
"Process" or "Processing" means any operation or set of operations performed on information or sets of information, whether by manual or automated means, including collection, use, storage, disclosure by transmission, dissemination or otherwise making available, alignment or combination, analysis, restriction, deletion, or modification.
"Security Incident" means a confirmed or reasonably suspected breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Covered Data.
"Sell", "Sale", and "Sold" have the meanings set out in the California Consumer Privacy Act.
"Service Provider" or "Processor" means an entity that Processes Personal Data on behalf of a Business or Controller.
"Services" means the services provided by Postcards.ai to Customer under the Agreement.
"Share" has the meaning set out in the California Consumer Privacy Act.
"Standard Contractual Clauses" or "SCCs" means the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914, as set out in Schedule 3.
"Sub-processor" means an entity appointed by Processor to Process Covered Data on its behalf.
"Supervisory Authority" has the meaning given in the GDPR.
"Third-Party Licensed Personal Data" means Personal Data contained in Third-Party Licensed Data.
"UK" means the United Kingdom of Great Britain and Northern Ireland.
The parties agree as follows.
1. Details of Processing and Transfer
1.1
The details of the Processing of Covered Data under the Agreement and this DPA, including subject matter, nature and purpose of Processing, categories of Personal Data, categories of Data Subjects, frequency, duration, and the parties' roles, are described in the Agreement and in Schedule 1 and Schedule 2.
2. Compliance With Laws and Third-Party Licenses
2.1
Each party will comply with its obligations under Data Protection Laws with respect to its Processing of Covered Data. Where a party (the "Discloser") shares or otherwise makes Covered Data available to the other party (the "Recipient"), Discloser will have the right to take reasonable and appropriate steps to ensure Recipient uses Covered Data in a manner consistent with Recipient's obligations under Data Protection Laws, and Recipient will notify Discloser promptly if Recipient determines it can no longer meet its obligations under Data Protection Laws.
2.2
Customer will provide all applicable notices to Data Subjects, and obtain all consents, authorizations, and permissions from Data Subjects, in each case as required under Data Protection Laws with respect to Processing Covered Data by Customer and Postcards.ai in connection with the Services.
2.3
To the extent Customer Personal Data contains Personal Data obtained by Customer from a third-party data provider pursuant to an agreement between Customer and that provider:
2.3.1
Customer is solely responsible for ensuring compliance with its obligations under such third-party agreements and with Data Protection Laws applicable to Customer's use of the Services.
2.3.2
Customer represents and warrants that it has all necessary rights and consents needed to share such Customer Personal Data with Postcards.ai.
3. Data Sharing Obligations
3.1
This Section 3 applies to the extent Discloser and Recipient each act as a Controller or Business with respect to Covered Data.
3.2
The parties acknowledge and agree that Covered Data is made available to, Sold to, or Shared with Recipient, and Recipient will Process and use Covered Data solely for the purposes set out in Schedule 1.
3.3
Recipient will notify Discloser promptly if it receives an inquiry or complaint from a Supervisory Authority, Data Subject, or other person relating to Recipient's Processing of Covered Data received from Discloser. Recipient will not respond to the inquiry or complaint without Discloser's consent, unless required by applicable law, and will make reasonable changes to any response requested by Discloser.
3.4 Postcards.ai Personal Data
3.4.1
Customer will use and retain Postcards.ai Personal Data, if made available by Postcards.ai as part of the Services, solely for internal analytics and attribution purposes ("Attribution Purposes") and for no other purpose, commercial or otherwise, including marketing purposes, unless expressly permitted in writing by Postcards.ai. Customer has no right to share, disclose, sell, or otherwise make Postcards.ai Personal Data available to any third party without prior written approval from Postcards.ai.
3.4.2
Customer will erase or otherwise destroy Postcards.ai Personal Data within thirty (30) days from completion of the Services for which such data was provided, unless retention is required under applicable law or otherwise permitted by Postcards.ai and, where applicable, the third-party data provider in writing.
3.5 Covered Data
3.5.1
Customer will ensure that Customer Personal Data and Customer Interaction Data Sold to, Shared with, or otherwise licensed to Postcards.ai does not contain Personal Data relating to a Data Subject who has exercised rights to opt out of or object to such Sale or Sharing under Data Protection Laws. Customer will promptly notify Postcards.ai of any request by a Data Subject to whom Customer Personal Data or Customer Interaction Data relates to opt out of or object to Sale or Sharing or to exercise rights to delete such Personal Data.
4. Data Processing Obligations
4.1
This Section 4 applies to the extent Postcards.ai Processes Customer Personal Data as a Processor or Service Provider.
4.2
Postcards.ai will Process Customer Personal Data for the purpose of providing the Services under the Agreement and in accordance with Customer's instructions set out in the Agreement or in writing. Without limiting the foregoing, Postcards.ai is prohibited from:
- Selling Customer Personal Data or otherwise making Customer Personal Data available to any third party for monetary or other valuable consideration;
- Sharing Customer Personal Data with any third party for cross-context behavioral advertising;
- retaining, using, or disclosing Customer Personal Data for any purpose other than the business purposes specified in the Agreement or otherwise permitted by Data Protection Laws;
- retaining, using, or disclosing Customer Personal Data outside of the direct business relationship between the parties; or
- to the extent prohibited by Data Protection Laws, combining Customer Personal Data with other information Postcards.ai receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject.
Notwithstanding the foregoing, Postcards.ai may anonymize Customer Personal Data through a reliable anonymization procedure and use anonymized data for its own business and commercial purposes, including research, development of new products and services, analytics, security, and fraud prevention.
4.3
Postcards.ai will limit access to Customer Personal Data to personnel and independent contractors who have a business need to access such Customer Personal Data and will ensure that such personnel and independent contractors are subject to obligations at least as protective of Customer Personal Data as the terms of this DPA and the Agreement.
4.4
Postcards.ai may share Customer Personal Data with a Sub-processor for a business purpose, with a third party as necessary to comply with applicable law, or as otherwise permitted by Data Protection Laws.
4.5
Customer grants Postcards.ai general authorization to engage Sub-processors, including current Sub-processors listed in Schedule 4. The parties agree that:
4.5.1
Postcards.ai will inform Customer by email or by posting on the approved Sub-processor list page available at https://www.postcards.ai/approved-list-of-sub-processors or any successor page of intended additions or replacements to Sub-processors it uses to Process Customer Personal Data. Such advance notice will be at least fifteen (15) calendar days, unless a shorter period is reasonably required for security, availability, provider, compliance, or legal reasons. Customer is responsible for subscribing to or monitoring the Sub-processor list page for updates.
4.5.2
Postcards.ai will be liable to Customer for the acts or omissions of any Sub-processor or other third party to whom Postcards.ai has disclosed or permitted to access Customer Personal Data as if they were acts or omissions of Postcards.ai. Postcards.ai will not permit a Sub-processor to Process Customer Personal Data unless Postcards.ai and the Sub-processor have entered into an agreement imposing obligations on the Sub-processor no less restrictive and at least equally protective of Customer Personal Data as those imposed on Postcards.ai under this DPA.
4.5.3
Postcards.ai is responsible for ensuring the compliance of Sub-processors with applicable Data Protection Laws in connection with Processing Customer Personal Data.
4.6
Postcards.ai will reasonably cooperate with Customer, at Customer's expense, to assist Customer with ensuring its compliance with Data Protection Laws, including responding to Data Subject requests for access, knowledge, deletion, or rectification in relation to Customer Personal Data. If Customer instructs Postcards.ai to delete Customer Personal Data in response to a Data Subject request, Postcards.ai will delete or de-identify such information within thirty (30) days of receipt of the request. Postcards.ai has no obligation to delete information that has been de-identified, anonymized, or aggregated such that it is no longer Personal Data under Data Protection Laws.
4.7
Upon termination or expiration of the Agreement or earlier as requested by Customer, Postcards.ai will delete or return to Customer, at Customer's election, all Customer Personal Data in its possession, custody, and control, except Customer Personal Data that must be retained under applicable law, which Postcards.ai will delete once no longer required to retain. Postcards.ai may also retain backup, security, fraud prevention, dispute, and compliance records as permitted by applicable law and the Agreement.
4.8
Customer may audit Postcards.ai's compliance with this Section 4. The parties agree that all such audits will be conducted:
4.8.1
no more than once a year;
4.8.2
upon reasonable written notice to Postcards.ai;
4.8.3
only during Postcards.ai's normal business hours; and
4.8.4
at Customer's cost.
4.9
For audits conducted under Section 4.8, Customer may engage a third-party auditor to conduct the audit on its behalf. Postcards.ai may object to the appointment of a third-party auditor on reasonable confidentiality, security, competitive, or conflict grounds.
4.10
Customer will promptly notify Postcards.ai of any non-compliance discovered during an audit.
4.11
Postcards.ai may, in response to an audit request, provide Customer data protection compliance certifications, third-party audit reports, security documentation, or other documentation reasonably evidencing implementation of technical and organizational data security measures in accordance with industry standards. Customer agrees that provision of such certifications and documentation will satisfy Customer's audit rights under this DPA or Data Protection Laws to the extent permitted by law.
5. Other Data Obligations
5.1
Customer will not, without Postcards.ai's prior written approval, submit or cause to be submitted to Postcards.ai any data that includes: Social Security number, passport number, driver's license number, or similar identifier; credit card or debit card number; employment, financial, or health information; Personal Data relating to an individual under eighteen (18) years of age; Personal Data relating to any individual who has withdrawn consent or exercised a right to opt out; special category data under Article 9 of the GDPR or criminal-offense data under Article 10 of the GDPR; or information subject to additional protections under laws including GLBA, HIPAA, COPPA, FCRA, or similar laws.
5.2
Other than where expressly permitted in Schedule 1, Customer will not submit or cause to be submitted to Postcards.ai any Personal Data to the extent the GDPR applies to Customer's Processing of such Personal Data ("GDPR Personal Data"). Postcards.ai may amend permissions to upload GDPR Personal Data in Schedule 1 from time to time by written notice to Customer, provided that amendments withdrawing permission to upload GDPR Personal Data will take effect not less than thirty (30) days from the date of notice.
6. Standard Contractual Clauses
6.1
The SCCs will apply to the transfer of Covered Data from Discloser to Recipient and form part of this DPA, to the extent Recipient is not in an Adequate Jurisdiction and:
6.1.1
the GDPR applies to Discloser's Processing of Covered Data when it makes that transfer;
6.1.2
the Data Protection Laws that apply to Discloser when making that transfer prohibit transfer of Covered Data to Recipient under this DPA in the absence of a transfer mechanism implementing adequate safeguards, and one or more of the following applies:
- the relevant authority with jurisdiction over Discloser's transfer of Covered Data has not formally adopted standard data protection clauses or another transfer mechanism under the applicable Data Protection Laws;
- such authority has issued guidance that entering into standard contractual clauses approved by the European Commission would satisfy a requirement to implement adequate safeguards; or
- entering into standard contractual clauses approved by the European Commission would reasonably satisfy a requirement to implement adequate safeguards; or
6.1.3
the transfer is an onward transfer as defined in the applicable module of the SCCs.
6.2
The parties agree that execution of the Agreement has the same effect as signing the SCCs.
6.3
In the event of conflict between the SCCs and this DPA or the Agreement, the SCCs prevail.
7. Data Security
7.1
Each party will implement appropriate technical and organizational measures designed to safeguard Covered Data against unauthorized or unlawful Processing and against accidental loss, destruction, or damage. Details of these technical and organizational measures are included in Schedule 2. Each party will document those measures in writing and periodically review them to ensure they remain current and complete.
7.2
Each party will notify the other without undue delay after becoming aware of a Security Incident.
7.3
To the extent a Security Incident affects Customer Personal Data Processed by Postcards.ai as Processor, Postcards.ai will provide Customer with reasonable assistance in the investigation of the Security Incident, and Customer will have sole responsibility for determining whether notice to Data Subjects, Supervisory Authorities, or other third parties is required, except to the extent Postcards.ai is required by law to provide notice.
7.4
To the extent a Security Incident affects Postcards.ai Personal Data Processed by Customer, Customer will not, unless required by law, notify any regulator or Data Subject of the Security Incident without Postcards.ai's prior approval, which will not be unreasonably withheld. Customer will provide reasonable assistance in investigation and remediation.
8. Termination and Survival
This DPA will remain in effect for as long as Postcards.ai Processes Covered Data. Sections that by their nature should survive will survive termination or expiration, including restrictions on use of Covered Data, confidentiality, audit and compliance obligations, return or deletion obligations, and international transfer provisions.
9. Conflicts
In the event of conflict between this DPA and the Agreement regarding Processing of Covered Data, this DPA controls. In the event of conflict between the SCCs and this DPA or the Agreement, the SCCs control.
10. Applicable Law and Jurisdiction
Except for the SCCs and Approved Addendum, which are governed as described in Schedule 3, this DPA is governed by the governing law and jurisdiction provisions in the Agreement.
Schedule 1: Details of Processing
1. Party Details
Data exporter: Customer, as identified in the Agreement or applicable Order.
Data importer: PostPilot, Inc. d/b/a Postcards.ai, 169 Madison Ave, Suite 11452, New York, NY 10016, US.
Subject matter: Collection, storage, retrieval, use, analysis, matching, enrichment, disclosure by transfer, rendering, printing, mailing, tracking, attribution, and other Processing of Covered Data for the purposes described in this Schedule 1.
Duration: Until termination of the applicable Services or until earlier deletion is requested by Customer, subject to the Agreement, this DPA, and the Privacy Notice.
2. Customer Authorized Users
2.1 Customer Personal Data shared by Customer with Postcards.ai
Role:
- Customer: Controller/Business
- Postcards.ai: Processor/Service Provider
GDPR Personal Data Permitted: Yes, for Authorized User account and business-contact information only.
Categories of Data Subjects: Customer's Authorized Users and business contacts.
Categories of Personal Data: Name, business email address, business phone number, company name, role, login information, account settings, usage data, support communications, and similar business-contact information.
Special Categories of Personal Data: None.
Frequency of Transfer: Continuous.
Purpose: Account administration, authentication, customer support, security, billing, service communications, and provision of the Services.
Duration: Until termination of the applicable Services or until earlier deletion is requested, subject to the Agreement and Privacy Notice.
3. Direct Mailings, Campaign Automation, CSV Importing, and Integrations
3.1 Customer Personal Data shared by Customer with Postcards.ai
Role:
- Customer: Controller/Business
- Postcards.ai: Processor/Service Provider or Controller/Business, depending on the specific Services and Processing purpose.
GDPR Personal Data Permitted: No, unless expressly agreed in writing.
Categories of Data Subjects: Customer's existing customers and prospective target customers identified by Customer ("Mailing Targets").
Categories of Personal Data: Name, mailing address, email address, phone number, customer tags, transaction information, order information, products ordered, price, date, browser IP, browser details, landing site, customer source, campaign history, audience criteria, and similar information.
Special Categories of Personal Data: None.
Frequency of Transfer: Continuous or as initiated by Customer.
Purpose: Creation, targeting, rendering, submission, production, delivery, tracking, and analysis of direct mail marketing to Mailing Targets.
Duration: Until termination of the applicable Services or until earlier deletion is requested by Customer, subject to the Agreement and Privacy Notice.
4. MailMatch
4.1 Customer Personal Data shared by Customer with Postcards.ai
Role:
- Customer: Controller/Business
- Postcards.ai: Controller/Business
GDPR Personal Data Permitted: No.
Categories of Data Subjects: Customer's existing customers and prospective target customers identified by Customer.
Categories of Personal Data: Name, mailing address, email address, phone number, and related matching identifiers.
Special Categories of Personal Data: None.
Frequency of Transfer: Continuous or as initiated by Customer.
Purpose: Identification of mailing addresses associated with Mailing Targets and distribution of mail marketing.
Duration: Until termination of the applicable Services or until earlier deletion is requested by Customer, subject to the Agreement and Privacy Notice.
4.2 Postcards.ai Personal Data shared by Postcards.ai with Customer
Role:
- Postcards.ai: Controller/Business
- Customer: Controller/Business
GDPR Personal Data Permitted: No.
Categories of Data Subjects: Customer's existing customers and prospective target customers identified by Customer.
Categories of Personal Data: Name, mailing address, and related matching data.
Special Categories of Personal Data: None.
Frequency of Transfer: Continuous or as initiated by Customer.
Purpose: Identification of mailing addresses associated with Mailing Targets and distribution of mail marketing.
Duration: Until termination of the applicable Services or until earlier deletion is requested by Customer, subject to the Agreement and Privacy Notice.
5. Prospecting and Dropswaps
5.1 Customer Personal Data shared by Customer with Postcards.ai
Role:
- Customer: Controller/Business
- Postcards.ai: Controller/Business
GDPR Personal Data Permitted: No.
Categories of Data Subjects: Customer's existing customers and prospective target customers identified by Customer.
Categories of Personal Data: Name, mailing address, email address, customer tags, transaction information, amount spent, orders placed, order details, currency, phone, shipping address, products ordered, price, date, browser IP, browser details, landing site, and similar information.
Special Categories of Personal Data: None.
Frequency of Transfer: Continuous or as initiated by Customer.
Purpose: Creation of lookalike audiences based on Mailing Targets' characteristics; distribution of mail marketing to Mailing Targets and lookalike mailing targets; distribution of co-branded mail marketing to Mailing Targets; route-based audience creation; and related attribution and analytics.
Duration: Until termination of the applicable Services or until earlier deletion is requested by Customer, subject to the Agreement and Privacy Notice.
5.2 Postcards.ai Personal Data shared with or made available to Customer
Role:
- Postcards.ai: Controller/Business
- Customer: Controller/Business
GDPR Personal Data Permitted: No.
Categories of Data Subjects: Prospective target customers identified by Customer and lookalike audiences based on Mailing Targets' characteristics.
Categories of Personal Data: Name, mailing address, demographic information, approximate location, and related audience data.
Special Categories of Personal Data: None.
Frequency of Transfer: Continuous or as initiated by Customer.
Purpose: Distribution of mail marketing to Mailing Targets and lookalike mailing targets or for Attribution Purposes.
Duration: Until termination of the applicable Services or until earlier deletion is requested by Customer, subject to the Agreement and Privacy Notice.
6. SiteMatch
6.1 Customer Interaction Data collected by Postcards.ai from Customer's website
Role:
- Customer: Controller/Business
- Postcards.ai: Controller/Business
GDPR Personal Data Permitted: No.
Categories of Data Subjects: Visitors to Customer's website.
Categories of Personal Data: IP address, advertising IDs, device identifiers, other unique identifiers linked or reasonably linkable to a particular computer or device, dates and timestamps, header and referrer URL data, information about visitor activities on the site, products browsed, clicked on, placed in cart, or purchased, and duration on the website.
Special Categories of Personal Data: None.
Frequency of Transfer: Continuous.
Purpose: Identification of individuals or households and retrieval of mailing addresses based on Customer Interaction Data; distribution of mail marketing to such individuals or households; attribution; analytics; and development of enhanced individual profiles to provide the Services.
Duration: Until termination of the applicable Services or until earlier deletion is requested by Customer, subject to the Agreement and Privacy Notice.
7. Postcards.ai AI
7.1 Customer Personal Data and Customer Interaction Data shared by Customer with Postcards.ai
Role:
- Customer: Controller/Business
- Postcards.ai: Controller/Business
GDPR Personal Data Permitted: No.
Categories of Data Subjects: Customer's customers, prospective customers, mailing targets, lookalike mailing targets, website visitors, Authorized Users, and other individuals referenced in Customer materials.
Categories of Personal Data: Name, mailing address, purchase information, demographic information, approximate location, IP address, advertising IDs, device identifiers, dates and timestamps, header and referrer URL data, visitor activity, products browsed, clicked on, placed in cart, or purchased, prompts, uploaded creative, brand information, website materials, and campaign context.
Special Categories of Personal Data: None.
Frequency of Transfer: Continuous or as initiated by Customer.
Purpose: Combining Personal Data relating to a Postcards.ai AI end user from Customer and other customers of the Services to identify purchases and browsing habits; determine products and services of interest; identify audiences for distribution of mail marketing from Customer and other customers; identify mailing addresses; enhance individual profiles to provide the Services; create lookalike audiences; generate and parse postcard designs; provide AI-assisted copy, creative, and workflow features; and support security, quality, and service improvement.
Duration: Postcards.ai may retain Customer Personal Data and Customer Interaction Data in accordance with the Postcards.ai Privacy Notice.
Schedule 2: Technical and Organizational Measures
The Recipient has implemented the following technical and organizational measures designed to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of Processing and the risks for the rights and freedoms of natural persons.
1. Governance and Policies
The Recipient assigns personnel responsible for determining, reviewing, and implementing security policies and measures. The Recipient documents security measures in security policies, guidelines, or other relevant documents and reviews those measures and policies to ensure they continue to be appropriate for the Personal Data being transferred. The Recipient establishes and follows secure configurations for systems and software and considers security measures during project initiation and development of new IT systems.
2. Breach Response
The Recipient maintains a breach response plan designed to address data breach events, and reviews, tests, and updates that plan as appropriate.
3. Intrusion, Anti-Virus, and Anti-Malware Defenses
The Recipient's IT systems used to Process Personal Data have appropriate data security controls installed or enabled, which may include antivirus, anti-spyware, and anti-malware tools, event logging, monitoring and review of event logs, and data loss prevention tools, supplemented by vulnerability scans and penetration testing.
4. Access Controls
The Recipient limits access to Personal Data by implementing appropriate access controls, including limiting administrative access privileges, changing default passwords before deployment, requiring authentication and authorization, permitting access only where needed for job role or purpose, maintaining procedures for allocation and revocation of access rights, enforcing password policies, using multi-factor authentication where appropriate, using idle session controls where appropriate, blocking or limiting access after repeated failed attempts, monitoring and logging access to IT systems, and monitoring and logging amendments to data or files on IT systems.
5. Availability and Backup of Personal Data
The Recipient maintains disaster recovery and backup practices designed to restore key systems and data in a timely manner in the event of a physical or technical incident. The Recipient backs up information on IT systems, stores backups separately, and tests validity of backups as appropriate.
6. Segmentation of Personal Data
The Recipient separates and limits access between network components and, where appropriate, implements measures to provide separate Processing, storage, amendment, deletion, and transmission of Personal Data collected and used for different purposes.
7. Disposal of IT Equipment
The Recipient maintains processes designed to securely remove Personal Data before disposing of IT systems and uses appropriate technology or procedures to purge equipment of data or destroy storage media.
8. Encryption
The Recipient uses encryption technology to protect Personal Data at rest and in transit where appropriate. Encryption keys are stored separately from the encrypted information and are subject to appropriate security measures.
9. Transmission or Transport of Personal Data
The Recipient implements appropriate controls to secure Personal Data during transmission or transit, including encryption in transit and logging of electronic transmission where appropriate.
10. Asset and Software Management
The Recipient maintains an inventory of relevant IT assets and the data stored on them, together with the owners of relevant assets where appropriate. The Recipient documents and implements rules for acceptable use of IT assets, deploys patch management and software update tools, monitors software vulnerabilities and implements out-of-cycle patches as appropriate, and permits use only of supported web browsers and email clients. The Recipient stores API keys securely, does not intentionally store secret API keys client-side, and does not intentionally publish API key credentials in online code repositories.
11. Physical Security
The Recipient implements physical security measures designed to safeguard Personal Data.
12. Staff Training and Awareness
The Recipient communicates personnel responsibilities for information security through agreements, policies, handbooks, or similar materials. The Recipient provides staff training on data security and privacy issues relevant to job role, provides appropriate onboarding training, and conducts screening and background checks for individuals with access to sensitive Personal Data where appropriate. The Recipient communicates information security responsibilities that apply before, during, and after termination or change of employment. Staff are subject to disciplinary or contractual measures for breaches of privacy and security policies.
13. Selection of Service Providers and Commission of Services
The Recipient assesses service providers' ability to meet security requirements before engagement. The Recipient maintains written contracts with service providers that require them to implement appropriate security measures to protect Personal Data and limit use of Personal Data in accordance with the parties' instructions.
14. Assistance With Data Subject Rights Requests
The Recipient has implemented policies and measures designed to identify and address data subject rights requests, including storing data processed on behalf of the Discloser separately from data processed by the Recipient where appropriate, maintaining records to enable identification of Personal Data processed on behalf of the Discloser, and overwriting backups of Personal Data processed on behalf of the Discloser on a regular basis to support deletion and rectification requests.
Schedule 3: Standard Contractual Clauses
1. Standard Contractual Clauses
With respect to transfers described in Section 6, the SCCs are completed as follows:
1.1
Module One (Controller to Controller) applies to transfers of Customer Personal Data from Customer as data exporter to Postcards.ai as data importer and transfers of Postcards.ai Personal Data from Postcards.ai as data exporter to Customer as data importer, to the extent each party acts as Controller, as described in Schedule 1.
1.2
Module Two (Controller to Processor) applies to transfers of Customer Personal Data from Customer as data exporter to Postcards.ai as data importer to the extent Postcards.ai acts as Processor, as described in Schedule 1.
1.3
Clause 7 of the SCCs (Docking Clause) does not apply.
1.4
Option 2 of Clause 9 (Subprocessors) applies, and the period for notifying changes to Sub-processors engaged is thirty (30) days for purposes of the SCCs. The approved list of Sub-processors as of the date of this DPA is set out in Schedule 4.
1.5
The option in Clause 11(a) of the SCCs (Independent dispute resolution body) does not apply.
1.6
Option 1 of Clause 17 of the SCCs (Governing Law) applies, and the laws of Ireland apply to the SCCs.
1.7
Clause 18 of the SCCs (Choice of forum and jurisdiction) refers to the courts of Ireland.
1.8
Annex I.A (List of Parties) incorporates the information in Schedule 1. The nature and subject matter of Processing are the collection, storage, retrieval, and disclosure by transfer of Covered Data for the purposes set out in Schedule 1.
1.9
Annex I.B (Description of Transfer) incorporates the information in Schedule 1.
1.10
Annex I.C (Competent Supervisory Authority) refers to the Irish Data Protection Commissioner.
1.11
Annex II (Technical and Organizational Measures) incorporates the information in Schedule 2.
2. Transfers of Covered Data Subject to the UK GDPR
2.1
The Approved Addendum applies to transfers of applicable Covered Data from Discloser to Recipient to the extent:
- UK data protection laws apply to Customer when making that transfer; and
- there is an onward transfer as defined in the Approved Addendum.
2.2
The parties agree that the Approved Addendum forms part of this DPA and execution of the Agreement has the same effect as signing the Approved Addendum.
2.3
The Approved Addendum is completed as follows:
- the "Addendum EU SCCs" refers to the relevant SCCs as incorporated into and applied to transfers between the parties under this DPA;
- the "Appendix Information" refers to the information in Schedule 1 and Schedule 2; and
- for purposes of Table 4 of the Approved Addendum, neither Customer nor Postcards.ai may end the Approved Addendum under Section 19 of the Approved Addendum.
3. Transfers of Covered Data Subject to Other Laws
3.1
With respect to any transfers of Covered Data referred to in Section 6.1.2 (each, a "Global Transfer"), the SCCs will not be interpreted in a way that conflicts with rights and obligations provided for in the Exporter Data Protection Laws.
3.2
For Global Transfers, the SCCs are deemed amended to the extent necessary so that they operate:
- for transfers made by the applicable data exporter to the data importer, to the extent Exporter Data Protection Laws apply to that data exporter's Processing when making the transfer; and
- to provide appropriate safeguards for transfers in accordance with Exporter Data Protection Laws.
3.3
The amendments described in Section 3.2 include:
- references to the GDPR and specific GDPR Articles are replaced with equivalent provisions under Exporter Data Protection Laws;
- references to the Union, EU, and EU Member State are replaced with the jurisdiction in which Exporter Data Protection Laws were issued;
- the competent supervisory authority is the applicable supervisory authority in that jurisdiction; and
- Clauses 17 and 18 of the SCCs refer to the laws and courts of that jurisdiction, respectively.
3.4
Where, during Recipient's Processing of Covered Data under this DPA, a transfer mechanism other than the SCCs is approved under Exporter Data Protection Laws with respect to transfers of Covered Data by Customer to Recipient, the parties will promptly enter into a supplementary agreement that incorporates the new mechanism, incorporates details of Processing in Schedule 1, and takes precedence over this DPA for transfers subject to those Exporter Data Protection Laws in the event of conflict.
Schedule 4: Approved Sub-Processors
Postcards.ai's approved Sub-processors are listed in the Approved List of Sub-Processors or any successor page.