bento icon close

Treatment of personal data agreement

Version in force on May 25, 2018

The purpose of this agreement is to define the conditions under which Sarbacane Software (hereinafter "Sarbacane Software" or the "Subcontractor") undertakes to perform on behalf of the user (hereinafter "User" or the "Data Controller "), the personal data processing operations defined below. Sarbacane Software and the User together are referred to as the "Parties" and individually as the "Party". This agreement terminates and replaces all conditions and prior agreements between the Parties with the same purpose.

In the context of this agreement, the User acts as a Data Controller and Sarbacane Software acts as a Subcontractor within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, applicable as of 25 May, 2018 (hereinafter the "European Data Protection Regulation").

Sarbacane Software qualifies as a controller when it determines the purposes and means of its processing of personal data. This is particularly the case when it processes the contact details of a natural person (interlocutor of the user company) as part of a request for assistance. The measures implemented by Sarbacane Software in this context are detailed in a charter on the Mailify website.

The Parties undertake to respect the regulations in force and applicable to the processing of personal data and, in particular, the European Data Protection Regulation.

1. Definitions

Personal Data(s): refers to any information relating to an identified or identifiable natural person within the meaning of the European Data Protection Regulation, which the Subcontractor processes on behalf of the Data Controller.

Personal Data Violation: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, disclosure or unauthorized access to Personal Data transmitted, stored or otherwise processed.

Processing: means any operation or set of operations performed on or to Personal Data, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, broadcast or combination, restriction or deletion of Personal Data.

2. Treatment Details

a. Types of Personal Data: Contact information, including email addresses, phone numbers, last name, first name, profession, gender, demographic information, preferences, location data, login details and any other type of data determined and controlled by the User in their sole discretion, in the context of its use and setting up services of Sarbacane Software.

b. Categories of data subjects: All categories of data subjects (natural persons) determined and controlled by the User in their sole discretion, namely:

- Any person (customers, prospects, employees, subcontractors, suppliers, etc.) whose email address and/or telephone number is/are included in the User's distribution list; or recipient of any emailing/sms communication; or whose information is stored or collected via the Services.

c. Purpose and nature of the Processing: The subject of the Processing of Personal Data by the Subcontractor is the provision of the Services to the Data Controller, which involves the Processing of Personal Data and the performance of the Subcontractor's obligations within the framework of the agreement, and of all conditions agreed between the Parties. The Subcontractor provides software for the creation, sending, automation and analysis of email and/or SMS campaigns, and supporting services. The services can include: the processing of recipient databases for sending electronic campaigns (email and/or SMS), the analysis of the behavior of recipients, the definition and implementation of a marketing communication strategy etc. Personal Data will be subject to processing activities as specified in the general conditions, the information agreed upon at the time of any order and if applicable, under any particular conditions.

d. Duration of Processing: Personal Data will be processed for the duration of the contractual relationship between the Parties.

3. Obligations of the Parties

3.1. Obligations of the User

The User is responsible for the Treatments made under the services subscribed.

They are therefore solely responsible for the Personal Data that they use, provide and store through the services of Sarbacane Software. As such, the User is solely responsible for the obligations incumbent upon them as the Data Controller in view of the regulations in force applicable to the Processing of Personal Data and, in particular, the European Data Protection Regulation.

The User agrees to:

1. Provide Sarbacane Software with the personal data necessary to perform the services underwritten. They must be careful not to provide so-called sensitive data as defined by the regulations on the protection of personal data;

2. Document any instructions regarding the processing of Personal Data by Sarbacane Software. It is understood that the modalities of use of the services and the present agreement will be worth instruction addressed to Sarbacane Software as for the Treatment to be implemented. Additional or derogatory instructions require written agreement between the Parties. They must initially be specified in writing when ordering services and may, at any time, with the prior written consent of Sarbacane Software, be modified, supplemented or replaced at the request of the User, in separate written instructions;

3. Ensure, in advance and throughout the duration of the Processing, that Sarbacane Software complies with the requirements of the European Data Protection Regulation;

4. Supervise the Processing, including performing audits, inspections with Sarbacane Software. As part of the performance of audits and inspections, the User undertakes to inform Sarbacane Software of its decision to carry out an audit or inspection with a minimum notice period of 15 days;

With regard to these audits/inspections, they undertake to (i) call on a qualified staff or service provider; (ii) bear only the full costs of the audits/inspections; (iii) perform audits/inspections only during working days and hours; (iv) confirm that the purpose of these audits/inspections is: an analysis of compliance with this Agreement and the regulations on the protection of personal data.

5. Take the necessary security measures for the protection of the Personal Data incumbent on them in their capacity as the Data Controller and in particular to ensure the confidentiality of their login and password of their access to the services, to use passwords respecting the rules of good practice; to ensure the security of the workstations and equipment from which its personnel and any person authorized by it, access the services notably by authenticating the users by name, by revising the authorizations periodically, by ensuring the application of the patches and updates of systems, with anti-virus and firewall or the like kept up-to-date, favoring Wi-Fi networks using WPA2, WPA2_PSK or similar encryption, by favoring backups of its users' data in adequate locations; by protecting its premises, in particular by having anti-intrusion systems and periodically tested access controls, differentiating the areas of premises according to the risks (e.g. computer room), granting access to staff according to the operational requirements according to the principle of least privilege; to use people trained and aware of the protection of personal data; etc.

6. To collect, in accordance with the European Data Protection Regulation and other applicable data protection rules, where necessary, any consent of the persons concerned by the proposed processing operations, and in any case, to ensure that the Treatment remains lawful.

It is also the responsibility of the User to provide the information to the persons concerned by the processing operations at the time of the collection of the Personal Data.

7. To respond to requests for the exercise of the rights of data subjects (right of access, rectification, deletion and opposition, limitation of processing, portability of data, not to be subject to an automated individual decision).

And more generally, to respect their obligations imposed by the regulations in force and applicable to the processing of personal data and, in particular, the European Data Protection Regulation.

3.2 Obligations of the Subcontractor

Sarbacane Software processes Personal Data only on the User's documented instructions in accordance with Article 3.1.2, unless obliged to do so by EU law or French law. If Sarbacane Software considers that an instruction constitutes a violation of the European Data Protection Regulation or any other provision of EU law or data protection law of the Member States, it shall immediately inform the User.

Sarbacane Software agrees to:

- process Personal Data only for the purposes that are subcontracted.

- take into account, with regard to its tools, products, applications or services, the principles of data protection by design stage and data protection by default.

- not to transfer Personal Data to any country outside the EU/EEA or to any third country not recognized by the European Commission as ensuring a sufficient level of protection of personal data, without prior consent of the User.

In general, the Data Controller can, at any time, via the services, delete and export any Personal Data. In all cases and unless otherwise instructed by the Data Controller, the Personal Data will not be retained by the Subcontractor for more than six months from the termination, expiry, or early cancellation of the service relating to the Processing of Personal Data, except or data to be retained to meet a legal or regulatory obligation."

Security / Confidentiality / Data breach

Sarbacane Software implements the appropriate technical and organizational measures to ensure that the Processing meets the requirements of the Data Protection Regulations. Sarbacane Software undertakes, among other things, to take all necessary measures to ensure the preservation and integrity of the Personal Data and in order to avoid any misuse or fraudulent use of Personal Data, within the limits of its scope of intervention and the means under its control for and during the contractual relations. The User may, at any time, take note of these measures on the website.

Sarbacane Software undertakes to maintain the confidentiality of Personal Data, not to disclose it, in any form whatsoever, except (i) for the purposes of the execution of the Services and the present agreement; (ii) pursuant to a legal or regulatory provision; (iii) to respond to requests for communications from judicial and/or administrative authorities; (iv) with the prior agreement or request of the User. In this respect, Sarbacane Software ensures that the persons authorized to process Personal Data (personnel, partners, Sub-Subcontractors, etc.) undertake to respect the confidentiality of the Personal Data or are subject to an appropriate legal obligation to confidentiality.

Sarbacane Software notifies the User of any Personal Data Violation within 48 hours of becoming aware of it. This notification is accompanied by any useful documentation to enable the User to fulfill their obligations.


Whenever possible, given the nature of the Processing and the information at its disposal, Sarbacane Software commits to the User, and at the User's request:

- to assist them in fulfilling their obligation to respond to requests for the exercise of the rights of the persons concerned by the Processing, insofar as the User does not have the information or the tools via the services. The User remains solely responsible for the response provided to the persons concerned. In the event of requests for the exercise of rights or complaints by persons concerned coming directly to Sarbacane Software, Sarbacane Software undertakes to forward such requests as soon as possible to the User;

- assisting them to carry out impact assessments relating to the protection of personal data, where the processing of this data is likely to create a high risk for the rights and freedoms of the persons concerned, and for the realization of prior consultation of the supervisory authority;

- assisting them in carrying out the notification to the supervisory authority, and if necessary to the data subject, in case of Personal Data Infringement in accordance with the section "Security, Confidentiality, Data breach";

- to make available to the User all the information necessary to demonstrate compliance with the obligations provided for in the European Data Protection Regulation and to enable audits to be carried out, including inspections. Audits will be conducted in accordance with the provisions of Article 3.1.4.


"Sarbacane Software may use another subcontractor to conduct specific processing activities (hereinafter, ""Subcontractor(s)""), which the Data Controller agrees to. The list of current Subcontractors is available on the website.   Sarbacane Software undertakes to inform the User in advance and in writing, including electronic, of any change envisaged concerning the addition or replacement of other Subcontractors. The User has a maximum of 15 calendar days from the date of sending this information to terminate the service or services in case of opposition. Failing to terminate within that period, the User will be deemed to have accepted any change regarding the addition or replacement of Subcontractors. In the event of termination, the User will receive a refund of expenses paid in advance but not used for the remaining period following the effective date of termination, the latter acting upon receipt of notification by Sarbacane Software. Any notice of termination in this context must be made to the following address:"

"Sarbacane Software agrees to enter into a contract with each of its Subcontractors, with the same obligations as those to which it is subject to in accordance with the agreement. If the Subcontractor processes services outside the EU/EEA, this information is specified in the list above. Sarbacane Software must ensure that the transfer is made in accordance with the standard contractual clauses approved by the European Commission for the transfer of Personal Data, that the User authorizes Sarbacane Software to conclude on its behalf and for its account, or that other appropriate mechanisms for legal data transfer are applied. If the Subcontractor does not fulfill its data protection obligations, Sarbacane Software remains fully liable to the User. If the Subcontractor Subsequent does not fulfill its data protection obligations, Sarbacane Software remains fully liable to the User."

Processing Activity Categories Register

Sarbacane Software declares to keep a written register of all categories of processing activities performed on behalf of the User.

4. Supervisory authorities

The Parties undertake to cooperate with the competent data protection authorities, particularly in the event of a request for information which may be sent to them, or in case of control.

5. Data Protection Officer

Sarbacane Software declares that it has appointed a data protection officer who can be reached at the following email address: or by mail at Sarbacane Software's head office.

As soon as the User has a data protection officer, they undertake to send these details to Sarbacane Software Data Protection Officer.

6. Application of the general conditions

This agreement supplements the general conditions applicable to the Services subscribed by the User.

In the event of contradictions, this agreement takes precedence over these general conditions.

7. Modifications

This Agreement may be amended at any time. All changes are published on the website of Sarbacane Software and are brought to the attention of the User through the website. It is the responsibility of the User to check the Site regularly.

The User may terminate the Services without charge by registered letter with acknowledgment of receipt from Sarbacane Software within thirty days of the entry into force of these changes. Beyond this period, the User will be deemed to have accepted the changes. However, any modification resulting from the law or the regulations can not be considered as giving right to cancellation.