JUN 19 2023 Paid Customer Terms

Data Processing Addendum

This Data Processing Addendum (“DPA”) supplements Section 7 of the Agreement and further describes the requirements applicable to Personal Data Processed by Graphite in connection with the Services. In the event
of a conflict between Section 7 of the Agreement and this DPA, this DPA shall control. In the event of a conflict between the Agreement and/or DPA and the SCC’s, the SCC’s shall control.

1. Definitions

In this DPA, the following terms shall have the meanings set out below.

a. “Customer Personal Data” means any Personal Data provided by or made available by Customer to Graphite or collected by Graphite on behalf of Customer, which Graphite Processes to perform the Services.

b. “Data Protection Law” means any local, state, or national law regarding the processing of Personal Data applicable to Graphite in the jurisdictions in which the Services are provided to Customer, including, without limitation, privacy, security, and data protection law.

c. “EU Area” means the European Union, European Economic Area, United Kingdom, and Switzerland.

d. “EU Area Law” means (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419) (the “UK GDPR”); (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”); (iv) any other law relating to the data protection, security, or privacy of individuals that applies in the EU Area; or (v) any successor or amendments thereto (including without limitation implementation of GDPR by Member States into their national law).

e. “Personal Data” means any information deemed “personal data” or “personal information” (or analogous variations of such terms) under applicable Data Protection Laws, including any information relating to an identified or identifiable natural person.

f. “Personal Data Breach” means a breach of security leading to the unauthorized destruction, loss, alteration, disclosure of, or access to Customer Personal Data Processed in connection with the Services.

g. “Process” or “Processing” means any operation or set of operations which is performed on Customer Data or on sets of Customer Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

h. “Standard Contractual Clauses” or “SCC’s” means (i) the standard contractual clauses for cross-border transfers published by the European Commission on June 4, 2021 governing the transfer of EU Area Personal Data to Third Countries, as adopted by the European Commission and by the Swiss Federal Data Protection and Information Commissioner (“Swiss FDPIC”) in relation to data transfers to Third Countries (collectively “EU SCCs”); (ii) the international data transfer addendum (“UK Transfer Addendum”) adopted by the UK Information Commissioner’s Office (“UK ICO”) for data transfers from the UK to Third Countries; or (iii) any similar such clauses adopted by a data protection regulator relating to Personal Data transfers to Third Countries, including without limitation any successor clauses thereto.

i. “Third Country” means a country that, where required by applicable Data Protection Laws, has not received an adequacy decision relating to cross-border transfers of Personal Data from an applicable authority, including regulators such as the European Commission, UK ICO, or Swiss FDPIC.

j. Except as otherwise provided in the DPA, the terms “Business”, “Business Purpose”, “commercial purpose”, “Contractor”, “Data Subject”, “Processor”, “Sell”, “Service Provider”, “Share”, “Subprocessor”, and “Third Party” shall have the same meaning as in applicable Data Protection Law.

k. All other capitalized terms shall have the same meaning as in the Agreement, including without limitation “Customer Data” and “Services”.

2. Role of the parties.

As between Customer and Graphite, for purposes of the applicable law, Customer is a “Business”, “Controller”, or “Processor” and Graphite is a “Service Provider”, “Processor”, or “Subprocessor” (each as defined under Data Protection Law). This DPA shall apply solely to the Processing of Customer Personal Data by Graphite acting as a Processor, Subprocessor, or Third Party (as specified in Addendum 1 to this DPA) to provide the Services.

3. Compliance with Data Protection Laws.

Each party will comply with its obligations under applicable Data Protection Laws in connection with Processing of Customer Personal Data. In connection with its access to and use of the Services, Customer shall Process Customer Personal Data within such Services and provide Graphite with instructions in accordance with applicable Data Protection Law.

4. Purpose of Processing.

The purpose of Processing under this DPA is the provision of the Services pursuant to the Agreement and related order forms. Addendum 1 (Description of Processing and Transfer Details) describes the subject matter and details of the Processing of Customer Personal Data.

5. Confidentiality.

Graphite will implement and maintain measures designed to ensure that Graphite personnel authorized to Process Customer Personal Data have committed in writing to maintain the confidentiality of such Customer Personal Data (or are under an appropriate statutory obligation of confidentiality) unless disclosure is required by law or professional regulations.

6. Customer Instructions.

Where Graphite is acting as a Processor, the following Customer instructions will apply:

a. Instruction and Direction. Graphite shall use, retain, disclose, or otherwise Process Customer Personal Data only on behalf of Customer and for the specific business purpose of providing the Services and in accordance with Customer’s instructions, including as described in the Agreement. Graphite shall not Sell or Share Customer Personal Data, nor use, retain, disclose, or otherwise Process Customer Personal Data outside of its business relationship with Customer or for any other purpose (including Graphite’s commercial purpose) except as required or permitted by law. Graphite will inform Customer if Graphite determines that it is no longer able to meet its obligations under Data Protection Laws or where, in Graphite’s reasonable opinion, any of Customer’s instructions infringes any Data Protection Laws. Customer reserves the right to take reasonable and appropriate steps to ensure Graphite’s Processing of Customer Personal Data is consistent with Customer’s obligations under Data Protection Law and to discontinue and remediate unauthorized use of Customer Personal Data.

b. Limitation on Use. Graphite shall have rights to Process Customer Personal Data solely (i) to the extent necessary to (a) perform the Business Purposes and its obligations under this Agreement; (b) operate, manage, test, maintain and enhance the Services, including as part of its business operations; (c) disclose aggregate statistics about the Services in a manner that prevents individual identification or re-identification of Customer Personal Data, including without limitation any individual device or individual person; and/or (d) protect the Services from a threat to the Services or Customer Personal Data; (ii) if required by order of a court or authorized governmental agency, provided that prior notice is first given to Customer; or (iii) as otherwise expressly authorized by Customer.

c. No Combination of Personal Data. Graphite will not combine Customer Personal Data which Graphite Processes on Customer’s behalf with Personal Data which it receives from or on behalf of another person or persons, or collects from its own interaction with individuals, provided that Graphite may combine personal information to perform any Business Purpose permitted or required under the Agreement to perform the Services.

d. Reasonable Assistance. Graphite will reasonably assist Customer in complying with its obligations under the applicable Data Protection Laws, including without limitation, conducting data protection, privacy, or security risk impact assessments, and consultations with the supervisory or regulatory authority.

e. Requests for Access to Data. Unless otherwise required or prohibited by applicable law or government order, Graphite will promptly notify Customer in writing, and in any case without undue delay, if Graphite receives or learns of (i) any request from an individual with respect to Customer Personal Data, including individual opt-out requests, requests for access, correction, portability, and/or deletion and all similar individual rights requests; or (ii) any complaint or inquiry relating to the Processing of Customer Personal Data, including allegations that the Processing infringes on any individual’s or third party’s rights. Graphite will not respond to any such request or complaint unless expressly authorized to do so by Customer or otherwise required to respond under applicable Data Protection Laws. Customer may make changes to User data using the features and functionality of the Graphite Platform. Graphite will not make changes to User data except as agreed in writing with Customer. To the extent Customer, in its use of the Services, does not have the ability to respond to a request under this Section 6(e), Graphite shall upon Customer’s written request provide reasonable assistance to Customer in responding to such request.

7. Subprocessors.

Graphite will select and retain Subprocessors that have agreed by written contract to comply with terms substantially similar to those contained in this Schedule A to assist Graphite in performing its rights and obligations under the Agreement.

8. Cross-border Transfers.

The parties will cooperate to ensure that transfers of non-EU Area Customer Personal Data Processed by Graphite and transferred to a Third Country in connection with the Services under the Agreement comply with applicable Data Protection Law. Transfers of EU Area Customer Personal Data to Third Countries are subject to the requirements set forth in Section 11 below.

9. Reasonable Security Controls

Graphite will implement and maintain commercially reasonable administrative, technical and physical safeguards to protect the security, confidentiality, availability, and integrity of Customer Personal Data Processed by Graphite in connection with the Services, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of the Processing, as well as the risk to the rights and freedoms of individuals and the nature of the activities under the Agreement, as further described in Exhibit C of the Agreement.

10. Personal Data Breach Notification.

In addition to, and without limiting, any other right or remedy available to Customer under the Agreement or at law or equity, in the event of any actual or potential Personal Data Breach, Graphite shall take appropriate and prompt steps to: (a) notify Customer of such Personal Data Breach without undue delay after Graphite discovers or learns of such Personal Data Breach; and (b) take appropriate steps without unreasonable delay to investigate, mitigate, and remedy the Personal Data Breach and prevent further Personal Data Breaches, including, as Graphite determines necessary or appropriate, hiring qualified forensics investigators, approved by and under contract of confidentiality with Customer, to assist with the same. Each party will reasonably cooperate with the other with respect to the investigation and resolution of any Personal Data Breach including, in the case of Graphite, prompt provision of the following, to the extent then known to Graphite: (i) the possible cause and consequences of the Personal Data Breach; (ii) the categories of Customer Personal Data involved; (iii) a summary of the possible consequences for the relevant Users; (iv) a summary of the unauthorized recipients of the Customer Personal Data; and (v) the measures taken by Graphite to mitigate any damage.
Where Graphite is Processing Customer Personal Data as a Processor and such Customer Personal Data is impacted by a Personal Data Breach, Graphite will (a) reasonably assist Customer, as needed, in Customer’s investigation, mitigation, and remedying of the Personal Data Breach; (b) reasonably assist Customer in preparing and providing legally required notices to individuals affected by the Personal Data Breach, and any other legal notifications as deemed appropriate by Customer, to inform such persons of the facts and circumstances of the incident, which may include naming Graphite in connection with the Personal Data Breach; (c) reasonably cooperate with Customer in any litigation or regulatory action arising from the Personal Data Breach; and (d) reasonably cooperate with Customer in any other reasonable action, step, or proceeding as may be deemed necessary by Customer in connection with the Personal Data Breach and any dispute, inquiry or claim concerning the Personal Data Breach. Upon confirmation of any vulnerability or breach of Graphite’s security affecting Customer Personal Data in Graphite’s custody and control, Graphite will review and update its processes and security program as Graphite determines is necessary to mitigate the effects of the vulnerability or breach upon such Customer Personal Data. Insofar as the Personal Data Breach relates to Customer, and except to the extent required otherwise by applicable law, Customer will have approval rights on notifying its Users and any third-party regulatory authority of the Personal Data Breach. Graphite notifications to Customer will be via the Graphite Platform dashboard or account center, and via email to the persons designated by Customer to receive notices in the Graphite Platform dashboard or account center.

11. EU Area Personal Data.

a. Assistance. With respect to EU Area Customer Personal Data and taking into account the nature of Processing and the information available to Graphite, Graphite will assist the Customer with meeting its compliance obligations under GDPR Articles 32 to 36.

b. Data Protection Impact Assessment. Upon reasonable request, Graphite shall provide Customer with reasonable cooperation and assistance with Customer’s obligations to carry out a data protection impact assessment (or similar risk assessment as required under applicable Data Protection Law) related to Customer’s use of the Services, and only to the extent the information is available to Graphite and Customer is unable to access such information necessary to perform the assessment.

c. Subprocessor Authorization for EU Area Customer Personal Data. Customer authorizes Graphite to use Graphite’s Subprocessors described in Addendum 1 to Schedule A. Graphite shall inform the Customer of any such Subprocessor and any intended changes concerning the addition or replacement of Subprocessors, thereby giving the Customer the opportunity to object to such changes. If Graphite engages new Subprocessors, Graphite will give Customer notice at least 30 calendar days in advance of providing that Subprocessor with access to Customer Personal Data. If Customer does not approve of a new Subprocessor, Customer may terminate the applicable Service Order without penalty by providing, before the end of the notice period, written notice of termination that includes an explanation of the grounds for non-approval. Where Graphite engages a Subprocessor for carrying out specific processing activities on behalf of Customer, the same data protection obligations as set out in this Schedule A shall be imposed on that Subprocessor by way of a written agreement. Where that Subprocessor fails to fulfil its data protection obligations, Graphite shall remain fully liable to Customer for the performance of its Subprocessor’s obligations. Without limiting the foregoing, Graphite will develop and use reasonable steps to select and retain Subprocessors that assist Graphite in performing its obligations under the Agreement, that are capable of maintaining security practices consistent with this Schedule A, and to require such Subprocessors to agree by written contract to comply with terms substantially similar to those contained in this Schedule A.

d. Customer Personal Data Transfers

i. European Economic Area (“EEA”) Customer Personal Data Transfers. Transfers of EEA Customer Personal Data by Customer to Graphite or by Graphite to Customer in Third Countries are subject to the Standard Contractual Clauses, Module Two (“Controller to Processor”) and (where applicable) Module Three (“Processor to Processor”), attached to this DPA and incorporated by reference. The information required for the purposes of the SCCs is provided in Addendum 1 (“Description of Processing and Transfer Details”) to this DPA. The Parties agree that the SCCs are incorporated into this DPA without further need for reference, incorporation, or attachment and that by executing this DPA, each party is deemed to have executed the SCCs.

ii. Swiss Customer Personal Data Transfers. Where the Customer Personal Data is subject to the Swiss DPA, the SCCs above shall be read as modified as follows, as applicable:

1. References to “Regulation (EU) 2016/679” and any articles therefrom shall be interpreted to include references to the Swiss DPA.

2. References to “EU”, “Union” and “Member State” shall be interpreted to include references to “Switzerland”.

iii. UK Customer Personal Data Transfers. For Customer Personal Data transfers subject to UK Data Protection Law and transferred in accordance with the UK Transfer Addendum, the Parties agree as follows:

1. Each Party agrees to be bound by the terms and conditions set out in the UK Transfer Addendum, in exchange for the other Party also agreeing to be bound by the UK Transfer Addendum.

2. The Standard Contractual Clauses will be interpreted in accordance with Part 2 of the UK Transfer Addendum.

3. Sections 9 to 11 of the UK Transfer Addendum override Clause 5 (Hierarchy) of the EU SCCs.

4. For the purposes of Section 12 of the UK Transfer Addendum, the EU SCCs will be amended in accordance with Section 15 of the UK Transfer Addendum.

5. Information required by Part 1 of the UK Transfer Addendum is provided as Addendum 1 to this DPA.

6. To the extent that any revised transfer addendums or mechanisms are issued by the UK ICO, the Parties agree to incorporate such revisions in accordance with Sections 18 to 20 of the UK Transfer Addendum.

e. Onward Transfers.

In connection with the provision of the Services to Customer, Graphite may receive from, transfer to, and Process Customer Personal Data in Third Countries provided that its Subprocessors take measures to adequately protect such data consistent with applicable Data Protection Laws. Such measures may include, to the extent available and applicable under such laws:

i. Adequacy. Processing in a country, a territory, or one or more specified sectors that are considered under applicable Data Protection Laws as providing an adequate level of data protection;

ii. SCC’s. Graphite may enter into and comply with the Standard Contractual Clauses for Customer Personal Data transfers to Third Countries, including any successors or amendments to such clauses or such other applicable contractual terms adopted and approved under Data Protection Laws;

iii. BCR’s. Processing in compliance with Binding Corporate Rules (“BCR’s”) in accordance with Data Protection Laws; or

iv. Other Approved Transfer Mechanisms. Implementing any other data transfer mechanisms or certifications approved under Data Protection Laws, including, as applicable, any approved successor or replacement to the EU–US Privacy Shield framework or the Swiss–US Privacy Shield framework.

To the extent that any substitute or additional appropriate safeguards or mechanisms under any Data Protection Laws of the EU Area are required to transfer data to a Third Country, the parties agree to implement the same as soon as practicable and to document such requirements for implementation in an attachment to this DPA.

12. Data Protection Audits and Assistance.

Upon Customer’s written request (in accordance with Section 7.2 of the Agreement), and no more than once per calendar year, Graphite will provide reasonable assistance and make available information to Customer regarding its Processing of Customer Personal Data to demonstrate compliance with its obligations under this DPA and applicable Data Protection Laws, where the information sought is not provided in the Agreement or this DPA or otherwise accessible to Customer. Graphite will in addition provide such information regarding its information security systems, policies and procedures as Customer may reasonably request relating to Customer’s due diligence and oversight obligations under applicable Data Protection Law. Any information disclosed pursuant to this Section 12 will be deemed Graphite’s Confidential Information.

13. Retention and Deletion.

Graphite will delete or return (or provide Customer with functionality to permit Customer to delete) Customer Personal Data to Customer in accordance with Section 7.3 of the Agreement.

ADDENDUM 1 TO SCHEDULE A

DESCRIPTION OF PROCESSING ACTIVITIES FOR CUSTOMER PERSONAL DATA

This Addendum 1 includes details of the Processing of Customer Personal Data by Graphite in connection with the Services.

Description of Processing and Transfer Details

1. Data Exporter

Company Name, Address, Contact name, position, and contact information: Customer information as included in the applicable Order Form
Role: Controller

2. Data Importer

Company Name: Graphite Systems Inc.
Address: 3400 Ashton Blvd., Suite 220, Lehi, UT 84043
Contact name, position, and contact information: Contad Smith, CEO, [email protected]
Role: Processor

3. Activities Relevant to the data transferred under these Clauses

The activities relevant to the data transferred are the Services more fully described in the Agreement and applicable ordering documents.

4. Processing Information

Categories of data subjects whose personal data is transferred: Customer’s EU Area employees, contractors, agents, advisors, freelancers, suppliers or vendors who are natural persons and whose Customer Personal Data is Processed in connection with the Services

Categories of personal data transferred:
  • Contact Information
  • Content and communications we process on Customer’s behalf
  • Identifiers and device information

Sensitive personal data transferred: N/A – Customer determines data processed by the Services

Frequency of the transfer: Continuous

Nature of the processing: The nature of the processing is more fully described in the Agreement and accompanying order forms.

Purpose of the data transfer and further processing: The purpose of the transfer is to facilitate the performance of the Services more fully described in the Agreement and accompanying order forms.

For processing involving California consumers, please select the Business Purpose(s) for Processing Personal Data:
☐ N/A
☐ Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards
☒ Helping to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for these purposes
☒ Debugging to identify and repair errors that impair existing intended functionality.
☐ Short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a consumer’s current interaction with the business, provided that the consumer’s personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business
☒ Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.
☐ Providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer provided that, for the purpose of advertising and marketing, a service provider or contractor shall not combine the personal information of opted-out consumers that the service provider or contractor receives from, or on behalf of, the business with personal information that the service provider or contractor receives from, or on behalf of, another person or persons or collects from its own interaction with consumers.
☒ Undertaking internal research for technological development and demonstration.
☒ Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
☒ To retain and employ another service provider or contractor as a subcontractor where the subcontractor meets the requirements for a service provider or contractor under CCPA.
☒ To build or improve the quality of the services it is providing to the business even if this Business Purpose is not specified in the written contract required by CCPA, provided that Service Provider does not use the Customer Personal Data to perform Services on behalf of another person.
☒ To prevent, detect, or investigate data security incidents or protect against malicious, deceptive, fraudulent, or illegal activity, even if this Business Purpose is not specified in the written contract.

Period for which the personal data will be retained or criteria used to determine that period: The period for which the Customer Personal Data will be retained is more fully described in the Agreement, DPA, and accompanying order forms.

Subprocessor transfers – subject matter, nature, and duration of processing: The subject matter, nature, and duration of the Processing are more fully described in the Agreement, DPA, and accompanying order forms.

5. Signatures

The Parties agree that the EU SCCs and the UK Transfer Addendum are incorporated by reference and that by executing the DPA, each party is deemed to have executed the SCCs and the UK Transfer Addendum.

6. European Area SCC and UK Transfer Addendum Information

The entries below give, for each SCC clause, the selection made under the GDPR, the Swiss DPA, and UK Data Protection Law. Where a single entry is given, it applies under all three.

Module in Operation: Module Two (Controller to Processor) and Module Three (Processor to Processor)

Clause 7 – Docking Clause: An entity that is not a party to these Clauses may, with the agreement of the parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex 1.A.

Clause 9(a) – Use of Sub-processors: GENERAL WRITTEN AUTHORISATION: The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 30 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

Clause 11 (Redress): Optional language in Clause 11 shall not apply.

Clause 17 – Governing Law:
  GDPR: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Republic of Ireland or as otherwise described by the data exporter in the Service Order.
  Swiss DPA: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Switzerland.
  UK Data Protection Law: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of England and Wales.

Clause 18 – Choice of Forum and Jurisdiction (b):
  GDPR: The parties agree that those shall be the courts of the Republic of Ireland.
  Swiss DPA: The parties agree that those shall be the competent courts of Switzerland.
  UK Data Protection Law: The parties agree that those shall be the competent courts of England and Wales.

Annex 1A – List of Parties: The name, address, and contact person’s name, position, and contact details, and each party’s role in processing Customer Personal Data are provided in Sections 1, 2, and 3 above.

Annex 1B – Description of Transfer: This information can be found in Section 4 above. To the extent applicable, the descriptions of safeguards applied to the special categories of Customer Personal Data can be found in Exhibit C to the Agreement.

Clause 13 and Annex 1C – Competent Supervisory Authority (identify the competent supervisory authority/ies in accordance with Clause 13):
  GDPR: the Republic of Ireland, or as otherwise described by the data exporter in the Service Order.
  Swiss DPA: FDPIC
  UK Data Protection Law: UK Information Commissioner

Annex II – Technical and Organizational Measures: The description of technical and organizational measures designed to ensure the security of Customer Personal Data is described more fully in Exhibit C to the Agreement.

Annex II – Technical and Organizational Measures – Subprocessors: The description of technical and organizational measures designed to ensure the security of Customer Personal Data processed by Sub-processors is described more fully in Exhibit C to the Agreement.

Annex III – List of Subprocessors: See Section 7 below.

Ending the UK Transfer Addendum when the Approved Addendum changes:
  GDPR: N/A
  Swiss DPA: N/A
  UK Data Protection Law: Which Parties may end this Addendum as set out in Section 19: ☒ Importer ☒ Exporter ☐ neither Party

7. Sub-processors

Company Name | Countries | Services | Customer Data | Customer Access
Google Cloud Platform | Canada | We host our application in GCP. | Yes | No
CloudAMQP | Canada | CloudAMQP manages our RabbitMQ cluster. | No | No
MongoDB Atlas | Canada | MongoDB Atlas manages our MongoDB cluster. The MongoDB cluster resides in a private network within Google Cloud and its firewall only allows our application to access it. | Yes | No
Elastic Cloud | Canada | Elastic.co manages our Elasticsearch cluster. The Elasticsearch cluster resides in a private network within Google Cloud and its firewall only allows our application to access it. | No | No
SendGrid | United States | Management email relay | Yes | No