Mailinblack general conditions of use and maintenance (GCUM)
As of 12/01/2023
Mailinblack, a société anonyme (limited liability company), registered in the Marseille Register of Commerce under number B 449 002 104, whose head office is located at 4 place Sadi Carnot, 13002 Marseille (hereinafter referred to as “Mailinblack”), is the creator, developer and publisher of the Mailinblack products.
Consequently, placing an order with Mailinblack or the Distributor entails the purchaser’s full and unconditional acceptance of these GTUM notwithstanding any stipulation to the contrary (deemed invalid and inapplicable) appearing on the Customer’s purchase orders or on its general terms of purchase or on any document provided by the Customer. No special or contrary condition can take precedence over the present GTUM irrespective of when it may have been brought to the attention of Mailinblack or the Distributor, unless expressly accepted in writing by Mailinblack.
In addition to the rights and restrictions set forth herein, any other indications or restrictions contained in the installation and use instructions for the Mailinblack Products or update notes governing their use are incorporated herein by reference.
“Customer” means the natural person or legal entity, acting for professional purposes, who orders the Product. Acceptance of these GTUM by an agent is deemed to be made in the name of and on behalf of the Customer by a duly authorised person.
“Cloud” designates the configuration in which the Product and the Data are hosted by Mailinblack and accessible remotely by the End User.
“Order” means, according to the circumstances, any commercial proposal emanating from Mailinblack or the Distributor accepted by the Customer or any order issued by the Customer and accepted by Mailinblack or the Distributor. The Order is considered as appended to these GTUM by reference.
“Distributor” means the natural person or legal entity, a Mailinblack reseller, with whom the Customer placed the order and who supplied the Product to the Customer.
“Documentation” means paper or electronic documentation, including installation manuals and/or access to and use of the Products.
“Data” designates the data, information and documents created or used by the Customer or the Users in the context of using the Product and, where applicable, stored and hosted by Mailinblack (Cloud) or by the Customer (On-Premise), which remain the property of the Customer.
“On-Premise” means the configuration in which the Product and Data are hosted by the Customer in its environment or under its control and responsibility.
“Product” means the software products (in their executable form and, exceptionally, the hardware) and the related Documentation for which the Customer placed an Order. The definition of the Products includes all updates, new versions, patches and improvements provided directly by Mailinblack or via the Distributor.
“Prerequisites” means the infrastructure, including the computer hardware and the software environment, and any other specification or instruction, in which the Product is installed (On-Premise) and/or from which the Users can access and use the Product and that the Customer must implement to enable the installation (On-Premise) and/or the correct use of the Product. The Distributor or Mailinblack will inform the Customer of the Prerequisites, which may change during the Product’s use.
“Services” means the services provided by Mailinblack related to the Products as described herein.
“User” designates the agents or employees of the Customer duly authorised to use the Product, for whom the Customer vouches for their compliance with the GTUM. The Users may be simple users or administrator users.
2. Purpose of the GTUM and description of products
The Products are cybersecurity solutions, namely:
- “Protect”: an email security solution (anti-spam, anti-malware, anti-phishing and anti-spearphishing) that authenticates the senders of emails received by Users and “Protect Out”, an option of Protect that allows the use of Mailinblack’s IP addresses for sending emails by Users.
- “Cyber Coach”: a product for simulating campaigns and raising awareness of phishing attacks.
- “Cyber Academy”: a cybersecurity training solution via an online platform.
The Products are made available in Cloud or On-Premise configurations.
At the Customer’s request and subject to acceptance by Mailinblack, Mailinblack may provide the Customer with a server on which the Product will be installed. In this case, the server will be sold to the Customer at the price mentioned in the Order and will become the property of the Customer. Mailinblack does not give any warranty other than the warranty that may be granted by the manufacturer on this equipment, and shall have no maintenance obligation with respect to said equipment.
The Products and Services may be marketed to the Customer either by Mailinblack or by the Distributor. In the event of marketing by a Distributor, the latter is responsible, in any event, for the obligations related to the Product Order. Support and maintenance services and hosting services (Cloud) may be provided by Mailinblack or the Distributor, under its responsibility, as agreed with the Customer.
When the Distributor or any other third party is in charge of the Services and in particular the installation, hosting and/or support or any other service relating to the Products and Data, it provides these services under its own responsibility, to the exclusion of any responsibility of Mailinblack.
Thus, the purpose of these GCUMS is to govern, on the one hand, the terms and conditions under which Mailinblack grants the rights of use to the Product, hosts and makes available the Product and the Data (Cloud), and on the other hand, the conditions under which the Customer and/or the Users install(s), run(s) (On-Premise) and/or access(es) and use(s) the Product.
The purpose of these GCUMS is also to define the terms and conditions under which Mailinblack provides the Services, in particular the support, warranty and maintenance relating to the provision of the said Product and, where applicable, provides the hosting of the Product and the Data (Cloud) when these services are provided by Mailinblack.
Unless expressly provided otherwise, the GCUMS do not include the installation, configuration, adaptation, customization, nor the adaptation of the Product to the specific needs of the Customer who acknowledges that he/she has chosen the Product under his/her responsibility, according to his/her needs and constraints.
The GCUMS, the Order, the Training Agreement (for the use and financing of the Cyber Academy product) and, if applicable, any other document referred to in these GCUMS or annexed by the Parties constitute the “Contract”.
The provisions relating to the personal data processed in the context of the use of the Product are set out in the Annex to these GCUMS.
Mailinblack may modify the Services or the functionalities included in the various offers or Products, or the present GCUMS, at the end of the current subscription period or with a two-month notice (this period will not be applicable in the case of a minor update of the Product not impacting a substantial functionality of the Product, or aiming at improving the security). If the Customer does not agree, the Customer may terminate the contract.
2.1. Protect description
Emails received by Users transit through Mailinblack’s server before being forwarded and stored on the Customer’s email system if they come from an authenticated source.
When receiving an email from an unknown sender, an email will be sent to the sender allowing him/her to authenticate himself/herself through a link and a captcha (or equivalent) to be filled in. This email can be personalized by the User administrator on the Product.
The source (sender, email or domain name) can also be manually authenticated by the User on the Product.
Emails coming from an unauthenticated source remain pending authentication on Mailinblack’s server for a period of 30 days, counted from 0h00 on the day after the email was received.
Once a source is authenticated, all emails from that source are immediately delivered to the User’s email system after transit through the Mailinblack server.
The pending emails stored on Mailinblack’s server awaiting authentication and the list of authorized or banned senders are accessible by each user on the Product.
The Customer acknowledges having read the commercial and technical presentation describing the Product made available to him (in particular on the Mailinblack website), undertakes to always respect the Prerequisites (and instructions and recommendations as well as any updates communicated subsequently) for a correct installation (On-Premise), access and use of the Product and accepts in particular that (i) the Product does not in any way constitute a tool or service for storing, archiving and/or hosting immaterial data, for which Mailinblack or the Distributor cannot assume any responsibility (the Customer will be personally responsible for the daily processing, backup, storage and archiving of its data) and that (ii) if the sender of an email does not identify himself or if the User does not authorize the source during the time period set to receive the authentication, the said email is considered as an unsolicited email and is deleted at the end of the said time period with no possibility of restoration. The Customer acknowledges and accepts this mechanism and waives the right to hold Mailinblack or the Distributor liable for any non-delivery of data as a result.
In particular, the Product allows the Customer to route any e-mail sent to his domain name through a Mailinblack Protect server whose purpose is to filter unwanted e-mails. The delivery of e-mails to the User depends either on the authentication performed by the sender or on the manual authentication by the User, so that Mailinblack can in no way guarantee that the User will not receive any unsolicited e-mail, nor that a solicited e-mail will not be intercepted by the filter. At any time, the User can consult on the Protect Product the exhaustive list of e-mails that have been stopped by the Protect Product and can, if he wishes, ask to receive each of them until the expiration of the waiting period mentioned above (Article 2.1).
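The quarantine flow described in Article 2.1 (unknown senders are held and challenged, an authenticated source is released and delivered from then on, a User may ask for a stopped email before the deadline, and anything still pending after the 30-day window counted from 0h00 the day after receipt is deleted without restoration) as an added simulation written for this page; it is not Mailinblack's code, and the class, method names, the in-memory lists standing in for the challenge email and the mailbox, and the choice to check the banned list before the authorized list are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

PENDING_DAYS = 30  # retention period stated in Article 2.1


@dataclass
class Email:
    id: str
    sender: str
    subject: str
    received_at: datetime


def expiry_of(received_at: datetime) -> datetime:
    """Deadline for a pending email: 30 days from 00:00 on the day after receipt."""
    window_start = datetime.combine(received_at.date() + timedelta(days=1),
                                    datetime.min.time())
    return window_start + timedelta(days=PENDING_DAYS)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


@dataclass
class ProtectFilter:
    """Simulated per-User filter state (assumed structure, not the product's)."""
    authorized: Set[str] = field(default_factory=set)  # sender addresses or domains
    banned: Set[str] = field(default_factory=set)
    pending: Dict[str, Email] = field(default_factory=dict)
    delivered: List[str] = field(default_factory=list)       # ids forwarded to the mailbox
    challenges_sent: List[str] = field(default_factory=list)  # senders asked to authenticate
    deleted: List[str] = field(default_factory=list)          # ids removed, no restoration

    def _matches(self, listing: Set[str], sender: str) -> bool:
        # A source may be listed as a full address or as a bare domain.
        s = sender.lower()
        return s in listing or domain_of(s) in listing

    def receive(self, email: Email) -> str:
        """Route an inbound email: banned -> dropped, authorized -> delivered, else held."""
        if self._matches(self.banned, email.sender):
            self.deleted.append(email.id)
            return "banned"
        if self._matches(self.authorized, email.sender):
            self.delivered.append(email.id)
            return "delivered"
        self.pending[email.id] = email
        self.challenges_sent.append(email.sender)  # stands in for the captcha challenge email
        return "pending"

    def authenticate(self, source: str) -> List[str]:
        """Sender completed the captcha, or the User authorized the address/domain manually.
        Every email from that source that is still pending is released at once."""
        self.authorized.add(source.lower())
        released = [e.id for e in list(self.pending.values())
                    if self._matches({source.lower()}, e.sender)]
        for eid in released:
            del self.pending[eid]
            self.delivered.append(eid)
        return released

    def ban(self, source: str) -> None:
        self.banned.add(source.lower())

    def request_delivery(self, email_id: str, now: datetime) -> bool:
        """User asks to receive one stopped email; only possible before its deadline."""
        email = self.pending.get(email_id)
        if email is None or now >= expiry_of(email.received_at):
            return False
        del self.pending[email_id]
        self.delivered.append(email_id)
        return True

    def purge(self, now: datetime) -> List[str]:
        """Delete pending emails whose window has elapsed; returns the ids removed."""
        expired = [eid for eid, e in self.pending.items()
                   if now >= expiry_of(e.received_at)]
        for eid in expired:
            del self.pending[eid]
            self.deleted.append(eid)
        return expired

    def stopped_emails(self) -> List[Email]:
        """The exhaustive list a User can consult on the product."""
        return list(self.pending.values())
```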
2.2. Cyber Coach description
This Product allows an Administrator User to send phishing campaigns by email to a set of Users, to visualize statistical data on their interactions with the campaigns and to make them aware of the right attitudes to adopt when faced with these threats.
The campaigns are based on attack templates provided by Mailinblack and customized by the User Administrator according to the Customer’s needs. The User Administrator is responsible for the choice and the settings of the campaigns (for example, the targeted Users, the types of phishing emails sent, the frequency of the campaigns).
Within the framework of the Cyber Coach Product, the User Administrator may choose to refer to third parties to simulate a phishing attack whose distinctive signs will only be used for illustration and awareness purposes, depending on the Customer’s environment. The Customer acknowledges and accepts that there is no link between Mailinblack and the third parties whose trademarks could be used in the context of awareness campaigns.
When a campaign is sent, an email is sent to each User inviting them to click on a link. Once the link is clicked, the User is taken to a fake phishing page where he/she is asked to fill in sensitive information about him/herself or his/her company. Once the User has filled in and transmitted the data, an information page informs them that they have been tricked and educates them on how to protect themselves.
The tool collects information about the User’s interactions on the phishing and awareness pages. This information allows the User Administrator to assess the level of vulnerability of its Users. This information is also used by Mailinblack’s targeting algorithm to provide the most effective phishing campaigns and awareness pages for Users.
The Customer acknowledges and accepts that the emails sent as part of the awareness campaign may in some cases be blocked by the Customer’s email server or any other anti-phishing device put in place by the Customer (anti-spam, firewalls, browser features, flow analysis by the workstation’s antivirus, proxy, etc.) thus preventing the proper execution of an exhaustive campaign.
The Customer acknowledges and accepts that the Cyber Coach Product aims at raising the awareness of the Users and obtaining statistics but does not guarantee in any case a protection against phishing attacks, which depends only on the hardware, software and human resources set up by the Customer, in particular the devices set up by the Customer and the behavior of the Users facing such attacks.
2.3. Cyber Academy description
This product enables a User Administrator to provide his employees with cybersecurity training modules via an online training platform.
The training modules are provided by Mailinblack and consist of several chapters.
The chapters are themselves made up of textual and visual training elements. They are designed to be easy to understand, fun, relevant and engaging. At the end of each chapter there are one or more games which take up, in the form of questions, the elements covered in the chapter. If the learner completes the game without making any mistakes, they can move on to the next chapter. If they make mistakes, they can start again until they have succeeded.
Experience points are accumulated for each chapter completed, making learning more fun and encouraging further training.
The User Administrator has an overview of the training progress of all learners. They can see which modules have been used most and least. If they wish, User Administrators can send an email to certain employees to encourage them to continue with the course if they notice a drop in motivation. They can also send congratulatory messages to top performers, thereby helping to maintain a climate of motivation and commitment.
The User can monitor his own progress via various indicators such as his experience points, his estimated time spent training on Cyber Academy and on the training modules he has not yet completed.
The Customer acknowledges and accepts that the Cyber Academy Product aims to train and educate Users on good cybersecurity practices and obtain statistics but in no way guarantees protection against cyber attacks. Such protection depends exclusively on the hardware, software and human resources put in place by the Customer, in particular security measures and the behaviour of Users in the face of such attacks.
2.4. Guarantee of confidentiality of Data and contents.
Mailinblack undertakes to treat all Data as confidential, more specifically under the conditions set out in the Appendix “Personal Data”.
The Customer acknowledges that the connection identifiers allowing Users to access the Product and the Data are strictly personal and confidential. Consequently, the Customer shall not communicate or share them with third parties. In the event that the Customer or a User disseminates or uses these elements in a manner contrary to their purpose, Mailinblack shall be entitled to terminate the contract. To avoid fraudulent use of the Identifiers, the Customer undertakes to choose a password that provides a high level of security in accordance with the standards and recommendations currently in force. The Customer is solely responsible for the use of these identifiers by third parties, and in this respect guarantees Mailinblack against any request and/or action based on the use, fraudulent or otherwise, of these identifiers. Mailinblack cannot be held responsible in the event of fraudulent use of the Identifiers as it does not have the technical means to ensure the identity of the persons accessing the Product.
In the Cloud configuration, Mailinblack undertakes to host the Product and Data on a server and to monitor and maintain this infrastructure in good working order within the framework of an obligation of means and under the conditions specified in the “Personal Data” Appendix.
It is specified that the fee payable by the Customer is exclusive of any additional expenses, in particular the cost of telecommunications and access to the Internet, necessary to access and use the Product or the costs related to the infrastructure on which the Product is installed (On-Premise) and which remain at the Customer’s expense and responsibility.
The Customer undertakes to only place on Mailinblack’s servers Data that it owns or is authorised to hold and which are not likely to affect the good working order of said servers. Where applicable, the Customer undertakes to use data in the form and manner indicated by Mailinblack or the Distributor.
Mailinblack reserves the right to modify or interrupt access to the Product for reasons of security, maintenance, updating or improvement or to change the content without compensation. Whenever possible, Mailinblack will endeavour to minimize inconvenience to the Customer and to inform it prior to an interruption. Mailinblack will not be liable for technical constraints related to the specific characteristics of the Internet network or any interruption that is not attributable to a fault on its part.
3. Orders and payment
These provisions are applicable when the Order is placed with Mailinblack (otherwise, the terms and conditions of the Distributor apply).
Unless Mailinblack expressly indicates otherwise to the Customer, the Order is placed electronically and becomes binding and definitive when the Customer signs the Mailinblack quotation.
Billing is carried out at the time of the Order, notwithstanding the installation of the Product. Payment shall be made by cheque or bank transfer, within 30 days of receipt of the invoice and then at each renewal date of the Contract.
The interest rate for late payment penalties due on the day following the settlement date shall be equal to the interest rate applied by the European Central Bank on its most recent refinancing operation plus 10 percentage points under the conditions set out by Article L446-1 of the French Commercial Code. Late payment penalties are due without the need for a reminder.
In addition, in the event of late payment, the Customer will by operation of law owe Mailinblack lump sum compensation for collection costs equal to the amount in effect determined by decree. When the collection costs incurred exceed the amount of this lump sum indemnity, Mailinblack may request additional compensation, upon proof of such costs.
4. Transferred rights
The Customer acknowledges that copyright and other rights related in particular to intellectual and industrial property, patents, trademarks, trade secrets, know-how, ideas, concepts and inventions, any interest, covered by applicable law or not, concerning the Products, including but not limited to, any modifications, translations, adaptations, improvements, patches, updates or new versions, derivative works, compilations, technical know-how as well as all content accessible via Cyber Academy, are and remain reserved at all times to Mailinblack (or, where applicable, to their holder).
Mailinblack grants the Customer a right to install (On-Premise) and use the Product (and its related Documentation) as described in the Order and the corresponding invoice, in its executable form, for the number of licenses provided for in the Order. Unless stated otherwise, a license corresponds to a Customer’s mailbox.
This right of use is personal, limited, temporary, non-transferable and non-exclusive to the Customer and may not be assigned or loaned to other persons. The use of the Product is intended to cover only the Customer’s internal and professional needs. The rights granted further to these GTUM do not have the effect of transferring to the Customer or Users any rights other than those expressly granted herein and as detailed in the Order.
Any use not provided for herein is prohibited and, in particular but without limitation, the Customer (including Users) undertakes not to (nor authorise any third party to do so) (i) install the Product and/or use it for purposes other than those described in the Documentation, (ii) make copies (On-Premise: except the legally authorised backup copy), reproduce, alter, adapt, translate in any way or integrate in any other product, all or any part of the Product or its Documentation, create derivative works from the Product, disassemble or practice reverse engineering or attempt to discover the source codes (deemed strictly confidential), (iii) modify the Product in any way, even to the extent of correcting the errors that it may contain, this competence being exclusively reserved for Mailinblack, (iv) distribute, give or sell under sub-licence, broadcast, assign, rent, lend, lease, sell, give or otherwise transfer for commercial purposes, even free of charge, all or part of the Product, by any means, to any person, except with the express consent of Mailinblack; (v) infringe in any way whatsoever the rights of Mailinblack. These provisions apply to content accessible via Cyber Academy.
5. Support & maintenance
These provisions are applicable when the Services are carried out by Mailinblack (in the case where they are provided by the Distributor, the Distributor’s conditions are applicable).
This being said, the level 3 software maintenance services are carried out exclusively by Mailinblack, which thus reserves the right to adapt, modify and correct the Products. In the case where the Distributor is in charge of the Services, it will be the Customer’s sole point of contact for the level 1 and 2 maintenance services.
The Services are valid for a Product regularly ordered, installed and used, and exclusively for the initial installation site of the Product (On-Premise, with a possible site change after informing Mailinblack) and/or the domain name as indicated to Mailinblack.
The Services are provided remotely and include technical support and software maintenance.
5.1. Technical support:
This service includes remote technical assistance, via telephone and/or email from Monday to Friday from 8:00 a.m. to 6:30 p.m. except public holidays and when the Customer is informed in advance of the service’s unavailability. It does not cover abusive, repeated requests and/or difficulties that reading the available Documentation can resolve.
5.2. Software maintenance:
Mailinblack maintains the Product, which involves providing Product patches and updates required for its normal operation. These patches and updates must be installed and/or authorised by the Customer (if necessary) within a reasonable time after they are made available (On-Premise), except to relieve Mailinblack of any obligation or liability arising from these GTUM. These patches and updates are licensed under the terms of the GTUM unless conditions of use accompany them on a case-by-case basis.
Mailinblack reserves the right to discontinue the Maintenance of any version of the Product prior to the version being marketed, provided that the Customer has been so informed three (3) months beforehand (On-Premise).
The Services do not include any services to integrate the Product in the Customer’s technical environment (hardware and software), to communicate with other operating or information systems, to develop specific computer programs, additions or modifications to existing programs, nor any user training, incidents due to misuse of the Product by the Customer, a malfunction of the Customer’s IT environment or a failure or interruption of the telecommunication networks and/or electrical network, as well as any intervention on the Customer’s site.
6. Product warranty
Since the Product falls within an especially complex field of computer technology and, in the current state of knowledge, it cannot be physically tested for all possible uses, no other warranty than those described in the GTUM can be accepted.
The operation of the unmodified Product, properly installed and/or used, especially with regard to Mailinblack’s Prerequisites and instructions, unmodified and regularly updated, is warranted and maintained in compliance with the functional and technical characteristics described in the Documentation, for the term of the contract.
The right to install (On-Premise) and/or use the Product is granted “as is” without any other warranty of any kind, express or implied, regarding its quality, performance or results, or the non-infringement of the rights of third parties.
Mailinblack has an obligation of means and can only be held liable for proven fault or negligence in the performance of its obligations, unless expressly stated otherwise.
7. Customer obligations and responsibilities
The Customer and the Users must have the skills, hardware and software required to use the Product, as well as meet Mailinblack’s Prerequisites to install (On-Premise) and/or use the Product. Mailinblack will not be liable for any damage arising from use of the Product in combination with software or hardware used by the Customer or any technical problem of the Customer on its information system.
In the event of On-Premise subscription, it is the responsibility of the Customer to ensure the operation, availability and security of its servers.
The Customer warrants to Mailinblack that the Data do not infringe the rights of third parties and undertakes to comply with all regulations applicable to it related to its use of the Product.
As such, the Customer undertakes to hold Mailinblack harmless against any legal proceeding and/or complaint and/or conviction pronounced against it (especially in the event of a legal proceeding by a User or a third party), including indemnities, court fees and legal fees that could be charged to it, due to a failure of the Customer and/or User to comply with their legal and contractual obligations.
For the MIB-SMTP Product, the Customer undertakes to hold Mailinblack harmless against any damage or any legal proceeding and/or claim and/or condemnation resulting from the Customer’s use of Mailinblack’s IP addresses to send emails.
8. Exclusion and limitation of liability
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE LIMITATIONS AND EXCLUSIONS OF LIABILITY SET OUT IN THESE GTUM APPLY, IRRESPECTIVE OF THE GROUNDS OF LIABILITY.
IN NO EVENT SHALL MAILINBLACK BE LIABLE TO THE CUSTOMER, INCLUDING FOR THIRD PARTY CLAIMS, FOR ANY CLAIMS OR COSTS WHATSOEVER RELATING TO ANY INDIRECT DAMAGES, INCLUDING BUT NOT LIMITED TO ANY FOREGONE INCOME, OPERATING LOSSES OR PROFITS, ANY BUSINESS INTERRUPTION RESULTING FROM THE PRODUCT AND ITS DOCUMENTATION, ITS USE OR THE IMPOSSIBILITY OF ACCESSING AND/OR USING IT, OF ITS MAINTENANCE OR IMPOSSIBILITY TO PROVIDE MAINTENANCE, OR EVEN THE PRODUCT’S FAILURE TO RUN WITH ANY OTHER PROGRAM, EVEN IF MAILINBLACK OR THE DISTRIBUTOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
IN NO EVENT CAN MAILINBLACK BE HELD LIABLE OR RESPONSIBLE FOR ANY OTHER DAMAGES OTHER THAN THE PROVEN DIRECT DAMAGES THAT ARE ATTRIBUTED TO IT, WITH THE FOLLOWING LIMITATION: IN ANY EVENT, MAILINBLACK’S TOTAL LIABILITY SHALL BE STRICTLY LIMITED AND IN NO CASE EXCEED THE AMOUNT THAT THE CUSTOMER ACTUALLY PAID FOR THE PRODUCT THAT LED DIRECTLY TO THE PREJUDICE DURING THE PERIOD OF TWELVE (12) MONTHS PRECEDING THE EVENT WHICH CAUSED THE DAMAGE.
Neither party shall be liable nor deemed to have failed in its obligations, if such breach is due to an event of force majeure.
Force majeure is considered to be any event beyond the control of one or all of the parties, and in particular civil or foreign wars, riots, fire, water damages of all kinds, accidents, social movements with occupation of the premises, governmental, regulatory or legislative decisions or any other restrictions, natural disasters, interruptions of channels of communication, shortages of energy, raw materials or finished products, or any other cause that would be beyond the control of one of the parties.
9. Term and termination
The right to access and/or use the Product remains valid for the term stipulated in the Order. At the end of this term, the grant of these rights is automatically extended for successive terms of the same duration unless otherwise notified by either Party by registered letter with acknowledgment of receipt before the end of the current term.
At the end of each term, Mailinblack or the Distributor may change its license fee rate. In this case, the Customer then has a period of 30 working days, from the notification of the change, to inform Mailinblack or the Distributor of its acceptance or rejection of the new rate. In the absence of refusal during this period, the Customer will be deemed to have definitively accepted this new rate.
Without prejudice to any damages that they may claim, Mailinblack or its Distributor reserves the right to terminate any right of access and/or use, by operation of law and without judicial intervention, obligation or other responsibility, in the event the Customer breaches these GTUM or any other conditions related to the Product that aren’t remedied eight (8) days after sending a formal notice.
The termination of the contract, for any reason whatsoever, in advance or at its end, will terminate the rights granted herein. Upon termination, for any reason whatsoever, the Customer shall immediately, as applicable, (i) remove the Product from the environment it was installed in, or from any other computer system, storage tool or file (On-Premise) and cease to use it, in any way, (ii) return to Mailinblack or the Distributor any copy of the Product (On-Premise), including any copies and any Documentation and (iii) certify in writing, at the request of Mailinblack or the Distributor, compliance with these obligations. The rights and obligations that, by their nature, must continue after the end of these GTUM will always be applicable.
10. Applicable law and jurisdiction
These GTUM are subject to French law, excluding the Vienna Convention on the International Sale of Goods and rules related to conflicts of law and jurisdictions.
ANY DISPUTE INVOLVING MAILINBLACK RELATED TO THESE GTUM AND THEIR CONSEQUENCES, ESPECIALLY CONCERNING THEIR INTERPRETATION, PERFORMANCE OR TERMINATION, SHALL BE REFERRED TO THE COMPETENT COMMERCIAL COURT IN THE JURISDICTION OF MAILINBLACK’S REGISTERED OFFICE WHERE JURISDICTION IS EXPRESSLY ATTRIBUTED, NOTWITHSTANDING MULTIPLE DEFENDANTS, THIRD PARTY CLAIMS OR INCIDENTAL CLAIMS, INCLUDING FOR EMERGENCY PROCEDURES OR PROCEDURES ON REQUEST.
11. General provisions
The failure to exercise, the partial exercise or the delay in exercising the rights provided for in these GTUM does not in any way constitute a waiver of the exercise of these rights, nor a waiver of any other right. Any waiver or modification of the GTUM will only be effective if it is provided for in a written document.
If any provision of the GTUM is deemed to be null and void, it will be considered unwritten but the remaining provisions will remain in force and effect unless the cancelled provision is essential to Mailinblack, in which case the contract will be deemed terminated as a whole.
These GTUM constitute all of the rights and obligations governing the use of the Mailinblack Product in place of any previous proposal or agreement, written or verbal.
APPENDIX 1: PERSONAL DATA PROCESSED IN THE CONTEXT OF THE PRODUCT
The purpose of this appendix is to define the conditions under which Mailinblack undertakes to perform on behalf of the Customer the processing operations for the Personal Data described hereinafter, as part of supplying the Product.
Within the framework of their contractual relations, Mailinblack and the Customer undertake, respectively, to comply with the regulations in force (hereinafter referred to as “Regulations”) concerning the processing of personal data applicable to their activities and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, applicable from 25 May 2018 (hereinafter referred to as the “GDPR”).
The definition of the words or expressions used in this appendix in upper case is specified in the GTUM or hereinafter.
Data Subject: natural persons whose Personal Data are subject to the Processing.
Personal Data: data which, within the meaning of the Regulations, can be used to designate or identify, directly or indirectly, a Data Subject and are subject to the Processing.
Processing: any operation applied to Personal Data by the Customer as a Controller and by Mailinblack as a Processor in performing the Contract as described below.
II. Description of the Processing
Execution of the Contract is likely to result in the Processing described below in accordance with Article 28.3 of the GDPR.
It is reiterated that the Customer acts as the controller and Mailinblack acts as the processor concerning the Processing of Personal Data.
2.1. Description of the Processing in the context of the use of the Protect Product
Nature, purpose and aims of the Processing: Personal Data may be collected, recorded, organized, structured, stored, accessed, disseminated, made available or deleted in the context of the provision of the Product and the performance of the Contract.
Purposes of the Processing: the Processing carried out by Mailinblack as a subcontractor is intended to provide the Protect Product and the Services, to execute the Contract and the Customer’s instructions in accordance with the Contract, including, where applicable, for the purposes of carrying out maintenance operations, storing, backing up, transmitting or making available the Data during the transit of emails on Mailinblack’s servers, the routing of the same to the Customer’s servers and the hosting of the Protect Product and the Data in Cloud mode.
The Processing carried out by the Customer through the Protect Product is intended in particular to allow the User to manage the emails sent by senders to the Users, the authentication of senders and the recovery of blocked emails, and to allow the User Administrator to manage the Users and the information communicated on the Protect Product for the use of the Protect Product by the Users.
Duration of Processing:
- User Data for managing access to the Protect Product: duration of the Contract (and as long as the User is designated as such)
- Data of the senders: duration of the Contract except for the deletion of the data relating to the senders deleted by the User during the use of the Protect Product
- Data related to emails transiting through Mailinblack’s servers: duration necessary for the routing of the email after authentication of the sender (maximum period of 5 days if the Customer’s email server does not respond) or, in the absence of authentication, quarantine period set by the Customer (generally, 30 days).
Categories of Data Subjects: users and senders of emails.
Categories of Personal Data: the categories of Personal Data are determined by the Customer in the context of the use of the Protect Product. It is in principle the following data:
- For Users: last name, first name, email address, whitelist and blacklist of senders, metadata (subject, date and time, sender, recipient) and content of the email sent to the User.
Optional data: name and logo of the Customer, IP address, Title, address of the Customer (zip code, country, state), cell phone, fax, personal phone, Beeper, title, description, nickname, initials, web page, social network pages, as well as any other data included by the Customer in the personalization of emails and authentication pages. The Customer is informed that Mailinblack does not store the User’s passwords in their original form (storage of an imprint of the password via an irreversible hash function) and that in the event of loss or wish to change the password, the Customer must choose a new password.
- For email senders: email address, metadata (subject, date and time, sender, recipient) and content of the email sent to the User.
Conservation of data related to the sending of emails for traceability and security purposes:
- For the User: email address of the sender, email address of the recipient, subject of the email, IP address of the sender used to send the email, date and time, IP address used when connecting to the interface, interface connection identifier, date and time of connection to the interface.
- For the sender: IP address used when accessing the captcha authentication page, sender’s email address, date and time of connection to the interface.
The Customer agrees not to transfer specific categories of personal data as determined by the Regulation.
2.2. Description of the Processing in the context of the use of the Cyber Coach Product
Nature, purpose and aims of the Processing: Personal Data may be collected, recorded, organized, structured, stored, accessed, disseminated, made available or deleted in the context of the provision of the Cyber Coach Product and the performance of the Contract.
Purposes of the Processing: the Processing carried out by Mailinblack as a subcontractor is intended to provide the services resulting from the provision of the Cyber Coach Product, to perform the Contract and the Customer’s instructions in accordance with the Contract, including, where applicable, for the purposes of carrying out maintenance operations, storage, backup, delivery of campaign emails to Users and hosting of the Product and the Data in Cloud mode.
The Processing carried out by the Client through the Cyber Coach Product aims in particular to:
- allow the Administrator Users to define sets of Users (using the name/first name/emails) for carrying out the campaigns;
- send the phishing simulation emails to the Users designated by the Administrator User (using the name/first name/emails);
- enable a targeting algorithm to understand the behavior of Users, their level of sensitivity and education to a phishing attack and their ability to learn about an awareness topic, in order to provide them with tailored content that allows them to progressively improve (using multiple data from the User’s interactions with the phishing and awareness page).
Duration of the Processing: until deletion of the data by the User Administrator during the execution of the Contract or, failing that, during the duration of the Contract plus a period of two months from the termination of the Contract.
Categories of Data Subjects: Users.
Categories of Personal Data: the categories of Personal Data are determined by the Client when using the Cyber Coach Product, according to the settings chosen. It is in principle the following data concerning the Users: name, first name, email address, IP address, connection logs, browsing behavior on the phishing and education/awareness pages (mouse position, mouse movement, speed of movement, duration of mouse immobilisation, clicks made, number of page openings, duration of browsing on the page, any data entry (the content of such entries not being collected)), answers to the evaluation and education questionnaires.
The Parties may agree in writing that other categories of Personal Data will be processed.
2.3. Description of Processing in connection with the use of the Cyber Academy Product
Nature, purpose and aims of the Processing: Personal Data may be collected, recorded, organized, structured, stored, consulted, disseminated, made available or deleted in connection with the provision of the Product and the performance of the contract.
Purposes of the Processing: the Processing carried out by Mailinblack as a subcontractor is intended to provide the services resulting from the supply of the Cyber Academy Product, to perform the Contract and the Customer’s instructions in accordance with the Contract, including, where applicable, for the purposes of carrying out maintenance operations, storage, the supply of usage data and results to Users and the hosting of the Product and Data in Cloud mode.
Duration of Processing: until deletion of the data by the User Administrator during performance of the Contract or, otherwise, for the duration of the Contract plus a period of two months from termination of the Contract.
Categories of Data Subjects: Users.
Categories of Personal Data: the categories of Personal Data are those communicated by the User, i.e.: surname, first name and business contact details, time elapsed since last connection, completion rate, success rate, time spent using the Product, emails sent to the User (reminders, congratulations) and, if applicable, certificates required under training obligations.
The Parties may agree in writing that other categories of Personal Data will be processed.
III. Customer’s Obligations
The Customer undertakes to comply with its obligations under the Regulations with regard to the Data Subjects.
In particular, but without limitation, the Customer as data controller undertakes to comply with the principles of Personal Data protection to ensure, as far as it is concerned, the security, confidentiality and integrity of Personal Data by implementing appropriate technical and organisational measures, to only send Mailinblack Personal Data lawfully obtained and processed and not to use the Product for purposes that do not comply with the Regulations.
In addition, to the extent that the Administrator Users can access User Data, the Customer is responsible for ensuring they are authorised to do so.
The Customer must also ensure that the Product Data are regularly deleted when it is no longer necessary to store them for the purposes of the Processing that it determined.
The Customer chose Mailinblack and the Product under its responsibility, considering in particular that the information provided by Mailinblack presents sufficient guarantees that the Processing satisfies the requirements of the Regulations and guarantees the protection of the rights of the Data Subjects.
The Customer acknowledges the risks and limitations of Data transfers via the Internet and more particularly by email and shall refrain from using this channel to transfer sensitive data in accordance with the recommendations of the CNIL (French Data Protection Agency). Mailinblack cannot be held liable for the loss, illegitimate access or alteration of sensitive data sent by email.
IV. Mailinblack’s Obligations
As a processor, Mailinblack processes Personal Data only on the Customer’s documented instructions for the purposes agreed to by the parties. This Agreement, the Customer’s actions when using the Product and any instructions communicated in writing by the Customer within the scope of the Contract constitute the Customer’s instructions.
If Mailinblack is obliged to transfer data to a third country or an international organisation under European Union law or French law, Mailinblack will inform the Customer, unless prohibited for important reasons of public interest.
Mailinblack ensures that the persons authorized to process Personal Data are committed to respecting the confidentiality of such Personal Data and are aware of the need to protect Personal Data.
In the context of the use of Protect, Mailinblack guarantees that the content of the e-mails passing through its servers is treated as strictly confidential information and guarantees that access to these servers is forbidden to any person who is not subject to a confidentiality undertaking or who is not authorized to do so by a final court decision.
To protect the confidentiality of the Data, Mailinblack constitutes a database independent of its other databases of customers and/or prospects and prohibits any use of the information in this database for purposes other than the proper functioning of the service.
4.3. Security and subcontractors:
Mailinblack takes the protection of Customer Data very seriously and has implemented various measures to protect these data from inappropriate access or use by unauthorised persons. This includes restricting access by Mailinblack’s staff, its subcontractors and its distributors.
Mailinblack uses different partners to host the data of its cloud-based solutions, including OVH and Microsoft Azure. These outsourcing partners provide Mailinblack with physical datacentre hosting locations and IaaS and PaaS hosting for cloud computing and storage capacity.
Data access can be divided into two categories: physical access and logical access.
- Physical access to datacentres and servers containing Data:
  - IaaS and PaaS hosting, as provided by OVH and Azure, have physical access restricted to the host’s teams.
  - All the datacentres are monitored 24/7 and their access is secured by several processes: cameras, barriers, identification, badges, biometrics, etc.
- “Logical” access to data from a network and software perspective is protected in depth by multiple firewalls, secure connections, role-based access controls and restriction and authentication mechanisms:
  - Most Mailinblack Cloud solutions are shared, which means that Data may be stored on the same physical hardware as other customers’ data. To ensure that each customer can only access its Data, Mailinblack uses logical isolation to isolate access to the Data.
  - Access to the Customer’s functional Data via the provided interface is limited to the authorised Mailinblack technical teams, the Customer’s users, the manager account and the potential Distributor according to the agreements between the Distributor and the Customer.
  - Mailinblack’s subcontractors do not have direct logical access to the Data, but may be required to intervene and access it in the event of an incident or to provide service on behalf of Mailinblack. The subcontractors that can access the data are OVH and Microsoft. They are bound by a strict obligation of confidentiality and we make sure to impose the same undertakings on them as we undertake ourselves.
Below you will find the detailed physical and/or logical security measures of the different Mailinblack subcontractors.
4.4. Requests from data subjects:
At the Customer’s request, Mailinblack undertakes to collaborate as far as possible with the Customer to respond to any request from a Data Subject made in accordance with the Regulations concerning his or her Personal Data.
As such, the Customer is informed that it may itself correct or delete the Personal Data on the Product. If a Data Subject sends a request directly to Mailinblack, Mailinblack undertakes to send it as soon as possible to the Customer.
4.5. Customer Information:
The Customer may request from Mailinblack the reasonable information required to demonstrate compliance with its obligations under Article 28 of the GDPR and to permit audits, including inspections, by the Customer or another auditor it has appointed, for the purposes of verifying compliance with the provisions of this Appendix and subject to the signature of a dedicated confidentiality agreement.
Mailinblack will, insofar as possible, inform the Customer if Mailinblack is aware of an instruction which, in its opinion, constitutes a violation of the applicable provisions.
Mailinblack will inform the Customer of any breach of the Customer’s Personal Data immediately upon learning of it.
4.6. Restitution and/or deletion of Personal Data:
- Email from an authenticated source is not retained beyond the time it takes to deliver it to the Customer (maximum of 5 days if the customer’s mail server does not respond);
- Emails pending authentication are not stored beyond the maximum quarantine holding period (30 days);
- Upon termination of the Contract, Mailinblack may return and delete the Customer Data hosted in connection with using the Product within a maximum period of 60 days from the effective date of the Contract’s termination.
Logs can be kept for one year for security reasons.
4.7. Location of Personal Data:
Personal Data is hosted by Mailinblack in France (Roubaix or Paris).
The Customer agrees that where Mailinblack hires a sub-processor in accordance with the clause below to conduct specific processing activities on behalf of the Customer, and such processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, Mailinblack and the subsequent processor may ensure compliance with Chapter V of Regulation (EU) 2016/679 by using the standard contractual clauses adopted by the Commission on the basis of Article 46(2) of Regulation (EU) 2016/679, provided that the conditions for the use of such standard contractual clauses are met.
As such, the Customer accepts that Mailinblack’s subcontractor, managing the Microsoft Azure infrastructure on which the data is hosted, may transfer personal data outside the European Union. In this context, Mailinblack has entered into standard contractual clauses with Microsoft Corporation and, where necessary, the Customer mandates Mailinblack to do so. In addition, the Customer is informed that Microsoft is committed to complying with the personal data protection laws of the European Economic Area regarding the collection, use, transfer, storage and other processing of Personal Data originating from the European Economic Area, and that all transfers of Personal Data to a third country or to an international organization will be subject to appropriate safeguards as defined in Article 46 of the GDPR, and such transfers and measures will be documented in accordance with Article 30(2) of the GDPR.
4.8. Subcontractors of Mailinblack:
The Customer authorizes Mailinblack to use subcontractors for the hosting of the Products and for the supervision of the infrastructure (Cloud), as mentioned in Article 4.4 above, for which Mailinblack undertakes to require them to comply with the obligations applicable to Personal Data. Mailinblack remains responsible to the Customer for the performance of the Contract.
The Customer is informed and accepts that Mailinblack uses the subcontractors whose identity is indicated above or in any subsequent communication from Mailinblack, it being specified that the Customer may access the privacy and security policies of the subcontractors on their respective websites or on request to Mailinblack.
Mailinblack will inform the Customer in advance of any planned changes regarding the addition or replacement of other subcontractors, and the Customer will have the opportunity to object within 15 days to such changes, stating the reasons for such objections.
In the case of On-Premise subscription or hosting of Data by Distributor or any third party, the provisions of this Schedule shall not apply to, nor be enforceable against, Mailinblack for Data that is not hosted or placed under the responsibility of Mailinblack.