Cyrus, a simplified joint-stock company registered with the Paris Trade and Companies Register under number 498 019 298 with its registered office at 55 rue d’Amsterdam, 75008 Paris (hereafter “Cyrus“) operates a solution relating to marketing and/or transactional email and/or SMS via its website www.cyrusmail.com (“the Site“).
Any special conditions potentially negotiated between Cyrus and the User shall prevail over these General Conditions of Use.
The terms used in this document are defined as follows:
The “User” means any natural or legal person using the Cyrus Services.
The “Services” provided by Cyrus are the features made available to Users via the Site such as sending SMSs and emails, providing reports or optimising the deliverability of messages sent (the complete list of features is available at the following address: https://cyrusmail.com/features/).
The “data processor” is the company that performs data processing at the request of a data controller. Thus, Cyrus acts as a data processor to make its Services available to Users, who define the purpose and the means of the processing. Cyrus may also use secondary processors (“sub-processors”) to carry out data processing on its behalf.
The “User’s data” is understood as data processed by Cyrus on behalf of the Users within the framework of the performance of the Services subscribed.
“Personal data” means information relating to an identified or identifiable natural person.
The “Parties” shall mean Cyrus and the User.
1) Purpose of Cyrus Services
Cyrus provides solutions relating to marketing and/or transactional email and/or SMS , through its sending platform, marketed via the Site.
2) User account management
The use of Cyrus Services requires the creation of an online account.
The Users are responsible for the accuracy of the information they provide and undertake to update the information concerning them or to notify Cyrus without delay of any change affecting their situation.
The Users shall take all useful measures to maintain the confidentiality of access to their account.
In the event of fraudulent use of their account, the Users undertake to immediately notify Cyrus and change their access password without delay.
Any costs resulting from such unauthorised use shall be borne by the Users until Cyrus has been notified by them of such use.
Cyrus shall in no event be liable for material or immaterial damages resulting from the use of the account by a third party, with or without the Users’ permission.
Cyrus shall store messages sent through its platform on behalf of the Users. Distribution lists shall be maintained as long as the Users correctly set up and update their account. Cyrus shall protect the integrity, confidentiality and administrative, material and technical security of the Users’ personal information.
3) Financial conditions
By subscribing to Cyrus Services, the Users agree to pay the price corresponding to the Services selected and to their country of residence.
Unless specifically otherwise stipulated, the prices of the Services subscribed shall be paid at the time of subscription and in the currency in which they were invoiced.
The prices displayed on the Site are exclusive of charges, and they do not include VAT. Additional charges shall be applied on the invoice according to the Users’ country of residence and applicable legal and regulatory provisions.
4) Use of the Services
4.1 Compliance with applicable regulations
Each Party declares that it shall respect the regulations applicable to its activity.
In general terms, the Users shall guarantee that the information sent via the Cyrus Services does not contravene any legal or regulatory provision or a provision resulting from an international agreement applicable to them and in particular the provisions in force in France, in the State in which the User carries out their activity and in the State in which the persons appearing on the distribution lists reside, nor the rights of third parties.
For information purposes and without this list being exhaustive, the sending of email and SMSs to customers and prospects is subject to the applicable data protection rules, as well as the following rules:
- United States: Telemarketing Sales Rule, Federal Telephone Consumer Protection Act, Can-Spam-Act.
- In France: Articles L.34-5 of the French Post and Electronic Communications Code (Code des postes et des communications électroniques) and L.121-34-1-1 of the French Consumer Code (Code de la consommation).
- In Italy: Italian Code on Data Protection (Codice in materia di protezione dei dati personali).
- In Spain: Law 34/2002, of 11 July 2002, on company information services and electronic commerce (Ley 34/2002, de 11 de julio, de servicios de la sociedad de la información y de comercio electrónico) and Organic Law 15/1999 of 13 December 1999, on the Protection of Data of a Personal Character (Ley Orgánica 15/1999, de 13 de diciembre, de Protección de Datos de Carácter Personal).
- In the United Kingdom: The Privacy and Electronic Communications (EC Directive) Regulations 2003.
User’s intellectual property rights
The Users authorise Cyrus to use their name, brand and visual identity solely for the purpose of executing the Services.
The Users guarantee to Cyrus:
- that they have full power and authority to exploit and grant intellectual and industrial property rights and that these rights are in no way assigned, hypothecated, encumbered or in any way vested in a third party;
- that they have not and will not, by assignment to a third party or by any other means, do anything likely to compromise the use of intellectual and industrial property rights;
- that they have not nor will not introduce into their campaigns any sequence, reproduction or reminiscence likely to infringe on the rights of third parties;
- that no litigation or proceedings are pending or about to be brought in relation to the intellectual property rights.
In addition, the Users shall undertake to guarantee Cyrus against any claim by third parties as well as any penalty that Cyrus may find itself imposed against it resulting from any non-compliance with this article.
4.1.2 Cyrus’s intellectual and industrial property rights
All programs, services, processes, designs, software, technologies, trademarks and trade names and inventions appearing on the Site, accessible via the Site or via the Cyrus Services , are the property of Cyrus or its licensors.
The Users shall undertake not to use, in any way whatsoever, the Site, the Services or any of the elements set out above for purposes other than those provided for herein.
4.2 Protection of the personal data of third parties
For the purposes of providing the Services, Cyrus has access to information contained in email distribution lists created by the Users via their personal account, as well as to the subject and content of emails sent to their distribution lists through the Services. This information contains personal data concerning third parties.
4.2.1 Responsibility of the Users in relation to personal data
As creators of the distribution lists, the Users are responsible for the processing of the personal data appearing in those lists within the meaning of the applicable regulations. As such, if the Users are domiciled in the European Union, or if their distribution lists contain personal data of citizens of the European Union, the User guarantees to Cyrus that they shall comply with the provisions of Regulation No. 2016/679 of 27 April 2016 (the “GDPR”) as well as those of Law No. 78-17 of 6 January 1978 Information Technology, Data Files and Civil Liberties, and in particular:
- that the personal data contained in the files transmitted have been collected and processed in compliance with the applicable regulations;
- that the Users have informed the data subjects in accordance with the applicable rules;
- where appropriate, that the collection and processing have been consented to by the data subjects;
- that the data subjects shall be allowed to exercise their rights in accordance with the applicable rules;
- that the Users undertake that the information will be rectified, completed, clarified, updated or deleted if it is inaccurate, incomplete, ambiguous or out of date, or if the data subject wishes to prohibit its collection, use, communication or storage.
It is specified that the Users are solely responsible for managing the retention periods of personal data that they upload onto the Cyrus platform, and that it is incumbent on them to delete the data as and when its retention period expires. Cyrus is responsible only for deleting this data at the end of its contractual relationship with the Users.
In addition, the Users shall undertake not to include in the distribution lists uploaded onto the Cyrus platform any personal data known as “sensitive” within the meaning of Article 9 of the GDPR, and in particular no health data, but also no data relating to criminal convictions and offences, any social security number, or any bank card number. Cyrus can in no way be held responsible for the presence of such personal data on its platform, and the consequences that could result therefrom. In the event of a violation of this clause, the User shall be solely responsible for any consequences, and undertakes to guarantee, and if necessary indemnify, Cyrus.
4.2.2 Protection of the User’s personal data
Cyrus has taken all the necessary precautions to preserve the security of personal data and, in particular, to prevent it from being distorted or damaged or from unauthorised third parties having access to it.
These measures include the following:
- Multi-level firewall
- Proven anti-virus and detection of intrusion attempts
- Encrypted data transmission using SSL/https/VPN technology
- Tier 3 and PCI DSS certified data centres
In addition, access to processing by Cyrus Services requires authentication of the persons accessing the data, by means of an individual access code and password, sufficiently robust and regularly renewed.
Data transmitted over unsecured communication channels shall be subject to technical measures designed to make such data incomprehensible to any unauthorised person.
4.2.3 Conditions of the processing relationship
Cyrus acts as a data processor on behalf of the Users, and undertakes to respect the obligations described in the Annex “Agreement on the processing of personal data“.
In this context, it is specified that:
- The Users can retrieve their distribution lists at any time by clicking on the “export button” from their personal Cyrus account.
- Personal data contained in the distribution lists may only be disclosed to third parties in the following cases:
- with the authorization of the Users certifying that the data subject have themselves authorized this disclosure;
- at the request of the competent legal authorities, on judicial requisition, or in the context of a legal dispute.
4.2.4 Use of the data by Cyrus
To enable Cyrus to pursue its legitimate interests, in particular relating to risk management, and the evaluation of the quality of Users’ mailing lists (and, for example, to avoid the risks of spam, phishing or fraud), the Users are informed that Cyrus reserves the right to transmit these lists and their content to third party providers domiciled outside the European Union, for the purpose of establishing a reliability score. Any transmission of this data will be carried out by Cyrus in compliance with applicable rules.
Finally, the Users expressly accept that the behavior of the recipients of these emails may be analyzed by Cyrus (tracking opening rates, click rates and bounce rates at the individual level) to improve its emailing campaigns.
4.3 Prohibited uses
The use of the Cyrus Services resulting from the subscription to the said Services is strictly personal and may not be rented or transferred free of charge or for a fee to a third party. In the absence of prior authorisation, the use of Cyrus is limited to only one account per User.
Any use of the Services that may damage, disable, or overload Cyrus’s infrastructure or networks connected to Cyrus’s servers, or interfere with the enjoyment of the Services by other Users, is prohibited.
Any attempt to access, without authorisation, the Services, any other accounts, computer systems or other networks connected to a Cyrus server or any of the Services via hacking or any other method is prohibited.
The use of the Services for the purpose of selling products or services related to illegal or fraudulent activities or encouraging such activities and, in particular, without this list being exhaustive, activities related to illegal drugs, hacking programs, instructions for assembling or creating bombs, grenades or other weapons, materials containing violence against children or which encourages violence is prohibited.
Any use of the Services contrary to the applicable rules relating to telemarketing, email marketing, anti-spam, anti-phishing or personal data protection is prohibited.
Any use of the Services in violation of the rights of third parties is prohibited.
In the event of non-compliance with this article, Cyrus reserves the right to immediately block the Users’ access to their Services and to remove all information from their account without notice and without refund or any other form of compensation.
Cyrus reserves the right to refuse or limit service to accounts not complying with its General Conditions of Use or with laws regulating communications companies, or accounts distributing unwanted communications.
The following topics are prohibited on the Cyrus platform:
- Weight loss
- Exchange of currencies, fraudulent shares and stock market transactions
- Home job offers making “get rich fast” promises, financial packages and pyramid schemes
- Sexually explicit pornography or e-commerce
- Remedies for erectile problems
- Hiring solicitation
- Lists of a political character (consular, government lists, etc.) containing addresses of individuals who have not given their explicit consent to receive communications from an identified advertiser. The fact that an email address was given to a Consulate or Embassy shall not be considered as proof of an undertaking to opt-in.
- Initial Coin Offering (ICO)
Accounts with the following activities will only be validated under certain conditions:
- Clairvoyance, fortune telling and astrology
- Gambling and other money games
- Dating services
- Communications to contacts acquired from social networks like LinkedIn and Viadeo
5) Responsibilities and guarantees
5.1 Responsibilities and guarantees of Cyrus
Except in cases of force majeure, Cyrus guarantees to the Users the proper performance of its service rendered in compliance with these General Conditions of Use.
Any potential compensation due from Cyrus, to the User or to a third party, due to the liability of Cyrus, its subsidiaries or its partners, in respect of the performance of these conditions, shall not exceed the price paid by the User in return for the Service(s) giving rise to the said liability.
In no case shall Cyrus guarantee to the User the economic, image or information returns that the latter may expect from sending emails or SMSs in the context of these conditions.
Cyrus does not systematically control the content of messages sent by the Users to their distribution lists, which remains the responsibility of the Users.
In no case can Cyrus be held responsible in any capacity whatsoever in relation to third parties for any damage resulting from the sending of emails or SMSs on behalf of the Users.
5.2 Responsibilities and guarantees of the Users
The Users shall solely be responsible for the content of emails or SMSs sent to their distribution lists in the context of the performance of these conditions.
The Users may be held liable for non-compliance with these General Conditions of Use, with Cyrus’s privacy and anti-spam policies or with any legal or regulatory provision or with a provision resulting from an applicable international agreement.
The Users guarantee Cyrus against any damage, any claim and any recourse of third parties resulting from a violation, by the Users, of the present General Conditions of Use, of the privacy and anti-spam policies of Cyrus or of any legal or regulatory provision, or a provision resulting from an applicable international agreement.
6) Changes to the use conditions, to Cyrus policies and to the offer
Cyrus may modify these General Conditions of Use, its anti-spam and privacy policies as well as its offer.
The Users will be informed of any changes by email or directly on their cyrusmail.com account and invited to accept this change to continue using the Services.
Cyrus’s General Conditions of Use, anti-spam and privacy policies as well as its offer updated with the latest changes are available at any time on the Site.
7) Duration – Termination
The present General Conditions of Use are in force for an indefinite period.
The Users may terminate their Cyrus account directly from the Site at any time.
In the event of termination by the Users, the sums paid in consideration of the Cyrus Services shall remain due to Cyrus even if the Users did not exhaust the acquired mailing quotas.
In the event of non-compliance by the Users with these General Conditions of Use, with Cyrus’s privacy and anti-spam policies or with any legal or regulatory provision or one resulting from an applicable international agreement, Cyrus reserves the right to terminate the Users’ account subject to 15 days’ notice.
The termination will occur without notice in the event of non-compliance with the article “Use of Services” of these conditions.
8) Force majeure
The Parties shall not be held liable if the non-performance or delay in the performance of one of their obligations described in these General Conditions of Use results from a force majeure event.
Force majeure means any external event which was impossible to prevent and which was unforeseeable as interpreted by the jurisprudence of the French courts, and which prevents one of the Parties from performing their obligations or makes the performance of the same excessively onerous.
Expressly, the following will be considered cases of force majeure, in addition to those usually considered by the jurisprudence of the French courts, and without this list being restrictive:
- wars, armed conflicts, riots, insurrections, sabotage, acts of terrorism,
- general or partial strikes, internal or external to the company, affecting a supplier or a national operator, lockouts, blockades of transport facilities or procurement for any reason whatsoever,
- natural disasters resulting in the destruction of infrastructure, such as fires, storms, floods, water damage,
- governmental or legal restrictions, legal or regulatory changes to forms of marketing, cases involving the suspension, cancellation or revocation of any authorisation by any relevant competent authority,
- interruptions of the network of Cyrus, its subcontractor or its supplier, as a result of computer breakdowns, blocking of telecommunications means, whether resulting from external attacks, interruptions to services by the access provider or other persons, and any other event not attributable to Cyrus, its subcontractor or its supplier, preventing the normal performance of the services rendered,
- interruptions of the power supply of more than 48 hours.
Each party shall notify the other party by registered letter with acknowledgement of receipt of any force majeure event.
9) Protection of personal data concerning the User
10) Partial invalidity of the GCU
The annulment of either of the clauses of the General Conditions of Use may not entail the annulment of the same in their entirety, provided however that the balance and the general economy of the agreement can be safeguarded.
11) Applicable Law – Attribution of jurisdiction
The General Conditions of Use are governed solely by French law.
Any dispute between the Parties arising from questions as to the validity, interpretation and/or performance, termination or breach of the General Conditions of Use shall be submitted by the first-acting Party to the Commercial Court of Paris, including in the event of summary proceedings, guarantee claims and/or multiple defendants.
ANNEX 1 – Agreement on the processing of personal data
In the context of the Services provided to the User, Cyrus is required to carry out personal data processing operations on behalf of the User. This processing is carried out for the duration of the contractual relationship between Cyrus and the User.
The processing carried out by Cyrus on behalf of the User is described below:
- Storage of contact lists uploaded by Users
- Sending messages by email or SMS, whether automated or not
- Retention and analysis of email deliverability data
- Retargeting display
- Collection of unsubscriptions and User information affected
- Collection of consents (in the event that the User uses the Cyrus form to retrieve contact data from their own site)
In this respect, Cyrus declares that it offers sufficient guarantees as to the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the GDPR and ensures the protection of the data subject’s rights, and undertakes to respect the following obligations:
1. Cyrus’s Obligations
a) User’s instructions
Cyrus undertakes to process personal data only for the purposes of performing the Services in accordance with the User’s instructions. Thus, Cyrus agrees not to concede, rent, transfer or otherwise communicate to another person, all or part of the personal data, even free of charge, and not to use the personal data for purposes other than those provided in the General Conditions of Use.
In the event that Cyrus considers that an instruction given by the User constitutes a violation of an applicable law, Cyrus must immediately inform the User.
b) Confidentiality and security
Cyrus guarantees the confidentiality of personal data processed in connection with the Services. As such, it ensures (i) that personal data is communicated only to persons who need to know it, (ii) that these persons are aware of the User’s instructions and undertake to process the personal data entrusted to them only in strict compliance with the instructions and for no other purpose, (iii) that they are subject to an appropriate contractual or legal obligation of confidentiality, and (iv) that they receive the necessary training in the field of data protection.
Cyrus undertakes to implement the appropriate technical and organizational measures in order to preserve the confidentiality and security of personal data and, in particular, to prevent it from being distorted, damaged or communicated to unauthorised third parties, and more generally, to protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorised dissemination or access, as well as against any form of unlawful processing, it being specified that these measures must ensure, taking into account best practice and the costs associated with their implementation, a level of security appropriate to the risks presented by the processing and the nature of the data to be protected and, more generally, in order to guarantee a level of security of personal data appropriate to the risk.
c) Notification of violations of personal data
In the event of an accidental or unlawful breach of security resulting in the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data processed by Cyrus, Cyrus undertakes to immediately notify the User within 72 hours of the detection of the incident.
In such circumstances, and in consultation with the User, Cyrus undertakes to put in place the necessary data protection measures and to limit any negative effects on the data subjects.
Cyrus undertakes to provide the User with all reasonable information and assistance to enable the latter to comply with its obligations to notify the data protection authorities and, where applicable, the data subjects.
d) User support
Cyrus undertakes, as far as possible, to assist the User in fulfilling its own obligations. Thus, Cyrus shall:
- take charge of the requests to unsubscribe from distribution lists on behalf of the User;
- respond promptly to any request from the User concerning the personal data processed, in order to enable the User to take into account, within the time limits set, any potential requests from data subjects (right of access, right of rectification, right of destruction, etc.), and more generally to take into account the nature of the processing and help the User through appropriate technical and organisational measures to comply with their obligation to respond to requests submitted by the data subjects with a view to exercising their rights;
- forward to the User, on receipt, requests from the data subjects to exercise their rights;
- assist and collaborate with the User in order to guarantee compliance with its obligations, in accordance with the applicable regulations on the matter, and in particular help the User to ensure the security of personal data, to comply with its obligations in the event of a security breach and to assist the User in carrying out any measures necessary prior to processing, such as the implementation of an impact analysis.
e) Data access / deletion
At any time during the implementation of the General Conditions of Use, the User may access the personal data processed by Cyrus or delete it directly from the Site using the export and integrated deletion features.
At the end of the contractual relationship, Cyrus undertakes, at the User’s request, to destroy all personal data, or to return it to the User or another data processor designated by them if technically feasible and within a maximum period of 3 months. The return must be accompanied by the destruction of existing copies in Cyrus’s information systems, unless any applicable law requires their retention. Cyrus undertakes to provide the User, on request, with proof of such destruction.
Cyrus undertakes to provide the User with all the information and documents necessary to demonstrate compliance with the obligations set out herein.
Cyrus authorises the User or any other external auditor not competing with Cyrus and mandated by the User to inspect and audit its personal data processing activities, and undertakes to accede to all reasonable requests made by the User to verify that Cyrus complies with the contractual obligations imposed by this Annex.
It is agreed that, subject to any requests from the regulators to this effect, such audits may take place no more than once (1) per contract year. In all cases, the User must give Cyrus a minimum notice of fifteen (15) days, and the audit must in no case disrupt the ongoing activities of Cyrus. The audit will be limited to the personal data processing activities performed by Cyrus on behalf of the User, and the User will not be able to access data concerning other Cyrus customers.
Cyrus undertakes to communicate all supporting documentation proving the compliance of the processing with the User’s instructions, and that the appropriate security measures have indeed been put in place.
The User is informed, and expressly accepts, that Cyrus may have recourse to sub-processors within the context of the Services, who will have access/process the personal data entrusted by the User on their behalf. The list of the relevant processors is as follows:
The User is made aware that some of these sub-processors are located in countries outside the European Union, including in the United States, and, as such, the User expressly authorises Cyrus to transfer personal data outside the European Union. Cyrus undertakes to put in place all the necessary guarantees in order to supervise these transfers in compliance with the applicable rules.
In this context, the User shall expressly mandate Cyrus to sign, in its name and on its behalf, standard contractual clauses ” data controller to data processor ” with the sub-processors (see the standard clauses of the European Commission at the following address :https://www.cnil.fr/sites/default/files/typo/document/CCT-2010-Ss_Traitants_VF.pdfouhttps://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32010D0087&from=EN ).
In the event of modification of the list of its sub-processors, Cyrus will notify the User by email or by notification through the customer account, and the User will have the possibility to cancel the subscription in the event of an objection. It is specified that this notification will include any information relating to possible transfers of personal data outside the European Union.
When Cyrus uses sub-processors to carry out specific processing activities on behalf of and on the instructions of the User, the same data protection obligations as those laid down in these GCU are imposed contractually on the sub-processors, in particular with regard to providing sufficient guarantees as to the implementation of the appropriate technical and organisational measures.
It is Cyrus’s responsibility to ensure that sub-processors provide sufficient guarantees to ensure that the processing meets the requirements of the GDPR. If the sub-processors do not fulfil their data protection obligations, it is recalled that Cyrus remains fully liable to the User for the performance by sub-processors of their obligations.
4. Transfers of personal data outside the EU for legal purposes
If Cyrus is required to make such transfers under the applicable law, it undertakes to immediately inform the User of this legal obligation before the processing, unless the applicable law prohibits such information for reasons of public interest.