Last Updated: January 15, 2022

This Data Protection Addendum (“Addendum”) forms part of the agreement between Customer and HTI covering Customer’s use of the Services (as defined below) (“Agreement”).

I. Introduction

1. Definitions

  • “Applicable Data Protection Law” refers to all laws and regulations applicable to HTI’s processing of personal data under the Agreement.
  • “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • “Customer Account Data” means personal data that relates to Customer’s relationship with HTI, including the names or contact information of individuals authorized by Customer to access Customer’s account, and billing information of individuals that Customer has associated with its account. Customer Account Data also includes any data HTI may need to collect for the purpose of identity verification (including providing the MFA Services, as defined below), or as part of its legal obligation to retain Subscriber Records (as defined below).
  • “Customer Content” means (a) personal data exchanged as a result of using the Services (as defined below), such as text message bodies, voice and video media, images, email bodies, email recipients, sound, and, where applicable, details Customer submits to the Services from its designated software applications and services and (b) data stored on Customer’s behalf such as communication logs within the Services or marketing campaign data that Customer has uploaded to the Services (as defined below).
  • “Customer Data” has the meaning given in the Agreement. Customer Data includes Customer Account Data, Customer Usage Data, Customer Content, and Sensitive Data, each as defined in this Addendum.
  • “Customer Usage Data” means data processed by HTI for the purposes of transmitting or exchanging Customer Content utilizing phone numbers either through the Public Switched Telephone Network (PSTN) or by way of other communication networks. Customer Usage Data includes data used to identify the source and destination of a communication, such as (a) individual data subjects’ telephone numbers, data on the location of the device generated in the context of providing the Services, and the date, time, duration and the type of communication and (b) activity logs used to identify the source of Service requests, optimize and maintain performance of the Services, and investigate and prevent system abuse.
  • “Multi Factor Authentication Services” or “MFA Services” means the provision of a portion of the Services under which Customer adds an additional factor for verification of Customer’s end users’ identity in connection with such end users’ use of Customer’s software applications or services.
  • “Personal data” means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • “processor” means the entity which processes personal data on behalf of the controller.
  • “processing” (and “process”) means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • “Security Incident” means a confirmed or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.
  • “Sensitive Data” means (a) social security number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card), financial information, banking account numbers or passwords; (c) employment, financial, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; (e) account passwords, mother’s maiden name, or date of birth; (f) criminal history; or (g) any other information or combinations of information that falls within the definition of “special categories of data” under GDPR or any other applicable law or regulation relating to privacy and data protection.
  • “Services” means the products and services provided by HTI or its Affiliates, as applicable, that are (a) used by Customer, including, without limitation, products and services that are on a trial basis or otherwise free of charge or (b) ordered by Customer under an Order Form. Services include products and services that provide both (x) platform services, including access to any application programming interface (“HTI API”) and (y) where applicable, communications services used in connection with the HTI APIs.
  • “Subscriber Records” means Customer Account Data containing proof of identification and proof of physical address necessary for HTI to provide Customer or Customer’s end users with phone numbers in certain countries (“telephone number assignments”). When required by law or regulation, Subscriber Records are shared with local telecommunications providers, which provide local connectivity services, or local government authorities (additional information about these regulatory requirements is available at https://www.HTI.com/guidelines).
  • “sub-processor” means (a) HTI, when HTI is processing Customer Content and where Customer is a processor of such Customer Content or (b) any third-party processor engaged by HTI to process Customer Content in order to provide the Services to Customer. For the avoidance of doubt, telecommunication providers are not sub-processors.
  • “The Partner Request” means any request, correspondence, inquiry, or complaint from a data subject, regulatory authority, or third party.
  • “HTI Privacy Notice” means the privacy notice for the Services, the current version of which is available at https://www.HTI.com/legal/privacy.

Capitalized terms not defined in this Section 1 will have the meaning given to them in this Addendum or the Agreement.

II. Controller and Processor

2. Relationship of the Parties

2.1 HTI as a Processor. The parties acknowledge and agree that with regard to the processing of Customer Content, Customer may act either as a controller or processor and HTI is a processor. HTI will process Customer Content in accordance with Customer’s instructions as set forth in Section 5 (Customer Instructions).

2.2 HTI as a Controller of Customer Account Data. The parties acknowledge that, with regard to the processing of Customer Account Data, Customer is a controller and HTI is an independent controller, not a joint controller with Customer. HTI will process Customer Account Data as a controller in order to (a) manage the relationship with Customer; (b) carry out HTI’s core business operations, such as accounting and filing taxes; (c) detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of the Services; (d) perform identity verification; (e) comply with HTI’s legal or regulatory obligation to retain Subscriber Records; and (f) as otherwise permitted under Applicable Data Protection Law and in accordance with this Addendum, the Agreement, and the HTI Privacy Notice.

2.3 HTI as a Controller of Customer Usage Data. The parties acknowledge that, with regard to the processing of Customer Usage Data, Customer may act either as a controller or processor and HTI is an independent controller, not a joint controller with Customer. HTI will process Customer Usage Data as a controller in order to carry out the necessary functions as a communications service provider, such as: (a) HTI’s accounting, tax, billing, audit, and compliance purposes; (b) to provide, optimize, and maintain the Services, platform and security; (c) to investigate fraud, spam, wrongful or unlawful use of the Services; (d) as required by applicable law or regulation; or (e) as otherwise permitted under Applicable Data Protection Law and in accordance with this Addendum, the Agreement, and the HTI Privacy Notice.

3. Purpose Limitation. HTI will process personal data in order to provide the Services in accordance with the Agreement. Schedule 1 (Details of Processing) of this Addendum further specifies the nature and purpose of the processing, the processing activities, the duration of the processing, the types of personal data and categories of data subjects.

4. Compliance. Customer is responsible for ensuring that (a) it has complied, and will continue to comply, with Applicable Data Protection Law in its use of the Services and its own processing of personal data and (b) it has, and will continue to have, the right to transfer, or provide access to, personal data to HTI for processing in accordance with the terms of the Agreement and this Addendum.

III. HTI as a Processor – Processing Customer Content

5. Customer Instructions. Customer appoints HTI as a processor to process Customer Content on behalf of, and in accordance with, Customer’s instructions (a) as set forth in the Agreement, this Addendum, and as otherwise necessary to provide the Services to Customer, and which includes investigating security incidents and preventing spam, fraudulent activity, and violations of the HTI Acceptable Use Policy, the current version of which is available at https://www.htinternationalsolutions.com/, and detecting and preventing network exploits or abuse; (b) as necessary to comply with applicable law or regulation, including Applicable Data Protection Law; and (c) as otherwise agreed in writing between the parties (“Permitted Purposes”).

5.1 Lawfulness of Instructions. Customer will ensure that its instructions comply with Applicable Data Protection Law. Customer acknowledges that HTI is neither responsible for determining which laws or regulations are applicable to Customer’s business nor whether HTI’s provision of the Services meets or will meet the requirements of such laws or regulations. Customer will ensure that HTI’s processing of Customer Content, when done in accordance with Customer’s instructions, will not cause HTI to violate any applicable law or regulation, including Applicable Data Protection Law. HTI will inform Customer if it becomes aware, or reasonably believes, that Customer’s instructions violate any applicable law or regulation, including Applicable Data Protection Law.

5.2 Additional Instructions. Additional instructions outside the scope of the Agreement or this Addendum will be agreed to between the parties in writing, including any additional fees that may be payable by Customer to HTI for carrying out such additional instructions.

6. Confidentiality

6.1 Responding to The Partner Requests. In the event any The Partner Request is made directly to HTI in connection with HTI’s processing of Customer Content, HTI will promptly inform Customer and provide details of the same, to the extent legally permitted. HTI will not respond to any The Partner Request without Customer’s prior consent, except as legally required to do so or to confirm that such The Partner Request relates to Customer.

6.2 Confidentiality Obligations of HTI Personnel. HTI will ensure that any person it authorizes to process Customer Content has agreed to protect personal data in accordance with HTI’s confidentiality obligations in the Agreement.

7. Sub-processors

7.1 Authorization for Onward Sub-processing. Customer provides a general authorization for HTI to engage onward sub-processors that is conditioned on the following requirements:

(a) HTI will restrict the onward sub-processor’s access to Customer Content only to what is strictly necessary to provide the Services, and HTI will prohibit the sub-processor from processing the personal data for any other purpose;

(b) HTI agrees to impose contractual data protection obligations, including appropriate technical and organizational measures to protect personal data, on any sub-processor it appoints that require such sub-processor to protect Customer Content to the standard required by Applicable Data Protection Law, including the requirements set forth in Schedule 4 (Jurisdiction Specific Terms) of this Addendum; and

(c) HTI will remain liable for any breach of this Addendum that is caused by an act, error, or omission of its sub-processors.

7.2 Current Sub-processors and Notification of Sub-processor Changes. Customer consents to HTI engaging The Partner sub-processors to process Customer Content within the Services for the Permitted Purposes provided that HTI maintains an up-to-date list of its sub-processors at https://www.HTI.com/legal/sub-processors, which contains a mechanism for Customer to subscribe to notifications of new sub-processors. If Customer subscribes to such notifications, HTI will provide details of any change in sub-processors as soon as reasonably practicable. With respect to changes in infrastructure providers, HTI will endeavor to give written notice sixty (60) days prior to any change, but in any event will give written notice no less than thirty (30) days prior to any such change. With respect to HTI’s other sub-processors, HTI will endeavor to give written notice thirty (30) days prior to any change, but will give written notice no less than ten (10) days prior to any such change.

7.3 Objection Right for new Sub-processors. Customer may object to HTI’s appointment or replacement of a sub-processor prior to its appointment or replacement, provided such objection is in writing and based on reasonable grounds relating to data protection. In such an event, the parties agree to discuss commercially reasonable alternative solutions in good faith. If the parties cannot reach a resolution within ninety (90) days from the date of HTI’s receipt of Customer’s written objection, Customer may discontinue the use of the affected Services by providing written notice to HTI. Such discontinuation will be without prejudice to any fees incurred by Customer prior to the discontinuation of the affected Services. If no objection has been raised prior to HTI replacing or appointing a new sub-processor, HTI will deem Customer to have authorized the new sub-processor.

8. Data Subject Rights. As part of the Services, HTI provides Customer with a number of self-service features, including the ability to delete, obtain a copy of, or restrict use of Customer Content. Customer may use these self-service features to assist in complying with its obligations under Applicable Data Protection Law with respect to responding to requests from data subjects via the Services at no additional cost. To the extent Customer does not have the ability to resolve a data subject request through the self-service features, upon Customer’s request, HTI will provide reasonable additional and timely assistance to assist Customer in complying with its data protection obligations with respect to data subject rights under Applicable Data Protection Law.

9. Impact Assessments and Consultations. HTI will provide reasonable cooperation to Customer in connection with any data protection impact assessment (at Customer’s expense only if such reasonable cooperation will require HTI to assign significant resources to that effort) or consultations with regulatory authorities that may be required in accordance with Applicable Data Protection Law.

10. Return or Deletion of Customer Content. HTI will, in accordance with Section 3 (Duration of the Processing) of Schedule 1 (Details of Processing) of this Addendum, delete or return to Customer any Customer Content stored within the Services.

10.1 Extension of Addendum. Upon termination of the Agreement, HTI may retain Customer Content in storage for the time periods set forth in Schedule 1 (Details of Processing) of this Addendum, provided that HTI will ensure that Customer Content (a) is processed only as necessary for the Permitted Purposes and (b) remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law.

10.2 Retention Required by Law. Notwithstanding anything to the contrary in this Section 10, HTI may retain Customer Content, or any portion of it, if required by applicable law or regulation, including Applicable Data Protection Law, provided such Customer Content remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law.

IV. Security and Audits

11. Security

11.1 Security Measures. HTI has implemented and will maintain the technical and organizational security measures as set forth in the Agreement. Additional information about HTI’s technical and organizational security measures to protect Customer Data is set forth in Schedule 2 (Technical and Organizational Security Measures) of this Addendum.

11.2 Determination of Security Requirements. Customer acknowledges the Services include certain features and functionalities that Customer may elect to use which impact the security of Customer Data processed by Customer’s use of the Services, such as, but not limited to, encryption of voice recordings, availability of multi-factor authentication on Customer’s account, or optional Transport Layer Security (TLS) encryption. Customer is responsible for reviewing the information HTI makes available regarding its data security, including its audit reports, and making an independent determination as to whether the Services meet the Customer’s requirements and legal obligations, including its obligations under Applicable Data Protection Law. Customer is further responsible for properly configuring the Services and using features and functionalities made available by HTI to maintain appropriate security in light of the nature of Customer Data processed as a result of Customer’s use of the Services.

11.3 Security Incident Notification. HTI will provide notification of a Security Incident in the following manner:

(a) HTI will, to the extent permitted by applicable law, notify Customer without undue delay, but in no event later than seventy-two (72) hours after HTI’s discovery of a Security Incident impacting Customer Data of which HTI is a processor;

(b) HTI will, to the extent permitted and required by applicable law, notify Customer without undue delay of any Security Incident involving Customer Data of which HTI is a controller; and

(c) HTI will notify Customer of any Security Incident via email to the email address(es) designated by Customer in Customer’s account.

HTI will make reasonable efforts to identify a Security Incident, and to the extent a Security Incident is caused by HTI’s violation of this Addendum, remediate the cause of such Security Incident. HTI will provide reasonable assistance to Customer in the event that Customer is required under Applicable Data Protection Law to notify a regulatory authority or any data subjects impacted by a Security Incident.

12. Audits. The parties acknowledge that Customer must be able to assess HTI’s compliance with its obligations under Applicable Data Protection Law and this Addendum, insofar as HTI is acting as a processor on behalf of Customer.

12.1 HTI’s Audit Program. HTI uses external auditors to verify the adequacy of its security measures with respect to its processing of Customer Content. Such audits are performed at least once annually at HTI’s expense by independent third-party security professionals at HTI’s selection and result in the generation of a confidential audit report (“Audit Report”).

12.2 Customer Audit. Upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, HTI will make available to Customer a copy of HTI’s most recent Audit Report. Customer agrees that any audit rights granted by Applicable Data Protection Law will be satisfied by these Audit Reports. To the extent that HTI’s provision of an Audit Report does not provide sufficient information or Customer is required to respond to a regulatory authority audit, Customer agrees to a mutually agreed-upon audit plan with HTI that: (a) ensures the use of an independent third party; (b) provides written notice to HTI in a timely fashion; (c) requests access only during business hours; (d) accepts billing to Customer at HTI’s then-current rates; (e) occurs no more than once annually; (f) restricts its findings to only data relevant to Customer; and (g) obligates Customer, to the extent permitted by law or regulation, to keep confidential any information gathered that, by its nature, should be confidential.

V. International Provisions

13. Jurisdiction Specific Terms. To the extent HTI processes personal data originating from and protected by Applicable Data Protection Law in one of the jurisdictions listed in Schedule 4 (Jurisdiction Specific Terms) of this Addendum, the terms specified in Schedule 4 with respect to the applicable jurisdiction(s) apply in addition to the terms of this Addendum.

14. Cross Border Data Transfer Mechanisms for Data Transfers. To the extent Customer’s use of the Services requires an onward transfer mechanism to lawfully transfer personal data from a jurisdiction (i.e., the European Economic Area, the United Kingdom, Switzerland, or any other jurisdiction listed in Schedule 4 (Jurisdiction Specific Terms) of this Addendum) to HTI located outside of that jurisdiction (“Transfer Mechanism”), the terms set forth in Schedule 3 (Cross Border Transfer Mechanisms) of this Addendum will apply.

VI. Miscellaneous

15. Cooperation and Data Subject Rights. In the event that either party receives (a) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure, and data portability, as applicable) or (b) any The Partner Request relating to the processing of Customer Account Data or Customer Usage Data conducted by the other party, such party will promptly inform such other party in writing. The parties agree to cooperate, in good faith, as necessary to respond to any The Partner Request and fulfill their respective obligations under Applicable Data Protection Law.

16. Conflict. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms set forth in Schedule 4 (Jurisdiction Specific Terms) of this Addendum; (2) the terms of this Addendum outside of Schedule 4 (Jurisdiction Specific Terms); (3) the Agreement; and (4) the HTI Privacy Notice. Any claims brought in connection with this Addendum will be subject to the terms and conditions, including, without limitation, the exclusions and limitations set forth in the Agreement.

17. Updates. HTI may update the terms of this Addendum from time to time; provided, however, HTI will provide at least thirty (30) days prior written notice to Customer when an update is required as a result of (a) changes in Applicable Data Protection Law; (b) a merger, acquisition, or other similar transaction; or (c) the release of new products or services or material changes to any of the existing Services. The then-current terms of this Addendum are available at https://www.HTI.com/legal/data-protection-addendum.


SCHEDULE 1

DETAILS OF PROCESSING

1. Nature and Purpose of the Processing. HTI will process personal data as necessary to provide the Services under the Agreement. HTI does not sell Customer’s personal data or Customer end users’ personal data and does not share such end users’ information with third parties for compensation or for those third parties’ own business interests.

1.1 Customer Content. HTI will process Customer Content as a processor in accordance with Customer’s instructions as set forth in Section 5 (Customer Instructions) of this Addendum.

1.2 Customer Account Data. HTI will process Customer Account Data as a controller for the purposes set forth in Section 2.2 (HTI as a Controller of Customer Account Data) of this Addendum.

1.3 Customer Usage Data. HTI will process Customer Usage Data as a controller for the purposes set forth in Section 2.3 (HTI as a Controller of Customer Usage Data) of this Addendum.

2. Processing Activities.

2.1 Customer Content. Personal data contained in Customer Content will be subject to the following basic processing activities:

(a) the provision of programmable communication products and services, primarily offered in the form of application programming interfaces (APIs), to Customer, including transmittal to or from Customer’s software applications or services and designated third parties as directed by Customer, from or to the publicly-switched telephone network (PSTN) or by way of other communications networks. Storage of personal data on HTI’s network.

(b) the provision of products and services which allow the transmission and delivery of email communications on behalf of Customer to its recipients. HTI will also provide Customer with analytic reports regarding the email communications it sends on Customer’s behalf. Storage of personal data on HTI’s network.

(c) the provision of products and services which allow Customer to integrate, manage and control its data relating to end users. Storage of personal data on HTI’s network.

2.2 Customer Account Data. Personal data contained in Customer Account Data will be subject to the processing activities of providing the Services.

2.3 Customer Usage Data. Personal data contained in Customer Usage Data will be subject to the processing activities of providing the Services.

3. Duration of the Processing. The period for which personal data will be retained and the criteria used to determine that period are as follows:

3.1 Customer Content.

(a) Services. Prior to the termination of the Agreement, (x) HTI will process stored Customer Content for the Permitted Purposes until Customer elects to delete such Customer Content via the Services and (y) Customer agrees that it is solely responsible for deleting Customer Content via the Services. Except as set forth in Section 3.1(b) (SendGrid Services) of this Schedule 1, upon termination of the Agreement, HTI will (i) provide Customer thirty (30) days after the termination effective date to obtain a copy of any stored Customer Content via the Services; (ii) automatically delete any stored Customer Content thirty (30) days after the termination effective date; and (iii) automatically delete any stored Customer Content on HTI’s back-up systems sixty (60) days after the termination effective date. Any Customer Content archived on HTI’s back-up systems will be securely isolated and protected from any further processing, except as otherwise required by applicable law or regulation.

(b) SendGrid Services. Upon termination of the Agreement, HTI will (i) at Customer’s election, delete or return to Customer the Customer Content (including copies) stored within any services and application programming interfaces branded as “SendGrid” or “HTI SendGrid” (collectively, “SendGrid Services”) and (ii) automatically delete any stored Customer Content in the SendGrid Services on HTI’s back-up systems one (1) year after the termination effective date.

3.2 Customer Account Data. HTI will process Customer Account Data as long as required (a) to provide the Services to Customer; (b) for HTI’s legitimate business needs; or (c) by applicable law or regulation. Customer Account Data will be stored in accordance with the HTI Privacy Notice.

3.3 Customer Usage Data. Upon termination of the Agreement, HTI may retain, use, and disclose Customer Usage Data for the purposes set forth in Section 1.3 (Customer Usage Data) of this Schedule 1, subject to the confidentiality obligations set forth in the Agreement. HTI will anonymize or delete Customer Usage Data when HTI no longer requires it for the purposes set forth in Section 1.3 (Customer Usage Data) of this Schedule 1.

4. Categories of Data Subjects.

4.1 Customer Content. Customer’s end users.

4.2 Customer Account Data. Customer’s employees and individuals authorized by Customer to access Customer’s HTI account or make use of the MFA Services or telephone number assignments received from HTI.

4.3 Customer Usage Data. Customer’s end users.

5. Categories of Personal Data. HTI processes personal data contained in Customer Account Data, Customer Content, and Customer Usage Data.

6. Sensitive Data or Special Categories of Data.

6.1 Customer Content. Sensitive Data may, from time to time, be processed via the Services where Customer or its end users choose to include Sensitive Data within the communications that are transmitted using the Services. Customer is responsible for ensuring that suitable safeguards are in place prior to transmitting or processing, or prior to permitting Customer’s end users to transmit or process, any Sensitive Data via the Services.

6.2 Customer Account Data and Customer Usage Data.

(a) Sensitive Data may be found in Customer Account Data in the form of Subscriber Records containing passport or similar identifier data necessarily processed in order to receive telephone number assignments.

(b) Customer Usage Data does not contain Sensitive Data.


SCHEDULE 2

TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

The full text of HTI’s technical and organizational security measures to protect Customer Data is available at https://www.HTI.com/legal/security-overview (“Security Overview”).

Where applicable, this Schedule 2 will serve as Annex II to the EU Standard Contractual Clauses. The following table provides more information regarding the technical and organizational security measures set forth below.

| Technical and Organizational Security Measure | Evidence of Technical and Organizational Security Measure |
|---|---|
| Measures of pseudonymisation and encryption of personal data | See Section Encryption of the Security Overview |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | See Section Resilience and Service Continuity and Section Customer Data Backups of the Security Overview |
| Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | See Section Resilience and Service Continuity and Section Customer Data Backups of the Security Overview |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing | See Section Security Organization and Program, Security Certifications and Attestations, and Penetration Testing of the Security Overview |
| Measures for the protection of data during transmission | See Section Encryption and Section Customer Data Backups of the Security Overview |
| Measures for the protection of data during storage | See Section 8 (Hosting Architecture and Data Segregation) and Section Encryption of the Security Overview |
| Measures for ensuring physical security of locations at which personal data are processed | See Section Physical Security of the Security Overview |
| Measures for ensuring events logging | See: https://www.HTI.com/docs/runtime/serverless-api/api/logs and: https://docs.sendgrid.com/ui/analytics-and-reporting/email-activity-feed |
| Measures for ensuring system configuration, including default configuration | See: https://www.HTI.com/docs/runtime/serverless-api/api/logs and: https://docs.sendgrid.com/ui/analytics-and-reporting/email-activity-feed |
| Measures for internal IT and IT security governance and management | See Section Security Organization and Program of the Security Overview |
| Measures for certification/assurance of processes and products | See Section 3 (Security Organization and Program) and Section 7 (Security Certifications and Attestations) of the Security Overview |
| Measures for ensuring data minimisation | As an organization, HTI has adopted Binding Corporate Rules (BCRs) as the “code of conduct” for HTI’s processing of personal data worldwide. BCRs are based on the data protection principles of the GDPR. HTI’s BCRs were approved in May 2018 by European Union data protection authorities, and HTI audits against and re-certifies its commitments established in its BCRs on an annual basis. More information about how HTI processes personal data is set forth in the Privacy Policy available at https://www.HTI.com/legal/privacy, and further detailed in HTI’s BCRs available at https://www.HTI.com/legal/bcr. |
| Measures for ensuring data quality | As an organization, HTI has adopted Binding Corporate Rules (BCRs) as the “code of conduct” for HTI’s processing of personal data worldwide. BCRs are based on the data protection principles of the GDPR. HTI’s BCRs were approved in May 2018 by European Union data protection authorities, and HTI audits against and re-certifies its commitments established in its BCRs on an annual basis. More information about how HTI processes personal data is set forth in the Privacy Policy available at https://www.HTI.com/legal/privacy, and further detailed in HTI’s BCRs available at https://www.HTI.com/legal/bcr. |
| Measures for ensuring limited data retention | As an organization, HTI has adopted Binding Corporate Rules (BCRs) as the “code of conduct” for HTI’s processing of personal data worldwide. BCRs are based on the data protection principles of the GDPR. HTI’s BCRs were approved in May 2018 by European Union data protection authorities, and HTI audits against and re-certifies its commitments established in its BCRs on an annual basis. More information about how HTI processes personal data is set forth in the Privacy Policy available at https://www.HTI.com/legal/privacy, and further detailed in HTI’s BCRs available at https://www.HTI.com/legal/bcr. |
| Measures for ensuring accountability | As an organization, HTI has adopted Binding Corporate Rules (BCRs) as the “code of conduct” for HTI’s processing of personal data worldwide. BCRs are based on the data protection principles of the GDPR. HTI’s BCRs were approved in May 2018 by European Union data protection authorities, and HTI audits against and re-certifies its commitments established in its BCRs on an annual basis. More information about how HTI processes personal data is set forth in the Privacy Policy available at https://www.HTI.com/legal/privacy, and further detailed in HTI’s BCRs available at https://www.HTI.com/legal/bcr. |
| Measures for allowing data portability and ensuring erasure | Customer is able to export or delete Customer Content using the self-service features of the Services as set forth in the applicable documentation for the Services available at https://www.HTI.com/docs. For an example of data portability self-service features, see: https://www.htinternationalsolutions.com/ and https://docs.sendgrid.com/ui/managing-contacts/create-and-manage-contacts#export-contacts For an example of data erasure self-service features, see: https://www.htinternationalsolutions.com/ and https://docs.sendgrid.com/api-reference/contacts/delete-contacts |
| Technical and organizational measures to be taken by the [sub]-processor to provide assistance to the controller and, for transfers from a processor to a [sub]-processor, to the Customer. | When HTI engages a sub-processor under Section 7.1 (Authorization for Onward Sub-processing) of this Addendum, HTI and the sub-processor enter into an agreement with data protection obligations substantially similar to those contained in this Addendum. Each sub-processor agreement must ensure that HTI is able to meet its obligations to Customer. In addition to implementing technical and organizational measures to protect personal data, sub-processors must (a) notify HTI in the event of a Security Incident so HTI may notify Customer; (b) delete personal data when instructed by HTI in accordance with Customer’s instructions to HTI; (c) not engage additional sub-processors without HTI’s authorization; (d) not change the location where personal data is processed; or (e) process personal data in a manner which conflicts with Customer’s instructions to HTI. |

SCHEDULE 3

CROSS BORDER DATA TRANSFER MECHANISMS

1. Definitions

  • “BCR Services” means all Services except the SendGrid Services.
  • “EEA” means the European Economic Area.
  • “EU Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.
  • “HTI BCRs” means HTI’s Binding Corporate Rules as set forth at https://www.HTI.com/legal/binding-corporate-rules.
  • “UK International Data Transfer Agreement” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022.

2. Cross Border Data Transfer Mechanisms.

2.1 Order of Precedence. In the event the Services are covered by more than one Transfer Mechanism, the transfer of personal data will be subject to a single Transfer Mechanism in accordance with the following order of precedence: (a) HTI’s binding corporate rules as set forth in Section 2.2 (HTI BCRs) of this Schedule 3; (b) the EU Standard Contractual Clauses as set forth in Section 2.3 (EU Standard Contractual Clauses) of this Schedule 3; (c) the UK International Data Transfer Agreement as set forth in Section 2.4 (UK International Data Transfer Agreement) of this Schedule 3; and, if neither (a) nor (b) nor (c) is applicable, then (d) other applicable data Transfer Mechanisms permitted under Applicable Data Protection Law.

2.2 HTI BCRs. The parties agree that HTI will process personal data within the BCR Services in accordance with the HTI BCRs. The parties further agree that, with respect to the BCR Services, the HTI BCRs will be the lawful Transfer Mechanism of Customer Account Data, Customer Content, and Customer Usage Data from the EEA, Switzerland, or the United Kingdom to (a) HTI in the United States of America or (b) any other non-EEA HTI entity. For avoidance of doubt, the HTI BCRs do not serve as a Transfer Mechanism for the SendGrid Services.

2.3 EU Standard Contractual Clauses. The parties agree that the EU Standard Contractual Clauses will apply to personal data that is transferred via the Services from the EEA or Switzerland, either directly or via onward transfer, to any country or recipient outside the EEA or Switzerland that is: (a) not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for personal data and (b) not covered by the HTI BCRs. For data transfers from the EEA that are subject to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:

(a) Module One (Controller to Controller) of the EU Standard Contractual Clauses will apply where (i) HTI is processing Customer Account Data and (ii) Customer is a controller of Customer Usage Data and HTI is processing Customer Usage Data;

(b) Module Two (Controller to Processor) of the EU Standard Contractual Clauses will apply where Customer is a controller of Customer Content and HTI is processing Customer Content;

(c) Module Three (Processor to Processor) of the EU Standard Contractual Clauses will apply where Customer is a processor of Customer Content and HTI is processing Customer Content;

(d) Module Four (Processor to Controller) of the EU Standard Contractual Clauses will apply where Customer is a processor of Customer Usage Data and HTI processes Customer Usage Data; and

(e) For each Module, where applicable:

(i) in Clause 7 of the EU Standard Contractual Clauses, the optional docking clause will not apply;

(ii) in Clause 9 of the EU Standard Contractual Clauses, Option 2 will apply and the time period for prior written notice of sub-processor changes will be as set forth in Section 7.2 (Current Sub-processors and Notification of Sub-processor Changes) of this Addendum;

(iii) in Clause 11 of the EU Standard Contractual Clauses, the optional language will not apply;

(iv) in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by Irish law;

(v) in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Ireland;

(vi) in Annex I, Part A of the EU Standard Contractual Clauses:

Data Exporter: Customer

Contact details: The email address(es) designated by Customer in Customer’s account via its notification preferences.

Data Exporter Role: The Data Exporter’s role is set forth in Section 2 (Relationship of the Parties) of this Addendum.

Signature and Date: By entering into the Agreement, Data Exporter is deemed to have signed these EU Standard Contractual Clauses incorporated herein, including their Annexes, as of the effective date of the Agreement.

Data Importer: HTI Inc.

Contact details: HTI Privacy Team – soporte@HTI.com

Data Importer Role: The Data Importer’s role is set forth in Section 2 (Relationship of the Parties) of this Addendum.

Signature and Date: By entering into the Agreement, Data Importer is deemed to have signed these EU Standard Contractual Clauses, incorporated herein, including their Annexes, as of the effective date of the Agreement;

(vii) in Annex I, Part B of the EU Standard Contractual Clauses:

The categories of data subjects are set forth in Section 4 of Schedule 1 (Details of Processing) of this Addendum.

The Sensitive Data transferred is set forth in Section 6 of Schedule 1 (Details of Processing) of this Addendum.

The frequency of the transfer is on a continuous basis for the duration of the Agreement.

The nature of the processing is set forth in Section 1 of Schedule 1 (Details of Processing) of this Addendum.

The purpose of the processing is set forth in Section 1 of Schedule 1 (Details of Processing) of this Addendum.

The period for which the personal data will be retained is set forth in Section 3 of Schedule 1 (Details of Processing) of this Addendum.

For transfers to sub-processors, the subject matter, nature, and duration of the processing is set forth at https://www.htinternationalsolutions.com/

(viii) in Annex I, Part C of the EU Standard Contractual Clauses: The Irish Data Protection Commission will be the competent supervisory authority; and

(ix) Schedule 2 (Technical and Organizational Security Measures) of this Addendum serves as Annex II of the EU Standard Contractual Clauses.

2.4 UK International Data Transfer Agreement. The parties agree that the UK International Data Transfer Agreement will apply to personal data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is: (a) not recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for personal data and (b) not covered by the HTI BCRs. For data transfers from the United Kingdom that are subject to the UK International Data Transfer Agreement, the UK International Data Transfer Agreement will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:

(a) In Table 1 of the UK International Data Transfer Agreement, the parties’ details and key contact information is located in Section 2.3(e)(vi) of this Schedule 3.

(b) In Table 2 of the UK International Data Transfer Agreement, information about the version of the Approved EU SCCs, modules and selected clauses which this UK International Data Transfer Agreement is appended to is located in Section 2.3 (EU Standard Contractual Clauses) of this Schedule 3.

(c) In Table 3 of the UK International Data Transfer Agreement:

  1. The list of Parties is located in Section 2.3(e)(vi) of this Schedule 3.
  2. The description of the transfer is set forth in Section 1 (Nature and Purpose of the Processing) of Schedule 1 (Details of the Processing).
  3. Annex II is located in Schedule 2 (Technical and Organizational Security Measures).
  4. The list of sub-processors is located at https://www.htinternationalsolutions.com/.

(d) In Table 4 of the UK International Data Transfer Agreement, both the Importer and the Exporter may end the UK International Data Transfer Agreement in accordance with the terms of the UK International Data Transfer Agreement.

2.5 Conflict. To the extent there is any conflict or inconsistency between the EU Standard Contractual Clauses or UK International Data Transfer Agreement and any other terms in this Addendum, including Schedule 4 (Jurisdiction Specific Terms), the Agreement, or the HTI Privacy Notice, the provisions of the EU Standard Contractual Clauses or UK International Data Transfer Agreement, as applicable, will prevail.



Security Overview

Last Updated: January 22, 2022

This HTI Security Overview (“Security Overview”) is incorporated into and made a part of the agreement between HTI and Customer covering Customer’s use of the Services (as defined below) (“Agreement”).

1. Definitions

“Segment Services” means any services or application programming interfaces branded as “Segment” or “HTI Segment”.

“SendGrid Services” means any services or application programming interfaces branded as “SendGrid” or “HTI SendGrid”.

“Services” means, for the purposes of this Security Overview, collectively, the HTI Services (as defined below), SendGrid Services, and Segment Services.

“HTI Services” means any services or application programming interfaces branded as “HTI”. For the avoidance of doubt, this Security Overview does not apply to any mobile identification and authentication services branded as “HTI” (“Identity Verification Services”). The security overview for the Identity Verification Services is available at https://www.htinternationalsolutions.com/

2. Purpose. This Security Overview describes HTI’s security program, security certifications, and technical and organizational security controls to protect (a) Customer Data from unauthorized use, access, disclosure, or theft and (b) the Services. As security threats change, HTI continues to update its security program and strategy to help protect Customer Data and the Services. As such, HTI reserves the right to update this Security Overview from time to time; provided, however, any update will not materially reduce the overall protections set forth in this Security Overview. The then-current terms of this Security Overview are available at https://www.htinternationalsolutions.com/. This Security Overview does not apply to any (a) Services that are identified as alpha, beta, not generally available, limited release, developer preview, or any similar Services offered by HTI or (b) communications services provided by telecommunications providers.

3. Security Organization and Program. HTI maintains a risk-based assessment security program. The framework for HTI’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data. HTI’s security program is intended to be appropriate to the nature of the Services and the size and complexity of HTI’s business operations. HTI has separate and dedicated Information Security teams that manage HTI’s security program. There is a team that facilitates and supports independent audits and assessments performed by third parties. HTI’s security framework is based on the ISO 27001 Information Security Management System and includes programs covering: Policies and Procedures, Asset Management, Access Management, Cryptography, Physical Security, Operations Security, Communications Security, Business Continuity Disaster Recovery Security, People Security, Product Security, Cloud and Network Infrastructure Security, Security Compliance, Third-Party Security, Vulnerability Management, and Security Monitoring and Incident Response. Security is managed at the highest levels of the company, with HTI’s Chief Information Security Officer (CISO) meeting with executive management regularly to discuss issues and coordinate company-wide security initiatives. Information security policies and standards are reviewed and approved by management at least annually and are made available to all HTI employees for their reference.

4. Confidentiality. HTI has controls in place to maintain the confidentiality of Customer Data in accordance with the Agreement. All HTI employees and contract personnel are bound by HTI’s internal policies regarding maintaining the confidentiality of Customer Data and are contractually obligated to comply with these obligations.

5. People Security

5.1 Employee Background Checks. HTI performs background checks on all new employees at the time of hire in accordance with applicable local laws. HTI currently verifies a new employee’s education and previous employment and performs reference checks. Where permitted by applicable law, HTI may also conduct criminal, credit, immigration, and security checks depending on the nature and scope of a new employee’s role.

5.2 Employee Training. At least once (1) per year, HTI employees must complete a security and privacy training which covers HTI’s security policies, security best practices, and privacy principles. Employees on a leave of absence may have additional time to complete this annual training. HTI’s dedicated security team also performs phishing awareness campaigns and communicates emerging threats to employees. HTI has also established an anonymous hotline for employees to report any unethical behavior where anonymous reporting is legally permitted.

6. The Partner Vendor Management

6.1 Vendor Assessment. HTI may use The Partner vendors to provide the Services. HTI carries out a security risk-based assessment of prospective vendors before working with them to validate they meet HTI’s security requirements. HTI periodically reviews each vendor in light of HTI’s security and business continuity standards, including the type of access and classification of data being accessed (if any), controls necessary to protect data, and legal or regulatory requirements. HTI ensures that Customer Data is returned and/or deleted at the end of a vendor relationship. For the avoidance of doubt, telecommunication providers are not considered subcontractors or third-party vendors of HTI.

6.2 Vendor Agreements. HTI enters into written agreements with all of its vendors which include confidentiality, privacy, and security obligations that provide an appropriate level of protection for Customer Data that these vendors may process.

7. Security Certifications and Attestations. HTI holds the following security-related certifications and attestations:

| Certification or Attestation | Covered Services |
|---|---|
| ISO/IEC 27001 | HTI Services; Segment Services |
| ISO/IEC 27017 & 27018 | HTI Services; Segment Services |
| SOC 2 Type 2 (Trust Service Principles: Security & Availability) | The following HTI Services: Programmable Voice, Programmable Messaging, Programmable Video, HTI Flex, Lookup, Verify, Studio, Conversations, and Authy; SendGrid Services; Segment Services |
| PCI DSS Level 1 | The following HTI Services: Programmable Voice |
| PCI DSS Level 4 | SendGrid Services |

8. Hosting Architecture and Data Segregation

8.1 Amazon Web Services and Google Cloud Platform. The HTI Services and Segment Services are hosted on Amazon Web Services (“AWS”) in the United States of America and protected by the security and environmental controls of Amazon. The production environment within AWS where the HTI Services and Segment Services and Customer Data are hosted is logically isolated in a Virtual Private Cloud (VPC). Customer Data stored within AWS is encrypted at all times. AWS does not have access to unencrypted Customer Data. More information about AWS security is available at https://aws.amazon.com/security/ and https://aws.amazon.com/compliance/shared-responsibility-model/. For AWS SOC Reports, please see https://aws.amazon.com/compliance/soc-faqs/. The Segment Services are also hosted on Google Cloud Platform (“GCP”) in the United States of America. The production environment within GCP where the Segment Services and Customer Data are hosted is logically isolated in a Virtual Private Cloud (VPC). Customer Data stored within GCP is encrypted at all times. GCP does not have access to unencrypted Customer Data. More information about GCP security is available at https://cloud.google.com/architecture#security.

8.2 The SendGrid Services leverage colocation data centers provided by Zayo and Lumen (formerly known as Centurylink), which are located in the United States of America. These colocation data centers do not store any Customer Data.

8.3 Services. For the Services, all network access between production hosts is restricted, using access control lists to allow only authorized services to interact in the production network. Access control lists are in use to manage network segregation between different security zones in the production and corporate environments. Access control lists are reviewed regularly. HTI separates Customer Data using logical identifiers. Customer Data is tagged with a unique customer identifier that is assigned to segregate Customer Data ownership. The HTI APIs are designed and built to identify and allow authorized access only to and from Customer Data identified with customer specific tags. These controls prevent other customers from having access to Customer Data.

9. Physical Security. AWS, Zayo, and Lumen data centers and GCP are strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication (2FA) a minimum of two (2) times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions. Each data center has redundant electrical power systems that are available twenty-four (24) hours a day, seven (7) days a week. Uninterruptible power supplies and on-site generators are available to provide back-up power in the event of an electrical failure. In addition, HTI headquarters and office spaces have a physical security program that manages visitors, building entrances, closed circuit televisions, and overall office security. All employees, contractors, and visitors are required to wear identification badges.

10. Security by Design. HTI follows security by design principles when it designs the Services. HTI also applies the HTI Secure Software Development Lifecycle (Secure SDLC) standard to perform numerous security-related activities for the Services across different phases of the product creation lifecycle from requirements gathering and product design all the way through product deployment. These activities include, but are not limited to, the performance of (a) internal security reviews before deploying new Services or code; (b) penetration tests of new Services by independent third parties; and (c) threat models for new Services to detect potential security threats and vulnerabilities.

11. Access Controls

11.1 Provisioning Access. To minimize the risk of data exposure, HTI follows the principles of least privilege through a team-based-access-control model when provisioning system access. HTI personnel are authorized to access Customer Data based on their job function, role, and responsibilities, and such access requires approval. Access rights to production environments that are not time-based are reviewed at least semi-annually. An employee’s access to Customer Data is promptly removed upon termination of their employment. In order to access the production environment, an authorized user must have a unique username and password and multi-factor authentication enabled. Before an engineer is granted access to the production environment, access must be approved by management and the engineer is required to complete internal training for such access including training on the relevant team’s systems. HTI logs high risk actions and changes in the production environment. HTI leverages automation to identify any deviation from internal technical standards that could indicate anomalous/unauthorized activity to raise an alert within minutes of a configuration change.

11.2 Password Controls. HTI’s current policy for employee password management follows the NIST 800-63B guidance, and as such, our policy is to use longer passwords, with multi-factor authentication, but not require special characters or frequent changes. For SendGrid employees, password requirements include an eight (8) character minimum, with at least three (3) of the following characteristics: upper case letter, lower case letter, number, or special character. When a customer logs into its account, HTI hashes the credentials of the user before it is stored. A customer may also require its users to add another layer of security to their account by using two-factor authentication (2FA).

12. Change Management. HTI has a formal change management process it follows to administer changes to the production environment for the Services, including any changes to its underlying software, applications, and systems. Each change is carefully reviewed and evaluated in a test environment before being deployed into the production environment for the Services. All changes, including the evaluation of the changes in a test environment, are documented using a formal, auditable system of record. A rigorous assessment is carried out for all high-risk changes to evaluate their impact on the overall security of the Services. Deployment approval for high-risk changes is required from the correct organizational stakeholders. Plans and procedures are also implemented in the event a deployed change needs to be rolled back to preserve the security of the Services.

13. Encryption. For the HTI Services, (a) the databases that store Customer Data are encrypted using the Advanced Encryption Standard and (b) Customer Data is encrypted when in transit between Customer’s software application and the Services using TLS v1.2. For the SendGrid Services, HTI provides opportunistic TLS v1.1 or higher for emails in transit between Customer’s software application and the recipient’s email server. The SendGrid Services are designed to opportunistically try outbound TLS v1.1 or higher when attempting to deliver an email to a recipient. This means that if a recipient’s email server accepts an inbound TLS v1.1 or higher connection, HTI will deliver an email over a TLS encrypted connection. If a recipient’s email server does not support TLS, HTI will deliver an email over the default unencrypted connection. The SendGrid Services provide an optional feature, which Customer has to enable, that allows Customer to enforce TLS encryption. If Customer enables the enforced TLS feature, HTI will only deliver an email to a recipient if the recipient’s email server accepts an inbound TLS v1.1 or higher connection. For the Segment Services, Customer Data is encrypted at rest using the Advanced Encryption Standard.

14. Vulnerability Management. HTI maintains controls and policies to mitigate the risk of security vulnerabilities in a measurable time frame that balances risk and the business/operational requirements. HTI uses a third-party tool to conduct vulnerability scans regularly to assess vulnerabilities in HTI’s cloud infrastructure and corporate systems. Critical software patches are evaluated, tested, and applied proactively. Operating system patches are applied through the regeneration of a base virtual-machine image and deployed to all nodes in the HTI cluster over a predefined schedule. For high-risk patches, HTI will deploy directly to existing nodes through internally developed orchestration tools.

15. Penetration Testing. HTI performs penetration tests and engages independent third-party entities to conduct application-level penetration tests. Security threats and vulnerabilities that are detected are prioritized, triaged, and remediated promptly. HTI maintains a Bug Bounty Program through Bug Crowd, which allows independent security researchers to report security threats and vulnerabilities on an ongoing basis.

16. Security Incident Management. HTI maintains security incident management policies and procedures in accordance with NIST SP 800-61. HTI’s Security Incident Response Team (T-SIRT) assesses all relevant security threats and vulnerabilities and establishes appropriate remediation and mitigation actions. HTI retains security logs for one hundred and eighty (180) days. Access to these security logs is limited to T-SIRT. HTI utilizes third-party tools to detect, mitigate, and prevent Distributed Denial of Service (DDoS) attacks.

17. Discovery, Investigation, and Notification of a Security Incident. HTI will promptly investigate a Security Incident upon discovery. To the extent permitted by applicable law, HTI will notify Customer of a Security Incident in accordance with the Data Protection Addendum. Security Incident notifications will be provided to Customer via email to the email address designated by Customer in its account.

18. Resilience and Service Continuity

18.1 Resilience. The hosting infrastructure for the HTI Services and Segment Services (a) spans multiple fault-independent availability zones in geographic regions physically separated from one another and (b) is able to detect and route around issues experienced by hosts or even whole data centers in real time and employ orchestration tooling that has the ability to regenerate hosts, building them from the latest backup.

18.2 Service Continuity. HTI also leverages specialized tools available within the hosting infrastructure for the Services to monitor server performance, data, and traffic load capacity within each availability zone and colocation data center. If suboptimal server performance or overloaded capacity is detected on a server within an availability zone or colocation data center, these specialized tools increase the capacity or shift traffic to relieve any suboptimal server performance or capacity overload. HTI is also immediately notified in the event of any suboptimal server performance or overloaded capacity.

19. Customer Data Backups. HTI performs regular backups of Customer Data, which is hosted on AWS’s data center infrastructure. Customer Data that is backed up is retained redundantly across multiple availability zones and encrypted in transit and at rest using the Advanced Encryption Standard.

Service Level Agreement

Last Updated: August 1, 2022

1. Definitions. The following defined terms apply to this Service Level Agreement for the Services APIs (as defined below) (“SLA”).

“Actual Monthly Uptime Percentage” = (A-B+C)/A, where:

  • A = Total Monthly Time (as defined below);
  • B = Unavailable Monthly Time (as defined below); and
  • C = Excluded Monthly Times (as defined below).

Monthly Uptime Percentage Threshold” means the applicable percentage set forth in the table in Section 2 (Service Commitments) of this SLA under the heading, “Monthly Uptime Percentage Threshold.”

“SendGrid Services API” means the Mail Send application programming interface for the services branded as “SendGrid” or “HTI SendGrid”.

“Services APIs” means, collectively, the HTI Services APIs (as defined below) and SendGrid Services API.

“Service Credit” means the credit that Customer is eligible to request pursuant to Section 4 (Service Credit Request) of this SLA if (a) the Actual Monthly Uptime Percentage is less than the applicable Monthly Uptime Percentage Threshold or (b) there is a failure to achieve a Successful Connection Rate (as defined below). A Service Credit is calculated by multiplying the applicable percentage set forth in Section 2 (Service Commitments) of this SLA by (x) the fees Customer actually incurs for the affected HTI Services APIs or (y) Customer’s email package fees for the affected SendGrid Services API, in either case, for the applicable calendar month.

“Successful Connection Rate” means, in the applicable calendar month, a Web API v3 Mail send request by Customer that returns a “202” accepted response at a rate of at least, (a) with respect to emails originating from North America or South America, fifteen thousand (15,000) requests per second or (b) with respect to emails originating outside of North America or South America, ten thousand (10,000) requests per second. A Successful Connection Rate is conditioned on (x) Customer utilizing a sufficient number of concurrent connections to support such Successful Connection Rate; (y) Customer’s send requests not exceeding (i) with respect to emails originating from North America or South America, six (6) gigabits per second in the aggregate or (ii) with respect to emails originating outside of North America or South America, four (4) gigabits per second in the aggregate; and (z) Customer honoring HTI’s then-current time-to-live value for domain name system lookups of the Web API v3 Mail send address.

“Total Monthly Time” means the total number of minutes in the applicable calendar month.

“HTI Services APIs” means the application programming interfaces branded as “HTI”.

“Unavailable Monthly Time” means the number of minutes in the applicable calendar month during which the HTI Services APIs or SendGrid Services API, as applicable, were unavailable for use.

2. Service Commitments

Applicable APIs | Monthly Uptime Percentage Threshold | Service Credit
Services APIs | 99.95% | 10% credit equivalent
HTI Services APIs during the calendar months in which Customer has purchased the HTI Administration Edition or HTI Enterprise Edition | 99.99% | 10% credit equivalent
SendGrid Services API during the calendar months in which Customer has purchased the Email Strategy – Gold, Enterprise Program Management, or Enterprise Program Management & Strategy package | 99.99% | 10% credit equivalent

Furthermore, if HTI fails to achieve a Successful Connection Rate for the SendGrid Services API during the calendar months in which Customer has purchased the Email Strategy – Gold, Enterprise Program Management, or Enterprise Program Management & Strategy package, Customer will be eligible to request a Service Credit equal to ten percent (10%).

3. Status Notifications. Customer may subscribe to email notifications for status updates at https://status.HTI.com for the HTI Services APIs and https://status.sendgrid.com for the SendGrid Services API. Customer has the right, exercisable no more than once (1) per calendar month during the time period in which Customer has purchased the Email Strategy – Gold, Enterprise Program Management, or Enterprise Program Management & Strategy package, to request a report from HTI indicating the Successful Connection Rate applicable to Customer’s email sends during the previous thirty (30) days.

4. Service Credit Request. To receive a Service Credit, Customer must submit a request to Customer Support via https://www.HTI.com/help/contact for the HTI Services APIs and https://support.sendgrid.com for the SendGrid Services API within thirty (30) days from the last day of the calendar month in which Customer claims HTI failed to meet the applicable Monthly Uptime Percentage Threshold or achieve a Successful Connection Rate. All submissions must include: (a) “SLA Claim” as the subject of the ticket; (b) the dates and times of (i) Unavailable Monthly Time calculated based on the status page available at https://status.HTI.com for the HTI Services APIs and https://status.sendgrid.com for the SendGrid Services API or (ii) the failure to achieve a Successful Connection Rate; and (c) any documentation of the Unavailable Monthly Time or failure to achieve a Successful Connection Rate. Any Service Credit will be applied to future amounts payable by Customer to HTI for the Services APIs. Service Credits are not available in the form of refunds.

5. Exclusions. Notwithstanding anything to the contrary in this Agreement, no Unavailable Monthly Time will be deemed to have occurred if it: (a) is caused by factors outside of HTI’s reasonable control, including, without limitation, telecommunications provider-related problems or issues, Internet access or related problems occurring beyond the point in the network where HTI maintains access and control over the Services APIs; (b) results from any actions or inactions of Customer or any The Partner (except for HTI’s agents and subcontractors); (c) results from any Customer Application(s), Customer’s equipment, software, or other technology, add-on services, or third-party equipment, software, or other technology (except for equipment within HTI’s direct control); (d) occurs during HTI’s scheduled maintenance for which HTI will provide at least twenty-four (24) hours prior notice; (e) occurs during HTI’s emergency maintenance (maintenance that is necessary for purposes of maintaining the integrity or operation of the Services APIs), regardless of the notice provided by HTI; (f) results from any Services APIs that are identified as alpha, beta, not generally available, limited release, developer preview, or any similar Services APIs offered by HTI; or (g) is less than five (5) minutes of continuous unavailability in duration (collectively, “Excluded Monthly Times”). This SLA will not apply to any services or application programming interfaces branded as “Segment” or “HTI Segment” (“Segment Services”). The service level agreement for the Segment Services is available at https://www.htinternationalsolutions.com/.

6. Entire SLA Liability. The Service Credits set forth in this SLA are HTI’s sole and entire liability to Customer, and Customer’s sole and exclusive remedy, for HTI’s failure to meet any Monthly Uptime Percentage Threshold or achieve any Successful Connection Rate.

7. Updates. HTI may update this SLA from time to time. The then-current terms of this SLA are available at https://www.htinternationalsolutions.com/