Data Processing Agreement | Hosting Controller

Data Processing Agreement

Introduction

This Data Processing Agreement (“Agreement”) forms part of the Contract for Services (“Principal Agreement”) between Hosting Controller Inc. (“Processor”), delivering ExSign for Microsoft 365, and the person or entity whose details are indicated in the Agreement to which this Agreement is attached (“Customer” or “Controller”). Hosting Controller and the Customer may collectively be referred to herein as the “Parties” and each individually as a “Party”.

WHEREAS

A. The Customer is interested in using ExSign for Microsoft 365, a software used to centrally manage email signatures and hosted on Microsoft Azure. Together the software and associated services are referred to as the “Services”.

B. The Customer's use of the Services requires that Customer Data (as defined below) is processed by Hosting Controller.

C. The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

D. The Parties wish to set out their respective rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions

Agreement means this Data Processing Agreement and all Schedules.

Customer Data refers to the Customer’s profile data, Entra ID (Azure Active Directory) user attributes, and group memberships of people with accounts in the Customer's Microsoft 365 tenant, which the Customer provides to Hosting Controller in connection with their use of the Services.

Customer Emails means the Customer's outgoing emails sent from mailboxes in the Customer's Microsoft 365 tenant.

Data Protection Laws means EU Data Protection Laws and, where applicable, the data protection or privacy laws of any other country.

Data Subject means an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, through identifiers such as a name, identification number, location data, online identifier, or other factors related to their physical, physiological, genetic, mental, economic, cultural, or social identity.

Effective Date means the date the Customer consents to be bound by the Agreement, either by checking the relevant box on Hosting Controller’s website confirming acceptance of the terms, or by signing a copy of this Agreement received via email.

GDPR means the EU General Data Protection Regulation 2016/679.

Services refers to the software and associated services provided by the Processor.

Sub-processor means any person appointed by or on behalf of Hosting Controller to process Customer Data under this Agreement.

2. Customer Responsibilities

This Agreement applies whenever Customer Data is processed by Hosting Controller as part of Hosting Controller’s provision of the Service. In this context, the Customer acts as the Data Controller and Hosting Controller acts as the Data Processor.

As the Data Controller, you acknowledge and understand that using the Services requires Customer Data to be processed within the Services.

As the Data Controller, you confirm that this Agreement, together with your use and configuration of the Services and its individual features, constitutes your complete and final instructions to us for processing Customer Data. You agree to provide Hosting Controller with lawful instructions only. If we believe an instruction violates applicable Privacy Laws or Regulations, we will notify you and will not be obligated to follow that instruction until the issue is resolved in good faith between the Parties.

As the Data Controller, you also confirm that Customer Data has been, and will continue to be, obtained in accordance with applicable Data Protection Laws.

3. Hosting Controller Obligations as Processor

We, as a data processor, undertake to process Customer Emails only to enable you to use the Services and its individual features, solely under the conditions set forth in this Agreement and applicable Data Protection Laws.

We will not record, register, store, or back up Customer Data or the content of Customer Emails except in the limited circumstances and to the extent described in Appendix 1 to this Agreement, where such action is necessary to provide the Services to you.

Customer Data and Customer Emails are processed exclusively through automated means by ExSign software. No human intervention is involved in accessing, handling, or processing Customer Data or Customer Emails. Hosting Controller personnel cannot physically view, read, or otherwise access Customer Emails. All processing is performed solely by the ExSign system for the limited purpose of applying email signatures and disclaimers as instructed by the Customer.

We will implement and maintain appropriate technical and organizational measures to protect Customer Data from breaches, as described in Appendix 3 to this Agreement. These Security Measures may be updated or modified at our discretion, provided that such changes do not materially reduce the level of protection they offer.

We will ensure that any personnel authorized to process Customer Data on our behalf are subject to appropriate confidentiality obligations, whether contractual or statutory, with respect to that Customer Data.

We will notify you without undue delay upon becoming aware of any Customer Data Breach and will provide timely updates as new information becomes available or upon your reasonable request. At your request, we will provide reasonable assistance to enable you to notify competent authorities and/or affected Data Subjects, if required under Data Protection Laws.

We will delete all Customer Data processed under this Agreement upon termination or expiration of your Subscription Service. This obligation does not apply where applicable law requires us to retain certain data, or where Customer Data has been archived in backup systems. In such cases, the data will be securely isolated, protected from further processing, and deleted in line with our data deletion practices.

4. Subprocessing

By entering into this Agreement, you give us a general consent to engage the sub-processors indicated in Appendix 2. We will inform you of any intended changes to the list of sub-processors in Appendix 2 by sending an email notification. We will send this notification to the contact person indicated by your organization as authorized to receive communication regarding our Services at least 14 days before the engagement of the sub-processor concerned, thereby giving you sufficient time to object to such changes.

We will give you the opportunity to object to the engagement of new sub-processors on reasonable grounds relating to the protection of Customer Data within 30 days of notifying you. If you do notify us of such an objection, the Parties will discuss your concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, we will, at our sole discretion, either not appoint the new sub-processors, or permit you to suspend or terminate the affected Subscription Service in accordance with the termination provisions of the Agreement without liability to either Party (but without prejudice to any fees incurred by you prior to suspension or termination).

We will observe the rules for the engagement of sub-processors, as described in applicable Data Protection Laws, including those described in Articles 28(2) and 28(4) of the GDPR.

Where we engage sub-processors, we will impose data protection terms on the sub-processors that provide at least the same level of protection for Customer Data as those in this Agreement, to the extent applicable to the nature of the services provided by such sub-processors. We will remain responsible for each sub-processor's compliance with the obligations of this Agreement and for any acts or omissions of such sub-processor that cause us to breach any of our obligations under this Agreement.

5. Data Subject Rights

The Service includes technical and organizational measures that allow you to retrieve, correct, delete, or restrict Customer Data. These features are designed to help you meet your obligations under Data Protection Laws, including responding to Data Subjects who exercise their rights.

If you are unable to handle a Data Subject Request directly through the Service, you may submit a written request to us. In such cases, we will provide reasonable assistance to help you respond to requests from Data Subjects, their legal guardians, or data protection authorities regarding the processing of Customer Data under this Agreement.

If a Data Subject Request or other communication about the processing of Customer Data under this Agreement is sent directly to us, we will promptly notify you and direct the Data Subject to submit the request to you. You remain solely responsible for providing a full and substantive response to all such requests and communications.

6. Data Transfers

The Parties acknowledge that, as part of delivering the ExSign service for Microsoft 365, Customer Data may be transmitted only between ExSign’s internal service components when required to provide the Services. These transfers are strictly limited to internal communication within ExSign and will never be transferred, disclosed, or made accessible outside of the ExSign infrastructure under any circumstances.

The Customer understands that ExSign’s cloud service components may be hosted in different geographic regions. However, any transfer of Customer Data will always remain within the secure boundaries of ExSign’s service infrastructure. Hosting Controller will implement and maintain appropriate technical and organizational measures to ensure all such transfers are secure, controlled, and fully compliant with applicable data protection laws, including the GDPR.

7. Data Breaches

We will notify you without undue delay after becoming aware of a Personal Data Breach affecting Customer Data, providing you with sufficient information to allow you to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

We shall co-operate with you and take such reasonable commercial steps as are directed by you to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

8. Deletion of Customer Data

We will delete all Customer Data, including copies, that we process under this Agreement when your Services are terminated or expire. This obligation does not apply if applicable law requires us to keep some or all of the Customer Data, or where Customer Data has been archived on backup systems. In those cases we will securely isolate the archived data, protect it from further processing, and delete it according to our deletion practices.

We will permanently delete Customer Data from the Services within 90 days of termination or expiration of your Services, unless a law requires that the data be retained for a longer period.

After termination or expiration of your Services, we will not perform any operations on Customer Data, unless we are required to do so by law.

9. Audit Rights

We will make available to you, upon request, all information necessary to demonstrate compliance with this Agreement. We will also allow and contribute to audits, including inspections, conducted by you or an auditor authorized by you, in relation to the processing of Customer Data.

Hosting Controller may fulfill its audit obligations under this section by providing or making available to the Customer relevant attestations, certifications, and summaries of audit reports performed by accredited third-party auditors, or other reports necessary to comply with applicable Data Protection Laws.

10. Security

Taking into account the state of the art, the cost of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of natural persons, we will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures include, where applicable, the safeguards outlined in Article 32(1) of the GDPR.

We will protect Customer Data from unauthorized access, unauthorized removal, damage, or destruction. All necessary steps will be taken to maintain confidentiality and safeguard Customer Data in compliance with applicable Data Protection Laws.

All employees authorized to process personal data are bound by confidentiality obligations and receive regular training on data protection provisions relevant to their work.

We regularly monitor internal processes as well as our technical and organizational measures to ensure that processing remains compliant with applicable Data Protection Laws and safeguards the rights of data subjects.

11. Miscellaneous

We may amend this Agreement from time to time, particularly to reflect changes in applicable Data Protection Laws or to accommodate updates to our products or software.

Any alteration or modification of this Agreement will only be valid if made in writing and signed by duly authorized personnel of both parties. If any term or provision of this Agreement is found to be invalid, illegal, or unenforceable, the remaining provisions will remain in full force and effect. Any invalid provision will be replaced with a valid provision that achieves substantially the same objectives.

If we update or amend this Agreement to reflect changes in applicable Data Protection Laws, regulatory requirements, or service practices, we will notify you in writing by email and provide the revised Agreement in full. No such amendments will be implemented without your explicit consent. If you do not agree to the proposed amendments, you may cancel your subscription to the Services.

12. Governing Law and Jurisdiction

This Agreement is governed by the laws of the Province of Ontario, Canada, without regard to its conflict of law provisions.

Any dispute arising in connection with this Agreement that cannot be resolved amicably will be submitted to the exclusive jurisdiction of the courts of Ontario, Canada, with the right to appeal before the competent courts of Ontario, Canada.

Appendix 1 – Details of Processing

Data Controller: Customer (details as provided during subscription)
Data Processor: Hosting Controller Inc.
Address: 1056 Gardiners Rd, Kingston, ON, K7P 1R7 Canada.
Contact Person: Syed Tahir, tahir@hostingcontroller.com

Categories of Data Subjects: Microsoft 365 tenant users

Categories of Data: Email address, unique ID, subject, email contents (for troubleshooting delivery failures).

Appendix 2 – Sub-Processors

Hosting Controller currently uses only one sub-processor:

Sub-processor: Microsoft Azure
Role: Datacenter Provider
Location: Germany West Central

Appendix 3 – Security Measures

We currently observe the Security Measures described in this Appendix 3. The measures provided below apply to the Services provided by Hosting Controller, except where the Customer is responsible for implementing technical and organizational measures to secure its data.

These measures are commercially reasonable and are aligned with industry standard technical and organizational measures to protect personal data. These measures are consistent with applicable laws and meet the standard of protection appropriate to the risk of processing Customer Data in the course of providing Hosting Controller’s ExSign for Microsoft 365 Services. Hosting Controller will regularly carry out tests, review, and update all such measures.

Organizational Measures

  • Employee Training & Awareness: Staff handling Customer Data are trained in GDPR compliance, security awareness, and incident reporting procedures.
  • Confidentiality Agreements: Employees handling Customer Data are bound by contractual confidentiality obligations.

Technical Measures

  • Data Encryption in Transit: All communications between service components (control server, agents, and Microsoft 365 integration points) are encrypted using TLS 1.2+ or equivalent.
  • Data Encryption at Rest: Customer Data stored within ExSign service components is encrypted at rest using industry-standard algorithms (AES-256 or equivalent).
  • Authentication & Authorization: Integration with Microsoft 365 employs secure OAuth2 authentication and delegated permissions. Strong password policies and MFA are enforced where applicable.
  • System Hardening: Hosting environments are regularly patched and hardened against known vulnerabilities. Default configurations are reviewed and secured.
  • Audit Logging: Logging and monitoring mechanisms are implemented for access, configuration changes, and service operations to detect anomalies and unauthorized activity.

Service Integrity & Availability

  • Redundancy & High Availability: Service components are deployed with redundancy and failover mechanisms to ensure continuity of service.
  • Disaster Recovery & Backups: Regular encrypted backups of service configuration and operational data are performed, with tested disaster recovery procedures.
  • Monitoring & Incident Response: Continuous monitoring of service performance and security events, with established incident detection and response processes.

Data Minimization & Processing Controls

  • Data Segregation: Customer Data is logically separated across tenants to prevent unauthorized cross-access.
  • Minimal Data Processing: ExSign processes only the data necessary to apply and manage email signatures within Microsoft 365.
  • No Data Export Outside Service Components: Customer Data is never transferred outside the ExSign service components (control server, agents, and Microsoft 365 integration points), irrespective of reason, unless legally required.
  • Automated Processing and Human Access Restrictions: At no point can Hosting Controller personnel view, read, or otherwise access Customer Emails. Any processing operations are carried out solely by the ExSign system for the limited purpose of applying email signatures and disclaimers.

Testing & Validation

  • Penetration Testing: Periodic penetration tests and vulnerability assessments are conducted to identify and remediate security weaknesses.
  • Change Management: Formal processes are in place for system updates, patching, and changes to ensure security and stability.

Incident & Breach Management

  • Incident Response Plan: Documented procedures exist for identifying, reporting, and mitigating security incidents.
  • Breach Notification: Hosting Controller will notify affected Customers without undue delay upon becoming aware of a personal data breach, including details required by GDPR Articles 33 and 34.