Software as a Service Agreement
version 1.0 as of April 18, 2025
This Software as a Service Agreement (the “Agreement”), effective as of [DATE] (the “Effective Date”), is entered into by and between Maestra B.V. (“Provider”), and Customer.
Provider provides access to its software-as-a-service offerings to its customers;
Customer desires to access certain software-as-a-service offerings described herein, and Provider desires to provide Customer access to such offerings, subject to the terms and conditions set forth in this Agreement.
NOW, THEREFORE, in consideration of the mutual covenants, terms, and conditions set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:
DEFINITIONS
“Accounting period” means one calendar month.
“Client/End Customer” means any person whose Personal Data are transferred to the Maestra Service by the Customer for the purposes of processing.
“Client information” means any information about potential, current or former Clients, connected to the Client’s profile in the Maestra Service with a unique identifier..
“Controller” means the Customer, being the natural or legal person, public authority, agency or other body which, alone or jointly with others, who determines the purposes and means of the processing of Personal Data.
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
“Data Subject” means the individual to whom Personal Data relates.
“End Client/Customer Data” means information, data, and other content, in any form or medium, relating to an End Customer Profile that is collected, transmitted, or otherwise processed by or on behalf of Customer through the Services. End Customer Data may include End Customer’s PII but exclude Resultant Data.
“Force majeure event” means any act of nature or the elements, terrorism, insurrection, revolution or civil strife, civil war or hostile action, labor strikes, acts of public enemies, laws, rules, and regulations of any governmental authorities having jurisdiction over the premises, inability to procure material, equipment, or necessary labor in the open market, material or equipment shortages, or any other causes (except financial) beyond the control of either party.
“Intellectual Property Rights” means any and all registered and unregistered rights, granted, applied for or otherwise now or hereafter in existence under or related to any patent, copyright, trademark, trade secret, database protection or other intellectual property rights laws, and all similar or equivalent rights or forms of protection, in any part of the world.
“Means of Communication” means an email in case the emails are sent from the domains specified in the details in Article 12 hereof, as well as services such as Intercom, Basecamp, and others agreed by Parties.
“Maestra Service” means the internet-based Maestra software technology that is accessible via a web browser through the internet access, and the related services. The Maestra Service is provided on a subscription basis, as a Software-as-a-Service.
“Maestra Service Rates” means the rates of the Maestra Service subscription stated in the EXHIBIT A hereto.
“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Personal Data Processing Agreement” means data processing terms agreed by Parties stated in EXHIBIT B hereto.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the Provider, being the legal person who processes Personal Data on behalf of the Controller.
“SLA” means Service Level Agreement incorporated hereto by reference and published on the Provider’s website. SLA defines the quality metrics of the Maestra Service, for example, time of availability of the Maestra Service and speed of email sending as well as limits of Provider’s responsibility - maximum amount of Provider’s responsibility for SLA violation (compensation) and method of its receipt by the Customer (discount for the Subscription to Maestra Service).
“Subscription to Maestra Service” means subscription to the Maestra Service provided to the Customer by the Provider.
“Term” means the period of time during which this Agreement is in effect.
GENERAL PROVISIONS
The Subscription to Maestra Service is provided in accordance with this Agreement. Through the Subscription to the Maestra Service the Provider processes Personal Data of Clients. In terms of General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) (hereinafter — “GDPR”) Provider is a Processor.
The Customer understands and agrees that the Maestra Service processes the Customer’s Client information - citizens of the EU, unless otherwise agreed by the Parties.
Аll intellectual Property Rights associated with Maestra Service belong to the Provider or its affiliated and\or subsidiary entities, or its or their respective licensors.
Except for the limited rights granted to the Customer by this Agreement during the Term, nothing herein grants the Customer title (or any other rights or interests) in or to the Maestra Service or any Intellectual Property Rights associated therewith.
The Customer uses the Maestra Service on its own to perform the respective activities e.g. to create a segment, to launch a campaign or send emails.
The Customer may use the Maestra Service for sending electronic messages to Clients (e.g. sms and emails), including for advertising purposes. The role of Provider is limited to service provider functions. Due to the nature of the Maestra Service, the Provider is not liable for any negative consequences caused by activities performed by the Customer, including (but not limited to) profit loss, personal data complains and issues etc. The Provider provides a tool for the Customer to reach its advertising purposes and shall not be considered as an advertiser, or an advertising provider, and etc.
The Client information is and shall remain the property of the Customer. Each Client has a unique identifier in the Maestra Service. Client information, Client actions and Client segments are available for the Customer in the Maestra Service. The Customer has the technical opportunity to enrich, alter, delete, upload and download information related to the Clients in the Account (as defined below) in the Maestra Service, using web interface or API.
The Provider shall provide the Subscription to the Maestra Service on the principle of “as is.” This means that the Customer independently determines how to use Maestra Service and is responsible for the possible consequences of its use. The Provider shall not be liable for any type of losses caused by Customer’s use or inability to use the Maestra Service or its parts/functions, including possible errors or failures.
If the cost of the Subscription to the Maestra Service for the last Accounting Period is 2 000 EUR excluding VAT or more, then the Provider provides the Customer with a level of the Maestra Service in accordance with the SLA published on https://maestra.io/documents/eu/sla/ and binding on the Parties.The Parties agree that the percentage, speed and quality of sending of electronic messages depend on circumstances beyond the will of the Parties, for example, operational algorithms of email systems spam filters and the peculiarities of communication service providers function.
The Сustomer hereby agrees that the Provider is entitled to change the functionality and user interface of the Maestra Service without notifying the Customer. The modification of the Maestra Service shall not relieve the Provider from any obligations and liabilities hereunder.
The Provider has a right to involve third parties to the Subscription to Maestra Service provision on its own behalf and at its own expense. The Provider assumes full liability for the actions or omissions of such third parties in relation to this Agreement as if the actions and omissions of such third parties are made directly by the Provider.
The Provider executes the following actions within 7 (seven) business days after the parties sign this Agreement:
Creates a Customer’s account (hereinafter - “Account”) in the Maestra Service The identification of the Customer is carried out by unique access credentials: login and password (hereinafter - “Access credentials”). The Customer is entitled to get extra Access credentials without any limitations. Extra Access credentials may be created by the Customer on its own in the Account or by the Provider upon Customer’s request received by Means of communication.
Sends to the Customer an email with all the information required for access to Maestra Service.
Information about the Manager and the Lead manager including phone number and email is available in the Account. In case a new Manager or Lead manager is assigned to the Customer, the information in the Account changes respectively. These changes have legal effect and don’t require a notification from the Provider or any approval from the Customer.
The Parties agree that the following representatives of the Provider have an access to the Account and Client information: Manager, Lead manager, and customer support specialists. The Provider is entitled to give an access to the Account to other responsible officials of the Provider if necessary, for example for error diagnostics.
- After the parties sign the Agreement, the Provider provides the trial period (hereinafter - “Trial period”) on the conditions specified below. Trial period means a free trial offer during which the Customer has access to the Maestra Service, but electronic messages can not actually be sent. During the Trial period the Customer can explore the functionality of the Maestra Service and can integrate the Maestra Service with required data systems and services.
The maximum duration of Trial period 3 month (hereinafter - “Forecasted cost”)
The duration of the Trial period starts from the date when the parties sign the Agreement.
The Customer can stop the trial period and initiate full use of the Maestra Service through the Account or by sending a request to the Provider by Means of communication. If the Customer doesn’t stop the Trial period, the Trial period will end automatically after the maximum duration of the Trial period. The Provider starts to provide the Subscription to Maestra Service on the first day after the Trial period has ended.
SCOPE OF SERVICES AND GRANTED RIGHTS
The Subscription to Maestra Service includes the Basic module (hereinafter - “Basic module”), the Basic module extensions (hereinafter - “Extensions”), the Communication channel modules (hereinafter - “Communication channel”), the additional modules (hereinafter - “Additional modules”), and the additional services (hereinafter - “Additional services”). The complete scope of the modules and services is provided in the Maestra Service Rates. As part of the Subscription to the Service, the Customer can request the Provider to create an additional project for testing campaign settings and other technical requirements (hereinafter - “Staging project”). The cost of the Staging project is calculated according to the Maestra Service Rates. If the Customer uses a Staging project, then the Customer may test modules that are active on the main project.
The Customer may activate or deactivate any Additional module and services on its own in the Account or by sending a request to the Provider by Means of communication.
The Customer agrees that it shall not, directly or indirectly (and shall ensure that Customer Users shall not): (i) engage in any act not expressly permitted by this Agreement, or access or use the Maestra Service in violation of this Agreement or in violation of any applicable laws, rules or regulations; (ii) license, sublicense, sell, resell, transfer, assign, distribute or otherwise commercially exploit or make available the Maestra Service or your right to access or use the Maestra Service to any third party in any way (unless we have given you express permission in writing to do so); (iii) copy, modify, adapt, publicly display or publicly perform or create derivative works of the Maestra Service or any portion thereof, or decompile, reverse assemble, or otherwise reverse engineer the Maestra Service or any portion thereof, except to the extent as may be expressly permitted by law and authorized hereunder; (iv) attempt to gain unauthorized access to, or otherwise impair the integrity, use or security of, the Maestra Service or any information accessible thereby (including information of third parties) or any systems or data of us or a third party; or (v) use Maestra Service to process, store, transmit or receive any information or materials if prohibited under this Agreement or by applicable laws, rules or regulations. THIS PARAGRAPH WILL SURVIVE TERMINATION OF THIS AGREEMENT FOR ANY REASON.
INVOICING AND PAYMENT, TRANSFER AND ACCEPTANCE
On or before the start of the Trial period, the Customer shall pay to the Provider, in advance, the amount specified in the invoice.
After the end of the Trial period, the Customer shall pay for the Subscription to Maestra Service monthly in advance, in accordance with Provider’s invoices, on or before the 21th day of each Accounting period.
The sum of each invoice will be based upon an advance payment in the amount of the cost of the Subscription to Maestra Service for the previous Accounting period (for the full calendar month, excluding any discounts), as well as an additional payment for the previous Accounting period (if necessary). For clarity, an advance payment made by the Customer in an Accounting period is intended to cover the costs of the Subscription to Maestra Service incurred by the Customer in the future Accounting period.
In case that the Customer has failed to pay the advance payment for the first Accounting period within 3 (three) months from the date of invoicing, the Provider is entitled to cancel the invoice for the first Accounting period and revise the conditions for the provision of services by changing Maestra Service Rates specified in EXHIBIT A to the current version located at maestra.io
The Provider is entitled to suspend the Subscription to Maestra Service with a five (5) business days’ prior notice to the Customer in case the Customer has failed to pay for the Subscription to Maestra Service. In the event of a suspension,the Customer shall be obligated to continue payment to the Provider of all fees in accordance with this Agreement. Only termination of Agreement shall mean complete termination of the Subscription to Maestra Service.
All payments are carried out according to the Agreement by wire transfer to the bank account designated by the Provider, which the Provider may update from time to time with notice to the Customer.
The cost of the Customer’s Subscription to Maestra Service is calculated each Accounting period according to the Maestra Service Rates. The actual cost of the Customer’s Subscription to Maestra Service in a given month will be provided to the Customer in a subscription breakdown, which is available for the Customer in the Maestra Service within approximately (5) business days after the end of the Accounting period to which the costs apply.
The Customer has fifteen (15) business days after the end of Accounting period to notify the Provider in writing of a bona fide dispute asserted in good faith as to one or more of the items of the monthly invoice, otherwise the Subscription to Maestra Service listed in the invoice is deemed to be accepted by the Customer. The Customer agrees that by not sending any notification of a bona fide dispute within the period mentioned in the previous sentence it acknowledges that the Subscription to Maestra Service was duly provided by the Provider and the Customer has no claims and complaints concerning the scope and quality of the Subscription to Maestra Service provided in the respective Accounting period.
Non-use of the Maestra Service by the Customer shall not be construed as a failure to provide the Subscription to Maestra Service by the Provider.
If the commencement date of the Subscription to Maestra Service is not the first calendar day of the Accounting period, the cost of the Subscription to Maestra Service will be calculated in accordance with the following formula A = B / C * D, where:
A is the cost of the Subscription to Maestra Service to be charged;
B is the cost of the Subscription to Maestra Service for the full Accounting period;
C is the number of calendar days in the Accounting period.
D is the actual number of calendar days when the Subscription to Maestra Service was provided.
Additional modules are charged according to the Accounting periods, but in proportion to the number of days when they were actually activated
The Provider is entitled to change the Maestra Service Rates by sending notification with the new version of the Maestra Service Rates to the Customer:
after prior approval from the Customer by Means of communication — without limitation on frequency of such change with changes becoming effective on date agreed by the Parties;
without prior approval from the Customer — not more frequent than once during every twelve (12) Accounting periods with changes becoming effective on date stated in the notification but not earlier than thirty (30) calendar days after such notification.
The Provider is entitled to amend the list of Communication channels, Additional modules or services by sending a notification to the Customer by Means of communication.
The Provider might provide a discount for the services in any cases including but not limited stipulated in SLA. The discount conditions are agreed upon by Means of communication with the subsequent registration in the Account without signing additional documents.
The Customer shall make all payments under the Agreement without withholding or deduction of, or in respect of, any tax unless required by law. If any such withholding or deduction is required, the Customer shall, when making the payment to which the withholding or deduction relates, pay to the Provider such additional amount as will ensure that the Provider receives the same total amount that it would have received if no such withholding or deduction had been required.
Bank fees related to the payments between parties, including but not limited by bank fees of the correspondent banks, shall be covered by sender of the payment (OUR).
DOCUMENTS AND NOTIFICATIONS
The Parties agree that the exchange of electronic documents and messages through Means of communication is an equivalent to the exchange of documents with handwritten signatures signed by simple electronic signature and has a legal effect.
A Customer’s instructions sent by e-mail or by messengers are binding for Provider only if they are addressed to support@maestra.io or to the Manager and the Lead Manager.
Each Party notifies the other Party about any change of the legal entity details or bank details, within five (5) business days after such change.
Each Party notifies the other Party of any requests made by third parties, including claims and claims arising directly or indirectly in relation to the Agreement, attaching the copies of the related documents to the notice, within reasonable time enabling the other Party the opportunity for relevant defense. The Party receiving the notice may assist in the preparation of replies to such third party, giving the sender the necessary information within the time specified in such notice.
WARRANTIES AND LIABILITY
The Customer shall indemnify, defend and hold the Provider including but not limited to its officers, affiliates, directors, agents, employees and its successors and assigns, harmless from and against any and all claims, demands, losses, costs, expenses, obligations, liabilities, damages, recoveries and deficiencies, including interest, penalties and reasonable attorneys’ fees that the Provider may incur or suffer, that arise, result from, or relate to:
any breach of, or failure by, the Customer to perform any of its obligations, warranties, covenants or agreements in this the Agreement or any other agreement furnished, or to be furnished, by the Customer;
any third party copyright and related rights infringement caused by the use by the Provider of resources provided by the Customer, committed by the Customer or other persons using the Customer’s Account under Agreement;
any breach of applicable legislation, including GDPR, committed by Customer by using the Subscription to Maestra Service;
any activities performed by the Customer.
This condition is applicable only if the Provider has notified the Customer about the requests of third parties according to the Agreement.
- The Customer warrants that resources and objects used in accordance with the terms of Agreement are in compliance with the applicable legislation, including GDPR and legislation on personal data, on advertising and competition protection, intellectual property rights and not burdened by claims of third parties, and the Customer is the exclusive owner of the provided resources, objects and/or has all required permissions from authors and other сopyrights holders in respect to intellectual property rights on such resources, on objects included in such resources and in respect of original objects (if such resources represent revisions and/or translations), provided that such permissions should not prejudice the rights of the Provider or impede the use of the objects by the Provider in accordance with this Agreement. The Customer hereby grants the Provider a non-exclusive, non-transferable right to use all the resources and objects for the purposes of due performance of Provider’s obligations under the Agreement.
If the Customer uses client information of citizens of a foreign country (not EU) and/or makes messaging to such citizens when working with the Maestra Service, the Customer guarantees compliance of all materials sent by him or by any other person through the Account applicable to foreign law, as well as compliance by the Customer with the applicable foreign law when working with the Maestra Service.
The Customer is liable for the relevant quality of Client information for Message Delivery Systems and guarantees such relevant quality. To ensure successful delivery of the Customer’s electronic communications and to maintain the rating of the Maestra Service in the systems of message delivery, the Provider is entitled to ask the Customer to carry out the required actions, including:
clean the database from dubious or unreliable information;
change the frequency of mailings;
unsubscribe some Clients from mailings; and
provide the Provider with the information proving that the Client information has legal origins.
The Customer is obliged to perform the required actions within five (5) business days after receipt of the relevant request from the Provider.
The Provider is entitled to suspend respective Additional Modules of the Maestra Service with a five (5) business days’ prior notice to the Customer in case the Customer has breached the provisions of paragraph 6.1. - 6.3. hereof. The period of time during which the Subscription to Maestra Service was suspended as a result of the Customer’s undue performance or nonperformance of its obligations under the Agreement shall be payable according to the Agreement as if the Subscription to Maestra Service was provided by the Provider. Only termination of the Agreement shall mean complete termination of the Subscription to Maestra Service.
The Сontractor guarantees compliance with GDPR and the EU Data Protection Directive in relation to the processing of Personal Data.
The Provider guarantees compliance with Data processing terms.
PENALTIES AND COMPENSATION
- Penalty for late performance or non-performance by the Customer of any obligation equals 0.1% of the value of such obligation for each day of delay, and shall be accrued in the case of due written request. Penalties shall be paid within ten (10) business days after receipt of the relevant request. The Provider can demand performance of both this penalty clause and the obligation to which this penalty clause is linked. Penalties are not charged on advance payments. Any amount due on the basis of this penalty clause will not take the place of the compensation for damages that are due by virtue of law.
FORCE MAJEURE
Neither Party shall be liable to the other Party for any delay, damage, or failure caused by or occasioned by Force majeure event. Delays due to Force majeure events shall not be deemed to be a breach of or a failure to perform under the Agreement.
The Party invoking Force majeure event circumstances shall notify the other Party within a reasonable time after their occurrence, otherwise it loses the right to invoke such circumstances.
TERMINATION OF AGREEMENT
The Term of this Agreement shall commence on the Effective Date set forth in the preamble hereof, and shall continue in full force and effect until terminated in accordance with this Article 9.
This Agreement may be terminated upon written mutual agreement of the Parties.
The Customer shall have the right to terminate this Agreement for convenience by providing a one (1) business day prior notice in writing to the Provider.
The Provider shall have the right to terminate the Agreement:
at least one (1) business day before the termination, if the Provider suspended the Subscription to Maestra Service and the Customer has not cured the cause of the suspension within five (5) business days after the date of such suspension, or if the Customer’s Subscription to Maestra Service was suspended on more than two (2) occasions in any twelve (12) month period;
for convenience, by providing the Customer with at least thirty (30) calendar days’ advance notice prior to the date of termination.
The moment of termination is the moment agreed by the Parties or stated by one of the Parties to be the last day of the Agreement.
The Subscription to Maestra Service that has already been provided at the moment of termination must be fully paid by the Customer.
The Provider shall refund to the Customer all the advance payments excluding the cost of the Subscription to Maestra Service that have already been provided by the Provider at the moment of termination.
GOVERNING LAW AND JURISDICTION
This Agreement shall be governed, construed, and interpreted in accordance with the laws of the Netherlands.
Any dispute arising under this Agreement or any other agreement resulting there from and relating thereto shall be brought before the competent court of Amsterdam, the Netherlands, notwithstanding Provider’s right to have such dispute brought before any other competent court.
MISCELLANEOUS
The Agreement sets forth the entire understanding between the Parties relating to the subject matter of the Agreement and supersedes all prior agreements, correspondence and discussions between the Parties relating to the subject matter of this Agreement and merges all prior and contemporaneous discussions between them.
Any agreements or stipulations mutually agreed on by the Parties in mutually acceptable manner that are contrary to any term of the Agreement shall prevail, unless the Provider and the Customer have expressly agreed in writing that such agreement or stipulation shall not supersede the terms of the Agreement. The EXHIBIT A to Agreement stipulating the Maestra Service Rates, the EXHIBIT B stipulating Data processing agreement shall constitute an integral part of the Agreement and shall be construed in accordance with the Agreement.
In the event that any clause or covenant of the Agreement shall be unenforceable or invalid under applicable laws or be so held by an applicable court decision, such unenforceability or invalidity shall not render this Agreement unenforceable or invalid as a whole.
The Customer shall have the right, but not the obligation to provide at least one recorded interview regarding Customer’s experience with the Provider’s products and services (the “Interview”). In addition, The Customer may provide the Provider with other information, recommendations, suggestions or other feedback regarding the Provider, including, without limitation, its products and services (collectively, “Feedback”). The Provider is authorized to create information and material based on, or arising out of, the Interview and/or Feedback (collectively, “Material”). Without any additional consideration, payment or compensation, the Customer (on behalf of itself and its parent(s), subsidiaries and affiliates (together with the Customer, the “The Customer Entities”) hereby grants the Provider and its parent(s), subsidiaries or affiliates (together with the Provider, collectively the “The Provider Entities”) an irrevocable, fully-paid, perpetual, transferable, worldwide right and license to use, and publish, such Material in any medium as determined by the Provider and/or by the Provider Entities, including, without limitation, on the maestra.io websites. The Provider and Provider Entities shall also have the right to (i) modify and create derivative works of the Material, (ii) publish Material (in whole or in part) on the official webpages or channels of the Provider and Provider Entities including, without limitation, on Facebook, Instagram, YouTube, LinkedIn, (iii) use the Material in any other forum including, without limitation, in presentations, promotional materials, conferences, exhibitions, webinars and other public events, and (iv) use the Customer’s and the Customer Entities’ logo, brand and/or other identifying information, (v) share a hyperlink to a website controlled by the Customer or Customer Entities in connection with Provider’s/ Provider Entities rights to use the Materials in accordance with this Agreement. The Customer may provide Material in the form of text, photo, video, audio or any combination thereof.
The Provider and the Provider Entities shall have the right to assign this Agreement (and/or any of its rights or obligations contained herein) to another party (including to other Provider Entities) including, without limitation, in connection with a change of control or sale of all or substantially all of the assets or business of any of the Provider Entities.
The Agreement as well as all legal instruments with regard to the Agreement may be executed in any number of counterparts, each of which shall be deemed an original and the signed counterparts will together form a single binding instrument.
- Delivery of any executed counterpart by Means of communication shall be equally effective as delivery of hard copy executed original. Upon receipt of such request the Provider shall provide to the Customer with a hard copy of the executed counterpart of the Agreement within seven (7) business days after the request, but failure to do so shall not affect the validity, enforceability or binding effect of the Agreement.
Attachments
EXHIBIT A - Maestra Service Rates
EXHIBIT B – Data Processing Agreemen
EXHIBIT A
SERVICES AND FEES, version m1.0_eu
Deposit
The Deposit is estimated based on the anticipated Service usage by the Customer and can be adjusted based on the actual Service usage. The Deposit shall be: € 7,581.
Fees
The total monthly Fees for Service is determined by the actual usage of the following Services in excess of the including Maestra platform, Active End Customer Profiles, Extensions, Additional Modules, and Additional Services, each as set forth below.
Maestra Platform
Maestra Platform includes (i) unlimited accounts to access the Services with support chat access (“Accounts”), 150,000 Active End Customer Profiles, 3 million Inactive End Customer Profiles, 500 million End Customer Profile actions, one billion End Customer Profile segment change facts and 25 million orders. The monthly fee for the Maestra Platform is €2,300.
Active End Customer Profiles
The Fee for the Active End Customer Profiles is calculated based on the number of unique Active End Customer Profiles in the Customer’s database for each month during the term of this Agreement.
| Number of Active End Customer Profiles in Provider database | Monthly Fee |
|---|---|
| 0 - 150,000 | Included into Maestra Platform |
| 150,001 – 350,000 | €0.009 per each Active End Customer Profile starting with the 150,001 Active End Customer Profile, provided that the aggregate amount shall be capped at €1,800 |
| 350,001 – 1,000,000 | €1,800 for 350,000 Active End Customer Profiles plus €0.004 per each Active End Customer Profile starting with the 350,001 Active End Customer Profile, provided that the aggregate amount shall be capped at €4,400 |
| 1,000,001 – 5,000,000 | €4,000 for 1,000,000 Active End Customer Profiles plus €0.003 per each Active End Customer Profile starting with the 1,000,001 End Customer Profile, provided that the aggregate amount shall be capped at €16,400 |
| 5,000,001 and more | €16,400 for 5,000,000 Active End Customer Profiles plus €0.002 per each Active End Customer Profile starting with the 5,000,001 |
Extensions
| Data Category | Costs per item per Month |
|---|---|
| Each Inactive End Customer Profile exceeding 3 million | €0.00005 |
| Each End Customer action exceeding 500 million | €0.000017 |
| Each End Customer segment change fact exceeding 1 billion | €0.000017 |
| Each Order action exceeding 25 million | €0.000038 |
| Each Email exceeding Active End Customer Profile x 10 | €0.0001 |
| Each Additional Brand exceeding 1 | €500 |
Additional Modules
Realtime POS Processing. The Fee for Realtime POS Processing is calculated as €1000 plus sum based on the number of unique Active End Customer Profiles in the Customer’s database for each month during the term of this Agreement:
| Number of Active End Customer Profiles in Provider database | Monthly Fee |
|---|---|
| 0 - 150,000 | Included into Maestra Platform |
| 150,001 – 350,000 | €0.00135 per each Active End Customer Profile starting with the 150,001 Active End Customer Profile, provided that the aggregate amount shall be capped at €270 |
| 350,001 – 1,000,000 | €270 for 350,000 Active End Customer Profiles plus €0.0006 per each Active End Customer Profile starting with the 350,001 Active End Customer Profile, provided that the aggregate amount shall be capped at €660 |
| 1,000,001 – 5,000,000 | €660 for 1,000,000 Active End Customer Profiles plus €0.00045 per each Active End Customer Profile starting with the 1,000,001 End Customer Profile, provided that the aggregate amount shall be capped at €2,460 |
| 5,000,001 and more | €2,460 for 5,000,000 Active End Customer Profiles plus €0.0003 per each Active End Customer Profile starting with the 5,000,001 |
Additional Services
Deliverability White Glove Service. The Fee for Deliverability White Glove Service is calculated as €1500 plus €0.000036 per each Email with total amount capped at €3,000 for each month during the term of this Agreement.
Staging project. The Fee for Staging Project is calculated as €500 plus sum based on the number of End Customer Profiles and End Customer actions in the Customer’s database for each month during the term of this Agreement:
| Data Category | Costs per item per Month |
|---|---|
| Each End Customer Profile | €0.0005 |
| Each End Customer action | €0.00003 |
Provider will provide a customer success manager as part of the subscription to the Services.
Discount Terms
The Customer is hereby granted a 5% discount on the Subscription to Maestra Service provided under this Agreement. The discount is valid for the first twelve (12) months.
EXHIBIT B
Data processing agreement
This EXHIBIT B “Data Processing Agreement” is applicable if the Customer is incorporated within the EU. GDPR is applicable to processing of the Customer’s database because the Provider and the Customer are both the EU entities.
STANDARD CONTRACTUAL CLAUSES
SECTION I
Clause 1
Purpose and scope
The purpose of these Standard Contractual Clauses (the Clauses) is to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
The controllers and processors listed in Annex I have agreed to these Clauses in order to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 and/or Article 29(3) and (4) of Regulation (EU) 2018/1725.
These Clauses apply to the processing of personal data as specified in EXHIBIT B.
Annexes I to IV are an integral part of the Clauses.
These Clauses are without prejudice to obligations to which the controller is subject by virtue of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
These Clauses do not by themselves ensure compliance with obligations related to international transfers in accordance with Chapter V of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
Clause 2
Invariability of the Clauses
The Parties undertake not to modify the Clauses, except for adding information to the Annexes or updating information in them.
This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a broader contract, or from adding other clauses or additional safeguards provided that they do not directly or indirectly contradict the Clauses or detract from the fundamental rights or freedoms of data subjects.
Clause 3
Interpretation
Where these Clauses use the terms defined in Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively, those terms shall have the same meaning as in that Regulation.
These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively.
These Clauses shall not be interpreted in a way that runs counter to the rights and obligations provided for in Regulation (EU) 2016/679/ Regulation (EU) 2018/1725 or in a way that prejudices the fundamental rights or freedoms of the data subjects.
Clause 4
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties existing at the time when these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 5 - Optional
Docking clause
Any entity that is not a Party to these Clauses may, with the agreement of all the Parties, accede to these Clauses at any time as a controller or a processor by completing the Annexes and signing Annex I.
Once the Annexes in (a) are completed and signed, the acceding entity shall be treated as a Party to these Clauses and have the rights and obligations of a controller or a processor, in accordance with its designation in Annex I.
The acceding entity shall have no rights or obligations resulting from these Clauses from the period prior to becoming a Party.
SECTION II
OBLIGATIONS OF THE PARTIES
Clause 6
Description of processing(s)
The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Annex I.
Clause7
Obligations of the Parties
7.1. Instructions
The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the controller throughout the duration of the processing of personal data. These instructions shall always be documented.
The processor shall immediately inform the controller if, in the processor’s opinion, instructions given by the controller infringe Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or the applicable Union or Member State data protection provisions.
7.2. Purpose limitation
The processor shall process the personal data only for the specific purpose(s) of the processing, as set out in EXHIBIT B, unless it receives further instructions from the controller.
7.3. Duration of the processing of personal data
Processing by the processor shall only take place for the duration specified in the Agreement.
7.4. Security of processing
The processor shall at least implement the technical and organisational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the
data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7.5. Sensitive data
If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“sensitive data”), the processor shall apply specific restrictions and/or additional safeguards.
7.6. Documentation and compliance
The Parties shall be able to demonstrate compliance with these Clauses.
The processor shall deal promptly and adequately with inquiries from the controller about the processing of data in accordance with these Clauses.
The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations that are set out in these Clauses and stem directly from Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725. At the controller’s request, the processor shall also permit and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the controller may take into account relevant certifications held by the processor.
The controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the processor and shall, where appropriate, be carried out with reasonable notice.
The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority/ies on request.
7.7. Use of sub-processors
GENERAL WRITTEN AUTHORISATION: The processor has the controller’s general authorisation for the engagement of sub-processors from an agreed list. The processor shall specifically inform in writing the controller of any intended changes of that list through the addition or replacement of sub-processors at least 5 working days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The processor shall provide the controller with the information necessary to enable the controller to exercise the right to object.
Where the processor engages a sub-processor for carrying out specific processing activities (on behalf of the controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the data processor in accordance with these Clauses. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to these Clauses and to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
At the controller’s request, the processor shall provide a copy of such a sub-processor agreement and any subsequent amendments to the controller. To the extent necessary to protect business secret or other confidential information, including personal data, the processor may redact the text of the agreement prior to sharing the copy.
The processor shall remain fully responsible to the controller for the performance of the sub-processor’s obligations in accordance with its contract with the processor. The processor shall notify the controller of any failure by the sub-processor to fulfil its contractual obligations.
The processor shall agree a third party beneficiary clause with the sub-processor whereby - in the event the processor has factually disappeared, ceased to exist in law or has become insolvent - the controller
shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
7.8. International transfers
Any transfer of data to a third country or an international organisation by the processor shall be done only on the basis of documented instructions from the controller or in order to fulfil a specific requirement under Union or Member State law to which the processor is subject and shall take place in compliance with Chapter V of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725.
The controller agrees that where the processor engages a sub-processor in accordance with Clause 7.7. for carrying out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the sub-processor can ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission in accordance with of Article 46(2) of Regulation (EU) 2016/679, provided the conditions for the use of those standard contractual clauses are met.
Clause 8
Assistance to the controller
The processor shall promptly notify the controller of any request it has received from the data subject. It shall not respond to the request itself, unless authorised to do so by the controller.
The processor shall assist the controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (a) and (b), the processor shall comply with the controller’s instructions.
In addition to the processor’s obligation to assist the controller pursuant to Clause 8(b), the processor shall furthermore assist the controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the processor:
the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;
the obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become outdated;
the obligations in Article 32 of Regulation (EU) 2016/679.
The Parties shall set out in Annex III the appropriate technical and organisational measures by which the processor is required to assist the controller in the application of this Clause as well as the scope and the extent of the assistance required.
Clause 9
Notification of personal data breach
In the event of a personal data breach, the processor shall cooperate with and assist the controller for the controller to comply with its obligations under Articles 33 and 34 of Regulation (EU) 2016/679 or under Articles 34 and 35 of Regulation (EU) 2018/1725, where applicable, taking into account the nature of processing and the information available to the processor.
9.1. Data breach concerning data processed by the controller
In the event of a personal data breach concerning data processed by the controller, the processor shall assist the controller:
- in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after the controller has become aware of it, where relevant/(unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
- in obtaining the following information which, pursuant to Article 33(3) of Regulation (EU) 2016/679, shall be stated in the controller’s notification, and must at least include:
the nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
the likely consequences of the personal data breach;
the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
- in complying, pursuant to Article 34 of Regulation (EU) 2016/679, with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
9.2. Data breach concerning data processed by the processor
In the event of a personal data breach concerning data processed by the processor, the processor shall notify the controller without undue delay and in any case no later than 24 hours after the processor having become aware of the breach. Such notification shall contain, at least:
a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
the details of a contact point where more information concerning the personal data breach can be obtained;
its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
The Parties shall set out in Annex III all other elements to be provided by the processor when assisting the controller in the compliance with the controller’s obligations under Articles 33 and 34 of Regulation (EU) 2016/679.
SECTION III
FINAL PROVISIONS
Clause 10
Non-compliance with the Clauses and termination
Without prejudice to any provisions of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725, in the event that the processor is in breach of its obligations under these Clauses, the controller may instruct the processor to suspend the processing of personal data until the latter complies with these Clauses or the contract is terminated. The processor shall promptly inform the controller in case it is unable to comply with these Clauses, for whatever reason.
The controller shall be entitled to terminate the contract insofar as it concerns processing of personal data in accordance with these Clauses if:
the processing of personal data by the processor has been suspended by the controller pursuant to point (a) and if compliance with these Clauses is not restored within a reasonable time and in any event within one month following suspension;
the processor is in substantial or persistent breach of these Clauses or its obligations under Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725;
the processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to these Clauses or to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
The processor shall be entitled to terminate the contract insofar as it concerns processing of personal data under these Clauses where, after having informed the controller that its instructions infringe applicable legal requirements in accordance with Clause 7.1 (b), the controller insists on compliance with the instructions.
Following termination of the contract, the processor shall, at the choice of the controller, delete all personal data processed on behalf of the controller and certify to the controller that it has done so, or, return all the personal data to the controller and delete existing copies unless Union or Member State law requires storage of the personal data. Until the data is deleted or returned, the processor shall continue to ensure compliance with these Clauses.
Provider has the right to amend Data processing agreement to the Agreement from time to time to reflect changes in the services or business processes, for legal, regulatory, or security reasons. Before the changes become legally binding, the Provider shall provide Customer with 10 days advance notice. If Customer doesn’t agree to the new terms, Customer can terminate the Agreement by providing 1 day advance notice of termination within the aforementioned 10 days. If Customer fails to provide notice of termination within the aforementioned 10 days, the changes are considered effective.
ANNEX I
List of parties
1. Controller(s):
Name: Customer data as filled in the Agreement
Address: Customer data as filled in the Agreement
Contact person’s name, position and contact details: Data of the Customer’s data privacy manager as filled in the Agreement
Activities relevant to the data transferred under these Clauses: Processings indicated in Annex II “Description of processing” below
Date: the effective date as filled in the Agreement
Controller’s contact email: as filled in the Agreement
2. Processor:
Name: Provider data as filled in the Agreement
Address: Provider data as filled in the Agreement
Contact person’s name, position and contact details: Data of the Provider’s data privacy manager as filled in the Agreement
Activities relevant to the data transferred under these Clauses: provider of the Maestra Service that is a software for marketing automation which is distributed as SaaS, in the course of which it processes certain personal data as a processor
Date: the effective date as filled in clause 12 of the Agreement.
Processor’s contact email: dpo@maestra.io
ANNEX II
Description of the processing
The frequency of the transfer (e.g. whether the data is transferred on a one-of or continuous basis).
The data is transferred on a continuous basis. It is deleted in 30 days after the termination of the contract between the Provider and its Customer plus 6 months after deleting of data before the removal of backup.
I. Processings of controller’s customers’ data
Duration of the processing
The data is transferred on a continuous basis. It is deleted in 30 days after the termination of the contract between the Provider and its Customer plus 6 months after deleting of data before the removal of backup
Maestra CDP
1. PURPOSE: Creating a client (customer) profile in CDP
Categories of personal data processed
● Maestra ID (customer)
● Name
● Phone number
● IP address
● Gender
● Date of birth
● Type of device and its display resolution
● Additional info (from the comments field)
● Extra fields added by customer
● Browser type and version
● GEO (country or town)
● Registration date
Nature of the processing
Registration of customer’s project in the Maestra system.
Subprocessors, subject matter, nature and duration of their processing
The data are stored on the servers of Microsoft and Leaseweb Deutschland GmbH, Amazon Web Service, within the EU. It is deleted in accordance with the storage period identified for this processing. The Maestra Group of Companies may also have access to the data to perform technical operations related to data processing.
2. PURPOSE: To merge profiles of the same people
Categories of personal data processed
● Phone number
● App ID
● Web ID
● Order number
● Bank card hash
● Maestra ID (customer)
Nature of the processing
When there are more than 1 account of the same person, the data contained in those accounts is merged and presented for the controller as the data of one user.
Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
3. PURPOSE: Saving the history of customer’s actions on customer’s website, interactions with mailing lists etc. (actions)
Categories of personal data processed
● What pages are opened
● Which buttons are clicked
● Whether the emails have been read (opening rate)
● Orders history
● Product list interactions
● Information about the loyalty program
● Maestra ID (customer)
● Information about the lead form where the request was left
● Whether the customer is logged in to the site
● Loyalty card activation
● Bonuses accrual
● Product categories browsing history
● Product browsing history
● Subscription status
● Other actions
Nature of the processing
Actions of the controller’s customer are transferred to Maestra system to configure marketing campaigns more efficiently
Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
4. PURPOSE: CDP segmentation (by behavior, purchases, and other personal data) Categories of personal data processed
● Segment
● Maestra ID (customer)
● Phone number
● IP address
● Gender
● Date of birth
● What pages are opened
● Which buttons are clicked
● Whether the emails have been read (opening rate)
● Orders history
● Product lists
● Information about the loyalty program
● Whether the customer is logged in to the site
● Loyalty card activation
● Bonuses accrual
● Viewing product categories
● Viewing product
● Subscription status
● Other actions
● DeviceUUID
Nature of the processing
Adding customer to a particular segment based on parameters, defied by the controller. Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
5. PURPOSE: Building communication workflows
Categories of personal data processed
● Behavioral trigger
● Maestra ID (customer)
Nature of the processing
Controller indicates, which action should Maestra perform with regard to its customers based on different parameters.
Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
6. PURPOSE: Retention marketing
Categories of personal data processed
● Name
● Phone number
● Orders history
● Order amount
Nature of the processing
Conditions for retention marketing are defined by the controller. Maestra interacts with its customers in accordance with prescribed scenarios.
Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
7. PURPOSE: Targeting by personal data and behavior on the sit
Categories of personal data processed
● Segment
● Maestra ID (customer)
● Phone number
● IP address
● Sex
● Age
● What pages are opened
● Which buttons are clicked
● Whether the emails have been read (opening rate)
● Orders history
● Product lists
● Information about the loyalty program
● Other actions
Nature of the processing
Maestra analyses customers’ behavior on the website of controller. Based on the obtained analytics, controller defines further marketing activities for particular behavior pattern.
Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
Maestra product recommendations. Best Sending Time
8. PURPOSE: Automated email sending at the best possible time (Machine learning driven algorithm) Categories of personal data processed
● Automatically generated time of sending
Nature of the processing
The system defines which time of newsletter sending is more appropriate for a particular customer and sends the message.
Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
9. PURPOSE: Determine the best time to send
Categories of personal data processed
● Average Open rate
● Average Click rate
● Name
● Surname
● Maestra ID (customer)
● Distribution of the most appropriate time to send messages by days
● History of client’s interaction with products, newsletters, etc.
● Phone number
● Brand
● Contact point
● Region
Nature of the processing
This algorithm automatically determines the best campaign sending time for each customer Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
Maestra campaign modules
Maestra Email
10. PURPOSE: Email campaigns
Categories of personal data processed
● Segment
● Subscription status
● Behavioral trigger
● Order/delivery status
● Name
● Date of birth
Nature of the processing
Bulk, automated and transactional email campaigns via Maestra interface. Includes an ESP with unlimited messages.
Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
Maestra SMS
11. PURPOSE: SMS campaigns
Categories of personal data processed
● Segment
● Phone number
● Subscription status
Nature of the processing
Bulk, automated and transactional SMS campaigns.
Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
Maestra Mobile push and web push campaigns
12. PURPOSE: Mobile push notification campaigns
Categories of personal data processed
● Segment
● Subscription status
● Filter indicated by the customer
● Clicks on the push
● Sender ID
● ID of the project in the firebase
● Secret key
● Tracker (configuration of parameters of service worker and firebase)
● Device settings concerning sending mobile pushes
Nature of the processing
Bulk, automated, and transactional campaigns sent via mobile push notifications.
Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
When the Customer sends mobile push notifications, the notifications will be delivered to Android phone users through Firebase Cloud Messaging, provided by Google LLC (USA), to iPhone users through Apple Push Notifications, provided by Apple Inc., to Huawei users through Push Kit operated by Huawei Technologies Co. Ltd. (China).
13. PURPOSE: Sending web pushes
Categories of personal data processed
● Segment
● Subscription status
● Filter indicated by the customer
● Clicks on the push
● Whether the browser allows to send push
● Token (if the browser allows to send push)
● Sender ID, ID of the project in the firebase
● Secret key
● Tracker (configuration of parameters of service worker and firebase)
Nature of the processing
Based on the parameters indicated by the controllers and the matching behavior of its customers, customers will receive push notifications in their web browsers.
Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
To send web pushes our service uses Firebase Cloud Messaging, provided by Google LLC (USA).
Maestra Website Personalization
14. PURPOSE: Customization of popups, banners, embeddings and widgets
Categories of personal data processed
● Segment
● Name
● Subscription status
● UTM-tags
● URL from which new lead was obtained
● Domen
● City
● City ID
● Date and time of creation
● Number of purchases
● Orders history
● History of client’s interaction with products, newsletters, etc.
● Time spent on the website
● Bonuses accrual
● Phone number
● Promocode
● History of website visits
● Type of device and its display resolution
● Commentaries left in the form
● Items in the shopping bag
● Traffic source for the visitor
● Actions on the website page
Nature of the processing
Based on the parameters indicated by the controllers and the matching behavior of its customers, customers will see personalized content on websites and mobile applications.
Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
Maestra Ad Optimization
15. PURPOSE: Integration with advertising tools
Categories of personal data processed
● Customer’s database
● Segment
● Phone number
● Sex
● Date of birth
● Surname
● Name
● Region
● City
● Index
Nature of the processing
Customer may choose to integrate the system with advertising tools (e.g, Facebook Pixel) and merge data obtained by the tools with data stored in Maestra.
Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
Operated by Albato Limited (EU). The data are stored by Albato Limited at Amazon Web Services (USA).
Particular advertising tool is chosen by the controller (customer).
16. PURPOSE: Collection of contacts from lead forms
Categories of personal data processed
● Name
● Company name
● Phone number
● Information about the lead form where the request was left
Nature of the processing
The lead forms are posted in social media by the means of Albato tool. When user responses to the form, history of interaction with it is send to Maestra.
Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
Operated by Albato Limited (EU). The data are stored by Albato Limited at Amazon Web Services (USA). 17. PURPOSE: Setting up audiences for advertising tools
Categories of personal data processed
● Segment
● Customer’s database
Nature of the processing
Defining characteristics (segments) for further marketing via advertising tools
Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
Operated by Albato Limited (EU). The data are stored by Albato Limited at Amazon Web Services (USA). Particular advertising tool is chosen by the controller (customer).
Maestra standard integrations
18. PURPOSE: Integration with third-party services for data collection/accumulation (CMS, CRM, ERP, Cashiers, BI, App, Wallet. Open API)
Categories of personal data processed
● Customer’s database
Nature of the processing
Customer can upload it database and integrate its databases from other services for data collection with Maestra.
Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
Maestra Loyalty and Promotion engine
19. PURPOSE: Setting up loyalty programs
Categories of personal data processed
● Maestra ID (customer)
● Information about the loyalty program
Nature of the processing
Controller adds its customers to loyalty programs. Maestra provides data on the history of interaction with customers
Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
Maestra CDP: analytics and reports
20. PURPOSE: Uploading data to the system from CSV files or via API
Categories of personal data processed
● Customer’s database
Nature of the processing
Customer can upload its database in CSV format or via API and merge it with data in Maestra system. Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
21. PURPOSE: Advertising campaign analytics and report generation (conversion, advertising effectiveness measurement)
Categories of personal data processed
● What pages are opened
● Which buttons are clicked
● Whether the emails have been read (opening rate)
Nature of the processing
Customer may generate report with aggregated statistics on the conversion and advertising effectiveness. Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
22. PURPOSE: Generating reports on newsletters
Categories of personal data processed
● Clicks on the newsletter
● Openings of the newsletter
● Name of the newsletter
● Newsletter campaign
● Newsletter channel
● Newsletter type
● Tag
● Brand
● Conversions
● Unsubscribtions
● Revenue
● Orders
Nature of the processing
Analysis of data on newsletters’ views, openings, etc. and reports generation.
Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
23. PURPOSE: Generating reports on customers
Categories of personal data processed
● Subscription status
● Brand
● Date of subscription
● Whether customer’s client is registered on the chosen channel
● Average Open rate
● Average Click rate
● Orders history
● Age, Sex
● Region
● Segment
● Viewing product
● Viewing product categories
● Information about the loyalty program
Nature of the processing
Generation of reports on particular actions/characteristics.
Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
24. PURPOSE: Generating a report on billing actions
Categories of personal data processed
● Customer’s database
Nature of the processing
View of billing metrics to verify the correctness of the invoice. The report uses key indicators such as the number of personal and customer actions, transitions between recalculated and static segments.
Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
25. PURPOSE: Integration of Maestra system with testing environment
Categories of personal data processed
● Customer’s database
Nature of the processing
Customer may simplify integration with Maestra by integrating it with testing environment. Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
Maestra product recommendations
26. PURPOSE: Finding Look-A-like audiences in relation to the products they buy Categories of personal data processed
● Behaviour of similar clients
● History of client’s interaction with products, newsletters, etc.
Nature of the processing
Search of people with similar interests and other characteristics.
Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
II. Processings of controller’s customers’ and anonymous customers’ data
Maestra Next Best Action algorithm
1. PURPOSE: Build a scenario of recommendations for products
Categories of personal data processed
● Orders history
● Viewing product
● Viewing product categories
● Actions with client’s lists
● Behaviour of similar clients
● Client’s actions with product categories
● Product recommendations
● History of client’s interaction with productsnewsletters, etc.
● Region
● Web ID
● Maestra ID (customer)
Nature of the processing
Controller indicates, which product to recommend based on customers’ behaviour.
Subprocessors, subject matter, nature and duration of the processing
The data are stored on the servers of Microsoft Corporation LLC and Leaseweb Deutschland GmbH, Amazon Web Service, within the EU. It is deleted in accordance with the storage period identified for this processing. The Maestra Group of Companies may also have access to the data to perform technical operations related to data processing.
2. PURPOSE: Generate the next offer
Categories of personal data processed
● Orders history
● Viewing product
● Viewing product categories
● Actions with client’s lists
● Behaviour of similar clients
● Client’s actions with product categories
● The list of clients most likely to buy products (tomorrow)
● Product recommendations
● History of client’s interaction with products, newsletters, etc.
● Region
● Web ID
● Maestra ID (customer)
Nature of the processing
The algorithm defines next marketing offer for a customer based on their behavior.
Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
3. PURPOSE: Creating a look-a-like for a loyal audience
Categories of personal data processed
● Segment
● Information about the loyalty program
Nature of the processing
Search of potential customers by identifying common characteristics of customers subscribed to loyalty programs.
Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
III. Processings of controller’s admin and authorized users’ data
Maestra Customer account & billing
1. PURPOSE: Creating an employee account in the system
Categories of personal data processed
● Login
● Password
● Internal ID (employee)
Nature of the processing
The registration of customer’s profile in Maestra system. The customer manages marketing activities and interaction with its customers using this profile.
Subprocessors, subject matter, nature and duration of the processing
The data are stored on the servers of Microsoft Corporation LLC and Leaseweb Deutschland GmbH, Amazon Web Service, within the EU. It is deleted in accordance with the storage period identified for this processing. The Maestra Group of Companies may also have access to the data to perform technical operations related to data processing.
2. PURPOSE: Access distribution for customer’s employees
Categories of personal data processed
● Login
● Access level
● Internal ID (employee)
Nature of the processing
Customer may hide personal data from its certain employees.
Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
3. PURPOSE: Logging customer logins and employee actions
Categories of personal data processed
● Login
● Time of the login
● Internal ID (employee)
● Actions with customer’s data (editing, deletion, merging of the profiles etc.)
Nature of the processing
The attempts to login to the customer’s profile (admin’s account or in account of authorized employees) as well as other actions in the system are logged.
Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
4. PURPOSE: Authorization of user
Categories of personal data processed
● Login
● Password
● Phone number
● Internal ID (employee)
Nature of the processing
Login in user account via password.
Subprocessors, subject matter, nature and duration of the processing
The same as described for purpose 1 above.
A. COMPETENT SUPERVISORY AUTHORITY
Autoriteit Persoonsgegevens
Postbus 93374
2509 AJ DEN HAAG
Telephone number: (+31) - (0)70 - 888 85 00
https://autoriteitpersoonsgegevens.nl/en
ANNEX III
Technical and organisational measures including technical and organisational measures to ensure the security of the data
• Access control policy is implemented
• Employee training on data protection and information security
• Monitoring the composition of hardware software and information security tools • Rules for using email and spam protection
• Information security risk analysis is conducted annually
• Information security policy is implemented
• Differentiation of access rights
• A registry of information assets is maintained
• Inventory of information assets is carried out annually
• Risk management policy
• Areas of responsibility for information security are defined and distributed • Information security provisions are included in contracts with counterparties • MDM tool combined with anti-virus software and enforced updates
• NDAs with employees are signed
• Employees have access to the training material on information security
• NDAs with counterparties are signed
• When an employee quits, they need to complete the steps concerning infosecurity set out in the checklist (Trello)
• System of accounting of hardware in the infrastructure
• Confidentiality policy
• Used components from data centers are transported by the employees of the Company • Network segmentation
• Accounting and reporting of OS on workstations and servers
• Security logs from MacOS are collected in Graylog
• Data in a product are masked
• Protection against brute-force attack while entering password (blocking after 5 failed attempts) • Two-factor authentication
• 1Password is used to ensure password security
• CCTV at the entrance to company’s office
• Equipment is sited as recommended by respective manufacturers and security regulations • Clean desk policy
• Clean screen policy
• Lock screen policy
• Protection of computers with Microsoft Defender
• Master Data Management tools are implemented
• Daily data backup
• Additional off-site backup storage shall be in place
• Log of Information security incidents
• Logging of user workstations is carried out by the built-in means of the OS
• Users’ and administrators’ activities in the information system are logging by the built-in tools of the OS and the information system
• External web application scanning for vulnerabilities
• The network equipment supports the firewall features
• Testing of new versions of information systems in an isolated environment
• Network management and control is performed by Dlink DFL firewalls
• An ACL is configured between VLANs
• Rules are set up to filter incoming traffic; all ports are blocked
• The recommended data transfer channels are given in the product instruction • App sessions are protected with tokens
• Sessions are protected with unique links signed keys sent by email and more • License Agreements are signed with counterparties
• Journal of familiarization with the rules of processing personal data for employees • Formalized list of positions allowed to process personal data
• External information security audits
• Logins and exits to the admin account are logged
• Granting accesses are logged
• The administrator can differentiate access rules for personnel
• The customer can view the actions of a support employee in the action log • Personal data are masked for Maestra employees
• Customer can set retention period for storing personal data
• Backups of deleted data are stored for 6 months
• Customer can set the password expiration date
• Customert can choose to mask personal data in the accounts of its particular employees
• Data encryption type is chosen by the customer in their account